
Luxembourg: CNPD fines company €15,400 and imposes corrective measures on DPO obligations

The Luxembourg data protection authority ('CNPD') published, on 26 November 2021, its decision in Case No. 40FR/2021, issued on 27 October 2021, in which it imposed a fine of €15,400 on an unnamed company for violating Articles 38(1), 38(3), and 39(1)(a) and (b) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and imposed corrective measures regarding the appointment of the data protection officer ('DPO'), following its investigation.

Background to the case

In particular, the CNPD highlighted that it had decided to launch an investigation regarding the function of the DPO, opening 25 audit procedures in 2018 which largely concerned the private sector. As part of this audit, the head investigator defined 11 control objectives, which were included in the visit report regarding the company, dated 20 February 2019, and which were the following:

  • ensure that the organisation subject to the obligation to appoint a DPO has done so;
  • make sure that the organisation has published the contact details of its DPO;
  • ensure that the organisation has communicated the contact details of its DPO to the CNPD;
  • ensure that the DPO has sufficient expertise and skills to carry out its role effectively;
  • ensure that the responsibilities and tasks of the DPO do not give rise to a conflict of interest;
  • ensure that the DPO has sufficient resources to perform its role effectively;
  • ensure that the DPO is able to carry out their role with a sufficient degree of autonomy;
  • ensure that the organisation has put measures in place allowing the DPO to be associated with all matters relating to data protection;
  • ensure that the DPO fulfils their responsibility regarding advising the data controller and employees;
  • ensure that the DPO exercises adequate control over data processing within the organisation; and
  • ensure that the DPO assists the controller in carrying out impact analysis in the event of possible new data processing.

Findings of the CNPD

Firstly, the CNPD outlined that although documents were provided concerning the presentation of the DPO's activity to the management committee of the company, those documents only proved that the presentation was made, and failed to evidence that the DPO was appropriately involved in all matters relating to the protection of personal data, thus violating Article 38(1) of the GDPR.

Furthermore, the CNPD found that although the DPO reported to the management of the company, there were two hierarchical layers between the DPO and the management, and therefore direct access of the DPO to the management committee was not guaranteed, thereby breaching Article 38(3) of the GDPR.

In addition, the CNPD found that the company engaged in no formal reporting on the activities of the DPO on a regular basis, and that there was no proof that statements mentioning the formal reporting of the DPO's activities on a quarterly basis actually occurred, thereby violating Article 39(1)(a) of the GDPR.

Moreover, the CNPD detailed that the company did not have a formalised control plan specific to data protection, even though such a plan did not need to have already been executed. Therefore, the CNPD found that the DPO could not fulfil their objective of monitoring the compliance of the data controller, as set out in Article 39(1)(b) of the GDPR.

Outcomes

Specifically, the CNPD imposed a fine of €15,400 on the company for its breach of the obligations of a DPO under Articles 38(1), 38(3), and 39(1)(a) and (b) of the GDPR. In addition, the CNPD outlined four corrective measures to be taken, including:

  • measures to ensure the DPO is associated with all data protection issues;
  • measures guaranteeing the DPO's autonomy;
  • measures enabling the DPO to inform and advise the controller and employees on their data protection obligations; and
  • measures ensuring the DPO documents their controls relating to the application of internal data protection rules and procedures.

You can read the press release here and access the decision here, both only available in French.