CNPD (Luxembourg) - Délibération n°18FR/2021

From GDPRhub
CNPD (Luxembourg) - Délibération n°18FR/2021
LogoLU.png
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 38(1) GDPR
Article 38(2) GDPR
Article 39(1) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 31.05.2021
Published: 14.06.2021
Fine: 18000
Parties: n/a
National Case Number/Name: Délibération n°18FR/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNPD (in FR)
Initial Contributor: n/a

The Luxembourg DPA fined a controller €18,000 for not providing their DPO with the necessary resources and organizational framework to appropriately carry out their tasks.

English Summary[edit | edit source]

Facts[edit | edit source]

The Luxembourg DPA (CNPD) launched an investigation on a group of companies with a subsidiary based in Luxembourg (Company A).

The central headquarters had a privacy office, while the Luxembourg subsidiary had a sole data protection lawyer. The group of companies had appointed a single Group DPO to handle the data protection matters of both the central company and the Luxembourg subsidiary. The local data protection lawyer was the single point of contact of the DPO with the Company A.

Holding[edit | edit source]

The CNPD determined that even if the DPO was participating in numerous meetings at a group level and regularly organized meetings with its local points of contact, that was not sufficient to demonstrate the direct, formal and permanent involvement of the DPO in Luxembourg.

The Group DPO received a monthly report from the local contact point relating to data protection issues (number of requests to exercise rights or complaints, possible impact analyzes etc.). The DPO was also systematically informed and consulted by the local contact point in case of security incidents likely to involve personal data and create a risk for the people concerned.

However, the DPA considered that such elements could not compensate for the absence of direct involvement of the Group DPO within Company A, which could create the risk that the DPO was not sufficiently involved at operational level in Luxembourg, being therefore in breach of Article 38(1) GDPR, as the DPO must involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

There were not any measures to address that risk, such as for example regular visits of the Group DPO to Company A, that would allow the DPO to be able to discuss data protection issues and related operational issues directly with the management of the company.

There was no direct feedback of information from the Group DPO to the local department either. There are several levels of reporting, but the DPA considered that it was not sufficient to compensate for the lack of direct reporting from the DPO to the data controller in Luxembourg.

All questions relating to the protection of personal data that arose at the control level were received and first analyzed by the local point of contact who afterwards assessed the issue and contacted the Group DPO when they deemed it necessary. Therefore, the DPO was not informed and above all not consulted from the earliest stage possible of all matters relating to data protection.

Hence, a breach of Article 38(2) was also found, since the DPO was nor provided the resources necessary to carry out those tasks and access to personal data and processing operations.

This also led to a breach of Article 39(1)(a), due to the lack of direct feedback.

Additionally, during the course of the proceedings, the Company A appointed a new DPO. The DPA remarked that it must ensure that the newly appointed DPO is effectively involved in all matters relating to data protection.

For these violations, the DPA fined the controller €18,000. The DPA took into account the will to cooperate of the company.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

   Decision of the National Commission sitting in restricted formation

                 on the outcome of survey No. [...] conducted among

                                        Company A

                          Deliberation n ° 18FR / 2021 of May 31, 2021



The National Commission for Data Protection sitting in a restricted body,

composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc
Lemmer, commissioners;



Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on

the protection of individuals with regard to the processing of personal data
personnel and the free movement of such data, and repealing Directive 95/46 / EC;


             er
Having regard to the law of 1 August 2018 on the organization of the National Commission for the Protection

data and the general data protection regime, in particular Article 41 thereof;


Having regard to the internal regulations of the National Commission for Data Protection

adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular its article 10.2;


Having regard to the regulation of the National Commission for Data Protection relating to

investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular

its article 9;


Considering the following:



















________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                              survey no. […] carried out with Company A 1/22 I. Facts and procedure



1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and
the importance of its integration into the body, and considering that the guidelines

concerning DPOs have been available since December 2016, i.e. 17 months before entry into

application of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016

on the protection of natural persons with regard to the processing of personal data

personal data and the free movement of such data, and repealing Directive 95/46 / EC

(general data protection regulation) (hereafter: the "GDPR"), the Commission

National Data Protection Authority (hereinafter: the “National Commission” or the

"CNPD") has decided to launch a thematic survey campaign on the function of the DPO.

Thus, 25 audit procedures were opened in 2018, concerning both the private sector and the
public sector.



2. In particular, the National Commission decided by decision no. […] Of 14

September 2018 to initiate an investigation in the form of a data protection audit

with […] Company A, established and having its registered office at L- […], registered in the register of

trade and companies under number […] (hereinafter: the "controlled") and to designate

Mr. Christophe Buschmann as head of investigation. Said deliberation specifies that

the investigation relates to the compliance of the inspected with section 4 of chapter 4 of the GDPR.

                                                     2
3. The main purpose of the inspection is […]. The controlled has approximately […] employees
                                      3
spread over […] sites as well as […].



4. By letter of September 17, 2018, the head of the survey sent a questionnaire
preliminary to the control to which the latter replied by letter of October 5, 2018. A visit

on site took place on January 21, 2019. Following these discussions, the head of the investigation established the

audit report no. […] (hereinafter: the "audit report").









1The guidelines concerning DPOs were adopted by the “Article 29” working group on 13
December 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017.
2Coordinated statutes filed on […].
3Presentation of the inspection of January 21, 2019

________________________________________________________________________

               Decision of the National Commission sitting in restricted formation on the outcome of
                                 survey no. [...] conducted with Company A
                                                                                                           2/225. It emerges from the audit report that in order to verify the compliance of the organization with the

section 4 of chapter 4 of the GDPR, the head of the investigation defined eleven control objectives,
know :


    1) Ensure that the body subject to the obligation to appoint a DPO has done so;

    2) Make sure that the organization has published the contact details of its DPO;

    3) Ensure that the organization has communicated the contact details of its DPO to the CNPD;

    4) Ensure that the DPO has sufficient expertise and skills to

        carry out its missions effectively;

    5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest;

    6) Ensure that the DPO has sufficient resources to perform effectively
        of its missions;

    7) Ensure that the DPO is able to carry out his missions to a sufficient degree

        autonomy within their organization;

    8) Ensure that the organization has put in place measures to ensure that the DPO is associated with

        all matters relating to data protection;

    9) Ensure that the DPO fulfills his mission of information and advice to the
        data controller and employees;

    10) Ensure that the DPO exercises adequate control over data processing within

        of his body;

    11) Ensure that the DPO assists the data controller in carrying out the

        impact analyzes in the event of new data processing.


6. By letter of October 31, 2019 (hereinafter: the “statement of objections”), the Chief

investigation informed the inspector of breaches of obligations under the GDPR that it

noted during its investigation. The audit report was attached to this letter.


7. In particular, the head of the investigation noted in the statement of objections

breaches of:

      the obligation to involve the DPO in all matters relating to the protection of

        personal data; 4
                                                                     5
      the obligation to provide the necessary resources to the DPO;
                                                        6
      the DPD's mission of information and advice.


4
5Objective 8
6Objective 6
 Objective n ° 10
________________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no. [...] conducted with Company A
                                                                                                       3/228. By letter of November 22, 2019, the inspector sent the head of the investigation

position on the shortcomings listed in the statement of objections.


9. On August 24, 2020, the head of the investigation sent the inspector an additional letter

to the statement of objections (hereinafter: the "additional letter to the communication of

grievances ") by which he informs the control of the corrective measures and the administrative fine
which he proposes to the National Commission sitting in restricted formation (hereinafter: the "

restricted training ") to adopt.


10. By letter of September 30, 2020, the inspector sent the head of the investigation his

observations on the additional letter to the statement of objections.


11. The case was on the agenda of the restricted formation session on January 26

2021. In accordance with article 10.2. b) the rules of procedure of the Commission

national, the head of investigation and the supervisee presented their oral observations in support of
their written submissions. More particularly, Maître […], agent of the inspected, gave

reading of a note setting out the observations of the inspected (hereinafter: the "pleadings note").

The head of the investigation and the inspector subsequently answered the questions posed by the training

restraint. The controlled had the floor last.


12. By email of January 27, 2021, the inspected representative sent the training

restricted a copy of the pleadings, an excerpt from a presentation dated October 8

2018 presenting the "Data Protection" organization chart with indication of "[GDPR Committee]"
of the controlled as well as an extract from the trade and companies register of [...] Company B

manager […] in Luxembourg.


    II. Place


    A. As regards the requirements for precision in the statement of objections and in the letter

        complementary to the statement of objections

13. In his statement of pleadings, the agent of the inspected invokes, as a preliminary point, that the

statement of objections and the additional letter to the statement of objections

lack precision:



________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               the survey n ° […] carried out with Company A 4/22 "[…] the Grievance Couriers fail to comply with the legal obligations applicable in

administrative, in particular in that they do not contain a precise reference to a standard

that would have been violated and that they do not contain any precise indication of the facts
details that would constitute a violation of a legal standard by Company A. By this

lack of precision, the general principles of applicable rights have been violated and my

principal was deprived of the opportunity to provide informed and detailed explanations

likely to shed light on Restricted Training. "


14. The restricted panel notes that the head of the investigation expressly mentions, both

in the statement of objections than in the additional letter to the communication
grievances, the provisions of the GDPR that the inspected would have failed, namely articles

38.1, 38.2 and 39.1. at). In addition, the factual findings made during the investigation and on which

the alleged shortcomings are based are indicated in the statement of objections. Of

surplus, the audit report containing all the findings and work carried out by the manager
investigation as part of the audit mission was attached to the statement of objections. In

In addition, the restricted committee notes that the inspectorate's representative refers to the

"Legal obligations applicable in administrative matters" as well as "general principles

of applicable rights ”without specifying which rule of law would have been violated in
the species.



15. For all practical purposes, it should be noted that the inspected was in a position to take

position in relation to the breaches alleged against him, as demonstrated by his
position of 22 November 2019 and 30 September 2020 as well as the oral observations and the

note of pleadings presented at the restricted session of January 26, 2021.



16. It is therefore wrong that the agent of the inspected maintains that the communication of
complaints and the letter supplementing the statement of objections lack

so that his principal would have been "deprived of the possibility of providing enlightened explanations

and detailed information likely to enlighten the Restricted Training ".



    B. As regards the complaints listed in the statement of objections



    a) The breach of the obligation to involve the DPO in all matters relating to

        the protection of personal data

________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no. […] conducted with Company A 5/22 1. On the principles


17. According to article 38.1 of the GDPR, the organization must ensure that the DPO is involved,

in an appropriate and timely manner, in all matters relating to the protection of

personal data.


18. The DPO guidelines state that “[i] t is essential that the DPO,

or his team, is involved from the earliest possible stage in all questions

relating to data protection. [...] Information and consultation of the DPO from the start

will facilitate compliance with the GDPR and encourage an approach based on
data protection by design; it should therefore be the usual procedure in

within the governance of the organization. In addition, it is important that the DPO is considered as

an interlocutor within the organization and that he or she is a member of the dedicated working groups
                                                                  7
to data processing activities within the organization ".


19. The DPO guidelines provide examples on how to
to ensure this association of the DPO, such as:


       invite the DPO to participate regularly in senior management meetings

            and intermediate;

       recommend the presence of the DPO when decisions with implications

            in terms of data protection are taken;

       always take due account of the opinion of the DPO;

       immediately consult the DPO in the event of a data breach or any other
            incident occurs.



20. According to the guidelines on DPOs, the body could, where appropriate,

develop data protection guidelines or programs
indicating the cases in which the DPO must be consulted.


    2. In this case



21. It appears from the audit report that in order for the investigator to consider objective 8

as achieved by the inspected within the framework of this audit campaign, the head of the investigation


7 WP 243 v.01, version revised and adopted on April 5, 2017, p. 16
________________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                               survey no. [...] conducted with Company A 6/22 expects the DPO to participate in a formalized manner and on the basis of a defined frequency

the Management Committee, project coordination committees, new committees

products, safety committees or any other committee deemed useful in the context of protection
Datas.



22. According to the statement of objections, page 3, “the DPO participates in numerous

meetings at Group level and […] regularly organize meetings with its points of
local contacts. But these elements are not sufficient to demonstrate the direct, formal and

permanent involvement of the DPD in Luxembourg ”. It still results from the communication of

complaints that “the Group DPO receives a monthly report from the local contact point continued
to […] as well as a monthly report […] relating to data protection issues

(number of requests to exercise rights or complaints, possible impact analyzes

etc.). […] The DPO is systematically informed and consulted by the local contact point in

case of a security incident likely to involve personal data and
create a risk for the people concerned. "However, the head of the investigation believes that

“These elements cannot compensate for the absence of direct involvement of the DPD Groupe

within Company A, which could create the risk that the DPO is not

sufficiently involved at operational level in Luxembourg. "Finally, the head of the investigation
argues that he "was not aware of any elements to address this risk, such as

for example the formal establishment of visits based on a defined frequency of the DPO

Group (or a member of its Data Protection team) in Luxembourg. These visits

would in particular allow the DPO to be able to discuss directly with the management
superior of Company A for issues related to data protection and power

directly assess operational issues. "



23. In its position paper of 22 November 2019, the inspected affirms that the DPD Groupe
is involved in an appropriate and timely manner in all matters relating to the

protection of personal data. The inspected explains that “[all] the questions

relating to the protection of personal data initiated in the Grand Duchy of Luxembourg
are first received and analyzed by our contact point dedicated to

data protection in Luxembourg ”(hereinafter: the“ local contact point ”) and that this

the latter works in close collaboration with the DPD Groupe […]. According to the inspected, the point of

contact is responsible for the compliance management of the processing of personal data
personnel implemented by the inspected, this under the supervision of the DPD Groupe who

contact reports its actions. In addition, the inspected mentions in its position paper

________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey n ° [...] carried out with Company A 7/22 of 22 November 2019 the establishment of a committee dedicated to data protection in Luxembourg

(hereinafter: the "[GDPR Committee]") which defines the strategy on these subjects and the action plans

associates. The controlled sets out the composition and functioning of the [GDPR Committee] for
support that the Group DPO is involved in the management of compliance with the provisions

of the GDPR in Luxembourg.


24. In his pleadings, the agent of the inspected highlights article 37.2 of the

GDPR, which allows a group of companies to designate a single DPO provided that the latter
be easily reachable from each place of establishment, as well as the guidelines

concerning DPOs to maintain that the operation of the inspected complies with the GDPR

and affirms that "[i] t was found no materiality of the alleged facts, no

unavailability of the DPO of Company A, whether vis-à-vis the supervisory authority or
of the persons concerned and a possible and uncharacterized risk cannot allow

to factually establish a violation. "



25. The restricted committee notes that the inspected is a subsidiary of the group […] and that
the latter had decided to appoint a single DPO for the different entities of the group (here-

after: the “DPD Groupe”). At the central level, the group has set up an office for

data protection (“[…]”) composed of the DPD Groupe as well as […] lawyers

specialists in data protection and […] project manager. At local level,
the sole inspectorate lawyer has been appointed as the local point of contact for the DPD Group.



26. As a preliminary point, the restricted panel notes that the breach alleged by the chief
investigation relates to Article 38.1 of the GDPR so that the explanations of the agent of the

controlled under Article 37.2 of the GDPR are not relevant in this case. Indeed,

even if the GDPR allows a group of companies to designate a single DPO, it does not remain

not less that this DPO must be associated, in an appropriate and timely manner, with all
questions relating to the protection of personal data, in accordance with

Article 38.1 of the GDPR. It is thus possible for an organization to appoint a single DPO at the level

of the group whose entities are established in several Member States of the European Union

and to provide, at the local level, "contact points" which assist the DPO, in particular in
questions relating to local particularities such as national legislation. In such

However, it is all the more important to clearly define, among other things, the

modalities of collaboration between the DPO and the “local contact points” as well as the

distribution of tasks and responsibilities.

________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no. [...] conducted with Company A 8/22 In this case, the restricted committee noted that all questions relating to the protection of

personal data that arose at the control level were received and

first analyzed by the local point of contact who contacted the DPD Group
when he felt it was necessary. The restricted training further notes that the DPD Groupe did not

not part of the [GDPR Committee] and was only informed of the matters discussed there through the lawsuits-

verbal of the [GDPR Committee] and through the questions raised by the point of

local contact during these meetings.


27. It emerges from the investigation file that the DPD Groupe was not associated

only indirectly to questions relating to the protection of personal data

that arose at the controlled level, through the local point of contact who,
in fact, acted as the interlocutor in matters of data protection within

of the body. However, the local point of contact was the sole jurist of the inspected and did not

part of the DPD Groupe team itself, namely the office for the protection of

data ("[…]").


28. In addition, the restricted panel considers that the fact of transmitting the minutes

of the [GDPR Committee] to the DPD Group does not allow its appropriate association to be established and in

timely insofar as the Group DPO is simply informed of the measures that the
[GDPR Committee] proposes to the various control decision-making bodies to implement.

The DPO is therefore not informed and above all not consulted "from the earliest stage

possible ”of all matters relating to data protection.


29. In addition, the controlled indicates in its position paper of September 30, 2020 that the
                                                                                      er
local contact point has been appointed as DPO for Company A, with effect from 1 October
2020. The restricted committee notes that the CNPD received the amending declaration by

e-mail of September 30, 2020. However, the inspected must ensure that the newly appointed DPO

appointed is effectively involved in all matters relating to data protection

of a personal nature. The fact of having appointed the local point of contact as DPD is not enough
not to sufficiently demonstrate such association of the latter to all questions

relating to the protection of personal data.



30. In view of the foregoing, the restricted committee agrees with the findings of the head of the investigation
that the non-compliance with Article 38.1 of the GDPR was acquired at the time of the investigation.


________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               investigation no. [...] conducted with Company A 9/22 b) On the failure to provide the necessary resources to the DPO



    1. On the principles


31. Article 38.2 of the GDPR requires the organization to help its DPO "to carry out the tasks

referred to in Article 39 by providing the necessary resources to carry out these tasks, as well

that access to personal data and processing operations, and

allowing to maintain its specialized knowledge. "


32. It follows from the guidelines on DPOs that the following aspects must be

in particular to be taken into consideration: 8


     “sufficient time for the DPOs to accomplish their tasks. This aspect is

        particularly important when an internal DPO is appointed part-time or
        when the external DPO is responsible for data protection in addition to others

        tasks. Otherwise, conflicting priorities could lead to the tasks of the

        DPD are neglected. It is essential that the DPO can devote sufficient

        time to his missions. It is good practice to set a percentage of time

        dedicated to the function of DPO when this function is not occupied full time.
        It is also good practice to determine the time required to complete

        the function and the appropriate level of priority for the tasks of the DPO, and that the DPO (or

        the organization) establish a work plan;

     necessary access to other services, such as human resources, service

        legal, IT, security, etc., so that DPOs can
        receive essential support, input and information from these others

        services ".


33. The DPO Guidelines state that "[d] in general,

the more complex or sensitive the processing operations, the more resources allocated

to the DPD should be significant. The data protection function must be effective and
provided with adequate resources with regard to the data processing carried out. "



    2. In this case



8WP 243 v.01, version revised and adopted on April 5, 2017, p. 17
________________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                               survey no. […] conducted with Company A 10/2234. It emerges from the audit report that, in view of the size of the organizations selected, for

that the head of investigation considers objective 6 as achieved by the control within the framework of
this audit campaign, the head of the investigation expects the inspected to use at least

an FTE (full-time equivalent) for the data protection team. Leader

investigation also expects the DPO to have the opportunity to rely on other

services, such as legal, IT, security, etc.


It follows from the statement of objections, page 3, that the Group DPO has at the level

central team made up of [...] lawyers specializing in the protection of
data as well as […] project manager. At the local level, however, the DPD Groupe does not have

than a local point of contact who was also the sole legal expert of the controlled so that the

head of investigation noted "the risk that the DPO does not have sufficient resources at the

local in Luxembourg, resources being concentrated at group level, but not seeming
not sufficiently deployed at the local level ”as well as“ the risk that in the event of a strong peak

activity concerning the legal matters to be handled within Company A, the point of contact

may not have the means to effectively carry out its missions relating to

data protection, which would create the risk that the DPO could not exercise
effectively its DPD missions for Luxembourg ”.



35. In its position paper of 22 November 2019, the inspected affirms that the DPD Groupe

has the local support of a legal team made up of the local point of contact
and a "second resource" and notes that "the job description of the Local Contact Point

and the second resource in the local legal team on an open-ended contract

must be detailed in terms of hourly volume and description of tasks ”.


36. In his note of pleadings, the agent of the controlled also argues that

the requirement to formalize the distribution of working time does not exist in the regulations

applicable and that the DPO guidelines contain at most one
recommendation as a "good practice" to "determine the time required to

the performance of the function and the appropriate level of priority for the tasks of the DPO, and that the

DPD (or the body) establishes a work plan ". Finally, the agent of the inspected

maintains that "[i] here too have not been found any materiality of the alleged facts, nor provided
no explanation of the criteria examined to conclude a lack of resources, nor

no analysis of existing resources. A possible and uncharacterized risk cannot

________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               the survey no. [...] conducted with Company A 11/22 to establish factually that Company A would lack the resources to deal with

its obligations under data protection. "


37. The restricted committee notes that the inspected has chosen to appoint the Group DPO

which has, at the central level, a team made up of [...] lawyers specializing in

of data protection as well as […] project manager. At the entity level

Luxembourg woman having been the subject of the investigation, a local contact point was appointed, in the
person of the only lawyer of the controlled who carried out moreover still other missions. The

restricted training considers that such an organization requires that the organization determine and

documents the time required for the local point of contact to perform its related duties
to data protection in order to be able to allocate the necessary resources to it. This

This requirement results in particular from the guidelines on DPOs as well as from the articles

5.2. and 24 of the GDPR which set out the principle of accountability. Now it emerges

of the file that the inspected has not carried out any formalization or documentation
making it possible to demonstrate that the inspected person has provided the DPO function with the resources

necessary for the performance of its missions at the time of the investigation.



38. In view of the above, the restricted panel concludes that Article 38.2 of the GDPR has no
not respected by the inspected.



    c) On the failure to provide information and advice to the DPO


    1. On the principles



39. Under section 39.1. a) of the GDPR, one of the missions of the DPO is to "inform and

advise the controller or processor as well as the employees who carry out
processing on their obligations under this Regulation and other

provisions of Union law or the law of the Member States relating to the protection of

data ”.


    2. In this case



40. It appears from the audit report that, in order for the investigator to consider objective 9
as achieved by the controlled as part of this audit campaign, he expects "



________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               the survey no. [...] carried out with Company A 12/22 the organization has formal reporting on the activities of the DPO to the Management Committee on

basis of a defined frequency. Regarding information to employees,

the organization is expected to have put in place an adequate training system for personnel
in terms of data protection ”.



41. According to the statement of objections, page 4, it appears from the investigation that there is no

direct reporting of information from the Group DPD to the local control department. Leader
survey notes that "there are several levels of reporting ([...])", but considers that "these

elements are not sufficient to compensate for the lack of direct reporting from the DPO to the

data controller in Luxembourg ”.


42. In its position paper of 22 November 2019, the inspected refers to these explanations

relating to the first complaint, namely the breach of the obligation to involve the DPO in all

questions relating to the protection of personal data. Moreover, the controlled
maintains that the Group DPO “informs and advises the controller as well as the

employees and in particular implemented:


    o Online training […], available online from May 2018

    o An awareness campaign with […] on the protection of personal data
       staff on […] 2018, as well as on […] 2019 […]

    o An awareness campaign with […] including the 10 golden rules on

       protection of personal data dated […] 2019 ”


The inspected confirms that the DPD Groupe “has the opportunity to discuss issues

strategic and / or more operational with the senior management […] of Company A ”.

43. The restricted committee noted that the failure noted by the head of the investigation

concerns that the DPO's mission of information and advice to the head of

processing, and not the DPO's mission of providing information and advice to employees.



44. The restricted committee considers that the DPO’s information and advice mission to

with regard to the controller is closely linked to the obligation, provided for in Article 38.1

of the GDPR, to involve the DPO in an appropriate and timely manner in all questions

relating to the protection of personal data. However, the limited training has
noted that the Group DPO was not involved in an appropriate and timely manner with

data protection issues arising at the level of the Luxembourg entity having
________________________________________________________________________


             Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey no. […] conducted with Company A 13/22 is the subject of the survey. Indeed, the DPD Groupe was only indirectly associated, by

through the local point of contact. In addition, he was simply informed of the measures that

the [GDPR Committee] proposes to the various supervisory decision-making bodies to implement

artwork.


45. In view of the foregoing, the Select Committee concludes that Article 39.1. a) of the GDPR

was not respected by the controlled.


    III. On corrective measures and fines



    A. Principles


46. In accordance with article 12 of the law of 1 August 2018 on the organization of the

National Commission for Data Protection and General Protection Regime

data, the CNPD has the powers provided for in Article 58.2 of the GDPR:


    a) notify a controller or processor that data processing operations

        planned treatment are likely to violate the provisions of this

        regulation;


    b) call to order a controller or a processor when the
        processing operations have resulted in a violation of the provisions of this

        regulation;


    c) order the controller or processor to comply with the requests

        presented by the data subject in order to exercise their rights under the

        this regulation;


    d) order the controller or processor to put the data processing operations
        processing in accordance with the provisions of these regulations, if applicable,

        in a specific manner and within a specified timeframe;


    e) order the controller to communicate to the data subject a

        personal data breach;






9 Points 26 to 30 of this decision
________________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no. [...] conducted with Company A
                                                                                                     14/22 f) impose a temporary or permanent limitation, including a ban, on the

        treatment;


    g) order the rectification or erasure of personal data or the

        restriction of processing in application of Articles 16, 17 and 18 and the notification of these
        measures to the recipients to whom the personal data have been

        disclosed in accordance with Article 17, paragraph 2, and Article 19;


    h) withdraw a certification or order the certification body to withdraw a

        certification issued in application of Articles 42 and 43, or order the

        certification not to issue certification if the requirements applicable to the
        certification are not or no longer satisfied;


    i) impose an administrative fine in application of Article 83, in addition to or

        the place of the measures referred to in this paragraph, depending on the characteristics

        specific to each case;


    j) order the suspension of data flows addressed to a recipient located in a
        third country or to an international organization. "


47. In accordance with article 48 of the law of August 1, 2018, the CNPD may impose

administrative fines as provided for in Article 83 of the GDPR, except against the State

or municipalities.


48. Article 83 of the GDPR provides that each supervisory authority ensures that
administrative fines imposed are, in each case, effective, proportionate and

dissuasive, before specifying the elements that must be taken into account in deciding whether there

to impose an administrative fine and to decide on the amount of this fine:


        "(A) the nature, gravity and duration of the breach, taking into account the nature,
        scope or purpose of the processing concerned, as well as the number of people

        affected parties and the level of damage they suffered;


        (b) whether the violation was committed willfully or negligently;


        c) any measures taken by the controller or processor to mitigate

        the damage suffered by the persons concerned;



________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                                the survey no. [...] carried out with Company A 15/22 d) the degree of responsibility of the controller or the processor, account

        taking into account the technical and organizational measures they have implemented under

        Articles 25 and 32;

        e) any relevant breach previously committed by the controller

        or the subcontractor;


        f) the degree of cooperation established with the supervisory authority in order to remedy the

        violation and mitigate any negative effects;


        g) the categories of personal data affected by the breach;

        h) the manner in which the supervisory authority became aware of the breach, in particular

        whether, and to what extent, the controller or processor has notified the

        violation;


        (i) where measures referred to in Article 58 (2) have previously been
        ordered against the controller or processor concerned for

        the same object, compliance with these measures;


        j) the application of codes of conduct approved in accordance with Article 40 or

        certification mechanisms approved under Article 42; and


        k) any other aggravating or mitigating circumstance applicable to the circumstances of
        the species, such as financial benefits obtained or losses avoided, directly

        or indirectly, as a result of the violation ”.


49. The restricted panel wishes to point out that the facts taken into account in the context of the

this decision are those noted at the start of the investigation. Any modifications
relating to the subject of the investigation carried out subsequently, even if they make it possible to establish

fully or partially compliance, do not allow retroactive cancellation of a

breach noted.


50. Nevertheless, the steps taken by the inspected to bring themselves into compliance

with the GDPR during the investigation procedure or to remedy breaches

noted by the head of investigation in the statement of objections, are taken into account by the

limited training in the context of any corrective measures to be taken.


________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               the survey no. […] carried out with Company A 16/22 B. In the present case



    1. As to the imposition of an administrative fine


51. In the additional letter to the statement of objections of 24 August 2020, the

investigator proposes to the restricted formation to pronounce against the controlled a
administrative fine relating to the amount of 18,000 euros.


52. In his pleadings, the agent of the controlled argues that a fine

administrative "must meet the principles of adequacy and proportionality of Article 83

of the GDPR while in particular, no specific grievance has been formulated, no damage has been
observed and Company A collaborated as much as possible with the CNPD during

the entire monitoring period. "


53. In order to decide whether to impose an administrative fine and to decide, if

of the amount of this fine, the restricted committee analyzes the criteria set by

Article 83.2 of the GDPR:


    - As to the nature and seriousness of the violation (article 83.2 a) of the GDPR), with regard to

        concerns breaches of Articles 38.1, 38.2 and 39.1 a) of the GDPR, the training

        restricted notes that the appointment of a DPO by an organization cannot be
        efficient and effective, namely facilitating compliance with the GDPR by the organization, that in

        the case where the DPD is associated from the earliest possible stage with all

        data protection issues, takes advantage of time and resources

        necessary to perform their data protection duties and exercise
        effectively its missions including the information and advice mission of

        controller. A breach of Articles 38.1, 38.2 and 39.1 a) of the GDPR

        amounts to reducing the interest, or even emptying of its substance, the obligation for an organism

        to appoint a DPO.


    - As for the duration criterion (article 83.2.a) of the GDPR), the restricted committee notes that

        the controlled indicated, in its position paper of September 30, 2020, that the point of
                                                                     er
        local contact has been appointed as DPO with effect from 1 October 2020 and that this

        the latter now devotes 50% of his working time to protection issues
        data, with the assistance of [...] other lawyers who also devote

        each 50% of their working time. In addition, the composition and functioning of the

________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               the survey no. [...] conducted with Company A 17/22 [GDPR Committee] have been modified so that the DPO can inform and advise

        the controller. Breaches of Articles 38.1, 38.2 and 39.1 a) have
                                                                                er
        therefore lasted over time, at least between May 25, 2018 and October 1, 2020.

        The restricted party recalls here that two years have separated the entry into force of the
        GDPR of its entry into force to allow data controllers to

        comply with their obligations.



    - As to the number of data subjects affected by the violation and the level of
        damage they have suffered (Article 83.2 a) of the GDPR), the restricted committee notes that

        the inspected has approximately […] employees spread over […] sites as well as […]. The

        number of people affected by the violation is therefore potentially high.



    - As to the degree of cooperation established with the supervisory authority (Article 83.2 f) of
        GDPR), the restricted training takes into account the assertion of the head of the investigation according to

        which the inspected has shown constructive participation throughout

        investigation.


54. The restricted committee notes that the other criteria of Article 83.2 of the GDPR do not

are neither relevant nor likely to influence his decision on whether to impose a fine

administrative and its amount.


55. The restricted committee notes that although several measures have been put in place by the

checked in order to remedy all or part of certain shortcomings, these have not been

adopted only following the launch of the investigation by CNPD officers on 17

September 2018 (see also point 49 of this decision).


56. Therefore, the restricted panel considers that the imposition of a fine

administrative procedure is justified with regard to the criteria set out in Article 83.2 of the GDPR for

breach of Articles 38.1, 38.2 and 39.1 a) of the GDPR.


57. Regarding the amount of the administrative fine, the restricted panel recalls that

Article 83.3 of the GDPR provides that in the event of multiple violations, as is the case in

the case, the total amount of the fine may not exceed the amount set for the most serious violation
serious. Insofar as a breach of Articles 38.1, 38.2 and 39.1 a) of the GDPR is

reproached for the control, the maximum amount of the fine that can be withheld is 10

________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               the survey n ° [...] carried out with Company A 18/22 million euros or 2% of the worldwide annual turnover, the highest amount being

retained.


58. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the

restricted committee considers that the pronouncement of a fine of 18,000 euros appears in the

both effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.


             2. Regarding the taking of corrective measures


59. In his additional letter to the statement of objections, the head of the investigation
suggests that the restricted group take the following corrective measures:


       "A) Order the implementation of measures ensuring a formal association and

       effectiveness of the DPO in all matters relating to data protection,

       in accordance with the requirements of Art.38 para.1 GDPR. Although several
       ways can be envisaged to achieve this result, one of the possibilities

       would consist of analyzing, with the DPO, all committees / working groups relevant to the

       with regard to data protection and to formalize the terms of its intervention

       (previous information from the meeting agenda, invitation, frequency, status of
       permanent member etc.).


       b) Order the provision of the necessary resources to the DPO in accordance with

       the requirements of article 38 paragraph 2 of the GDPR. Although several ways

       can be envisaged to achieve this result, one of the possibilities would be
       to relieve the DPO and / or the local members of his team of all or part of his

       other missions / functions or to provide formal support, internally or externally,

       with regard to the performance of his duties as DPD.


       c) Order the implementation of measures enabling the DPO to inform and advise

       formally the data controller on his obligations in terms of protection
       data, in accordance with Article 39 paragraph 1 a) of the GDPR. Although

       several ways can be envisaged to achieve this result, one of the

       possibilities would be to set up a formal reporting of the DPD's activities to the
       Direction based on a defined frequency. "


60. As to the corrective measures proposed by the head of the investigation and by reference to the

point 50 of this decision, the restricted committee takes into account the procedures

________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                              the survey n ° [...] conducted with Company A 19/22 carried out by the inspector, following the visit of CNPD agents, in order to comply with

provisions of articles 38.1, 38.2 and 39.1 a) of the GDPR, as detailed in these letters

November 21, 2019 and September 30, 2020. In particular, it takes note of the facts

following:

    - As for the violation of Article 38.1 of the GDPR providing for the obligation to involve the DPO

        to all questions relating to the protection of personal data,

        restricted training takes note that the local contact point has been appointed DPD of
                                             er
        the inspected body with effect from October 1, 2020.


        However, the restricted training includes documents provided by the inspected

        that this newly appointed DPO performs his duties under the supervision of the DPO

        [of the group]. The restricted committee therefore wonders whether the newly appointed DPO
        is effectively involved in all matters relating to data protection

        of a personal nature, and this in complete independence. Therefore, the CNPD is

        of the opinion that the inspected has not sufficiently demonstrated its compliance with

        Article 38.1 of the GDPR and considers that it is necessary to pronounce an enforcement measure
        compliance in this regard.



    - With regard to the violation of article 38.2 of the GDPR providing for the obligation to

        provide the necessary resources to the DPO, the inspected affirms in their position statement

        of September 30, 2020 that the DPO newly appointed by Company A consecrates
        50% of his working time on data protection issues and he is

        assisted by [...] jurists who devote [...] so that there will be 1.5 FTEs devoted to

        the protection of personal data.

        In view of these elements, the restricted formation is of the opinion that the expectation of the chef
        investigation of 1 FTE or more is reached following the measures taken by the inspected

        during the investigation. Therefore, the restricted formation considers that there is no

        instead of pronouncing a compliance measure in this regard.


    - As for the violation of Article 39.1 a) of the GDPR relating to the mission of information and

        advice from the DPO to the data controller, the inspector explains in his

        position of September 30, 2020 the composition and functioning of the [Committee

        GDPR] which will allow the newly appointed DPO to inform and advise the
        controller.


________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no. [...] conducted with Company A 20/22 However, in view of the documents provided by the inspected, the limited training

        understands that the DPO (previously local point of contact, without having exercised the
        of DPD) newly appointed by the inspected carries out its missions under the supervision

        of the DPD [of the group], so that it is not sufficiently demonstrated by the

        checked that the newly appointed DPO can effectively fulfill his mission

        information and advice to the controller controlled (Company A), and
        this in complete independence. Therefore, the restricted party considers that there is

        instead of pronouncing a compliance measure in this regard.





In view of the foregoing developments, the National Commission sitting in

restricted formation and deliberating unanimously decides:


- to pronounce against the company "Company A" an administrative fine of one

amount of eighteen thousand euros (18,000 euros) with regard to the violation of articles 38.1, 38.2

and 39.1. a) of the GDPR;


- to issue an injunction against the company "Company A" to come into

compliance with Article 38.1 of the GDPR, within four months of the notification of

the decision of the restricted committee, the supporting documents for compliance must be
sent to the restricted group at the latest within this period, in particular:



ensure that the DPO is effectively involved in all questions relating to protection

personal data, and this in complete independence;


- to issue an injunction against the company "Company A" to come into

compliance with Article 39.1 a) of the GDPR within four months of notification

of the decision of the restricted committee, the supporting documents for compliance must be
sent to the restricted group at the latest within this period, in particular:



ensure that the DPO can effectively fulfill his mission of information and advice

towards the controller.



________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no. [...] conducted with Company A 21/22 As decided in Belvaux on May 31, 2021.



For the National Commission for Data Protection sitting in a restricted body






Tine A. Larsen Thierry Lallemang Marc Lemmer
  President Commissioner Commissioner







                             Indication of remedies


This administrative decision may be the subject of an appeal for reformation within three

months following its notification. This appeal is to be brought before the administrative tribunal and must

must be introduced through a lawyer at the Court of one of the Bar Associations.


































________________________________________________________________________


             Decision of the National Commission sitting in restricted formation on the outcome of
                              survey no. [...] conducted with Company A 22/22