CNPD (Luxembourg) - Délibération n° 36FR/2021: Difference between revisions

From GDPRhub
(Great case summary! I had to shorten the small summary to comply with the maximum number of words. I streamlined the layout and style in accordance with our guidelines (no 'underline'; no "..."; etc.; not "Article 39.2 GDPR" but "Article 39(2) GDPR"). I added internal hyperlinks and corrected the syntax where necessary. I also changed and harmonized references to the DPA into references to the CNPD after defining it, and references to Company A into "the Company" after defining it.)

Revision as of 09:18, 10 November 2021

CNPD (Luxembourg) - Délibération n° 36FR/2021
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 38(1) GDPR
Article 39(1)(b) GDPR
Article 83(2) GDPR
Article 83(3) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.10.2021
Published: 02.11.2021
Fine: 13200 EUR
Parties: n/a
National Case Number/Name: Délibération n° 36FR/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Délibération n° 36FR/2021 (in FR)
Initial Contributor: Matthias Smet

The Luxembourg DPA (CNPD) found four violations of the GDPR in the course of an audit on the role of the Data Protection Officer (DPO) in a company. Only two of these violations were upheld at the end of the audit proceeding, and the CNPD imposed a fine of 13,200 EUR on the company concerned.

English Summary

Facts

Given the importance of the role of DPOs within organisations that are required to appoint one, the Luxembourg DPA (the CNPD) launched an audit campaign on the DPO's function, defining 11 audit objectives. As part of this campaign, the CNPD carried out 28 audits in different organisations.

During the audit carried out by the CNPD on the role of the DPO within a company (hereafter, the Company), the CNPD found that the Company had failed to comply with several obligations relating to the appointment and role of the DPO. In particular:

  • a violation of the obligation to appoint the DPO on the basis of his professional qualities (Article 37(5) GDPR): according to the CNPD, this objective is met if the DPO has at least three years of professional data protection experience. In this case, the audit report pointed out that the DPO did not have any particular expertise in data protection at the time of his appointment, and had been appointed because he already held the position of "Chief Compliance & Legal Officer" within the Company. In response to this finding, the Company sent additional documents to the CNPD showing that, by the time the investigation was opened, the DPO had more than three years of professional experience in the field of data protection;
  • a violation of the obligation to involve the DPO in all matters related to the protection of personal data (Article 38(1) GDPR): according to the CNPD, this objective is met if the DPO formally participates, at a defined frequency, in the executive committee, project coordination committees, new product committees, security committees or any other committee deemed useful in the context of data protection. The audit report pointed out that no such participation was provided for in the Company's procedures. The Company subsequently took steps to formalise the involvement and presence of the DPO in the structural consultative bodies, as well as in its internal procedures and policies, in order to align with the legislation and the guidelines of the Article 29 Working Party (WP29);
  • a violation of the obligation to provide the DPO with the necessary resources (Article 38(2) GDPR): according to the CNPD, this objective is met if at least one full-time equivalent (FTE) is allocated to the data protection team (i.e. one person working full time on the DPO's tasks) and the DPO is able to rely on other departments, such as legal, IT or security. During the audit, it was found that the resources allocated to the data protection team amounted to approximately 0.7 FTE, and that the time allocated to the DPO for data protection tasks was not defined. In response to the audit report, the Company announced that its management had decided that the DPO would carry out his duties on a full-time basis (one FTE);
  • a violation of the obligation to entrust the DPO with compliance monitoring tasks (Article 39(1)(b) GDPR): according to the CNPD, this objective is met if the organisation has a formalised data protection control plan in which the monitoring tasks of the DPO team are defined. The audit report found that the Company had some specific procedures in place (such as for answering data subject requests) but no monitoring plan. In response, the Company disclosed documents showing that internal compliance and monitoring procedures had been implemented for the processing of personal data and that those procedures were reviewed regularly.

Holding

Although the audit report had identified four data protection violations and had proposed a sanction based on all four, the CNPD upheld only two of them in its decision: the breaches of Article 38(1) GDPR and Article 39(1)(b) GDPR. When drafting its decision, the CNPD took into account the measures the Company had already taken to remedy those two breaches and considered that no additional corrective measures were needed. Nevertheless, the CNPD noted that these measures were taken only after the start of the investigation and therefore held that the Company had been in breach of the GDPR. As a result, the CNPD imposed a fine of 13,200 EUR on the Company.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation N° 36FR/2021 of October 13, 2021 - fine
Published 02/11/2021. Thematic survey campaign on the function of the data protection officer.
(PDF, 747 KB). Last update 02/11/2021.