Revision as of 11:21, 15 June 2021
| CNPD (Luxembourg) - Délibération n°18FR/2021 | |
|---|---|
| Authority: | CNPD (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 38(1) GDPR, Article 38(2) GDPR, Article 39(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 31.05.2021 |
| Published: | 14.06.2021 |
| Fine: | €18,000 |
| Parties: | n/a |
| National Case Number/Name: | Délibération n°18FR/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | CNPD (in FR) |
| Initial Contributor: | n/a |
The Luxembourg DPA fined a controller €18,000 for not providing its DPO with the resources and organisational framework necessary to carry out the DPO's tasks properly.
English Summary
Facts
The Luxembourg DPA (CNPD) opened an investigation into a group of companies with a subsidiary based in Luxembourg (Company A).
The group's central headquarters had a privacy office, while the Luxembourg subsidiary had a single data protection lawyer. The group had appointed one Group DPO to handle data protection matters for both the central company and the Luxembourg subsidiary. The local data protection lawyer was the Group DPO's single point of contact within Company A.
Holding
The CNPD held that, even though the Group DPO took part in numerous group-level meetings and regularly organised meetings with the local points of contact, this was not sufficient to demonstrate the DPO's direct, formal and permanent involvement in Luxembourg.
The Group DPO received a monthly report from the local point of contact on data protection matters (number of requests to exercise rights or complaints, possible impact assessments, etc.). The DPO was also systematically informed and consulted by the local point of contact in the event of a security incident likely to involve personal data and to create a risk for the data subjects.
However, the DPA considered that these elements could not compensate for the absence of direct involvement of the Group DPO within Company A, which created the risk that the DPO was not sufficiently involved at operational level in Luxembourg. This amounted to a breach of Article 38(1) GDPR, under which the DPO must be involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
No measures had been taken to address that risk, such as regular visits by the Group DPO to Company A, which would have allowed the DPO to discuss data protection issues and related operational questions directly with the company's management.
Nor was there any direct reporting from the Group DPO to the local entity. Several levels of reporting existed, but the DPA considered that they did not compensate for the lack of direct reporting from the DPO to the controller in Luxembourg.
All data protection questions arising at the level of the controller were received and first analysed by the local point of contact, who then assessed the issue and contacted the Group DPO only when they deemed it necessary. The DPO was therefore not informed and, above all, not consulted from the earliest possible stage on all data protection matters.
The DPA also found a breach of Article 38(2) GDPR, since the DPO was not provided with the resources necessary to carry out those tasks and with access to personal data and processing operations; in particular, the controller had not determined or documented the time the local point of contact needed for its data protection duties.
The lack of direct reporting also led to a breach of Article 39(1)(a) GDPR, which concerns the DPO's task of informing and advising the controller.
Additionally, during the proceedings, Company A appointed a new DPO (the former local point of contact). The DPA remarked that Company A must ensure that the newly appointed DPO is effectively involved in all matters relating to data protection.
For these violations, the DPA fined the controller €18,000, taking into account the company's willingness to cooperate.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted with Company A

Deliberation no. 18FR/2021 of 31 May 2021

The National Commission for Data Protection sitting in restricted formation, composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Having regard to the law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, in particular Article 41 thereof;

Having regard to the rules of procedure of the National Commission for Data Protection adopted by decision no. 3AD/2020 of 22 January 2020, in particular Article 10.2 thereof;

Having regard to the regulation of the National Commission for Data Protection on the investigation procedure adopted by decision no. 4AD/2020 of 22 January 2020, in particular Article 9 thereof;

Considering the following:

I. Facts and procedure

1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and the importance of its integration into the organisation, and considering that the guidelines on DPOs (footnote 1) have been available since December 2016, i.e. 17 months before the entry into application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: the "GDPR"), the National Commission for Data Protection (hereinafter: the "National Commission" or the "CNPD") decided to launch a thematic investigation campaign on the function of the DPO. Thus, 25 audit procedures were opened in 2018, concerning both the private sector and the public sector.

Footnote 1: The guidelines on DPOs were adopted by the "Article 29" Working Party on 13 December 2016. The revised version (WP 243 rev. 01) was adopted on 5 April 2017.

2. In particular, the National Commission decided, by deliberation no. […] of 14 September 2018, to open an investigation in the form of a data protection audit of […] Company A, established and having its registered office at L-[…], registered in the trade and companies register under number […] (hereinafter: the "audited entity") (footnote 2), and to designate Mr Christophe Buschmann as head of investigation. That deliberation specifies that the investigation concerns the compliance of the audited entity with Section 4 of Chapter IV of the GDPR.

Footnote 2: Coordinated articles of association filed on […].

3. The main activity of the audited entity is […]. The audited entity has approximately […] employees spread over […] sites as well as […] (footnote 3).

Footnote 3: Presentation given at the on-site inspection of 21 January 2019.

4. By letter of 17 September 2018, the head of investigation sent the audited entity a preliminary questionnaire, to which the latter replied by letter of 5 October 2018. An on-site visit took place on 21 January 2019. Following these exchanges, the head of investigation drew up audit report no. […] (hereinafter: the "audit report").

5. It emerges from the audit report that, in order to verify the audited entity's compliance with Section 4 of Chapter IV of the GDPR, the head of investigation defined eleven control objectives, namely:
1) Ensure that an organisation subject to the obligation to appoint a DPO has done so;
2) Ensure that the organisation has published the contact details of its DPO;
3) Ensure that the organisation has communicated the contact details of its DPO to the CNPD;
4) Ensure that the DPO has sufficient expertise and skills to carry out his or her tasks effectively;
5) Ensure that the tasks and duties of the DPO do not give rise to a conflict of interest;
6) Ensure that the DPO has sufficient resources to carry out his or her tasks effectively;
7) Ensure that the DPO is able to carry out his or her tasks with a sufficient degree of autonomy within the organisation;
8) Ensure that the organisation has put in place measures to ensure that the DPO is involved in all matters relating to data protection;
9) Ensure that the DPO fulfils his or her task of informing and advising the controller and employees;
10) Ensure that the DPO exercises adequate monitoring of data processing within the organisation;
11) Ensure that the DPO assists the controller in carrying out data protection impact assessments for new processing operations.

6. By letter of 31 October 2019 (hereinafter: the "statement of objections"), the head of investigation informed the audited entity of the breaches of obligations under the GDPR that he had noted during his investigation. The audit report was attached to this letter.

7. In particular, the head of investigation noted in the statement of objections breaches of:
- the obligation to involve the DPO in all matters relating to the protection of personal data (footnote 4: objective 8);
- the obligation to provide the DPO with the necessary resources (footnote 5: objective 6);
- the DPO's task of informing and advising (footnote 6: objective no. 10).

8. By letter of 22 November 2019, the audited entity sent the head of investigation its position on the breaches listed in the statement of objections.

9. On 24 August 2020, the head of investigation sent the audited entity a letter supplementing the statement of objections (hereinafter: the "supplementary letter to the statement of objections"), by which he informed the audited entity of the corrective measures and the administrative fine that he proposed that the National Commission sitting in restricted formation (hereinafter: the "restricted panel") adopt.

10. By letter of 30 September 2020, the audited entity sent the head of investigation its observations on the supplementary letter to the statement of objections.

11. The case was on the agenda of the restricted panel's session of 26 January 2021. In accordance with Article 10.2(b) of the National Commission's rules of procedure, the head of investigation and the audited entity presented their oral observations in support of their written submissions. More particularly, Maître […], representative of the audited entity, read out a note setting out the audited entity's observations (hereinafter: the "pleadings note"). The head of investigation and the audited entity then answered the questions put by the restricted panel. The audited entity had the last word.

12. By e-mail of 27 January 2021, the audited entity's representative sent the restricted panel a copy of the pleadings note, an extract from a presentation dated 8 October 2018 showing the "Data Protection" organisation chart with an indication of the audited entity's "[GDPR Committee]", as well as an extract from the trade and companies register of […] concerning Company B, manager […] in Luxembourg.

II. In law

A. As regards the requirement of precision of the statement of objections and of the supplementary letter to the statement of objections

13. In its pleadings note, the audited entity's representative submits, as a preliminary point, that the statement of objections and the supplementary letter to the statement of objections lack precision:

"[…] the statements of objections fail to comply with the legal obligations applicable in administrative matters, in particular in that they do not contain a precise reference to a standard that would have been violated and do not contain any precise indication of the detailed facts that would constitute a violation of a legal standard by Company A. Through this lack of precision, the general principles of applicable law have been violated and my client was deprived of the opportunity to provide informed and detailed explanations likely to enlighten the Restricted Panel."

14. The restricted panel notes that the head of investigation expressly mentions, both in the statement of objections and in the supplementary letter to the statement of objections, the provisions of the GDPR with which the audited entity allegedly failed to comply, namely Articles 38.1, 38.2 and 39.1(a). In addition, the factual findings made during the investigation, on which the alleged breaches are based, are set out in the statement of objections. Moreover, the audit report containing all the findings and work carried out by the head of investigation in the course of the audit was attached to the statement of objections. Furthermore, the restricted panel notes that the audited entity's representative refers to "the legal obligations applicable in administrative matters" and to "general principles of applicable law" without specifying which rule of law would have been violated in the present case.

15. For all practical purposes, it should be noted that the audited entity was in a position to take a stance on the breaches alleged against it, as shown by its position papers of 22 November 2019 and 30 September 2020 as well as the oral observations and the pleadings note presented at the restricted panel's session of 26 January 2021.

16. It is therefore wrong for the audited entity's representative to maintain that the statement of objections and the supplementary letter to the statement of objections lack precision such that his client would have been "deprived of the opportunity to provide informed and detailed explanations likely to enlighten the Restricted Panel".

B. As regards the breaches listed in the statement of objections

a) The breach of the obligation to involve the DPO in all matters relating to the protection of personal data

1. On the principles

17. Under Article 38.1 of the GDPR, the organisation must ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

18. The guidelines on DPOs state that "[i]t is crucial that the DPO, or his/her team, is involved from the earliest stage possible in all issues relating to data protection. […] Ensuring that the DPO is informed and consulted at the outset will facilitate compliance with the GDPR and promote a privacy by design approach, and should therefore be standard procedure within the organisation's governance. In addition, it is important that the DPO be seen as a discussion partner within the organisation and that he or she be part of the relevant working groups dealing with data processing activities within the organisation" (footnote 7: WP 243 rev. 01, revised version adopted on 5 April 2017, p. 16).

19. The guidelines on DPOs give examples of how to ensure this involvement of the DPO, such as: inviting the DPO to participate regularly in meetings of senior and middle management; recommending the presence of the DPO where decisions with data protection implications are taken; always giving due weight to the DPO's opinion; consulting the DPO promptly once a data breach or another incident has occurred.

20. According to the guidelines on DPOs, the organisation could, where appropriate, develop data protection guidelines or programmes that set out when the DPO must be consulted.

2. In the present case

21. It emerges from the audit report that, in order for the head of investigation to consider objective 8 as achieved by the audited entity in the context of this audit campaign, the head of investigation expects the DPO to participate, in a formalised manner and at a defined frequency, in the Management Committee, project coordination committees, new product committees, security committees or any other committee deemed useful in the context of data protection.

22. According to the statement of objections, page 3, "the DPO participates in numerous meetings at Group level and […] regularly organises meetings with its local contact points. But these elements are not sufficient to demonstrate the direct, formal and permanent involvement of the DPO in Luxembourg". It further emerges from the statement of objections that "the Group DPO receives a monthly report from the local contact point relating to […] as well as a monthly report […] relating to data protection issues (number of requests to exercise rights or complaints, possible impact assessments, etc.). […] The DPO is systematically informed and consulted by the local contact point in the event of a security incident likely to involve personal data and to create a risk for the data subjects." However, the head of investigation considers that "these elements cannot compensate for the absence of direct involvement of the Group DPO within Company A, which could create the risk that the DPO is not sufficiently involved at operational level in Luxembourg." Finally, the head of investigation argues that he "was not made aware of any measures to address this risk, such as, for example, the formal establishment of visits at a defined frequency by the Group DPO (or a member of his Data Protection team) to Luxembourg. Such visits would in particular allow the DPO to discuss data protection issues directly with the senior management of Company A and to assess operational issues directly."

23. In its position paper of 22 November 2019, the audited entity affirms that the Group DPO is involved properly and in a timely manner in all matters relating to the protection of personal data. The audited entity explains that "[all] questions relating to the protection of personal data arising in the Grand Duchy of Luxembourg are first received and analysed by our contact point dedicated to data protection in Luxembourg" (hereinafter: the "local contact point") and that the latter works in close collaboration with the Group DPO […]. According to the audited entity, the local contact point is responsible for managing the compliance of the processing of personal data carried out by the audited entity, under the supervision of the Group DPO, to whom the contact point reports its actions. In addition, the audited entity mentions in its position paper of 22 November 2019 the establishment of a committee dedicated to data protection in Luxembourg (hereinafter: the "[GDPR Committee]"), which defines the strategy on these subjects and the associated action plans. The audited entity sets out the composition and functioning of the [GDPR Committee] in support of the contention that the Group DPO is involved in the management of compliance with the provisions of the GDPR in Luxembourg.

24. In its pleadings note, the audited entity's representative relies on Article 37.2 of the GDPR, which allows a group of undertakings to appoint a single DPO provided that the latter is easily accessible from each establishment, as well as on the guidelines on DPOs, to maintain that the audited entity's organisation complies with the GDPR, and affirms that "[n]o materiality of the alleged facts has been established, nor any unavailability of Company A's DPO, whether vis-à-vis the supervisory authority or the data subjects, and a possible and uncharacterised risk cannot make it possible to establish a violation on the facts."

25. The restricted panel notes that the audited entity is a subsidiary of the […] group and that the latter decided to appoint a single DPO for the various entities of the group (hereinafter: the "Group DPO"). At central level, the group has set up a data protection office ("[…]") composed of the Group DPO as well as […] lawyers specialising in data protection and […] project manager. At local level, the audited entity's sole lawyer was appointed as the local contact point for the Group DPO.

26. As a preliminary point, the restricted panel notes that the breach alleged by the head of investigation concerns Article 38.1 of the GDPR, so that the explanations of the audited entity's representative under Article 37.2 of the GDPR are not relevant in this case. Indeed, even if the GDPR allows a group of undertakings to appoint a single DPO, the fact remains that this DPO must be involved, properly and in a timely manner, in all issues relating to the protection of personal data, in accordance with Article 38.1 of the GDPR. It is thus possible for an organisation to appoint a single DPO at the level of a group whose entities are established in several Member States of the European Union and to provide, at local level, "contact points" which assist the DPO, in particular on questions relating to local particularities such as national legislation. In such a case, however, it is all the more important to clearly define, among other things, the arrangements for collaboration between the DPO and the "local contact points" as well as the distribution of tasks and responsibilities. In the present case, the restricted panel notes that all questions relating to the protection of personal data that arose at the level of the audited entity were received and first analysed by the local contact point, who contacted the Group DPO when he deemed it necessary. The restricted panel further notes that the Group DPO was not a member of the [GDPR Committee] and was only informed of the matters discussed there through the minutes of the [GDPR Committee] and through the questions raised by the local contact point during those meetings.

27. It emerges from the investigation file that the Group DPO was involved only indirectly in questions relating to the protection of personal data arising at the level of the audited entity, through the local contact point who, in fact, acted as the data protection interlocutor within the organisation. However, the local contact point was the audited entity's sole lawyer and was not part of the Group DPO's own team, namely the data protection office ("[…]").

28. In addition, the restricted panel considers that the transmission of the minutes of the [GDPR Committee] to the Group DPO does not establish his proper and timely involvement, insofar as the Group DPO is simply informed of the measures that the [GDPR Committee] proposes to the audited entity's various decision-making bodies for implementation. The DPO is therefore not informed and, above all, not consulted "from the earliest stage possible" in all matters relating to data protection.

29. In addition, the audited entity states in its position paper of 30 September 2020 that the local contact point was appointed as DPO of Company A with effect from 1 October 2020. The restricted panel notes that the CNPD received the amending declaration by e-mail of 30 September 2020. However, the audited entity must ensure that the newly appointed DPO is effectively involved in all matters relating to the protection of personal data. The mere fact of having appointed the local contact point as DPO is not sufficient to demonstrate such involvement of the latter in all matters relating to the protection of personal data.

30. In view of the foregoing, the restricted panel agrees with the head of investigation's finding that the breach of Article 38.1 of the GDPR was established at the time of the investigation.

b) The failure to provide the DPO with the necessary resources

1. On the principles

31. Article 38.2 of the GDPR requires the organisation to support its DPO "in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge."

32. It follows from the guidelines on DPOs (footnote 8: WP 243 rev. 01, revised version adopted on 5 April 2017, p. 17) that the following aspects in particular must be taken into consideration:

"sufficient time for DPOs to fulfil their duties. This is particularly important where an internal DPO is appointed on a part-time basis or where the external DPO carries out data protection in addition to other duties. Otherwise, conflicting priorities could result in the DPO's duties being neglected. Having sufficient time to devote to DPO tasks is paramount. It is a good practice to establish a percentage of time for the DPO function where it is not performed on a full-time basis. It is also good practice to determine the time needed to carry out the function, the appropriate level of priority for DPO duties, and for the DPO (or the organisation) to draw up a work plan;

necessary access to other services, such as Human Resources, legal, IT, security, etc., so that DPOs can receive essential support, input and information from those other services".

33. The guidelines on DPOs state that "[i]n general terms, the more complex and/or sensitive the processing operations, the more resources must be given to the DPO. The data protection function must be effective and sufficiently well-resourced in relation to the data processing being carried out."

2. In the present case

34. It emerges from the audit report that, in view of the size of the organisations selected, in order for the head of investigation to consider objective 6 as achieved by the audited entity in the context of this audit campaign, the head of investigation expects the audited entity to devote at least one FTE (full-time equivalent) to the data protection team. The head of investigation also expects the DPO to be able to rely on other departments, such as legal, IT, security, etc. It follows from the statement of objections, page 3, that the Group DPO has, at central level, a team made up of […] lawyers specialising in data protection as well as […] project manager. At local level, however, the Group DPO has only a local contact point, who was also the audited entity's sole lawyer, so that the head of investigation noted "the risk that the DPO does not have sufficient resources at local level in Luxembourg, the resources being concentrated at group level but not appearing to be sufficiently deployed at local level" as well as "the risk that, in the event of a sharp peak of activity in the legal matters to be handled within Company A, the contact point may not have the means to carry out its data protection tasks effectively, which would create the risk that the DPO could not effectively exercise his DPO tasks for Luxembourg".

35. In its position paper of 22 November 2019, the audited entity affirms that the Group DPO has the local support of a legal team made up of the local contact point and a "second resource", and notes that "the job descriptions of the Local Contact Point and of the second resource in the local legal team, on an open-ended contract, must be detailed in terms of hours and description of tasks".

36. In his pleadings note, the audited entity's representative also argues that the requirement to formalise the distribution of working time does not exist in the applicable regulations and that the guidelines on DPOs contain at most a recommendation, as "good practice", to "determine the time needed to carry out the function, the appropriate level of priority for DPO duties, and for the DPO (or the organisation) to draw up a work plan". Finally, the audited entity's representative maintains that "[h]ere too, no materiality of the alleged facts has been established, nor has any explanation been provided of the criteria examined to conclude that there is a lack of resources, nor any analysis of existing resources. A possible and uncharacterised risk cannot make it possible to establish on the facts that Company A would lack the resources to meet its data protection obligations."

37. The restricted panel notes that the audited entity chose to appoint the Group DPO, who has, at central level, a team made up of […] lawyers specialising in data protection as well as […] project manager. At the level of the Luxembourg entity that was the subject of the investigation, a local contact point was appointed in the person of the audited entity's only lawyer, who moreover carried out other tasks as well. The restricted panel considers that such an organisation requires the organisation to determine and document the time needed for the local contact point to perform its data protection duties, in order to be able to allocate the necessary resources to it. This requirement follows in particular from the guidelines on DPOs as well as from Articles 5.2 and 24 of the GDPR, which set out the principle of accountability. However, it emerges from the file that the audited entity had not carried out any formalisation or documentation making it possible to demonstrate that it had provided the DPO function with the resources necessary for the performance of its tasks at the time of the investigation.

38. In view of the foregoing, the restricted panel concludes that Article 38.2 of the GDPR was not complied with by the audited entity.

c) The failure regarding the DPO's task of informing and advising

1. On the principles

39. Under Article 39.1(a) of the GDPR, one of the tasks of the DPO is "to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions".

2. In the present case

40. It emerges from the audit report that, in order for the head of investigation to consider objective 9 as achieved by the audited entity in the context of this audit campaign, he expects "the organisation to have formal reporting on the DPO's activities to the Management Committee at a defined frequency. As regards information to employees, the organisation is expected to have put in place an adequate data protection training programme for staff".

41. According to the statement of objections, page 4, it emerges from the investigation that there is no direct reporting of information from the Group DPO to the audited entity's local management. The head of investigation notes that "there are several levels of reporting ([…])", but considers that "these elements are not sufficient to compensate for the lack of direct reporting from the DPO to the controller in Luxembourg".

42. In its position paper of 22 November 2019, the audited entity refers to its explanations relating to the first objection, namely the breach of the obligation to involve the DPO in all matters relating to the protection of personal data. Moreover, the audited entity maintains that the Group DPO "informs and advises the controller as well as the employees and has in particular put in place:
o Online training […], available online since May 2018
o An awareness campaign with […] on the protection of personal data on […] 2018, as well as on […] 2019 […]
o An awareness campaign with […] including the 10 golden rules on the protection of personal data dated […] 2019".
The audited entity confirms that the Group DPO "has the opportunity to discuss strategic and/or more operational issues with the senior management […] of Company A".

43. The restricted panel notes that the breach identified by the head of investigation concerns only the DPO's task of informing and advising the controller, and not the DPO's task of informing and advising employees.

44. The restricted panel considers that the DPO's task of informing and advising the controller is closely linked to the obligation, laid down in Article 38.1 of the GDPR, to involve the DPO properly and in a timely manner in all issues relating to the protection of personal data. The restricted panel has, however, noted (footnote 9: points 26 to 30 of this decision) that the Group DPO was not involved properly and in a timely manner in the data protection issues arising at the level of the Luxembourg entity that was the subject of the investigation. Indeed, the Group DPO was involved only indirectly, through the local contact point. In addition, he was simply informed of the measures that the [GDPR Committee] proposes to the audited entity's various decision-making bodies for implementation.

45. In view of the foregoing, the restricted panel concludes that Article 39.1(a) of the GDPR was not complied with by the audited entity.

III. On the corrective measures and the fine

A. Principles

46. In accordance with Article 12 of the law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, the CNPD has the powers provided for in Article 58.2 of the GDPR:
a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;
d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
e) to order the controller to communicate a personal data breach to the data subject;
conducted with Company A 14/22 f) impose a temporary or permanent limitation, including a ban, on the treatment; g) order the rectification or erasure of personal data or the restriction of processing in application of Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed in accordance with Article 17, paragraph 2, and Article 19; h) withdraw a certification or order the certification body to withdraw a certification issued in application of Articles 42 and 43, or order the certification not to issue certification if the requirements applicable to the certification are not or no longer satisfied; i) impose an administrative fine in application of Article 83, in addition to or the place of the measures referred to in this paragraph, depending on the characteristics specific to each case; j) order the suspension of data flows addressed to a recipient located in a third country or to an international organization. " 47. In accordance with article 48 of the law of August 1, 2018, the CNPD may impose administrative fines as provided for in Article 83 of the GDPR, except against the State or municipalities. 48. 
Article 83 of the GDPR provides that each supervisory authority ensures that administrative fines imposed are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account in deciding whether there to impose an administrative fine and to decide on the amount of this fine: "(A) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of people affected parties and the level of damage they suffered; (b) whether the violation was committed willfully or negligently; c) any measures taken by the controller or processor to mitigate the damage suffered by the persons concerned; ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey no. [...] carried out with Company A 15/22 d) the degree of responsibility of the controller or the processor, account taking into account the technical and organizational measures they have implemented under Articles 25 and 32; e) any relevant breach previously committed by the controller or the subcontractor; f) the degree of cooperation established with the supervisory authority in order to remedy the violation and mitigate any negative effects; g) the categories of personal data affected by the breach; h) the manner in which the supervisory authority became aware of the breach, in particular whether, and to what extent, the controller or processor has notified the violation; (i) where measures referred to in Article 58 (2) have previously been ordered against the controller or processor concerned for the same object, compliance with these measures; j) the application of codes of conduct approved in accordance with Article 40 or certification mechanisms approved under Article 42; and k) any other aggravating or mitigating circumstance applicable to the circumstances of the species, 
such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation ”. 49. The restricted panel wishes to point out that the facts taken into account in the context of the this decision are those noted at the start of the investigation. Any modifications relating to the subject of the investigation carried out subsequently, even if they make it possible to establish fully or partially compliance, do not allow retroactive cancellation of a breach noted. 50. Nevertheless, the steps taken by the inspected to bring themselves into compliance with the GDPR during the investigation procedure or to remedy breaches noted by the head of investigation in the statement of objections, are taken into account by the limited training in the context of any corrective measures to be taken. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey no. […] carried out with Company A 16/22 B. In the present case 1. As to the imposition of an administrative fine 51. In the additional letter to the statement of objections of 24 August 2020, the investigator proposes to the restricted formation to pronounce against the controlled a administrative fine relating to the amount of 18,000 euros. 52. In his pleadings, the agent of the controlled argues that a fine administrative "must meet the principles of adequacy and proportionality of Article 83 of the GDPR while in particular, no specific grievance has been formulated, no damage has been observed and Company A collaborated as much as possible with the CNPD during the entire monitoring period. " 53. 
In order to decide whether to impose an administrative fine and to decide, if of the amount of this fine, the restricted committee analyzes the criteria set by Article 83.2 of the GDPR: - As to the nature and seriousness of the violation (article 83.2 a) of the GDPR), with regard to concerns breaches of Articles 38.1, 38.2 and 39.1 a) of the GDPR, the training restricted notes that the appointment of a DPO by an organization cannot be efficient and effective, namely facilitating compliance with the GDPR by the organization, that in the case where the DPD is associated from the earliest possible stage with all data protection issues, takes advantage of time and resources necessary to perform their data protection duties and exercise effectively its missions including the information and advice mission of controller. A breach of Articles 38.1, 38.2 and 39.1 a) of the GDPR amounts to reducing the interest, or even emptying of its substance, the obligation for an organism to appoint a DPO. - As for the duration criterion (article 83.2.a) of the GDPR), the restricted committee notes that the controlled indicated, in its position paper of September 30, 2020, that the point of er local contact has been appointed as DPO with effect from 1 October 2020 and that this the latter now devotes 50% of his working time to protection issues data, with the assistance of [...] other lawyers who also devote each 50% of their working time. In addition, the composition and functioning of the ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey no. [...] conducted with Company A 17/22 [GDPR Committee] have been modified so that the DPO can inform and advise the controller. Breaches of Articles 38.1, 38.2 and 39.1 a) have er therefore lasted over time, at least between May 25, 2018 and October 1, 2020. 
The restricted panel recalls here that two years separated the entry into force of the GDPR from its entry into application, in order to allow controllers to comply with their obligations.
- As to the number of data subjects affected by the violation and the level of damage they suffered (Article 83.2 a) of the GDPR), the restricted panel notes that the inspected entity has approximately [...] employees spread over [...] sites as well as [...]. The number of people affected by the violation is therefore potentially high.
- As to the degree of cooperation with the supervisory authority (Article 83.2 f) of the GDPR), the restricted panel takes into account the assertion of the head of the investigation that the inspected entity showed constructive participation throughout the investigation.

54. The restricted panel notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence its decision on whether to impose an administrative fine and on its amount.

55. The restricted panel notes that although several measures were put in place by the inspected entity in order to remedy all or part of certain shortcomings, these were adopted only following the launch of the investigation by CNPD officers on 17 September 2018 (see also point 49 of this decision).

56. Therefore, the restricted panel considers that the imposition of an administrative fine is justified with regard to the criteria set out in Article 83.2 of the GDPR for the breach of Articles 38.1, 38.2 and 39.1 a) of the GDPR.

57. Regarding the amount of the administrative fine, the restricted panel recalls that Article 83.3 of the GDPR provides that, in the event of multiple violations, as is the case here, the total amount of the fine may not exceed the amount set for the most serious violation.
Insofar as a breach of Articles 38.1, 38.2 and 39.1 a) of the GDPR is alleged against the inspected entity, the maximum amount of the fine that may be imposed is 10 million euros or 2% of the total worldwide annual turnover, whichever is higher.

58. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the restricted panel considers that the imposition of a fine of 18,000 euros appears both effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.

2. Regarding the adoption of corrective measures

59. In his additional letter to the statement of objections, the head of the investigation suggests that the restricted panel adopt the following corrective measures:
"a) Order the implementation of measures ensuring a formal and effective involvement of the DPO in all matters relating to data protection, in accordance with the requirements of Art. 38 para. 1 GDPR. Although several ways can be envisaged to achieve this result, one of the possibilities would consist in analyzing, with the DPO, all committees/working groups relevant with regard to data protection and formalizing the terms of his intervention (prior information on the meeting agenda, invitation, frequency, status of permanent member, etc.).
b) Order the provision of the necessary resources to the DPO in accordance with the requirements of Article 38 paragraph 2 of the GDPR. Although several ways can be envisaged to achieve this result, one of the possibilities would be to relieve the DPO and/or the local members of his team of all or part of their other missions/functions, or to provide formal support, internally or externally, with regard to the performance of his duties as DPO.
c) Order the implementation of measures enabling the DPO to formally inform and advise the data controller on its obligations in terms of data protection, in accordance with Article 39 paragraph 1 a) of the GDPR. Although several ways can be envisaged to achieve this result, one of the possibilities would be to set up formal reporting of the DPO's activities to management on the basis of a defined frequency."

60. As to the corrective measures proposed by the head of the investigation, and with reference to point 50 of this decision, the restricted panel takes into account the steps taken by the inspected entity, following the visit of CNPD agents, in order to comply with the provisions of Articles 38.1, 38.2 and 39.1 a) of the GDPR, as detailed in its letters of November 21, 2019 and September 30, 2020. In particular, it takes note of the following facts:
- As for the violation of Article 38.1 of the GDPR, providing for the obligation to involve the DPO in all questions relating to the protection of personal data, the restricted panel takes note that the local contact point was appointed DPO of the inspected entity with effect from October 1, 2020. However, the restricted panel understands from the documents provided by the inspected entity that this newly appointed DPO performs his duties under the supervision of the DPO [of the group]. The restricted panel therefore wonders whether the newly appointed DPO is effectively involved in all matters relating to the protection of personal data, and this in complete independence. Therefore, the CNPD is of the opinion that the inspected entity has not sufficiently demonstrated its compliance with Article 38.1 of the GDPR and considers that it is necessary to pronounce a compliance measure in this regard.
- With regard to the violation of Article 38.2 of the GDPR, providing for the obligation to provide the necessary resources to the DPO, the inspected entity affirms in its position statement of September 30, 2020 that the DPO newly appointed by Company A devotes 50% of his working time to data protection issues and is assisted by [...] lawyers who devote [...], so that there will be 1.5 FTEs devoted to the protection of personal data. In view of these elements, the restricted panel is of the opinion that the head of the investigation's expectation of 1 FTE or more has been met following the measures taken by the inspected entity during the investigation. Therefore, the restricted panel considers that there is no need to pronounce a compliance measure in this regard.
- As for the violation of Article 39.1 a) of the GDPR, relating to the DPO's mission of information and advice towards the controller, the inspected entity explains in its position paper of September 30, 2020 the composition and functioning of the [GDPR Committee], which will allow the newly appointed DPO to inform and advise the controller. However, in view of the documents provided by the inspected entity, the restricted panel understands that the DPO newly appointed by the inspected entity (previously the local contact point, without having exercised the function of DPO) carries out his missions under the supervision of the DPO [of the group], so that it is not sufficiently demonstrated by the inspected entity that the newly appointed DPO can effectively fulfill his mission of information and advice towards the controller (Company A), and this in complete independence. Therefore, the restricted panel considers that there is reason to pronounce a compliance measure in this regard.
In view of the foregoing, the National Commission sitting in restricted formation and deliberating unanimously decides:
- to impose on the company "Company A" an administrative fine of eighteen thousand euros (18,000 euros) with regard to the violation of Articles 38.1, 38.2 and 39.1 a) of the GDPR;
- to issue an injunction against the company "Company A" to come into compliance with Article 38.1 of the GDPR within four months of the notification of the decision of the restricted panel, the supporting documents for compliance having to be sent to the restricted panel at the latest within this period, in particular: to ensure that the DPO is effectively involved in all questions relating to the protection of personal data, and this in complete independence;
- to issue an injunction against the company "Company A" to come into compliance with Article 39.1 a) of the GDPR within four months of the notification of the decision of the restricted panel, the supporting documents for compliance having to be sent to the restricted panel at the latest within this period, in particular: to ensure that the DPO can effectively fulfill his mission of information and advice towards the controller.

As decided in Belvaux on May 31, 2021.

For the National Commission for Data Protection sitting in restricted formation

Tine A. Larsen, President
Thierry Lallemang, Commissioner
Marc Lemmer, Commissioner

Indication of remedies

This administrative decision may be the subject of an appeal for reformation within three months following its notification. This appeal is to be brought before the administrative tribunal and must be introduced through a lawyer at the Court of one of the Bar Associations.