CNPD (Luxembourg) - Délibération n° 38FR/2021
Revision as of 17:44, 25 June 2022
| CNPD (Luxembourg) - n° 38FR/2021 | |
|---|---|
| Authority: | CNPD (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 37(7) GDPR, Article 38(1) GDPR, Article 38(2) GDPR, Article 39(1)(b) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 15.10.2021 |
| Published: | |
| Fine: | 18,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | n° 38FR/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | CNPD (in FR) |
| Initial Contributor: | Florence D'Ath |
Following an audit, the Luxembourg DPA (CNPD) imposed a fine of €18,000 on a public entity because of four breaches relating to the role and position of its Data Protection Officer (DPO), and issued an injunction against that public entity to bring its practices into compliance with the GDPR.
English Summary
Facts
In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the role of the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR).
One of these audit proceedings concerned a Luxembourg public entity (hereafter, the controller). During the audit, the head of investigation of the CNPD found that:
(1) the controller had failed to publish the contact details of its DPO on its website in a way that made them easily accessible to data subjects, in breach of Article 37(7) GDPR. In particular, the contact details were not easy to find and were only accessible in English. The controller decided to address this issue in the course of the investigation and published the contact details of the DPO in another language on its website;
(2) the controller had appointed an external DPO - a lawyer specialised in data protection law - on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, in compliance with Article 37(5) GDPR;
(3) the controller had failed to ensure that the DPO was involved, properly and in a timely manner, in all issues which relate to the protection of personal data, in breach of Article 38(1) GDPR;
(4) the controller had failed to implement the necessary control procedures that would have allowed the external DPO to duly monitor the compliance of the controller's data processing practices with the GDPR, in breach of Article 39(1)(b) GDPR;
(5) the controller had failed to allocate to the external DPO the necessary resources for the latter to carry out his/her tasks, in breach of Article 38(2) GDPR;
(6) the controller was not responsible for a (potential) conflict of interest of the external DPO under Article 38(6) GDPR, the latter being an external DPO and a lawyer subject to the Luxembourg law of 10 August 1991 on the profession of attorney and to deontological rules.
Holding
Following the audit and the report from the head of investigation, the CNPD found that the controller had been in breach of four distinct obligations relating to the role of the DPO under the GDPR, as specified below.
Regarding the breach of Article 37(7) GDPR, the CNPD considered that the contact details of the DPO were not easy to find on the website of the controller, and were only accessible in English, and not in any of the official languages of the Grand Duchy of Luxembourg. Despite this issue having been addressed by the controller in the course of the investigation, the CNPD considered that there had been a breach of Article 37(7) GDPR.
Regarding the breach of Article 38(1) GDPR, the CNPD considered that the DPO had not been sufficiently involved in all issues relating to data protection law. In particular, the CNPD pointed out that the external DPO could not intervene on his own initiative but only acted when requested to do so by the controller. The fact that the controller decided, in the course of the investigation, to also appoint an internal DPO who is more regularly involved in all issues relating to data protection does not remedy this initial breach. The CNPD therefore concluded that the controller was in breach of Article 38(1) GDPR at the time of the investigation.
Regarding the breach of Article 39(1)(b) GDPR, the CNPD concurred with the opinion of the head of the investigation, according to which the controller had failed to implement the necessary control procedures that would have allowed the external DPO to duly monitor the compliance of the controller's data processing practices with the GDPR. The CNPD acknowledged that it is possible for an organisation to rely on the services of an external DPO, such as a lawyer, for monitoring compliance with the GDPR. However, the CNPD specified that the role of the external DPO must then be formalised in the form of a control plan or monitoring procedures, to ensure that the DPO is able to effectively advise and accompany the organisation for the purpose of data protection compliance. Because no such control plan or monitoring procedures had been put in place at the time the investigation was initiated, the CNPD concluded that the controller had breached Article 39(1)(b) GDPR.
Regarding the breach of Article 38(2) GDPR, the CNPD found that the controller had failed to allocate to the external DPO the necessary resources for the latter to be able to carry out his/her tasks. In particular, the CNPD noted that the number of hours the DPO worked for the controller did not amount to a full-time employee. Rather, the DPO usually worked between 20 and 108 hours every month, which amounts to 12.5% to 70% of a full-time employee. Although the controller addressed this issue by hiring another DPO in the course of the investigation, the CNPD concluded that the controller had been in breach of Article 38(2) GDPR prior to this change.
For all these reasons, the CNPD issued an injunction against the controller to bring its practices into compliance with the GDPR for the remaining breaches (with a deadline of 6 months for remedying those breaches), and also imposed an administrative fine of €18,000 on the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of investigation No. [...] conducted with public establishment A

Deliberation n° 38FR/2021 of October 15, 2021

The National Commission for Data Protection sitting in restricted formation, composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC;

Having regard to the law of 1 August 2018 on the organization of the National Commission for Data Protection and the general data protection regime, in particular Article 41 thereof;

Having regard to the internal regulations of the National Commission for Data Protection adopted by decision n° 3AD/2020 dated 22 January 2020, in particular its article 10.2;

Having regard to the regulations of the National Commission for Data Protection relating to the investigation procedure adopted by decision n° 4AD/2020 dated 22 January 2020, in particular its article 9;

Considering the following:

I. Facts and procedure

1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and the importance of its integration into the body, and considering that the guidelines concerning DPOs have been available since December 2016 (the guidelines for DPOs were adopted by the "Article 29" working group on 13 December 2016; the revised version, WP 243 rev. 01, was adopted on April 5, 2017), i.e. 17 months before the entry into application of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: the "GDPR"), the National Commission for Data Protection (hereinafter: the "National Commission" or the "CNPD") decided to launch a thematic investigation campaign on the function of the DPO. Thus, 25 audit procedures were opened in 2018, involving both the private and public sectors.

2. In particular, the National Commission decided by deliberation n° [...] of September 14, 2018 to initiate an investigation in the form of a data protection audit of public establishment A, established in L-[...], and registered in the trade and companies register under number J [...] (hereafter: the "controlled") and to designate Mr. Christophe Buschmann as head of the investigation. The said deliberation specifies that the investigation relates to the compliance of the controlled with section 4 of chapter 4 of the GDPR.

3. The controlled is a public establishment [...] under the supervision of the Ministry [...]. [...] The controlled has as mission [...]

4. By letter of September 17, 2018, the head of the investigation sent a preliminary questionnaire to the controlled, to which the latter replied by letter of October 5, 2018. A first on-site visit took place on January 24, 2019, a second on-site visit took place on 27 May 2019 and additional information was received on July 23, 2019. Following these exchanges, the head of the investigation drew up audit report no. [...] (hereafter: the "audit report").

5. It emerges from the audit report that, in order to verify the compliance of the controlled with section 4 of Chapter 4 of the GDPR, the head of the investigation defined eleven control objectives, namely:
1) Ensure that the body subject to the obligation to appoint a DPO has done so;
2) Ensure that the organization has published the contact details of its DPO;
3) Ensure that the organization has communicated the contact details of its DPO to the CNPD;
4) Ensure that the DPO has sufficient expertise and skills to carry out his missions effectively;
5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest;
6) Ensure that the DPO has sufficient resources to effectively carry out his missions;
7) Ensure that the DPO is able to carry out his missions with a sufficient degree of autonomy within the organization;
8) Ensure that the organization has put in place measures to ensure that the DPO is associated with all matters relating to data protection;
9) Ensure that the DPO fulfils his mission of information and advice to the data controller and employees;
10) Ensure that the DPO exercises adequate control over data processing within his body;
11) Ensure that the DPO assists the data controller in carrying out impact analyses in the event of new data processing.

6. By letter of February 14, 2020 (hereafter: the "statement of objections"), the head of the investigation informed the controlled of the breaches of the obligations provided for by the GDPR that he had noted during his investigation. The audit report was attached to the letter of February 14, 2020.

7. In particular, the head of the investigation noted in the statement of objections breaches of:
the obligation to publish the contact details of the DPO (objective 2);
the obligation to appoint the DPO on the basis of his professional qualities (objective 4);
the obligation to involve the DPO in all matters relating to the protection of personal data (objective 8);
the obligation to provide the necessary resources to the DPO (objective 6);
the obligation to ensure that the other missions and tasks of the DPO do not lead to a conflict of interest (objective 5);
the DPO's control mission (objective 10).

8. On August 10, 2020, the head of the investigation sent the controlled an additional letter to the statement of objections (hereinafter: the "additional letter to the statement of objections") by which he informs the controlled of the corrective measures proposed by the head of the investigation to the National Commission sitting in restricted formation (hereinafter: the "restricted formation") for adoption.

9. The controlled replied to the additional letter to the statement of objections with a letter dated September 14, 2020 in which it presents its observations for each breach retained by the head of the investigation.

10. In addition, the controlled, on October 28, 2020, requested access to the investigation file concerning it. Access to the investigation file was sent to it by the National Commission on 9 November 2020.

11. The president of the restricted formation informed the controlled by letter of April 12, 2021 that its case would be entered at the restricted formation session of June 16, 2021 and that it could attend this session. The controlled informed by email of May 25, 2021 that it would participate in said session.

12. During the restricted formation session of June 16, 2021, the head of the investigation and the controlled presented their oral observations on the case and answered the questions posed by the restricted formation. The controlled had the floor last.

13. The controlled provided additional information by email of June 17, 2021, following a request to that effect from the restricted formation.

II. Place

A. On the failure to publish the contact details of the DPO

1. On the principles

14. Article 37.7 of the GDPR provides for the obligation for the audited body to publish the contact details of the DPO. Indeed, it follows from Article 38.4 of the GDPR that the data subjects must be able to contact the DPO regarding any questions relating to the processing of their personal data and the exercise of the rights conferred on them by the GDPR.

15. The DPO guidelines explain in this regard that this requirement is aimed at ensuring that "the persons concerned (both inside and outside the organization) can easily and directly contact the DPO without having to contact another service of the body". The guidelines also state that "the contact details of the DPO must contain information allowing the data subjects to contact him easily (a postal address, a specific telephone number and/or a specific e-mail)" (WP 243 rev. 01, version revised and adopted on April 5, 2017, p. 15).

16. In addition, Article 12.1 of the GDPR provides that the controller must take appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR regarding the processing to the data subject in a concise, transparent, understandable and easily accessible manner, in clear and simple terms. Among the information which must be sent to the person concerned is the information relating to the contact details of the DPO, in accordance with Articles 13.1.b) and 14.1.b) of the GDPR.

2. In the present case

17. It follows from the audit report that, in order for the head of the investigation to consider objective 2 as reached by the controlled as part of this audit campaign, the head of the investigation expects that the audited body publish the contact details of its DPO internally within the body and externally to the public, which represents the data subjects of the processing. The DPO must be able to be contacted easily and directly by those concerned via a suitable communication channel. Active internal communication is expected, notably via emails, newsletters or dedicated spaces on the intranet. Externally, it is at least expected that the DPO's contact details are easily accessible on the website of the body.

18. It is apparent from the statement of objections that, during the first visit by the staff of the CNPD in charge of the investigation on January 24, 2019, the DPO's contact details were difficult to find on the website of the controlled insofar as, on the one hand, the website did not contain any section dedicated to data protection and, on the other hand, the information notice relating to data protection was only available in English, without translation into any of the official languages of Luxembourg.

19. The controlled made changes during the investigation in order to remedy this problem. In fact, it initially created a data protection section on its website and, in a second step, added links to download French and German versions of the information leaflet in PDF format.

20. The head of the investigation therefore concluded in the statement of objections that, during the investigation, the DPO's contact details had become more easily accessible to the persons concerned.

21. However, as explained on page 2 of the statement of objections, "[t]he facts taken into account in the context of this [statement of objections] are those noted at the beginning of the investigation. Subsequent changes, even if they ultimately allow to establish the compliance of the controller, do not allow the cancellation of a breach found."

22. In this context, the restricted formation notes that the GDPR has been applicable since 25 May 2018, so that the obligation to publish the contact details of the DPO, as well as the principle of transparency as set out in Article 12.1 of the GDPR, have existed since that date. Publishing the contact details of the DPO on a website without taking the necessary measures to ensure that the people concerned are able to find the information and understand it amounts to rendering meaningless the obligation of Article 37.7 of the GDPR.

23. In view of the above, the restricted formation concludes that Article 37.7 of the GDPR has not been respected by the controlled.

B. On the failure to appoint the DPO on the basis of his professional qualifications

1. On the principles

24. According to article 37.5 of the GDPR, "[the DPO] is appointed on the basis of his professional skills and, in particular, his specialized knowledge of the law and in terms of data protection [...]".

25. According to recital (97) of the GDPR, "[t]he level of specialist knowledge required should be determined in particular on the basis of the data processing operations carried out and the protection required for the personal data processed by the controller or processor".

26. In addition, the guidelines of the "Article 29" Working Group concerning DPOs specify that the level of expertise of the DPO "must be proportionate to the sensitivity, the complexity and the volume of data processed by an organization" and that "it is necessary that the DPOs have expertise in the field of national laws and practices in terms of data protection, as well as in-depth knowledge of the GDPR" (WP 243 rev. 01, version revised and adopted on April 5, 2017, pp. 13-14).

27. The DPO guidelines go on to state that "[t]he knowledge of the line of business and of the body of the controller is useful. The DPO should also have a good understanding of the processing operations carried out, as well as of the information systems and the controller's needs in terms of data protection and security" (WP 243 rev. 01, version revised and adopted on April 5, 2017, p. 14).

2. In this case

28. It follows from the audit report that, as part of this audit campaign, for the head of the investigation to consider objective 4 as achieved by the controlled, the head of the investigation expects that the DPO has at least three years of professional experience in data protection.

29. According to the statement of objections, page 3, on the date of the initiation of the audit, a DPO was in office and "[he] had all the skills required in legal matters (lawyer registered with the Luxembourg Bar) and data protection (CIPP/E certificate)".

30. A new internal DPO was however appointed during the investigation in April 2019. According to the statement of objections, page 3, this new internal DPO "is also responsible [...] and he has knowledge of the domain and the structure. Nevertheless, it is advisable to note that he has no initial training in legal matters, data protection and IT, nor does he justify a previous practice in the matter".

31. In its position paper of September 14, 2020, the controlled wished to underline the difficulties it had to face in recruiting a DPO with the right profile, namely an experienced person with knowledge of the operation of the [...] sector. The controlled's board of directors qualifies the first external recruitment as a "failed attempt" and chose to appoint as DPO an experienced internal employee able to understand the challenges of the [...] sector and the regulatory complexity that characterizes it. The controlled considers that this knowledge of the trade is an important and priority criterion in view of its specific sector. The controlled adds that the new internal DPO has taken several training courses in data protection between 2017 and 2019, that regular weekly coaching with the assistance of a law firm specializing in data protection has been in place since April 2019 and that the DPO has participated monthly since December 2018 in the sessions of the informal public sector working group [...]. In addition, the DPO has the opportunity to rely daily, for the performance of his missions, on the contribution of the teams [...] and on the IT department, on the legal department, on the risk management expert and on any other internal resource deemed useful. Since September 2017, the controlled has set up "GDPR points of contact", consisting of the designation of a few people belonging to the different trades of the controlled to act as relays of the DPO (Report of the visit of January 24, 2019, page 3).

32. The restricted formation notes that, according to the head of the investigation, the training courses relating to data protection which the internal DPO has attended since his appointment, as well as the fact that he has access to a number of internal and external supports in the execution of his missions, cannot be sufficient to establish, at the time of the appointment of the new internal DPO, the existence of sufficient expertise adapted to the needs of the controlled in terms of data protection (statement of objections, page 3).

33. However, as noted on page 2 of the statement of objections, "[t]he facts taken into account in the context of this [statement of objections] are those observed at the start of the investigation".

34. However, the restricted formation noted that at the start of the investigation, an external DPO was in function and, as noted by the head of the investigation and repeated in point 29 of this decision, he had all the required skills in legal matters and data protection.

35. In view of the foregoing, the restricted formation concludes that there is no need to retain a breach of Article 37.5 of the GDPR.

C. On the breach of the obligation to involve the DPO in all matters relating to the protection of personal data

1. On the principles

36. According to Article 38.1 of the GDPR, the organization must ensure that the DPO is involved, in an appropriate and timely manner, in all matters relating to the protection of personal data.

37. The DPO Guidelines state that "[i]t is essential that the DPO, or his team, is involved from the earliest possible stage in all questions relating to data protection. [...] Information and consultation of the DPO from the start will facilitate compliance with the GDPR and encourage an approach based on data protection by design; it should therefore be a usual procedure within the governance of the organization. In addition, it is important that the DPO is considered as an interlocutor within the organization and that he or she is a member of the working groups dedicated to data processing activities within the organization" (WP 243 rev. 01, version revised and adopted on April 5, 2017, page 16).

38. The DPO guidelines provide examples of how to ensure this association of the DPO, such as: invite the DPO to participate regularly in senior and intermediate management meetings; recommend the presence of the DPO when decisions with implications for data protection matters are taken; always take due account of the opinion of the DPO; immediately consult the DPO when a data breach or other incident occurs.

39. In addition, according to the guidelines for DPOs, the body could, if appropriate, develop guidelines or programs for data protection indicating the processing operations in which the DPO must be consulted.

2. In this case

40. It emerges from the audit report that, in order for the head of the investigation to consider objective 8 as completed by the controlled as part of this audit campaign, he expects that the DPO participates in a formal manner and on the basis of a defined frequency in the Management Committee, project coordination committees, new product committees, safety committees or any other committee deemed useful in the context of data protection.

41. According to the statement of objections, page 4, the external DPO who was in office at the start of the audit had a role that was characterized as essentially "reactive". "[His] involvement was therefore relatively limited. He intervened mainly at the explicit request of the controller and not spontaneously". The audit report, page 9, specifies that the involvement of the external DPO was characterized more particularly by a "low participation in recurring meetings, only by invitation when the need was estimated".

42. In its position paper of September 14, 2020, page 6, the controlled considers that the description by the head of the investigation of the essentially reactive role of the external DPO at the start of the investigation is inaccurate and amounts to minimizing the involvement of the external DPO, as certified by the record of hours worked on several projects [...].

43. The new internal DPO, for his part, participates more easily in the various project meetings. Feedback is facilitated by proximity and by the various relays in place in the structure. In addition, according to the audit report, page 9, the internal DPO is a standing guest of the controlled's executive committee (frequency every two weeks) and a systematic "GDPR" point is on the agenda of each board of directors meeting, which takes place every three months. However, according to the audit report, page 9, a precise circuit concerning the opinions to be rendered by the DPO is not yet clearly defined, due to the recent designation of the internal DPO.

44. In its position statement of September 14, 2020, the controlled informs the CNPD about the establishment of an internal process ([...]) to formalize and document the DPO's involvement in questions relating to data protection. This internal process is implemented systematically for each new activity [...] of the controlled and aims to allow: prior documentation and systematic feedback to the DPO before the implementation of the processing operations of the controlled, and this at the latest at the time of the putting in place of contracts; the upstream identification of sensitive data protection points; the upstream review of information notices and consent forms distributed [...]; raising awareness among operational teams and exchanges with them, with a view to privacy by design; and planning or carrying out data protection impact analyses.

45. The audit report also specifies that the involvement of the DPO in matters of data protection is also carried out on the initiative of the teams or of the DPO himself as part of the documentary review, the co-signing of contracts relating to data protection, the design of the controlled's projects, assistance to internal teams in carrying out impact analyses and the participation of the DPO in the executive committee as a permanent guest.

46. The restricted formation takes note of the establishment by the controlled of an internal process for formalizing and documenting the involvement of the new internal DPO in matters relating to data protection.
While these measures should facilitate the involvement of the internal DPO in all matters relating to data protection, it must nevertheless be noted that they were decided during the investigation.

47. Indeed, as explained on page 2 of the statement of objections, "[t]he facts taken into account in the context of this [statement of objections] are those noted at the start of the investigation. Subsequent changes, even if they ultimately make it possible to establish the controller's compliance, do not allow the cancellation of a breach that has been found."

48. The restricted panel is of the opinion that the audited body did not sufficiently demonstrate the involvement of the external DPO in office at the start of the investigation, in an appropriate and timely manner, in all matters relating to data protection.

49. Consequently, the restricted panel agrees with the finding of the head of investigation that, at the start of the investigation, the controller was not able to demonstrate that the external DPO was appropriately involved in all matters relating to the protection of personal data.

50. In view of the above, the restricted panel concludes that Article 38.1 of the GDPR was not complied with.

D. On the breach relating to the DPO's monitoring task

1. On the principles

51. According to Article 39.1 b) of the GDPR, the DPO has, among others, the task of "monitor[ing] compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits".
Recital (97) specifies that the DPO should assist the organisation in monitoring internal compliance with the GDPR.

52. It follows from the DPO Guidelines that the DPO may, as part of its monitoring tasks, in particular:[15]
- collect information to identify processing activities;
- analyse and check the compliance of processing activities;
- inform, advise and issue recommendations to the controller or processor.

2. In this case

53. It emerges from the audit report that, for the head of investigation to consider objective 10 as met by the audited body in the context of this audit campaign, he expects that "[t]he organisation has a formalised data protection control plan (even if it has not yet been executed)".

54. According to the statement of objections, page 5, "it emerged from the investigation that the organisation has no formalised controls specific to data protection. In a logic of day-to-day management of data protection, and given the volume of data processed and the sensitivity of some of these data (see preliminary remarks), it is considered that the DPO's monitoring tasks should be better formalised, for example through the establishment of a control plan".

55. In its position paper of September 14, 2020, the audited body indicates that the verification of the controller's compliance with the GDPR is ensured through the implementation of the following means:
- the legal review of the audited body's register of processing activities by a law firm specialising in data protection, from January to October 2019;
- an internal audit subcontracted to an audit firm, covering organisational aspects;
- an external audit carried out by an audit firm, in order to assess the compliance of the audited body [...].

[15] WP 243 rev.01, version revised and adopted on April 5, 2017, page 20.

56. The restricted panel notes that Article 39.1 of the GDPR lists the tasks with which the DPO must at least be entrusted, including the task of monitoring compliance with the GDPR, without however requiring the organisation to put in place specific measures to ensure that the DPO can carry out this monitoring task. The DPO Guidelines indicate in particular that the keeping of the register of processing activities referred to in Article 30 of the GDPR may be entrusted to the DPO and that "this register should be considered as one of the tools enabling the DPO to perform its tasks of monitoring compliance with the GDPR, as well as informing and advising the controller or processor".[16]

57. In addition, the restricted panel notes that it is rightly specified on page 2 of the statement of objections (under "preliminary remarks") that "the requirements of the GDPR are not always strictly defined. In such a situation, it is up to the supervisory authorities to verify the proportionality of the measures put in place by controllers with regard to the sensitivity of the data processed and the risks incurred by the data subjects".

58. In this context, the restricted panel is of the opinion that it is possible for an organisation to use external service providers to verify its compliance with the GDPR. However, this recourse to external service providers must be formalised, and it must not result in this task being completely withdrawn from the DPO function.
Indeed, the organisation's DPO must fulfil its role of monitoring compliance with the GDPR by participating in the formalisation of a control plan and by being involved in the performance of that control by external service providers, in particular by following the work carried out, so as then to be able to carry out its advisory and information task under Article 39.1 a) of the GDPR with full knowledge of the facts.

59. In the present case, the audited body did not demonstrate that, at the start of the investigation, a plan for monitoring compliance with the GDPR had been formalised, or that the external DPO then in office was involved in the control carried out by external service providers. Therefore, the restricted panel is of the opinion that the audited body does not sufficiently demonstrate that the external DPO in office at the start of the investigation fulfilled the monitoring task expected by Article 39.1 b) of the GDPR.

[16] WP 243 rev.01, version revised and adopted on April 5, 2017, page 22.

60. In view of the above, the restricted panel concludes that Article 39.1 b) of the GDPR was not complied with by the audited body.

E. On the failure to provide the necessary resources to the DPO

1. On the principles

61. Article 38.2 of the GDPR requires the organisation to support its DPO "in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge".

62. It follows from the DPO Guidelines that the following aspects in particular must be taken into consideration:[17]
- "sufficient time for DPOs to fulfil their duties. This aspect is particularly important where an internal DPO is appointed on a part-time basis or where the external DPO carries out data protection in addition to other duties. Otherwise, conflicting priorities could result in the DPO's duties being neglected. It is essential that the DPO is able to devote sufficient time to his or her tasks. It is good practice to set a percentage of time for the DPO function where it is not performed on a full-time basis. It is also good practice to determine the time needed to carry out the function and the appropriate level of priority for the DPO's duties, and for the DPO (or the organisation) to draw up a work plan;
- necessary access to other services, such as human resources, legal, IT, security, etc., so that DPOs can receive essential support, input and information from those other services."

[17] WP 243 rev.01, version revised and adopted on April 5, 2017, page 17.

63. The DPO Guidelines state that "[i]n general, the more complex or sensitive the processing operations, the more resources must be given to the DPO. The data protection function must be effective and sufficiently well-resourced in relation to the data processing being carried out".

2. In this case

64. It emerges from the audit report that, in view of the size of the organisations selected for this audit campaign, for the head of investigation to consider objective 6 as met by the audited body, he expects the audited body to have at least one FTE (full-time equivalent) for the data protection team. The head of investigation also expects the DPO to have the possibility of relying on other services, such as the legal, IT and security services, etc.

65.
According to the audit report, the external DPO in office at the start of the investigation had an essentially "reactive" role. His hour records range between 20 and 108 hours per month, i.e. between 0.125 FTE and 0.7 FTE.

66. The monthly breakdown of the hours worked by the external DPO is detailed in the report of the on-site visit of May 27, 2019, page 2, as follows: 20 hours in September 2018, 53 hours in October 2018, 57.2 hours in November 2018, 50.4 hours in December 2018, 122.2 hours in January 2019, 103.9 hours in February 2019 and 108.6 hours in March 2019. The restricted panel notes that this amounts to an average of 73.6 hours worked per month over this 7-month period, i.e. an average monthly FTE of 0.46.

67. In view of these elements, the restricted panel understands that the external DPO only began recording hours worked as part of his assignments from September 2018. In addition, most of his hours were worked between January and March 2019.

68. However, the restricted panel recalls that the GDPR entered into force on May 25, 2018. It was therefore from May 2018 that the audited body was obliged to comply with the GDPR by designating a DPO exercising his function effectively and efficiently.

69. The audit report indicates that the new internal DPO estimated the time he devotes to data protection issues at more than 70% of his work, compared with all his tasks. It is also specified that legal support from an external firm has been obtained at the rate of one day a week, since the audited body's sole in-house legal resource can provide only limited support to the internal DPO. The audited body also benefited from the assistance of an audit firm in conducting its "GDPR" roadmap.

70. In the statement of objections, page 4, the head of investigation states that "given the existence of complex or sensitive processing operations (see preliminary remarks), a high level of resources is expected". However, the head of investigation noted that "the new [internal] DPO, who also holds the function of manager [...] for [the audited body], assessed the time devoted to his duties as DPO at more than 70%" and that "the controller was not able to demonstrate the accomplishment of the monitoring tasks. This finding is likely to reveal an inadequacy between the resources and means made available to the DPO and the needs of the controller".

71. In its position paper of September 14, 2020, the audited body indicates that the new internal DPO, also responsible for [...] at the time of his appointment, is now Head of Compliance [...], assisted by four other people for the management of responsibilities related to compliance and risk management. According to the audited body, the presence of these four other people allows the Head of Compliance [...] to concentrate on the DPO function.

72. In addition, to enable the Head of Compliance [...] to take on the role of internal DPO, the audited body has made available a budget allowing him to call on adequate external legal and technical support.

73. Finally, as noted in point 55 of this decision, the audited body indicates in its position paper of September 14, 2020 that the task of monitoring the audited body's compliance with the GDPR is carried out with the help of external providers such as audit firms and specialised lawyers. The audited body is of the opinion that the monitoring task provided for in Article 39.1 b) of the GDPR is ensured and therefore that the resources and means provided for the purpose of such monitoring are adequate to its needs.
74. The restricted panel recalls that, as indicated in the statement of objections, page 2, and already noted in point 21 of this decision, "[t]he facts taken into account in the context of this [investigation] are those observed at the start of the investigation. Subsequent changes, even if they ultimately make it possible to establish the controller's compliance, do not allow the cancellation of a breach that has been found."

75. In addition, the restricted panel agrees with the findings of the head of investigation that "given the existence of complex or sensitive processing operations (see preliminary remarks), a high level of resources is expected" and that "the controller was not able to demonstrate the accomplishment of the monitoring tasks. This finding is likely to reveal a mismatch between the resources and means made available to the DPO and the needs of the controller".

76. Consequently, the restricted panel is of the opinion that the audited body could not adequately demonstrate that it had provided the external DPO in office at the start of the investigation with the resources necessary to enable him to carry out his tasks.

77. In view of the above, the restricted panel concludes that Article 38.2 of the GDPR was not complied with by the audited body.

F. On the breach of the obligation to ensure that the other tasks and duties of the DPO do not give rise to a conflict of interests

1. On the principles

78. According to Article 38.6 of the GDPR, "[the DPO] may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests."
79. The DPO Guidelines specify that "the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data".[18] According to the Guidelines, "as a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise, for example, if an external DPO is asked to represent the controller or processor before the courts in cases involving data protection issues. Depending on the activities, size and structure of the organisation, it can be good practice for controllers or processors: to identify the positions which would be incompatible with the function of DPO; to draw up internal rules to this effect in order to avoid conflicts of interests; to include a more general explanation about conflicts of interests; to declare that their DPO has no conflict of interests with regard to his or her function as DPO, as a way of raising awareness of this requirement; to include safeguards in the internal rules of the organisation; and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid any conflict of interests. In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally."

[18] WP 243 rev.01, version revised and adopted on April 5, 2017, pages 19-20.

2. In this case

80. It follows from the audit report that, for the head of investigation to consider objective 5 as met by the audited body in the context of this audit campaign, he expects that, where the DPO performs other functions within the audited body, these functions do not entail any conflict of interests, in particular through the exercise of functions which would lead the DPO to determine the purposes and means of the processing of personal data. The head of investigation also expects the audited body to have carried out an analysis of the existence of a possible conflict of interests at the level of the DPO.

81. According to the statement of objections, page 5, "[t]he DPO who was in office at the start of the audit was external and a lawyer. There is a principle of managing conflicts of interests."

82. The new DPO, subsequently appointed internally, also exercises the function of [...] manager. The statement of objections notes that "possible conflicts of interests are likely to exist in view of the tasks performed for the two positions. Based on the DPO's comments dated 12/08/2019, there is a policy for managing potential conflicts of interests. However, the analysis of conflicts of interests between two functions performed by the same person within the same [public institution] is not provided for. There is therefore no analysis of potential conflicts of interests between the function of DPO and that of [...] manager. Based on the DPO's comments dated 12/08/2019, the [audited body] will ensure that the various job descriptions concerning the management of data protection aspects are clarified in order to distinguish more clearly between authorities, responsibilities and tasks."

83. In its position paper of September 14, 2020, the audited body indicates that the internal DPO is now Head of Compliance [...] of the organisation. It also specifies that the Head of Compliance and Risk Manager job descriptions have been modified to include more clearly the responsibilities and tasks related to data protection.

84. The audited body's conflict of interests policy was also updated in July 2020, in order to introduce an obligation to analyse the risks of conflict of interests where functions are combined and to have them arbitrated by the audited body's board of directors.

85. The audited body also maintains that the outsourcing of several aspects of the compliance monitoring implemented to date allows it to rule out the risk of conflicts of interests in the monitoring of management-related processes [...]. Indeed, several aspects of the monitoring of the compliance of the audited body's processing operations (in particular those implemented as part of the exercise of the Compliance function) have been entrusted to external service providers, as noted in point 55 of this decision.

86. By email dated June 17, 2021, the audited body sent the restricted panel the conflict of interests policy as updated in July 2020.

87. The restricted panel recalls that, as indicated on page 2 of the statement of objections and already noted in point 33 of this decision, "[t]he facts taken into account in this [investigation] are those noted at the start of the investigation".

88. The restricted panel notes that, at the start of the investigation, the DPO in office was an external DPO who practised as a lawyer within the Luxembourg Bar. The ethical principles to which lawyers of the Luxembourg Bar are subject include the principle according to which a lawyer may neither represent or assist parties with opposing interests, nor represent or assist a client in the event of a conflict with the lawyer's own personal interests.[19] This ethical principle applies to any lawyer registered with the Luxembourg Bar under the amended law of August 10, 1991 on the profession of lawyer and the Internal Rules of the Luxembourg Bar Association as adopted by the Bar Council on January 10, 2013, without there being any obligation on clients to verify the lawyer's compliance with this principle.

89. Therefore, the CNPD is of the opinion that it was not for the controller to check with its external DPO that there was no potential conflict of interests with other clients and/or processors of the audited body; on the contrary, this obligation fell to the external DPO pursuant to the amended law of August 10, 1991 on the profession of lawyer and the rules of professional ethics.

90. In view of the foregoing, the restricted panel concludes that there is no reason to retain a breach of Article 38.6 of the GDPR.

[19] Luxembourg Bar website, "The legal profession", "Deontology": https://www.barreau.lu/le-metier-d-lawyer/deontology
III. On corrective measures and the fine

A. Principles

91. In accordance with Article 12 of the law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, the National Commission has the powers provided for in Article 58.2 of the GDPR:
a) "warn a controller or processor that intended processing operations are likely to infringe the provisions of this Regulation;
b) issue a reprimand to a controller or processor where processing operations have infringed the provisions of this Regulation;
c) order the controller or processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;
d) order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
e) order the controller to communicate a personal data breach to the data subject;
f) impose a temporary or definitive limitation, including a ban, on processing;
g) order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such measures to the recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
i) impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;
j) order the suspension of data flows to a recipient in a third country or to an international organisation."

92. Article 83 of the GDPR provides that each supervisory authority shall ensure that administrative fines are, in each individual case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account in deciding whether to impose an administrative fine and in deciding on its amount:
a) "the nature, gravity and duration of the violation, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;
b) whether the violation was committed intentionally or negligently;
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;
e) any relevant previous violation by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the violation and mitigate its possible adverse effects;
g) the categories of personal data affected by the violation;
h) the manner in which the violation became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the violation;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the violation."

93. The restricted panel would like to point out that the facts taken into account in the context of this decision are those noted at the start of the investigation. Any modifications relating to the subject of the investigation made subsequently, even if they make it possible to establish full or partial compliance, do not allow the retroactive cancellation of a breach that has been noted.

94. Nevertheless, the steps taken by the audited body to comply with the GDPR during the investigation procedure, or to remedy the shortcomings identified by the head of investigation in the statement of objections, are taken into account by the restricted panel when determining any corrective measures and/or setting the amount of any administrative fine to be imposed.
______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° […] carried out with the public establishment A 25/33 B. In the present case 1. As to the imposition of an administrative fine 95. In his additional letter to the statement of objections of 10 August 2020, Chief of investigation proposes to the restricted formation to pronounce a fine against the controlled person administrative relating to the amount of 27,100 euros. 96. In order to decide whether to impose an administrative fine and to decide, if of the amount of this fine, the restricted committee analyzes the criteria set by Article 83.2 of the GDPR: - As to the nature and seriousness of the violation [article 83.2 a) of the GDPR], with regard to breaches of articles 37.7, 38.1, 38.2 and 39.1 b) of the GDPR, restricted training notes that the appointment of a DPO by an organization cannot be efficient and effective, namely to facilitate compliance with the GDPR by the body, only in the case where people concerned have the possibility of easily finding the contact details of the DPO to exercise their data protection rights, as well as in the event that the DPO has the resources necessary for the performance of its missions, is associated with all questions relating to data protection and effectively carries out its missions, including the task of monitoring compliance with the GDPR. - As for the duration criterion [article 83.2 a) of the GDPR], the restricted committee notes that: (1) the inspected modified its website during the investigation in order to to make the DPD's contact details more easily accessible to people concerned. In particular, a translation into French and German has been added to the website of the auditee in August 2019. The breach of Article 37.7 of the GDPR therefore lasted over time, at least between May 25, 2018 and August 2019. 
(2) the audited body informed the CNPD, in its position paper of September 14, 2020, that an internal process for formalising and documenting the involvement of the new internal DPO in matters relating to data protection ([…]) had been put in place from October 17, 2019. These measures were nevertheless decided in the course of the investigation. The breach of Article 38.1 of the GDPR therefore continued over time, at a minimum between May 25, 2018 and October 19, 2019.

(3) the audited body has not demonstrated that the external DPO in office at the time the investigation was opened had the resources necessary to carry out his tasks, and, according to the audit report, the new internal DPO estimates his working time on data protection issues at around 70% compared to his other tasks. The breach of Article 38.2 of the GDPR therefore continued over time from May 25, 2018, it being specified that the restricted panel was not able to find that the breach has ended.

(4) the audited body has not demonstrated that either the external DPO in office at the start of the investigation or the new internal DPO fulfilled their task of monitoring the organisation's compliance with the GDPR as part of their day-to-day functions, the audited body having chosen to use external service providers without demonstrating the involvement of the external and internal DPOs in the organisation of that monitoring. The breach of Article 39.1 b) of the GDPR therefore continued over time from May 25, 2018, it being specified that the restricted panel was not able to find that the breach has ended.
- As to the degree of cooperation with the supervisory authority [Article 83.2 f) of the GDPR], the restricted panel takes into account the head of investigation's statement that the audited body showed constructive participation throughout the investigation.

- As to the categories of personal data affected by the breach [Article 83.2 g) of the GDPR], the restricted panel takes into account the fact that the audited body processes special categories of personal data […].

97. The restricted panel notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence its decision on whether to impose an administrative fine and on its amount.

98. The restricted panel notes that, although several measures were decided by the audited body in order to remedy certain shortcomings in whole or in part, they were decided only after the investigation was launched by CNPD agents on September 17, 2018 (see also point 93 of this decision).

99. Therefore, the restricted panel considers that the imposition of an administrative fine is justified, in view of the criteria set out in Article 83.2 of the GDPR, for the breaches of Articles 37.7, 38.1, 38.2 and 39.1 b) of the GDPR.

100. Regarding the amount of the administrative fine, the restricted panel recalls that Article 83.3 of the GDPR provides that, in the event of multiple breaches, as is the case here, the total amount of the fine may not exceed the amount set for the most serious breach.
Insofar as breaches of Articles 37.7, 38.1, 38.2 and 39.1 b) of the GDPR are alleged against the audited body, the maximum amount of the fine that may be imposed is 10 million euros or 2% of worldwide annual turnover, whichever is greater.

101. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the restricted panel considers that the imposition of a fine of 18,000 euros is effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.

2. Regarding the adoption of corrective measures

102. In his additional letter to the statement of objections of 10 August 2020, the head of investigation proposes that the restricted panel adopt the following corrective measures:

"a) Order the implementation of measures enabling the DPO (or a dedicated "Data Protection" function) to acquire sufficient expertise adapted to the needs of the controller, in accordance with the provisions of Article 37, paragraph (5) of the GDPR and the guidelines on DPOs of the "Article 29" Working Party on data protection, which specify that the DPO's level of expertise must be proportionate to the sensitivity, complexity and volume of the data processed by the organisation. Although several ways can be envisaged to achieve this result, one possibility could be to provide formal internal or external support in terms of IT skills for your DPO, and to enrol him in accelerated/intensive training in data protection.
The measures mentioned by the audited body during the audit, such as access to external expertise for any legal assistance needs, should be maintained or even reinforced, in view of the sensitivity of the data processed;

b) Order the implementation of measures ensuring the formalised and documented involvement of the DPO in all matters relating to data protection, in accordance with the requirements of Article 38(1) of the GDPR and the principle of "accountability". Although several ways can be envisaged to achieve this result, one possibility could be to analyse, together with the DPO, all committees/working groups relevant to data protection and to formalise the terms of his participation (advance information on the meeting agenda, invitation, frequency, status as permanent member, etc.);

c) Order the implementation of measures guaranteeing the necessary resources for the DPO, in accordance with the requirements of Article 38 paragraph 2 of the GDPR. Although several ways can be envisaged to achieve this result, one possibility could be to relieve the DPO of all or part of his other tasks/functions or to provide support, internally or externally, with regard to the exercise of his DPO tasks;

d) Order the implementation of measures ensuring that the various tasks and duties, current or past, of the person exercising the function of DPO do not lead to conflicts of interest, in accordance with the requirements of Article 38(6) of the GDPR. Although several ways can be implemented, one possibility would be to involve a third party with the necessary skills in the review of processing operations for which there is a risk of conflict of interest (review of risk management, review of the processes concerning the various processing operations in place, review of job descriptions and/or position descriptions, etc.);

e) Order the formal and documented deployment of the DPO's monitoring task, in accordance with Article 39 paragraph 1 b) of the GDPR and the principle of "accountability". The DPO must exercise his monitoring duties in accordance with Article 39 paragraph 1 b) of the GDPR. Although several ways can be considered to achieve this result, the DPO should always document his checks on the application of the internal data protection rules and procedures (second line of defence). This documentation could take the form of a monitoring plan followed by reports."

103. As to the corrective measures proposed by the head of investigation and referred to in point 102 of this decision, the restricted panel takes into account the steps taken by the audited body in order to comply with Articles 37.5, 38.1, 38.2, 38.6 and 39.1 b) of the GDPR, in particular the measures described in its letter of September 14, 2020. More particularly, it takes note of the following:

- With regard to the audited body's compliance with Article 37.5 of the GDPR, the restricted panel notes that, following the appointment of the new internal DPO, he has attended several training courses in data protection so that he has sufficient expertise to perform his duties. However, as noted in point 35 of this decision, the restricted panel considers that no breach of Article 37.5 of the GDPR is to be retained with regard to the situation of the audited body at the start of the investigation. Consequently, the restricted panel does not impose the corrective measure proposed by the head of investigation and referred to under a) of point 102 of this decision.
- With regard to the breach of Article 38.1 of the GDPR, the audited body indicates in its letter of September 14, 2020 that an internal process for formalising and documenting the involvement of the new internal DPO in matters relating to data protection ([…]) was put in place by the audited body. The restricted panel therefore considers that there is no need to impose the corrective measure proposed by the head of investigation and referred to under b) of point 102 of this decision.

- With regard to the breach of Article 38.2 of the GDPR, the internal DPO currently in office estimated his working time on data protection issues at about 70% compared to his other tasks. Given that the audited body processes a substantial amount of data, the sensitivity of which may be relatively high, the restricted panel considers that the DPO should have more resources for the performance of his tasks. The restricted panel therefore considers it necessary to impose the corrective measure proposed by the head of investigation and referred to under c) of point 102 of this decision.

- With regard to the audited body's compliance with Article 38.6 of the GDPR, the restricted panel considers that the audited body has not demonstrated that, despite the combination of the functions of internal DPO and Head of Compliance […], sufficient internal measures were taken to prevent the DPO from having to take a position on processing operations whose purposes and means he had helped to determine.
However, as noted in point 90 of this decision, the restricted panel considers that no breach of Article 38.6 of the GDPR is to be retained with regard to the situation of the audited body at the start of the investigation. Consequently, the restricted panel does not impose the corrective measure proposed by the head of investigation and referred to under d) of point 102 of this decision.

- With regard to the breach of Article 39.1 b) of the GDPR, the restricted panel is of the opinion that the audited body has not demonstrated that the DPO currently in office fulfils his task of monitoring the audited body's compliance with the GDPR, the latter having chosen to call on external service providers to carry out this monitoring, without any proof of the involvement of the new internal DPO in the organisation of this monitoring work. The restricted panel therefore considers that the corrective measure proposed by the head of investigation and referred to under e) of point 102 of this decision should be imposed.
restricted formation, and deliberating unanimously, decides:

- to retain the breaches of Articles 37.7, 38.1, 38.2 and 39.1 b) of the GDPR;

- to impose on the public establishment A an administrative fine in the amount of eighteen thousand euros (18,000 euros) with regard to the breaches of Articles 37.7, 38.1, 38.2 and 39.1 b) of the GDPR;

- to issue an injunction ordering the public establishment to comply with Article 38.2 of the GDPR within six months of notification of the decision of the restricted panel, in particular: to ensure that the DPO has the resources necessary for the exercise of his tasks;

- to issue an injunction ordering the public establishment to comply with Article 39.1 b) of the GDPR within six months of notification of the decision of the restricted panel, in particular: to ensure the formal and documented deployment of the DPO's monitoring task.

So decided in Belvaux, on October 15, 2021.

The National Commission for Data Protection sitting in restricted formation

Tine A. Larsen, President
Thierry Lallemang, Commissioner
Marc Lemmer, Commissioner

Indication of remedies

This administrative decision may be the subject of an appeal for reformation within three months of its notification. This appeal is to be brought before the administrative tribunal and must be introduced through a lawyer at the Court of one of the Bar Associations.