CNPD (Luxembourg) - Délibération n° 36FR/2021: Difference between revisions

From GDPRhub

Latest revision as of 07:39, 12 November 2021

CNPD (Luxembourg) - Délibération n° 36FR/2021
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 38(1) GDPR
Article 39(1)(b) GDPR
Article 83(2) GDPR
Article 83(3) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.10.2021
Published: 02.11.2021
Fine: 13200 EUR
Parties: n/a
National Case Number/Name: Délibération n° 36FR/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Délibération n° 36FR/2021 (in FR)
Initial Contributor: Matthias Smet

The Luxembourg DPA (CNPD) fined a company €13,200 for two violations of the GDPR identified in the course of an audit on the role of the Data Protection Officer (DPO) within a company. The CNPD originally found four violations, but only upheld two of them because the company had already taken measures to remedy the other two breaches.

English Summary

Facts

Given the importance of the role of DPOs within organizations which need to appoint one, the Luxembourg DPA (the CNPD) launched an audit campaign on the DPO's function defining 11 audit objectives. As part of this campaign, the CNPD carried out 28 audits within different organizations.

Holding

During the audit proceeding carried out by the CNPD on the role of the DPO within a company (hereafter, the Company), the CNPD found that the Company had failed to comply with several obligations relating to the appointment and role of the DPO. In particular:

  • a violation of the obligation to appoint the DPO based on his/her professional qualities (Article 37(5) GDPR): according to the CNPD, this objective is met if the DPO has at least three years of professional data protection experience. In this case, however, the audit report pointed out that the DPO did not have any particular expertise in data protection at the time of his appointment, but had been appointed because he already held the position of "Chief Compliance & Legal Officer" within the Company. In response to this finding of the audit report, the Company sent additional documents to the CNPD proving that the DPO had more than three years of professional experience in the field of data protection;
  • a violation of the obligation to involve the DPO in all matters related to the protection of personal data (Article 38(1) GDPR): according to the CNPD, this objective is met if the DPO formally and regularly participates in the executive committee, project coordination committees, new product committees, security committees or any other committee deemed useful in the context of data protection. The audit report pointed out that this was not foreseen in the Company's procedures. The Company took steps to formalize the involvement and presence of the DPO in the structural consultative bodies, as well as in internal procedures and policies, as a measure to be in line with the legislation and the guidelines of the WP29;
  • a violation of the obligation to provide the DPO with the necessary resources (Article 38(2) GDPR): according to the CNPD, this objective is met if at least one full-time equivalent (FTE) is allocated to the DPO team (i.e. one person working full time as a DPO), and the DPO has the opportunity to rely on other services, such as the legal department, IT, security, etc. During the audit, it was found that the resources allocated to the data protection team were approximately 0.7 FTE. In addition, the time allocated to the DPO for data protection tasks was not defined. In response to the audit report, the Company announced that the management had decided that the DPO would carry out his duties on a full-time basis (one FTE);
  • a violation of the obligation to ensure that the DPO has the task of monitoring compliance with the GDPR and with the policies of the controller (Article 39(1) GDPR): according to the CNPD, this objective is met if the organisation has a formalized data protection control plan in which the monitoring tasks of the DPO team are defined. The audit report found that the Company had some specific procedures in place (such as for answering data subject requests), but did not have monitoring procedures in place. In response to this finding, the Company disclosed documents to show that internal compliance and monitoring procedures had been implemented regarding the processing of personal data, and that those procedures were frequently revised.

Although the audit report had identified four data protection violations and had proposed to impose a sanction based on all four violations, the CNPD only upheld two breaches in its decision, taking into account the measures that were already implemented by the organization in the course of the audit proceeding to remedy the breaches of Article 38(1) GDPR and Article 39(1)(b) GDPR. The CNPD noted however that these measures were taken after the start of the investigation, and that the Company had therefore failed to be compliant beforehand. As a result, the CNPD imposed a fine of €13,200 on the Company.


Further Resources

The decision (in French): https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2021/Decision-36FR-2021-sous-forme-anomyisee.pdf

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation N° 36FR/2021 of October 13, 2021 - fine
02/11/2021
Thematic survey campaign on the function of the data protection officer.
To know more: Deliberation N° 36FR/2021 of October 13, 2021 - fine (PDF - 747 KB)
Last update 02/11/2021