Filing a claim with the National Commission for Data Protection
Individual rights regarding the protection of personal data have been reinforced for citizens of the European Union.
Where the use of their personal data is concerned, all individuals enjoy a number of rights. These include the right to be informed, the right of access, the right to rectification, the right to be forgotten, the right to restriction of processing, the right to data portability, and the right to object to use of their data. (These rights are listed in detail in the "Prerequisites" section.)
Anyone can contact the data controller responsible for processing their personal data directly to assert their rights.
They may also file a claim with the National Commission for Data Protection (Commission nationale pour la protection des données - CNPD) if the data controller fails to respond to their request, or if circumstances make it difficult or impossible for the data controller to take action to implement their request.
Who is concerned
Anyone whose personal data is collected or used online, or by any other means, may contact the data controller to assert their rights.
Prerequisites
Concept of consent
The data controller may not collect or use an individual's personal data unless:
- the person concerned gives their consent for the processing of their personal data for one or more specific purposes;
- the processing of the data is required for the performance of a contract to which the individual is party, or for the implementation of pre-contractual measures taken at the individual's request;
- the processing of the data is required for the fulfilment of a legal obligation by which the data controller is bound;
- the processing of the data is required to safeguard the vital interests of the person concerned, or another natural person;
- the processing of the data is required for the purpose of conducting a mission in the public interest, or relating to the exercise of public authority with which the data controller is vested;
- the processing of the data is required for the purpose of serving the legitimate interests of the data controller or a third party, unless those interests are secondary to the interests, freedoms and fundamental rights of the person concerned, which require that the personal data be protected, particularly when the person concerned is a child.
Failure to comply with the right to be informed
The data controller must inform the person concerned not only that their personal data is being collected, but also of all of their rights attaching to such collection.
If personal data is collected directly from the person concerned, the data controller must provide the person concerned with the following information at the time of collection, unless they have already been provided with such information:
- the data controller's identity and contact details, and those of their representative, where applicable;
- the contact details of the Data Protection Officer, if such a person exists;
- the purpose of and legal basis for the processing;
- when the data is to be processed to serve the data processor's or a third party's legitimate interests, information on those interests;
- if they exist, the recipients or categories of recipients with whom the data is likely to be shared;
- where applicable, the fact that the data controller intends to transfer the personal data to a country outside the EU or an international organisation;
- the length of time for which the personal data will be retained (retention period) or, if this is unknown, the criteria used to determine the retention period;
- the right to contact the data controller to exercise their rights (the right of access to their personal data, the right to rectification and erasure of such data, the right to restriction of processing, the right to object to the use of such data, and the right to data portability);
- the right to withdraw their consent at any time, when such consent has been given for one or more specific purposes;
- the right to file a claim with the CNPD;
- if the requirement to provide their personal data is:
  - a regulatory requirement;
  - a contractual requirement;
  - a condition for the performance of a contract;

  and the consequences, if any, of refusing to provide the required data;
- the existence and consequences of a decision that is made automatically, including profiling;
- if the data controller intends to process the personal data at a later time for a purpose other than that for which it was collected, the data controller must inform the person concerned of that other purpose.
If the data is collected indirectly (i.e. not directly from the person concerned), the data controller must provide the information required when personal data is collected directly (except for the information concerning any requirement to provide such data, the consequences of a refusal to do so, and any subsequent processing), as well as the following information:
- the categories of personal data concerned;
- the source of the personal data and, where applicable, whether or not the data was obtained from publicly accessible sources;
- within a reasonable period of time after having obtained the personal data, but not exceeding one month, given the specific circumstances in which the personal data is to be processed;
- no later than the time of the first communication, if the personal data must be used by the data controller for the purpose of communicating with the person concerned;
- if the personal data is to be communicated to another recipient, at the latest when the personal data is first submitted to the data controller.
However, when the data is collected indirectly, the above-mentioned information need not be provided if:
- the person concerned has already been provided with such information;
- the provision of such information:
  - proves to be impossible; or
  - requires a disproportionate effort (especially in the case of processing for the purpose of archiving in the public interest, scientific research, or historical or statistical purposes); or
  - is likely to render it impossible to achieve the purposes of the processing, or seriously compromise these aims. In those cases, the data controller must implement appropriate measures to protect the rights, freedoms, and legitimate interests of the person concerned, including by making the information publicly available;
- obtaining and communicating the information is expressly provided for in EU law, or the legislation to which the data controller is subject, which provides for appropriate measures aimed at protecting the legitimate interests of the person concerned; or
- the personal data must remain confidential by virtue of an obligation of professional secrecy regulated by EU law, or the law of its member states, including a legal obligation of professional secrecy.
The communicated information must be easily accessible, easy to understand, and expressed in clear and simple terms.
The information must be provided in writing or by any other means including, when appropriate, by electronic means.
Failure to comply with the right to access personal data
The person concerned may, at any time and at no cost, exercise their right to:
- obtain confirmation as to whether or not their personal data is being processed;
- access their personal data;
- obtain the following information:
  - the purposes of the processing;
  - the categories of personal data concerned;
  - the recipients of their personal data (especially if such data is shared with a country outside the EU or an international organisation);
  - if possible, how long their personal data will be retained, or else, the criteria used to determine the retention period;
  - the existence of the right to demand that the data controller rectify or erase their personal data, or restrict its processing, as well as the right to object to having their personal data processed;
  - the right to file a claim with the CNPD;
  - if the personal data is collected indirectly, any information as to the source of such data;
  - the existence of a decision that is made automatically, including profiling;
- a copy of their personal data held by the data controller (e.g. medical records, customer records, personal social-network account, etc.).
The person concerned need simply contact the data controller and submit their request in writing or electronically.
The data controller may charge a fee for any additional copies (copying fees).
The data controller must respond in a timely manner and, in all cases, within one month of receiving the request.
If need be, this time limit may be extended by 2 months, depending on the complexity and the number of requests. In that case, the data controller must inform the person concerned of the extension, and the reasons for the extension, within one month of receiving the request.
Failure to comply with the right to rectification
If the personal data is inaccurate, incomplete or out-of-date, the person concerned may contact the data controller directly to have it rectified or updated.
Failure to comply with the right to be forgotten
In certain cases, the person concerned may exercise their right to have the data controller erase certain data, especially if:
- the retention of certain personal data is no longer justified;
- the data controller no longer has legitimate reasons to retain the personal data of the person concerned, e.g. to fulfil legal obligations for accounting purposes.
Failure to comply with the right to restriction of processing
This right entitles the person concerned to temporarily prohibit the data controller from continuing to use their personal data for a certain length of time – i.e. until the data controller has ascertained:
- the accuracy of the data whose rectification was requested;
- the reasons given for erasure or objection.
The right to restriction also concerns cases in which the data controller no longer needs the personal data for the purpose of processing, but the data is still required by the person concerned to establish, exercise or defend their rights before the courts.
Note: The data controller may only "store" the personal data, but may not use it.
Processing may be restricted in different ways, e.g. by temporarily moving the data to another file, locking the data, temporarily withdrawing the data from a website, etc.
Failure to comply with the right to data portability
Anyone is entitled to request that the data controller send them, free of charge, any personal data:
- that the person concerned had voluntarily shared for one or more specific purposes;
- that the data controller received for the purpose of the performance of a contract.
Such data must be sent in a structured, commonly used, machine-readable format (e.g. PDF).
In some cases, the person concerned may also demand that the data controller forward such data directly to another data controller of the individual's choice (social network, internet service provider, streaming website, etc.).
When personal data is processed by a government agency in the public interest, the right to data portability does not apply.
Failure to comply with the right to object to the use of one's personal data
Anyone may object to having their personal data collected or used.
The person concerned may, at any time, for reasons related to their specific situation, object to the processing of their personal data, even if such processing is deemed to be required:
- for the purpose of conducting a mission in the public interest, or relating to the exercise of public authority with which the data controller is vested;
- for the purpose of serving the legitimate interests of the data controller or a third party, unless those interests are secondary to the interests, freedoms and fundamental rights of the person concerned, which require that the personal data be protected, particularly when the person concerned is a child (e.g. your legitimate interests).
In that case, the data controller must cease processing the personal data, unless they can demonstrate a legitimate and compelling need:
- that outweighs the interests, rights and freedoms of the person concerned; or
- to establish, exercise or defend their rights before the courts.
If the personal data is processed for sales-prospecting purposes, the person concerned may, at any time, object to the processing of their personal data for such purposes, including for any profiling associated with such prospecting.
In that case, the personal data must no longer be processed for such prospecting purposes.
At the time of the first communication with the person concerned, and no later, the right to object must be:
- explicitly brought to the attention of the person concerned; and
- presented clearly and separately from any other information.
Preliminary steps
Anyone who finds or feels that one or more of their rights have not been respected may file a claim/request with the data controller responsible for their personal data, or with the search engine concerned.
If, in the course of performing a search, the person concerned observes that the results are inaccurate or no longer relevant, they may contact the search engine to have the results delisted. In that case, the person concerned must explain why the results are inaccurate or irrelevant (e.g. deletion of old pictures, or an out-of-date CV). (Such delisting does not mean that the data will be erased from the source website, and in certain cases, delisting may be prohibited under public law.)
If no satisfactory response to the request is forthcoming, the person concerned may file a claim with the CNPD.
Costs
Filing a claim with the CNPD is free of charge.
How to proceed
Filing a claim
The claim submission form may be submitted:
- online on the CNPD website, in which case the claim will be processed more rapidly;
- by post to the following address: Commission nationale pour la protection des données, Service des réclamations, 15, boulevard du Jazz, L-4370 Belvaux.
Supporting documents
The claimant may attach documents in support of their claim, and specify the nature of the documents in the form fields reserved for that purpose.
Claimants are advised to send only supporting documents that are useful for the processing of the claim.
Documentary evidence in support of the claim may be:
- unabridged correspondence with the data controller;
- other documents (such as invoices, contracts, etc.);
- sales-prospecting messages or letters;
- photographs;
- screenshots;
- any other document deemed useful for the processing of the claim.
Disputes
In addition to the possibility of filing a claim with the CNPD, anyone with a grievance may bring their matter before the courts if they consider that their rights have not been respected by the data controller responsible for their personal data. In doing so, they obtain redress for any material or non-material damage they may have suffered.
Who to contact
National Commission for Data Protection
- Address: 15, boulevard du Jazz, L-4370 Belvaux, Luxembourg
- Phone: (+352) 26 10 60 1
- Fax: (+352) 26 10 60 29
- Website: http://www.cnpd.lu
Related procedures and links
Links
Further information
- Your rights, on the website of the National Commission for Data Protection
- Asserting your rights, on the website of the National Commission for Data Protection
- Brochure "Your data? Your rights!" (in French), on the website of the National Commission for Data Protection
Legal references
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
- Law of 1 August 2018 on the organisation of the National Commission for Data Protection