Luxembourg: CNPD issues €15,000 fine to company for failures regarding DPO function
The Luxembourg data protection authority ('CNPD') issued, on 1 July 2021, its decision, of 11 June 2021, whereby it issued a fine of €15,000 to a company for violations of Articles 38(1), 38(3), 39(1)(a), and 39(1)(b) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), as part of its focus on investigations into the function of the data protection officer ('DPO'). In particular, the CNPD required the company to remedy its violations of Articles 38(1), 38(3), 39(1)(a), and 39(1)(b) of the GDPR within four months following the notification of the decision and imposed the €15,000 fine. Specifically, the decision requires the company to ensure the formalised and documented inclusion of the DPO in all matters related to data protection, to ensure the implementation and maintenance of a formal mechanism guaranteeing the independence of the DPO, ensuring the formal and documented roll-out of the DPO's responsibility of carrying out audits, and ensure that the DPO exercises, in a formal and documented manner, its responsibility to inform and advise the data controller.
You can read the decision, only available in French, here.