CNPD (Luxembourg) - Délibération n° 36FR/2021

From GDPRhub
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 38(1) GDPR
Article 39(1)(b) GDPR
Article 83(2) GDPR
Article 83(3) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.10.2021
Published: 02.11.2021
Fine: 13200 EUR
Parties: n/a
National Case Number/Name: Délibération n° 36FR/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Délibération n° 36FR/2021 (in FR)
Initial Contributor: Matthias Smet

As a result of an audit on the subject of 'the role of the DPO', initiated by the Luxembourg DPA, a number of violations were identified. The DPA imposed a fine of 13,200 euros. In determining the sanction, the DPA took into account the steps the company took, between the start of the audit and the DPA's decision, to align with the legislation and guidelines on the function of the DPO.

English Summary

Facts

Given the impact of the DPO's role and the importance of its integration within the organisation, the Luxembourg DPA launched a research campaign on the DPO's function, defining 11 audit objectives. As part of this campaign, the DPA carried out 28 audits.

During the audit at Company A, violations were found regarding:

a) the obligation to appoint the DPO on the basis of his professional qualities (Article 37.5 GDPR)

Objective met if...: the DPO has at least three years of professional data protection experience.

The audit found that the DPO did not have any particular expertise in the protection of information at the time of his appointment. The main criterion for his appointment as DPO was his position of "Chief Compliance & Legal Officer".

In response, Company A sent additional documents to the DPA proving that the DPO had more than three years of professional experience in the field of data protection at the time the investigation was initiated.

b) the obligation to involve the DPO in all matters related to the protection of personal data (Article 38.1 GDPR)

Objective met if...: The DPO is expected to participate formally and on a specified frequency in the executive committee, project coordination committees, new product committees, security committees or any other committee deemed useful in the context of data protection.

The audit shows that this was not foreseen in the company's procedures. Company A took steps to formalise the involvement and presence of the DPO in the structural consultative bodies through internal procedures and policies, as a measure to bring itself in line with the legislation and the guidelines of the WP29.

c) the obligation to provide the DPO with the necessary resources (Article 38.2 GDPR)

Objective met if...: at least one FTE (full-time equivalent) is allocated to the data protection team, and the DPO is able to rely on other services, such as the legal department, IT, security, etc.

During the audit, it was found that the resources allocated to the data protection team were approximately 0.7 FTE, while the target is at least one FTE. In addition, the time allocated to the DPO for data protection tasks was not defined. Company A communicated that management had decided that the DPO would carry out his duties on a full-time basis (one FTE).

d) the control power of the DPO (Article 39.1 GDPR)

Objective met if...: the organisation has a formalized data protection control plan

The audit shows that the organisation already has some specific procedures in place (e.g. the execution of data subject requests), but does not have a 'plan of control' in place. Company A disclosed documents to show that internal processes regarding the processing of personal data are in place and reviewed frequently.

Holding

Although the audit resulted in the identification of four data protection violations, and the head of investigation proposed to impose a sanction based on all four, the DPA only identified two breaches in its decision. The DPA also took into account the steps already taken by the organisation to comply with Articles 38.1 GDPR and 39.1(b) GDPR.

Therefore, the DPA considers that there is no need to impose additional corrective measures.

Nevertheless, the DPA notes that these measures were taken after the start of the investigation, and therefore considers that, at the start of the investigation, Articles 38.1 GDPR and 39.1(b) GDPR had been infringed. The DPA therefore imposed a fine of 13,200 euros on Company A.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation N° 36FR/2021 of October 13, 2021 - fine (published 02/11/2021): Thematic survey campaign on the function of the data protection officer.

The full decision is available from the CNPD as a PDF (747 KB).