TADM - 46401
Latest revision as of 10:44, 24 July 2024
TADM - 46401 | |
---|---|
Court: | TADM (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 38(1) GDPR; Article 38(2) GDPR; Article 39(1) GDPR; Article 83 GDPR |
Decided: | 14.05.2024 |
Published: | 20.05.2024 |
Parties: | CNPD; Company A |
National Case Number/Name: | 46401 |
European Case Law Identifier: | ECLI:LU:TADM:2024:46401 |
Appeal from: | CNPD (Luxembourg) 18FR/2021 |
Appeal to: | Unknown |
Original Language(s): | French |
Original Source: | TADM (in French) |
Initial Contributor: | lszabo |
A court upheld a fine of €18,000 imposed by the DPA on a controller for not directly involving the group DPO in data protection-related matters and for not providing the DPO with sufficient resources.
English Summary
Facts
The Luxembourg DPA ("Commission Nationale pour la Protection des Données - CNPD") launched an investigation into a group of companies with a subsidiary based in Luxembourg (the controller).
The group of companies had appointed a single DPO (the group's DPO) under Article 37(2) GDPR, which allows a group of undertakings to appoint one DPO, to handle all data protection matters, and had appointed a lawyer as the local contact point in Luxembourg to assist the group's DPO. The controller had also established a GDPR Board, a committee dedicated to data protection in Luxembourg. The group's DPO, however, was not a member of the GDPR Board and was only informed of the subjects discussed there through the minutes of the GDPR Board and through the questions the local contact point raised during these meetings. The group's DPO was not based in Luxembourg and was involved mostly indirectly, through the local contact point, in the data protection-related matters of the Luxembourg entity. During the course of the investigation, the controller appointed its own DPO, who started on 1 October 2020.
The DPA found that, even though the group's DPO participated in numerous meetings at group level and regularly organised meetings with its local points of contact, this was not sufficient to demonstrate the direct, formal and permanent involvement of the DPO in Luxembourg. Therefore, the DPA found that the controller had not sufficiently involved the DPO in data protection matters, in violation of Article 38(1) GDPR and Article 39 GDPR. It further found that the controller had not provided its DPO with the necessary resources and powers, in violation of Article 38(2) GDPR. Thus, the DPA fined the controller €18,000.
The controller appealed this decision before the Administrative Court of the Grand Duchy of Luxembourg ("Tribunal administratif du Grand-Duché de Luxembourg - TADM"), seeking annulment of the decision. The controller argued that the DPA had exceeded its powers in finding violations of Article 38(1) and (2) and Article 39 GDPR. Moreover, the controller argued that the French DPA ("CNIL") had investigated its parent company and the other entities located in France and had found no violations and made no comments regarding the appointment of the group's DPO. The controller also argued that the amount of the fine was disproportionate.
Holding
Involvement of the group's DPO
The court held that, in order for the DPO to comply with its obligation to inform and advise the controller under Article 39(1) GDPR, it is necessary and imperative for the DPO to be involved at the earliest possible stage in questions and projects raising issues relating to the protection of personal data. The court found that requests and complaints from data subjects were handled by the local contact point without the intervention of the group's DPO. The group's DPO was only involved when a data subject was not satisfied with the handling by the local contact point. Although the controller referred to regular communications via telephone, video conferences and e-mails between the local contact point and the group's DPO, it did not provide any documentation of these communications. It was also not demonstrated that the group's DPO had been consulted beforehand about setting up the GDPR Board.
The court dismissed the controller's argument that the DPA had not taken into account that the controller appointed its own DPO during the investigation. The DPA only considered the facts as they existed on the day it started its investigation. The court agreed with the DPA that any changes made by the controller during the investigation would not eliminate an established breach and would not relieve the controller of its responsibility.
The court also dismissed the controller's argument that the CNIL had come to a different conclusion during its investigation of the group's parent company and the other entities located in France. The court held that the CNIL's finding had no relevance, as it did not concern the activities in Luxembourg, and that neither the court nor the DPA is bound by decisions of administrative authorities or courts in other countries.
Thus, the court found that the DPO was not directly involved in all data protection-related matters. Therefore, the controller violated Article 38(1) GDPR and Article 39 GDPR.
Available resources for the DPO
The court held that the controller had not presented any information about formalising the working time the local contact point devoted to data protection. The court also noted that the local contact point was the only lawyer in the controller's company in Luxembourg. The court held that the DPO had to be involved in all matters relating to the protection of personal data; general consultation was not sufficient. The court then took into account the volume of the controller's activities in Luxembourg (70 sites, between 1,600 and 2,100 employees and 25,000 consumers per day), which would have justified at least one full-time person being devoted to data protection. The court thus found that the controller had violated Article 38(2) GDPR by not providing sufficient resources to its DPO.
Imposed fine
Concerning the proportionality of the fine, the court took into account Article 83 GDPR and the seriousness of the violations. The court found that the fine was proportionate, as the violations found were serious, potentially involved a large number of people and lasted at least from 25 May 2018 to 1 October 2020.
Thus, the court dismissed the appeal and upheld the DPA's decision that the controller violated Article 38(1) and (2) and Article 39 GDPR.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Administrative Court of the Grand Duchy of Luxembourg
No. 46401 of the roll
ECLI:LU:TADM:2024:46401
4th chamber
Registered August 27, 2021
Public hearing of May 14, 2024

Appeal filed by the limited company ... SA, …, against a decision of the National Commission for Data Protection regarding data protection

JUDGEMENT

Having regard to the request registered under number 46401 of the roll and filed on August 27, 2021 at the registry of the administrative court by Maître Renaud Le Squeren, lawyer at the Court, registered on the roll of the Luxembourg Bar Association, in the name of the limited company ... SA, established and having its head office in L-…, registered in the Luxembourg trade and companies register under number ..., represented by its board of directors currently in office, tending to the reform, otherwise the annulment, of a decision of May 31, 2021 of the National Commission for Data Protection ("CNPD"), public establishment, registered in the Luxembourg trade and companies register under number J52, established and having its headquarters in L-4370 Belvaux, 15, boulevard du Jazz, represented by its college of commissioners currently in office, having imposed an administrative fine of 18,000 euros on it while having ordered it to comply with Articles 38, paragraph (1) and 39, paragraph (1) (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC, within four months following notification of the said decision;

Having regard to the writ of the substitute bailiff Michèle Baustert, replacing the bailiff Cathérine Nilles, both residing in Luxembourg, of August 31, 2021, bearing notification of the aforementioned request to the CNPD, prequalified;

Having regard to the constitution of lawyer at the Court filed at the registry of the administrative court on September 27, 2021 by Maître Elisabeth Guissart, lawyer at the Court, registered on the roll of the Luxembourg Bar Association, for the CNPD, prequalified;

Having regard to the response filed at the administrative court registry on December 10, 2021 by Maître Elisabeth Guissart, prequalified, in the name and on behalf of the CNPD, prequalified;

Having regard to the reply brief filed at the administrative court registry on January 10, 2022 by Maître Renaud Le Squeren, prequalified, in the name and on behalf of the limited company ... SA, prequalified;

Having regard to the rejoinder filed at the registry of the administrative court on February 8, 2022 by Maître Elisabeth Guissart, prequalified, in the name and on behalf of the CNPD, prequalified;

Considering the documents submitted in question and in particular the criticized decision;

The judge-rapporteur heard in his report at the public hearing of October 10, 2023, the parties having apologized.

By letter dated September 17, 2018, the National Commission for Data Protection, hereinafter referred to as "the CNPD", informed the company ... SA, hereinafter referred to as "the company ...", of the exercise, within the latter, of a control in the form of a thematic investigation on the function of data protection officer, hereinafter referred to as "the DPD", as part of a broader campaign carried out among major Luxembourg data controllers in all sectors, by submitting a questionnaire to be returned no later than October 8, 2018.

Following the return of the questionnaire on October 5, 2018 by the company ... and following an on-site visit by CNPD agents on January 21, 2019, the CNPD submitted, by email of April 26, 2019, a draft report of the on-site visit, a draft document in relation to which the company ... took a position by email of May 13, 2019. By email of May 14, 2019, the CNPD sent the company ... the final report of said on-site visit.

On August 7, 2019, the CNPD sent, by email, a draft audit report to the company ..., which sent its position on the subject by email of August 29, 2019.

On October 31, 2019, the CNPD communicated the grievances to the data controller, the company ..., as well as audit report no. 1716/2019, the company ... responding by letter of November 22, 2019.

On August 24, 2020, the CNPD sent a letter supplementing the communication of grievances to the company ... indicating the corrective measures and the fine of 18,000 euros that the head of investigation proposed to the restricted formation of the CNPD, hereinafter referred to as "the restricted panel", to pronounce with regard to the company .... The company ..., by means of a letter from its representative dated September 30, 2020, took a position in relation to the additional letter from the CNPD of August 24, 2020.

Following the restricted panel session of January 26, 2021, the latter decided, by decision of May 31, 2021 referenced under number 18FR/2021, to impose on the company ... a fine of 18,000 euros, as well as an injunction to comply with articles 38, paragraph (1) and 39(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of data, and repealing Directive 95/46/EC, hereinafter referred to as "the GDPR", within four months from the notification of the said decision, based on the following motivation:

"(…) The National Commission for Data Protection sitting in restricted formation, composed of Madam …, president, and Messrs … and …, commissioners;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC;

Having regard to the law of August 1, 2018 organizing the National Commission for Data Protection and the general regime on data protection, in particular its article 41;

Considering the internal regulations of the National Commission for Data Protection adopted by decision no. 3AD/2020 dated January 22, 2020, in particular its article 10.2;

Having regard to the regulation of the National Commission for Data Protection relating to the investigation procedure adopted by decision no. 4AD/2020 dated January 22, 2020, in particular its article 9;

Considering the following:

I. Facts and procedure

1. Considering the impact of the role of the data protection officer (hereinafter: the "DPD") and the importance of its integration into the organization, and considering that the guidelines concerning DPDs have been available since December 2016, i.e. 17 months before the entry into application of Regulation (EU) 2016/679 of the European Parliament and the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: the "GDPR"), the National Commission for Data Protection (hereinafter: the "National Commission" or the "CNPD") decided to launch a thematic investigative campaign on the function of the DPD. Thus, 25 audit procedures were opened in 2018, concerning both the private sector and the public sector.

2. In particular, the National Commission decided by deliberation no. 451/2018 of 14 September 2018 to open an investigation in the form of a data protection audit with the public limited company ... S.A., established and having its head office in L-..., registered with the trade and companies register under number ... (hereinafter: the "controlled") and to designate Mr ... as head of investigation. The said deliberation specifies that the investigation relates to the compliance of the controlled with section 4 of chapter 4 of the GDPR.

3. The object of the controlled entity is in particular the operation, management, supply for its own account or on behalf of others of all catering and hotel services in establishments reserved for communities or the public. The controlled numbers around 2,100 employees spread over 70 sites as well as 25,000 consumers per day.

4. By letter of September 17, 2018, the head of investigation sent a questionnaire preliminary to the audit, to which the latter responded by letter of October 5, 2018. An on-site visit took place on January 21, 2019. Following these discussions, the head of investigation established the audit report no. 1716/2019 (hereinafter: the "audit report").

5. It appears from the audit report that, in order to verify the compliance of the organization with section 4 of chapter 4 of the GDPR, the head of investigation defined eleven control objectives, namely:
1) Ensure that the organization required to appoint a DPO has done so;
2) Ensure that the organization has published the contact details of its DPO;
3) Ensure that the organization has communicated the contact details of its DPO to the CNPD;
4) Ensure that the DPO has sufficient expertise and skills to carry out its missions effectively;
5) Ensure that the missions and tasks of the DPO do not lead to a conflict of interest;
6) Ensure that the DPO has sufficient resources to carry out its missions effectively;
7) Ensure that the DPO is able to carry out his missions with a sufficient degree of autonomy within his organization;
8) Ensure that the organization has put in place measures so that the DPO is associated with all questions relating to data protection;
9) Ensure that the DPO fulfills its mission of providing information and advice to the data controller and employees;
10) Ensure that the DPO exercises adequate control over data processing within his organization;
11) Ensure that the DPO assists the data controller in carrying out the impact analyses in the event of new data processing.

6. By letter of October 31, 2019 (hereinafter: the "statement of objections"), the head of investigation informed the auditee of the breaches of the obligations provided for by the GDPR that it noted during his investigation. The audit report was attached to the said letter.

7. In particular, the head of investigation noted in the statement of objections breaches of:
- the obligation to involve the DPO in all questions relating to the protection of personal data;
- the obligation to provide the necessary resources to the DPO;
- the information and advice mission of the DPD.

8. By letter dated November 22, 2019, the person being inspected sent the head of investigation its position regarding the shortcomings listed in the statement of objections.

9. On August 24, 2020, the head of investigation sent the controlled person an additional letter to the communication of objections (hereinafter: the "additional letter to the communication of grievances") by which he informs the auditee of the corrective measures and the administrative fine that it proposes to the National Commission sitting in restricted formation (hereinafter: the "restricted panel") to adopt.

10. By letter dated September 30, 2020, the controlled person sent the head of investigation its observations regarding the letter supplementing the statement of objections.

11. The case was on the agenda of the restricted panel session of January 26, 2021. In accordance with article 10.2. b) of the internal regulations of the National Commission, the head of investigation and the controlled person presented their oral observations in support of their written observations. More particularly, Maître Renaud Le Squeren, agent of the inspected, read out a note setting out the observations of the inspected person (hereinafter: the "note of pleadings"). The head of investigation and the person being investigated subsequently answered the questions asked by the restricted panel. The person being controlled had the last word.

12. By email of January 27, 2021, the controlled's agent sent to the restricted panel a copy of the pleadings note, an extract from a presentation dated October 8, 2018 presenting the "Data Protection" organization chart with indication of the "GDPR Board" of the controlled person, as well as an extract from the trade and companies register of the public limited company ... ... S.A. managing "checks…" in Luxembourg.

II. Place

A. As for the requirements for precision in the statement of objections and the additional letter to the statement of objections

13. In his pleadings note, the agent of the controlled party invokes, as a preliminary matter, that the statement of objections and the supplementary letter to the statement of objections lack precision: "[…] the Courriers de Grief fail to comply with the legal obligations applicable in administrative matters, in particular in that they do not contain a precise reference to a legal standard which would have been violated and that they contain no precise indication of the detailed facts which would constitute a violation of a legal norm by .... By this lack of precision, the general principles of applicable rights were violated and my principal was deprived of the possibility of providing informed and detailed explanations likely to shed light for the restricted panel."

14. The restricted panel notes that the head of investigation expressly mentions, both in the statement of objections and in the letter supplementing the communication of grievances, the provisions of the GDPR which the person inspected may have failed to comply with, namely articles 38.1, 38.2 and 39.1.a). Furthermore, the factual findings made during the investigation and on which the alleged breaches are based are indicated in the statement of objections. Moreover, the audit report including all the findings and work carried out by the head of investigation as part of the audit mission was attached to the statement of objections. Furthermore, the restricted panel notes that the agent of the controlled person refers to the "legal obligations applicable to administrative matters" as well as "general principles of applicable rights" without specifying which rule of law would have been violated in this case.

15. For all practical purposes, it must be noted that the person controlled was able to take position in relation to the failings of which he is accused, as demonstrated by his statements of November 22, 2019 and September 30, 2020 as well as the oral observations and the note of pleadings presented at the restricted panel session of January 26, 2021.

16. It is therefore wrong for the agent of the controlled party to maintain that the communication of objections and the letter supplementing the statement of objections lack precision so that his principal would have been "deprived of the possibility of providing enlightened and detailed explanations likely to shed light for the restricted panel".

B. As to the complaints listed in the statement of objections

a) On the failure to comply with the obligation to involve the DPO in all questions relating to the protection of personal data

1. On the principles

17. According to article 38.1 of the GDPR, the organization must ensure that the DPO is associated, in an appropriate and timely manner, with all matters relating to the protection of personal data.

18. The DPD Guidelines state that "[i]t is essential that the DPD, or its team, is involved in all matters relating to data protection at the earliest possible stage. [...] Information and consultation of the DPO from the start will facilitate compliance with the GDPR and encourage an approach based on data protection by design; it should therefore be a usual procedure within the governance of the organization. Furthermore, it is important that the DPO is seen as a contact within the organization and be a member of the working groups dedicated to data processing activities within the organization."

19. The DPD Guidelines provide examples of how to ensure this association of the DPD, such as:
• invite the DPO to regularly participate in senior and intermediate management meetings;
• recommend the presence of the DPO when decisions having implications in data protection matters are taken;
• always take due consideration of the opinion of the DPO;
• immediately consult the DPO when a data breach or other incident occurs.

20. According to the DPD guidelines, the organization could, where appropriate, develop guidelines or programs for the protection of data indicating the cases in which the DPO must be consulted.

2. In the present case

21. It appears from the audit report that, for the head of investigation to consider objective 8 as achieved by the auditee as part of this audit campaign, the head of investigation expects the DPO to participate in a formalized manner and on the basis of a defined frequency in the Management Committee, the project coordination committees, the new products committees, safety committees or any other committee deemed useful in the context of the protection of data.

22. According to the Statement of Objections, page 3, "the DPO participates in numerous meetings at Group level and [...] regularly organizes meetings with its local points of contact. But these elements are not enough to demonstrate the direct, formal and permanent involvement of the DPD in Luxembourg". It also results from the communication of grievances that "the Group DPO receives a monthly report from the local contact point following the local COMEX as well as monthly reporting relating to data protection issues (number of requests to exercise rights or complaints, possible impact analyses, etc.). [...] the DPO is systematically informed and consulted by the local contact point in the event of a security incident likely to involve personal data and create a risk for the people concerned." The head of investigation estimates however that "these elements cannot compensate for the absence of direct involvement of the DPD Group within ..., which could give rise to the risk that the DPD is not sufficiently involved at the operational level in Luxembourg." Finally, the head of investigation argues that he "was not aware of any elements enabling this risk to be addressed, such as for example the formal establishment of visits based on a defined frequency of the DPO Group (or a member of its Data Protection team) in Luxembourg. These visits would notably allow the DPO to be able to discuss directly with senior management of ... issues related to data protection and to be able to assess operational issues directly."

23. In his position statement of November 22, 2019, the auditee asserts that the DPD Group is involved in an appropriate and timely manner in all matters relating to the protection of personal data. The controlled person explains that "[a]ll questions relating to the protection of personal data initiated in the Grand Duchy of Luxembourg are received and analyzed initially by our point of contact dedicated to data protection in Luxembourg" (hereinafter: the "local contact point") and that the latter works in close collaboration with the Group DPD for all questions requiring information, analysis, advice or prior consultation from the Group DPD. According to the person controlled, the point of contact is responsible for managing the compliance of the personal data processing implemented by the controlled person, under the supervision of the DPO Group to whom the point of contact reports its actions. Furthermore, the auditee mentions in its position statement of November 22, 2019 the establishment of a committee dedicated to the protection of data in Luxembourg (hereinafter: the "GDPR Board") which defines the strategy on these subjects and the associated action plans. The auditee explains the composition and operation of the GDPR Board to support that the Group DPD is involved in managing compliance with the provisions of the GDPR in Luxembourg.

24. In his pleadings note, the controlled's agent highlights article 37.2 of the GDPR, which authorizes a group of companies to appoint a single DPO provided that the latter is easily reachable from each place of establishment, as well as the guidelines concerning DPDs, to support that the operation of the controlled is compliant with the GDPR, and affirms that "[i]t was found that there was no materiality of the alleged facts, no unavailability of the DPO of ... whether vis-à-vis the supervisory authority or even the persons concerned, and a possible and uncharacterized risk cannot make it possible to establish factually a violation."

25. The restricted panel takes note that the controlled party is a subsidiary of the French group ... and that the latter had decided to appoint a single DPO for the different entities of the group (hereinafter: the "DPD Group"). At the central level, the group has set up a data protection office ("Global Data Protection Office") composed of the Group DPD as well as two lawyers specializing in data protection and a project manager. At the local level, the sole lawyer of the audited party was designated as the local point of contact for the DPD Group.

26. As a preliminary point, the restricted panel notes that the breach alleged by the head of investigation relates to article 38.1 of the GDPR, so that the explanations of the agent of the controlled regarding Article 37.2 of the GDPR are not relevant in this case. Indeed, even if the GDPR authorizes a group of companies to designate a single DPO, the fact remains that this DPO must be associated, in an appropriate and timely manner, with all questions relating to the protection of personal data, in accordance with Article 38.1 of the GDPR.
It is therefore possible for an organization to designate a single DPO at the level of the group whose entities are established in several Member States of the European Union and to provide, at local level, “contact points” who assist the DPO, particularly in questions relating to local particularities such as national legislation. In such case, it is however all the more important to clearly define, among other things, the modalities of collaboration between the DPO and the “local contact points” as well as the distribution of tasks and responsibilities. In this case, the restricted panel notes that all questions relating to the protection of personal data that arose at the level of the controlled were received and analyzed initially by the local contact point who addressed to the DPDGroupe when he considered it necessary. The restricted training still notes that the DPD Groupe was not part of the GDPRB Board and was only informed of the subjects discussed there through the minutes of the GDPR Board and through the questions raised by the point local contact during these meetings. 27. It therefore appears from the investigation file that the Group DPD was not associated only indirectly to questions relating to the protection of personal data which arose at the level of the controlled, this through the local point of contact which, in the facts, acted as a data protection contact within the organism. However, the local point of contact was the sole lawyer of the controlled person and did not part of the DPD Group team itself, namely the protection office of data (“Global Data Protection Office”). 28. 
Furthermore, the restricted panel considers that the fact of transmitting the proceedings verbal statements from the GDPR Board to the DPD Group do not allow its appropriate association to be established and in good time to the extent that the Group DPO is simply informed of the measures that The GDPR Board proposes to the various decision-making bodies of the controlled to implement. The DPO is therefore not informed and especially not consulted “at the earliest possible stage” of all questions relating to data protection. 29. In addition, the auditee indicates in his position of September 30, 2020 that the local point of contact has been designated as DPD for the entity...S.A., with effect from October 1 2020. The restricted panel notes that the CNPD received the amending declaration by email of September 30, 2020. However, the person being inspected must ensure that the newly appointed DPO appointed is effectively involved in all matters relating to data protection to personal character. Having named the local contact point as DPO is not enough to sufficiently demonstrate such association of the latter in all questions relating to the protection of personal data. 30. In view of the above, the restricted panel agrees with the observation of the chief investigation according to which non-compliance with article 38.1 of the GDPR was acquired at the time of investigation. b) On the failure to fulfill the obligation to provide the necessary resources to the DPO 1. On the principles 8 31. Article 38.2 of the GDPR requires that the organization assists its DPO “to exercise the missions referred to in Article 39 by providing the resources necessary to carry out these missions, as well as access to personal data and processing operations, and allowing him to maintain his specialized knowledge. » 32. It follows from the DPD Guidelines that the following aspects must in particular be taken into consideration: - “sufficient time for the DPOs to carry out their tasks. 
This aspect is particularly important when an internal DPO is appointed part-time or when the external DPO is responsible for data protection in addition to others tasks. Otherwise, conflicting priorities could lead to tasks being of the DPD are neglected. It is essential that the DPO can devote enough time for his missions. It is good practice to set a percentage of time spent on the DPD function when this function is not not employed full time. It is also good practice to determine the time required to execute the function and the appropriate priority level for the tasks of the DPO, and that the DPO (or the organization) establishes a work plan; - necessary access to other services, such as human resources, service legal, IT, security, etc., so that DPOs can receive essential support, input and information from these others services ". 33. The DPD Guidelines state that “[i]n a way Generally, the more complex or sensitive the processing operations, the more resources granted to the DPD must be significant. The data protection function must be effective and equipped with adequate resources with regard to the data processing carried out. » 2. In the present case 34. It appears from the audit report that, given the size of the organizations selected, so that the head of investigation considers objective 6 as achieved by the person being monitored within the framework of this audit campaign, the head of investigation expects the auditee to use at least one FTE (full-time equivalent) for the team in charge of data protection. Leader investigation also expects that the DPO will have the possibility to rely on other services, such as legal, IT, security, etc. It results from the statement of objections, page 3, that the DPD Group has the level center of a team made up of two lawyers specializing in the protection of data as well as a project manager. 
At the local level, however, the Group DPD does not have than a local point of contact who was also the sole lawyer of the controlled person so that the head of investigation notes “the risk that the DPD does not have sufficient resources at the level local in Luxembourg, resources being concentrated at group level, but not seeming not sufficiently deployed at the local level" as well as "the risk that in the event of a strong peak of activity concerning legal matters to be handled within ..., the local contact point does not may not have the means to effectively carry out its missions relating to protection data, which would create the risk that the DPO would not be able to effectively exercise its DPO missions for Luxembourg”. 9 35. In his position statement of November 22, 2019, the auditee asserts that the DPD At the local level, the Group has the support of a legal team made up of the point of local contact and a “second resource” and notes that “the job description of the Point of Local contact and second resource in the local legal team on a long-term contract indefinite must be detailed in terms of hourly volume and description of tasks. 36. In his pleadings note, the agent of the auditee further argues that the requirement to formalize the distribution of working time does not exist in the regulations applicable and that the guidelines concerning DPDs contain at most one recommendation as a “good practice” to “determine the time required for execution of the function and the appropriate priority level for the DPO's tasks, and that the DPO (or the organization) establishes a work plan. Finally, the controlled agent maintains that “[i]n here too, no materiality of the alleged facts has been established, nor has any explanation on the criteria examined to conclude that there was a lack of resources, nor any analysis of existing resources. A possible and uncharacterized risk cannot allow to establish factually that ... 
would lack resources to meet its obligations to under data protection. » 37. The restricted panel takes note that the controlled person opted to appoint the DPO Group which has, at central level, a team made up of two lawyers specialized in data protection matters as well as a project manager. At the entity level Luxembourg which was the subject of the investigation, a local contact point was appointed, person of the only lawyer of the controlled who also carried out other missions. There restricted training considers that such an organization requires that the organization determine and documents the time necessary for the local point of contact to carry out its missions relating to data protection in order to be able to allocate the necessary resources to it. This This requirement results in particular from the guidelines concerning DPDs as well as from the articles 5.2. and 24 of the GDPR which sets out the principle of accountability. But he appears from the file that the person inspected did not carry out any formalization or documentation to demonstrate that the auditee has provided the DPD function with the resources necessary to carry out its missions at the time of the investigation. 38. In view of the above, the restricted panel concludes that article 38.2 of the GDPR was not respected by the person being inspected. c) On the failure relating to the information and advice mission of the DPD 1. On the principles 39. Under article 39.1. a) of the GDPR, one of the missions of the DPO is to “inform and advise the controller or processor and employees who carry out processing on their obligations under this Regulation and other provisions of Union law or the law of the Member States relating to Data protection ". 2. In the present case 40. 
It appears from the audit report that, for the head of investigation to consider objective 9 as achieved by the auditee within the framework of this audit campaign, he expects that 10" the organization has formal reporting of the DPO's activities to the Management Committee based on a defined frequency. Regarding information to employees, it is expected that the organization has put in place an adequate training system for staff in terms of Data protection ". 41. According to the statement of objections, page 4, it appears from the investigation that there is no direct feedback of information from the Group DPD to the local management of the controlled entity. Leader investigation notes that “there are several levels of reporting (from the local point of contact to the DPD, from the DPD to the Group CEO, from the local contact point to the local COMEX)", but believes that “these elements are not sufficient to compensate for the absence of direct reporting from the DPO to the data controller in Luxembourg”. 42. In his position of November 22, 2019, the auditee refers to these explanations relating to the first complaint, namely the failure to fulfill the obligation to associate the DPD for all questions relating to the protection of personal data. 
By elsewhere, the audited party maintains that the Group DPD “informs and advises the person responsible for treatment as well as employees and has notably implemented: • An online Responsible Business Conduct course including a module on the GDPR, available online from May 2018 • An awareness campaign with video and support on data protection of a personal nature on May 16, 2018, as well as January 3, 2019 • An awareness campaign with video, intranet and Toolbox including the 10 golden rules on the protection of personal data dated June 3 2019 » The auditee further affirms that the Group DPD “has the opportunity to discuss subjects strategic and/or more operational with senior management [of the person controlled], in particular during occasional meetings bringing together the “senior leaders” (Top 1600) of ...”. 43. The restricted panel notes that the breach noted by the head of investigation only concerns the information and advice mission of the DPO with regard to the person responsible for processing, and not the information and advice mission of the DPO with regard to employees. 44. The restricted formation considers that the information and advice mission of the DPD to towards the data controller is closely linked to the obligation provided for in Article 38.1 of the GDPR, to involve the DPO appropriately and in a timely manner in all questions relating to the protection of personal data. However, the restricted training has noted that the Group DPD was not involved appropriately and in a timely manner with data protection issues arising at the level of the Luxembourg entity having made the subject of the investigation. In fact, the Group DPD was only indirectly associated, through through the local contact point. Furthermore, he was simply informed of the measures that The GDPR Board proposes to the various decision-making bodies of the controlled to implement. 45. In view of the above, the restricted panel concludes that article 39.1. 
a) of GDPR was not complied with by the auditee. III. On corrective measures and fines A. The principles 11 46. In accordance with article 12 of the law of August 1, 2018 organizing the National Commission for Data Protection and General Protection Regime data, the CNPD has the powers provided for in article 58.2 of the GDPR: (a) notify a controller or processor of the fact that the operations envisaged processing operations are likely to violate the provisions of this regulation; b) call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of this Regulation; (c) order the controller or processor to comply with the requests submitted by the data subject with a view to exercising their rights under the this regulation; (d) order the controller or processor to put the operations processing in accordance with the provisions of this regulation, where applicable, specific manner and within a specific time frame; (e) order the controller to communicate to the data subject a personal data breach; (f) impose a temporary or permanent limitation, including a ban, on the treatment; g) order the rectification or erasure of personal data or the limitation of processing pursuant to articles 16, 17 and 18 and notification of these measures to the recipients to whom the personal data have been disclosed in application Article 17(2) and Article 19; (h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to articles 42 and 43, or order the body to certification not to issue certification if the requirements applicable to the certification are not or no longer satisfied; (i) impose an administrative fine pursuant to section 83, in addition or instead of the measures referred to in this paragraph, depending on the specific characteristics in each case, j) order the suspension of data flows addressed to a recipient located in a third country or to an international 
organization. » 47. In accordance with article 48 of the law of August 1, 2018, the CNPD may impose administrative fines as provided for in article 83 of the GDPR, except against the State or municipalities. 48. Article 83 of the GDPR provides that each supervisory authority ensures that the administrative fines imposed are, in each case, effective, proportionate and dissuasive, before specifying the elements which must be taken into account to decide whether there there is reason to impose an administrative fine and to decide the amount of this fine: 12 “a) the nature, seriousness and duration of the violation, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they have suffered; (b) the fact that the violation was committed deliberately or negligently; (c) any measures taken by the controller or processor to mitigate the damage suffered by the persons concerned; d) the degree of responsibility of the controller or processor, taking into account taken into account the technical and organizational measures that they have implemented under the articles 25 and 32; e) any relevant breach previously committed by the controller or the subcontractor; (f) the degree of cooperation established with the supervisory authority with a view to remedying the violation and to mitigate possible negative effects; g) the categories of personal data affected by the breach; (h) the manner in which the supervisory authority became aware of the violation, in particular whether and to what extent the controller or processor has notified the violation; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or subcontractor concerned for the same object, compliance with these measures; (j) the application of codes of conduct approved pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; And k) any other aggravating or 
mitigating circumstance applicable to the circumstances of the species, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation.” 49. The restricted panel wishes to clarify that the facts taken into account in the framework of this decision are those noted at the start of the investigation. Possible modifications relating to the subject of the investigation which occurred subsequently, even if they make it possible to establish fully or partially conformity, do not allow retroactive cancellation of a breach noted. 50. Nevertheless, the steps taken by the auditee to comply with the GDPR during the investigation procedure or to remedy the shortcomings identified by the head of investigation in the statement of objections, are taken into account by the training restricted in the context of any corrective measures to be taken. B. In the present case 1. As for the imposition of an administrative fine 13 51. In the supplementary letter to the statement of objections of August 24, 2020, the head of investigation proposes to the restricted panel to pronounce against the person being investigated administrative fine amounting to 18,000 euros. 52. In his pleadings note, the agent of the controlled party argues that a fine administrative “must meet the principles of adequacy and proportionality of article 83 of the GDPR while in particular, no specific complaint has been formulated, no damage has been noted and ... collaborated as far as possible with the CNPD throughout the control period. » 53. 
In order to decide whether it is appropriate to impose an administrative fine and to decide, where applicable, the amount of this fine, the restricted training analyzes the criteria set by article 83.2 of the GDPR: - As for the nature and seriousness of the violation (article 83.2 a) of the GDPR), with regard to concerns breaches of articles 38.1, 38.2 and 39.1 a) of the GDPR, training restricted notes that the appointment of a DPO by an organization cannot be efficient and effective, namely facilitating compliance with the GDPR by the organization, that in the event that the DPD is associated from the earliest possible stage to all data protection issues, benefits from resources and time necessary to carry out its missions relating to data protection and effectively carries out its missions, including the information and advice mission of the responsible for processing. A breach of sections 38.1, 38.2 and 39.1 a) of the GDPR amounts to reducing the interest, or even emptying of its substance, the obligation for an organization to appoint a DPO. - As for the duration criterion (article 83.2.a) of the GDPR), restricted training falls under that the auditee indicated, in his position of September 30, 2020, that the local contact point has been appointed as DPO with effect from October 1, 2020 and that the latter now devotes 50% of his working time to questions of data protection, with the assistance of two other lawyers who devote also each 50% of their working time. Furthermore, the composition and functioning of the GDPR Board have been modified so that the DPO can inform and advise the data controller. Violations of articles 38.1, 38.2 and 39.1 a) therefore lasted over time, at least between May 25 2018 and October 1, 2020. The restricted training reminds here that two years have passed separated the entry into force of the GDPR from its entry into application to allow to those responsible for processing to comply with their obligations. 
- As to the number of data subjects affected by the violation and the level damage they have suffered (article 83.2 a) of the GDPR), restricted training notes that the controlled company has approximately 2,100 employees spread over 70 sites as well as 25,000 consumers per day. The number of people affected by the violation is therefore potentially high. - As for the degree of cooperation established with the supervisory authority (article 83.2 f) of the GDPR), the restricted training takes into account the assertion of the head of investigation according to in which the auditee demonstrated constructive participation throughout investigation. 14 54. The restricted panel notes that the other criteria of article 83.2 of the GDPR are neither relevant nor likely to influence its decision regarding the imposition of a fine administrative and its amount. 55. The restricted panel notes that although several measures have been put in place by the audited in order to remedy in whole or in part certain deficiencies, these have not been adopted only following the launch of the investigation by CNPD agents on 17 September 2018 (see also point 49 of this decision). 56. Therefore, the restricted panel considers that the imposition of a fine administrative is justified with regard to the criteria set by article 83.2 of the GDPR for breach of articles 38.1, 38.2 and 39.1 a) of the GDPR. 57. Regarding the amount of the administrative fine, the restricted panel recalls that article 83.3 of the GDPR provides that in the event of multiple violations, as is the case in case, the total amount of the fine cannot exceed the amount set for the most serious violation severe. To the extent that a breach of Articles 38.1, 38.2 and 39.1 a) of the GDPR is accused of the controlled person, the maximum amount of the fine that can be withheld is 10 million euros or 2% of global annual turnover, whichever is greater retained. 58. 
With regard to the relevant criteria of article 83.2 of the GDPR mentioned above, the restricted training considers that the imposition of a fine of 18,000 euros appears in the both effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR. 2. As for taking corrective measures 59. In his letter supplementing the statement of objections, the head of investigation proposes that the restricted formation take the following corrective measures: “a) Order the implementation of measures ensuring formal association and of the DPO in all matters relating to data protection, in accordance with with the requirements of Article 38 paragraph 1 of the GDPR. Although several ways can be considered to achieve this result, one of the possibilities would consist of analyzing, with the DPO, all committees/working groups relevant to data protection and to formalize the modalities of its intervention (previous information from the agenda of meetings, invitation, frequency, permanent member status etc.). b) Order the provision of the necessary resources to the DPO in accordance with with the requirements of article 38 paragraph 2 of the GDPR. Although several ways can be considered to achieve this result, one of the possibilities would consist of unloading the DPD and/or local members of his team of all or part of his other missions/functions or to provide it with formal support, internally or externally, regarding the exercise of its missions from DPD. c) Order the implementation of measures allowing the DPO to inform and advise formally inform the data controller of its obligations regarding the protection of data, in accordance with Article 39 paragraph 1 a) of the GDPR. Although several ways could be considered to achieve this result, one of the possibilities would be to implement 15places formal reporting of the DPO's activities to Management based on a frequency defined. » 60. 
As for the corrective measures proposed by the head of investigation and by reference in point 50 of this decision, the restricted training takes into account the procedures carried out by the person inspected, following the visit by CNPD agents, in order to comply with the provisions of articles 38.1, 38.2 and 39.1 a) of the GDPR, as detailed in these letters of November 21, 2019 and September 30, 2020. More particularly, it takes note of the facts following: - As for the violation of article 38.1 of the GDPR providing for the obligation to associate the DPD for all questions relating to the protection of personal data personnel, the restricted training notes that the local contact person has been designated DPO of the controlled body with effect from October 1, 2020. However, the restricted training includes documents provided by the controlled that this newly appointed DPO exercises his functions under the supervision of the DPO of ... Group. The restricted formation therefore wonders whether the newly appointed DPD designated is effectively involved in all matters relating to the protection of personal data, and this in complete independence. Therefore, the CNPD is of the opinion that the auditee has not sufficiently demonstrated its implementation compliance with article 38.1 of the GDPR and considers that it is appropriate to issue a compliance measure in this regard. - With regard to the violation of article 38.2 of the GDPR providing for the obligation to provide the necessary resources to the DPO, the controlled party affirms in its decision position of September 30, 2020 that the newly appointed DPD by ... S.A. devotes 50% of his working time to data protection issues and that he is assisted by two lawyers who each devote 50% of their time to work so that there will be 1.5 FTEs dedicated to data protection at personal character. 
In view of these elements, the restricted panel is of the opinion that the expectation of the chief investigation of 1 FTE or more is achieved following the measures taken by the person inspected course of the investigation. Consequently, the restricted panel considers that there is no reason to issue a compliance measure in this regard. - As for the violation of article 39.1 a) of the GDPR relating to the information mission and advice from the DPO towards the controller, the controlled person sets out in its position statement of September 30, 2020 the composition and operation of the GDPR Board which will enable the newly appointed DPO to inform and advise the data controller. However, in view of the documents provided by the inspector, the restricted training understands that the DPO (previously local contact point, without having exercised the function of DPD) newly appointed by the controlled person carries out his missions under the supervision of the DPO of ... Group, such that it is not demonstrated with sufficiency by the controlled that the newly appointed DPO can effectively fulfill its mission of providing information and advice to the data controller 16 controlled (...), and this in complete independence. Therefore, restricted training considers that there is reason to issue a compliance measure in this regard. Taking into account the foregoing developments, the National Commission sitting in restricted formation and deliberating unanimously decides: - to impose an administrative fine of one amount of eighteen thousand euros (18,000 euros) with regard to the violation of the articles 38.1, 38.2 and 39.1. a) GDPR; - to issue an injunction against the company “... 
S.A.” to take action compliance with article 38.1 of the GDPR, within four months following the notification of the decision of the restricted formation, the supporting documents for the implementation conformity must be sent to the restricted training at the latest within this deadline, especially : ensure that the DPO is effectively involved in all questions relating to the protection of personal data, and this in complete independence; - to issue an injunction against the company “... S.A.” to take action compliance with article 39.1 a) of the GDPR within four months following the notification of the decision of the restricted formation, the supporting documents for the implementation conformity must be sent to the restricted training at the latest within this deadline, especially : ensure that the DPO can effectively fulfill its mission of providing information and advice to the person responsible for the controlled processing. (…)”. By request filed with the administrative court registry on August 27, 2021, registered under number 46401 of the roll, the company ... has filed an appeal for reformation, otherwise to the annulment of the aforementioned decision of the CNPD of May 31, 2021. Given that under the terms of article 55 of the law of August 1, 2018 on the organization of the National Commission for Data Protection and the general regime on the data protection, hereinafter referred to as “the law of August 1, 2018”, “An appeal against the decisions of the CNPD taken in application of this law are open to the Court administrative body which rules as judge on the merits. ", the court has jurisdiction to hear the main appeal for reform directed against the aforementioned decision of May 31, 2021. It follows that there is no need to rule on the subsidiary action for annulment appearing in the application instituting proceedings. 
In its response, the CNPD, while deferring to the court's discretion as to the admissibility of the appeal, concludes that the appeal should be declared admissible in form. It must be noted, as far as necessary, that while deferring to the court's discretion amounts to a contestation, a contestation not otherwise developed is nevertheless to be rejected, since it is not for the court to make up for the parties' deficiency in presenting their arguments, it being further noted that the court does not discern any ground of inadmissibility which would have to be raised ex officio. The main appeal for reformation, having moreover been lodged in the form and within the time limit provided by law, is therefore admissible. In support of its appeal and in fact, the plaintiff, while recalling the background reviewed above, explains that it belongs to the ... group, whose parent company, established in France, designated on January 22, 2018, for the group, one of its employees as data protection officer, hereinafter referred to as “the group DPO”, in accordance with the possibility offered to it by Article 37, paragraph (2) GDPR. The plaintiff further states that it designated, for its part, its own DPO with effect from October 1, 2020, of which it informed the CNPD on September 30, 2020, said appointment having been made in order to comply with the requirements set by the CNPD in its letter of August 24, 2020. 
In law, the plaintiff concludes, first of all, that the contested decision of May 31, 2021 should be reformed, as it wrongly held against it a violation of Article 38, paragraph (1) GDPR for having considered that the group DPO would only have been indirectly associated with questions relating to the protection of personal data arising at local level, on the grounds that, on the one hand, the local contact point, the plaintiff's sole lawyer, would not have been part of the group DPO's team and, on the other hand, the group DPO would only have been informed of the measures proposed by the committee dedicated to data protection, hereinafter referred to as “the GDPR Board” - a body established within the plaintiff whose mission would have been the definition, in Luxembourg, of data protection strategies and related action plans -, which would have acted as the contact for data protection matters within the applicant, without having been consulted at the earliest possible stage. The plaintiff argues, in this context, that during the CNPD's audit, from September 17, 2018 to May 31, 2021, its internal organisation evolved in that the local contact point of the group DPO was appointed DPO Luxembourg with effect from October 1, 2020. 
It further relies on the guidelines on data protection officers of the “Article 29” Data Protection Working Party of December 13, 2016, hereinafter referred to as “the guidelines”, as well as on the considerations of the audit report of October 31, 2019 - according to which the DPO should be associated with all questions relating to the protection of personal data as early as possible, should be seen as a contact within the organisation in question, should give its opinion and be consulted in the event of data breaches or other incidents, and should be a member of the working groups devoted to data processing activities - to argue that these criteria were respected in the present case. Thus, both the group DPO and its local contact point, who later became the DPO Luxembourg, would have participated in numerous meetings at group level, respectively at local level, the plaintiff further explaining that all questions relating to the protection of personal data arising in Luxembourg would first have been received and analysed by the local contact point and then communicated to the group DPO for advice and support, these two people having worked in close collaboration by telephone, respectively by electronic means, mainly in the event of a security incident but also on questions relating to processing operations implemented locally. Furthermore, the group DPO would receive a monthly report from the local contact point following the local executive committee, as well as monthly reporting on data protection issues. 
On the basis of these elements, the plaintiff considers that, contrary to what the contested decision holds, the group DPO would have been informed in real time by the local contact point, so as to be in a position to react immediately in compliance with its obligations and to provide all the recommendations required within the framework of the GDPR, a function taken over by the local contact point following his appointment as DPO Luxembourg, who would continue to inform the group DPO as well as the plaintiff's management. After explaining the mission and the composition of the GDPR Board, an internal advisory body of the applicant composed of its various services processing personal data, such as the local contact point who became the DPO Luxembourg, the human resources management, the internal audit and IT managers, as well as, where necessary, the managing director of the company ..., the plaintiff explains that, during the investigation, it wished to modify its internal organisation by appointing the local contact point of the group DPO directly as DPO Luxembourg, the latter personally attending the meetings of the GDPR Board as well as, where necessary, the meetings of the executive committee and of the board of directors of the company .... It therefore contests the CNPD's conclusion that the group DPO is not sufficiently directly involved at operational level in Luxembourg, while arguing that this criticism is not sufficiently specified. 
The plaintiff further relies, in this context, on Article 37, paragraph (2) GDPR to maintain that the group DPO would always have been easily reachable and would, moreover, through the local contact point, also have been easily reachable by the CNPD, by the data subjects and by the controller, while highlighting the circumstance that, on the one hand, the CNPD would have failed to report any concrete deficiency in this respect and, on the other hand, neither the GDPR nor the guidelines would impose the physical presence of a group's DPO. Thus, by rejecting its explanations in relation to Article 37, paragraph (2) GDPR as not relevant and by finding that the group DPO could not be considered to have been directly, formally and permanently involved in Luxembourg, the CNPD would have, according to the plaintiff, required the physical presence and permanent status of the group DPO on site, thereby going beyond the legal texts in force, which would moreover have been respected in this case through the local contact point having subsequently been appointed DPO Luxembourg with effect from October 1, 2020, out of pure diligence and in order to satisfy the CNPD's unjustified requirements. The applicant then relies on its information-transmission and decision-making schemes, as well as on the list of the DPO's missions, to refute the CNPD's conclusion that the group DPO would merely be informed of the measures proposed by the GDPR Board to the various decision-making bodies, and so would not be consulted at the earliest possible stage on all questions relating to data protection. However, all issues of an operational and strategic nature linked to data protection would be identified and evaluated systematically by the DPO Luxembourg and its team and communicated to management for decision-making. 
On the basis of all these elements, the plaintiff concludes that the contested decision should be reformed for violation, by the CNPD, of Article 38, paragraph (1) GDPR. In its reply, the plaintiff emphasises the internal organisational structure of the ... group at the time of the audit carried out by the CNPD, materialised by the appointment of a group DPO, responsible for all entities of the said group, who would have been assisted by local contact points, as would have been the case in Luxembourg, where the said group DPO would have been assisted by his local contact point, a lawyer, by a trainee who later became an employee, as well as by the local IT team, a practice authorised by Article 37, paragraph (2) GDPR. The local contact point would have been designated with regard to his skills and experience in data protection matters and would have acted, within the framework of a mandate within the meaning of the Civil Code, on behalf of the group DPO with third parties, while reporting to the latter, more particularly regarding the meetings of the executive committee, the GDPR Board and all working meetings regarding data protection in Luxembourg. In this context, the plaintiff stresses the fact that the group DPO would have been presented, together with its local data protection team in Luxembourg, as the main contact for data subjects, both internally and externally, for questions relating to data protection. 
Thus, the local contact points, on the one hand, would work together with the group DPO in order to define a harmonised policy for the group while adapting it, if necessary, to local specificities and, on the other hand, would report the minutes of the meetings to the group DPO and to the whole data protection network, while organising internally the implementation of data protection policies after informing, respectively explaining to and obtaining validation from, the local controller concerned. It further argues that as soon as the GDPR came into force, it communicated an internal note to its staff in order to inform them of the personal data protection arrangements put in place. On the basis of these elements, the applicant contests the CNPD's approach consisting, in its view, of artificially separating the group DPO from its local contact point, respectively of denying the role and missions of the local team, the plaintiff arguing, in this context, that the CNPD made an overly restrictive, or even erroneous, interpretation of the guidelines and failed to take into account the functions of advice, information and consultation conferred on the local contact point as one of the members of the data protection management team of the ... group. Thus, according to the plaintiff, the group DPO and his team constitute a single whole, and any action carried out by a member of the group DPO's team, in its name, should be considered as personally carried out by the group DPO, in the same way that the action of an agent is taken in the name of his principal. 
While reiterating its explanations regarding the functioning of the local contact point, as well as the latter's participation in the GDPR Board, in the local working groups and in the meetings of the executive committee, the applicant questions the CNPD's conclusion that the group DPO could not be considered to have been consulted at the earliest possible stage on issues relating to data protection, the CNPD contradicting itself on this subject by retaining, on the one hand, the methods of processing and first-level analysis of the opinions and recommendations of the group DPO and the feedback from the local contact point to the GDPR Board and, on the other hand, that the group DPO would simply have been notified of the minutes of the said meetings, hence after the decisions had been taken. With regard to the CNPD's criticism, within the framework of the argument based on a breach of Article 38, paragraph (1) GDPR, that the local contact function was only an activity incidental to the legal function of the person concerned, the applicant contests this analysis of the CNPD by submitting that both the group DPO and its local contact point in Luxembourg are former attorneys and experienced lawyers, perfectly able to carry out their mission, while further specifying that the group DPO would be in daily contact with the operational positions in Luxembourg to manage personal data protection issues. Furthermore, the group DPO would be immediately consulted in the event of an incident, respectively in the event of a personal data breach. 
Thus, the involvement of the latter, together with the relevant local contact point, in accordance with the usual governance procedures of the ... group, should have led the CNPD to find that the group DPO fulfilled its advisory and information functions appropriately and in a timely manner. The plaintiff ultimately contests the CNPD's assertions that the group DPO, on the one hand, did not participate in meetings in Luxembourg and, on the other hand, was not part of the GDPR Board, highlighting the circumstance that the said DPO would be represented there by its local contact point, who would fulfil its obligations of advising and informing the controller in an appropriate and timely manner by reporting both to the applicant's management and to the group DPO. It further specifies, in this context, that, contrary to what the CNPD asserts, the existence of the GDPR Board was brought to its attention during the on-site audit. The applicant concludes from all these elements that the contested decision of the CNPD should be reformed for having wrongly retained a breach of Article 38, paragraph (1) GDPR. Secondly, the applicant concludes that the contested decision of May 31, 2021 should be reformed for violation, otherwise misapplication, of Article 38, paragraph (2) GDPR, on the grounds that the CNPD wrongly held that it had not allocated the resources necessary for the group DPO, and more particularly for his local contact point, who was the only lawyer of the Luxembourg entity and moreover had other missions, to effectively carry out his missions relating to the protection of personal data. 
In this context, the applicant notes, first of all, that the audit report held that compliance with the conditions set out in Article 38, paragraph (2) GDPR would imply the occupation of at least one full-time equivalent, hereinafter referred to as “FTE”, for the team responsible for data protection. It then details the organisational arrangements of its teams dedicated to data protection, both at central level, where the group DPO would have a team called the “Central Data Protection Office” or “Global Data Protection Office”, composed of two lawyers specialising in data protection, a network of local contact points dedicated to data protection, as well as a project manager, and at local level, where, on the date of the contested decision, the local contact point of the group DPO had been appointed as DPO Luxembourg and was assisted by a lawyer, both of whom could, moreover, rely on the international expertise of the ... group through the group DPO. As for the volume of personal data processed, the plaintiff argues that the CNPD made an error in assuming that it had 2,100 employees spread over 70 sites and served around 25,000 consumers per day, while, although it had itself indicated those figures in its general presentation of the ... group in Luxembourg addressed to the CNPD, it had specified, in the questionnaire completed at the opening of the disputed audit, that the personal data processed only concerned 5,000 people, including 1,600 employees. It further criticises the contested decision, with regard to the breach alleged against it in relation to Article 38, paragraph (2) GDPR, in that the requirement to formalise the allocation of the working time of the DPO and of the other personnel assisting him does not emerge from any binding legal text, but at most from guidelines. 
Moreover, at the time of the audit, the CNPD had not published formal guidance on this subject, which leads the plaintiff to maintain that, in view of the absence of details and explanations in this respect on the part of the CNPD, neither a lack of resources nor the absence of an analysis of existing resources can be held against it. It nevertheless, without recognising the slightest violation of the GDPR on its part, on the one hand, provided, by letter of September 30, 2020, details to the CNPD regarding the functioning of its staff dedicated to the protection of personal data and, on the other hand, reinforced the effective time exclusively devoted to this area by the DPO Luxembourg by setting it at 50% of his working time, while having assigned a team of two lawyers also working, for 50% of their working time, on issues relating to the protection of personal data. While reiterating its conclusions regarding the absence of a legal basis imposing the formalisation of the working time devoted by its staff to questions relating to the protection of personal data, a formalisation which would only be based on an extremely extensive, erroneous and subjective interpretation of the GDPR by the CNPD, the plaintiff further criticises the contested decision, on the one hand, for not having taken into consideration the IT tools used as part of its daily activity of managing compliance with the GDPR rules, tools complementing the human resources necessary for the processing of personal data, and, on the other hand, for not having provided objective criteria likely to justify the volume of FTEs required by the CNPD. It notes ultimately that the CNPD failed to report any deficiency, absence of response or even inappropriate response time with regard to the processing of personal data that could have led to the conclusion that its internal organisation was insufficient in terms of the resources allocated to this area. 
In its reply, the plaintiff, re-exposing its internal organisation in Luxembourg in terms of data protection, initially marked by a local contact point of the group DPO, who later became the DPO Luxembourg, assisted by a lawyer as well as, where applicable, by a project manager deployed by the ... group to the Benelux region, by the director of human resources and by the head of the IT department, each for their area of expertise, argues that the CNPD failed to take these elements into consideration. With regard to determining the appropriate working time to be devoted to questions relating to the protection of personal data, set in this case by the CNPD at the occupation of one FTE, the plaintiff maintains, first of all, that such a determination is not an obligation, contrary to the CNPD's approach in the contested decision, but good practice, in accordance with the guidelines, which only provide a non-exhaustive list of elements that may be taken into account. In this context, the plaintiff further criticises the contested decision for not having considered, in its analysis relating to the allocation of sufficient working time, the other elements highlighted by the guidelines and clearly documented during the audit, such as, more particularly, the circumstance that the local team of the group DPO (i) would have direct and regular contact with its management, (ii) would have all the financial resources and infrastructure necessary for the proper accomplishment of its missions, (iii) would have carried out all the necessary communications regarding the appointment of the group DPO and the local contact point to employees and third parties, (iv) would have the necessary access to other services, (v) would regularly follow training in order to maintain its knowledge in data protection matters and (vi) would have set up an entire data protection team. 
Furthermore, the applicant calls into question the CNPD's argument that the time to be devoted by a DPO to the tasks and missions assigned to him, which include in particular the establishment and maintenance of the register of processing activities, the drafting of internal data protection procedures, issuing opinions on the need for an impact assessment and verifying its effective implementation, and maintaining on-site documentation, would increase exponentially depending on the scale of the companies selected for control and the corresponding importance of the processing carried out by those companies, while the CNPD failed to take into account, in the present case, the organisation of the ... group and its technical tools, which should have led it to conclude that the resources allocated to personal data protection were sufficient. The applicant ultimately insists on the lack of visibility of the criteria used by the CNPD to determine whether or not the resources allocated to the DPO were compliant, the method of calculating the FTE not having been clear, since it took into account neither all the people participating locally in data management nor the other criteria of the guidelines. The applicant concludes from all these elements that the contested decision of the CNPD should be reformed for having wrongly retained a breach of Article 38, paragraph (2) GDPR. 
Finally, the applicant considers that the contested decision should be reformed for violation of Article 39, paragraph (1), a) GDPR for having held that the group DPO, for not having been involved in an appropriate and timely manner in all questions relating to the protection of personal data arising at the level of the Luxembourg entity of the ... group, did not respect its obligation to inform and advise the controller, the processor respectively the employees processing personal data. Based on recital 97 GDPR, according to which the DPO should assist the controller in monitoring internal compliance with the GDPR, as well as on the guidelines, the applicant argues that the CNPD's conclusions are based neither on any binding textual element nor on any valid factual element. Thus, according to the applicant, its operating methods at the time of the audit, with regard to the direct feedback of information from the local contact point to the group DPO, from the latter to the group management, as well as from the local contact point to the executive committee, should not have led the CNPD to find, in this case, a violation of Article 39, paragraph (1), a) GDPR. It further argues, in this context, that if the CNPD's conclusion, that the circumstance that the local contact point reports to the management of the Luxembourg company would constitute a violation of the GDPR on the grounds that the group DPO would only be indirectly associated, were to be upheld, this would prevent any large international group from appointing a DPO for the said group and from putting in place a structured organisation for data protection, even though such an option is expressly admitted by Article 37, paragraph (2) GDPR. 
Without recognising the slightest violation on its part, the plaintiff finally specifies that at present the local contact point, now the DPO Luxembourg, reports directly to the controller in Luxembourg. In its reply, the plaintiff, while noting that the CNPD, on the one hand, rightly held that the obligations of informing and advising the controller referred to in Article 39, paragraph (1), a) GDPR are necessarily intertwined with those referred to in Article 38, paragraph (1) GDPR and, on the other hand, recognised the existence of a transmission of information within the ... group from the local contact point to the group DPO, from the latter to the group's CEO, as well as from the local contact point to the local executive committee, reiterates its argument relating to a violation, by the CNPD, of Article 39, paragraph (1), a) GDPR, for having retained the absence of a direct transmission of information between the local contact point and the group DPO. It again notes, in this context, a contradiction in the CNPD's legal argument in that the latter argues, on the one hand, that a group of companies could provide for the direct transmission of information between the group DPO and the local controller, while, on the other hand, admitting that it would be practically impossible, in groups of companies as large as the ... group, to organise regular meetings between the group DPO and the local contact points of the different entities. According to the plaintiff, the fact, for the CNPD, of considering that it would not respect Article 39, paragraph (1), a) GDPR due to the transmission of information from the local contact point, representative of the group DPO, directly to the local controller, constitutes an error of fact and law and should lead to the reformation of the decision under review. 
The applicant insists, in this context, on the fact that such reporting, in addition to being perfectly in line with the applicable data protection provisions, has the advantage of being more precise and adapted to local specificities, as it comes from a person whom managers and employees encounter on a daily basis. The CNPD's position would, moreover, ultimately lead to prohibiting the practice of a shared DPO for a group of companies assisted by local teams, a practice nevertheless expressly authorised by Article 37, paragraph (2) GDPR. The plaintiff ultimately refutes the CNPD's argument denying, in the present case, any foreign element that should have led the latter to make contact with the supervisory authority of another Member State, in accordance with Article 57, paragraph (1), g) GDPR, namely in this case the Commission Nationale de l'Informatique et des Libertés, hereinafter referred to as the “CNIL”, even though the group DPO is established in France, while having, in each entity of the group, a local data protection team. In the alternative, the applicant requests the annulment of the contested decision, accusing the CNPD of having committed an excess, if not a manifest misuse, of power by finding a violation of Articles 38, paragraphs (1) and (2), respectively 39, paragraph (1), a) GDPR. It argues, in this context, that the CNPD's requirements correspond more to an illegal interference in its internal governance than to the exercise of its discretion regarding the appropriateness of taking decisions on the basis of the applicable legal and regulatory texts. 
The plaintiff further notes that its parent company, as well as its French subsidiaries, were also the subject of an investigation similar to that of the CNPD by the CNIL, which, on the one hand, did not identify any anomaly, let alone any non-compliance with the GDPR, and, on the other hand, did not make any particular remarks when the group DPO was appointed on April 3, 2018. In view of the circumstance that, through the letter of its counsel of January 26, 2021, the CNPD was informed of the said investigation by the CNIL, it would have been incumbent on it, for the sake of consistency, to contact the latter, in its capacity as lead supervisory authority in accordance with Article 60 GDPR, in order to discuss the data protection governance defined by its parent company for the ... group. The plaintiff finally argues, in the context of its argument based on an excess, if not a manifest misuse, of power on the part of the CNPD, that the sanction adopted against it fails to comply with the principles of adequacy and proportionality of Article 83 GDPR on the grounds that no specific breach in law, if not in fact, was alleged against it, that no damage was noted by the CNPD and that it always cooperated as far as possible with the CNPD during the entire control period. The CNPD concludes that all the grounds invoked by the plaintiff should be rejected as unfounded. The court must, first of all, recall that it is not bound by the order of the grounds as presented by the parties, but may assess them in accordance with the good administration of justice and the useful effect resulting therefrom, so that it is appropriate to analyse, first, the grounds alleging a violation of Articles 38, paragraph (1) and 39, paragraph (1), a) GDPR, given the complementary nature of those provisions. 
Under the terms of Article 38, paragraph (1) GDPR, “The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.”, it being specified that it appears from the guidelines that “[i]t is essential that the DPO, or his team, is involved from the earliest possible stage in all questions relating to data protection. With regard to data protection impact assessments, the GDPR expressly provides for the participation of the DPO at an early stage and specifies that the controller must seek the advice of the DPO when carrying out such an assessment. Informing and consulting the DPO from the outset will facilitate compliance with the GDPR and encourage an approach based on data protection by design; it should therefore be a usual procedure within the organisation's governance. Furthermore, it is important that the DPO is seen as a contact within the organisation and is a member of the working groups dedicated to data processing activities within the organisation. Therefore, the organisation should ensure, for example, that: - the DPO is invited to participate regularly in meetings of senior and middle management; - his presence is recommended when decisions with data protection implications are taken. All relevant information must be transmitted to the DPO in good time to enable him to provide adequate advice; - the opinion of the DPO is always duly taken into consideration. In the event of disagreement, the WP29 recommends, as good practice, recording the reasons for which the advice of the DPO was not followed; - the DPO is immediately consulted when a data breach or other incident occurs. (…)”. 
Furthermore, under Article 39, paragraph (1), a) GDPR, one of the missions of the DPO is notably to “(…) inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; (…)”. It follows from the foregoing provisions of Union law that, as rightly noted by the CNPD, in order for the obligation of Article 39, paragraph (1), a) GDPR, requiring the DPO to inform and advise the controller, to be accomplished effectively, it is necessary and imperative that the said DPO be, in accordance with Article 38, paragraph (1) GDPR, involved within the entity in question in questions and projects involving personal data protection issues at the earliest possible stage. In this context, there is reason, in the present case, to distinguish, as regards the plaintiff's disputed internal organisation relating to the field of data protection, between several phases: (i) the first, marked by the designation of the group DPO, which had, in all entities of the group, a local contact point, an organisation which was in place at the time of the opening of the CNPD investigation on September 17, 2018, that organisation having been modified during the investigation (ii) by the addition, at the level of the applicant, of the GDPR Board, it being specified that the exact date of establishment of the said Board does not emerge from the documents submitted to the court, the plaintiff having mentioned it in its presentation of January 21, 2019, and (iii) by the circumstance that from October 1, 2020 the ... group has, on the one hand, a group DPO and, on the other hand, as regards the plaintiff, a DPO in Luxembourg, who was previously the local contact point of the group DPO. 
The court must, at this stage, immediately note that the plaintiff's argument consisting of reproaching the CNPD for not having taken into consideration, in its decision of 31 May 2021, the measures taken during the investigation and prior to the adoption of the said decision must be rejected as lacking foundation. Indeed, it emerges explicitly from the said decision, a position further confirmed by the CNPD in its response and rejoinder, that the latter held that, in order to establish the plaintiff's breaches of the GDPR, it had regard only to the facts as they existed on the day the investigation was opened, and that any modifications carried out by the plaintiff during the investigation and before the contested decision was taken do not make it possible to eliminate a breach that has been noted, the court adopting, in the present case, the same approach both as to the alleged breaches and as to the principle of the fine to be imposed, if applicable, on the plaintiff. It should be noted that, prior to the appointment of a specific DPO for the plaintiff on 1 October 2020, the group ... had a DPO for the entire group, in accordance with the possibility offered to it by Article 37, paragraph (2) of the GDPR, under the terms of which “A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.”. As for the organization concretely put in place between the group's DPO and its local contact point in Luxembourg, it must be noted that even if such a situation is a priori conceivable under the terms of Article 37, paragraph (2) of the GDPR, it appears, first of all, from the preliminary questionnaire completed by the plaintiff and sent to the CNPD on 5 October 2018, with regard to the composition and operation of the team within the group ... dedicated
to data protection, that “(…) the DPO [of the group] has established: - A Central Data Protection Office (“Global Data Protection Office”) composed of two lawyers specializing in personal data protection. This team works transversally on the issues related to the protection of personal data for all of the Group's activities. ... This team also supports the local contact points dedicated to the protection of personal data in order to ensure consistency in compliance management within the group. - A network of local contact points dedicated to personal data protection who are able to communicate effectively with data subjects and to cooperate with the competent supervisory authorities in the language used by the supervisory authorities and the data subjects in question. (…)”. The plaintiff further specifies, in the said questionnaire, that the group's DPO “(…) organizes weekly meetings with its team centrally and monthly or quarterly meetings with the local contact points dedicated to personal data protection. (…)”. The court must also note that in the plaintiff's position of 22 November 2019, following the communication of the final audit report dated 31 October 2019, it explains that “[a]ll questions relating to personal data protection initiated in the Grand Duchy of Luxembourg are received and analyzed in the first instance by our contact point dedicated to data protection in Luxembourg (the “Local Contact Point”), (…). The Local Contact Point works in close collaboration with the Global DPO (including by telephone, Skype meetings or emails as much as necessary) for all questions requiring information, analysis, advice or prior consultation of the Global DPO, particularly in the event of a security incident but also on questions affecting processing operations implemented locally. The Local Contact Point is thus responsible for managing the compliance of the personal data processing operations implemented by ... S.A.
under the supervision of the Global DPO, to whom [it] reports its actions. ... S.A. has also established a committee dedicated to data protection in Luxembourg (the “GDPR Board”), which defines the strategy on these subjects and the associated action plans of ... S.A. The GDPR Board is currently composed as follows: - The Local Contact Point; - The Director of Human Resources of ... S.A.; - The Head of Internal Audit of ... S.A.; - The IT Manager of ... S.A.; - When necessary and on the basis of the opinions and recommendations [of the group's DPO], the Managing Director of ... S.A. is invited to participate in this GDPR Board. The GDPR Board now meets at least 8 to 10 times per year (the “GDPR Board Meetings”). During these meetings, the GDPR Board processes and analyzes at the first level the opinions and recommendations of the Global DPO and the feedback from the Local Contact Point, and manages operationally the issues and requests regarding personal data protection originating from Luxembourg (data subjects, supervisory authority, etc.). At the end of each GDPR Board Meeting, minutes are drawn up to record the measures to be implemented on the data protection topics discussed. The GDPR Board's proposals are then communicated to the various decision-making bodies of ... S.A., according to the following grid (decisions regarding the protection of personal data / decision-making bodies): - Emergency and operational decisions (BtoB contractual relations and general questions): the Managing Director of ... S.A. or the General Manager and administrator of ... S.A. delegated by the Managing Director; - Emergency and strategic decisions in connection with the rights of data subjects (data breach, urgent regulatory measures, etc.): the COMEX (management committee in Luxembourg) composed of the Director General and administrator, the Director of business operations, administrations, sports & leisure, the Director of Operations for school and health, the Director of Activities for seniors, the Project Director, the Administrative and Financial Director, the Director of Human Resources, the “Operations Service Director”, the Marketing and Communication Director and the Sales Director; - Strategic decisions for the company in the long term (global policies, security policies, etc.): the Board of Directors of ... S.A. or the General Manager and administrator of ... S.A. delegated by the said Board. The proposals transcribed in the minutes of the GDPR Board Meeting, depending on their nature, will be validated and implemented by the Managing Director, otherwise by the COMEX, otherwise by the Board of Directors or the Managing Director and administrator of ... S.A. delegated by the Managing Director or the Board of Directors. To date, the Global DPO receives the minutes of the GDPR Board and is therefore involved in managing compliance with the provisions of the GDPR in Luxembourg, including on purely operational subjects, through the questions raised by the Local Contact Point and the subsequent compliance actions. On the basis of the elements presented above, all operational and strategic issues related to data protection are identified, evaluated and addressed by the Global DPO and its dedicated teams in Luxembourg in a systematic manner and communicated to the management of ... S.A. for decision making. These decisions relating to data protection are formalized in a summary file kept by fiscal year. Nevertheless, ... S.A. has noted the reinforced requirement of the CNPD to ensure closer proximity of the Global DPO with the entity's senior management. Consequently, ... S.A.
and the Global DPO are committed to strengthening its compliance with Article 38(1) of the GDPR through the implementation of the following actions: - The personal participation of the Global DPO in the GDPR Board Meetings at least twice a year; - The personal participation of the Global DPO, if necessary, in the COMEX or the Board of Directors for any subject that may require clarifications on its opinions and recommendations or an exchange on a particular problem; - The organization of two annual physical meetings between the management of ... S.A. and the Global DPO. (…)”. It also emerges from the information charter on the processing of the personal data of the employees of ..., and more particularly from its appendix 1 entitled “Global complaints/requests management policy: management of complaints/requests relating to personal data protection rights”, that the complaints management procedure is carried out, initially, exclusively by the local contact point, and that only if the solution proposed by the latter does not satisfy the complainant is the file sent to the group's DPO in order to find a solution other than that initially proposed by the local contact point.[1] On the basis of these elements, the court must note that it does not appear from the elements submitted that the intervention of the group's DPO, with regard to questions relating to the protection of personal data arising at the level of the plaintiff, takes place at a stage in accordance with Articles 38, paragraph (1) and 39, paragraph (1), a) of the GDPR, since the said DPO, according to the organization initially put in place at the start of the CNPD's control, as well as following the establishment of the GDPR Board, can only carry out an a posteriori control of the decisions already taken by the contact point, respectively by the GDPR Board.
The court must more particularly note in this context that the plaintiff has failed to submit any element establishing, in particular, the establishment of a common policy within the group ... for its various local contact points as to the position to be adopted regarding the various processing operations of personal data, respectively regarding incidents relating thereto. Furthermore, although the plaintiff argues that there is regular communication between the group DPO and its local contact point in Luxembourg, through telephone calls, videoconferences and emails, in order to exchange on the position to be adopted by the latter in relation to the questions relating to the protection of personal data with which it is confronted, no document documenting such exchanges has been produced in the context of the dispute under examination, such as, in particular, the communication of the agenda of the GDPR Board meetings prior to the holding of the said meetings, together with a proposed position from the local contact point to be approved by the group DPO prior to decision-making.
The court must therefore note that the group DPO was not involved in due time in the questions relating to the protection of personal data arising at the level of the plaintiff, and was therefore not able to usefully inform and advise the controller, its processor, respectively the employees concerned, while the organization implemented at the start of the control operated by the CNPD, as well as with the implementation of the GDPR Board, focused exclusively on the local contact point, which had, on the one hand, to deal initially with incidents, in accordance with appendix 1 of the information charter on the processing of the personal data of the employees of ..., and, on the other hand, to take a position on issues relating to the protection of personal data arising at the level of the plaintiff, without it being established that the group's DPO had previously been consulted, respectively had provided indications as to the procedure to follow. It follows from the above considerations that the plaintiff's arguments based on a violation, by the CNPD, of Articles 38, paragraph (1) and 39, paragraph (1), a) of the GDPR must be rejected as lacking foundation.

[1] Article 4, entitled “complaints management procedure”, of appendix 1, entitled “Global complaints/requests management policy: management of complaints/requests relating to personal data protection rights”, of the information charter on the processing of the personal data of the employees of ... Luxembourg specifies, with regard to the 4th stage of the said procedure, that “(…) If you accept the solution proposed by your local Contact dedicated to the protection of personal data, we will work with you to meet your expectations. If the solution resolves your Complaint, your local Contact will close the file. In the event of disagreement, your Complaint will be forwarded to the Group Data Protection Officer of ... (…)”.
This conclusion is not called into question by the plaintiff's argument relating to the reachability of the group DPO, respectively the local contact point, nor by the fact that there were no deficiencies or delays in the processing of questions relating to the protection of personal data, since these elements are foreign to the question of the involvement of the group DPO in the decision-making and advisory process within the plaintiff. With regard to the plaintiff's plea alleging a violation of Article 38, paragraph (2) of the GDPR, according to which “The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.”, it should be noted that the guidelines specify, as regards the resources to be made available to a DPO, that “(…) the following aspects, in particular, must be taken into consideration: - active support of the DPO function by senior management (e.g. at board level); - sufficient time for DPOs to carry out their tasks. This aspect is particularly important when an internal DPO is appointed on a part-time basis or when the external DPO is responsible for data protection in addition to other tasks. Otherwise, conflicting priorities could lead to the tasks of the DPO being neglected. It is essential that the DPO can devote sufficient time to his tasks. It is good practice to set a percentage of time devoted to the DPO function when this position is not occupied full-time.
It is also good practice to determine the time required to perform the function and the appropriate level of priority for the DPO's tasks, and for the DPO (or the organization) to establish a work plan; - adequate support in terms of financial resources, infrastructure (premises, installations, equipment) and personnel, if applicable; - official communication of the appointment of the DPO to all staff to ensure that its existence and function are known within the body; - necessary access to other services, such as human resources, legal, IT, security, etc., so that DPOs can receive essential support, input and information from these other services; - continuing education. DPOs must be able to keep their knowledge up to date regarding developments in the field of data protection. The goal should be to constantly increase the level of expertise of DPOs, and they should be encouraged to participate in training courses on data protection as well as other forms of professional development, such as participation in privacy forums, workshops, etc.; - given the size and structure of the body, it may be necessary to set up a DPO team (a DPO and his staff). In such a case, the internal structure of the team as well as the tasks and responsibilities of each of its members must be clearly established. Likewise, when the DPO's function is carried out by an external service provider, a team of persons working on behalf of this entity may in fact carry out the tasks of the DPO as a group, under the responsibility of a designated primary contact person for the customer. Generally speaking, the more complex or sensitive the processing operations are, the greater the resources allocated to the DPO will have to be. The data protection function must be effective and provided with adequate resources with regard to the data processing carried out.”.
It should be noted that providing the DPO with sufficient resources to be able to correctly carry out the large number of tasks entrusted to him necessarily implies the sufficient allocation of working time of the person, respectively of the persons, in charge of questions relating to the protection of personal data, working time and resources which it is up to the plaintiff to quantify and formalize, failing which any control on the part of the CNPD would be rendered illusory. In this context, the court must note that it is common ground that the plaintiff, at the start of the CNPD investigation and until the appointment of the contact point in Luxembourg as the Luxembourg DPO, had not otherwise formalized the duration of the working time that he had to devote to questions relating to the protection of personal data, it being further noted that the said contact point was, moreover, according to the plaintiff's own statements, its only lawyer. This observation alone is already sufficient to establish a violation of Article 38, paragraph (2) of the GDPR, to the extent that the organization set up by the plaintiff at the level of its personnel dedicated to the protection of personal data made any control of the adequacy of the personnel resources devoted to it impossible.
It is further clear that the plaintiff's activity has a certain scope in Luxembourg, encompassing, according to the information provided by the plaintiff, 70 sites, between 1,600 and 2,100 employees and 25,000 consumers daily, so that, on the one hand, the requirement of the CNPD that the plaintiff should have charged at least one person working full-time on issues relating to the protection of personal data cannot be called into question, and, on the other hand, the working time initially devoted by the local contact point to the said task (who had in addition, as held above, to directly assume the related work, while the intervention of the group DPO only took place a posteriori), a duration which the plaintiff quantified as corresponding to part-time work, was rightly considered by the CNPD to be insufficient. It follows from all the above considerations that the CNPD rightly found, on the part of the plaintiff, a violation of Articles 38, paragraphs (1) and (2), as well as 39 of the GDPR, without committing an excess, otherwise a manifest misuse of power, and that all of the plaintiff's pleas relating thereto must be rejected for lack of foundation.

[2] In its preliminary questionnaire submitted to the CNPD on 5 October 2018, ... indicated that 5,000 people, including 1,600 employees, would be concerned by its processing of personal data, factual indications which must however be considered erroneous, to the extent that the questionnaire required, on this point, the annual number of customers.
The court must further refute, in this context, the plaintiff's argument consisting of maintaining that the CNIL would have reached another conclusion during its control of the parent company of the group ..., as well as of other entities of the said group located in France, since, apart from the fact that neither the court nor the CNPD are bound by decisions, respectively case law, emanating from administrative authorities or courts of other countries, the said control carried out by the CNIL does not a priori concern the structure of the plaintiff in Luxembourg, so that the related conclusions, not otherwise detailed, are not relevant in this case. In this context, it should be recalled that an individual administrative act, and more particularly one which is likely to cause harm to its recipient or to third parties, benefits from the presumption of legality as well as of conformity with the objectives of the law on the basis of which it was taken, so that it is for the person who claims to suffer unjustified harm or inconvenience as a result of the administrative act in question, and who therefore wishes to see it reformed or annulled with a view to obtaining a situation which is more favourable to him, to establish concretely how the administrative act in question violates a rule set by a law or a grand-ducal implementing regulation.[3] Furthermore, an administrative act is a priori authentic as to the content it contains, and it is up to the person administered to establish that this content is contrary to reality in fact, or otherwise to such applicable rule of law, which the plaintiff has failed to do. As for the violation of the principle of proportionality put forward by the plaintiff, it should be noted that under the terms of Article 48 of the law of 1 August 2016, “(1) The CNPD may impose administrative fines as provided for in Article 83 of Regulation (EU) 2016/679, except against the State or municipalities. (…)”.
According to Article 83 of the GDPR, “1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive. 2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following: (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

[3] Trib. adm., 16 July 2003, No. 15207 of the roll, Pas. adm. 2023, V° Administrative acts, n° 158, 1st part, and the other references cited there.

[4] Cour adm., 11 January 2007, No. 21679C of the roll, Pas. adm. 2023, V° Administrative acts, n° 1 part, and the other references cited there.
(d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement. 3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement. 4.
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (b) the obligations of the certification body pursuant to Articles 42 and 43; (c) the obligations of the monitoring body pursuant to Article 41(4). (…)”. It appears from paragraph (4) of the aforementioned Article 83 of the GDPR that the violations of the GDPR held against the plaintiff are a priori sanctioned by administrative fines which may amount to up to 10,000,000 euros or, in the case of an undertaking, up to 2% of the total annual worldwide turnover of the preceding financial year, it being noted that the failings alleged against the plaintiff were indeed established at the time of the inspection, an observation which cannot be called into question by the compliance measures implemented subsequently, in this case by designating the local contact point as DPO in Luxembourg, respectively by formalizing the latter's working time, as well as by making two other people available to assist him from now on.
As regards, then, the amount of the fine imposed, which amounts to 18,000 euros, the defendant rightly noted that it appears from the contested decision that the said amount was justified by the fact that the breaches noted were of a certain seriousness, (i) for having been likely to reduce the interest of the obligation for an organization to appoint a DPO, (ii) for concerning a potentially large number of people, and (iii) for having lasted at least from 25 May 2018 to 1 October 2020, while holding that the plaintiff had demonstrated good collaboration with the supervisory authorities and that several measures had been put in place to remedy the shortcomings before the pronouncement of the sanction. It follows that the disputed fine must be considered perfectly adequate and proportionate taking into account the criteria of Article 83, paragraph (2) of the GDPR, so that the plaintiff's related plea must also be rejected. This finding is not called into question by the plaintiff's argument according to which no specific breach could have been blamed on it, an assertion to be rejected in light of the conclusion reached above by the court as to a violation, on the part of the plaintiff, of Articles 38, paragraphs (1) and (2), as well as 39 of the GDPR. The same applies to the plaintiff's developments as to the absence of any damage having resulted from the violations of the GDPR obligations held against it, since this is not necessarily a criterion to be taken into account for the determination of the sanction to be pronounced. In view of the above considerations and in the absence of specific conclusions with regard to the compliance measures ordered by the contested decision, the appeal is also to be rejected as to this aspect of the case. In view of the outcome of the dispute, there is no reason to grant the request of the company ...
for the allocation of procedural compensation of 2,500 euros requested on the basis of the provisions of Article 33 of the amended law of 21 June 1999 relating to the rules of procedure before the administrative courts. The CNPD, failing to justify to what extent it would be inequitable for it to bear alone the expenses not included in the costs, must also be dismissed in its request for the allocation of procedural compensation in the amount of 5,000 euros. For these reasons, the administrative court, fourth chamber, ruling in adversarial proceedings; declares itself competent to hear the main appeal for reform; declares it admissible in form; as to the merits, declares it unjustified and accordingly dismisses it; holds that there is no need to rule on the subsidiary action for annulment; rejects the respective requests for the allocation of procedural compensation made by the parties; orders the plaintiff to pay the costs and expenses of the proceedings. Thus judged and pronounced at the public hearing of 14 May 2024 by: Paul Nourissier, vice-president, Olivier Poos, vice-president, Emilie Da Cruz De Sousa, first judge, in the presence of clerk Marc Warken. s. Marc Warken s. Paul Nourissier Certified reproduction true to the original Luxembourg, 14 May 2024 The clerk of the administrative court