CNPD (Luxembourg) - Délibération n°18FR/2021: Difference between revisions
No edit summary |
|||
(One intermediate revision by one other user not shown) | |||
Line 52: | Line 52: | ||
}} | }} | ||
The Luxembourg DPA fined a controller €18,000 for not | The Luxembourg DPA fined a controller €18,000 for not providing their DPO with the necessary resources and organizational framework to appropriately carry out their tasks. | ||
== English Summary == | == English Summary == |
Latest revision as of 08:31, 16 June 2021
CNPD (Luxembourg) - Délibération n°18FR/2021 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 38(1) GDPR Article 38(2) GDPR Article 39(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 31.05.2021 |
Published: | 14.06.2021 |
Fine: | 18000 |
Parties: | n/a |
National Case Number/Name: | Délibération n°18FR/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | CNPD (in FR) |
Initial Contributor: | n/a |
The Luxembourg DPA fined a controller €18,000 for not providing their DPO with the necessary resources and organizational framework to appropriately carry out their tasks.
English Summary
Facts
The Luxembourg DPA (CNPD) launched an investigation on a group of companies with a subsidiary based in Luxembourg (Company A).
The central headquarters had a privacy office, while the Luxembourg subsidiary had a sole data protection lawyer. The group of companies had appointed a single Group DPO to handle the data protection matters of both the central company and the Luxembourg subsidiary. The local data protection lawyer was the single point of contact of the DPO with the Company A.
Holding
The CNPD determined that even if the DPO was participating in numerous meetings at a group level and regularly organized meetings with its local points of contact, that was not sufficient to demonstrate the direct, formal and permanent involvement of the DPO in Luxembourg.
The Group DPO received a monthly report from the local contact point relating to data protection issues (number of requests to exercise rights or complaints, possible impact analyzes etc.). The DPO was also systematically informed and consulted by the local contact point in case of security incidents likely to involve personal data and create a risk for the people concerned.
However, the DPA considered that such elements could not compensate for the absence of direct involvement of the Group DPO within Company A, which could create the risk that the DPO was not sufficiently involved at operational level in Luxembourg, being therefore in breach of Article 38(1) GDPR, as the DPO must involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
There were not any measures to address that risk, such as for example regular visits of the Group DPO to Company A, that would allow the DPO to be able to discuss data protection issues and related operational issues directly with the management of the company.
There was no direct feedback of information from the Group DPO to the local department either. There are several levels of reporting, but the DPA considered that it was not sufficient to compensate for the lack of direct reporting from the DPO to the data controller in Luxembourg.
All questions relating to the protection of personal data that arose at the control level were received and first analyzed by the local point of contact who afterwards assessed the issue and contacted the Group DPO when they deemed it necessary. Therefore, the DPO was not informed and above all not consulted from the earliest stage possible of all matters relating to data protection.
Hence, a breach of Article 38(2) was also found, since the DPO was nor provided the resources necessary to carry out those tasks and access to personal data and processing operations.
This also led to a breach of Article 39(1)(a), due to the lack of direct feedback.
Additionally, during the course of the proceedings, the Company A appointed a new DPO. The DPA remarked that it must ensure that the newly appointed DPO is effectively involved in all matters relating to data protection.
For these violations, the DPA fined the controller €18,000. The DPA took into account the will to cooperate of the company.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of survey No. [...] conducted among Company A Deliberation n ° 18FR / 2021 of May 31, 2021 The National Commission for Data Protection sitting in a restricted body, composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data personnel and the free movement of such data, and repealing Directive 95/46 / EC; er Having regard to the law of 1 August 2018 on the organization of the National Commission for the Protection data and the general data protection regime, in particular Article 41 thereof; Having regard to the internal regulations of the National Commission for Data Protection adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular its article 10.2; Having regard to the regulation of the National Commission for Data Protection relating to investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular its article 9; Considering the following: ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] carried out with Company A 1/22 I. Facts and procedure 1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and the importance of its integration into the body, and considering that the guidelines concerning DPOs have been available since December 2016, i.e. 17 months before entry into application of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data personal data and the free movement of such data, and repealing Directive 95/46 / EC (general data protection regulation) (hereafter: the "GDPR"), the Commission National Data Protection Authority (hereinafter: the “National Commission” or the "CNPD") has decided to launch a thematic survey campaign on the function of the DPO. Thus, 25 audit procedures were opened in 2018, concerning both the private sector and the public sector. 2. In particular, the National Commission decided by decision no. […] Of 14 September 2018 to initiate an investigation in the form of a data protection audit with […] Company A, established and having its registered office at L- […], registered in the register of trade and companies under number […] (hereinafter: the "controlled") and to designate Mr. Christophe Buschmann as head of investigation. Said deliberation specifies that the investigation relates to the compliance of the inspected with section 4 of chapter 4 of the GDPR. 2 3. The main purpose of the inspection is […]. The controlled has approximately […] employees 3 spread over […] sites as well as […]. 4. By letter of September 17, 2018, the head of the survey sent a questionnaire preliminary to the control to which the latter replied by letter of October 5, 2018. A visit on site took place on January 21, 2019. Following these discussions, the head of the investigation established the audit report no. […] (hereinafter: the "audit report"). 1The guidelines concerning DPOs were adopted by the “Article 29” working group on 13 December 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017. 2Coordinated statutes filed on […]. 3Presentation of the inspection of January 21, 2019 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 2/225. It emerges from the audit report that in order to verify the compliance of the organization with the section 4 of chapter 4 of the GDPR, the head of the investigation defined eleven control objectives, know : 1) Ensure that the body subject to the obligation to appoint a DPO has done so; 2) Make sure that the organization has published the contact details of its DPO; 3) Ensure that the organization has communicated the contact details of its DPO to the CNPD; 4) Ensure that the DPO has sufficient expertise and skills to carry out its missions effectively; 5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest; 6) Ensure that the DPO has sufficient resources to perform effectively of its missions; 7) Ensure that the DPO is able to carry out his missions to a sufficient degree autonomy within their organization; 8) Ensure that the organization has put in place measures to ensure that the DPO is associated with all matters relating to data protection; 9) Ensure that the DPO fulfills his mission of information and advice to the data controller and employees; 10) Ensure that the DPO exercises adequate control over data processing within of his body; 11) Ensure that the DPO assists the data controller in carrying out the impact analyzes in the event of new data processing. 6. By letter of October 31, 2019 (hereinafter: the “statement of objections”), the Chief investigation informed the inspector of breaches of obligations under the GDPR that it noted during its investigation. The audit report was attached to this letter. 7. In particular, the head of the investigation noted in the statement of objections breaches of: the obligation to involve the DPO in all matters relating to the protection of personal data; 4 5 the obligation to provide the necessary resources to the DPO; 6 the DPD's mission of information and advice. 4 5Objective 8 6Objective 6 Objective n ° 10 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 3/228. By letter of November 22, 2019, the inspector sent the head of the investigation position on the shortcomings listed in the statement of objections. 9. On August 24, 2020, the head of the investigation sent the inspector an additional letter to the statement of objections (hereinafter: the "additional letter to the communication of grievances ") by which he informs the control of the corrective measures and the administrative fine which he proposes to the National Commission sitting in restricted formation (hereinafter: the " restricted training ") to adopt. 10. By letter of September 30, 2020, the inspector sent the head of the investigation his observations on the additional letter to the statement of objections. 11. The case was on the agenda of the restricted formation session on January 26 2021. In accordance with article 10.2. b) the rules of procedure of the Commission national, the head of investigation and the supervisee presented their oral observations in support of their written submissions. More particularly, Maître […], agent of the inspected, gave reading of a note setting out the observations of the inspected (hereinafter: the "pleadings note"). The head of the investigation and the inspector subsequently answered the questions posed by the training restraint. The controlled had the floor last. 12. By email of January 27, 2021, the inspected representative sent the training restricted a copy of the pleadings, an excerpt from a presentation dated October 8 2018 presenting the "Data Protection" organization chart with indication of "[GDPR Committee]" of the controlled as well as an extract from the trade and companies register of [...] Company B manager […] in Luxembourg. II. Place A. As regards the requirements for precision in the statement of objections and in the letter complementary to the statement of objections 13. In his statement of pleadings, the agent of the inspected invokes, as a preliminary point, that the statement of objections and the additional letter to the statement of objections lack precision: ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° […] carried out with Company A 4/22 "[…] the Grievance Couriers fail to comply with the legal obligations applicable in administrative, in particular in that they do not contain a precise reference to a standard that would have been violated and that they do not contain any precise indication of the facts details that would constitute a violation of a legal standard by Company A. By this lack of precision, the general principles of applicable rights have been violated and my principal was deprived of the opportunity to provide informed and detailed explanations likely to shed light on Restricted Training. " 14. The restricted panel notes that the head of the investigation expressly mentions, both in the statement of objections than in the additional letter to the communication grievances, the provisions of the GDPR that the inspected would have failed, namely articles 38.1, 38.2 and 39.1. at). In addition, the factual findings made during the investigation and on which the alleged shortcomings are based are indicated in the statement of objections. Of surplus, the audit report containing all the findings and work carried out by the manager investigation as part of the audit mission was attached to the statement of objections. In In addition, the restricted committee notes that the inspectorate's representative refers to the "Legal obligations applicable in administrative matters" as well as "general principles of applicable rights ”without specifying which rule of law would have been violated in the species. 15. For all practical purposes, it should be noted that the inspected was in a position to take position in relation to the breaches alleged against him, as demonstrated by his position of 22 November 2019 and 30 September 2020 as well as the oral observations and the note of pleadings presented at the restricted session of January 26, 2021. 16. It is therefore wrong that the agent of the inspected maintains that the communication of complaints and the letter supplementing the statement of objections lack so that his principal would have been "deprived of the possibility of providing enlightened explanations and detailed information likely to enlighten the Restricted Training ". B. As regards the complaints listed in the statement of objections a) The breach of the obligation to involve the DPO in all matters relating to the protection of personal data ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] conducted with Company A 5/22 1. On the principles 17. According to article 38.1 of the GDPR, the organization must ensure that the DPO is involved, in an appropriate and timely manner, in all matters relating to the protection of personal data. 18. The DPO guidelines state that “[i] t is essential that the DPO, or his team, is involved from the earliest possible stage in all questions relating to data protection. [...] Information and consultation of the DPO from the start will facilitate compliance with the GDPR and encourage an approach based on data protection by design; it should therefore be the usual procedure in within the governance of the organization. In addition, it is important that the DPO is considered as an interlocutor within the organization and that he or she is a member of the dedicated working groups 7 to data processing activities within the organization ". 19. The DPO guidelines provide examples on how to to ensure this association of the DPO, such as: invite the DPO to participate regularly in senior management meetings and intermediate; recommend the presence of the DPO when decisions with implications in terms of data protection are taken; always take due account of the opinion of the DPO; immediately consult the DPO in the event of a data breach or any other incident occurs. 20. According to the guidelines on DPOs, the body could, where appropriate, develop data protection guidelines or programs indicating the cases in which the DPO must be consulted. 2. In this case 21. It appears from the audit report that in order for the investigator to consider objective 8 as achieved by the inspected within the framework of this audit campaign, the head of the investigation 7 WP 243 v.01, version revised and adopted on April 5, 2017, p. 16 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 6/22 expects the DPO to participate in a formalized manner and on the basis of a defined frequency the Management Committee, project coordination committees, new committees products, safety committees or any other committee deemed useful in the context of protection Datas. 22. According to the statement of objections, page 3, “the DPO participates in numerous meetings at Group level and […] regularly organize meetings with its points of local contacts. But these elements are not sufficient to demonstrate the direct, formal and permanent involvement of the DPD in Luxembourg ”. It still results from the communication of complaints that “the Group DPO receives a monthly report from the local contact point continued to […] as well as a monthly report […] relating to data protection issues (number of requests to exercise rights or complaints, possible impact analyzes etc.). […] The DPO is systematically informed and consulted by the local contact point in case of a security incident likely to involve personal data and create a risk for the people concerned. "However, the head of the investigation believes that “These elements cannot compensate for the absence of direct involvement of the DPD Groupe within Company A, which could create the risk that the DPO is not sufficiently involved at operational level in Luxembourg. "Finally, the head of the investigation argues that he "was not aware of any elements to address this risk, such as for example the formal establishment of visits based on a defined frequency of the DPO Group (or a member of its Data Protection team) in Luxembourg. These visits would in particular allow the DPO to be able to discuss directly with the management superior of Company A for issues related to data protection and power directly assess operational issues. " 23. In its position paper of 22 November 2019, the inspected affirms that the DPD Groupe is involved in an appropriate and timely manner in all matters relating to the protection of personal data. The inspected explains that “[all] the questions relating to the protection of personal data initiated in the Grand Duchy of Luxembourg are first received and analyzed by our contact point dedicated to data protection in Luxembourg ”(hereinafter: the“ local contact point ”) and that this the latter works in close collaboration with the DPD Groupe […]. According to the inspected, the point of contact is responsible for the compliance management of the processing of personal data personnel implemented by the inspected, this under the supervision of the DPD Groupe who contact reports its actions. In addition, the inspected mentions in its position paper ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with Company A 7/22 of 22 November 2019 the establishment of a committee dedicated to data protection in Luxembourg (hereinafter: the "[GDPR Committee]") which defines the strategy on these subjects and the action plans associates. The controlled sets out the composition and functioning of the [GDPR Committee] for support that the Group DPO is involved in the management of compliance with the provisions of the GDPR in Luxembourg. 24. In his pleadings, the agent of the inspected highlights article 37.2 of the GDPR, which allows a group of companies to designate a single DPO provided that the latter be easily reachable from each place of establishment, as well as the guidelines concerning DPOs to maintain that the operation of the inspected complies with the GDPR and affirms that "[i] t was found no materiality of the alleged facts, no unavailability of the DPO of Company A, whether vis-à-vis the supervisory authority or of the persons concerned and a possible and uncharacterized risk cannot allow to factually establish a violation. " 25. The restricted committee notes that the inspected is a subsidiary of the group […] and that the latter had decided to appoint a single DPO for the different entities of the group (here- after: the “DPD Groupe”). At the central level, the group has set up an office for data protection (“[…]”) composed of the DPD Groupe as well as […] lawyers specialists in data protection and […] project manager. At local level, the sole inspectorate lawyer has been appointed as the local point of contact for the DPD Group. 26. As a preliminary point, the restricted panel notes that the breach alleged by the chief investigation relates to Article 38.1 of the GDPR so that the explanations of the agent of the controlled under Article 37.2 of the GDPR are not relevant in this case. Indeed, even if the GDPR allows a group of companies to designate a single DPO, it does not remain not less that this DPO must be associated, in an appropriate and timely manner, with all questions relating to the protection of personal data, in accordance with Article 38.1 of the GDPR. It is thus possible for an organization to appoint a single DPO at the level of the group whose entities are established in several Member States of the European Union and to provide, at the local level, "contact points" which assist the DPO, in particular in questions relating to local particularities such as national legislation. In such However, it is all the more important to clearly define, among other things, the modalities of collaboration between the DPO and the “local contact points” as well as the distribution of tasks and responsibilities. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 8/22 In this case, the restricted committee noted that all questions relating to the protection of personal data that arose at the control level were received and first analyzed by the local point of contact who contacted the DPD Group when he felt it was necessary. The restricted training further notes that the DPD Groupe did not not part of the [GDPR Committee] and was only informed of the matters discussed there through the lawsuits- verbal of the [GDPR Committee] and through the questions raised by the point of local contact during these meetings. 27. It emerges from the investigation file that the DPD Groupe was not associated only indirectly to questions relating to the protection of personal data that arose at the controlled level, through the local point of contact who, in fact, acted as the interlocutor in matters of data protection within of the body. However, the local point of contact was the sole jurist of the inspected and did not part of the DPD Groupe team itself, namely the office for the protection of data ("[…]"). 28. In addition, the restricted panel considers that the fact of transmitting the minutes of the [GDPR Committee] to the DPD Group does not allow its appropriate association to be established and in timely insofar as the Group DPO is simply informed of the measures that the [GDPR Committee] proposes to the various control decision-making bodies to implement. The DPO is therefore not informed and above all not consulted "from the earliest stage possible ”of all matters relating to data protection. 29. In addition, the controlled indicates in its position paper of September 30, 2020 that the er local contact point has been appointed as DPO for Company A, with effect from 1 October 2020. The restricted committee notes that the CNPD received the amending declaration by e-mail of September 30, 2020. However, the inspected must ensure that the newly appointed DPO appointed is effectively involved in all matters relating to data protection of a personal nature. The fact of having appointed the local point of contact as DPD is not enough not to sufficiently demonstrate such association of the latter to all questions relating to the protection of personal data. 30. In view of the foregoing, the restricted committee agrees with the findings of the head of the investigation that the non-compliance with Article 38.1 of the GDPR was acquired at the time of the investigation. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted with Company A 9/22 b) On the failure to provide the necessary resources to the DPO 1. On the principles 31. Article 38.2 of the GDPR requires the organization to help its DPO "to carry out the tasks referred to in Article 39 by providing the necessary resources to carry out these tasks, as well that access to personal data and processing operations, and allowing to maintain its specialized knowledge. " 32. It follows from the guidelines on DPOs that the following aspects must be in particular to be taken into consideration: 8 “sufficient time for the DPOs to accomplish their tasks. This aspect is particularly important when an internal DPO is appointed part-time or when the external DPO is responsible for data protection in addition to others tasks. Otherwise, conflicting priorities could lead to the tasks of the DPD are neglected. It is essential that the DPO can devote sufficient time to his missions. It is good practice to set a percentage of time dedicated to the function of DPO when this function is not occupied full time. It is also good practice to determine the time required to complete the function and the appropriate level of priority for the tasks of the DPO, and that the DPO (or the organization) establish a work plan; necessary access to other services, such as human resources, service legal, IT, security, etc., so that DPOs can receive essential support, input and information from these others services ". 33. The DPO Guidelines state that "[d] in general, the more complex or sensitive the processing operations, the more resources allocated to the DPD should be significant. The data protection function must be effective and provided with adequate resources with regard to the data processing carried out. " 2. In this case 8WP 243 v.01, version revised and adopted on April 5, 2017, p. 17 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] conducted with Company A 10/2234. It emerges from the audit report that, in view of the size of the organizations selected, for that the head of investigation considers objective 6 as achieved by the control within the framework of this audit campaign, the head of the investigation expects the inspected to use at least an FTE (full-time equivalent) for the data protection team. Leader investigation also expects the DPO to have the opportunity to rely on other services, such as legal, IT, security, etc. It follows from the statement of objections, page 3, that the Group DPO has at the level central team made up of [...] lawyers specializing in the protection of data as well as […] project manager. At the local level, however, the DPD Groupe does not have than a local point of contact who was also the sole legal expert of the controlled so that the head of investigation noted "the risk that the DPO does not have sufficient resources at the local in Luxembourg, resources being concentrated at group level, but not seeming not sufficiently deployed at the local level ”as well as“ the risk that in the event of a strong peak activity concerning the legal matters to be handled within Company A, the point of contact may not have the means to effectively carry out its missions relating to data protection, which would create the risk that the DPO could not exercise effectively its DPD missions for Luxembourg ”. 35. In its position paper of 22 November 2019, the inspected affirms that the DPD Groupe has the local support of a legal team made up of the local point of contact and a "second resource" and notes that "the job description of the Local Contact Point and the second resource in the local legal team on an open-ended contract must be detailed in terms of hourly volume and description of tasks ”. 36. In his note of pleadings, the agent of the controlled also argues that the requirement to formalize the distribution of working time does not exist in the regulations applicable and that the DPO guidelines contain at most one recommendation as a "good practice" to "determine the time required to the performance of the function and the appropriate level of priority for the tasks of the DPO, and that the DPD (or the body) establishes a work plan ". Finally, the agent of the inspected maintains that "[i] here too have not been found any materiality of the alleged facts, nor provided no explanation of the criteria examined to conclude a lack of resources, nor no analysis of existing resources. A possible and uncharacterized risk cannot ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey no. [...] conducted with Company A 11/22 to establish factually that Company A would lack the resources to deal with its obligations under data protection. " 37. The restricted committee notes that the inspected has chosen to appoint the Group DPO which has, at the central level, a team made up of [...] lawyers specializing in of data protection as well as […] project manager. At the entity level Luxembourg woman having been the subject of the investigation, a local contact point was appointed, in the person of the only lawyer of the controlled who carried out moreover still other missions. The restricted training considers that such an organization requires that the organization determine and documents the time required for the local point of contact to perform its related duties to data protection in order to be able to allocate the necessary resources to it. This This requirement results in particular from the guidelines on DPOs as well as from the articles 5.2. and 24 of the GDPR which set out the principle of accountability. Now it emerges of the file that the inspected has not carried out any formalization or documentation making it possible to demonstrate that the inspected person has provided the DPO function with the resources necessary for the performance of its missions at the time of the investigation. 38. In view of the above, the restricted panel concludes that Article 38.2 of the GDPR has no not respected by the inspected. c) On the failure to provide information and advice to the DPO 1. On the principles 39. Under section 39.1. a) of the GDPR, one of the missions of the DPO is to "inform and advise the controller or processor as well as the employees who carry out processing on their obligations under this Regulation and other provisions of Union law or the law of the Member States relating to the protection of data ”. 2. In this case 40. It appears from the audit report that, in order for the investigator to consider objective 9 as achieved by the controlled as part of this audit campaign, he expects " ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey no. [...] carried out with Company A 12/22 the organization has formal reporting on the activities of the DPO to the Management Committee on basis of a defined frequency. Regarding information to employees, the organization is expected to have put in place an adequate training system for personnel in terms of data protection ”. 41. According to the statement of objections, page 4, it appears from the investigation that there is no direct reporting of information from the Group DPD to the local control department. Leader survey notes that "there are several levels of reporting ([...])", but considers that "these elements are not sufficient to compensate for the lack of direct reporting from the DPO to the data controller in Luxembourg ”. 42. In its position paper of 22 November 2019, the inspected refers to these explanations relating to the first complaint, namely the breach of the obligation to involve the DPO in all questions relating to the protection of personal data. Moreover, the controlled maintains that the Group DPO “informs and advises the controller as well as the employees and in particular implemented: o Online training […], available online from May 2018 o An awareness campaign with […] on the protection of personal data staff on […] 2018, as well as on […] 2019 […] o An awareness campaign with […] including the 10 golden rules on protection of personal data dated […] 2019 ” The inspected confirms that the DPD Groupe “has the opportunity to discuss issues strategic and / or more operational with the senior management […] of Company A ”. 43. The restricted committee noted that the failure noted by the head of the investigation concerns that the DPO's mission of information and advice to the head of processing, and not the DPO's mission of providing information and advice to employees. 44. The restricted committee considers that the DPO’s information and advice mission to with regard to the controller is closely linked to the obligation, provided for in Article 38.1 of the GDPR, to involve the DPO in an appropriate and timely manner in all questions relating to the protection of personal data. However, the limited training has noted that the Group DPO was not involved in an appropriate and timely manner with data protection issues arising at the level of the Luxembourg entity having ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey no. […] conducted with Company A 13/22 is the subject of the survey. Indeed, the DPD Groupe was only indirectly associated, by through the local point of contact. In addition, he was simply informed of the measures that the [GDPR Committee] proposes to the various supervisory decision-making bodies to implement artwork. 45. In view of the foregoing, the Select Committee concludes that Article 39.1. a) of the GDPR was not respected by the controlled. III. On corrective measures and fines A. Principles 46. In accordance with article 12 of the law of 1 August 2018 on the organization of the National Commission for Data Protection and General Protection Regime data, the CNPD has the powers provided for in Article 58.2 of the GDPR: a) notify a controller or processor that data processing operations planned treatment are likely to violate the provisions of this regulation; b) call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of this regulation; c) order the controller or processor to comply with the requests presented by the data subject in order to exercise their rights under the this regulation; d) order the controller or processor to put the data processing operations processing in accordance with the provisions of these regulations, if applicable, in a specific manner and within a specified timeframe; e) order the controller to communicate to the data subject a personal data breach; 9 Points 26 to 30 of this decision ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 14/22 f) impose a temporary or permanent limitation, including a ban, on the treatment; g) order the rectification or erasure of personal data or the restriction of processing in application of Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed in accordance with Article 17, paragraph 2, and Article 19; h) withdraw a certification or order the certification body to withdraw a certification issued in application of Articles 42 and 43, or order the certification not to issue certification if the requirements applicable to the certification are not or no longer satisfied; i) impose an administrative fine in application of Article 83, in addition to or the place of the measures referred to in this paragraph, depending on the characteristics specific to each case; j) order the suspension of data flows addressed to a recipient located in a third country or to an international organization. " 47. In accordance with article 48 of the law of August 1, 2018, the CNPD may impose administrative fines as provided for in Article 83 of the GDPR, except against the State or municipalities. 48. Article 83 of the GDPR provides that each supervisory authority ensures that administrative fines imposed are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account in deciding whether there to impose an administrative fine and to decide on the amount of this fine: "(A) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of people affected parties and the level of damage they suffered; (b) whether the violation was committed willfully or negligently; c) any measures taken by the controller or processor to mitigate the damage suffered by the persons concerned; ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey no. [...] carried out with Company A 15/22 d) the degree of responsibility of the controller or the processor, account taking into account the technical and organizational measures they have implemented under Articles 25 and 32; e) any relevant breach previously committed by the controller or the subcontractor; f) the degree of cooperation established with the supervisory authority in order to remedy the violation and mitigate any negative effects; g) the categories of personal data affected by the breach; h) the manner in which the supervisory authority became aware of the breach, in particular whether, and to what extent, the controller or processor has notified the violation; (i) where measures referred to in Article 58 (2) have previously been ordered against the controller or processor concerned for the same object, compliance with these measures; j) the application of codes of conduct approved in accordance with Article 40 or certification mechanisms approved under Article 42; and k) any other aggravating or mitigating circumstance applicable to the circumstances of the species, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation ”. 49. The restricted panel wishes to point out that the facts taken into account in the context of the this decision are those noted at the start of the investigation. Any modifications relating to the subject of the investigation carried out subsequently, even if they make it possible to establish fully or partially compliance, do not allow retroactive cancellation of a breach noted. 50. Nevertheless, the steps taken by the inspected to bring themselves into compliance with the GDPR during the investigation procedure or to remedy breaches noted by the head of investigation in the statement of objections, are taken into account by the limited training in the context of any corrective measures to be taken. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey no. […] carried out with Company A 16/22 B. In the present case 1. As to the imposition of an administrative fine 51. In the additional letter to the statement of objections of 24 August 2020, the investigator proposes to the restricted formation to pronounce against the controlled a administrative fine relating to the amount of 18,000 euros. 52. In his pleadings, the agent of the controlled argues that a fine administrative "must meet the principles of adequacy and proportionality of Article 83 of the GDPR while in particular, no specific grievance has been formulated, no damage has been observed and Company A collaborated as much as possible with the CNPD during the entire monitoring period. " 53. In order to decide whether to impose an administrative fine and to decide, if of the amount of this fine, the restricted committee analyzes the criteria set by Article 83.2 of the GDPR: - As to the nature and seriousness of the violation (article 83.2 a) of the GDPR), with regard to concerns breaches of Articles 38.1, 38.2 and 39.1 a) of the GDPR, the training restricted notes that the appointment of a DPO by an organization cannot be efficient and effective, namely facilitating compliance with the GDPR by the organization, that in the case where the DPD is associated from the earliest possible stage with all data protection issues, takes advantage of time and resources necessary to perform their data protection duties and exercise effectively its missions including the information and advice mission of controller. A breach of Articles 38.1, 38.2 and 39.1 a) of the GDPR amounts to reducing the interest, or even emptying of its substance, the obligation for an organism to appoint a DPO. - As for the duration criterion (article 83.2.a) of the GDPR), the restricted committee notes that the controlled indicated, in its position paper of September 30, 2020, that the point of er local contact has been appointed as DPO with effect from 1 October 2020 and that this the latter now devotes 50% of his working time to protection issues data, with the assistance of [...] other lawyers who also devote each 50% of their working time. In addition, the composition and functioning of the ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey no. [...] conducted with Company A 17/22 [GDPR Committee] have been modified so that the DPO can inform and advise the controller. Breaches of Articles 38.1, 38.2 and 39.1 a) have er therefore lasted over time, at least between May 25, 2018 and October 1, 2020. The restricted party recalls here that two years have separated the entry into force of the GDPR of its entry into force to allow data controllers to comply with their obligations. - As to the number of data subjects affected by the violation and the level of damage they have suffered (Article 83.2 a) of the GDPR), the restricted committee notes that the inspected has approximately […] employees spread over […] sites as well as […]. The number of people affected by the violation is therefore potentially high. - As to the degree of cooperation established with the supervisory authority (Article 83.2 f) of GDPR), the restricted training takes into account the assertion of the head of the investigation according to which the inspected has shown constructive participation throughout investigation. 54. The restricted committee notes that the other criteria of Article 83.2 of the GDPR do not are neither relevant nor likely to influence his decision on whether to impose a fine administrative and its amount. 55. The restricted committee notes that although several measures have been put in place by the checked in order to remedy all or part of certain shortcomings, these have not been adopted only following the launch of the investigation by CNPD officers on 17 September 2018 (see also point 49 of this decision). 56. Therefore, the restricted panel considers that the imposition of a fine administrative procedure is justified with regard to the criteria set out in Article 83.2 of the GDPR for breach of Articles 38.1, 38.2 and 39.1 a) of the GDPR. 57. Regarding the amount of the administrative fine, the restricted panel recalls that Article 83.3 of the GDPR provides that in the event of multiple violations, as is the case in the case, the total amount of the fine may not exceed the amount set for the most serious violation serious. Insofar as a breach of Articles 38.1, 38.2 and 39.1 a) of the GDPR is reproached for the control, the maximum amount of the fine that can be withheld is 10 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with Company A 18/22 million euros or 2% of the worldwide annual turnover, the highest amount being retained. 58. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the restricted committee considers that the pronouncement of a fine of 18,000 euros appears in the both effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR. 2. Regarding the taking of corrective measures 59. In his additional letter to the statement of objections, the head of the investigation suggests that the restricted group take the following corrective measures: "A) Order the implementation of measures ensuring a formal association and effectiveness of the DPO in all matters relating to data protection, in accordance with the requirements of Art.38 para.1 GDPR. Although several ways can be envisaged to achieve this result, one of the possibilities would consist of analyzing, with the DPO, all committees / working groups relevant to the with regard to data protection and to formalize the terms of its intervention (previous information from the meeting agenda, invitation, frequency, status of permanent member etc.). b) Order the provision of the necessary resources to the DPO in accordance with the requirements of article 38 paragraph 2 of the GDPR. Although several ways can be envisaged to achieve this result, one of the possibilities would be to relieve the DPO and / or the local members of his team of all or part of his other missions / functions or to provide formal support, internally or externally, with regard to the performance of his duties as DPD. c) Order the implementation of measures enabling the DPO to inform and advise formally the data controller on his obligations in terms of protection data, in accordance with Article 39 paragraph 1 a) of the GDPR. Although several ways can be envisaged to achieve this result, one of the possibilities would be to set up a formal reporting of the DPD's activities to the Direction based on a defined frequency. " 60. As to the corrective measures proposed by the head of the investigation and by reference to the point 50 of this decision, the restricted committee takes into account the procedures ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] conducted with Company A 19/22 carried out by the inspector, following the visit of CNPD agents, in order to comply with provisions of articles 38.1, 38.2 and 39.1 a) of the GDPR, as detailed in these letters November 21, 2019 and September 30, 2020. In particular, it takes note of the facts following: - As for the violation of Article 38.1 of the GDPR providing for the obligation to involve the DPO to all questions relating to the protection of personal data, restricted training takes note that the local contact point has been appointed DPD of er the inspected body with effect from October 1, 2020. However, the restricted training includes documents provided by the inspected that this newly appointed DPO performs his duties under the supervision of the DPO [of the group]. The restricted committee therefore wonders whether the newly appointed DPO is effectively involved in all matters relating to data protection of a personal nature, and this in complete independence. Therefore, the CNPD is of the opinion that the inspected has not sufficiently demonstrated its compliance with Article 38.1 of the GDPR and considers that it is necessary to pronounce an enforcement measure compliance in this regard. - With regard to the violation of article 38.2 of the GDPR providing for the obligation to provide the necessary resources to the DPO, the inspected affirms in their position statement of September 30, 2020 that the DPO newly appointed by Company A consecrates 50% of his working time on data protection issues and he is assisted by [...] jurists who devote [...] so that there will be 1.5 FTEs devoted to the protection of personal data. In view of these elements, the restricted formation is of the opinion that the expectation of the chef investigation of 1 FTE or more is reached following the measures taken by the inspected during the investigation. Therefore, the restricted formation considers that there is no instead of pronouncing a compliance measure in this regard. - As for the violation of Article 39.1 a) of the GDPR relating to the mission of information and advice from the DPO to the data controller, the inspector explains in his position of September 30, 2020 the composition and functioning of the [Committee GDPR] which will allow the newly appointed DPO to inform and advise the controller. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 20/22 However, in view of the documents provided by the inspected, the limited training understands that the DPO (previously local point of contact, without having exercised the of DPD) newly appointed by the inspected carries out its missions under the supervision of the DPD [of the group], so that it is not sufficiently demonstrated by the checked that the newly appointed DPO can effectively fulfill his mission information and advice to the controller controlled (Company A), and this in complete independence. Therefore, the restricted party considers that there is instead of pronouncing a compliance measure in this regard. In view of the foregoing developments, the National Commission sitting in restricted formation and deliberating unanimously decides: - to pronounce against the company "Company A" an administrative fine of one amount of eighteen thousand euros (18,000 euros) with regard to the violation of articles 38.1, 38.2 and 39.1. a) of the GDPR; - to issue an injunction against the company "Company A" to come into compliance with Article 38.1 of the GDPR, within four months of the notification of the decision of the restricted committee, the supporting documents for compliance must be sent to the restricted group at the latest within this period, in particular: ensure that the DPO is effectively involved in all questions relating to protection personal data, and this in complete independence; - to issue an injunction against the company "Company A" to come into compliance with Article 39.1 a) of the GDPR within four months of notification of the decision of the restricted committee, the supporting documents for compliance must be sent to the restricted group at the latest within this period, in particular: ensure that the DPO can effectively fulfill his mission of information and advice towards the controller. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 21/22 As decided in Belvaux on May 31, 2021. For the National Commission for Data Protection sitting in a restricted body Tine A. Larsen Thierry Lallemang Marc Lemmer President Commissioner Commissioner Indication of remedies This administrative decision may be the subject of an appeal for reformation within three months following its notification. This appeal is to be brought before the administrative tribunal and must must be introduced through a lawyer at the Court of one of the Bar Associations. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 22/22