CNPD (Luxembourg) - Délibération n° 20FR/2021: Difference between revisions

Latest revision as of 19:42, 4 September 2021

CNPD (Luxembourg) - 20FR/2021

Authority:	CNPD (Luxembourg)
Jurisdiction:	Luxembourg
Relevant Law:	Article 38(1) GDPR Article 38(3) GDPR Article 39(1)(a) GDPR Article 39(1)(b) GDPR
Type:	Investigation
Outcome:	Violation Found
Started:
Decided:	11.06.2021
Published:	01.07.2021
Fine:	15.000 EUR
Parties:	Luxembourg data protection authority Logistics company (anonymized)
National Case Number/Name:	20FR/2021
European Case Law Identifier:	na
Appeal:	Unknown
Original Language(s):	French
Original Source:	Official website of the Luxembourgish DPA (CNPD) (in FR)
Initial Contributor:	Maïlys Lemaître

The Luxembourg DPA fined a logistics company €15,000 for failing to ensure that its DPO could exercise the tasks outlined in Articles 38(1), 38(3), 39(1)(a) and 39(1)(b) GDPR, including because the DPO was not invited to all relevant meetings, and did not report directly to the highest level of management.

English Summary

Facts

The Luxembourgish Data Protection Authority (CNPD) conducted an investigation at a logistics company within the framework of a global investigation campaign on the function of Data Protection Officer (DPO) in both private and public sectors.

Dispute

Did the logistics company meet the legal requirements regarding the function of DPO?

Holding

Following their investigation at the company, the CNPD found:

that the company's DPO did not seem to be invited to all relevant meetings for them and that it therefore could not be considered that they were involved properly and in a timely manner in all issues which relate to the protection of personal data as required by Article 38(1) GDPR;
that the DPO did not report directly to the highest level of management at the company, thus not ensuring that the DPO could act without receiving any instructions regarding the exercise of their tasks pursuant to Art. 38(3) GDPR;
that, though it could reasonably be expected that the DPO did a formal and frequent reporting on their activities to the management, such a reporting had not been set up and that the company therefore did not meet the requirements of Article 39(1)(a) GDPR which states that the DPO should inform and advise the controller;
that the company had not been able to demonstrate that they had an audit plan for the year, thus violating Article 39(1)(b) GDPR regarding the DPO's duties to monitor compliance with GDPR.

In view of those violations, the CNPD:

imposed an administrative fine of fifteen thousand euros (€15,000) on the company;
ordered them to comply with Articles 38(1), 38(3), 39(1)(a) and 39(1)(b) GDPR within four months of the notification of the decision.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision of the National Commission sitting in restricted formation on

the outcome of survey No. [...] conducted with Company A

Deliberation n ° 20FR / 2021 of June 11, 2021

The National Commission for Data Protection sitting in a restricted body,

composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc
Lemmer, commissioners;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on

the protection of individuals with regard to the processing of personal data

personnel and the free movement of such data, and repealing Directive 95/46 / EC;

Having regard to the law of 1 August 2018 on the organization of the National Commission for the Protection

data and the general data protection regime, in particular Article 41 thereof;

Having regard to the internal regulations of the National Commission for Data Protection

adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular Article 10, point 2;

Having regard to the regulation of the National Commission for Data Protection relating to

investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular
its article 9;

Considering the following:

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] conducted with Company A 1/25 I. Facts and procedure

1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and

the importance of its integration into the body, and considering that the guidelines
1
concerning DPOs have been available since December 2016, i.e. 17 months before entry
in application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27

April 2016 on the protection of individuals with regard to the processing of

personal data and the free movement of such data, and repealing the

Directive 95/46 / EC (General Data Protection Regulation) (hereinafter: the "

RGPD ”), the National Data Protection Commission (hereinafter: the
"National Commission" or "CNPD") has decided to launch an investigation campaign

thematic on the function of the DPO. Thus, 25 audit procedures were opened in 2018,

concerning both the private and public sectors.

2. In particular, the National Commission decided by deliberation n ° […] of September 14
2018 to initiate an investigation in the form of a data protection audit of

Company A established at […] L- […] and registered in the trade and companies register

under the number […] (hereafter: the “controlled”) and to designate Mr. Christophe

Buschmann as the head of the investigation. The said deliberation specifies that the investigation relates to the

compliance of the inspected with section 4 of chapter 4 of the GDPR.

3. […] the inspectorate [is active in the field of transport] […].

4. The controlled has approximately […] collaborators and in terms of its activities […].

5. By letter of September 17, 2018, the head of the survey sent a questionnaire

preliminary to the control to which the latter replied by letter of October 9, 2018.

site visits took place on February 4 and May 2, 2019. Following these discussions, the chef

investigation prepared the audit report no. […] (hereafter: the "audit report").

6. It emerges from the audit report that in order to verify the compliance of the organization with section

4 of Chapter 4 of the GDPR, the head of the investigation defined eleven control objectives, namely:

1) Ensure that the body subject to the obligation to appoint a DPO has done so;

1The guidelines concerning DPOs were adopted by the “Article 29” working group on 13
December 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017.
________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of

survey no. […] conducted with Company A 2/25 2) Ensure that the organization has published the contact details of its DPO;

3) Ensure that the organization has communicated the contact details of its DPO to the CNPD;

4) Ensure that the DPO has sufficient expertise and skills to

carry out its missions effectively;

5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest;
6) Ensure that the DPO has sufficient resources to perform effectively

of its missions;

7) Ensure that the DPO is able to carry out his missions to a sufficient degree

autonomy within their organization;

8) Ensure that the organization has put in place measures to ensure that the DPO is associated with

all matters relating to data protection;

9) Ensure that the DPO fulfills his mission of information and advice to the

data controller and employees;

10) Ensure that the DPO exercises adequate control over data processing within

of his body;

11) Ensure that the DPO assists the data controller in carrying out the

impact analyzes in the event of new data processing.

7. By letter of 7 November 2019 (hereinafter: the “statement of objections”), the Chief

investigation informed the control of breaches of obligations under the GDPR

which he found during his investigation. The audit report was attached to this letter.

8. In particular, the head of the investigation noted in the statement of objections

breaches of:

 the obligation to involve the DPO in all matters relating to the protection of
2
personal data;
3
 the obligation to guarantee the autonomy of the DPO;
4
 the DPD's control mission;
5
 the DPD's mission of information and advice.

9. By letter of December 4, 2019, the inspector sent the head of the investigation

position on the shortcomings identified in the statement of objections.

2Objective 8
3Objective n ° 7
4Objective n ° 10
5Objective 9

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
3/2510. On August 10, 2020, the head of the investigation sent the inspectorate an additional letter to the

statement of objections (hereinafter: the "additional letter to the communication of

grievances ") by which he informs the inspector about the corrective measures and the fine
administrative office that he proposes to the National Commission sitting in a restricted group (here-

after: the "restricted formation") to adopt. In this letter, the investigator proposed

to the restricted formation to adopt three different corrective measures, as well as to impose
at the control an administrative fine in the amount of 15,000 euros.

11. By letter of September 17, 2020, the inspector sent the head of the investigation his

observations on the additional letter to the statement of objections.

12. The case was on the agenda of the restricted formation session on November 13
2020. In accordance with article 10.2. b) the rules of procedure of the Commission

national, the head of investigation and the supervisee presented their oral observations in support of

of their written observations and answered questions posed by the training

restraint. The controlled had the floor last.

II. Place

A. On the breach of the obligation to involve the DPO in all matters relating to

the protection of personal data

1. On the principles

13. According to Article 38.1 of the GDPR, the organization must ensure that the DPO is involved, in a

in an appropriate and timely manner, in all matters relating to the protection of

personal data.

14. The DPO Guidelines state that "[i] t is essential that the DPO, or

his team, is involved from the earliest possible stage in all questions

relating to data protection. [...] Information and consultation of the DPO from
start will facilitate compliance with the GDPR and encourage a grounded approach

on data protection by design; it should therefore be a procedure

usual in the governance of the organization. In addition, it is important that the DPO is

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
4/25 considered as an interlocutor within the organization and that he is a member of groups

of work devoted to data processing activities within the organization ". 6

15. The DPO guidelines provide examples on how to

to ensure this association of the DPO, such as:

 invite the DPO to participate regularly in management meetings
upper and intermediate;

 to recommend the presence of the DPO when decisions having implications

in terms of data protection are taken;

 always take due account of the opinion of the DPO;

 immediately consult the DPO in the event of a data breach or any other

incident occurs.

16. According to the guidelines on DPOs, the body could, where appropriate,

develop data protection guidelines or programs

indicating the cases in which the DPO must be consulted.

2. In this case

17. It emerges from the audit report that, in order for the investigator to consider objective 8 as

completed by the inspected as part of this audit campaign, he expects the DPD

participates in a formalized manner and on the basis of a defined frequency in the

Management, project coordination committees, new product committees,
security committees or any other committee deemed useful in the context of data protection.

18. According to the statement of objections, page 3, “the DPO participates in the board of directors on

invitation or on request, but not systematically (...) The DPO's participation

to project meetings with an impact on data protection is planned, but not
still in place systematically. The statement of objections then states

that "The fact that the DPO's intervention in the various meetings relevant to the

with regard to the protection of personal data is not systematic is not

such as to guarantee an appropriate involvement of the DPO, nor to establish his position in
as an interlocutor within the organization. "

6 WP 243 v.01, version revised and adopted on April 5, 2017, p. 16
________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Company A 5/2519. In addition, the head of the investigation, taking into consideration the protection policy

data which, during the investigation, was being prepared by the inspected, notes

in the statement of objections, page 3, that "if the existence of a policy of protection
data specifying the need to integrate the DPO in all questions related to the

data protection is an important element of governance, it is not enough to

ensure the appropriate and timely involvement of the DPO at the operational level. Of
internal procedures specifically specifying how the DPO must be involved,

systematic invitation of the DPO to meetings or his designation as

permanent member of a committee would be, for example, elements allowing to

demonstrate its operational involvement. "

20. In his position paper of 4 December 2019, page 2, the inspected indicates that "[i] he is

important (...) to take into account the particularities of each organization as well as its

decision-making and organizational functioning in order to assess how "
appropriate "the controller, together with the processor, must associate the DPO" with

all matters relating to data protection ”” and argues that “Neither the GDPR,

nor do the guidelines provide for an obligation for the data controller to

make the DPO a permanent member of any decision-making committee ”. Also, according to
the controlled "the requirement formulated in the report that the DPO is a member

standing of the Board of Directors […] is neither in conformity with these texts, nor necessary to

the exercise of the DPD's missions. "

21. The inspector also recalls that measures have been taken "to help the DPO to

carry out its missions ", including by appointing for each service," one or more

"GDPR correspondents" whose missions are in particular to relay the objectives of the
data protection policy within their service and coordinate operations

compliance under the responsibility of the head of the department concerned and the DPO. They

have direct access to it. "

22. The restricted committee notes that the GDPR does not specify which measures are

should be taken by the controller to ensure the involvement of the DPO

to all questions relating to data protection. As for the guidelines

concerning DPOs, they formulate recommendations and best practices,
in order to guide data controllers in ensuring compliance with their

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
6/25 governance, in particular by providing examples of how to ensure this

association.

23. Nevertheless, the restricted formation notes that it is rightly specified on page 2 of the

statement of objections (under "preliminary remarks") that "[t] he requirements of the

GDPR is not always strictly defined. In such a situation, it is up to the
supervisory authorities to verify the proportionality of the measures put in place by the

data controllers with regard to the sensitivity of the data processed and the risks

incurred by the persons concerned. "

24. In this regard, the restricted committee notes that the inspectorate has approximately […]

collaborators (according to the investigation file), that it has an internal department of […].

[…]. It follows, however, that the activities of the inspected involve processing of

personal data that potentially affects a significant number of
persons concerned. However, if the inspected has put in place, prior to the start of

the investigation, certain organizational measures facilitating the association of the DPO, in

in particular by appointing “GDPR correspondents” for each service, the training

restricted considers, however, that the formalized and systematic participation of the DPO
at relevant meetings, as expected by the investigator, is a measure

proportionate in order to ensure the involvement of the DPO in all matters relating to the

Protection of personal data.

25. The restricted committee took note of the fact that in its letter of September 17, 2020, the

controlled indicates that it was decided to "formalize monthly meetings between the DPD

and the heads of departments who process the most personal data (mainly
IT, human resources and […]) (…) as well as biannual meetings with

the other heads of departments "and add" as an annex to the general management policy

data, a form allowing each person in charge of a project to deal with

the DPO the question of data protection ”. If these measures should allow
to ensure the involvement of the DPO in all matters relating to data protection,

it should be noted that these were decided during the investigation by the inspectorate.

The limited training therefore agrees with the findings of the head of the investigation that,

at the start of the investigation, the inspected was unable to demonstrate that the DPO was
appropriately associated with all data protection matters

personal.

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
7/2526. The limited training further notes that it does not have the documentation that

would make it possible to demonstrate the taking of such measures by the inspected.

27. In view of the above, the restricted panel concludes that Article 38.1 of the GDPR does not have
been respected by the inspected.

B. On the breach of the obligation to guarantee the autonomy of the DPO

1. On the principles

28. According to Article 38.3 of the GDPR, the body must ensure that the DPO "does not receive

no instructions regarding the exercise of the missions ”. In addition, the DPD "makes

directly to the highest level of "management" of the organization.

29. Recital (97) of the GDPR further states that DPOs “should be able to

to exercise their functions and missions in complete independence ”.

7
30. According to the guidelines on DPOs, Article 38.3 of the GDPR "provides for certain
basic guarantees intended to ensure that DPOs are able to exercise their

missions with a sufficient degree of autonomy within their organization. […] That means

that, in carrying out their duties under Article 39, DPOs must not

receive instructions on how to handle a case, for example, what outcome should

be obtained, how to investigate a complaint or whether to consult with the
control. Furthermore, they cannot be required to take a certain point of view on a

issue related to data protection legislation, for example, a

particular interpretation of the law. […] If the controller or the processor

takes decisions that are incompatible with the GDPR and the opinion of the DPO, the latter

should be given the opportunity to clearly state their dissent at the highest level
management and decision-makers. In this regard, Article 38 (3) provides that the

DPD "reports directly to the highest level of management of the person responsible for

processing or subcontractor ”. Such direct accountability ensures that

senior management (e.g. the board of directors) is aware of the opinions and

DPD recommendations that fall within the scope of the latter's mission

7WP 243 v.01, version revised and adopted on April 5, 2017, p. 17 and 18
________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of

the survey no. […] carried out with Company A 8/25 consisting in informing and advising the controller or the processor.

The preparation of an annual report on the activities of the DPO intended for the highest level

management is another example of direct accountability. "

2. In this case

31. It emerges from the audit report that, in order for the investigator to consider objective 7 as

completed by the inspected as part of this audit campaign, he expects the DPD
either "attached to the highest level of management in order to guarantee as much as possible

autonomy ”.

32. According to the statement of objections, page 3, '' It appears from the investigation that the […] indicates

that the DPO reports directly to the highest level of the Company, in this case
the Board of Directors and General Management. However, Company A has not been in

able to demonstrate the existence of such a direct relationship at the highest level of

management, for example, through an activity report. Regarding the connection

hierarchical, the DPO was initially attached to the legal director, himself
to the administrative and financial director. "

33. Regarding the establishment of an activity report, the head of the investigation noted on page

4 of the statement of objections that a modification was made during the investigation

in the direction of compliance, the DPO now establishing a monthly report
for the attention of the Director-General. The head of the investigation, however, notes that the DPO should

be able to independently determine the content of this monthly report which is first

discussed with the Administrative and Financial Director.

34. Regarding hierarchical reporting, the head of the investigation recalls on page 4 of
the statement of objections that 'the existence of several hierarchical levels between the

DPD and the highest level of management is not such as to guarantee its

autonomy. "And underlines that during the investigation, the inspector indicated" that the attachment

hierarchy of the new DPD was uncertain ”.

35. In his position paper of 4 December 2019, page 3, the inspected argued that the DPO

previously in office "regularly reported to the Director

Administrative and Financial in 2018 "and that a particular context in terms of

recruitment of the current DPO resulted in the latter “reporting to the
Administrative and financial director informally (...) until March 2019 ". The

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
9/25 controlled then specifies that since March 15, 2019, the legal service and the DPO have been

part of […], placed under the responsibility of the Chief Executive Officer and that since May 2019,

a “formal activity report” is drawn up each month.

36. As for the content of the report drawn up by the DPO, the inspector specifies on page 4 of his report

position of 4 December 2019 that "The monthly activity report is (...) sent to the

Chief Executive Officer without the content of the report having been modified, except

report of the meeting with the Administrative and Financial Director ”.

37. In its position paper of 4 December 2019, the controlled also argues, on page
3, that “The report cites […] of Company A to identify a breach by making a

fragmentary quotation: "the data protection officer reports directly to the

highest level of the Company, in this case the Board of Directors and the
Executive management ". However, the CNPD omitted the part of the text of […] specifying that

the DPO reports to the Board of Directors and General Management “for all

significant problem occurring or noted in the course of his duties ”.

38. The inspected continues by indicating that “The GDPR and the guidelines not specifying

what should be the nature of the report made at the highest level of the hierarchy, Company A
considered, in view of the size and organization of Company A, that it was preferable to

discuss data protection issues at a lower level (heads of

department who have the delegations of power to make decisions or even directors
depending on the nature of the problem) in order to resolve them in the most efficient way and

then report to the Chief Executive Officer. Of course, in the event that the DPD

would notice a significant blockage, he has the opportunity to speak directly to the Management

General and to the Board of Directors. "

39. On this point, the restricted committee notes that the direct report to the highest level of the

direction is, according to [...], conditioned on the existence of a "significant problem" (or

“Significant blocking”, according to the controlled position of December 4, 2019). Outraged

the question of knowing what are the criteria which make it possible to determine, in practice,
the existence of such a problem, the restricted party has reservations about this

condition which could constitute an obstacle to the direct access of the DPO at the highest level

management, in that the DPO could be in the position of having to justify

the existence of such a "significant problem" before intervening at the highest level
of management. However, the restricted committee considers that the DPO should be able to bypass

the intermediate hierarchical levels as soon as it deems necessary.
________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
10/2540. The restricted training is also in this regard, that in its letter of September 17

2020, the inspector informed the head of the investigation of measures decided in this regard, namely

that it will be added, in its "general policy for the management of personal data
personnel ", the following indication:" the DPO, if he considers it necessary, can directly

contact the Managing Director of Company A in order to provide him with any

problematic ”.

41. If measures were decided during the investigation by the inspected in the sense of a
compliance, the limited training nevertheless agrees with the report of the chief

investigation according to which, at the start of the investigation, the inspector was not able to

demonstrate that the DPO could act without receiving instruction regarding the exercise

of his assignments or that he reported directly to the highest level of management.

42. The restricted committee notes that it does not have the documentation that would allow

demonstrate that the measures described in point 40 of this decision have been taken

by the controlled.

43. In view of the above, the restricted panel concludes that Article 38.3 of the GDPR does not have
been respected by the inspected.

C. On the failure to provide information and advice to the DPO

1. On the principles

44. Under section 39.1. a) of the GDPR, one of the missions of the DPO is to "inform and

advise the controller or processor as well as the employees who

carry out the processing on their obligations under this
regulation and other provisions of Union law or of the law of the Member States in

data protection '.

2. In this case

45. It emerges from the audit report that, in order for the investigator to consider objective 9 as

completed by the inspected as part of this audit campaign, he expects

"The organization has formal reporting on the activities of the DPO to the

Direction based on a defined frequency. Regarding information to employees, it is

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
11/25 whereas the organization has put in place an adequate training system for personnel

in terms of data protection ”.

46. On these two points, according to the statement of objections, page 4, 'It emerges from the investigation
that the staff of Company A have been made aware by the DPO alone or accompanied by the

CISO. Specific training has been carried out for senior executives,

human resources and the IT department. With regard to the person responsible for

treatment, the DPO issues recommendations on an ad-hoc basis (13 between 25 May
2018 and February 4, 2019). In a logic of daily management of the protection of

data and given the volume of data processed, the sensitivity of certain

these data or the complexity of the processing operations (see remarks

preliminary), it is expected that information and advisory missions with regard to the
controller are better formalized, for example with a report

activity. "It is then specified that during the investigation" the CNPD agents were

informed that there is now a monthly report for the attention of the Director General ”.
The limited training nevertheless notes that it does not have the documentation

which would make it possible to demonstrate that this measure has been put in place. This being specified,

it is stated in the statement of objections, page 5, that at the start of the investigation, "the

controller has not been able to demonstrate that the DPO is exercising his
information and advice missions with regard to the data controller. "

47. In his position paper of December 4, 2019, the controlled first argues "that neither the

GDPR nor the guidelines impose any formality on how

which the DPO carries out his information and advice missions "and" that the absence of
formal activity report on a regular basis is not sufficient to demonstrate that the DPO has not

carried out its information and advisory missions. »The inspected then describes how

way the data protection officer carries out his information and

advice “notably through the review of contracts (service provision,
outsourcing, etc.), data protection impact assessments (DPIA) or

further responses to requests from the various GDPR correspondents or

services "and specifies that" the DPO is confronted every day with requests and

issues related to data protection for which it issues an opinion either
informal (telephone for example) or formal (most often email or report). "

48. With regard to the mission of informing employees about their obligations

are incumbent under the GDPR, the inspected indicated in its position paper of 4 December

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
12/25 2021 that “[c] as stressed by the CNPD, the DPD also carries out his

information and advice during training and awareness sessions. "

49. In this regard, the restricted panel notes that the breach noted by the chief

of investigation only concerns the DPD's information and advice mission with regard to

the data controller, and not the DPO's information and advice mission to

with regard to employees.

50. The restricted committee notes that article 39.1 of the GDPR lists the tasks that the

DPD must at least be entrusted, whose mission is to inform and advise the organization
as well as the employees, without however specifying whether specific measures must be

put in place to ensure that the DPO can accomplish his information and

advice. The DPO guidelines, which formulate recommendations and

best practices to guide data controllers in implementing

compliance with regard to their governance, also briefly discuss the

DPD advisory and information mission. Thus, they specify that the keeping of the register

processing activities referred to in Article 30 of the GDPR may be entrusted to the DPD and that
"[This] register must be considered as one of the tools enabling the DPO to exercise his

monitoring missions for compliance with the GDPR as well as providing information and advice to the

controller or processor. "8

51. In the present case, the restricted committee notes that it appears from the investigation file that the DPO

been involved in the establishment of the register of processing activities and ensure a
9
followed by this register.

52. The restricted committee further notes that in its position paper of 4 December
2019, the inspected provided information to describe how the DPO performs in

performs its missions of information and advice with regard to the controller.

53. Nevertheless, the restricted committee recalls that it has already noted in point 23 of the

this decision which is rightly specified on page 2 of the statement of objections

(under "preliminary remarks") that "[t] he requirements of the GDPR are not always

strictly defined. In such a situation, it is up to the supervisory authorities to verify

the proportionality of the measures put in place by the data controllers

8WP 243 v.01, version revised and adopted on April 5, 2017, p. 22
9 Visit report of February 4, 2019, p. 5
________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
13/25 with regard to the sensitivity of the data processed and the risks incurred by individuals

concerned. "

54. However, in view of the fact that it has already been found in point 24 of this decision that
the activities of the inspected involve the processing of personal data which

potentially affect a large number of people concerned, the training

Restricted considers that formal reporting of the DPO's activities to management, on

the basis of a defined frequency, constitutes a proportionate measure to demonstrate
that the DPO performs his duties of information and advice with regard to the head of

treatment.

55. The restricted committee noted that the inspected indicated that a formal report, on a

monthly basis, was set up during the survey, but nevertheless supports the
report by the head of the investigation that, at the start of the investigation, the data controller

has not been able to demonstrate that the DPO carries out his information and

advice to the data controller.

56. The restricted formation further recalls that it does not have the documentation which
would make it possible to demonstrate that this measure was put in place by the inspected.

57. In view of the foregoing, the Select Committee concludes that Article 39.1. a) of the GDPR does not have

not respected by the inspected.

D. On the breach relating to the DPO's control mission

1. On the principles

58. According to section 39.1. b) of the GDPR, the DPO has, among other things, the task of "monitoring compliance
of this Regulation, other provisions of Union or State law

members in terms of data protection and internal rules of the controller

processing or subcontractor with regard to the protection of personal data,

including with regard to the division of responsibilities, awareness raising and
training of staff involved in processing operations, and audits

reporting ”. Recital (97) specifies that the DPD should help the organization to verify the

internal compliance with the GDPR.

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
14/2559. It follows from the guidelines concerning DPOs that, in the context of its mission of

control, the DPO may in particular:

 collect information to identify processing activities;

 analyze and verify the compliance of processing activities;

 inform and advise the controller or the processor and formulate

recommendations to him.

2. In this case

60. It appears from the audit report that, in order for the investigator to consider Objective 10 as
completed by the inspected as part of this audit campaign, he expects

"The organization has a formalized control plan for the protection of

data (even if it is not yet executed) ”.

61. According to the statement of objections, page 5, “The investigation showed that the body

carries out ad hoc checks in the context of projects for which the DPO
participates. In a logic of daily management of data protection, and

given the volume of data processed, the sensitivity of some of these data

or the complexity of the processing operations (see preliminary remarks), it is

whereas the DPD's control missions are better formalized, for example with

the establishment of a control plan. "

62. In his position paper of 4 December 2019, the controlled argued “that it is not

because there is no formalized control plan that no adequate control of the treatment

data within the organization is carried out. Moreover, this control is often done

implicitly within the framework of projects for which the DPD intervenes. Indeed, through

the review of the register of processing, DPIA, issues raised, the DPD
monitors the application of the rules and feeds the information back to the hierarchy as needed in order

to regularize the situation. "

63. The restricted committee notes that article 39.1 of the GDPR lists the missions that the

DPD must at least be entrusted with the task of monitoring compliance with the GDPR, without

however, require the body to put in place specific measures to ensure that

the DPO can accomplish his control mission. Thus, the guidelines concerning

10WP 243 v.01, version revised and adopted on April 5, 2017, p. 20
________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
the survey no. [...] conducted with Company A 15/25 the DPOs specify in particular that the keeping of the register of processing activities referred to in
Article 30 of the GDPR can be entrusted to the DPD and that "[this] register must be considered

as one of the tools allowing the DPO to carry out his compliance control missions

of the GDPR as well as information and advice from the controller or sub

treating. "

64. The restricted committee has already noted in point 51 of this decision that it is apparent from

investigation file that the DPO was involved in establishing the activity register
12
processing and monitor this register. The controlled, in his position

of December 4, 2019, argues that the DPO monitors the application of the GDPR
in particular “through the review of the processing register”.

65. Nevertheless, as has already been recalled in points 23 and 53 above, it is specified in

rightly on page 2 of the statement of objections (under "preliminary remarks")

that “[t] he requirements of the GDPR are not always strictly defined. In such

situation, it is up to the supervisory authorities to verify the proportionality of the measures

implemented by data controllers with regard to the sensitivity of the data

processed and the risks incurred by the data subjects. "

66. However, in view of the fact that it has already been found in point 24 of this decision that

the activities of the inspected involve the processing of personal data which
potentially affect a large number of people concerned, the training

restricted considers that the control mission carried out by the DPO with the controlled

should be further formalized, for example through a control plan for

data protection, in order to be able to demonstrate that the DPO is carrying out his

adequate monitoring of compliance with the GDPR.

67. The restricted committee took note of the fact that in its letter of September 17, 2020, the

controlled indicates that it was decided "to put in place an audit and control strategy
through the development in 2020 of a control plan ”. However, this decision being

intervened during the investigation, the small group agrees with the chief's observation

investigation according to which the inspected was not able to demonstrate that the DPO exercises

its missions of monitoring compliance with the GDPR.

11
12WP 243 v.01, version revised and adopted on April 5, 2017, p. 22
February 4, 2019 visit report, p. 5
________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
16/2568. The limited group notes that it does not have the documentation that would allow

to demonstrate that this measure has been implemented by the inspected.

69. In view of the foregoing, the Select Committee concludes that Article 39.1. b) of the GDPR does not have

not respected by the inspected.

III. On corrective measures and the fine

A. Principles

70. In accordance with article 12 of the law of 1 August 2018 on the organization of the

National Commission for Data Protection and the General Regime on

data protection, the National Commission has the powers provided for in Article

58.2 of the GDPR:

a) notify a controller or processor that data processing operations
planned treatment are likely to violate the provisions of this

regulation;

b) call to order a controller or a processor when the

processing operations have resulted in a violation of the provisions of this

regulation;

c) order the controller or processor to comply with the requests

presented by the data subject in order to exercise their rights under the

this regulation;

d) order the controller or processor to put the data processing operations

processing in accordance with the provisions of these regulations, if applicable,
in a specific manner and within a specified timeframe;

e) order the controller to communicate to the data subject a

personal data breach;

f) impose a temporary or permanent limitation, including a ban, on the

treatment;

g) order the rectification or erasure of personal data or the

restriction of processing in application of Articles 16, 17 and 18 and the notification of these
________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
the survey no. [...] carried out at Company A 17/25 measures to the recipients to whom the personal data have been

disclosed in accordance with Article 17, paragraph 2, and Article 19;

h) withdraw a certification or order the certification body to withdraw a
certification issued in application of Articles 42 and 43, or order the

certification not to issue certification if the requirements applicable to the

certification are not or no longer satisfied;

i) impose an administrative fine in application of Article 83, in addition to or
the place of the measures referred to in this paragraph, depending on the characteristics

specific to each case;

j) order the suspension of data flows addressed to a recipient located in a

third country or to an international organization. "

71. Article 83 of the GDPR provides that each supervisory authority ensures that fines
administrative requirements are, in each case, effective, proportionate and

dissuasive, before specifying the elements that must be taken into account in deciding

whether to impose an administrative fine and to decide on the amount of this
fine:

(a) the nature, gravity and duration of the breach, taking into account the nature, extent or

the purpose of the processing concerned, as well as the number of data subjects

affected and the level of damage they suffered;

(b) whether the violation was committed willfully or negligently;

c) any measures taken by the controller or processor to mitigate the

damage suffered by the persons concerned;

d) the degree of responsibility of the controller or processor, account

taking into account the technical and organizational measures they have implemented in accordance with the

Articles 25 and 32;

e) any relevant breach previously committed by the controller or

the subcontractor ;

f) the degree of cooperation established with the supervisory authority in order to remedy the violation

and mitigate any negative effects;
________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
18/25 g) the categories of personal data affected by the breach;

h) the manner in which the supervisory authority became aware of the breach, in particular whether,

and to what extent the controller or processor has notified the
violation;

(i) where measures referred to in Article 58 (2) have previously been

ordered against the controller or the processor concerned for the

same object, compliance with these measures;

j) the application of codes of conduct approved in accordance with Article 40 or
certification mechanisms approved under Article 42; and

k) any other aggravating or mitigating circumstance applicable to the circumstances of

the species, such as financial benefits obtained or losses avoided, directly or

indirectly, as a result of the violation ”.

72. The restricted panel would like to point out that the facts taken into account in the context of the

this decision are those noted at the start of the investigation. Any

subsequent changes relating to the subject of the investigation, even if they

allow compliance to be fully or partially established, do not allow
retroactively cancel a breach found.

73. Nevertheless, the steps taken by the inspected to comply with

the GDPR during the investigation procedure or to remedy the shortcomings identified

by the head of investigation in the statement of objections, are taken into account by the
limited training in the context of any corrective measures to be taken.

B. In this case

1. As to the imposition of an administrative fine

74. In his additional letter to the statement of objections of 10 August 2020, Chief

of investigation proposes to the restricted formation to pronounce against the controlled a
administrative fine relating to the amount of 15,000 euros.

75. In his letter of September 17, 2020, the inspected maintains “that the proposed sanction

to Restricted Training is not in line with the grievances invoked ”.

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
19/2576. In order to decide whether to impose an administrative fine and to decide, if

if applicable, the amount of this fine, the restricted committee analyzes the criteria

by Article 83.2 of the GDPR:

- As to the nature and seriousness of the violation [article 83.2 a) of the GDPR], with regard to

breaches of Articles 38.1, 38.3, 39.1 a) and 39.1 b) of the GDPR, training

restricted notes that the appointment of a DPO by an organization cannot be efficient

and effective, namely to facilitate compliance with the GDPR by the organization, only in the event that the
DPD is involved from the earliest possible stage in all questions relating to the

data protection, exercise their functions and missions in complete independence, exercise

effectively its missions, including the information and advice of the manager

processing and the task of monitoring compliance with the GDPR.

- As for the duration criterion [article 83.2.a) of the GDPR], the restricted committee notes that the

controlled indicated, in its letter of September 17, 2020:

(1) That it was decided to take measures in September 2020 to formalize

involving the DPO in all matters relating to data protection. The
breach of Article 38.1 of the GDPR therefore lasted over time, at least between

May 25, 2018 and September 2020;

(2) That the DPO has been attached to [...] since March 2019 and that it was decided to take

measures in September 2020 to formalize the possibility for the DPO, if he
considers it necessary, "to contact the Chief Executive Officer directly in order to

escalate any problem to him ”. The breach of Article 38.3 of the GDPR therefore

lasted at least between May 25, 2018 and September 2020.

(3) That it was decided to put in place "an audit and control strategy by
the development in 2020 of a control plan. "The breach of section 39.1. b) from

GDPR therefore lasted over time, at least between May 25, 2018 and September

2020.

Regarding the mission of information and advice, the limited training falls under

that it emerges from the audit report that the audited party indicated that formal reporting was
implemented in May 2019. The breach of Article 39.1.a) of the GDPR therefore lasted for

at least between May 25, 2018 and May 2019.

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
20/25 - As to the number of data subjects affected by the violation and the level of

damage they have suffered [article 83.2 a) of the GDPR], the restricted training recalls the

findings made in point 24 of this decision, namely that the audited account
approximately […] collaborators (according to the investigation file), […].

- As for the degree of cooperation established with the supervisory authority [Article 83.2 f) of the GDPR],

the restricted training takes into account the assertion by the head of the investigation that the

Controlled demonstrated constructive participation throughout the investigation.

- As to the categories of personal data affected by the violation

[article 83.2 g) of the GDPR], the restricted training takes into account the fact that the inspected

has an internal service […].

77. The restricted committee notes that the other criteria of Article 83.2 of the GDPR are not
neither relevant nor likely to influence his decision on whether to impose a fine

administrative and its amount.

78. The restricted committee notes that if several measures have been decided by the inspected

in order to remedy in whole or in part certain shortcomings, these have not been
decided that following the launch of the investigation by CNPD agents on

17 September 2018 (see also point 72 of this decision).

79. Therefore, the restricted panel considers that the imposition of an administrative fine

is justified with regard to the criteria set out in Article 83.2 of the GDPR for breach of

Articles 38.1, 38.3, 39.1 a) and 39.1 b) of the GDPR.

80. Regarding the amount of the administrative fine, the restricted panel recalls that

Article 83.3 of the GDPR provides that in the event of multiple violations, as is the case in

the case, the total amount of the fine may not exceed the amount set for the violation

worse. To the extent that a breach of Articles 38.1, 38.3, 39.1 a) and 39.1 b)
of the GDPR is criticized for the inspectorate, the maximum amount of the fine that can be retained

amounts to 10 million euros or 2% of global annual turnover, the most

high being withheld.

81. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the training
Restricted considers that the imposition of a fine of 15,000 euros appears at the same time

effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
21/25 2. As to the taking of corrective measures

82. In his additional letter to the statement of objections, the head of the investigation

suggests that the restricted group take the following corrective measures:

"A) Order the implementation of measures ensuring the formalized association and

documented by the DPO in all matters relating to data protection,

in accordance with the requirements of Art.38 para.1 GDPR and the principle of

"Accountability". Although several ways can be considered to achieve
this result, one of the possibilities could be to analyze, with the DPO, all the

relevant committees / working groups with regard to data protection and

formalize in writing the terms of his intervention (previous information from the agenda

meetings, invitation, frequency, permanent member status, etc.). It is to be remembered
that the presence of the DPO in the various committees / working groups should enable him to be

directly and fully informed, but that this presence does not mean that the DPO has

necessarily a decision-making role.

b) Order the establishment and maintenance of a formal mechanism ensuring
the autonomy of the DPO in accordance with the requirements of Article 38 (3) of the GDPR.

Several ways can be envisaged to achieve this result, such as

attach the DPD to the highest level of management in order to guarantee as much as possible

autonomy or to create a formal and regular direct reporting line, as well as a
formal emergency escalation mechanism to management to bypass the

intermediate hierarchical level (s) on the initiative of the DPO.

c) Order the formal and documented deployment of the DPD's control mission

in accordance with Article 39 paragraph 1 b) of the GDPR and the principle of “accountability”.
Although several ways can be implemented to achieve this result, the

DPD should document its controls on the application of internal rules and procedures

data protection (second line of defense). This documentation

could take the form of a control plan followed by control and audit reports. "

83. As to the corrective measures proposed by the head of the investigation and by reference to point

73 of this decision, the restricted committee takes into account the procedures

carried out by the inspected in order to comply with the provisions of articles 38.1, 38.3, and

39.1 b) of the GDPR, as detailed in his letter September 17, 2020. More
in particular, it takes note of the following facts:

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
22/25 - With regard to the violation of article 38.1 of the GDPR, measures have been

decided by the inspectorate in order to ensure the involvement of the DPO in all questions

relating to data protection. Indeed, the inspected decided to "formalize
monthly meetings between the DPO and the heads of departments that process the most data

personal […] (…) as well as biannual meetings with the other heads of

services "and add" as an annex to the general data management policy, a
form allowing each person in charge of a project to deal with the DPO the

question of data protection. ”However, the limited training does not have

no documentation to demonstrate that such enforcement measures have been taken

in conformity by the inspected. The restricted training therefore considers that
pronounce the corrective measure proposed by the head of investigation under a).

- With regard to the violation of article 38.3 of the GDPR, the inspected recalls that the

DPD has been attached to [...] since March 2019 and indicates that the following indication will be
added to the general policy for the management of personal data

Company A: "the DPO, if he considers it necessary, can directly contact the

General Manager of Company A in order to report any problem to him.

restricted party considers that such a measure would allow the DPO, if he considers
necessary, bypass the intermediate hierarchical levels. Nevertheless, the

restricted training does not have the documentation to demonstrate that

this compliance measure was taken by the inspected. Restricted training

therefore considers that the corrective measure proposed by the
head of investigation under b).

- With regard to the violation of Article 39.1 b) of the GDPR, the inspector indicates that he
was decided "to put in place an audit and control strategy by developing

in 2020 of a control plan ”. However, the restricted formation does not have

the documentation to demonstrate the implementation of this implementation measure

in conformity by the inspected. The restricted training therefore considers that
to pronounce the corrective measure proposed by the head of investigation under c).

84. With regard to the violation of Article 39.1 a) of the GDPR, taking into account the findings

made in points 55 and 56 of this decision, the restricted committee considers that there
place to order the implementation of corrective measures to ensure that the DPO

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
23/25 exercises, in a formal and documented manner, its mission of information and advice with regard to

of the controller.

In view of the foregoing developments, the National Commission sitting

in restricted formation and deliberating unanimously decides:

- to retain the breaches of articles 38.1, 38.3, 39.1 a) and 39.1 b) of the GDPR;

- to pronounce against Company A an administrative fine in the amount of fifteen

one thousand euros (15,000 euros) with regard to the violation of articles 38.1, 38.3, 39.1 a) and 39.1 b)

of the GDPR;

- to issue an injunction against Company A to comply with

Article 38.1 of the GDPR, within four months of the notification of the decision to

the restricted training, the proof of compliance to be sent to the
restricted training at the latest within this period, in particular:

ensure the formal and documented association of the DPO with all questions relating to
data protection;

- to issue an injunction against Company A to comply with

Article 38.3 of the GDPR, within four months of the notification of the decision to
the restricted training, the proof of compliance to be sent to the

restricted training at the latest within this period, in particular:

ensure the establishment and maintenance of a formal mechanism guaranteeing autonomy
of the DPD;

- to issue an injunction against Company A to comply with

Article 39.1 b) of the GDPR, within four months of notification of the decision
of the restricted training, proof of compliance to be sent to the

restricted training at the latest within this period, in particular:

ensure the formal and documented deployment of the DPD's control mission;
________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
24 / 25- to issue an injunction against Company A to comply with

Article 39.1 a) of the GDPR, within four months of notification of the decision

of the restricted training, proof of compliance to be sent to the
restricted training at the latest within this period, in particular:

ensure that the DPO exercises, in a formal and documented manner, his mission of information and

advice to the controller.

So decided in Belvaux on June 11, 2021.

For the National Commission for Data Protection sitting in a restricted body

Tine A. Larsen Thierry Lallemang Marc Lemmer
President Commissioner Commissioner

Indication of remedies

This administrative decision may be the subject of an appeal for reformation within three

months following its notification. This appeal is to be brought before the administrative tribunal and must

must be introduced through a lawyer at the Court of one of the Bar Associations.

________________________________________________________________________

Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A 25/25

@@ Line 54: / Line 54: @@
 }}
-The CNPD fined a logistics company €15,000 because they had not ensured that the DPO be able to exercise their tasks in compliance with Articles 38(1), 38(3), 39(1)(a) and 39(1)(b) GDPR.
+The Luxembourg DPA fined a logistics company €15,000 for failing to ensure that its DPO could exercise the tasks outlined in Articles 38(1), 38(3), 39(1)(a) and 39(1)(b) GDPR, including because the DPO was not invited to all relevant meetings, and did not report directly to the highest level of management.
 == English Summary ==
@@ Line 60: / Line 60: @@
 === Facts ===
 The Luxembourgish Data Protection Authority (CNPD) conducted an investigation at a logistics company within the framework of a global investigation campaign on the function of Data Protection Officer (DPO) in both private and public sectors.
 === Dispute ===
 Did the logistics company meet the legal requirements regarding the function of DPO?
 === Holding ===
-Following this investigation, the CNPD found:
+Following their investigation at the company, the CNPD found:
-) that the company's DPO did not seem to be invited to all relevant meetings for them and that it therefore could not be considered that they were involved properly and in a timely manner in all issues which relate to the protection of personal data as required by Article 38(1) GPDR;
-) that the DPO did not report directly to the highest level of management at the company, thus not ensuring that the DPO could act without receiving any instructions regarding the exercise of their tasks pursuant to Art. 38(3) GPDR;
+# that the company's DPO did not seem to be invited to all relevant meetings for them and that it therefore could not be considered that they were involved properly and in a timely manner in all issues which relate to the protection of personal data as required by Article 38(1) GDPR;
-) that, though it could reasonably be expected that the DPO did a formal and frequent reporting on their activities to the management, such a reporting had not been set up and that the company therefore did not meet the requirements of [[Article 39 GDPR#1a|Article 39(1)(a) GDPR]] which states that the DPO should inform and advise the controller;
+# that the DPO did not report directly to the highest level of management at the company, thus not ensuring that the DPO could act without receiving any instructions regarding the exercise of their tasks pursuant to Art. 38(3) GDPR;
-) that the company had not been able to demonstrate that they had an audit plan for the year, thus violating Article 39(1)(b) GPDR regarding the DPO's duties to monitor compliance with GPDR.
+# that, though it could reasonably be expected that the DPO did a formal and frequent reporting on their activities to the management, such a reporting had not been set up and that the company therefore did not meet the requirements of Article 39(1)(a) GDPR which states that the DPO should inform and advise the controller;
+# that the company had not been able to demonstrate that they had an audit plan for the year, thus violating Article 39(1)(b) GDPR regarding the DPO's duties to monitor compliance with GDPR.
 In view of those violations, the CNPD:
-- imposed an administrative fine of fifteen thousand euros (15.000€) on the company;
-- ordered them to comply with Articles 38(1), 38(3), 39(1)(a) and 39(1)(b) GDPR within four months of the notification of the decision.
+* imposed an administrative fine of fifteen thousand euros (€15,000) on the company;
+* ordered them to comply with Articles 38(1), 38(3), 39(1)(a) and 39(1)(b) GDPR within four months of the notification of the decision.
 == Comment ==