CNPD (Luxembourg) - Délibération n° 3018
Luxembourg's CNPD refuses to investigate Rocketreach for GDPR violations due to its foreign establishment.
Summary
The Luxembourg National Data Protection Commission (CNPD) has refused to open an investigation into Rocketreach, a company accused of selling personal data of EU subjects without a legal basis. The CNPD cited Rocketreach's foreign establishment and lack of an EU representative as reasons for not proceeding, despite acknowledging potential GDPR breaches. This decision has drawn criticism for potentially allowing companies to evade accountability by operating outside the EU.
Full text
Help CNPD (Luxembourg) - Délibération n° 3018: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 16:59, 6 December 2023 view sourceAr (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators2,246 editsm ← Older edit Latest revision as of 13:57, 23 June 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators94 edits Line 10: Line 10: |ECLI=|ECLI= |Original_Source_Name_1=|Original_Source_Name_1=private blog |Original_Source_Link_1=https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html|Original_Source_Link_1=https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html |Original_Source_Language_1=English|Original_Source_Language_1=English Latest revision as of 13:57, 23 June 2026 CNPD - 3018 Authority: CNPD (Luxembourg) Jurisdiction: Luxembourg Relevant Law: Article 27 GDPR Type: Complaint Outcome: Other Outcome Started: Decided: 04.02.2020 Published: 29.05.2020 Fine: None Parties: n/a National Case Number/Name: 3018 European Case Law Identifier: n/a Appeal: Not appealed Original Language(s): English Original Source: private blog (in EN) Initial Contributor: n/a Luxembourg DPA argues it cannot proceed and is not willing to open an investigation against a company established abroad that has not designated an EU Represenative. Contents 1 English Summary 1.1 Facts 1.2 Dispute 1.3 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Rocketreach sells access to personal data on EU data subjects, allegedly without any legal basis. Dispute 1. Deleting the data subject's information when all he solely asked for was access. 2. Did not answer requests to enquire about the Legal basis of processing. 3. Has not selected an EU Representative 4. Mass Processing of European Data Subjects Holding Luxembourg DPA argues it cannot proceed against a company established abroad that has not designated an EU Represenative. Comment Although thousand of Luxemburgish and hundred thousands of European Data Subjects are impacted the DPA of Luxemburg refuses to open an inquiry/Investigation. Further Resources Part1 : https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html Part2 : https://blog.zoller.lu/2020/10/how-to-effectively-evade-gdpr-and-reach.html Although agreeing that Rocketreach is in breach of the GDPR, the CNPD refuses an investigation : The CNPD argues that it doesn't have to follow their Internal Guidelines on "Investigations" as although they talked to Rocketreach they did not officially open an actual investigation in this particular case. They also argue they don't need to follow the Internal Guidelines on "Decisions" as a Decision to not open an investigation is formally not a Decision as defined in their Policies. The CNPD further argues that the Luxemburgish Law on Data Protection does not specify any criteria when or when not the CNPD would need to open an investigation and thus concludes it can do so at will. In the case of Rocket Reach in particular the CNPD argues that it makes no sense to open an investigation as they would not be able to ensure Rocketreach then respects the outcome. In other words, they won't make us benefit from their efforts should we seek judicial redress. English Machine Translation of the Decision The decision below is a machine translation of the English original. Please refer to the English original for more details. Retrieved from "https://gdprhub.eu/index.php?title=CNPD_(Luxembourg)_-_Délibération_n°_3018&oldid=51958" Categories: CNPD (Luxembourg)LuxembourgArticle 27 GDPR2020English This page was last edited on 23 June 2026, at 13:57. Content is available under Creative Commons Attribution-NonCommercial-ShareAlike unless otherwise noted. Privacy policy About GDPRhub Disclaimers
Indicators of Compromise
- url — https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html
- url — https://blog.zoller.lu/2020/10/how-to-effectively-evade-gdpr-and-reach.html