CNPD (Luxembourg) - Délibération n° 41FR/2021

From GDPRhub
Latest revision as of 16:57, 6 December 2023

CNPD (Luxembourg) - Decision 41FR/2021
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 37(7) GDPR
Article 38(1) GDPR
Article 38(3) GDPR
Article 39(1)(b) GDPR
Article 58(2) GDPR
Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.10.2021
Published: 29.11.2021
Fine: 18700 EUR
Parties: n/a
National Case Number/Name: Decision 41FR/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Luxembourg DPA (in FR)
Initial Contributor: Florence D'Ath

Following an audit, the Luxembourg DPA (CNPD) imposed a fine of €18,700 on a company because of four breaches relating to the role and position of its Data Protection Officer (DPO), and issued an injunction against that company to bring its practices into compliance with the GDPR within four months.

English Summary

Facts

In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the role of the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR).

One of these audit proceedings concerned a Luxembourg private company (hereafter, the controller). During the audit, the head of investigation of the DPA found that:

  1. the controller had failed to publish the contact details of its DPO in breach of Article 37(7) GDPR;
  2. the controller had failed to ensure that the DPO was involved, properly and in a timely manner, in all issues which relate to the protection of personal data, in breach of Article 38(1) GDPR;
  3. the controller had failed to ensure that the DPO could fulfill their mission with a sufficient degree of autonomy, in breach of Article 38(3) GDPR;
  4. the controller had failed to ensure that the DPO could properly monitor the compliance of the controller's data processing practices with the GDPR, in breach of Article 39(1)(b) GDPR.

In their audit report, the head of investigation therefore recommended that the DPA impose a fine of €18,700 on the controller and issue an injunction against the controller to bring its practices into compliance with the GDPR.

Holding

Following the audit and the report from the head of investigation, the DPA found that the controller had been in breach of four distinct obligations relating to the DPO under the GDPR, as specified below.

Regarding the breach of Article 37(7) GDPR, the DPA noted that the public website of the controller did not provide the direct contact details of the DPO. In case of questions or requests from data subjects, the website only provided a general online contact form, a postal address, or a telephone number. Based on these facts, the DPA found that data subjects were not able to contact the DPO directly (but only indirectly, via other services within the controller). In the course of the proceedings, the controller remedied that breach by adding the contact details of the DPO to its online data protection notice (in particular, in the section on the rights of data subjects). The DPA nevertheless found that, at the time of the audit, there had been a breach of Article 37(7) GDPR.

Regarding the breach of Article 38(1) GDPR, the DPA considered that the DPO had not been sufficiently involved in all issues relating to data protection law. In particular, the audit report pointed to the fact that the DPO was only involved in various internal meetings or committees upon invitation or on an ad hoc basis, and that there was no defined rule or frequency as to the involvement of the DPO in these committees. In the course of the investigation, the controller implemented new procedures under which the DPO would become a permanent member of, or would be regularly involved in, various committee meetings. Although it welcomed these new measures, the DPA nevertheless concluded that the controller had been in breach of Article 38(1) GDPR prior to these changes.

Regarding the breach of Article 38(3) GDPR, the audit report pointed to the existence of several hierarchical intermediaries between the DPO and the highest level of management within the controller. Based on these facts, the DPA found that the DPO could not directly report to the highest management level of the controller, and did not have a sufficient degree of autonomy and independence, as normally required by Article 38(3) GDPR.

Regarding the breach of Article 39(1)(b) GDPR, the audit report pointed to the absence of any monitoring plan or procedures that would formalize and ensure that the DPO is able to duly monitor the compliance of the controller's data processing practices with the GDPR. The controller explained that monitoring procedures had been developed and finalised in December 2019, to be implemented in 2020. However, because no such control plan or monitoring procedures had been put in place at the time the investigation was initiated, the DPA concluded that the controller had breached Article 39(1)(b) GDPR.

For all these reasons, the DPA issued an injunction against the controller to bring its practices into compliance with the GDPR for the remaining breaches (with a deadline of 4 months from the date of the decision), and also imposed an administrative fine of €18,700 on the controller.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision of the National Commission sitting in restricted formation on the outcome of survey No. [...] conducted with Company A

Deliberation n° 41FR/2021 of October 27, 2021



The National Commission for Data Protection sitting in a restricted body, composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners;



Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC;



Having regard to the law of 1 August 2018 on the organization of the National Commission for Data Protection and the general data protection regime, in particular Article 41 thereof;


Having regard to the internal regulations of the National Commission for Data Protection adopted by decision n° 3AD/2020 dated 22 January 2020, in particular Article 10, point 2;



Having regard to the regulation of the National Commission for Data Protection relating to the investigation procedure adopted by decision n° 4AD/2020 dated 22 January 2020, in particular its article 9;



Considering the following:



    I. Facts and procedure


1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and the importance of its integration into the body, and considering that the guidelines concerning DPOs have been available since December 2016[1], i.e. 17 months before entry into application of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereafter: the "GDPR"), the National Commission for Data Protection (hereinafter: the "National Commission" or the "CNPD") has decided to launch a thematic survey campaign on the function of the DPO. Thus, 25 audit procedures were opened in 2018, concerning both the private sector and the public sector.

[1] The guidelines concerning DPOs were adopted by the "Article 29" working group on 13 December 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017.


2. In particular, the National Commission decided by decision no. […] of 14 September 2018 to initiate an investigation in the form of a data protection audit with Company A, located at […], […] and registered with the Luxembourg Trade and Companies Register under number […] (hereinafter: the "controlled"), and to designate Mr. Christophe Buschmann as the head of the investigation. The said deliberation specifies that the investigation relates to the compliance of the controlled with section 4 of chapter 4 of the GDPR.


3. […] the purpose of the control is all activities relating to banks or credit establishments […].


4. By letter of September 17, 2018, the head of the survey sent a questionnaire preliminary to the control, to which the latter replied by letter of September 28, 2018. An on-site visit took place on January 29, 2019. Following these discussions, the head of the investigation established the audit report no. […] (hereinafter: the "audit report").



5. It emerges from the audit report that, in order to verify the compliance of the organization with section 4 of chapter 4 of the GDPR, the head of the investigation defined eleven control objectives, namely:

    1) Ensure that the body subject to the obligation to appoint a DPO has done so;

    2) Make sure that the organization has published the contact details of its DPO;

    3) Ensure that the organization has communicated the contact details of its DPO to the CNPD;

    4) Ensure that the DPO has sufficient expertise and skills to carry out its missions effectively;

    5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest;

    6) Ensure that the DPO has sufficient resources to perform its missions effectively;

    7) Ensure that the DPO is able to carry out his missions with a sufficient degree of autonomy within their organization;

    8) Ensure that the organization has put in place measures so that the DPO is associated with all matters relating to data protection;

    9) Ensure that the DPO fulfills his mission of information and advice to the data controller and employees;

    10) Ensure that the DPO exercises adequate control over data processing within his body;

    11) Ensure that the DPO assists the data controller in carrying out impact analyses in the event of new data processing.


6. By letter of 21 October 2019 (hereinafter: the "statement of objections"), the head of the investigation informed the controlled of the breaches of obligations under the GDPR that it noted during its investigation. The audit report was attached to this letter.



7. In particular, the head of the investigation noted in the statement of objections failures to:

    - the obligation to publish the contact details of the DPO;[2]

    - the obligation to involve the DPO in all matters relating to the protection of data;[3]

    - the obligation to guarantee the autonomy of the DPO;[4]

    - the DPD's control mission.[5]

[2] Objective 2
[3] Objective 8
[4] Objective n° 7
[5] Objective n° 10


8. By letter of November 15, 2019, the controlled sent the head of the investigation its position on the shortcomings identified in the statement of objections.


9. On August 3, 2020, the head of the investigation sent the controlled an additional letter to the statement of objections by which he informs the controlled of the corrective measures he proposes to the National Commission sitting in a restricted formation (hereinafter: the "restricted formation") to adopt. In this letter, the head of the investigation proposed to the restricted formation to adopt 4 different corrective measures as well as to impose an administrative fine on the controlled in the amount of 18,700 euros.

10. By letter of September 8, 2020, the controlled sent the head of the investigation its observations on the additional letter to the statement of objections.


11. The case was on the agenda for the restricted formation session on May 31, 2021. In accordance with article 10.2.b) of the rules of procedure of the National Commission, the head of investigation and the controlled made oral observations on the case and replied to the questions asked by the restricted formation. The controlled had the floor last.


    II. Place

    A. On the failure to publish the contact details of the DPO


        1. On the principles



12. Article 37.7 of the GDPR provides for the obligation for the audited body to publish the contact details of the DPD. Indeed, it follows from Article 38.4 of the GDPR that the persons concerned must be able to contact the DPO about all questions relating to the processing of their personal data and the exercise of the rights conferred on them by the GDPR.


13. The DPO guidelines explain in this regard that this requirement aims to ensure that "the persons concerned (both inside and outside the organization) can easily and directly contact the DPO without having to contact another department of the organization". The guidelines also state that "The contact details of the DPO must contain information enabling the persons concerned to reach it easily (a postal address, a specific telephone number and/or a specific e-mail address)".[6]


14. In addition, Article 12.1 of the GDPR provides that the controller must take appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR with regard to the processing to the data subject in a concise, transparent, understandable and easily accessible manner, in clear and simple terms. Among the information that must be transmitted to the person concerned is the information relating to the contact details of the DPD, in accordance with Articles 13.1.b) and 14.1.b) of the GDPR.




[6] WP 243 rev. 01, version revised and adopted on April 5, 2017, p. 15


        2. In the present case


15. It emerges from the audit report that, in order for the head of the investigation to consider objective 2 as completed by the inspected as part of this audit campaign, he expects the organization to publish the contact details of its DPO internally within the organization and externally to the public. The DPO must be able to be contacted easily and directly via a communication channel adapted to the persons concerned. As part of this audit campaign, active internal communication is expected, particularly via emails, newsletters and dedicated spaces on the intranet. Externally, it is at least expected that the DPD's contact details are easily accessible on the organization's website.



16. According to the statement of objections, page 2: "The investigation showed that the public website of Company A does not provide the direct contact details of the DPO. In case of questions or requests from the persons concerned, the website provides a form to complete and return to a generic email address ([…]) or by post to the address of the hotline […] or via the secure messaging of […]."


17. The head of the investigation concludes that "the data subjects external to Company A cannot contact the DPO directly without having to contact another agency service."



18. In its position paper of November 15, 2019, the inspected does not call into question the findings made by the head of the investigation and indicates that, following the breach noted, a dedicated e-mail address has been created "so that data subjects can contact the Data Protection Officer ("DPD") directly." The inspected then specified where the DPD's contact details were published, namely on its website as well as in its personal data processing policy.



19. During the meeting of May 31, 2021, the restricted formation noted that the contact details of the DPD were not mentioned in the section of the controlled's website relating to the exercise of the rights of the persons concerned, nor in the form below this section, and asked the auditee for further information in this regard. By email of 4 June 2021, the inspected informed the restricted formation of the mention of the DPD's contact details in this section as well as in the said form.

20. If measures have been taken by the inspected to comply with the obligation to publish the contact details of its DPO, it should be noted that these were decided only during the investigation. The restricted formation recognizes that at the start of the investigation, the controlled had not published the contact details of its DPO.


21. In view of the above, the restricted formation concludes that Article 37.7 of the GDPR has not been respected by the inspected.


    B. On the breach of the obligation to involve the DPO in all matters relating to the protection of personal data



    1. On the principles


22. According to article 38.1 of the GDPR, the organization must ensure that the DPO is involved, in an appropriate and timely manner, in all matters relating to the protection of personal data.



23. The DPO guidelines state that "[i]t is essential that the DPO, or his team, is involved from the earliest possible stage in all questions relating to data protection. [...] Information and consultation of the DPO from the start will facilitate compliance with the GDPR and encourage an approach based on data protection by design; it should therefore be the usual procedure within the governance of the organization. In addition, it is important that the DPO is considered as an interlocutor within the organization and that he or she is a member of the working groups dedicated to data processing activities within the organization".[7]



24. The DPO guidelines provide examples on how to ensure this association of the DPO, such as:

    - invite the DPO to participate regularly in upper and intermediate management meetings;

    - recommend the presence of the DPO when decisions having implications in terms of data protection are taken;

    - always take due account of the opinion of the DPO;

    - immediately consult the DPO in the event of a data breach or when another incident occurs.

[7] WP 243 rev. 01, version revised and adopted on April 5, 2017, p. 16


25. According to the guidelines for DPOs, the body could, where appropriate, develop data protection guidelines or programs indicating the cases in which the DPO must be consulted.


    2. In this case



26. It emerges from the audit report that, in order for the investigator to consider objective 8 as completed by the inspected as part of this audit campaign, it expects the DPD to participate in a formalized manner and on the basis of a defined frequency in the Management, project coordination committees, new product committees, security committees or any other committee deemed useful in the context of data protection.


27. According to the statement of objections, page 3, "[t]he investigation shows that the DPO intervenes on invitation or on an ad hoc basis at various internal meetings or committees which discuss issues or projects with impacts in terms of data protection, but there is no defined rule or frequency as to the participation of the DPO in these committees." The head of the investigation then notes that "[t]he fact that the DPD participated in two Internal Control Committees (January 2019 and August 2018) and the Management Board of November 2017, that he is a permanent guest of the Safety Committee and that he is involved if a Data Protection aspect concerns a new product is not sufficient to demonstrate the formal, permanent and regular nature of the DPO's involvement."



28. In its position paper of 15 November 2019, the inspected entity indicates that the DPO intervened on an ad hoc basis in September 2019 before the "Internal Control Committee" and the "Executive Committee". It then indicates that a "quarterly intervention before the Internal Control Committee will be implemented and formalised" in its "Personal data protection policy".


29. The restricted formation notes that it is rightly specified on page 2 of the statement of objections (under "preliminary remarks") that "[t]he requirements of the GDPR are not always strictly defined. In such a situation, it is up to the supervisory authorities to verify the proportionality of the measures put in place by controllers with regard to the sensitivity of the data processed and the risks incurred by the data subjects."


30. However, the restricted formation notes that it is also specified on page 2 of the statement of objections that the inspected entity has approximately […] employees and […] customers. The head of investigation concludes that the inspected entity processes a significant amount of personal data. The restricted formation shares this assessment and therefore considers that the formalised and systematic participation of the DPO in the relevant meetings, as expected by the head of investigation, constitutes a proportionate measure in order to ensure the involvement of the DPO in all questions relating to the protection of personal data.


31. The restricted formation takes note of the fact that, in its response of 8 September 2020 to the letter supplementing the statement of objections, the inspected entity provided "additional elements (...) in order to respond to the corrective measures proposed by the head of investigation", concerning in particular the involvement of the DPO in all questions relating to data protection. The inspected entity provided a list of 6 committees (concerning the areas of IT, risk management and subcontracting) of which the DPO is a permanent member, as well as indications on the interventions/participations of the DPO in other committees and meetings (namely the "[…]" Committee, the "[…]" meetings and the Internal Control Committee "in order to present the quarterly activity report or any other subject that it deems necessary").


32. While these measures should facilitate the involvement of the DPO in all matters relating to data protection, it should nevertheless be noted that they were decided during the investigation. The restricted formation therefore considers that, at the start of the investigation, the inspected entity was not able to demonstrate that the DPO was involved in an appropriate manner in all matters relating to the protection of personal data.



33. In view of the above, the restricted formation concludes that Article 38.1 of the GDPR was not respected by the inspected entity.



    C. On the breach of the obligation to guarantee the autonomy of the DPO


    1. On the principles



34. According to Article 38.3 of the GDPR, the body must ensure that the DPO "does not receive any instructions regarding the exercise of [his] tasks". In addition, the DPO "shall directly report to the highest management level" of the organisation.


35. Recital 97 of the GDPR further states that DPOs "should be able to exercise their functions and tasks in complete independence".


36. According to the guidelines on DPOs [8], Article 38.3 of the GDPR "provides for certain basic guarantees intended to ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. […] This means that, in carrying out their duties under Article 39, DPOs must not receive instructions on how to handle a case, for example, what outcome should be obtained, how to investigate a complaint or whether to consult the supervisory authority. In addition, they cannot be required to take a certain point of view on an issue related to data protection legislation, for example, a particular interpretation of the law. […] If the controller or processor takes decisions that are incompatible with the GDPR and the opinion of the DPO, the latter should be able to make clear that his opinion diverges at the highest level of management and to decision-makers. In this regard, Article 38(3) provides that the DPO "shall directly report to the highest management level of the controller or the processor". Such direct reporting ensures that senior management (e.g. the board of directors) is aware of the opinions and recommendations of the DPO which fall within the framework of the latter's task of informing and advising the controller or the processor. The preparation of an annual report on the activities of the DPO for the highest management level is another example of direct reporting."



    2. In this case


37. It emerges from the audit report that, in order for the head of investigation to consider objective 7 as completed by the inspected entity as part of this audit campaign, he expects the DPO to be "attached to the highest level of management in order to guarantee his autonomy as much as possible".





8 WP 243 v.01, version revised and adopted on 5 April 2017, p. 17 and 18

38. According to the statement of objections, page 4, "[d]uring the investigation, the CNPD's officers noted the existence of several hierarchical intermediaries between the DPO and the management. In fact, the DPO is attached to a person from the "[…]" department who is himself attached to a person from the "[…]" department who is himself attached to the Chief Compliance Officer. Although the DPO can intervene on an ad hoc basis before the Executive Committee and the Internal Control Committee at his request and at any time, the hierarchical reporting line to the management and therefore access to the latter are not direct and permanent."


39. In its letter of 8 September 2020, the inspected entity indicated that, in order to guarantee the autonomy of the DPO: "i. the DPO function has been hierarchically attached to the Chief Group Compliance Officer (CCO) since 15 January 2020. ii. The CCO has been a guest of the Executive Committee of Company A since 1 October 2018 (no hierarchical intermediary between the DPO and the highest level of management) and reports directly to the Chief Executive Officer, as well as to the Chairman of the Board of Directors. iii. A quarterly activity report on data protection is presented by the DPO to […] (composed in part of the Executive Committee)". The inspected entity also indicates that weekly meetings are organised between the DPO and the CCO.


40. Although it does not follow from the provisions of the GDPR that the DPO must necessarily be attached to the highest level of management in order to guarantee his autonomy, the restricted formation nevertheless recalls that it noted in point 29 of this decision that it is rightly specified on page 2 of the statement of objections (under "preliminary remarks") that "[t]he requirements of the GDPR are not always strictly defined. In such a situation, it is up to the supervisory authorities to verify the proportionality of the measures put in place by controllers with regard to the sensitivity of the data processed and the risks incurred by the data subjects."


41. However, as mentioned in point 30 of this decision, the restricted formation shares the assessment of the head of investigation, mentioned on page 2 of the statement of objections, according to which the inspected entity processes a significant amount of personal data. The restricted formation therefore considers that, in the absence of other measures which would make it possible to demonstrate that direct reporting to the highest level of management is formalised, the hierarchical attachment of the DPO to the highest level of management, as expected by the head of investigation, is a proportionate measure to guarantee his autonomy.



42. In this regard, the restricted formation notes that, at the time of the opening of the investigation, the DPO was not attached to the highest level of management and it has not been demonstrated by the inspected entity that direct reporting to the highest level of management was formalised.


43. In view of the above, the restricted formation concludes that Article 38.3 of the GDPR was not respected by the inspected entity.


    D. On the breach relating to the DPO's control mission


    1. On the principles


44. According to Article 39.1.b) of the GDPR, the DPO has, among other things, the task of "monitoring compliance with this Regulation, with other Union or Member State data protection provisions and with the internal rules of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits". Recital 97 specifies that the DPO should help the body to verify compliance with the GDPR at internal level.

45. It follows from the guidelines on DPOs [9] that the DPO can, within the framework of these monitoring tasks, in particular:

- collect information to identify processing activities;
- analyse and verify the compliance of processing activities;
- inform and advise the controller or the processor and formulate recommendations to him.


    2. In this case


46. It emerges from the audit report that, in order for the head of investigation to consider objective 10 as fulfilled by the inspected entity as part of this audit campaign, he expects that "[t]he organisation has a formalised data protection control plan (even if it is not yet executed)".




9 WP 243 v.01, version revised and adopted on 5 April 2017, p. 20

47. According to the statement of objections, p. 5, "[i]t emerges from the investigation that the organisation does not have a control plan. Although the organisation informed the CNPD that controls relating to data protection are being built, that they will be integrated into the Compliance Monitoring programme and that recourse to external assistance is envisaged to build this monitoring programme, the organisation had not carried out any control at the time of the investigation."


48. In its letter of 8 September 2020, the inspected entity indicated that it had "asked for the help of consultants for the development of a control plan […]" and that "[this] [plan] was finalised in December 2019 and is applicable in 2020". The inspected entity further indicates that in "April 2019 the Internal Audit [of the inspected entity] (3rd line of defence) carried out a mission on the implementation of Regulation (EU) 2016/679 which gave rise to recommendations." The inspected entity also specifies that "controls have been carried out or are in the process of being carried out by the DPO", in particular the review of the processing register and the review of the contractual clauses relating to data protection. The inspected entity finally indicates that "in accordance with Article 25 of the Regulation, the principles of "data protection by design and data protection by default" have been set up as an a priori control for the implementation of new processing of personal data."


49. The restricted formation notes that Article 39.1 of the GDPR lists the tasks with which the DPO must at least be entrusted, including the task of monitoring compliance with the GDPR, without however requiring the body to put in place specific measures to ensure that the DPO can accomplish his monitoring task. The guidelines on DPOs indicate in particular that the keeping of the register of processing activities referred to in Article 30 of the GDPR can be entrusted to the DPO and that "[this] register should be considered as one of the tools enabling the DPO to perform his tasks of monitoring compliance with the GDPR as well as informing and advising the controller or the processor." [10]


50. It emerges from the inspected entity's responses to the preliminary questionnaire [11] that, from the start of the investigation, the DPO's task was to "coordinate the documentation of the processing operations in the register". The restricted formation nevertheless notes that this element, taken in isolation, is not sufficient to demonstrate that the task of monitoring compliance with the GDPR could have been carried out adequately.





10 WP 243 v.01, version revised and adopted on 5 April 2017, p. 22
11 Response of the inspected entity of 28 September 2018 to the preliminary questionnaire (question 5.d).

51. The restricted formation recalls that it noted in point 29 of this decision that it is rightly specified on page 2 of the statement of objections (under "preliminary remarks") that "[t]he requirements of the GDPR are not always strictly defined. In such a situation, it is up to the supervisory authorities to verify the proportionality of the measures put in place by controllers with regard to the sensitivity of the data processed and the risks incurred by the data subjects."


52. However, as mentioned in point 30 of this decision, the restricted formation shares the assessment of the head of investigation, mentioned on page 2 of the statement of objections, according to which the inspected entity processes a significant amount of personal data.


53. The restricted formation therefore considers that the monitoring task carried out by the DPO at the inspected entity should be sufficiently formalised, for example by a data protection control plan, in order to be able to demonstrate that the DPO can perform his task of monitoring compliance with the GDPR in an adequate manner.


54. The restricted formation takes note of the elements communicated by the inspected entity in its letter of 8 September 2020 concerning the development of a control plan finalised in December 2019 and its application in 2020.


55. Nevertheless, the restricted formation notes that this control plan was established after the start of the investigation and therefore considers that, at the start of the investigation, the inspected entity was not able to demonstrate that the DPO carries out his task of monitoring compliance with the GDPR in an adequate manner.


56. In view of the foregoing, the restricted formation concludes that Article 39.1.b) of the GDPR was not respected by the inspected entity.


    III. On corrective measures and the fine



           A. Principles


57. In accordance with Article 12 of the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, the National Commission has the powers provided for in Article 58.2 of the GDPR:



    "a) to warn a controller or a processor that intended processing operations are likely to infringe the provisions of this Regulation;

    b) to issue a reprimand to a controller or a processor where processing operations have infringed the provisions of this Regulation;

    c) to order the controller or the processor to comply with the requests presented by the data subject in order to exercise his or her rights under this Regulation;

    d) to order the controller or the processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

    e) to order the controller to communicate a personal data breach to the data subject;

    f) to impose a temporary or definitive limitation, including a ban, on processing;

    g) to order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such measures to the recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

    h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

    i) to impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the specific circumstances of each case;

    j) to order the suspension of data flows to a recipient in a third country or to an international organisation."

58. Article 83 of the GDPR provides that each supervisory authority shall ensure that the administrative fines imposed are, in each individual case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account when deciding whether to impose an administrative fine and when deciding on the amount of that fine:


    "a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;

    b) whether the breach was committed intentionally or negligently;

    c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;

    d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;

    e) any relevant breach previously committed by the controller or processor;

    f) the degree of cooperation with the supervisory authority in order to remedy the breach and mitigate its possible adverse effects;

    g) the categories of personal data affected by the breach;

    h) the manner in which the supervisory authority became aware of the breach, in particular whether, and if so to what extent, the controller or processor notified the breach;

    i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

    j) adherence to codes of conduct approved pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; and

    k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the breach".

59. The restricted formation would like to point out that the facts taken into account in the context of this decision are those noted at the start of the investigation. Any changes relating to the subject of the investigation made subsequently, even if they make it possible to establish full or partial compliance, do not allow a breach which has been noted to be retroactively cancelled.


60. Nevertheless, the steps taken by the inspected entity to bring itself into compliance with the GDPR during the investigation procedure or to remedy the breaches noted by the head of investigation in the statement of objections are taken into account by the restricted formation in the context of any corrective measures to be taken.


           B. In this case



    1. As to the imposition of an administrative fine


61. In his letter supplementing the statement of objections of 3 August 2020, the head of investigation proposes that the restricted formation impose on the inspected entity an administrative fine in the amount of 18,700 euros.


62. In order to decide whether to impose an administrative fine and, if so, to decide on the amount of this fine, the restricted formation analyses the criteria set by Article 83.2 of the GDPR:

- As to the nature and gravity of the breach [Article 83.2.a) of the GDPR], with regard to the breaches of Articles 37.7, 38.1, 38.3 and 39.1.b) of the GDPR, the restricted formation notes that the designation of a DPO by an organisation can only be efficient and effective, namely facilitate compliance with the GDPR by the organisation, where the data subjects have the possibility of easily finding the contact details of the DPO in order to be able to contact him on all questions relating to the processing of their personal data and the exercise of their rights, where the DPO is involved as early as possible in all data protection matters, where he is able to exercise his functions and tasks in complete independence, and where he is able to perform his tasks effectively, in particular the task of monitoring compliance with the GDPR.

- As to the duration criterion [Article 83.2.a) of the GDPR], the restricted formation notes:

       (1) that the inspected entity indicated in its position paper of 15 November 2019 that a dedicated e-mail address had been created "so that data subjects can contact the Data Protection Officer directly" and that the contact details of the DPO had been published on its website as well as in its policy on the processing of personal data. The breach of Article 37.7 of the GDPR therefore lasted over time, at least between 25 May 2018 and November 2019;

       (2) that the inspected entity decided to take appropriate measures to facilitate the involvement of the DPO in all matters relating to data protection, which are described in its letter of 8 September 2020. The breach of Article 38.1 of the GDPR therefore lasted over time, at least between 25 May 2018 and September 2020;

       (3) that the elements communicated by the inspected entity during the investigation, and in particular by e-mail of 4 June 2021 following the meeting of 31 May 2021, do not make it possible to demonstrate that the DPO would be able to report directly to the highest management level in a formalised manner. The breach of Article 38.3 of the GDPR therefore lasted over time, from 25 May 2018, it being specified that the restricted formation could not find that the breach has ended;

       (4) that a control plan was finalised in December 2019 and applied in 2020. The breach of Article 39.1.b) of the GDPR therefore lasted over time, at least between 25 May 2018 and December 2019.


63. The restricted formation notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence its decision on whether to impose an administrative fine and on its amount.

64. The restricted formation notes that, although several measures were decided by the inspected entity in order to remedy the breaches, they were not decided until after the launch of the investigation by CNPD agents on 17 September 2018 (see also point 59 of this decision).

65. Therefore, the restricted formation considers that the imposition of an administrative fine is justified with regard to the criteria set out in Article 83.2 of the GDPR for the breach of Articles 37.7, 38.1, 38.3 and 39.1.b) of the GDPR.
66. Regarding the amount of the administrative fine, the restricted formation recalls that Article 83.3 of the GDPR provides that in the event of multiple breaches, as is the case here, the total amount of the fine may not exceed the amount set for the most serious breach. Insofar as the inspected entity is accused of a breach of Articles 37.7, 38.1, 38.3 and 39.1.b) of the GDPR, the maximum amount of the fine that can be imposed is 10 million euros or 2% of annual worldwide turnover, whichever is higher.

67. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the restricted formation considers that the imposition of a fine of 18,700 euros appears both effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.



    2. Regarding the taking of corrective measures



68. In his letter supplementing the statement of objections of 3 August 2020, the head of investigation suggests that the restricted formation take the following corrective measures:

        "a) Order the publication of the contact details of the data protection officer in accordance with the requirements of Article 37 paragraph 7 of the GDPR and the DPO guidelines of the Article 29 Working Party on data protection, which indicate that data subjects should be able to contact the DPO easily and directly without having to contact another part of the body. Thus, one of the ways to achieve this result would be to publish the contact details of the DPO on the public website of [Company A], insofar as this has not already been done.

        b) Order the implementation of measures ensuring the involvement of the DPO in all data protection issues, in accordance with the requirements of Article 38 paragraph 1 of the GDPR. Although several ways can be envisaged to achieve this result, one of the possibilities could be to analyse, with the DPO, all the relevant committees/working groups with regard to data protection and to formalise the modalities of his intervention (prior information with the agenda of meetings, invitation, frequency, permanent member status, etc.).

        c) Order the establishment of a mechanism guaranteeing the DPO's autonomy in accordance with the requirements of Article 38 paragraph 3 of the GDPR. Several measures can be considered to achieve this result, such as the attachment of the DPO to the highest level of management in order to guarantee his autonomy as much as possible, or the creation of a formal and regular direct reporting line, as well as an emergency escalation mechanism to the management bypassing the intermediate hierarchical level(s).

        d) Order the deployment of the monitoring task, in accordance with Article 39 paragraph 1 b) of the GDPR. The DPO should therefore document his controls relating to the application of internal data protection rules and procedures (second line of defence). This documentation could take the form of a control plan insofar as this has not already been done."


69. As for the corrective measures proposed by the head of investigation, and with reference to point 60 of this decision, the restricted formation takes into account the steps taken by the inspected entity in order to comply with the provisions of Articles 37.7, 38.1, 38.3 and 39.1.b) of the GDPR, in particular the measures described in its letter of 15 November 2019 and in its letter of 8 September 2020. More particularly, it takes note of the following facts:


    - With regard to the violation of article 37.7 of the GDPR, the restricted committee notes

    that a dedicated e-mail address has been created and that the DPO's contact details have been published

    on the website of the inspected as well as in its policy on handling

    personal data. The restricted formation therefore considers that there is no need to
    pronounce the corrective measure proposed by the head of investigation under a) of point 68 of the

    this decision.


    - With regard to the violation of article 38.1 of the GDPR, the restricted committee notes

    that it was decided by the inspectorate to take appropriate measures to facilitate
    involving the DPO in all matters relating to data protection. The

    restricted party therefore considers that there is no need to pronounce the measure

    corrective measure proposed by the head of investigation under b) of point 68 of this decision.


    - With regard to the violation of article 38.3 of the GDPR, the restricted formation notes that the elements communicated by the inspected entity during the investigation, and in particular by e-mail of June 4, 2021 following the meeting of May 31, 2021, do not demonstrate that the DPO would be able to report directly to the highest management level in a formalized manner. The restricted formation therefore considers that it is necessary to pronounce the corrective measure proposed by the head of investigation under c) of point 68 of this decision.

Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 19/21

    - With regard to the violation of article 39.1.b) of the GDPR, the restricted formation notes that a control plan was finalized in December 2019 and applied in 2020. The restricted formation therefore considers that there is no need to pronounce the corrective measure proposed by the head of investigation under d) of point 68 of this decision.



In view of the foregoing developments, the National Commission sitting in restricted formation and deliberating unanimously decides:



- to retain the breaches of articles 37.7, 38.1, 38.3 and 39.1.b) of the GDPR;

- to pronounce against Company A an administrative fine in the amount of eighteen thousand seven hundred euros (18,700 euros) with regard to the violation of articles 37.7, 38.1, 38.3 and 39.1.b) of the GDPR;

- to issue an injunction against Company A to comply with article 38.3 of the GDPR within four months of the notification of the decision of the restricted formation, in particular:

    ensure the establishment and maintenance of a formal mechanism guaranteeing the autonomy of the DPO.
Thus decided in Belvaux on October 27, 2021.
The National Commission for Data Protection sitting in restricted formation

Tine A. Larsen          Thierry Lallemang          Marc Lemmer
President               Commissioner               Commissioner



Indication of remedies

This administrative decision may be the subject of an appeal for reformation within three months following its notification. This appeal is to be brought before the administrative tribunal and must be lodged through a lawyer at the Court of one of the Bar Associations.