The CNPD is a collegiate body made up of four members, one of which is a president. The members are called Data Protection Commissioners and are authorised to use the title “Commissioner”, with this title having no impact on their rank or their remuneration. Four deputy members are also appointed.
The deputy members are called to replace members of the college when they are absent or unable to attend.
It operates in the form of a public establishment under the supervision of the Minister whose responsibilities include data protection (currently the Minister for Communications and Media, Mr. Xavier Bettel). It is nevertheless independent in the exercise of its functions.
The CNPD meets regularly for deliberations. The college may validly sit and deliberate only if at least three members of the college are present. The decisions shall be adopted by majority vote. If the number of votes are equal, the president has the deciding vote. Abstentions are not permitted.
The members of the college and the deputy members cannot sit, deliberate or adopt decisions in a matter in which they have a direct or indirect interest.
Regulations and procedures
Rules of procedure
The CNPD shall adopted its rules of procedure, including its internal procedures and working methods on 22 January 2020. The rules of procedure shall be adopted unanimously by the members of the college in plenary session. These internal rules of procedure are published in the Official Gazette of the Grand Duchy of Luxembourg.
The internal regulations determine:
- operating conditions for the CNPD;
- the organisation of the services of the CNPD;
- the procedures for convening the members of the college and holding collegiate meetings.
Regulation relating to the investigation procedure
This Regulation has been adopted pursuant to article 40 of the Act of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework. It determines the procedure for investigations before the CNPD.
Procedure for complaints
In the course of the procedure of complaint, the CNPD first examines whether a complaint is justified, i.e. it checks whether the facts alleged by the claimant relating to the processing of personal data are likely or not to constitute a violation of the applicable data protection legislation. Where the CNPD considers that the challenged processing of data would indeed be contrary to applicable law, it will use its best endeavours to remedy the situation without making use of the binding measures entrusted within the framework of its powers conferred by law.