New fees for consultation and approval procedures by the luxembourg data protection authority.
Four cases where fees can be charged
23 April 2020
On 15 April 2020, the Luxembourg data protection authority (the CNPD) published a regulation fixing the amount and the terms of payment of fees in the context of its powers of authorisation and consultation.
Pursuant to article 58(3) of the General Data Protection Regulation (2016/679) (the GDPR), the CNPD is granted with certain authorizing and advisory powers. In accordance with article 47 of the law of 1 August 2018 on the organization of the CNPD and the general data protection framework, the CNPD shall determine the amount and the terms of payment of the fees in relation to such powers.
Pursuant to the Regulation, the CNPD can charge fees in four cases:
- for the accreditation of certification bodies in accordance with article 43 of the GDPR: a fee is charged at each step of the process, the amount of which depends on the step (e.g. analysis of the application, audit, certificate of approval) (from 500 EUR to 4.000 EUR);
- for the approval of certification schemes submitted by certification bodies: the amount varies depending on the stage of the process (e.g. analysis of the preliminary adoption application, criteria analysis cycle, follow-up of the adoption procedure) (from 1.000 EUR to 3.000 EUR) ;
- for the authorization of 'in house' contractual clauses to justify international transfers of personal data between a Luxembourg-based entity and an entity based outside the European Economic Area (EEA): the fee amounts to 1.500 EUR; and
- for the approval of binding corporate rules (BCR) used by multinational corporations (with a EU nexus) to legitimate the international transfer of personal data between their group entities: the fee amounts to 1.500 EUR.
The CNPD reserves itself the right to reassess the amount of fees based on the consumer price index by an amendment to the Regulation.
Are subject to the payment of fees: certification bodies, owners of certification systems, data controllers, data processors and any group of companies which request consultation or approval by the CNPD in the four above mentioned cases.
The CNPD will not process the request for consultation or approval before payment of the fees. Clifford Chance can assist with the drafting of contractual clauses or BCRs which constitute appropriate safeguards under the GDPR for international transfers of personal data.
KEY TAKE-AWAY POINTS
- The CNPD is granted with certain authorizing and advisory powers by the GDPR.
- The CNPD can charge fees to applicants in the context of such authorizing and advisory powers
- Regulation 7/2020 fixes the amount and the terms of payment of such fees.
- The fees cover (1) accreditation of certification bodies, (2) approval of their criteria of certification, (3) authorization of contractual clauses drafted 'in-house' and (4) approval of BCRs.
- Entities looking into transferring personal data outside the EEA can request the CNPD's approval of their 'in-house' contractual clauses or BCRs subject to the payment of a fee of EUR 1.500.