CNPD (Luxembourg) - Délibération n° 38FR/2021
CNPD (Luxembourg) - n° 38FR/2021 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 37(7) GDPR Article 38(1) GDPR Article 38(2) GDPR Article 39(1)(b) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 15.10.2021 |
Published: | |
Fine: | 18.000 EUR |
Parties: | n/a |
National Case Number/Name: | n° 38FR/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | CNPD (in FR) |
Initial Contributor: | Florence D'Ath |
Following an audit, the Luxembourg DPA (the CNPD) imposed a fine of €18,000 on a public entity because of four breaches relating to the role and position of its Data Protection Officer (DPO), and issued an injunction against that public entity to bring its practices in compliance with the GDPR.
English Summary
Facts
In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the role of the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR).
One of these audit proceedings concerned a Luxembourg public entity (hereafter, the controller). During the audit, it was found by the head of investigation of the CNPD that :
(1) the controller had failed to publish the contact details of its DPO on its website in a way that made them easily accessible for data subjects, in breach of Article 37(7) GDPR. In particular, the contact details were not easy to find and only accessible in English. The controller decided to address this issue in the course of the investigation and published the contact details of the DPO in another language on its website.
(2) the controller had appointed an external DPO - a lawyer specialized in data protection law - on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, in compliance with Article 37(5) GDPR;
(3) the controller had failed to ensure that the DPO was involved, properly and in a timely manner, in all issues which relate to the protection of personal data, in breach of Article 38(1) GDPR;
(4) the controller had failed to implement the necessary control procedures that would have allowed the external DPO to duly monitor the compliance of the controller's data processing practices with the GDPR, in breach of Article 39(1)(b) GDPR;
(5) the controller had failed to allocate to the external DPO the necessary resources for the latter to carry out his/her tasks, in breach of Article 38(2) GDPR;
(6) the controller was not responsible for (potential) conflict of interest of the external DPO under Article 38(6) GDPR, the latter being an external DPO and a lawyer subject to the Luxembourg law of 10 August 1991 on the profession of attorney and deontological rules.
Holding
Following the audit and the report from the head of investigation, the CNPD found that the controller had been in breach of four distinct obligations relating to the role of the DPO under the GDPR, as specified below.
Regarding the breach of Article 37(7) GDPR, the CNPD considered that the contact details of the DPO were not easy to find on the website of the controller, and were only accessible in English, and not in any of the official languages of the Grand Duchy of Luxembourg. Despite this issue having been addressed by the controller in the course of the investigation, the CNPD considered that there had been a breach of Article 37(7) GDPR.
Regarding the breach of Article 38(1) GDPR, the CNPD considered that the DPO had not been sufficiently involved in all issues relating to data protection law. In particular, the pointed out that the external DPO could not voluntarily intervene but only acted when requested to do so by the controller. The fact that the controller decided, in the course of the investigation, to also appoint an internal DPO who is more regularly involved in all issues relating to data protection, did not remedy this initial breach. The CNPD therefore concluded that the controller was in breach of Article 38(1) GDPR at the time of the investigation.
Regarding the breach of Article 39(1)(b) GDPR, the CNPD concurred with the opinion of the head of the investigation, according to which the controller had failed to implement the necessary control procedures that would have allowed the external DPO to duly monitor the compliance of the controller's data processing practices with the GDPR. The CNPD acknowledged that it is possible for an organization to rely on the services of an external DPO, such as a lawyer, for monitoring compliance with the GDPR. However, the CNPD specified that the role of the external DPO must then be formalized in the form of a control plan or monitoring procedures, to ensure that the DPO is able to effectively advise and accompany the organisation for the purpose of data protection compliance. Because such control plan or monitoring procedures had not been put in place at the time the investigation was initiated, the CNPD concluded that the controller had breached Article 39(1)(b) GDPR.
Regarding the breach of Article 38(2) GDPR, the CNPD found that controller had failed to allocate to the external DPO the necessary resources for the latter to be able to carry out his/her tasks. In particular, the CNPD noted that the number of hours where the DPO worked for the controller did not amount to a full-time employee. Rather, the DPO usually worked between 20 and 108 hours every month, which amounts to 12,5 to 70% of a full time employee. Although the controller addressed this issue by hiring another DPO in the course of the investigation, the CNPD concluded that the controller had been in breach of Article 38(2) GDPR prior to this change.
For all these reasons, the CNPD issued an injunction against the controller to bring its practices in compliance with the GDPR for the remaining breaches (with a deadline of 6 months for remedying those breaches), and also imposed an administrative fine of €18,000 on the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of survey No. [...] conducted with public establishment A Deliberation n ° 38FR / 2021 of October 15, 2021 The National Commission for Data Protection sitting in a restricted body, composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46 / EC; Having regard to the law of 1 August 2018 on the organization of the National Commission for the Protection of data and the general data protection regime, in particular Article 41 thereof; Having regard to the internal regulations of the National Commission for Data Protection adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular its article 10.2; Having regard to the regulations of the National Commission for Data Protection relating to the procedure of inquiry adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular its article 9; Considering the following: ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 1/33 I. Facts and procedure 1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and the importance of its integration into the body, and considering that the guidelines concerning DPOs have been available since December 2016, i.e. 17 months before entry into application of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data personal data and the free movement of such data, and repealing Directive 95/46 / EC (regulation General on Data Protection) (hereinafter: the "GDPR"), the National Commission for data protection (hereinafter: the “National Commission” or the “CNPD”) has decided to launch a thematic survey campaign on the function of the DPO. Thus, 25 audit procedures were opened in 2018, involving both the private and public sectors. 2. In particular, the National Commission decided by deliberation n ° […] of September 14 2018 to initiate an investigation in the form of a data protection audit of public establishment A, established in L [...], and registered in the trade and companies register under the number J […] (hereafter: the “controlled”) and to designate Mr. Christophe Buschmann as head of investigation. The said deliberation specifies that the investigation relates to the compliance of the controlled with section 4 of chapter 4 of the GDPR. 3. The controlled is a public establishment […] under the supervision of the Ministry […]. […] Control has as mission […] 4. By letter of September 17, 2018, the head of the survey sent a questionnaire preliminary to the control, to which the latter replied by letter of October 5, 2018. first on-site visit took place on January 24, 2019, a second on-site visit took place on 27 May 2019 and additional information was received on July 23, 2019. Following these exchanges, the head of the investigation drew up the audit report no. […] (hereafter: the "audit report"). 1The guidelines for DPOs were adopted by the “Article 29” working group on 13 December 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017. ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 2/335. It emerges from the audit report that in order to verify the compliance of the inspected with section 4 of Chapter 4 of the GDPR, the head of the investigation defined eleven control objectives, namely: 1) Ensure that the body subject to the obligation to appoint a DPO has done so; 2) Make sure that the organization has published the contact details of its DPO; 3) Ensure that the organization has communicated the contact details of its DPO to the CNPD; 4) Ensure that the DPO has sufficient expertise and skills to carry out its missions effectively; 5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest; 6) Ensure that the DPO has sufficient resources to effectively carry out his missions ; 7) Ensure that the DPO is able to carry out his missions to a sufficient degree autonomy within their organization; 8) Ensure that the organization has put in place measures to ensure that the DPO is associated with all matters relating to data protection; 9) Ensure that the DPO fulfills his mission of information and advice to the data controller and employees; 10) Ensure that the DPO exercises adequate control over data processing within his body; 11) Ensure that the DPO assists the data controller in carrying out the impact analyzes in the event of new data processing. 6. By letter of February 14, 2020 (hereafter: the “statement of objections”), the Chief of investigation informed the control of the breaches of the obligations provided for by the GDPR that it has noted during its investigation. The audit report was attached to the letter of February 14, 2020. 7. In particular, the head of the investigation noted in the statement of objections breaches of: 2 the obligation to publish the contact details of the DPO; the obligation to appoint the DPO on the basis of his professional qualities; 3 2 3Objective 2 Objective n ° 4 ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 3/33 the obligation to involve the DPO in all matters relating to data protection of a personal nature; 4 the obligation to provide the necessary resources to the DPO; 5 the obligation to ensure that the other missions and tasks of the DPO do not lead to conflict of interest ; the DPD's control mission. 7 8. On August 10, 2020, the head of the investigation sent the inspectorate an additional letter to the statement of objections (hereinafter: the "additional letter to the communication of grievances ") by which he informs the inspectorate of the corrective measures proposed by the head of investigation to the National Commission sitting in a restricted formation (hereinafter: the “restricted formation”) to adopt. 9. The inspector replied to the additional letter to the statement of objections with a letter dated September 14, 2020 in which he presents his observations for each breach retained by the head of the investigation. 10. In addition, the inspected, on October 28, 2020, requested access to the investigation file concerning him. Access to the investigation file was sent to it by the National Commission on 9 November 2020. 11. The president of the restricted formation informed the control by letter of April 12, 2021 that his case would be entered at the restricted session on June 16, 2021 and that he could attend this session. The controlled informed by email of May 25, 2021 that he would participate in said session. 12. During the restricted training session on June 16, 2021, the head of the investigation and the controlled presented their oral observations on the case and answered questions posed through restricted training. The controlled had the floor last. 4Objective 8 5Objective 6 6Objective 5 7Objective n ° 10 ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 4/3313. The inspected provided additional information by email of June 17, 2021, continued to a request in this direction of the restricted training. II. Place A. On the failure to publish the contact details of the DPO 1. On the principles 14. Article 37.7 of the GDPR provides for the obligation for the audited body to publish the contact details of the DPD. Indeed, it follows from Article 38.4 of the GDPR that the persons concerned must be able to contact the DPO regarding any questions relating to the processing of their personal data and the exercise of the rights conferred on them by GDPR. 15. The DPO guidelines explain in this regard that this requirement is aimed at to ensure that "the persons concerned (both inside and outside the organization) can easily and directly contact the DPO without having to contact another agency service ". The guidelines also state that “the contact details of the DPD must contain information allowing the data subjects to contact him easily (a postal address, a specific telephone number and / or a 8 specific e-mail) ”. 16. In addition, Article 12.1 of the GDPR provides that the controller must take appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR in regarding the processing to the data subject in a concise, transparent manner, understandable and easily accessible, in clear and simple terms. Among the information which must be sent to the person concerned is the information relating to contact details of the DPD, in accordance with Articles 13.1.b) and 14.1.b) of the GDPR. 8 WP 243 v.01, version revised and adopted on April 5, 2017, p.15 ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 5/33 2. In the present case 17. It follows from the audit report that, in order for the head of the investigation to consider objective 2 as reached by the inspected as part of this audit campaign, the head of the investigation expects this that the audited body publish the contact details of its DPO internally within the body and externally to the public, which represents the data subjects of the processing. the DPD must be able to be contacted easily and directly via a suitable communication channel To those concerned. Active internal communication is expected, notably via emails, newsletters or dedicated spaces on the intranet. Externally, it is at least whereas the DPD's contact details are easily accessible on the website of the body. 18. It is apparent from the statement of objections that, during the first visit by the staff of the CNPD in charge of the investigation on January 24, 2019, the DPD's contact details were difficult to find find on the website of the inspected insofar as, on the one hand, the website did not contain no section dedicated to data protection and, on the other hand, the relative information notice data protection was only available in English, without translation in any of the official languages of Luxembourg. 19. The inspector made changes during the investigation in order to remedy this problem. In fact, it initially created a data protection section on its website and, in a second step, added links to download French and German versions of the information leaflet in PDF format. 20. The head of the investigation therefore concluded in the statement of objections that, during investigation, the DPD's contact details had become more easily accessible to persons concerned. 21. However, as explained on page 2 of the statement of objections, '[t] he facts taken into account account in the context of this [statement of objections] are those noted at the beginning of investigation. Subsequent changes, even if they ultimately allow to establish the compliance of the controller, do not allow the cancellation of a breach found. " ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° […] carried out with the public establishment A 6/3322. In this context, the restricted committee notes that the GDPR has been applicable since 25 May 2018 so that the obligation to publish the contact details of the DPO, as well as the principle of transparency as set out in Article 12.1 of the GDPR, have existed since that date. Publish the contact details of the DPO on a website without taking the necessary measures to ensure that the people concerned are able to find the information and understand it comes back to render meaningless the obligation of Article 37.7 of the GDPR. 23. In view of the above, the restricted panel concludes that Article 37.7 of the GDPR has no not respected by the inspected. B. On the failure to appoint the DPO on the basis of his qualifications professional 1. On the principles 24. According to article 37.5 of the GDPR, "[the DPO] is appointed on the basis of his professional skills and, in particular, his specialized knowledge of the law and in terms of data protection […] ”. 25. According to recital (97) of the GDPR, “[t] he level of specialist knowledge required should be determined in particular on the basis of data processing operations carried out and the protection required for personal data processed by the controller or processor ”. 26. In addition, the guidelines of the “Article 29” Working Group concerning DPOs specify that the level of expertise of the DPO "must be proportionate to the sensitivity, to the complexity and the volume of data processed by an organization "and that" it is necessary that the DPOs have expertise in the field of national laws and practices and 9 WP 243 v.01, version revised and adopted on April 5, 2017, p. 13 ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 7/33 in terms of data protection, as well as in-depth knowledge 10 of the GDPR ”. 27. The DPO guidelines go on to state that “[t] he is aware of the line of business and body of the controller is useful. The DPD should also have a good understanding of the processing operations carried out, as well information systems and the controller needs in terms of data protection and security ”.11 2. In this case 28. It follows from the audit report that, as part of this audit campaign, for the investigator considers objective 4 as achieved by the controlled, the investigator expects that the DPO has at least three years of professional experience in protection Datas. 29. According to the statement of objections, page 3, on the date of the initiation of the audit, a DPO was in office and “[s] he had all the skills required in legal (lawyer registered with the Luxembourg Bar) and data protection (certificate CIPP / E) ”. 30. A new internal DPO was however appointed during the investigation in April 2019. According to the statement of objections, page 3, this new internal DPO “is also responsible […] And he has the knowledge of the domain and the structure. Nevertheless, it is advisable to note that he has no initial training in legal matters, data protection and IT, nor does it justify a previous practice in the matter ". 31. In its position paper of September 14, 2020, the inspector wished to underline the difficulties he had to face in recruiting a DPO with the right profile, namely a experienced person with knowledge of the operation of the […] sector. the controlled board of directors qualifies the first external recruitment as an "attempt 10WP 243 v.01, version revised and adopted on April 5, 2017, p. 14 11WP 243 v.01, version revised and adopted on April 5, 2017, p.14 ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 8/33 failed ”and chose to appoint as DPD an experienced internal employee able to to understand the challenges of the […] sector and the regulatory complexity that characterizes it. the controlled considers that this knowledge of the trade is an important and priority criterion in look at its specific sector. The inspected adds that the new internal DPO has taken several training courses in data protection between 2017 and 2019, as regular weekly coaching with the assistance of a law firm specializing in data protection was in place since April 2019 and that the DPO has participated monthly since December 2018 in the sessions of the informal public sector working group […]. In addition, the DPO has the opportunity to rely on daily, for the performance of his missions, on the contribution of the teams […] and, on the IT department, on the legal department, on the risk management expert and any other internal resource deemed useful. Since September 2017, the inspected set up "GDRP points of contacts", consisting of the designation of a few people belonging to the different trades of the inspected to be the relay 12 of the DPD. 32. The restricted formation notes that, according to the head of the investigation, the formations relating to the data protection which the internal DPO has assisted since his appointment, as well as the fact that he has access to a number of internal and external supports in the execution of his missions, cannot be sufficient to establish, at the time of the appointment of the new internal DPO, the existence of sufficient expertise adapted to the needs of the inspected in terms of protection Datas . 13 33. However, as noted on page 2 of the statement of objections, '[t] he facts taken into account in the context of this are those observed at the start of the investigation ". 34. However, the restricted committee noted that at the start of the investigation, an external DPO was in function and, as noted by the head of the investigation and repeated in point 29 of this 12 Report of the visit of January 24, 2019, page 3 13 Communication of Grievances, page 3. ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 9/33 decision, he had all the required skills in legal and data protection. 35. In view of the foregoing, the restricted panel concludes that there is no need to retain a breach of Article 37.5 of the GDPR. C. On the breach of the obligation to involve the DPO in all matters relating to the protection of personal data 1. On the principles 36. According to Article 38.1 of the GDPR, the organization must ensure that the DPO is involved, in a in an appropriate and timely manner, to all data protection matters of a personal nature. 37. The DPO Guidelines state that “[i] t is essential that the DPO, or his team, is involved from the earliest possible stage in all questions relating to data protection. [...] Information and consultation of the DPO from the start will allow facilitate compliance with the GDPR and encourage an approach based on the protection of data by design; it should therefore be a usual procedure within the governance of the organization. In addition, it is important that the DPO is considered as a interlocutor within the organization and that he or she is a member of the working groups dedicated to data processing activities within the organization ". 14 38. The DPO guidelines provide examples on how to to ensure this association of the DPO, such as: invite the DPO to participate regularly in senior management meetings and intermediate ; recommend the presence of the DPO when decisions with implications for data protection matters are taken; 14 WP 243 v.01, version revised and adopted on April 5, 2017, page 16 ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 10/33 always take due account of the opinion of the DPO; immediately consult the DPD when a data breach or other incident occurs product. 39. In addition, according to the guidelines for DPOs, the body could, if as appropriate, develop guidelines or programs for the protection of data indicating the processing operations in which the DPO must be consulted. 2. In this case 40. It emerges from the audit report that, in order for the investigator to consider objective 8 as completed by the inspected as part of this audit campaign, he expects the DPD participates in a formal manner and on the basis of a defined frequency in the Management Committee, project coordination committees, new product committees, safety committees or any other committee deemed useful in the context of data protection. 41. According to the statement of objections, page 4, the external DPO who was in office at the start of the audit had a role that was characterized as essentially "reactive". "[His] implication was therefore relatively limited. He intervened mainly at the explicit request of the person in charge of treatment and not spontaneously ”. The audit report, page 9, specifies that the implication of the external DPO was characterized more particularly by a "low participation in recurring meetings, only by invitation when the need has been estimated ”. 42. In its position paper of September 14, 2020, page 6, the inspected considers that the description by the head of investigation of the essentially reactive role of the external DPO depending on the start of the investigation is inaccurate and amounts to minimizing the involvement of the external DPO, as in certifies the record of hours worked on several projects […]. 43. The new internal DPO, for his part, participates more easily in the various meetings of the projects. The feedback is facilitated by proximity and the various relays in place in the structure. In addition, according to the audit report, page 9, the internal DPO is a guest standing of the control executive committee (frequency every two weeks) and a point ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the systematic public establishment A 11/33 "GDPR" is on the agenda of each board of directors which takes place every three months. However, according to the audit report, page 9, a precise circuit concerning the opinions to be rendered by the DPD is not yet clearly defined, due to the recent designation of the internal DPD. 44. In its position statement of September 14, 2020, the inspected informs the CNPD about the establishment of an internal process ([...]) to formalize and document the DPD's association questions relating to data protection. This internal process is implemented systematically for each new activity […] of the control and aims to allow: prior documentation and systematic feedback to the DPO before the implementation of the controlled treatments, and this at the latest at the time of the in place of contracts, the upstream identification of sensitive data protection points, the upstream review of information notices and consent forms distributed […], raising awareness among operational teams and exchanges with them, in an optic of privacy by design, and planning or carrying out data protection impact analyzes. 45. The audit also specifies that the involvement of the DPD in matters of protection of data is also carried out on the initiative of the teams or the DPD himself as part of the review documentary, the co-signing of contracts relating to data protection, the design of control projects, assistance to internal teams in carrying out analyzes impact and the participation of the DPO in the executive committee as a permanent guest. 46. The restricted formation takes note of the establishment by the control of a process internal formalization and documentation of the involvement of the new internal DPO in matters relating to data protection. If these measures should facilitate the association of the DPD internal to all matters relating to data protection, it is nevertheless advisable to note that these were decided during the investigation. ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° […] carried out with the public establishment A 12/3347. Indeed, as explained on page 2 of the statement of objections, '[t] he facts taken into account account in the context of this [statement of objections] are those noted at the beginning of investigation. Subsequent changes, even if they ultimately allow to establish the compliance of the controller, do not allow the cancellation of a breach found. " 48. The restricted panel is of the opinion that the test did not sufficiently demonstrate the association of the external DPO, depending at the start of the investigation, in an appropriate manner and in timely in all matters relating to data protection. 49. Consequently, the restricted panel agrees with the finding of the head of the investigation that, at the start of the investigation, the controller was not able to demonstrate that the External DPD was appropriately involved in all matters relating to protection personal data. 50. In view of the above, the restricted panel concludes that Article 38.1 of the GDPR has no not respected. D. On the breach relating to the DPO's control mission 1. On the principles 51. According to Article 39.1 b) of the GDPR, the DPO has, among others, the task of "monitoring compliance of this Regulation, other provisions of Union law or the law of the Member States in data protection and internal rules of the controller or of the processor in the protection of personal data, including concerns the distribution of responsibilities, awareness and training of staff participating in processing operations, and related audits ". Recital (97) specifies that the DPO should help the organization verify internal compliance with the GDPR. ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 13/33 15 52. It follows from the guidelines concerning DPOs that the DPO may, within the framework of its control tasks, in particular: - collect information to identify processing activities; - analyze and verify the compliance of processing activities; - inform and advise the controller or the processor and formulate recommendations to him. 2. In this case 53. It emerges from the audit report that, in order for it to be able to consider objective 10 as fulfilled by the control as part of this audit campaign, the head of the investigation expects that "The organization has a formalized data protection control plan (even if it is not yet executed) ". 54. According to the statement of objections, page 5, "it emerged from the investigation that the body did not has no formalized controls specific to data protection. In a logic day-to-day management of data protection, and given the volume of data processed and the sensitivity of some of these data (see preliminary remarks), it is whereas the DPD's control missions are better formalized, for example with the establishment of a control plan ". 55. In its position paper of September 14, 2020, the inspected indicates that the verification of the compliance of the controller with the GDPR is ensured through the implementation of following means: - the legal review of the processing register controlled by a law firm specialists in data protection, from January to October 2019, - an internal audit subcontracted to an audit firm covering organizational aspects, - an external audit carried out by an audit firm, in order to assess the compliance of the control […]. 15WP 243 v.01, version revised and adopted on April 5, 2017, page 20 ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 14/3356. The restricted committee notes that article 39.1 of the GDPR lists the missions that the DPD must at least be entrusted with the task of monitoring compliance with the GDPR, without however require the body to put in place specific measures to ensure that the DPO can accomplish its control mission. The DPO guidelines indicate in particular that the keeping of the register of processing activities referred to in Article 30 of the GDPR may be entrusted to the DPO and that "this register must be considered as one of the tools allowing the DPO to carry out its tasks of monitoring compliance with the GDPR, as well as informing and advising the controller and processor ”.6 57. In addition, the restricted formation notes that it is rightly specified on page 2 of the statement of objections (under "preliminary remarks") that "the requirements of the GDPR do not are not always strictly defined. In such a situation, it is up to the supervisory authorities to verify the proportionality of the measures put in place by the data controllers in the with regard to the sensitivity of the data processed and the risks incurred by individuals concerned ”. 58. In this context, the restricted training is of the opinion that it is possible for an organization to use external service providers to verify its compliance with the GDPR. However, this call to external service providers must be formalized, and this must not result in completely withdraw this mission from the function of DPD. Indeed, the organization's DPO must complete its role of monitoring compliance with the GDPR by participating in the formalization of a control plan and by being associated with the exercise of said control by external service providers, in particular by accompanying the work carried out, to then be able to complete with knowledge of causes its advisory and information mission in accordance with Article 39.1 a) of the GDPR. 59. In the present case, the inspected did not demonstrate that, at the start of the investigation, a monitoring plan compliance with the GDPR would have been formalized or that the external DPO then in office was associated with the control carried out by external service providers. Therefore, the restricted formation is of opinion that the inspected does not sufficiently demonstrate that the external DPO in office at the start of the the investigation fulfilled this monitoring mission expected by Article 39.1 b) of the GDPR. 16 WP 243 v.01, version revised and adopted on April 5, 2017, page 22 ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 15/3360. In view of the above, the restricted panel concludes that Article 39.1 b) of the GDPR has no not respected by the inspected. E. On the failure to provide the necessary resources to the DPO 1. On the principles 61. Article 38.2 of the GDPR requires the organization to help its DPO "to carry out the tasks referred to in Article 39 by providing the necessary resources to carry out these missions, as well that access to personal data and processing operations, and allowing it maintain their specialized knowledge ". 62. It follows from the guidelines on DPOs that the following aspects must be 17 in particular to be taken into consideration: - "sufficient time for the DPOs to be able to accomplish their tasks." This aspect is particularly important when an internal DPO is appointed part-time or when the external DPO is responsible for data protection in addition to other tasks. Otherwise, conflicting priorities could lead to the DPO's tasks being neglected. It is essential that the DPO is able to devote sufficient time to his missions. It is good practice to set a percentage of time devoted to the function of DPD when this function is not occupied full time. It is also of good practice of determining the time required to perform the function and the level of appropriate priority for the tasks of the DPO, and that the DPO (or the body) establish a workplan ; - necessary access to other services, such as human resources, service legal, IT, security, etc., so that DPOs can receive the support, contributions and essential information of these other services ”. 17 WP 243 v.01, version revised and adopted on April 5, 2017, page 17 ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 16/3363. The DPO guidelines state that "[d] in general, more the processing operations are complex or sensitive, plus the resources allocated to the DPO should be significant. The data protection function must be effective and equipped with adequate resources with regard to the data processing carried out ”. 2. In this case 64. It emerges from the audit report that in view of the size of the organizations selected under of this audit campaign, so that the head of the survey considers objective 6 as fulfilled by the controlled, he expects the controlled to have at least one FTE (full-time equivalent) for the data protection team. The investigator also expects the DPO has the possibility to rely on other services, such as the legal service, IT, security, etc. 65. According to the audit report, the external DPO in office at the start of the investigation had a role essentially "reactive". The hour records of this one oscillate between 8 p.m. and 108 hours per month, i.e. between 0.125 FTE and 0.7 FTE. 66. The monthly breakdown of these hours worked by the external DPO is detailed in the report of the on-site visit of May 27, 2019, page 2, as follows: 8 p.m. September 2018, 53 hours in October 2018, 57.2 hours in November 2018, 50.4 hours in December 2018, 122.2 hours in January 2019, 103.9 hours in February 2019 and 108.6 hours in March 2019. The restricted formation notes that this makes an average of 73.6 hours worked per month over this 7-month period, i.e. an average monthly FTE of 0.46. 67. In view of these elements, the restricted committee understands that the external DPO has started working hours as part of his assignments only from September 2018. In addition, most of his hours were worked between January and March 2019. 68. However, the restricted committee recalls that the GDPR entered into force on May 25, 2018. It was therefore from May 2018 that the audited body had the obligation to comply with the GDPR by designating a DPO exercising his function effectively and efficiently. ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° […] carried out with the public establishment A 17/3369. The audit report indicates that the new internal DPO estimated his time more than 70% of work on data protection issues compared to all its tasks. It is also specified that legal support by an external firm has been obtained at the rate of one day a week, the sole legal competence of the inspected cannot provide only limited support for the internal DPO. The inspected also benefited from assistance by a audit firm in the conduct of the audited "GDPR" roadmap. 70. In the statement of objections, page 4, the head of the investigation states that "given the existence of complex or sensitive processing operations (see preliminary remarks), a high level of resources is expected ”. However, the head of the investigation noted that "the new DPD [internal], who also holds the function of manager […] for [the inspected], assessed more than 70% of the time devoted to his duties as DPO "and that" the controller was not able to demonstrate the accomplishment of the control missions. This finding is likely to highlight an inadequacy between resources and means made available to the DPO and the needs of the controller ”. 71. In his position paper of September 14, 2020, the inspected indicates that the new DPO internal, also responsible […] at the time of his appointment, is now Head of Compliance […], assisted by four other people for the management of responsibilities related to compliance and risk management. According to the screening, the presence of these four other people allows the Head of Compliance […] to concentrate on the functions of DPD. 72. In addition, to enable the Head of Compliance [...] to take on the role of internal DPO, the inspected person has made available a budget allowing them to resort to external legal support and adequate technique. 73. Finally, as noted in point 55 of this decision, the inspected indicates in its decision position of September 14, 2020, that the mission of monitoring compliance with the GDPR by the inspected is carried out with the help of external providers such as audit firms and lawyers specialized. The controlled is of the opinion that the control mission provided for in Article 39.1 b) of the GDPR is ensured and therefore that the resources and means provided for the purpose of such control are adequate to the needs of the controlled. ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° […] carried out with the public establishment A 18/3374. The restricted formation recalls that, as was indicated in the communication of the objections, page 2, and already noted in point 21 of this decision, “[t] he facts taken into account in the context of this [investigation] are those observed at the start of the investigation. The subsequent modifications, even if they ultimately allow the compliance of the controller, do not allow the cancellation of a breach found. " 75. In addition, the restricted panel agrees with the findings of the head of the investigation that "Given the existence of complex or sensitive processing operations (see remarks preliminary), a high level of resources is expected ”and that“ the person responsible for processing was not able to demonstrate the accomplishment of the control tasks. This finding is likely to highlight a mismatch between the resources and means made available to the DPO and the needs of the controller ”. 76. Consequently, the restricted committee is of the opinion that the inspected could not demonstrate adequately that the inspector has provided the external DPO in office at the start of the investigation with the resources necessary to enable it to carry out its missions. 77. In view of the above, the restricted panel concludes that Article 38.2 of the GDPR has no not respected by the inspected. F. On the breach of the obligation to ensure that the other missions and tasks of the DPO do not give rise to a conflict of interest 1. On the principles 78. According to Article 38.6 of the GDPR, “[the DPO] may perform other tasks and tasks. the controller or processor ensures that these assignments and tasks do not entail no conflict of interest ". ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 19/33 18 79. The DPO guidelines specify that “the DPO may not exercise at within the body a function which leads it to determine the purposes and means of processing of personal data ”. According to the guidelines, “as a general rule, among functions likely to give rise to a conflict of interest within the organization may appear senior management functions (for example: general manager, operational manager, Chief Financial Officer, Chief Medical Officer, Head of Marketing Department, Head of human resources or IT department manager), but also other roles in a lower level of the organizational structure if these functions or roles involve the determination of the purposes and means of processing. In addition, there may also be conflicts of interest, for example, if an external DPO is called upon to represent the person responsible for processing or subcontractor in court in matters relating to matters related to data protection. Depending on the activities, size and structure of the organization, it can be good practice for data controllers or processors: identify the functions which would be incompatible with that of DPD; establish internal rules for this purpose, in order to avoid conflicts of interest; include a more general explanation of conflicts of interest; to declare that the DPO has no conflict of interest with regard to his function as DPD, with the aim of raising awareness of this requirement; to provide guarantees in the internal regulations of the body, and to ensure that the vacancy notice for the DPD function or the service contract is sufficiently precise and detailed to avoid any conflict of interest. In this context, it is also appropriate to keep in mind that conflicts of interest can take different forms depending on whether the DPD is recruited internally or externally ". 2. In this case 80. It follows from the audit report that, in order for the head of investigation to consider objective 5 as reached by the inspected as part of this audit campaign, he expects that, in the event where the DPO performs other functions within the audited body, these functions do not entail 18WP 243 v.01, version revised and adopted on April 5, 2017, pages 19-20 ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 20/33 no conflict of interest in particular through the exercise of functions which would lead the DPO to determine the purposes and means of the processing of personal data. The head of the investigation also expects the auditee to have carried out an analysis as to the existence of a possible conflict of interest at the level of the DPO. 81. According to the statement of objections, page 5, "[t] he DPO who was in office at the start of the audit was external and lawyer. There is a principle of managing conflicts of interest. " 82. The new DPO then appointed internally also exercised the function of responsible […]. The statement of objections notes that "possible conflicts of interest are likely to exist in view of the tasks performed for the two positions. Based on DPD comments dated 12/08/2019, there is a policy of management of potential conflicts of interest. However, the analysis of conflicts of interest between two functions performed by the same person within the same [public institution] is not planned. There is therefore no analysis of potential conflicts of interest between the function of DPD and that of responsible […]. Based on the DPD's comments dated 12/08/2019, the [controlled] will ensure that the various function sheets concerning the management of aspects are clarified. related to data protection in order to distinguish more clearly between authorities, responsibilities and missions ”. 83. In his position paper of September 14, 2020, the inspected indicates that the internal DPO is now Head of Compliance […] of the organization. It also specifies that the Head of Compliance and Risk Manager functions have been modified to include more clearly the responsibilities and missions related to data protection. 84. The controlled conflict of interest policy was also updated in July 2020, in order to introduce an obligation to analyze the risks of conflict of interest in the presence of a accumulation of functions and have them arbitrated by the Controlled Board of Directors. 85. The controlled also maintains that the outsourcing of several aspects of the control of the compliance implemented to date allows the inspectorate to rule out the risk of conflicts interests in the control of management-related processes […]. Indeed, several aspects ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 21/33 of the control of the conformity of the treatments of the controlled (in particular those implemented in as part of the exercise of the Compliance function) have been entrusted to external service providers, as raised in point 55 of this decision. 86. By email dated June 17, 2021, the inspector sent the restricted formation the conflict of interest policy as updated in July 2020. 87. The restricted committee recalls that, as indicated on page 2 of the statement of objections and already noted in point 33 of this decision, '[t] he facts taken into account taken into account in this [investigation] are those noted at the start of the investigation ". 88. The restricted committee notes that, at the start of the investigation, the DPO in office was a DPO external who practiced the profession of lawyer within the Luxembourg Bar. The principles ethics to which lawyers of the Luxembourg Bar are subject include the principle according to which a lawyer cannot represent or assist parties with interests opposing parties, nor representing or assisting a client in the event of a conflict with the personal interests of 19 the lawyer himself. This ethical principle is applicable to any lawyer registered with the Bar of Luxembourg under the amended law of August 10, 1991 on the profession of lawyer and the Rules Interior of the Luxembourg Bar Association as adopted by the Bar Council dated January 10, 2013, without there being any obligation on the part of customers to verify the good respect by the lawyer of this principle. 89. Therefore, the CNPD is of the opinion that it was not the responsibility of the data controller check with their external DPO to ensure there is no conflict of potential interests with other clients and / or subcontractors of the controlled, but on the contrary, this obligation fell to the external DPO in application of the amended law of 10 August 1991 on the profession of lawyer and ethical rules. 90. In view of the foregoing, the restricted panel concludes that there is no reason to retain a breach of Article 38.6 of the GDPR. 19 Luxembourg Bar website, The legal profession, The deon https://www.barreau.lu/le-metier-d- lawyer / deontology ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 22/33 III. On corrective measures and the fine A. Principles 91. In accordance with article 12 of the law of 1 August 2018 on the organization of National Commission for Data Protection and the General Data Protection Regime data, the National Commission has the powers provided for in Article 58.2 of the GDPR: a) "notify a controller or processor that the planned processing operations are likely to violate the provisions of these regulations; b) call a controller or a processor to order when the processing operations have resulted in a violation of the provisions of this regulation; c) order the controller or processor to comply with the requests made by the data subject to exercise their rights in application of these regulations; d) order the controller or processor to put the processing operations in accordance with the provisions of this Regulation, where appropriate, in a specific manner and within a specified timeframe; e) order the controller to communicate to the data subject a personal data breach; f) impose a temporary or permanent limitation, including a ban, on the processing ; g) order the rectification or erasure of personal data or the restriction of processing in application of Articles 16, 17 and 18 and the notification of ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 23/33 these measures to the recipients to whom the personal data have has been disclosed in accordance with Article 17 (2) and Article 19; h) withdraw a certification or order the certification body to withdraw a certification issued in application of Articles 42 and 43, or order the body certification not to issue certification if the requirements applicable to the certification are not or no longer satisfied; i) impose an administrative fine in application of Article 83, in addition or instead of the measures referred to in this paragraph, depending on the characteristics specific to each case; j) order the suspension of data flows addressed to a recipient located in a third country or an international organization. " 92. Article 83 of the GDPR provides that each supervisory authority ensures that fines administrative requirements are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account in deciding whether to impose an administrative fine and to decide on the amount of this fine: a) "the nature, gravity and duration of the violation, taking into account the nature, scope or purpose of the processing concerned, as well as the number of people affected parties and the level of damage they suffered; (b) whether the violation was committed willfully or negligently; c) any action taken by the controller or processor to mitigate the damage suffered by the persons concerned; d) the degree of responsibility of the controller or processor, given the technical and organizational measures they have implemented work under Articles 25 and 32; ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 24/33 e) any relevant breach previously committed by the person responsible for the processing or subcontractor; f) the degree of cooperation established with the supervisory authority in order to remedy the violation and mitigate any negative effects; g) the categories of personal data affected by the breach; h) the manner in which the supervisory authority became aware of the violation, in particular whether, and to what extent, the controller or processor has notified the violation ; (i) where measures referred to in Article 58 (2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with these measures; j) the application of codes of conduct approved under Article 40 or certification mechanisms approved under Article 42; and k) any other aggravating or mitigating circumstance applicable to the circumstances of the species, such as the financial benefits obtained or the losses avoided, directly or indirectly, as a result of the violation ”. 93. The restricted panel would like to point out that the facts taken into account in the context of the this decision are those noted at the start of the investigation. Any modifications relating to the subject of the investigation carried out subsequently, even if they make it possible to establish fully or partially compliance, do not allow retroactive cancellation of a breach noted. 94. Nevertheless, the steps taken by the inspected to comply with the GDPR during the investigation procedure or to remedy the shortcomings identified by the head of investigation in the statement of objections are taken into account by the restricted committee as part of any corrective measures and / or setting the amount of a possible administrative fine to be pronounced. ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° […] carried out with the public establishment A 25/33 B. In the present case 1. As to the imposition of an administrative fine 95. In his additional letter to the statement of objections of 10 August 2020, Chief of investigation proposes to the restricted formation to pronounce a fine against the controlled person administrative relating to the amount of 27,100 euros. 96. In order to decide whether to impose an administrative fine and to decide, if of the amount of this fine, the restricted committee analyzes the criteria set by Article 83.2 of the GDPR: - As to the nature and seriousness of the violation [article 83.2 a) of the GDPR], with regard to breaches of articles 37.7, 38.1, 38.2 and 39.1 b) of the GDPR, restricted training notes that the appointment of a DPO by an organization cannot be efficient and effective, namely to facilitate compliance with the GDPR by the body, only in the case where people concerned have the possibility of easily finding the contact details of the DPO to exercise their data protection rights, as well as in the event that the DPO has the resources necessary for the performance of its missions, is associated with all questions relating to data protection and effectively carries out its missions, including the task of monitoring compliance with the GDPR. - As for the duration criterion [article 83.2 a) of the GDPR], the restricted committee notes that: (1) the inspected modified its website during the investigation in order to to make the DPD's contact details more easily accessible to people concerned. In particular, a translation into French and German has been added to the website of the auditee in August 2019. The breach of Article 37.7 of the GDPR therefore lasted over time, at least between May 25, 2018 and August 2019. (2) the inspected informed the CNPD, in its position paper of September 14, 2020, of the establishment of an internal process of formalization and documentation of ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 26/33 the involvement of the new internal DPO in matters relating to the protection of data ([…]) from October 17, 2019. These measures have nevertheless been decided under investigation. The breach of Article 38.1 of the GDPR therefore lasted in the time, at a minimum between May 25, 2018 to October 19, 2019. (3) it has not been demonstrated by the inspectorate that the external DPO in office at the time of the opening of the investigation had the necessary resources to carry out its missions and that, according to the audit report, the new internal DPO estimates his time of work on data protection issues at around 70% compared to his other tasks. The breach of Article 38.2 of the GDPR therefore lasted in the time, from May 25, 2018, it being specified that the restricted training was not able to find that the breach has ended. (4) it was not demonstrated by the inspector that both the external DPO in office at the start of the investigation that the new internal DPO fulfilled their mission of monitoring compliance of the organization with the GDPR as part of their daily functions, the controlled having chosen to use external service providers, without demonstrated the involvement of external and internal DPOs in the organization of control. The breach of Article 39.1 b) of the GDPR therefore lasted over time, from May 25, 2018, it being specified that the restricted formation was not able to observe that the breach has ceased. - as to the degree of cooperation established with the supervisory authority [Article 83.2 f) of the GDPR], the restricted training takes into account the assertion by the head of the investigation that the Controlled demonstrated constructive participation throughout the investigation. - as regards the categories of personal data affected by the violation [article 83.2 g) of the GDPR], the restricted training takes into account the fact that the inspected processes special categories of personal data […]. ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 27/3397. The restricted committee notes that the other criteria of Article 83.2 of the GDPR are not neither relevant nor likely to influence his decision on whether to impose a fine administrative and its amount. 98. The restricted committee notes that although several measures have been decided by the inspected in order to remedy in whole or in part certain shortcomings, it was decided only to following the launch of the investigation by CNPD agents on September 17, 2018 (see also point 93 of this decision). 99. Therefore, the restricted panel considers that the pronouncement of an administrative fine is justified with regard to the criteria set out in article 83.2 of the GDPR for breaches of articles 37.7, 38.1, 38.2 and 39.1 b) of the GDPR. 100. Regarding the amount of the administrative fine, the restricted panel recalls that Article 83.3 of the GDPR provides that in the event of multiple violations, as is the case here, the total amount of the fine cannot exceed the amount set for the most serious violation. In the extent to which a breach of Articles 37.7, 38.1, 38.2 and 39.1 b) of the GDPR is alleged against the controlled, the maximum amount of the fine that can be withheld is 10 million euros or 2% of worldwide annual revenue, whichever is greater. 101. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the training Restricted considers that the imposition of a fine of 18,000 euros appears to be both effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR. 2. Regarding the taking of corrective measures 102. In his additional letter to the statement of objections of 10 August 2020, Chief investigation suggests that the restricted group take the following corrective measures: "A) Order the implementation of measures enabling the DPO (or a" Data Protection "dedicated) to acquire sufficient expertise adapted to the needs of the data protection controller in accordance with provisions of Article 37, paragraph (5) of the GDPR and the guidelines on DPD of the "Article 29" working group on data protection which specifies that the ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey no. [...] carried out with public establishment A 28/33 DPD's level of expertise must be proportionate to the sensitivity, complexity and volume of data processed by the organization. Although several ways can be envisaged to achieve this result, one of the possibilities could be to provide a formal internal or external support in terms of IT skills for your DPO, and enroll in accelerated / intensive training in the protection of data. The measures mentioned by the controller during the audit, such as that access to external expertise for any legal assistance need, should be maintained, or even reinforced, in view of the sensitivity of the data processed; b) Order the implementation of measures ensuring the formalized and documented association of the DPO in all matters relating to data protection in accordance with the requirements of Article 38 (1) of the GDPR and of the principle of "accountability". Well that several ways can be envisaged to achieve this result, one of the possibilities could be to analyze, with the DPO, all committees / working groups relevant with regard to data protection and to formalize the terms of its intervention (previous information from the meeting agenda, invitation, frequency, status permanent member, etc.); c) Order the implementation of measures guaranteeing the necessary resources for DPD in accordance with the requirements of Article 38 paragraph 2 of the GDPR. Although several ways can be envisaged to achieve this result, one of the possibilities could be to relieve the DPO of all or part of his other missions / functions or to provide support, internally or externally, with regard to the exercise of his DPD missions; d) Order the implementation of measures ensuring that the various missions and tasks, current or past, of the person exercising the function of DPO do not lead to conflicts of interest in accordance with the requirements of Article 38 (6) of the GDPR. Although several ways can be implemented, one of the possibilities would be the involvement of a third party with the necessary skills; for the review of treatments for which there is a risk of conflict of interest (review of the ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 29/33 risk management, review of the processes concerning the various treatments present, review of job descriptions and / or job descriptions, etc.); e) Order the formal and documented deployment of the DPD's control mission in accordance with Article 39 paragraph 1 b) of the GDPR and the principle of "accountability". The DPO must exercise his control duties, in accordance with Article 39 paragraph 1 b) of the GDPR. Although several ways can be considered to achieve this result, the DPO should always document his controls on the application of the rules and internal data protection procedures (second line of defense). This documentation could take the form of a monitoring plan followed by reports. " 103. As to the corrective measures proposed by the head of the investigation and by reference to point 102 of this decision, the restricted committee takes into account the steps taken by the inspected in order to comply with the provisions of articles 37.5, 38.1, 38.2, 38.6 and 39.1 b) of the GDPR, in particular the measures described in his letter of September 14, 2020. More in particular, it takes note of the following facts: - With regard to compliance by the inspectorate with article 37.5 of the GDPR, training restricted notes that, following the appointment of the new internal DPO, he followed several training courses in data protection so that he has sufficient expertise to perform its duties. However, as has been noted in point 35 of this decision, the restricted committee considers that there is no to retain a breach of Article 37.5 of the GDPR with regard to the situation of the inspected at the start of the investigation. Consequently, the restricted committee does not pronounce the measure corrective as proposed by the head of the survey and repeated under a) of point 102 of the this decision. - With regard to the violation of article 38.1 of the GDPR, the inspector indicates in his letter of September 14, 2020 that an internal process of formalization and documentation the involvement of the new internal DPO in matters relating to the protection of data […]) was put in place by the inspected. The restricted formation considers from ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the investigation no. [...] carried out with the public establishment A 30/33 when there is no need to pronounce the corrective measure proposed by the head of the investigation and repeated under b) of point 102 of this decision. - With regard to the violation of Article 38.2 of the GDPR, the internal DPO currently in function estimated its working time on data protection issues at about 70% compared to his other tasks. Given the fact that the inspected is processing a substantial amount of data, the degree of sensitivity of which may be relatively high, the limited training considers that the DPO should have more resources for the performance of its missions. The restricted formation therefore considers that it is necessary to pronounce the corrective measure proposed by the head of the investigation and repeated under c) of point 102 of this decision. - With regard to the body's compliance with article 38.6 of the GDPR, training restricted considers that the inspected has not demonstrated that, despite the combination of functions internal DPD and Head of Compliance […], sufficient internal measures would have were taken to prevent the DPO from having to comment on treatments which he would have helped to determine the purposes and means. However, like this was noted in point 90 of this decision, the restricted panel considers that there is there is no reason to retain a breach of Article 38.6 of the GDPR with regard to the situation of the checked at the start of the investigation. Consequently, the restricted formation does not pronounce the corrective measure as proposed by the head of the investigation and repeated under d) of point 102 of this decision. - With regard to the violation of Article 39.1 b) of the GDPR, the restricted training is of opinion that the inspected did not demonstrate that the DPO currently in office fulfills his mission of monitoring compliance with the GDPR by the inspected, the latter having chosen to do call on external service providers to ensure this control, without any proof the involvement of the new internal DPO in the organization of this control work. The restricted training therefore considers that the corrective measure should be taken proposed by the head of the investigation and repeated under e) of point 102 of this decision. ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey no. restricted formation and deliberating unanimously decides: - to retain the breaches of articles 37.7, 38.1, 38.2 and 39.1 b) of the GDPR; - to pronounce against the public establishment A an administrative fine of one amount of eighteen thousand euros (18,000 euros) with regard to the violation of Articles 37.7, 38.1, 38.2 and 39.1 b) of the GDPR; - to issue an injunction against the public establishment compliance with Article 38.2 of the GDPR within six months of notification of the decision of the restricted committee, in particular: ensure that the DPO has the necessary resources for the exercise of his missions; - to issue an injunction against the public establishment compliance with Article 39.1 b) of the GDPR, within six months of notification of the decision of the restricted committee, in particular: ensure the formal and documented deployment of the DPD's control mission. So decided in Belvaux, on October 15, 2021. The National Commission for Data Protection sitting in a restricted body Tine A. Larsen Thierry Lallemang Marc Lemmer President Commissioner Commissioner ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 32/33 Indication of remedies This administrative decision may be the subject of an appeal for reformation within three months following its notification. This appeal is to be brought before the administrative tribunal and must must be introduced through a lawyer at the Court of one of the Bar Associations. ______________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the public establishment A 33/33