CNPD (Luxembourg) - n° 38FR/2021

From GDPRhub
CNPD (Luxembourg) - n° 38FR/2021
LogoLU.png
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 37(7) GDPR
Article 38(1) GDPR
Article 38(2) GDPR
Article 39(1)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 15.10.2021
Published:
Fine: 18.000 EUR
Parties: n/a
National Case Number/Name: n° 38FR/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: CNPD (in FR)
Initial Contributor: Florence D'Ath

Following an audit, the Luxembourg DPA (CNPD) imposed a fine of €18,000 on a public entity because of four breaches relating to the role and position of its Data protection Officer (DPO), and issued an injunction against that public entity to bring its practices in compliance with the GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the role of the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR).

One of these audit proceedings concerned a Luxembourg public entity (hereafter, the Public Entity). During the audit, it was found by the head of investigation of the CNPD that :

(1) the Public Entity had failed to publish the contact details of its DPO on its website in a way that made them easily accessible for data subjects, in breach of Article 37(7) GDPR. In particular, the contact details were not easy to find and only accessible in English. The Public Entity decided to address this issue in the course of the investigation and published the contact details of the DPO in another language on its website.

(2) the Public Entity had appointed an external DPO - a lawyer specialized in data protection law - on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, in compliance with Article 37(5) GDPR;

(3) the Public Entity had failed to ensure that the DPO was involved, properly and in a timely manner, in all issues which relate to the protection of personal data, in breach of Article 38(1) GDPR;

(4) the Public Entity had failed to implement the necessary control procedures that would have allowed the external DPO to duly monitor the compliance of the Public Entity's data processing practices with the GDPR, in breach of Article 39(1)(b) GDPR;

(5) the Public Entity had failed to allocate to the external DPO the necessary resources for the latter to carry out his/her tasks, in breach of Article 38(2) GDPR;

(6) the Public Entity was not responsible for (potential) conflict of interest of the external DPO under Article 38(6) GDPR, the latter being an external DPO and a lawyer subject to the Luxembourg law of 10 August 1991 on the profession of attorney and deontological rules.

Holding[edit | edit source]

Following the audit and the report from the head of investigation, the CNPD found that the Public Entity had been in breach of four distinct obligations relating to the role of the DPO under the GDPR, as specified below.

Regarding the breach of Article 37(7) GDPR, the CNPD considered that the contact details of the DPO were not easy to find on the website of the Public Entity, and were only accessible in English, and not in any of the official languages of the Grand Duchy of Luxembourg. Despite this issue having been addressed by the Public Entity in the course of the investigation, the CNPD considered that there had been a breach of Article 37(7) GDPR.

Regarding the breach of Article 38(1) GDPR, the CNPD considered that the DPO had not been sufficiently involved in all issues relating to data protection law. In particular, the CNPD pointed out that the external DPO could not voluntarily intervene but only acted when requested to do so by the Public Entity. The fact that the Public Entity decided, in the course of the investigation, to also appoint an internal DPO who is more regularly involved in all issues relating to data protection, does not remedy this initial breach. The CNPD therefore concluded that the Public Entity was in breach of Article 38(1) GDPR at the time of the investigation.

Regarding the breach of Article 39(1)(b) GDPR, the CNPD concurred with the opinion of the head of the investigation, according to which the Public Entity had failed to implement the necessary control procedures that would have allowed the external DPO to duly monitor the compliance of the Public Entity's data processing practices with the GDPR. The CNPD acknowledged that it is possible for an organization to rely on the services of an external DPO, such as a lawyer, for monitoring compliance with the GDPR. However, the CNPD specified that the role of the external DPO must then be formalized in the form of a control plan or monitoring procedures, to ensure that the DPO is able to effectively advise and accompany the organisation for the purpose of data protection compliance. Because such control plan or monitoring procedures had not been put in place at the time the investigation was initiated, the CNPD concluded that the Public Entity had breached Article 39(1)(b) GDPR.

Regarding the breach of Article 38(2) GDPR, the CNPD found that Public Entity had failed to allocate to the external DPO the necessary resources for the latter to be able to carry out his/her tasks. In particular, the CNPD noted that the number of hours where the DPO worked for the Public Entity did not amount to a full-time employee. Rather, the DPO usually worked between 20 and 108 hours every month, which amounts to 12,5 to 70% of a full time employee. Although the Public Entity addressed this issue by hiring another DPO in the course of the investigation, the CNPD concluded that the Public Entity had been in breach of Article 38(2) GDPR prior to this change.

For all these reasons, the CNPD issued an injunction against the Public Entity to bring its practices in compliance with the GDPR for the remaining breaches (with a deadline of 6 months for remedying those breaches), and also imposed an administrative fine of €18,000 on the Public Entity.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

  Decision of the National Commission sitting in restricted formation on

      the outcome of survey No. [...] conducted with public establishment A

                          Deliberation n ° 38FR / 2021 of October 15, 2021



The National Commission for Data Protection sitting in a restricted body,

composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc

Lemmer, commissioners;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the

protection of individuals with regard to the processing of personal data

and the free movement of such data, and repealing Directive 95/46 / EC;


Having regard to the law of 1 August 2018 on the organization of the National Commission for the Protection of

data and the general data protection regime, in particular Article 41 thereof;



Having regard to the internal regulations of the National Commission for Data Protection

adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular its article 10.2;


Having regard to the regulations of the National Commission for Data Protection relating to the procedure

of inquiry adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular its article

9;


Considering the following:
















   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                         the survey n ° [...] carried out with the public establishment A
                                                                                                   1/33 I. Facts and procedure


1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and

the importance of its integration into the body, and considering that the guidelines

concerning DPOs have been available since December 2016, i.e. 17 months before entry into

application of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016

on the protection of individuals with regard to the processing of personal data
personal data and the free movement of such data, and repealing Directive 95/46 / EC (regulation

General on Data Protection) (hereinafter: the "GDPR"), the National Commission for

data protection (hereinafter: the “National Commission” or the “CNPD”) has decided to

launch a thematic survey campaign on the function of the DPO. Thus, 25 audit procedures

were opened in 2018, involving both the private and public sectors.


2. In particular, the National Commission decided by deliberation n ° […] of September 14

2018 to initiate an investigation in the form of a data protection audit of

public establishment A, established in L [...], and registered in the trade and companies register under

the number J […] (hereafter: the “controlled”) and to designate Mr. Christophe Buschmann
as head of investigation. The said deliberation specifies that the investigation relates to the compliance of the

controlled with section 4 of chapter 4 of the GDPR.


3. The controlled is a public establishment […] under the supervision of the Ministry […]. […] Control

has as mission […]


4. By letter of September 17, 2018, the head of the survey sent a questionnaire

preliminary to the control, to which the latter replied by letter of October 5, 2018.

first on-site visit took place on January 24, 2019, a second on-site visit took place on 27

May 2019 and additional information was received on July 23, 2019. Following these

exchanges, the head of the investigation drew up the audit report no. […] (hereafter: the "audit report").






1The guidelines for DPOs were adopted by the “Article 29” working group on 13 December
2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017.

   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                           the survey n ° [...] carried out with the public establishment A
                                                                                                        2/335. It emerges from the audit report that in order to verify the compliance of the inspected with section 4

of Chapter 4 of the GDPR, the head of the investigation defined eleven control objectives, namely:


    1) Ensure that the body subject to the obligation to appoint a DPO has done so;
    2) Make sure that the organization has published the contact details of its DPO;

    3) Ensure that the organization has communicated the contact details of its DPO to the CNPD;

    4) Ensure that the DPO has sufficient expertise and skills to

        carry out its missions effectively;

    5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest;

    6) Ensure that the DPO has sufficient resources to effectively carry out
        his missions ;

    7) Ensure that the DPO is able to carry out his missions to a sufficient degree

        autonomy within their organization;

    8) Ensure that the organization has put in place measures to ensure that the DPO is associated with

        all matters relating to data protection;

    9) Ensure that the DPO fulfills his mission of information and advice to the
        data controller and employees;

    10) Ensure that the DPO exercises adequate control over data processing within

        his body;

    11) Ensure that the DPO assists the data controller in carrying out the

        impact analyzes in the event of new data processing.


6. By letter of February 14, 2020 (hereafter: the “statement of objections”), the Chief
of investigation informed the control of the breaches of the obligations provided for by the GDPR that it has

noted during its investigation. The audit report was attached to the letter of February 14, 2020.



7. In particular, the head of the investigation noted in the statement of objections

breaches of:
                                                         2
     the obligation to publish the contact details of the DPO;
     the obligation to appoint the DPO on the basis of his professional qualities; 3




2
3Objective 2
 Objective n ° 4
   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                       3/33  the obligation to involve the DPO in all matters relating to data protection

        of a personal nature; 4

     the obligation to provide the necessary resources to the DPO; 5

     the obligation to ensure that the other missions and tasks of the DPO do not lead to

        conflict of interest ;

     the DPD's control mission. 7



8. On August 10, 2020, the head of the investigation sent the inspectorate an additional letter to the

statement of objections (hereinafter: the "additional letter to the communication of

grievances ") by which he informs the inspectorate of the corrective measures proposed by the head of investigation

to the National Commission sitting in a restricted formation (hereinafter: the “restricted formation”)
to adopt.



9. The inspector replied to the additional letter to the statement of objections with a

letter dated September 14, 2020 in which he presents his observations for each

breach retained by the head of the investigation.



10. In addition, the inspected, on October 28, 2020, requested access to the investigation file

concerning him. Access to the investigation file was sent to it by the National Commission on 9

November 2020.


11. The president of the restricted formation informed the control by letter of April 12, 2021

that his case would be entered at the restricted session on June 16, 2021 and that he could

attend this session. The controlled informed by email of May 25, 2021 that he would participate in

said session.


12. During the restricted training session on June 16, 2021, the head of the investigation and the

controlled presented their oral observations on the case and answered questions posed

through restricted training. The controlled had the floor last.



4Objective 8
5Objective 6
6Objective 5
7Objective n ° 10
   ______________________________________________________________________


               Decision of the National Commission sitting in restricted formation on the outcome of
                           the survey n ° [...] carried out with the public establishment A
                                                                                                           4/3313. The inspected provided additional information by email of June 17, 2021, continued

to a request in this direction of the restricted training.


    II. Place



    A. On the failure to publish the contact details of the DPO


        1. On the principles



14. Article 37.7 of the GDPR provides for the obligation for the audited body to publish the

contact details of the DPD. Indeed, it follows from Article 38.4 of the GDPR that the persons concerned

must be able to contact the DPO regarding any questions relating to the
processing of their personal data and the exercise of the rights conferred on them by

GDPR.



15. The DPO guidelines explain in this regard that this requirement is aimed at

to ensure that "the persons concerned (both inside and outside the organization)
can easily and directly contact the DPO without having to contact another

agency service ". The guidelines also state that “the contact details of the

DPD must contain information allowing the data subjects to contact him

easily (a postal address, a specific telephone number and / or a
                                    8
specific e-mail) ”.


16. In addition, Article 12.1 of the GDPR provides that the controller must take

appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR in
regarding the processing to the data subject in a concise, transparent manner,

understandable and easily accessible, in clear and simple terms. Among the information

which must be sent to the person concerned is the information relating to contact details

of the DPD, in accordance with Articles 13.1.b) and 14.1.b) of the GDPR.




8
 WP 243 v.01, version revised and adopted on April 5, 2017, p.15
   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                      5/33 2. In the present case



17. It follows from the audit report that, in order for the head of the investigation to consider objective 2 as

reached by the inspected as part of this audit campaign, the head of the investigation expects this

that the audited body publish the contact details of its DPO internally within the body
and externally to the public, which represents the data subjects of the processing. the

DPD must be able to be contacted easily and directly via a suitable communication channel

To those concerned. Active internal communication is expected, notably via
emails, newsletters or dedicated spaces on the intranet. Externally, it is at least

whereas the DPD's contact details are easily accessible on the website of

the body.


18. It is apparent from the statement of objections that, during the first visit by the staff of the

CNPD in charge of the investigation on January 24, 2019, the DPD's contact details were difficult to find

find on the website of the inspected insofar as, on the one hand, the website did not contain

no section dedicated to data protection and, on the other hand, the relative information notice
data protection was only available in English, without translation in any of the

official languages of Luxembourg.


19. The inspector made changes during the investigation in order to remedy this

problem. In fact, it initially created a data protection section on
its website and, in a second step, added links to download

French and German versions of the information leaflet in PDF format.


20. The head of the investigation therefore concluded in the statement of objections that, during

investigation, the DPD's contact details had become more easily accessible to

persons concerned.


21. However, as explained on page 2 of the statement of objections, '[t] he facts taken into account
account in the context of this [statement of objections] are those noted at the beginning of

investigation. Subsequent changes, even if they ultimately allow

to establish the compliance of the controller, do not allow the cancellation of a breach

found. "
   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                         the survey n ° […] carried out with the public establishment A 6/3322. In this context, the restricted committee notes that the GDPR has been applicable since 25

May 2018 so that the obligation to publish the contact details of the DPO, as well as the principle of
transparency as set out in Article 12.1 of the GDPR, have existed since that date. Publish the

contact details of the DPO on a website without taking the necessary measures to ensure

that the people concerned are able to find the information and understand it comes back

to render meaningless the obligation of Article 37.7 of the GDPR.


23. In view of the above, the restricted panel concludes that Article 37.7 of the GDPR has no

not respected by the inspected.


    B. On the failure to appoint the DPO on the basis of his qualifications

        professional



            1. On the principles



24. According to article 37.5 of the GDPR, "[the DPO] is appointed on the basis of his
professional skills and, in particular, his specialized knowledge of the law and

in terms of data protection […] ”.



25. According to recital (97) of the GDPR, “[t] he level of specialist knowledge

required should be determined in particular on the basis of data processing operations
carried out and the protection required for personal data processed by the

controller or processor ”.



26. In addition, the guidelines of the “Article 29” Working Group concerning DPOs

specify that the level of expertise of the DPO "must be proportionate to the sensitivity, to the complexity
and the volume of data processed by an organization "and that" it is necessary that the DPOs

have expertise in the field of national laws and practices and





9
 WP 243 v.01, version revised and adopted on April 5, 2017, p. 13
   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                      7/33 in terms of data protection, as well as in-depth knowledge
            10
of the GDPR ”.


27. The DPO guidelines go on to state that “[t] he is aware of the

line of business and body of the controller is useful. The DPD should

also have a good understanding of the processing operations carried out, as well
information systems and the controller needs in terms of

data protection and security ”.11



            2. In this case



28. It follows from the audit report that, as part of this audit campaign, for the

investigator considers objective 4 as achieved by the controlled, the investigator expects

that the DPO has at least three years of professional experience in protection

Datas.


29. According to the statement of objections, page 3, on the date of the initiation of the audit, a DPO

was in office and “[s] he had all the skills required in

legal (lawyer registered with the Luxembourg Bar) and data protection (certificate

CIPP / E) ”.


30. A new internal DPO was however appointed during the investigation in April 2019.

According to the statement of objections, page 3, this new internal DPO “is also responsible

[…] And he has the knowledge of the domain and the structure. Nevertheless, it is advisable to

note that he has no initial training in legal matters, data protection and
IT, nor does it justify a previous practice in the matter ".



31. In its position paper of September 14, 2020, the inspector wished to underline the

difficulties he had to face in recruiting a DPO with the right profile, namely a
experienced person with knowledge of the operation of the […] sector. the

controlled board of directors qualifies the first external recruitment as an "attempt


10WP 243 v.01, version revised and adopted on April 5, 2017, p. 14
11WP 243 v.01, version revised and adopted on April 5, 2017, p.14

   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                      8/33 failed ”and chose to appoint as DPD an experienced internal employee able to

to understand the challenges of the […] sector and the regulatory complexity that characterizes it. the

controlled considers that this knowledge of the trade is an important and priority criterion in

look at its specific sector.

The inspected adds that the new internal DPO has taken several training courses in

data protection between 2017 and 2019, as regular weekly coaching with

the assistance of a law firm specializing in data protection was in place

since April 2019 and that the DPO has participated monthly since December 2018 in the sessions

of the informal public sector working group […].


In addition, the DPO has the opportunity to rely on daily, for the performance of his missions,

on the contribution of the teams […] and, on the IT department, on the legal department, on

the risk management expert and any other internal resource deemed useful. Since September

2017, the inspected set up "GDRP points of contacts", consisting of the designation of

a few people belonging to the different trades of the inspected to be the relay
        12
of the DPD.


32. The restricted formation notes that, according to the head of the investigation, the formations relating to

the data protection which the internal DPO has assisted since his appointment, as well as

the fact that he has access to a number of internal and external supports in the execution of his
missions, cannot be sufficient to establish, at the time of the appointment of the new internal DPO,

the existence of sufficient expertise adapted to the needs of the inspected in terms of protection

Datas . 13



33. However, as noted on page 2 of the statement of objections, '[t] he facts

taken into account in the context of this are those observed at the start of the investigation ".


34. However, the restricted committee noted that at the start of the investigation, an external DPO was in

function and, as noted by the head of the investigation and repeated in point 29 of this




12 Report of the visit of January 24, 2019, page 3
13 Communication of Grievances, page 3.

   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                       9/33 decision, he had all the required skills in legal and

data protection.


35. In view of the foregoing, the restricted panel concludes that there is no need to retain a

breach of Article 37.5 of the GDPR.


    C. On the breach of the obligation to involve the DPO in all matters relating to the

        protection of personal data



           1. On the principles


36. According to Article 38.1 of the GDPR, the organization must ensure that the DPO is involved, in a

in an appropriate and timely manner, to all data protection matters

of a personal nature.


37. The DPO Guidelines state that “[i] t is essential that the DPO, or

his team, is involved from the earliest possible stage in all questions relating to

data protection. [...] Information and consultation of the DPO from the start will allow

facilitate compliance with the GDPR and encourage an approach based on the protection of

data by design; it should therefore be a usual procedure within the
governance of the organization. In addition, it is important that the DPO is considered as a

interlocutor within the organization and that he or she is a member of the working groups dedicated to

data processing activities within the organization ". 14


38. The DPO guidelines provide examples on how to

to ensure this association of the DPO, such as:


     invite the DPO to participate regularly in senior management meetings and

        intermediate ;

     recommend the presence of the DPO when decisions with implications for

        data protection matters are taken;


14
  WP 243 v.01, version revised and adopted on April 5, 2017, page 16
   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                    10/33  always take due account of the opinion of the DPO;
     immediately consult the DPD when a data breach or other incident occurs

        product.



39. In addition, according to the guidelines for DPOs, the body could, if
as appropriate, develop guidelines or programs for the protection of

data indicating the processing operations in which the DPO must be consulted.


           2. In this case



40. It emerges from the audit report that, in order for the investigator to consider objective 8 as

completed by the inspected as part of this audit campaign, he expects the DPD
participates in a formal manner and on the basis of a defined frequency in the Management Committee,

project coordination committees, new product committees, safety committees or

any other committee deemed useful in the context of data protection.


41. According to the statement of objections, page 4, the external DPO who was in office at the start

of the audit had a role that was characterized as essentially "reactive". "[His] implication was therefore

relatively limited. He intervened mainly at the explicit request of the person in charge of
treatment and not spontaneously ”. The audit report, page 9, specifies that the implication

of the external DPO was characterized more particularly by a "low participation in

recurring meetings, only by invitation when the need has been estimated ”.


42. In its position paper of September 14, 2020, page 6, the inspected considers that the

description by the head of investigation of the essentially reactive role of the external DPO depending on the
start of the investigation is inaccurate and amounts to minimizing the involvement of the external DPO, as in

certifies the record of hours worked on several projects […].


43. The new internal DPO, for his part, participates more easily in the various meetings of the

projects. The feedback is facilitated by proximity and the various relays in place

in the structure. In addition, according to the audit report, page 9, the internal DPO is a guest
standing of the control executive committee (frequency every two weeks) and a point


   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                         the survey n ° [...] carried out with the systematic public establishment A 11/33 "GDPR" is on the agenda of each board of directors which takes place every

three months.



However, according to the audit report, page 9, a precise circuit concerning the opinions to be rendered by
the DPD is not yet clearly defined, due to the recent designation of the internal DPD.


44. In its position statement of September 14, 2020, the inspected informs the CNPD about the

establishment of an internal process ([...]) to formalize and document the DPD's association

questions relating to data protection. This internal process is implemented

systematically for each new activity […] of the control and aims to allow:


     prior documentation and systematic feedback to the DPO before

        the implementation of the controlled treatments, and this at the latest at the time of the

        in place of contracts,
     the upstream identification of sensitive data protection points,

     the upstream review of information notices and consent forms distributed

        […],

     raising awareness among operational teams and exchanges with them, in
        an optic of privacy by design, and

     planning or carrying out data protection impact analyzes.



45. The audit also specifies that the involvement of the DPD in matters of protection of
data is also carried out on the initiative of the teams or the DPD himself as part of the review

documentary, the co-signing of contracts relating to data protection, the design of

control projects, assistance to internal teams in carrying out analyzes

impact and the participation of the DPO in the executive committee as a permanent guest.


46. The restricted formation takes note of the establishment by the control of a process
internal formalization and documentation of the involvement of the new internal DPO in matters

relating to data protection. If these measures should facilitate the association of the DPD

internal to all matters relating to data protection, it is nevertheless advisable to
note that these were decided during the investigation.


   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                          the survey n ° […] carried out with the public establishment A 12/3347. Indeed, as explained on page 2 of the statement of objections, '[t] he facts taken into account

account in the context of this [statement of objections] are those noted at the beginning of

investigation. Subsequent changes, even if they ultimately allow

to establish the compliance of the controller, do not allow the cancellation of a breach
found. "


48. The restricted panel is of the opinion that the test did not sufficiently demonstrate

the association of the external DPO, depending at the start of the investigation, in an appropriate manner and in

timely in all matters relating to data protection.


49. Consequently, the restricted panel agrees with the finding of the head of the investigation that,

at the start of the investigation, the controller was not able to demonstrate that the

External DPD was appropriately involved in all matters relating to protection

personal data.


50. In view of the above, the restricted panel concludes that Article 38.1 of the GDPR has no

not respected.


    D. On the breach relating to the DPO's control mission



           1. On the principles


51. According to Article 39.1 b) of the GDPR, the DPO has, among others, the task of "monitoring compliance

of this Regulation, other provisions of Union law or the law of the Member States in
data protection and internal rules of the controller or of the

processor in the protection of personal data, including

concerns the distribution of responsibilities, awareness and training of staff

participating in processing operations, and related audits ". Recital (97) specifies
that the DPO should help the organization verify internal compliance with the GDPR.






   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                   13/33 15
52. It follows from the guidelines concerning DPOs that the DPO may, within the framework of
its control tasks, in particular:



    - collect information to identify processing activities;
    - analyze and verify the compliance of processing activities;

    - inform and advise the controller or the processor and formulate

        recommendations to him.


            2. In this case



53. It emerges from the audit report that, in order for it to be able to consider objective 10 as fulfilled

by the control as part of this audit campaign, the head of the investigation expects that

"The organization has a formalized data protection control plan
(even if it is not yet executed) ".



54. According to the statement of objections, page 5, "it emerged from the investigation that the body did not

has no formalized controls specific to data protection. In a logic
day-to-day management of data protection, and given the volume of data

processed and the sensitivity of some of these data (see preliminary remarks), it is

whereas the DPD's control missions are better formalized, for example with

the establishment of a control plan ".


55. In its position paper of September 14, 2020, the inspected indicates that the verification of the

compliance of the controller with the GDPR is ensured through the implementation of
following means:



    - the legal review of the processing register controlled by a law firm
        specialists in data protection, from January to October 2019,

    - an internal audit subcontracted to an audit firm covering organizational aspects,

    - an external audit carried out by an audit firm, in order to assess the compliance of the control

        […].



15WP 243 v.01, version revised and adopted on April 5, 2017, page 20
   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                           the survey n ° [...] carried out with the public establishment A
                                                                                                        14/3356. The restricted committee notes that article 39.1 of the GDPR lists the missions that the

DPD must at least be entrusted with the task of monitoring compliance with the GDPR, without however
require the body to put in place specific measures to ensure that the DPO can

accomplish its control mission. The DPO guidelines indicate in particular

that the keeping of the register of processing activities referred to in Article 30 of the GDPR may be entrusted

to the DPO and that "this register must be considered as one of the tools allowing the DPO

to carry out its tasks of monitoring compliance with the GDPR, as well as informing and advising the
controller and processor ”.6



57. In addition, the restricted formation notes that it is rightly specified on page 2 of the

statement of objections (under "preliminary remarks") that "the requirements of the GDPR do not

are not always strictly defined. In such a situation, it is up to the supervisory authorities
to verify the proportionality of the measures put in place by the data controllers in the

with regard to the sensitivity of the data processed and the risks incurred by individuals

concerned ”.



58. In this context, the restricted training is of the opinion that it is possible for an organization to
use external service providers to verify its compliance with the GDPR. However, this call

to external service providers must be formalized, and this must not result in

completely withdraw this mission from the function of DPD. Indeed, the organization's DPO must complete

its role of monitoring compliance with the GDPR by participating in the formalization of a control plan

and by being associated with the exercise of said control by external service providers, in particular by
accompanying the work carried out, to then be able to complete with knowledge of

causes its advisory and information mission in accordance with Article 39.1 a) of the GDPR.


59. In the present case, the inspected did not demonstrate that, at the start of the investigation, a monitoring plan

compliance with the GDPR would have been formalized or that the external DPO then in office was associated with the

control carried out by external service providers. Therefore, the restricted formation is of opinion

that the inspected does not sufficiently demonstrate that the external DPO in office at the start of the
the investigation fulfilled this monitoring mission expected by Article 39.1 b) of the GDPR.




16
  WP 243 v.01, version revised and adopted on April 5, 2017, page 22
   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                      15/3360. In view of the above, the restricted panel concludes that Article 39.1 b) of the GDPR has no

not respected by the inspected.




    E. On the failure to provide the necessary resources to the DPO


            1. On the principles



61. Article 38.2 of the GDPR requires the organization to help its DPO "to carry out the tasks

referred to in Article 39 by providing the necessary resources to carry out these missions, as well
that access to personal data and processing operations, and allowing it

maintain their specialized knowledge ".



62. It follows from the guidelines on DPOs that the following aspects must be
                                        17
in particular to be taken into consideration:


    - "sufficient time for the DPOs to be able to accomplish their tasks." This aspect is

        particularly important when an internal DPO is appointed part-time or when
        the external DPO is responsible for data protection in addition to other tasks.

        Otherwise, conflicting priorities could lead to the DPO's tasks being

        neglected. It is essential that the DPO is able to devote sufficient time to his

        missions. It is good practice to set a percentage of time devoted to the function

        of DPD when this function is not occupied full time. It is also of good
        practice of determining the time required to perform the function and the level of

        appropriate priority for the tasks of the DPO, and that the DPO (or the body) establish a

        workplan ;

    - necessary access to other services, such as human resources, service

        legal, IT, security, etc., so that DPOs can receive
        the support, contributions and essential information of these other services ”.





17
  WP 243 v.01, version revised and adopted on April 5, 2017, page 17
   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                           the survey n ° [...] carried out with the public establishment A
                                                                                                       16/3363. The DPO guidelines state that "[d] in general, more

the processing operations are complex or sensitive, plus the resources allocated to the DPO

should be significant. The data protection function must be effective and equipped with

adequate resources with regard to the data processing carried out ”.


           2. In this case



64. It emerges from the audit report that in view of the size of the organizations selected under
of this audit campaign, so that the head of the survey considers objective 6 as fulfilled by the

controlled, he expects the controlled to have at least one FTE (full-time equivalent) for

the data protection team. The investigator also expects
the DPO has the possibility to rely on other services, such as the legal service,

IT, security, etc.



65. According to the audit report, the external DPO in office at the start of the investigation had a role
essentially "reactive". The hour records of this one oscillate between 8 p.m. and 108

hours per month, i.e. between 0.125 FTE and 0.7 FTE.


66. The monthly breakdown of these hours worked by the external DPO is detailed in the

report of the on-site visit of May 27, 2019, page 2, as follows: 8 p.m.

September 2018, 53 hours in October 2018, 57.2 hours in November 2018, 50.4 hours in
December 2018, 122.2 hours in January 2019, 103.9 hours in February 2019 and 108.6 hours in

March 2019. The restricted formation notes that this makes an average of 73.6 hours

worked per month over this 7-month period, i.e. an average monthly FTE of 0.46.


67. In view of these elements, the restricted committee understands that the external DPO has

started working hours as part of his assignments only from September
2018. In addition, most of his hours were worked between January and March 2019.


68. However, the restricted committee recalls that the GDPR entered into force on May 25, 2018.

It was therefore from May 2018 that the audited body had the obligation to comply with the GDPR by

designating a DPO exercising his function effectively and efficiently.


   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                         the survey n ° […] carried out with the public establishment A 17/3369. The audit report indicates that the new internal DPO estimated his time

more than 70% of work on data protection issues compared to all

its tasks. It is also specified that legal support by an external firm has been obtained

at the rate of one day a week, the sole legal competence of the inspected cannot provide
only limited support for the internal DPO. The inspected also benefited from assistance by a

audit firm in the conduct of the audited "GDPR" roadmap.



70. In the statement of objections, page 4, the head of the investigation states that "given
the existence of complex or sensitive processing operations (see preliminary remarks),

a high level of resources is expected ”. However, the head of the investigation noted that "the new

DPD [internal], who also holds the function of manager […] for [the inspected], assessed
more than 70% of the time devoted to his duties as DPO "and that" the controller

was not able to demonstrate the accomplishment of the control missions. This

finding is likely to highlight an inadequacy between resources and means

made available to the DPO and the needs of the controller ”.


71. In his position paper of September 14, 2020, the inspected indicates that the new DPO
internal, also responsible […] at the time of his appointment, is now Head of

Compliance […], assisted by four other people for the management of responsibilities related to

compliance and risk management. According to the screening, the presence of these four other

people allows the Head of Compliance […] to concentrate on the functions of DPD.


72. In addition, to enable the Head of Compliance [...] to take on the role of internal DPO,
the inspected person has made available a budget allowing them to resort to external legal support

and adequate technique.


73. Finally, as noted in point 55 of this decision, the inspected indicates in its decision

position of September 14, 2020, that the mission of monitoring compliance with the GDPR by the inspected

is carried out with the help of external providers such as audit firms and lawyers
specialized. The controlled is of the opinion that the control mission provided for in Article 39.1 b) of the GDPR

is ensured and therefore that the resources and means provided for the purpose of such control are adequate

to the needs of the controlled.


   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                         the survey n ° […] carried out with the public establishment A 18/3374. The restricted formation recalls that, as was indicated in the communication
of the objections, page 2, and already noted in point 21 of this decision, “[t] he facts taken into account

in the context of this [investigation] are those observed at the start of the investigation. The

subsequent modifications, even if they ultimately allow the

compliance of the controller, do not allow the cancellation of a breach
found. "


75. In addition, the restricted panel agrees with the findings of the head of the investigation that

"Given the existence of complex or sensitive processing operations (see remarks

preliminary), a high level of resources is expected ”and that“ the person responsible for

processing was not able to demonstrate the accomplishment of the control tasks.
This finding is likely to highlight a mismatch between the resources and

means made available to the DPO and the needs of the controller ”.


76. Consequently, the restricted committee is of the opinion that the inspected could not demonstrate

adequately that the inspector has provided the external DPO in office at the start of the investigation with the

resources necessary to enable it to carry out its missions.


77. In view of the above, the restricted panel concludes that Article 38.2 of the GDPR has no

not respected by the inspected.



    F. On the breach of the obligation to ensure that the other missions and tasks of the DPO

        do not give rise to a conflict of interest


           1. On the principles




78. According to Article 38.6 of the GDPR, “[the DPO] may perform other tasks and tasks. the

controller or processor ensures that these assignments and tasks do not entail
no conflict of interest ".






   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                         the survey n ° [...] carried out with the public establishment A
                                                                                                   19/33 18
79. The DPO guidelines specify that “the DPO may not exercise at
within the body a function which leads it to determine the purposes and means of processing

of personal data ”. According to the guidelines, “as a general rule, among

functions likely to give rise to a conflict of interest within the organization may appear

senior management functions (for example: general manager, operational manager,

Chief Financial Officer, Chief Medical Officer, Head of Marketing Department, Head of
human resources or IT department manager), but also other roles in a

lower level of the organizational structure if these functions or roles involve the

determination of the purposes and means of processing. In addition, there may also be

conflicts of interest, for example, if an external DPO is called upon to represent the person responsible for
processing or subcontractor in court in matters relating to matters

related to data protection.


Depending on the activities, size and structure of the organization, it can be good

practice for data controllers or processors:

     identify the functions which would be incompatible with that of DPD;

     establish internal rules for this purpose, in order to avoid conflicts of interest;

     include a more general explanation of conflicts of interest;
     to declare that the DPO has no conflict of interest with regard to his function as

        DPD, with the aim of raising awareness of this requirement;

     to provide guarantees in the internal regulations of the body, and to ensure that

        the vacancy notice for the DPD function or the service contract is sufficiently precise

        and detailed to avoid any conflict of interest. In this context, it is also appropriate to
        keep in mind that conflicts of interest can take different forms depending on whether the

        DPD is recruited internally or externally ".



            2. In this case


80. It follows from the audit report that, in order for the head of investigation to consider objective 5 as

reached by the inspected as part of this audit campaign, he expects that, in the event

where the DPO performs other functions within the audited body, these functions do not entail


18WP 243 v.01, version revised and adopted on April 5, 2017, pages 19-20
   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                      20/33 no conflict of interest in particular through the exercise of functions which would lead the DPO to determine

the purposes and means of the processing of personal data. The head of the investigation

also expects the auditee to have carried out an analysis as to the existence of a possible

conflict of interest at the level of the DPO.


81. According to the statement of objections, page 5, "[t] he DPO who was in office at the start of

the audit was external and lawyer. There is a principle of managing conflicts of interest. "


82. The new DPO then appointed internally also exercised the function of

responsible […]. The statement of objections notes that "possible conflicts of interest are
likely to exist in view of the tasks performed for the two positions. Based on

DPD comments dated 12/08/2019, there is a policy of

management of potential conflicts of interest. However, the analysis of conflicts of interest between two

functions performed by the same person within the same [public institution] is not
planned. There is therefore no analysis of potential conflicts of interest between the function of DPD

and that of responsible […]. Based on the DPD's comments dated 12/08/2019, the

[controlled] will ensure that the various function sheets concerning the management of aspects are clarified.
related to data protection in order to distinguish more clearly between authorities, responsibilities

and missions ”.



83. In his position paper of September 14, 2020, the inspected indicates that the internal DPO
is now Head of Compliance […] of the organization. It also specifies that the

Head of Compliance and Risk Manager functions have been modified to include

more clearly the responsibilities and missions related to data protection.


84. The controlled conflict of interest policy was also updated in July 2020,

in order to introduce an obligation to analyze the risks of conflict of interest in the presence of a

accumulation of functions and have them arbitrated by the Controlled Board of Directors.


85. The controlled also maintains that the outsourcing of several aspects of the control of

the compliance implemented to date allows the inspectorate to rule out the risk of conflicts

interests in the control of management-related processes […]. Indeed, several aspects

   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                          the survey n ° [...] carried out with the public establishment A 21/33 of the control of the conformity of the treatments of the controlled (in particular those implemented in

as part of the exercise of the Compliance function) have been entrusted to external service providers,

as raised in point 55 of this decision.


86. By email dated June 17, 2021, the inspector sent the restricted formation the

conflict of interest policy as updated in July 2020.



87. The restricted committee recalls that, as indicated on page 2 of the
statement of objections and already noted in point 33 of this decision, '[t] he facts taken into account

taken into account in this [investigation] are those noted at the start of the investigation ".


88. The restricted committee notes that, at the start of the investigation, the DPO in office was a DPO

external who practiced the profession of lawyer within the Luxembourg Bar. The principles

ethics to which lawyers of the Luxembourg Bar are subject include the

principle according to which a lawyer cannot represent or assist parties with interests

opposing parties, nor representing or assisting a client in the event of a conflict with the personal interests of
                   19
the lawyer himself. This ethical principle is applicable to any lawyer registered with the Bar of
Luxembourg under the amended law of August 10, 1991 on the profession of lawyer and the Rules

Interior of the Luxembourg Bar Association as adopted by the Bar Council

dated January 10, 2013, without there being any obligation on the part of customers to verify the

good respect by the lawyer of this principle.


89. Therefore, the CNPD is of the opinion that it was not the responsibility of the data controller

check with their external DPO to ensure there is no conflict

of potential interests with other clients and / or subcontractors of the controlled, but on the contrary,

this obligation fell to the external DPO in application of the amended law of 10 August 1991 on
the profession of lawyer and ethical rules.



90. In view of the foregoing, the restricted panel concludes that there is no reason to retain a

breach of Article 38.6 of the GDPR.



19 Luxembourg Bar website, The legal profession, The deon https://www.barreau.lu/le-metier-d-

lawyer / deontology
   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                      22/33 III. On corrective measures and the fine



    A. Principles


91. In accordance with article 12 of the law of 1 August 2018 on the organization of

National Commission for Data Protection and the General Data Protection Regime

data, the National Commission has the powers provided for in Article 58.2 of the GDPR:


            a) "notify a controller or processor that the

               planned processing operations are likely to violate the provisions

               of these regulations;


            b) call a controller or a processor to order when the

               processing operations have resulted in a violation of the provisions of this

               regulation;


            c) order the controller or processor to comply with the

               requests made by the data subject to exercise their rights in

               application of these regulations;


            d) order the controller or processor to put the
               processing operations in accordance with the provisions of this Regulation,

               where appropriate, in a specific manner and within a specified timeframe;


            e) order the controller to communicate to the data subject

               a personal data breach;


            f) impose a temporary or permanent limitation, including a ban, on the

               processing ;


            g) order the rectification or erasure of personal data or the

               restriction of processing in application of Articles 16, 17 and 18 and the notification of


   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                     23/33 these measures to the recipients to whom the personal data have
                has been disclosed in accordance with Article 17 (2) and Article 19;


            h) withdraw a certification or order the certification body to withdraw a

                certification issued in application of Articles 42 and 43, or order the body

                certification not to issue certification if the requirements applicable to the

                certification are not or no longer satisfied;


            i) impose an administrative fine in application of Article 83, in addition
                or instead of the measures referred to in this paragraph, depending on the

                characteristics specific to each case;


            j) order the suspension of data flows addressed to a recipient located in

                a third country or an international organization. "


92. Article 83 of the GDPR provides that each supervisory authority ensures that fines

administrative requirements are, in each case, effective, proportionate and dissuasive,

before specifying the elements that must be taken into account in deciding whether to impose
an administrative fine and to decide on the amount of this fine:



            a) "the nature, gravity and duration of the violation, taking into account the nature,

                scope or purpose of the processing concerned, as well as the number of people
                affected parties and the level of damage they suffered;



            (b) whether the violation was committed willfully or negligently;


            c) any action taken by the controller or processor to

                mitigate the damage suffered by the persons concerned;


            d) the degree of responsibility of the controller or processor,

                given the technical and organizational measures they have implemented
                work under Articles 25 and 32;




   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                      24/33 e) any relevant breach previously committed by the person responsible for the

                processing or subcontractor;


            f) the degree of cooperation established with the supervisory authority in order to remedy the

                violation and mitigate any negative effects;


            g) the categories of personal data affected by the breach;


            h) the manner in which the supervisory authority became aware of the violation, in particular

                whether, and to what extent, the controller or processor has notified

                the violation ;


            (i) where measures referred to in Article 58 (2) have previously been
                ordered against the controller or processor concerned

                for the same purpose, compliance with these measures;


            j) the application of codes of conduct approved under Article 40 or

                certification mechanisms approved under Article 42; and


            k) any other aggravating or mitigating circumstance applicable to the circumstances

                of the species, such as the financial benefits obtained or the losses avoided,
                directly or indirectly, as a result of the violation ”.


93. The restricted panel would like to point out that the facts taken into account in the context of the

this decision are those noted at the start of the investigation. Any modifications

relating to the subject of the investigation carried out subsequently, even if they make it possible to establish

fully or partially compliance, do not allow retroactive cancellation of a
breach noted.



94. Nevertheless, the steps taken by the inspected to comply with
the GDPR during the investigation procedure or to remedy the shortcomings identified by the

head of investigation in the statement of objections are taken into account by the restricted committee

as part of any corrective measures and / or setting the amount of a

possible administrative fine to be pronounced.
   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                          the survey n ° […] carried out with the public establishment A 25/33 B. In the present case


            1. As to the imposition of an administrative fine



95. In his additional letter to the statement of objections of 10 August 2020, Chief
of investigation proposes to the restricted formation to pronounce a fine against the controlled person

administrative relating to the amount of 27,100 euros.



96. In order to decide whether to impose an administrative fine and to decide, if
of the amount of this fine, the restricted committee analyzes the criteria set by

Article 83.2 of the GDPR:



    - As to the nature and seriousness of the violation [article 83.2 a) of the GDPR], with regard to
        breaches of articles 37.7, 38.1, 38.2 and 39.1 b) of the GDPR, restricted training

        notes that the appointment of a DPO by an organization cannot be efficient and effective,

        namely to facilitate compliance with the GDPR by the body, only in the case where people

        concerned have the possibility of easily finding the contact details of the DPO to exercise
        their data protection rights, as well as in the event that the DPO has the

        resources necessary for the performance of its missions, is associated with all

        questions relating to data protection and effectively carries out its missions,

        including the task of monitoring compliance with the GDPR.


    - As for the duration criterion [article 83.2 a) of the GDPR], the restricted committee notes that:



        (1) the inspected modified its website during the investigation in order to
            to make the DPD's contact details more easily accessible to people

            concerned. In particular, a translation into French and German has been added to the

            website of the auditee in August 2019. The breach of Article 37.7 of the GDPR therefore

            lasted over time, at least between May 25, 2018 and August 2019.


        (2) the inspected informed the CNPD, in its position paper of September 14, 2020, of the

            establishment of an internal process of formalization and documentation of

   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                     26/33 the involvement of the new internal DPO in matters relating to the protection of
        data ([…]) from October 17, 2019. These measures have nevertheless been decided

        under investigation. The breach of Article 38.1 of the GDPR therefore lasted in the

        time, at a minimum between May 25, 2018 to October 19, 2019.


    (3) it has not been demonstrated by the inspectorate that the external DPO in office at the time of

        the opening of the investigation had the necessary resources to carry out its

        missions and that, according to the audit report, the new internal DPO estimates his time

        of work on data protection issues at around 70% compared to
        his other tasks. The breach of Article 38.2 of the GDPR therefore lasted in the

        time, from May 25, 2018, it being specified that the restricted training was not able to

        find that the breach has ended.


    (4) it was not demonstrated by the inspector that both the external DPO in office at the start

        of the investigation that the new internal DPO fulfilled their mission of monitoring

        compliance of the organization with the GDPR as part of their daily functions, the

        controlled having chosen to use external service providers, without
        demonstrated the involvement of external and internal DPOs in the organization of

        control. The breach of Article 39.1 b) of the GDPR therefore lasted over time,

        from May 25, 2018, it being specified that the restricted formation was not able to observe

        that the breach has ceased.


 - as to the degree of cooperation established with the supervisory authority [Article 83.2 f) of the GDPR],

    the restricted training takes into account the assertion by the head of the investigation that the

    Controlled demonstrated constructive participation throughout the investigation.


 - as regards the categories of personal data affected by the violation

    [article 83.2 g) of the GDPR], the restricted training takes into account the fact that the inspected processes

    special categories of personal data […].






______________________________________________________________________

           Decision of the National Commission sitting in restricted formation on the outcome of
                       the survey n ° [...] carried out with the public establishment A
                                                                                                  27/3397. The restricted committee notes that the other criteria of Article 83.2 of the GDPR are not

neither relevant nor likely to influence his decision on whether to impose a fine

administrative and its amount.


98. The restricted committee notes that although several measures have been decided by the inspected

in order to remedy in whole or in part certain shortcomings, it was decided only to

following the launch of the investigation by CNPD agents on September 17, 2018

(see also point 93 of this decision).


99. Therefore, the restricted panel considers that the pronouncement of an administrative fine
is justified with regard to the criteria set out in article 83.2 of the GDPR for breaches of articles

37.7, 38.1, 38.2 and 39.1 b) of the GDPR.


100. Regarding the amount of the administrative fine, the restricted panel recalls that

Article 83.3 of the GDPR provides that in the event of multiple violations, as is the case here,

the total amount of the fine cannot exceed the amount set for the most serious violation. In
the extent to which a breach of Articles 37.7, 38.1, 38.2 and 39.1 b) of the GDPR is alleged against the

controlled, the maximum amount of the fine that can be withheld is 10 million euros or

2% of worldwide annual revenue, whichever is greater.


101. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the training
Restricted considers that the imposition of a fine of 18,000 euros appears to be both effective,

proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.


           2. Regarding the taking of corrective measures



102. In his additional letter to the statement of objections of 10 August 2020, Chief
investigation suggests that the restricted group take the following corrective measures:


        "A) Order the implementation of measures enabling the DPO (or a" Data

        Protection "dedicated) to acquire sufficient expertise adapted to the needs of the

        data protection controller in accordance with
        provisions of Article 37, paragraph (5) of the GDPR and the guidelines on

        DPD of the "Article 29" working group on data protection which specifies that the
   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                         the survey no. [...] carried out with public establishment A 28/33 DPD's level of expertise must be proportionate to the sensitivity, complexity and
    volume of data processed by the organization. Although several ways can be

    envisaged to achieve this result, one of the possibilities could be to provide a

    formal internal or external support in terms of IT skills for your DPO,

    and enroll in accelerated / intensive training in the protection of
    data. The measures mentioned by the controller during the audit, such as

    that access to external expertise for any legal assistance need, should be

    maintained, or even reinforced, in view of the sensitivity of the data processed;


    b) Order the implementation of measures ensuring the formalized and documented association

    of the DPO in all matters relating to data protection in accordance with the

    requirements of Article 38 (1) of the GDPR and of the principle of "accountability". Well

    that several ways can be envisaged to achieve this result, one of the
    possibilities could be to analyze, with the DPO, all committees / working groups

    relevant with regard to data protection and to formalize the terms of its

    intervention (previous information from the meeting agenda, invitation, frequency, status

    permanent member, etc.);


    c) Order the implementation of measures guaranteeing the necessary resources for

    DPD in accordance with the requirements of Article 38 paragraph 2 of the GDPR. Although

    several ways can be envisaged to achieve this result, one of the
    possibilities could be to relieve the DPO of all or part of his other

    missions / functions or to provide support, internally or externally, with regard to the exercise

    of his DPD missions;


    d) Order the implementation of measures ensuring that the various missions and tasks,

    current or past, of the person exercising the function of DPO do not lead to

    conflicts of interest in accordance with the requirements of Article 38 (6) of the GDPR.

    Although several ways can be implemented, one of the possibilities would be
    the involvement of a third party with the necessary skills; for the

    review of treatments for which there is a risk of conflict of interest (review of the



______________________________________________________________________

          Decision of the National Commission sitting in restricted formation on the outcome of
                      the survey n ° [...] carried out with the public establishment A
                                                                                               29/33 risk management, review of the processes concerning the various treatments present,

        review of job descriptions and / or job descriptions, etc.);



        e) Order the formal and documented deployment of the DPD's control mission
        in accordance with Article 39 paragraph 1 b) of the GDPR and the principle of "accountability".

        The DPO must exercise his control duties, in accordance with Article 39 paragraph 1

        b) of the GDPR. Although several ways can be considered to achieve this

        result, the DPO should always document his controls on the application of the rules and
        internal data protection procedures (second line of defense).

        This documentation could take the form of a monitoring plan followed by reports. "


103. As to the corrective measures proposed by the head of the investigation and by reference to point

102 of this decision, the restricted committee takes into account the steps taken

by the inspected in order to comply with the provisions of articles 37.5, 38.1, 38.2, 38.6 and 39.1 b)

of the GDPR, in particular the measures described in his letter of September 14, 2020. More
in particular, it takes note of the following facts:



    - With regard to compliance by the inspectorate with article 37.5 of the GDPR, training

        restricted notes that, following the appointment of the new internal DPO, he followed
        several training courses in data protection so that he has

        sufficient expertise to perform its duties. However, as has been noted

        in point 35 of this decision, the restricted committee considers that there is no
        to retain a breach of Article 37.5 of the GDPR with regard to the situation of the inspected

        at the start of the investigation. Consequently, the restricted committee does not pronounce the measure

        corrective as proposed by the head of the survey and repeated under a) of point 102 of the

        this decision.


    - With regard to the violation of article 38.1 of the GDPR, the inspector indicates in his

        letter of September 14, 2020 that an internal process of formalization and documentation

        the involvement of the new internal DPO in matters relating to the protection of
        data […]) was put in place by the inspected. The restricted formation considers from



   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                          the investigation no. [...] carried out with the public establishment A 30/33 when there is no need to pronounce the corrective measure proposed by the head of the investigation

     and repeated under b) of point 102 of this decision.



 - With regard to the violation of Article 38.2 of the GDPR, the internal DPO currently in
     function estimated its working time on data protection issues at

     about 70% compared to his other tasks. Given the fact that the inspected is processing a

     substantial amount of data, the degree of sensitivity of which may be relatively high,

     the limited training considers that the DPO should have more resources
     for the performance of its missions. The restricted formation therefore considers that it is necessary to

     pronounce the corrective measure proposed by the head of the investigation and repeated under c) of point

     102 of this decision.


 - With regard to the body's compliance with article 38.6 of the GDPR, training

     restricted considers that the inspected has not demonstrated that, despite the combination of functions
     internal DPD and Head of Compliance […], sufficient internal measures would have

     were taken to prevent the DPO from having to comment on treatments

     which he would have helped to determine the purposes and means. However, like this
     was noted in point 90 of this decision, the restricted panel considers that there is

     there is no reason to retain a breach of Article 38.6 of the GDPR with regard to the situation of the

     checked at the start of the investigation. Consequently, the restricted formation does not pronounce

     the corrective measure as proposed by the head of the investigation and repeated under d) of point
     102 of this decision.



 - With regard to the violation of Article 39.1 b) of the GDPR, the restricted training is

     of opinion that the inspected did not demonstrate that the DPO currently in office fulfills his
     mission of monitoring compliance with the GDPR by the inspected, the latter having chosen to do

     call on external service providers to ensure this control, without any proof

     the involvement of the new internal DPO in the organization of this control work. The
     restricted training therefore considers that the corrective measure should be taken

     proposed by the head of the investigation and repeated under e) of point 102 of this decision.





______________________________________________________________________

           Decision of the National Commission sitting in restricted formation on the outcome of

                       the survey no.
restricted formation and deliberating unanimously decides:



    - to retain the breaches of articles 37.7, 38.1, 38.2 and 39.1 b) of the GDPR;


    - to pronounce against the public establishment A an administrative fine of one

        amount of eighteen thousand euros (18,000 euros) with regard to the violation of Articles 37.7,

        38.1, 38.2 and 39.1 b) of the GDPR;


    - to issue an injunction against the public establishment
        compliance with Article 38.2 of the GDPR within six months of notification of

        the decision of the restricted committee, in particular:


        ensure that the DPO has the necessary resources for the exercise of his

        missions;


    - to issue an injunction against the public establishment

        compliance with Article 39.1 b) of the GDPR, within six months of notification

        of the decision of the restricted committee, in particular:


        ensure the formal and documented deployment of the DPD's control mission.




So decided in Belvaux, on October 15, 2021.


The National Commission for Data Protection sitting in a restricted body









Tine A. Larsen Thierry Lallemang Marc Lemmer
  President Commissioner Commissioner



   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                      32/33 Indication of remedies



This administrative decision may be the subject of an appeal for reformation within three
months following its notification. This appeal is to be brought before the administrative tribunal and must

must be introduced through a lawyer at the Court of one of the Bar Associations.
















































   ______________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the public establishment A
                                                                                                     33/33