Revision as of 08:15, 10 November 2021
CNPD (Luxembourg) - Délibération n° 36FR/2021

| Field | Value |
|---|---|
| Authority: | CNPD (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 38(1) GDPR, Article 39(1)(b) GDPR, Article 83(2) GDPR, Article 83(3) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 13.10.2021 |
| Published: | 02.11.2021 |
| Fine: | 13,200 EUR |
| Parties: | n/a |
| National Case Number/Name: | Délibération n° 36FR/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | Délibération n° 36FR/2021 (in FR) |
| Initial Contributor: | Matthias Smet |
As a result of an audit on the subject of 'the role of the DPO', initiated by the Luxembourg DPA, a number of violations were identified. The DPA imposed a fine of 13,200 euros. In determining the sanction, the DPA took into account the steps the company took to align with the legislation and guidelines on the DPO function between the start of the audit and the DPA's decision.
English Summary
Facts
Given the impact of the DPO's role and the importance of its integration within the organisation, the Luxembourg DPA launched a thematic audit campaign on the DPO function, defining 11 audit objectives. As part of this campaign, the DPA carried out 28 audits.
During the audit, violations were found regarding:
- the obligation to appoint the DPO on the basis of his professional qualities (Article 37(5) GDPR)
Objective met if...: the DPO has at least three years of professional experience in data protection
The audit resulted in the finding that the DPO does not have any particular expertise in data protection at the time of his appointment. The main criterion for his appointment as DPO was his position of "Chief Compliance & Legal Officer”. In response, Company A sent additional documents to the DPA proving that the DPO had more than three years of professional experience in the field of data protection at the time of the initiation of the investigation.
- the obligation to involve the DPO in all matters related to the protection of personal data (Article 38(1) GDPR)
Objective met if...: the DPO participates formally, and at a specified frequency, in the executive committee, project coordination committees, new product committees, security committees or any other committee deemed useful in the context of data protection.
The audit showed that this was not provided for in the company's procedures. Company A took steps to formalise the involvement and presence of the DPO in the structural consultative bodies in its internal procedures and policies, as a measure to bring itself in line with the legislation and the WP29 guidelines.
- the obligation to provide the DPO with the necessary resources (Article 38(2) GDPR)
Objective met if...: at least one FTE (full-time equivalent) is allocated to the data protection team, and the DPO is able to rely on other services, such as the legal department, IT, security, etc.
During the audit, it was found that the resources allocated to the data protection team amounted to approximately 0.7 FTE, while the target is at least one FTE. In addition, the time allocated to the DPO for data protection tasks was not defined. Company A communicated that management had decided that the DPO would carry out his duties on a full-time basis (one FTE).
- compliance monitoring tasks of the DPO (Article 39(1) GDPR)
Objective met if...: the organisation has a formalised data protection control plan
The audit showed that the organisation already had some specific procedures in place (e.g. execution of data subject requests), but did not have a control plan. Company A disclosed documents to show that internal processes regarding the processing of personal data are in place and reviewed regularly.
Holding
Although the audit resulted in the identification of four data protection violations, and the head of investigation proposed to impose a sanction based on all four, the DPA only identified two breaches in its decision. The DPA also took into account the steps the organisation had already taken in order to comply with Articles 38(1) and 39(1)(b) GDPR.
Therefore, the DPA considered that there was no need to impose additional corrective measures.
Nevertheless, the DPA noted that these measures were taken after the start of the investigation and therefore considered that, at the start of the investigation, Articles 38(1) and 39(1)(b) GDPR were not complied with. The DPA therefore imposed a fine of 13,200 euros on Company A.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Délibération N° 36FR/2021 of 13 October 2021 - fine. Thematic survey campaign on the function of the data protection officer. (PDF - 747 KB.) Last update 02/11/2021.