CNPD (Luxembourg) - Délibération n° 36FR/2021
| Field | Value |
|---|---|
| Relevant Law | Article 38(1) GDPR, Article 39(1)(b) GDPR, Article 83(2) GDPR, Article 83(3) GDPR |
| National Case Number/Name | Délibération n° 36FR/2021 |
| European Case Law Identifier | n/a |
| Original Source | Délibération n° 36FR/2021 (in FR) |
| Initial Contributor | Matthias Smet |
The Luxembourg DPA (CNPD) fined a company €13,200 for two violations of the GDPR identified in the course of an audit on the role of the Data Protection Officer (DPO) within a company. The CNPD originally found four violations, but only upheld two of them because the company had already taken measures to remedy the other two breaches.
English Summary
Facts
Given the importance of the role of DPOs within organizations which need to appoint one, the Luxembourg DPA (the CNPD) launched an audit campaign on the DPO's function defining 11 audit objectives. As part of this campaign, the CNPD carried out 28 audits within different organizations.
Holding
During the audit proceeding carried out by the CNPD on the role of the DPO within a company (hereafter, the Company), the CNPD found that the Company had failed to comply with several obligations relating to the appointment and role of the DPO. In particular:
- a violation of the obligation to appoint the DPO based on his/her professional qualities (Article 37(5) GDPR): according to the CNPD, this objective is met if the DPO has at least three years of professional data protection experience. In this case, however, the audit report pointed out that the DPO did not have any particular expertise in data protection at the time of his appointment, but had been appointed because he already held the position of "Chief Compliance & Legal Officer" within the Company. In response to this finding of the audit report, the Company sent additional documents to the CNPD proving that the DPO had more than three years of professional experience in the field of data protection;
- a violation of the obligation to involve the DPO in all matters related to the protection of personal data (Article 38(1) GDPR): according to the CNPD, this objective is met if the DPO formally and frequently participates in the executive committee, project coordination committees, new product committees, security committees or any other committee deemed useful in the context of data protection. The audit report pointed out that this was not foreseen in the Company's procedures. The Company took steps to formalize the involvement and presence of the DPO in the structural consultative bodies, as well as in internal procedures and policies, as a measure to be in line with the legislation and the guidelines of the WP29;
- a violation of the obligation to provide the DPO with the necessary resources (Article 38(2) GDPR): according to the CNPD, this objective is met if at least one full-time equivalent (FTE) is allocated to the DPO team (i.e. one person working full time as a DPO), and the DPO has the opportunity to rely on other services, such as the legal department, IT, security, etc. During the audit, it was found that the resources allocated to the data protection team were approximately 0.7 FTE. In addition, the time allocated to the DPO in terms of data protection tasks was not defined. In response to the audit report, the Company announced that the management had decided that the DPO would carry out his duties on a full-time basis (one FTE);
- a violation of the obligation to ensure that the DPO has the task of monitoring compliance with the GDPR and with the policies of the controller (Article 39(1) GDPR): according to the CNPD, this objective is met if the organisation has a formalized data protection control plan in which the monitoring tasks of the DPO team are defined. The audit report found that the Company had some specific procedures in place (such as for answering data subject requests), but did not have monitoring procedures in place. In response to this finding, the Company disclosed documents to show that internal compliance and monitoring procedures were implemented regarding the processing of personal data, and that those procedures were frequently revised.
Although the audit report had identified four data protection violations and had proposed to impose a sanction based on all four violations, the CNPD only upheld two breaches in its decision, taking into account the measures that were already implemented by the organization in the course of the audit proceeding to remedy the breaches of Article 38(1) GDPR and Article 39(1)(b) GDPR. The CNPD noted however that these measures were taken after the start of the investigation, and that the Company had therefore failed to be compliant beforehand. As a result, the CNPD imposed a fine of €13,200 on the Company.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Source: Délibération n° 36FR/2021 of 13 October 2021 - fine (PDF, 747 KB), published by the CNPD on 02/11/2021 in the context of its thematic survey campaign on the function of the data protection officer.