CNPD (Luxembourg) - Délibération 41FR/2021

From GDPRhub

In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the role of the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular [[Article 37 GDPR|Article 37 GDPR]] to [[Article 39 GDPR|Article 39 GDPR]]).
  
One of these audit proceedings concerned a Luxembourg private company (hereafter, the controller). During the audit, the DPA's head of investigation found that:
  
# the controller had failed to publish the contact details of its DPO in breach of [[Article 37 GDPR#7|Article 37(7) GDPR]];
# the controller had failed to ensure that the DPO was involved, properly and in a timely manner, in all issues which relate to the protection of personal data, in breach of [[Article 38 GDPR#1|Article 38(1) GDPR]];
# the controller had failed to ensure that the DPO could fulfill their mission with a sufficient degree of autonomy, in breach of [[Article 38 GDPR#3|Article 38(3) GDPR]];
# the controller had failed to ensure that the DPO could properly monitor the compliance of the controller's data processing practices with the GDPR, in breach of [[Article 39 GDPR#1b|Article 39(1)(b) GDPR]].
  
In their audit report, the head of investigation therefore recommended that the DPA impose a fine of €18,700 on the controller and issue an injunction against the controller to bring its practices into compliance with the GDPR.
  
 
=== Holding ===
Following the audit and the report from the head of investigation, the DPA found that the controller had been in breach of four distinct obligations relating to the DPO under the GDPR, as specified below.
  
Regarding the breach of [[Article 37 GDPR#7|Article 37(7) GDPR]], the DPA noted that the controller's public website did not provide the direct contact details of the DPO. In case of questions or requests from data subjects, the website only provided a general online contact form, a postal address, or a telephone number. Based on these facts, the DPA found that data subjects were not able to contact the DPO directly (but only indirectly, via other services within the controller). In the course of the proceedings, the controller remedied that breach by adding the contact details of the DPO to its online data protection notice (in particular, in the section on the rights of data subjects). The DPA nevertheless found that, at the time of the audit, there had been a breach of [[Article 37 GDPR#7|Article 37(7) GDPR]].
  
Regarding the breach of [[Article 38 GDPR#1|Article 38(1) GDPR]], the DPA considered that the DPO had not been sufficiently involved in all issues relating to data protection law. In particular, the audit report pointed to the fact that the DPO was only involved in various internal meetings or committees upon invitation or on an ad hoc basis, and that there was no defined rule or frequency for the involvement of the DPO in these committees. In the course of the investigation, the controller implemented new procedures according to which the DPO would become a permanent member of, or would be regularly involved in, various committee meetings. Although welcoming these new measures, the DPA nevertheless concluded that the controller had been in breach of [[Article 38 GDPR#1|Article 38(1) GDPR]] prior to these changes.
  
Regarding the breach of [[Article 38 GDPR#3|Article 38(3) GDPR]], the audit report pointed to the existence of several hierarchical intermediaries between the DPO and the highest level of management within the controller. Based on these facts, the DPA found that the DPO could not directly report to the highest management level of the controller, and did not have a sufficient degree of autonomy and independence, as normally required by [[Article 38 GDPR#3|Article 38(3) GDPR]].
  
Regarding the breach of [[Article 39 GDPR#1b|Article 39(1)(b) GDPR]], the audit report pointed to the absence of any monitoring plan or procedures that would formalize and ensure that the DPO is able to duly monitor the compliance of the controller's data processing practices with the GDPR. The controller explained that monitoring procedures had been developed and finalised in December 2019 and were to be implemented in 2020. However, because no such control plan or monitoring procedures had been put in place at the time the investigation was initiated, the DPA concluded that the controller had breached [[Article 39 GDPR#1b|Article 39(1)(b) GDPR]].
  
For all these reasons, the DPA issued an injunction against the controller to bring its practices into compliance with the GDPR for the remaining breaches (within a deadline of 4 months from the date of the decision), and also imposed an administrative fine of €18,700 on the controller.
  
 
== Comment ==
