TADM - 46401
From GDPRhub
| TADM - 46401 | |
|---|---|
 | |
| Court: | TADM (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 38(1) GDPR Article 38(2) GDPR Article 39(1) GDPR Article 83 GDPR |
| Decided: | 14.05.2024 |
| Published: | 20.05.2024 |
| Parties: | CNPD Company A |
| National Case Number/Name: | 46401 |
| European Case Law Identifier: | ECLI:LU:TADM:2024:46401 |
| Appeal from: | CNPD (Luxembourg) 18FR/2021 |
| Appeal to: | Unknown |
| Original Language(s): | French |
| Original Source: | TADM (in French) |
| Initial Contributor: | lszabo |
A court upheld a fine of €18,000 imposed by the DPA on a controller for not directly involving the group-DPO with data protection-related matters and not providing them with sufficient resources.
English Summary
Facts
The Luxembourg DPA ("Commission Nationale pour la Protection des Données - CNPD") launched an investigation on a group of companies with a subsidiary based in Luxembourg (the controller).
The group of companies had appointed a single DPO (the group's DPO) under Article 37(2) GDPR to handle all data protection matters and had appointed a lawyer as the local contact point in Luxembourg to assist the group's DPO. Article 37(2) GDPR allows for the possibility to appoint one DPO for a group of undertakings. The controller had also established a GDPR Board, a committee dedicated to data protection in Luxembourg. The DPO however was not a member of the GDPR Board and was only informed of the subjects discussed there through the minutes of the GDPR Board and through the questions raised by the local contact point during these meetings. The group's DPO did not seat in Luxembourg and was involved mostly indirectly, through the local contact point, in data protection-related matters of the Luxembourg entity. During the course of the investigation, the controller did appoint its own DPO, that started on 1 October 2020.
The DPA found that even if the Group's DPO was participating in numerous meetings at a group level and regularly organised meetings with its local points of contact, this was not sufficient to demonstrate the direct, formal and permanent involvement of the DPO in Luxembourg. Therefore, the DPA found that the controller did not sufficiently involve the DPO with data protection matters violating Article 38(1) GDPR and Article 39 GDPR. It further found that the controller did not provided its DPO with the necessary resources and power, violating Article 38(2) GDPR. Thus, the DPA fined the controller €18,000.
The controller appealed this decision at the Administrative Court of the Grand Duchy of Luxembourg ("Tribunal administratif du Grand-Duché de Luxembourg - TADM"), seeking annulment of the decision. The controller argued that the DPA used their power excessively in finding violations of Article 38(1) and (2) and Article 39 GDPR. Moreover, the controller argued that the French DPA ("CNIL") had investigated its parent company and the other entities located in France and did not find any violations or made any comments regarding the appointment of the group’s DPO. The controller also argued that the fine amount was disproportionate.
Holding
Involvement of the group's DPO
The court held that in order for the DPO to comply with its obligation to inform and advise the controller under Article 39(1) GDPR, it is necessary and imperative for the DPO to be involved in questions and projects involving issues relating to the protection of personal data at the earliest possible stage. The court found that the handling of the requests and complaints by data subjects was done by a local contact point without intervention of the group's DPO. The group's DPO was only involved when a data subject was not satisfied with the handling by the local contact point. Although the controller referred to regular communications via telephone, video conferences and e-mails between the local contact point and the group's DPO, it did not provide any documentation of these communications. It was also not demonstrated that the group's DPO had preliminary been consulted about putting into place the GDPR Board.
The court dismissed the controller's argument that the DPA did not take into account that the controller appointed its own DPO during the investigation. The DPA only considered the facts as they existed on the day it started its investigation. The court agreed with the DPA that any changes made by the controller during the investigation would not eliminate an established breach and would not relieve the controller from their responsibility.
The court also dismissed the controller's argument that the CNIL came to a different conclusion during its investigation of the parent company of the group and the other entities located in France. The court held that the CNIL's finding had no relevance as it did not concern the activities in Luxembourg and both the court and DPA are not bounded by decisions from administrative authorities or courts in other countries.
Thus, the court found that the DPO was not directly involved in all data protection-related matters. Therefore, the controller violated Article 38(1) GDPR and Article 39 GDPR.
Available resources for the DPO
The court held that the controller did not present any information about formalising the working time devoted to data protection of the local contact point. The court also noted that the local contact point was the only lawyer in the controller's company in Luxembourg. The court held that the DPO had to be involved in all personal data protection related matters, general consultation was not sufficient. The court then took into account the volume of activities of the controller in Luxembourg (70 sites, between 1600 and 2100 employees and 25000 consumers per day), which would have justified at least one full time person being devoted to data protection. The court thus found that the controller violated Article 38(2) GDPR by not providing sufficient resources to its DPO.
Imposed fine
Concerning the proportionality of the fine, the court took into account Article 83 GDPR and the seriousness of the violation. The court found that the fine was proportionate as the violations that were found were serious, involved potentially a large number of people and lasted at least from 25 May 2018 to 1 October 2020.
Thus, the court dismissed the appeal and upheld the DPA's decision that the controller violated Article 38(1) and (2) and Article 39 GDPR.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Administrative Court No. 46401 of the roll
of the Grand Duchy of Luxembourg ECLI:LU:TADM:2024:46401
4 bedroom Registered August 27, 2021
Public hearing of May 14, 2024
Appeal filed by
the limited company ... SA, …,
against a decision of the National Commission for Data Protection
regarding data protection
___________________________________________________________________________
JUDGEMENT
Having regard to the request registered under number 46401 of the role and filed on August 27, 2021 at the registry
of the administrative court by Maître Renaud Le Squeren, lawyer at the Court, registered on the roll of
the Luxembourg Bar Association, in the name of the limited company ... SA, established and having its
head office in L-…, registered in the Luxembourg trade and companies register under
number ..., represented by its board of directors currently in office, tending to
reform, otherwise the annulment of a decision of May 31, 2021 of the National Commission
for data protection (“CNPD”), public establishment, registered in the data protection register
commerce and companies of Luxembourg under number J52, established and having its headquarters in L-
4370 Belvaux, 15, boulevard du Jazz, represented by its college of commissioners
currently in office, having imposed an administrative fine of 18,000 euros on him while
having ordered it to comply with Articles 38, paragraph (1) and 39,
paragraph (1) (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 relating to the protection of individuals with regard to the processing of personal data
personal character and the free movement of data, and repealing Directive 95/46/EC
within four months following notification of the said decision;
Given the feat of the substitute bailiff Michèle Baustert, replacing
the bailiff Cathérine Nilles, both residing in Luxembourg, of August 31, 2021,
bearing notification of the aforementioned request to the CNPD, prequalified;
Having regard to the constitution of lawyer at the Court filed at the registry of the administrative court on date
of September 27, 2021 by Maître Elisabeth Guissart, lawyer at the Court, registered on the roll of
the Luxembourg Bar Association, for the CNPD, prequalified;
Having regard to the response filed at the administrative court registry on December 10
2021 by Maître Elisabeth Guissart, prequalified, in the name and on behalf of the CNPD,
prequalified;
Having regard to the reply brief filed at the administrative court registry on January 10, 2022
by Maître Renaud Le Squeren, prequalified, in the name and on behalf of the limited company
... SA, prequalified;
Having regard to the rejoinder filed at the registry of the administrative court on February 8, 2022
by Maître Elisabeth Guissart, prequalified, in the name and on behalf of the CNPD, prequalified;
1 Considering the documents submitted in question and in particular the criticized decision;
The judge-rapporteur heard in his report at the public hearing of October 10, 2023,
the parties having apologized.
__________________________________________________________________________
By letter dated September 17, 2018, the National Commission for the Protection of
data, hereinafter referred to as “the CNPD”, informed the company ... SA, hereinafter referred to as “the
company ...", of the exercise, within the latter, of a control in the form of an investigation
theme on the function of data protection delegate, hereinafter referred to as “the
DPD", as part of a broader campaign carried out among major officials of the
Luxembourg treatment in all sectors, by submitting a questionnaire to be returned
no later than October 8, 2018.
Following the return of the questionnaire on October 5, 2018 by the company... and following a visit
on site by CNPD agents on January 21, 2019, the CNPD submitted, by email
of April 26, 2019, a draft report of the on-site visit, draft document in relation
to which the company ... took a position by email of May 13, 2019.
By email of May 14, 2019, the CNPD sent the company ... the account
final report of said on-site visit.
On August 7, 2019, the CNPD sent, by email, a draft report
audit to the company ..., which sent its position on the subject by email
from August 29, 2019.
On October 31, 2019, the CNPD communicated the grievances to the data controller.
the company ..., as well as audit report no. 1716/2019, the company ... responding by mail from
November 22, 2019.
On August 24, 2020, the CNPD sent a complementary letter to the communication of
grievances to the company ... indicating the corrective measures and the fine of 18,000 euros that the
head of investigation proposed to the restricted formation of the CNPD, hereinafter referred to as “the
Restricted Training”, to pronounce with regard to the company....
The company ..., by means of a letter from its representative dated September 30, 2020,
took a position in relation to the additional letter from the CNPD of August 24, 2020.
Following the Restricted Training session of January 26, 2021, the latter decided,
by decision of May 31, 2021 referenced under number 18FR/2021, to impose on the company ... a
fine of 18,000 euros, as well as an injunction to comply with articles 38, paragraph
(1) and 39(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council
of April 27, 2016 relating to the protection of individuals with regard to the processing of
personal data and the free movement of data, and repealing the Directive
95/46/CE, hereinafter referred to as “the GDPR”, within four months from the
notification of the said decision based on the following motivation:
“(…) The National Commission for Data Protection sitting in training
restricted, composed of Madam…, president, and Messrs… and…, commissioners;
2 Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016
relating to the protection of natural persons with regard to the processing of personal data
personal and the free movement of these data, and repealing Directive 95/46/EC;
er
Having regard to the law of August 1, 2018 organizing the National Commission for
data protection and the general regime on data protection, in particular its
article 41;
Considering the internal regulations of the National Commission for the Protection of
data adopted by decision no. 3AD/2020 dated January 22, 2020, in particular its article
10.2;
Having regard to the regulation of the National Commission for Data Protection relating to the
investigation procedure adopted by decision no. 4AD/2020 dated January 22, 2020, in particular
its article 9;
Considering the following:
I. Facts and procedure
1. Considering the impact of the role of the data protection officer (hereinafter: the “DPD”)
and the importance of its integration into the organization, and considering that the guidelines
concerning DPDs have been available since December 2016, i.e. 17 months before entry into force.
application of Regulation (EU) 2016/679 of the European Parliament and the Council of April 27, 2016
relating to the protection of individuals with regard to the processing of personal data
personal and the free movement of such data, and repealing Directive 95/46/EC
(General Data Protection Regulation) (hereinafter: the “GDPR”), the Commission
National Commission for Data Protection (hereinafter: the “National Commission” or the
“CNPD”) has decided to launch a thematic investigative campaign on the function of the DPD.
Thus, 25 audit procedures were opened in 2018, concerning both the private sector and the
public sector.
2. In particular, the National Commission decided by deliberation no. 451/2018 of 14
September 2018 to open an investigation in the form of a data protection audit
with the public limited company ... S.A., established and having its head office in L-..., registered with
trade and company register under number... (hereinafter: the “controlled”) and to designate
Sir... as head of investigation. The said deliberation specifies that the investigation relates to the
compliance of the controlled with section 4 of chapter 4 of the GDPR.
3. The object of the controlled entity is in particular the operation, management, supply for its
own account or on behalf of others of all catering and hotel services in
establishments reserved for communities or the public. The controlled number around 2,100
employees spread over 70 sites as well as 25,000 consumers per day.
4. By letter of September 17, 2018, the head of investigation sent a questionnaire
preliminary to the audit to which the latter responded by letter of October 5, 2018. A
on-site visit took place on January 21, 2019. Following these discussions, the head of investigation established the
audit report no. 1716/2019 (hereinafter: the “audit report”).
3 5. It appears from the audit report that in order to verify the compliance of the organization with the
section 4 of chapter 4 of the GDPR, the head of investigation defined eleven control objectives, namely:
1) Ensure that the organization required to appoint a DPO has done so;
2) Ensure that the organization has published the contact details of its DPO;
3) Ensure that the organization has communicated the contact details of its DPO to the CNPD;
4) Ensure that the DPO has sufficient expertise and skills to
carry out its missions effectively;
5) Ensure that the missions and tasks of the DPO do not lead to a conflict of interest;
6) Ensure that the DPO has sufficient resources to carry out effectively
of its missions;
7) Ensure that the DPO is able to carry out his missions to a sufficient degree
autonomy within one’s organization;
8) Ensure that the organization has put in place measures so that the DPO is associated with
all questions relating to data protection;
9) Ensure that the DPO fulfills its mission of providing information and advice to the
data controller and employees;
10) Ensure that the DPO exercises adequate control over data processing within the
his body;
11) Ensure that the DPO assists the data controller in carrying out the
impact analyzes in the event of new data processing.
6. By letter of October 31, 2019 (hereinafter: the “statement of objections”), the head
investigation informed the auditee of the breaches of the obligations provided for by the GDPR that it
noted during his investigation. The audit report was attached to the said letter.
7. In particular, the head of investigation noted in the statement of objections
breaches of:
- the obligation to involve the DPO in all questions relating to the protection of
personal data;
- the obligation to provide the necessary resources to the DPO;
- the information and advice mission of the DPD.
8. By letter dated November 22, 2019, the person being inspected sent the head of investigation his decision
position regarding the shortcomings listed in the statement of objections.
9. On August 24, 2020, the head of investigation sent the controlled person an additional letter
to the communication of objections (hereinafter: the “additional letter to the communication
grievances") by which he informs the auditee of the corrective measures and the fine
administrative decision that it proposes to the National Commission sitting in restricted formation (hereinafter
after: the “restricted training”) to adopt.
10. By letter dated September 30, 2020, the controlled person sent the head of investigation
its observations regarding the letter supplementing the statement of objections.
11. The case was on the agenda of the restricted training session of January 26
2021. In accordance with article 10.2. b) the internal regulations of the Commission
national, the head of investigation and the controlled person presented their oral observations in support of
their written observations. More particularly, Maître Renaud Le Squeren, agent of the
inspected, read out a note setting out the observations of the inspected person (hereinafter: the “note
4 of pleadings"). The head of investigation and the person being investigated subsequently answered the questions asked.
through restricted training. The person being controlled had the last word.
12. By email of January 27, 2021, the controlled agent sent to the
restricted training a copy of the pleadings note, an extract from a presentation dated
October 8, 2018 presenting the “Data Protection” organization chart with indication of “GDPR
Board" of the controlled person as well as an extract from the company's trade and company register
anonymous ... ... S.A. managing “checks…” in Luxembourg.
II. Place
A. As for the requirements for precision in the statement of objections and the
additional letter to the statement of objections
13. In his pleadings note, the agent of the controlled party invokes, as a preliminary matter,
that the statement of objections and the supplementary letter to the statement of objections
lack precision:
“[…] the Courriers de Grief fail to comply with the legal obligations applicable in matters
administrative, in particular in that they do not contain a precise reference to a standard
legal which would have been violated and that they contain no precise indication of the facts
detailed which would constitute a violation of a legal norm by .... By this lack
precision, the general principles of applicable rights were violated and my principal was
deprived of the possibility of providing informed and detailed explanations likely to shed light
Restricted Training. »
14. The restricted panel notes that the head of investigation expressly mentions, both
in the statement of objections and in the letter supplementing the communication
grievances, the provisions of the GDPR which the person inspected may have failed to do, namely the articles
38.1, 38.2 and 39.1. has). Furthermore, the factual findings made during the investigation and on which
the alleged breaches are based are indicated in the statement of objections. Of
surplus, the audit report including all the findings and work carried out by the manager
investigation as part of the audit mission was attached to the statement of objections. In
Furthermore, the restricted panel notes that the agent of the controlled person refers to the
“legal obligations applicable to administrative matters” as well as “general principles
of applicable rights” without specifying which rule of law would have been violated in
the species.
15. For all practical purposes, it must be noted that the person controlled was able to take
position in relation to the failings of which he is accused, as demonstrated by his statements
of November 22, 2019 and September 30, 2020 as well as the oral observations and the note of
pleadings presented at the restricted panel session of January 26, 2021.
16. It is therefore wrong for the agent of the controlled party to maintain that the communication
objections and the letter supplementing the statement of objections lack precision
so that his principal would have been “deprived of the possibility of providing explanations
enlightened and detailed information likely to shed light on Restricted Training.
B. As to the complaints listed in the statement of objections
5 a) On the failure to comply with the obligation to involve the DPO in all questions relating
to the protection of personal data
1. On the principles
17. According to article 38.1 of the GDPR, the organization must ensure that the DPO is associated,
in an appropriate and timely manner, to all matters relating to the protection of
personal data.
18. The DPD Guidelines state that “[i]t is essential that the
DPD, or its team, is involved in all matters at the earliest possible stage
relating to data protection. [...] Information and consultation of the DPO from the start
will facilitate compliance with the GDPR and encourage an approach based on
data protection by design; it should therefore be a usual procedure in
within the housekeeper of the organization. Furthermore, it is important that the DPO is seen as
a contact within the organization and be a member of the dedicated working groups
data processing activities within the organization.
19. The DPD Guidelines provide examples of how
to ensure this association of the DPD, such as:
• invite the DPO to regularly participate in senior management meetings
and intermediate;
• recommend the presence of the DPO when decisions having implications in
data protection matters are taken;
• always take due consideration of the opinion of the DPO;
• immediately consult the DPO when a data breach or other
incident occurs.
20. According to the DPD guidelines, the organization could, where appropriate
where appropriate, develop guidelines or programs for the protection of
data indicating the cases in which the DPO must be consulted.
2. In the present case
21. It appears from the audit report that, for the head of investigation to consider objective 8
as achieved by the auditee as part of this audit campaign, the head of investigation
expects the DPO to participate in a formalized manner and on the basis of a defined frequency
to the Management Committee, to the project coordination committees, to the new committees
products, safety committees or any other committee deemed useful in the context of the protection of
data.
22. According to the Statement of Objections, page 3, “the DPO participates in numerous
meetings at Group level and [...] regularly organizes meetings with its points of
local contacts. But these elements are not enough to demonstrate the direct, formal and
permanent involvement of the DPD in Luxembourg”. It still results from communication
grievances that “the Group DPO receives a monthly report from the local contact point
following the local COMEX as well as monthly reporting relating to protection issues
data (number of requests to exercise rights or complaints, impact analyzes
possible etc.). [...] the DPO is systematically informed and consulted by the contact point
6local in the event of a security incident likely to involve personal data
personnel and create a risk for the people concerned. » The head of investigation estimates
however that "these elements cannot compensate for the absence of direct involvement of the
DPD Group within ..., which could give rise to the risk that the DPD is not
sufficiently involved at the operational level in Luxembourg. » Finally, the head of investigation
argues that he “was not aware of any elements enabling this risk to be addressed, such as
for example the formal establishment of visits based on a defined frequency of the DPO
Group (or a member of its Data Protection team) in Luxembourg. These visits
would notably allow the DPO to be able to discuss directly with management
superior of ... issues related to data protection and to be able to assess
operational issues directly. »
23. In his position statement of November 22, 2019, the auditee asserts that the DPD
Group is involved in an appropriate and timely manner in all matters relating to
to the protection of personal data. The controlled person explains that “[a]ll
questions relating to the protection of personal data initiated in the Grand Duchy of
Luxembourg are received and analyzed initially by our point of contact
dedicated to data protection in Luxembourg” (hereinafter: the “local contact point”) and
that the latter works in close collaboration with the Group DPD for all questions
requiring information, analysis, advice or prior consultation from the Group DPD.
According to the person controlled, the point of contact is responsible for managing the compliance of data processing.
personal data implemented by the controlled person, under the supervision of the DPO
Group to whom the point of contact reports its actions. Furthermore, the auditee mentions in
its position statement of November 22, 2019 the establishment of a committee dedicated to the protection of
data in Luxembourg (hereinafter: the “GDPR Board”) which defines the strategy on these subjects and
the associated action plans. The audit explains the composition and operation of the GDPR
Board to support that the Group DPD is involved in managing compliance with
the provisions of the GDPR in Luxembourg.
24. In his pleadings note, the controlled agent highlights article 37.2
of the GDPR, which authorizes a group of companies to appoint a single DPO provided that this
the latter is easily reachable from each place of establishment, as well as the lines
guidelines concerning DPD to support that the operation of the controlled is compliant
to the GDPR and affirms that “[i]t was found to be no materiality of the alleged facts, no
unavailability of the DPO of ... whether vis-à-vis the supervisory authority or even the
persons concerned and a possible and uncharacterized risk cannot make it possible to establish
factually a violation. »
25. The restricted training takes note that the controlled party is a subsidiary of the French group
...and that the latter had decided to appoint a single DPO for the different entities of the group
(hereinafter: the “DPD Group”). At the central level, the group has set up an office of
data protection (“Global Data Protection Office”) composed of the Group DPD as well as
only two lawyers specializing in data protection and a project manager.
At the local level, the sole lawyer of the audited party was designated as the local point of contact for the
DPD Group.
26. As a preliminary point, the restricted panel notes that the breach alleged by the
head of investigation relates to article 38.1 of the GDPR so that the explanations of the agent of the
controlled regarding Article 37.2 of the GDPR are not relevant in this case. Indeed, even
if the GDPR authorizes a group of companies to designate a single DPO, it does not remain
7unless this DPO must be associated, in an appropriate and timely manner, with all
questions relating to the protection of personal data, in accordance with Article
38.1 of the GDPR. It is therefore possible for an organization to designate a single DPO at the level of the
group whose entities are established in several Member States of the European Union and
to provide, at local level, “contact points” who assist the DPO, particularly in
questions relating to local particularities such as national legislation. In such
case, it is however all the more important to clearly define, among other things, the
modalities of collaboration between the DPO and the “local contact points” as well as the
distribution of tasks and responsibilities.
In this case, the restricted panel notes that all questions relating to the
protection of personal data that arose at the level of the controlled were
received and analyzed initially by the local contact point who addressed
to the DPDGroupe when he considered it necessary. The restricted training still notes that the DPD
Groupe was not part of the GDPRB Board and was only informed of the subjects discussed there through
the minutes of the GDPR Board and through the questions raised by the point
local contact during these meetings.
27. It therefore appears from the investigation file that the Group DPD was not associated
only indirectly to questions relating to the protection of personal data which
arose at the level of the controlled, this through the local point of contact which, in
the facts, acted as a data protection contact within
the organism. However, the local point of contact was the sole lawyer of the controlled person and did not
part of the DPD Group team itself, namely the protection office
of data (“Global Data Protection Office”).
28. Furthermore, the restricted panel considers that the fact of transmitting the proceedings
verbal statements from the GDPR Board to the DPD Group do not allow its appropriate association to be established
and in good time to the extent that the Group DPO is simply informed of the measures that
The GDPR Board proposes to the various decision-making bodies of the controlled to implement.
The DPO is therefore not informed and especially not consulted “at the earliest possible stage”
of all questions relating to data protection.
29. In addition, the auditee indicates in his position of September 30, 2020 that
the local point of contact has been designated as DPD for the entity...S.A., with effect from October 1
2020. The restricted panel notes that the CNPD received the amending declaration by
email of September 30, 2020. However, the person being inspected must ensure that the newly appointed DPO
appointed is effectively involved in all matters relating to data protection to
personal character. Having named the local contact point as DPO is not enough
to sufficiently demonstrate such association of the latter in all questions relating to
the protection of personal data.
30. In view of the above, the restricted panel agrees with the observation of the chief
investigation according to which non-compliance with article 38.1 of the GDPR was acquired at the time of
investigation.
b) On the failure to fulfill the obligation to provide the necessary resources to the DPO
1. On the principles
8 31. Article 38.2 of the GDPR requires that the organization assists its DPO “to exercise the
missions referred to in Article 39 by providing the resources necessary to carry out these
missions, as well as access to personal data and processing operations,
and allowing him to maintain his specialized knowledge. »
32. It follows from the DPD Guidelines that the following aspects must
in particular be taken into consideration:
- “sufficient time for the DPOs to carry out their tasks. This aspect is
particularly important when an internal DPO is appointed part-time or
when the external DPO is responsible for data protection in addition to others
tasks. Otherwise, conflicting priorities could lead to tasks being
of the DPD are neglected. It is essential that the DPO can devote
enough time for his missions. It is good practice to set a
percentage of time spent on the DPD function when this function is not
not employed full time. It is also good practice to determine the
time required to execute the function and the appropriate priority level for
the tasks of the DPO, and that the DPO (or the organization) establishes a work plan;
- necessary access to other services, such as human resources, service
legal, IT, security, etc., so that DPOs can
receive essential support, input and information from these others
services ".
33. The DPD Guidelines state that “[i]n a way
Generally, the more complex or sensitive the processing operations, the more resources
granted to the DPD must be significant. The data protection function must be
effective and equipped with adequate resources with regard to the data processing carried out. »
2. In the present case
34. It appears from the audit report that, given the size of the organizations selected,
so that the head of investigation considers objective 6 as achieved by the person being monitored within the framework
of this audit campaign, the head of investigation expects the auditee to use at least
one FTE (full-time equivalent) for the team in charge of data protection. Leader
investigation also expects that the DPO will have the possibility to rely on other
services, such as legal, IT, security, etc.
It results from the statement of objections, page 3, that the DPD Group has the level
center of a team made up of two lawyers specializing in the protection of
data as well as a project manager. At the local level, however, the Group DPD does not have
than a local point of contact who was also the sole lawyer of the controlled person so that
the head of investigation notes “the risk that the DPD does not have sufficient resources at the level
local in Luxembourg, resources being concentrated at group level, but not seeming
not sufficiently deployed at the local level" as well as "the risk that in the event of a strong peak
of activity concerning legal matters to be handled within ..., the local contact point does not
may not have the means to effectively carry out its missions relating to protection
data, which would create the risk that the DPO would not be able to effectively exercise its
DPO missions for Luxembourg”.
9 35. In his position statement of November 22, 2019, the auditee asserts that the DPD
At the local level, the Group has the support of a legal team made up of the point of
local contact and a “second resource” and notes that “the job description of the Point of
Local contact and second resource in the local legal team on a long-term contract
indefinite must be detailed in terms of hourly volume and description of tasks.
36. In his pleadings note, the agent of the auditee further argues that
the requirement to formalize the distribution of working time does not exist in the regulations
applicable and that the guidelines concerning DPDs contain at most one
recommendation as a “good practice” to “determine the time required for execution
of the function and the appropriate priority level for the DPO's tasks, and that the DPO (or
the organization) establishes a work plan. Finally, the controlled agent maintains
that “[i]n here too, no materiality of the alleged facts has been established, nor has any
explanation on the criteria examined to conclude that there was a lack of resources, nor any
analysis of existing resources. A possible and uncharacterized risk cannot allow
to establish factually that ... would lack resources to meet its obligations to
under data protection. »
37. The restricted panel takes note that the controlled person opted to appoint the DPO
Group which has, at central level, a team made up of two lawyers specialized in
data protection matters as well as a project manager. At the entity level
Luxembourg which was the subject of the investigation, a local contact point was appointed,
person of the only lawyer of the controlled who also carried out other missions. There
restricted training considers that such an organization requires that the organization determine and
documents the time necessary for the local point of contact to carry out its missions relating to
data protection in order to be able to allocate the necessary resources to it. This
This requirement results in particular from the guidelines concerning DPDs as well as from the articles
5.2. and 24 of the GDPR which sets out the principle of accountability. But he
appears from the file that the person inspected did not carry out any formalization or
documentation to demonstrate that the auditee has provided the DPD function with the
resources necessary to carry out its missions at the time of the investigation.
38. In view of the above, the restricted panel concludes that article 38.2 of the GDPR
was not respected by the person being inspected.
c) On the failure relating to the information and advice mission of the DPD
1. On the principles
39. Under article 39.1. a) of the GDPR, one of the missions of the DPO is to “inform
and advise the controller or processor and employees who
carry out processing on their obligations under this Regulation
and other provisions of Union law or the law of the Member States relating to
Data protection ".
2. In the present case
40. It appears from the audit report that, for the head of investigation to consider objective 9
as achieved by the auditee within the framework of this audit campaign, he expects that
10" the organization has formal reporting of the DPO's activities to the Management Committee
based on a defined frequency. Regarding information to employees, it is expected that
the organization has put in place an adequate training system for staff in terms of
Data protection ".
41. According to the statement of objections, page 4, it appears from the investigation that there is no
direct feedback of information from the Group DPD to the local management of the controlled entity. Leader
investigation notes that “there are several levels of reporting (from the local point of contact to
the DPD, from the DPD to the Group CEO, from the local contact point to the local COMEX)", but
believes that “these elements are not sufficient to compensate for the absence of direct reporting
from the DPO to the data controller in Luxembourg”.
42. In his position of November 22, 2019, the auditee refers to these
explanations relating to the first complaint, namely the failure to fulfill the obligation to associate the
DPD for all questions relating to the protection of personal data. By
elsewhere, the audited party maintains that the Group DPD “informs and advises the person responsible for
treatment as well as employees and has notably implemented:
• An online Responsible Business Conduct course including a module
on the GDPR, available online from May 2018
• An awareness campaign with video and support on data protection
of a personal nature on May 16, 2018, as well as January 3, 2019
• An awareness campaign with video, intranet and Toolbox including the 10
golden rules on the protection of personal data dated June 3
2019 »
The auditee further affirms that the Group DPD “has the opportunity to discuss subjects
strategic and/or more operational with senior management [of the person controlled], in particular
during occasional meetings bringing together the “senior leaders” (Top 1600) of ...”.
43. The restricted panel notes that the breach noted by the head of investigation
only concerns the information and advice mission of the DPO with regard to the person responsible for
processing, and not the information and advice mission of the DPO with regard to employees.
44. The restricted formation considers that the information and advice mission of the DPD to
towards the data controller is closely linked to the obligation provided for in Article 38.1
of the GDPR, to involve the DPO appropriately and in a timely manner in all questions
relating to the protection of personal data. However, the restricted training has
noted that the Group DPD was not involved appropriately and in a timely manner with
data protection issues arising at the level of the Luxembourg entity having made
the subject of the investigation. In fact, the Group DPD was only indirectly associated, through
through the local contact point. Furthermore, he was simply informed of the measures that
The GDPR Board proposes to the various decision-making bodies of the controlled to implement.
45. In view of the above, the restricted panel concludes that article 39.1. a) of
GDPR was not complied with by the auditee.
III. On corrective measures and fines
A. The principles
11 46. In accordance with article 12 of the law of August 1, 2018 organizing the
National Commission for Data Protection and General Protection Regime
data, the CNPD has the powers provided for in article 58.2 of the GDPR:
(a) notify a controller or processor of the fact that the operations
envisaged processing operations are likely to violate the provisions of this regulation;
b) call to order a controller or a processor when the
processing operations have resulted in a violation of the provisions of this Regulation;
(c) order the controller or processor to comply with the
requests submitted by the data subject with a view to exercising their rights under the
this regulation;
(d) order the controller or processor to put the operations
processing in accordance with the provisions of this regulation, where applicable,
specific manner and within a specific time frame;
(e) order the controller to communicate to the data subject
a personal data breach;
(f) impose a temporary or permanent limitation, including a ban, on the
treatment;
g) order the rectification or erasure of personal data or the
limitation of processing pursuant to articles 16, 17 and 18 and notification of these measures
to the recipients to whom the personal data have been disclosed in application
Article 17(2) and Article 19;
(h) withdraw a certification or order the certification body to withdraw a
certification issued pursuant to articles 42 and 43, or order the body to
certification not to issue certification if the requirements applicable to the certification
are not or no longer satisfied;
(i) impose an administrative fine pursuant to section 83, in addition or
instead of the measures referred to in this paragraph, depending on the specific characteristics
in each case,
j) order the suspension of data flows addressed to a recipient located in a
third country or to an international organization. »
47. In accordance with article 48 of the law of August 1, 2018, the CNPD may impose
administrative fines as provided for in article 83 of the GDPR, except against the State
or municipalities.
48. Article 83 of the GDPR provides that each supervisory authority ensures that the
administrative fines imposed are, in each case, effective, proportionate and
dissuasive, before specifying the elements which must be taken into account to decide whether there
there is reason to impose an administrative fine and to decide the amount of this fine:
12 “a) the nature, seriousness and duration of the violation, taking into account the nature,
scope or purpose of the processing concerned, as well as the number of data subjects
affected and the level of damage they have suffered;
(b) the fact that the violation was committed deliberately or negligently;
(c) any measures taken by the controller or processor to mitigate
the damage suffered by the persons concerned;
d) the degree of responsibility of the controller or processor, taking into account
taken into account the technical and organizational measures that they have implemented under the
articles 25 and 32;
e) any relevant breach previously committed by the controller
or the subcontractor;
(f) the degree of cooperation established with the supervisory authority with a view to remedying the
violation and to mitigate possible negative effects;
g) the categories of personal data affected by the breach;
(h) the manner in which the supervisory authority became aware of the violation, in particular
whether and to what extent the controller or processor has notified the violation;
(i) where measures referred to in Article 58(2) have previously been
ordered against the controller or subcontractor concerned for the
same object, compliance with these measures;
(j) the application of codes of conduct approved pursuant to Article 40 or
certification mechanisms approved pursuant to Article 42; And
k) any other aggravating or mitigating circumstance applicable to the circumstances of
the species, such as financial benefits obtained or losses avoided, directly or
indirectly, as a result of the violation.”
49. The restricted panel wishes to clarify that the facts taken into account in the framework
of this decision are those noted at the start of the investigation. Possible modifications
relating to the subject of the investigation which occurred subsequently, even if they make it possible to establish
fully or partially conformity, do not allow retroactive cancellation of a
breach noted.
50. Nevertheless, the steps taken by the auditee to comply
with the GDPR during the investigation procedure or to remedy the shortcomings identified
by the head of investigation in the statement of objections, are taken into account by the training
restricted in the context of any corrective measures to be taken.
B. In the present case
1. As for the imposition of an administrative fine
13 51. In the supplementary letter to the statement of objections of August 24, 2020,
the head of investigation proposes to the restricted panel to pronounce against the person being investigated
administrative fine amounting to 18,000 euros.
52. In his pleadings note, the agent of the controlled party argues that a fine
administrative “must meet the principles of adequacy and proportionality of article
83 of the GDPR while in particular, no specific complaint has been formulated, no damage has been
noted and ... collaborated as far as possible with the CNPD throughout the
control period. »
53. In order to decide whether it is appropriate to impose an administrative fine and to decide,
where applicable, the amount of this fine, the restricted training analyzes the criteria set
by article 83.2 of the GDPR:
- As for the nature and seriousness of the violation (article 83.2 a) of the GDPR), with regard to
concerns breaches of articles 38.1, 38.2 and 39.1 a) of the GDPR, training
restricted notes that the appointment of a DPO by an organization cannot be
efficient and effective, namely facilitating compliance with the GDPR by the organization, that
in the event that the DPD is associated from the earliest possible stage to all
data protection issues, benefits from resources and time
necessary to carry out its missions relating to data protection and
effectively carries out its missions, including the information and advice mission of the
responsible for processing. A breach of sections 38.1, 38.2 and 39.1 a) of the
GDPR amounts to reducing the interest, or even emptying of its substance, the obligation for
an organization to appoint a DPO.
- As for the duration criterion (article 83.2.a) of the GDPR), restricted training falls under
that the auditee indicated, in his position of September 30, 2020, that the
local contact point has been appointed as DPO with effect from October 1, 2020 and
that the latter now devotes 50% of his working time to questions of
data protection, with the assistance of two other lawyers who devote
also each 50% of their working time. Furthermore, the composition and
functioning of the GDPR Board have been modified so that the DPO can
inform and advise the data controller. Violations of articles
38.1, 38.2 and 39.1 a) therefore lasted over time, at least between May 25
2018 and October 1, 2020. The restricted training reminds here that two years have passed
separated the entry into force of the GDPR from its entry into application to allow
to those responsible for processing to comply with their obligations.
- As to the number of data subjects affected by the violation and the level
damage they have suffered (article 83.2 a) of the GDPR), restricted training
notes that the controlled company has approximately 2,100 employees spread over 70 sites as well as
25,000 consumers per day. The number of people affected by the
violation is therefore potentially high.
- As for the degree of cooperation established with the supervisory authority (article 83.2 f) of the
GDPR), the restricted training takes into account the assertion of the head of investigation according to
in which the auditee demonstrated constructive participation throughout
investigation.
14 54. The restricted panel notes that the other criteria of article 83.2 of the GDPR
are neither relevant nor likely to influence its decision regarding the imposition of a fine
administrative and its amount.
55. The restricted panel notes that although several measures have been put in place by
the audited in order to remedy in whole or in part certain deficiencies, these have not been
adopted only following the launch of the investigation by CNPD agents on 17
September 2018 (see also point 49 of this decision).
56. Therefore, the restricted panel considers that the imposition of a fine
administrative is justified with regard to the criteria set by article 83.2 of the GDPR for
breach of articles 38.1, 38.2 and 39.1 a) of the GDPR.
57. Regarding the amount of the administrative fine, the restricted panel recalls
that article 83.3 of the GDPR provides that in the event of multiple violations, as is the case in
case, the total amount of the fine cannot exceed the amount set for the most serious violation
severe. To the extent that a breach of Articles 38.1, 38.2 and 39.1 a) of the GDPR is
accused of the controlled person, the maximum amount of the fine that can be withheld is 10
million euros or 2% of global annual turnover, whichever is greater
retained.
58. With regard to the relevant criteria of article 83.2 of the GDPR mentioned above, the
restricted training considers that the imposition of a fine of 18,000 euros appears in the
both effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.
2. As for taking corrective measures
59. In his letter supplementing the statement of objections, the head of investigation
proposes that the restricted formation take the following corrective measures:
“a) Order the implementation of measures ensuring formal association and
of the DPO in all matters relating to data protection, in accordance with
with the requirements of Article 38 paragraph 1 of the GDPR. Although several ways can
be considered to achieve this result, one of the possibilities would consist of analyzing, with
the DPO, all committees/working groups relevant to data protection
and to formalize the modalities of its intervention (previous information from the agenda of
meetings, invitation, frequency, permanent member status etc.).
b) Order the provision of the necessary resources to the DPO in accordance with
with the requirements of article 38 paragraph 2 of the GDPR. Although several ways can
be considered to achieve this result, one of the possibilities would consist of unloading the
DPD and/or local members of his team of all or part of his other missions/functions
or to provide it with formal support, internally or externally, regarding the exercise of its missions
from DPD.
c) Order the implementation of measures allowing the DPO to inform and advise
formally inform the data controller of its obligations regarding the protection of
data, in accordance with Article 39 paragraph 1 a) of the GDPR. Although several ways
could be considered to achieve this result, one of the possibilities would be to implement
15places formal reporting of the DPO's activities to Management based on a frequency
defined. »
60. As for the corrective measures proposed by the head of investigation and by reference
in point 50 of this decision, the restricted training takes into account the procedures
carried out by the person inspected, following the visit by CNPD agents, in order to comply with the
provisions of articles 38.1, 38.2 and 39.1 a) of the GDPR, as detailed in these letters
of November 21, 2019 and September 30, 2020. More particularly, it takes note of the facts
following:
- As for the violation of article 38.1 of the GDPR providing for the obligation to associate the
DPD for all questions relating to the protection of personal data
personnel, the restricted training notes that the local contact person has been
designated DPO of the controlled body with effect from October 1, 2020.
However, the restricted training includes documents provided by the controlled
that this newly appointed DPO exercises his functions under the supervision of the DPO
of ... Group. The restricted formation therefore wonders whether the newly appointed DPD
designated is effectively involved in all matters relating to the protection of
personal data, and this in complete independence. Therefore, the
CNPD is of the opinion that the auditee has not sufficiently demonstrated its implementation
compliance with article 38.1 of the GDPR and considers that it is appropriate to issue a
compliance measure in this regard.
- With regard to the violation of article 38.2 of the GDPR providing for the obligation to
provide the necessary resources to the DPO, the controlled party affirms in its decision
position of September 30, 2020 that the newly appointed DPD by ... S.A.
devotes 50% of his working time to data protection issues and
that he is assisted by two lawyers who each devote 50% of their time to
work so that there will be 1.5 FTEs dedicated to data protection at
personal character.
In view of these elements, the restricted panel is of the opinion that the expectation of the chief
investigation of 1 FTE or more is achieved following the measures taken by the person inspected
course of the investigation. Consequently, the restricted panel considers that there is no
reason to issue a compliance measure in this regard.
- As for the violation of article 39.1 a) of the GDPR relating to the information mission
and advice from the DPO towards the controller, the controlled person sets out in
its position statement of September 30, 2020 the composition and operation of the
GDPR Board which will enable the newly appointed DPO to inform and
advise the data controller.
However, in view of the documents provided by the inspector, the restricted training
understands that the DPO (previously local contact point, without having exercised the
function of DPD) newly appointed by the controlled person carries out his missions under the
supervision of the DPO of ... Group, such that it is not demonstrated with
sufficiency by the controlled that the newly appointed DPO can effectively
fulfill its mission of providing information and advice to the data controller
16 controlled (...), and this in complete independence. Therefore, restricted training
considers that there is reason to issue a compliance measure in this regard.
Taking into account the foregoing developments, the National Commission sitting in
restricted formation and deliberating unanimously decides:
- to impose an administrative fine of one
amount of eighteen thousand euros (18,000 euros) with regard to the violation of the articles
38.1, 38.2 and 39.1. a) GDPR;
- to issue an injunction against the company “... S.A.” to take action
compliance with article 38.1 of the GDPR, within four months following the
notification of the decision of the restricted formation, the supporting documents for the implementation
conformity must be sent to the restricted training at the latest within this deadline,
especially :
ensure that the DPO is effectively involved in all questions relating to the
protection of personal data, and this in complete independence;
- to issue an injunction against the company “... S.A.” to take action
compliance with article 39.1 a) of the GDPR within four months following the
notification of the decision of the restricted formation, the supporting documents for the implementation
conformity must be sent to the restricted training at the latest within this deadline,
especially :
ensure that the DPO can effectively fulfill its mission of providing information and
advice to the person responsible for the controlled processing. (…)”.
By request filed with the administrative court registry on August 27, 2021, registered under
number 46401 of the roll, the company ... has filed an appeal for reformation, otherwise
to the annulment of the aforementioned decision of the CNPD of May 31, 2021.
Given that under the terms of article 55 of the law of August 1, 2018 on the organization
of the National Commission for Data Protection and the general regime on the
data protection, hereinafter referred to as “the law of August 1, 2018”, “An appeal against
the decisions of the CNPD taken in application of this law are open to the Court
administrative body which rules as judge on the merits. ", the court has jurisdiction to hear the
main appeal for reform directed against the aforementioned decision of May 31, 2021.
It follows that there is no need to rule on the subsidiary action for annulment appearing
in the application instituting proceedings.
In its response, the CNPD while referring to judicial prudence
as to the admissibility of the appeal, concludes to declare the appeal admissible in form.
It must be noted, as far as necessary, that if the fact of relating to prudence
of justice is equivalent to a dispute, a dispute not otherwise developed is
however, to be ruled out, given that it is not up to the court to make up for the deficiency of the
parties in the presentation of their arguments, it being further noted that the court does not foresee
grounds of inadmissibility which would have to be raised ex officio.
17 The main appeal for reform having, moreover, been introduced in the forms and
time limit of the law, is therefore admissible.
In support of its appeal and in fact, the plaintiff, while noting the retroacts
reviewed above, explains that it belongs to the ... group, whose parent company, established in
France, would have, for the group, designated on January 22, 2018 one of its employees as
data protection officer, hereinafter referred to as “the group DPO”, in accordance with
to the possibility offered to him through article 37, paragraph (2) of the GDPR. The plaintiff
further suggests that it would have, for its part, designated its own DPO with effect from the 1st
October 2020, of which she would have informed the CNPD on September 30, 2020, said appointment
having intervened in order to comply with the requirements set by the CNPD in its letter of
August 24, 2020.
In law, the plaintiff concludes, first of all, that the decision be reformed
referred from May 31, 2021, which would have wrongly held in its head a violation of article
38, paragraph (1) of the GDPR due to having considered that the group DPO would not have been
associated only indirectly with questions relating to the protection of personal data
personnel arising at the local level on the grounds that, on the one hand, the local point of contact,
the plaintiff's sole lawyer would not have been part of the group's DPO team, and,
on the other hand, the group DPO would only have been informed of the measures proposed by the
committee dedicated to data protection, hereinafter referred to as “the GDPR Board” - a body
established within the plaintiff whose mission would have been the definition, in Luxembourg, of
data protection strategies and related action plans -, who would have acted
as the contact person for data protection matters within the applicant, without
have been consulted at the earliest possible stage.
The plaintiff argues, in this context, that during the audit by the CNPD of 17
September 2018 to May 31, 2021, its internal organization would have evolved in the sense that the point er
local contact of the group DPD would have been appointed DPD Luxembourg with effect from 1
October 2020. It still falls under the guidelines concerning delegates to the
data protection of the “Article 29” Working Group on data protection of the
December 13, 2016, hereinafter referred to as “the guidelines”, as well as considerations
of the audit report of October 31, 2019 - according to which the association of the DPD with all
questions relating to the protection of personal data should be made as
as early as possible, that the DPO should be considered as an interlocutor within
the organization in question, in order to give its opinion and to be consulted in the event of violations of
data or in case of other incidents, and that he should be a member of the working groups
devoted to data processing activities, - that these criteria would have been respected in
the species.
Thus, both the group's DPD and its local contact point, who later became the DPD
Luxembourg, would have participated in numerous meetings at group level...,
respectively at the local level, the plaintiff further explaining that all questions
relating to the protection of personal data initiated in Luxembourg would first have been
received and analyzed by the local contact point and then communicated to the
DPO of the group for advice and support, these two people having worked in close collaboration
by telephone, respectively by means of computer communication
mainly in the event of a security incident, but also on questions relating to
processing operations implemented locally.
18 Furthermore, the group DPO would receive a monthly report from the point
local contact following the local executive committee, as well as monthly reporting relating to
data protection issues.
On the basis of these elements, the plaintiff considers that, contrary to what would be
supported by the decision referred, the group DPO would have been informed in real time by the point
of local contact, so as to be in a position to react immediately in compliance
with its obligations, and to be able to provide all the recommendations required in
within the framework of the GDPR, function taken over by the local contact point, following his appointment as DPO
Luxembourg, which would still continue to inform the group's DPD, as well as management
of the plaintiff.
After explaining the mission, as well as the composition of the GDPR Board, a body
internal advisory of the applicant composed of its various data processing services
personal, such as the local contact point which has become the DPD Luxembourg, the management of
human resources, internal and IT audit managers, as well as in the event of
need the managing director of the company..., the plaintiff explains having, during
the investigation, wished to modify its internal organization by appointing the local contact point of the
DPD of the group directly DPD Luxembourg, the latter personally attending the
meetings of both the GDPR Board, as well as, where necessary, meetings of the executive committee and
of the board of directors of the company.... She therefore contests the conclusion of the
CNPD according to which the Group DPO is not sufficiently directly involved in the
operational level in Luxembourg, while arguing that the said criticism would not be
sufficiently specified.
The plaintiff still relies, in this context, on Article 37, paragraph (2) of the
GDPR, to maintain that the group DPO would always have been easily reachable and would,
in addition, relying on the local contact, also easily reachable by the CNPD, by the
data subjects, as well as by the data controller, while highlighting the
circumstance that, on the one hand, the CNPD would have failed to report any
concrete deficiency on this subject, and, on the other hand, neither the GDPR nor the guidelines would impose
a physical presence of the DPO of a group.
Thus, by rejecting his explanations provided in relation to Article 37, paragraph (2)
of the GDPR as not being relevant and noting that the group DPO could not
be considered to have been directly, formally and permanently involved
in Luxembourg, the CNPD would have, according to the plaintiff, required physical presence and
permanent status of the group's DPO on site, obliging it to come out of legal texts
in force and which would, moreover, have been respected in this case through the point of
local contact having been appointed subsequently, out of pure diligence and in order to satisfy the requirements
unjustified actions of the CNPD, DPD Luxembourg with effect from October 1, 2020.
The applicant then relies on its information transmission schemes and
decision-making, as well as on the list of missions of the DPO to refute the conclusion of the
CNPD according to which the group DPO would simply be informed of the measures proposed by
the GDPR Board to the various decision-making bodies, so as not to be consulted at the stage
as early as possible of all questions relating to data protection. Gold,
all issues of an operational and strategic nature linked to the protection of
19 data would be identified, evaluated by the DPD Luxembourg and its team in a manner
systematically and communicated to management for decision-making.
On the basis of all of these elements, the plaintiff concludes that the law should be reformed.
decision referred for violation, by the CNPD, of article 38, paragraph (1) of the GDPR.
In its reply, the plaintiff emphasizes the structure
internal organizational structure of the group ... at the time of the audit carried out by the CNPD, materialized
by the appointment of a group DPO, responsible for all entities of the said group, who
would have been assisted by local contact points, as would have been the case in Luxembourg,
where the predicted DPO of the group would have been assisted by his local point of contact, a lawyer, by a
trainee employee become employee, as well as by the local IT team, a practice
authorized by Article 37, paragraph (2) of the GDPR. The local point of contact would have been designated
with regard to his skills and experience in matters of data protection and
would have acted, within the framework of a mandate within the meaning of the Civil Code, on behalf of the DPD of the group
with third parties, while reporting to the latter, and more particularly regarding meetings of the
executive committee, the GDPR Board and all working meetings regarding protection
data in Luxembourg.
In this context, the plaintiff focuses on the fact that the group DPO would have
was presented, together with its local data protection team in Luxembourg,
as the main contact for the people concerned, both internally and externally,
for questions relating to data protection. Thus, local contact points,
on the one hand, would work together with the group's DPD in order to define a policy
harmonized for the group while adapting it, if necessary, to local specificities and, other
share, would report the minutes of the meetings with the group DPO and all
of the data protection network, while internally organizing the implementation of policies
of data protection after information, respectively explanation and validation of the
responsible for the local processing concerned.
She further argues that as soon as the GDPR came into force, she would have communicated
an internal note for the attention of its staff in order to inform them of the terms of
the protection of personal data implemented.
On the basis of these elements, the applicant contests the CNPD’s approach consisting of
to separate, according to her, artificially the group's DPO from its local point of contact,
respectively to deny the role and missions of the local team, the plaintiff arguing,
in this context, that the CNPD would have made an overly restrictive, or even erroneous, interpretation of the
guidelines and would not have taken into account the functions of advice, information and
consultation conferred to the local contact point, as one of the members of the management team
protection of the group's data.... Thus, according to the plaintiff, the group's DPO and his
team would constitute a single whole and any action carried out by a member of the team of the
DPD of the group, in its name, should be considered as personally led by
the DPO of the group, in the same way that the action of an agent would be taken in the name of his
principal.
While reiterating its explanations regarding the functioning of the local contact point,
as well as the latter's participation in the GDPR Board, as well as in the groups of
local work and at meetings of the executive committee, the applicant questions the conclusion
of the CNPD according to which the DPO of the group could not be considered to have been
20consulted at the earliest possible stage regarding issues relating to the
data protection, while the CNPD would contradict itself on this subject by retaining, on the one hand, the
processing methods and analysis at the first level of the opinions and recommendations of the DPD
of the group and feedback from the local contact point to the GDPR Board, and, on the other hand, that the
DPD of the group would simply have been notified of the minutes of said meetings, therefore
after decisions have been made.
With regard to the CNPD's criticism, within the framework of the argument based on a
breach of Article 38, paragraph (1) of the GDPR, according to which the local contact function
would have been only an incidental activity to the function of legal responsibility of the person
concerned, the applicant contests the said analysis of the CNPD by suggesting that
both the group’s DPO and its local contact point in Luxembourg are said to be former lawyers
and experienced lawyers, so as to be perfectly able to carry out their mission,
while still specifying that the group DPD would be in daily contact with the positions
operational in Luxembourg to manage data protection issues
personal.
Furthermore, the group DPD would be immediately consulted in the event of an incident,
respectively in the event of a personal data breach. Thus, the involvement of the latter,
together with the relevant local point of contact, in accordance with the procedures for
usual governance of the group ..., should have led the CNPD to remember that the DPD of the group
would fulfill its advisory and information functions appropriately and in a timely manner.
The plaintiff ultimately contests the CNPD's assertions that the
DPD of the group, on the one hand, would not participate in meetings in Luxembourg, and, on the other hand,
would not be part of the GDPR Board, highlighting the circumstance that the said DPO is there
would be represented by its local contact point, who would fulfill its advisory obligations and
information from the controller in an appropriate and timely manner in
carrying out reporting both to the management of the applicant and to the DPD of the
band. It further specifies, in this context, that, contrary to what the CNPD would assert,
the existence of the GDPR Board would have been brought to its attention during the audit on
place.
The applicant concludes from all of these elements that the decision referred from the
CNPD should be reformed for having wrongly taken responsibility for a breach of Article 38,
paragraph (1) of the GDPR.
Secondly, the applicant concludes that the decision referred from the
May 31, 2021 for violation, otherwise misapplication of article 38, paragraph (2) of the
GDPR, on the grounds that the CNPD would have wrongly assumed that it would not have allocated the resources
necessary for the group DPO, and more particularly for his local point of contact, who
would have been the only lawyer of the Luxembourg entity having, moreover, had other missions,
to effectively carry out its missions relating to the protection of personal data.
In this context, the applicant notes, first of all, that the audit report would have retained
that compliance with the conditions set out in Article 38, paragraph (2) of the GDPR would imply
the occupation of at least one full-time job, hereinafter referred to as “FTE”, for the team
responsible for data protection. It then details the organizational arrangements
of its teams dedicated to data protection, both at central level, where the group DPO
would have a team called the “Central Data Protection Office” or “Global
21Data Protection Office”, composed of two lawyers specializing in data protection
data, a network of local contact points dedicated to data protection, as well as
of a project manager, only at the local level, where, on the date of the contested decision, the point of
local contact of the group DPO, would have been appointed as DPO Luxembourg and would have been
assisted by a lawyer, both of whom can, moreover, rely on the international expertise of the
group ... through the group DPO.
As for the volume of personal data processed, the plaintiff argues that the
CNPD would have made an error in assuming that it had 2,100 employees spread over 70
sites and would cover around 25,000 consumers per day, while, although it itself would have
indicated the said figures in its general presentation of the group ... in Luxembourg addressed to the
CNPD, it would have specified, in the questionnaire completed at the opening of the disputed audit, that
the personal data processed only concerns 5,000 people, including 1,600 employees.
She further criticizes the decision referred, with regard to the breach alleged against her
in relation to Article 38, paragraph (2) of the GDPR, while the requirement to formalize the
distribution of the DPO's working time and other personnel resources that the assistant does not
would emerge from any binding legal text, but at most from guidelines. By
elsewhere, at the time of the audit, the CNPD would not have published formal guidance on this subject, which
which leads the plaintiff to maintain that in view of the absence of details and explanations
relating thereto on the part of the CNPD, no lack of resources, nor the absence of analysis of
existing resources cannot be blamed. She would nevertheless, without however
recognize the slightest violation of the GDPR on its part, on the one hand, provided, by mail of 30
September 2020, details to the CNPD regarding the functioning of its staff dedicated to
the protection of personal data, and, on the other hand, reinforced the effective time exclusively
devoted to this area by the DPD Luxembourg by setting it at 50% of his working time,
while having assigned a team of two lawyers also working, for 50% of their
working time, on issues relating to the protection of personal data.
While reiterating its conclusions regarding the absence of a legal basis imposing the
formalization of the working time devoted by its staff to questions relating to
protection of personal data, formalization which would only be based on an interpretation
extremely extensive, erroneous and subjective of the GDPR by the CNPD, the plaintiff
further criticizes the decision referred, on the one hand, for not having taken into consideration its
IT tools used as part of its daily activity of managing the
compliance with GDPR rules, tools complementing human resources
necessary for the processing of personal data, and, on the other hand, for not having provided
objective criteria likely to justify the volume of FTEs required by the CNPD. She notes
ultimately that the CNPD would have failed to report any deficiency, absence
response, or even inappropriate response time, with regard to the question of processing
personal data, having been able to lead to the conclusion that its internal organization would have
not been sufficient in terms of resources allocated to this area.
In her reply, the plaintiff, re-exposing her internal organization
in Luxembourg in terms of data protection initially marked by a point of
local contact of the group DPD, who later became the DPD Luxembourg, who would be assisted
by a lawyer, as well as, where applicable, by a project manager deployed by the group... to
the Benelux region, by the director of human resources, as well as by the head of
IT department, each for their area of expertise, argues that the CNPD
would have failed to take these elements into consideration.
22 With regard to determining the appropriate working time to be devoted to
questions relating to the protection of personal data, duration fixed in this case by the
CNPD to the occupation of an FTE, the plaintiff maintains, first of all, that such a fixation
would not be an obligation, contrary to the approach of the CNPD in the contested decision,
but good practice, in accordance with the guidelines, which would only
provide a non-exhaustive list of elements that can be taken into account.
In this context, the plaintiff further criticizes the contested decision for not
having considered, in its analysis relating to the allocation of sufficient working time, the other
elements highlighted by the guidelines and clearly documented during the audit, such as
more particularly the circumstance that the local DPO team of the group(i) would have a contact
direct and regular with its management, (ii) would have all the financial resources and
infrastructure necessary for the proper accomplishment of the missions, (iii) would have carried out all
the necessary communications in relation to the appointment of the DPO of the group and the point
local contact with employees and third parties, (iv) would have necessary access to other
services, (v) would regularly follow training in order to maintain knowledge in
matters of data protection and (vi) would have set up an entire data protection team
data.
Furthermore, the applicant calls into question the argument of the CNPD according to which
the time to be devoted by a DPO to the tasks and missions assigned to him, which would include
in particular the establishment and maintenance of the register of processing activities, the drafting of
internal data protection procedures, issuing opinions on the need
of an impact analysis and verification of the effective implementation of the latter, maintaining
documentation on site, would be multiplied exponentially depending on
the scale of the companies chosen for control and according to the consecutive importance
processing carried out by the said companies, while the CNPD would not have taken into account, in
the species, to the organization of the group... and to its technical tools, which should have brought
the latter concluded that the resources allocated to data protection
personal would be sufficient.
The applicant ultimately still insists on the lack of visibility in the criteria
used by the CNPD to determine whether or not it complies with the resources allocated to the
DPD, the method of calculating the ETP not having been clear, due to not having taken into account
neither all the people participating locally in data management nor the other criteria of the
Guidelines.
The applicant concludes from all of these elements that the decision referred from the
CNPD should be reformed for having wrongly taken responsibility for a breach of Article 38,
paragraph (2) of the GDPR.
Finally, the applicant considers that the decision referred should incur the
reformation for violation of Article 39, paragraph (1), a) of the GDPR for having held that
the DPO of the group, due to not having been involved in an appropriate and timely manner
to all questions relating to the protection of personal data arising in the
level of the Luxembourg entity of the group ..., would not have respected its obligation
information and advice from the data controller, the subcontractor respectively the
employees processing personal data.
23 Based on recital no. 97 of the GDPR according to which the DPO should help the
data controller to verify compliance, internally, with the GDPR, as well as with the
guidelines, the applicant argues that the conclusions of the CNPD would not be based
on no binding textual element nor on any valid factual element. Thus, according to the
applicant, its operating methods at the time of the audit, with regard to the
direct feedback of information, between the local point of contact to the group DPO, from this
last towards the group management, as well as from the local point of contact to the executive committee,
should not have led the CNPD to find, in this case, a violation of Article 39,
paragraph (1), a) of the GDPR.
She further argues, in this context, that if the CNPD's conclusion that the
circumstance that the local point of contact reports to the management of the Luxembourg company
would constitute a violation of the GDPR on the grounds that the group DPO would only be indirectly
associated, should be validated, this would prevent any large international group from appointing
a DPD for the said group and to put in place a structured organization for the protection
data, even though such an option would be expressly admitted by Article 37,
paragraph (2) of the GDPR. Without recognizing the slightest violation on her part, the plaintiff
finally specifies that at present the local contact point, now the DPD Luxembourg,
would report directly to the data controller in Luxembourg.
In its reply, the plaintiff, while noting that the CNPD, of a
hand, would have rightly held that the information and advice obligations of the person responsible for
processing referred to in Article 39, paragraph (1), a) of the GDPR would necessarily be intertwined
in those referred to in Article 38, paragraph (1) of the GDPR, and, on the other hand, would have recognized
the existence of a transmission of information within the group ... from the local contact point
to the Group DPD, from the latter to the group's CEO, as well as
from the local contact point to the local executive committee, reiterates its argument relating to a
violation, by the CNPD, of article 39, paragraph (1), a) of the GDPR, due to having retained
the absence of a direct transmission of information between the local point of contact and the DPO
of the group.
She again notes, in this context, a contradiction in the legal argument
of the CNPD in that the latter would argue, on the one hand, that a group of companies could
provide for direct transmission of information between the group DPO and the manager of the
local treatment to, on the other hand, admit that it would be practically impossible, in
groups of companies of such importance as the group ..., to organize regular meetings
between the group DPO and the local contact point of the different entities. According to
plaintiff, the fact, for the CNPD, to consider that it would not respect article 39,
paragraph (1), a) of the GDPR due to the transmission of information from the contact
local, representative of the group DPO, directly to the local data controller,
would constitute an error of fact and law and should lead to the reformation of the decision
under review. The applicant insists, in this context, on the fact that such reporting, in addition
to be perfectly in line with the applicable provisions regarding the protection of
data, would have the advantage of being more precise and adapted to local specificities due to
come from a person that managers and employees would encounter on a daily basis. The position
of the CNPD would, moreover, ultimately lead to prohibiting the practice of a shared DPD for a
group of companies assisted by local teams, a practice however expressly authorized by
Article 37, paragraph (2) of the GDPR.
24 The plaintiff ultimately refutes the CNPD’s argument consisting of denying, in
the species, any foreign element must have led the latter to make contact with a
supervisory authority of another Member State, in accordance with Article 57, paragraph (1), g)
of the GDPR, such as in this case the National Commission for Information Technology and Liberties,
hereinafter referred to as the “CNIL”, even though the group’s DPD would be established in France,
while having, in each entity of the group, a data protection team
local.
In the alternative, the applicant requests the annulment of the decision referred to
accusing the CNPD of having committed an excess, if not a manifest misuse of power
by finding a violation of Articles 38, paragraphs (1) and (2), respectively 39, paragraph
(1), a) of the GDPR. She argues, in this context, that the requirements of the CNPD
would correspond more to illegal interference in its internal governance than to
the exercise of one’s discretion regarding the appropriateness of making decisions
based on applicable legal and regulatory texts.
The plaintiff further notes that its parent company, as well as its French subsidiaries
would also have been the subject of an investigation, similar to that of the CNPD, by the CNIL,
which, on the one hand, would not have identified any anomaly, or even non-compliance with the GDPR, and,
on the other hand, would not have made any particular remarks when appointing the DPO of the
group on April 3, 2018. In view of the circumstance that through the mail of his
litism of January 26, 2021, the CNPD would have been informed of the predicted investigation of the
CNIL, it would have been up to it, for the sake of consistency, to contact this
the latter, in its capacity as lead supervisory authority in accordance with Article 60 of the GDPR,
in order to discuss the data protection governance defined by its parent company for
the group ....
The plaintiff finally argues, in the context of her argument based on excess,
if not a manifest misuse of power on the part of the CNPD, what sanction will be adopted
in his charge would fail to comply with the principles of adequacy and proportionality of Article 83 of the
GDPR on the grounds that no specific breach in law, if not in fact, would have been alleged against it,
that no damage was noted by the CNPD and that it would always have collaborated in
as far as possible with the CNPD during the entire control period.
The CNPD concludes that all the means invoked by the plaintiff to be rejected
unfounded.
The court must, first of all, recall that it is not bound by the order of means, such
as presented by the parties, but has the ability to assess them following a good
administration of justice and the useful effect resulting from it, so that it is necessary to analyze,
initially, the grounds alleging a violation of Articles 38, paragraph (1) and 39,
paragraph (1), a) of the GDPR due to the complementary nature of said provisions.
Under the terms of Article 38, paragraph (1) of the GDPR “The controller and
the subcontractor ensures that the data protection officer is associated, with
appropriately and in a timely manner, to all matters relating to the protection of
personal data. », it being specified that it appears from the guidelines that “[i]t is
essential that the DPO, or his team, is involved from the earliest possible stage in all
questions relating to data protection. Regarding impact analyzes
relating to data protection, the GDPR expressly provides for the participation of the DPO
25at an early stage and specifies that the controller must seek advice from the DPO
when carrying out an analysis of this type. Information and consultation of the DPO from the start
will facilitate compliance with the GDPR and encourage an approach based on
data protection by design; it should therefore be a usual procedure in
within the governance of the organization. Furthermore, it is important that the DPO is seen as
a contact within the organization and be a member of the dedicated working groups
data processing activities within the organization.
Therefore, the organization should ensure, for example, that:
- the DPO is invited to regularly participate in management meetings
upper and intermediate;
- its presence is recommended when decisions having implications in
data protection matters are taken. All relevant information
must be transmitted to the DPO in good time to enable him to provide a
adequate notice;
- the opinion of the DPO is always duly taken into consideration. In the event of disagreement, the
G29 recommends, as a good practice, recording the reasons for
which the advice of the DPO was not followed;
- the DPO is immediately consulted when a data breach or other
incident occurs. (…)”.
Furthermore, under Article 39, paragraph (1), a) of the GDPR, one of the missions of the
DPD is notably to “(…) inform and advise the data controller or data processor
processing as well as the employees who carry out the processing on the obligations which they
are responsible under this Regulation and other provisions of Union law or
data protection law of the Member States; (…)”.
It appears from the preceding community provisions that, as rightly noted
by the CNPD, so that the obligation of article 39, paragraph (1), a) of the GDPR, requiring
information and advice to the controller from the DPO, may be
accomplished effectively, it is necessarily and imperative that said DPD be,
in accordance with article 38, paragraph (1) of the GDPR, associated, within the entity in question,
to questions and projects involving data protection issues
personal information at the earliest possible stage.
In this context, there is, in this case, place to distinguish, what concerns the organization
disputed material of the plaintiff relating to the field of data protection, between
several phases, (i) the first having been marked by the designation of the DPO of the group, which
had, in all entities of the group, a local contact point, an organization which was
in place at the time of the opening of the CNPD investigation on September 17, 2018, organization
having been modified, during the investigation, (ii) by the addition, at the level of the applicant, of the GDPR
Board, it being specified that the exact date of establishment of the said Board does not emerge from the documents
submitted to the analysis of the court, the plaintiff having mentioned it in her presentation of 21
January 2019 and (iii) by the circumstance that from October 1, 2020, the group ... has,
on the one hand, a DPO of the group, and, on the other hand, with regard to the plaintiff, a
DPD in Luxembourg, who was previously the local point of contact for the group's DPD.
The court must, at this stage, immediately note that the plaintiff's argument
consisting of reproaching the CNPD for not having taken into consideration, in its decision of 31
May 26, 2021, the measures taken during the investigation and prior to making the said decision
should be rejected as lacking in foundation.
Indeed, it emerges explicitly from the predicted decision, a position further confirmed by the
CNPD in the context of its response and rejoinder, which the latter retained
that to establish the applicant's breaches of the GDPR, she only had regard to the facts
as they existed on the day the investigation was opened and any modifications
carried out by the applicant during the investigation and before the contested decision was taken
do not make it possible to eliminate a noted breach, the court adopting, in
the present case, the same approach as to the alleged breaches and as to the principle of
the fine to be withheld, if applicable, payable by the plaintiff.
Please ensure prior to the appointment of a specific DPO for the applicant in
date of October 1, 2020, the group ... had a DPD for the entire group,
in accordance with the possibility offered to him by article 37, paragraph (2) of the GDPR under the terms
of which “A group of companies may appoint a single data protection officer to
provided that a data protection officer is easily reachable from
each place of establishment. ".
As for the organization concretely put in place between the group's DPO and his point
local contact in Luxembourg, it must be noted that even if such a situation
is a priori conceivable under the terms of article 37, paragraph (2) of the GDPR, it appears, all
first, of the preliminary questionnaire completed by the applicant and sent to the CNPD on 5
October 2018, with regard to the composition and operation of the dedicated team within
of the group ... to data protection, that “(…) the DPO [of the group] has established:
- A Central Data Protection Office (“Global Data Protection”
Office") composed of two lawyers specializing in data protection
of a personal nature. This team works transversally on the
issues related to the protection of personal data for
all of the Group's activities.... This team also supports the
local contact points dedicated to the protection of personal data
in order to ensure consistency in compliance management within the group.
- A network of local contact points dedicated to data protection
personal character who are able to communicate effectively with
data subjects and to cooperate with the competent supervisory authorities
in the language used by the supervisory authorities and data subjects
question. (…)”.
The applicant further specifies, in the said questionnaire, that the group’s DPO “(…)
organizes weekly meetings with his team centrally and monthly meetings
or quarterly with local contact points dedicated to data protection at
personal character. (…)”.
The court must also note that in the plaintiff's position of 22
November 2019, following the communication of the final audit report dated October 31
2019, it explains that “[a]ll questions relating to data protection
personal data initiated in the Grand Duchy of Luxembourg are received and analyzed in a
27firstly by our contact point dedicated to data protection in Luxembourg (the
“Local Contact Point”), (…).
The Local Contact Point works in close collaboration with the Global DPD -
including by telephone, Skype meetings or emails as much as necessary - for all
questions requiring information, analysis, advice or prior consultation of the
DPD Globale, particularly in the event of a security incident but also on questions affecting
to processing operations implemented locally. The Local Contact Point is thus
responsible for managing the compliance of personal data processing carried out
implemented by ... S.A. under the supervision of DPD Globale to whom [he] reports his actions.
... S.A. has also established a committee dedicated to data protection in Luxembourg
(the “GDPR Board”), which defines the strategy on these subjects and the associated action plans of...
HER.
The GDPR Board is composed today as follows:
- The Local Contact Point
- The Director of Human Resources of ... S.A.
- The Head of Internal Audit of ... S.A.
- The IT Manager of... S.A.
- When necessary and on the basis of the opinions and recommendations [of the DPO of
group], the managing director of ... S.A. is invited to participate in this Committee
GDPR.
The GDPR Board now meets at least 8 to 10 times per year (the “Meetings”).
of the GDPR Board).
During these meetings, the GDPR Board processes and analyzes at the first level opinions and
recommendations from the Global DPD and feedback from the Local Contact Point, and manages
operationally issues and requests regarding data protection
personal data from Luxembourg (data subjects, supervisory authority, etc.).
At the end of each GDPR Board Meeting, minutes are drawn up to record
the measures to be implemented on the data protection topics discussed.
The GDPR Board's proposals are then communicated to the various bodies
decision-making of ... S.A., according to the following grid:
Decisions regarding the protection of decision-making bodies
personal data
Emergency and operational decisions Managing Director of ... S.A. or
(BtoB contractual relations and questions General Manager and administrator of...
general) S.A. delegated by the Administrator-
delegate.
Emergency and strategic decisions COMEX (management committee at the
in connection with the rights of Luxembourg) composed of the Director General
persons concerned (data breach, and administrator, the Director of
urgent regulatory measures, etc.) business operations, administrations,
sports & leisure, the Director of Operations
28 school and health, the Director of Activities
seniors, the Project Director, the Director
administrative and financial, the Director of
human resources, the “Operations Service
Director”, the Marketing Director and
communication and the Sales Director
of his.
Strategic decisions for the company at the Board of Directors of ... S.A. or
term (global policies, policies of General Manager and administrator of ...
security, etc.) S.A. delegated by the said council.
The proposals transcribed in the minutes of the GDPR Board Meeting,
depending on their nature, will be validated and implemented by the Managing Director, otherwise by
the COMEX otherwise by the Board of Directors or the Managing Director and administrator of
... S.A. delegated by the Managing Director or the Board of Directors.
To date, the Global DPD receives the minutes of the GDPR Board and is therefore
involved in managing compliance with the provisions of the GDPR in Luxembourg, including
understood on purely operational subjects, through the questions raised by
the Local Contact Point and subsequent compliance actions.
On the basis of the elements presented above, all the issues of nature
operational and strategic aspects related to data protection are identified, evaluated and
addressed by DPD Globale and its dedicated teams in Luxembourg in a systematic manner
and, communicated to the management of ... S.A. for decision making. These decisions relating to the
protection are formalized in a summary file kept by fiscal year.
Nevertheless, ... S.A. has noted the reinforced requirement of the CNPD to ensure more
close proximity of the Global DPD with the entity's senior management.
Consequently, ... S.A. and DPD Globale are committed to strengthening its compliance with
Article 38 (1) of the GDPR for the implementation of the following actions:
- Personal participation of the Global DPD in GDPR Board Meetings
at least twice a year;
- The personal participation of DPD Globale if necessary at the COMEX
or to the Board of Directors for any subject that may require
clarifications on its opinions and recommendations or an exchange on a
particular problem;
- The organization of two annual physical meetings between the management of
... S.A. and DPD Globale. (…)”.
It also emerges from the information charter on the processing of data
personal character of the collaborators of ..., and more particularly of its appendix 1 entitled
“Global complaints management policy/requests management
complaints/requests relating to data protection rights
personnel” that the complaints management procedure is carried out, initially,
exclusively from the local contact point and only if the solution proposed by this
29last does not satisfy the complaint, that the DPO of the group is sent the file in order to
1
to find another solution than that initially proposed by the local contact point.
On the basis of these elements, the court must note that it does not appear from the elements
submitted, that the intervention of the DPO of the group, with regard to questions relating to the
protection of personal data arising at the level of the applicant, is done
at a stage in accordance with Articles 38, paragraph (1) and 39, paragraph (1), a) of the GDPR, then
that the said DPD, according to the organization initially put in place at the start of the control of the
CNPD, as well as following the establishment of the GDPR Board, can only carry out a control
a posteriori of the decisions already taken by the point of contact, respectively by the
GDPR Board.
The court must more particularly note in this context that the plaintiff is
remained in default of submitting any element establishing in particular the establishment
of a common policy within the group ... for its various local contact points
as to the position to be adopted regarding different processing of personal data
personal, respectively regarding incidents relating thereto.
Furthermore, although the plaintiff argues that there is a communication
regularly between the group DPO and its local contact point in Luxembourg, through
telephone calls, videoconferences and emails, in order to exchange
on the position to be adopted by the latter in relation to questions relating to the protection of
personal data with which he is confronted, no document documenting such
exchanges has not been paid in the context of the dispute under examination, such as in particular the
communication of the agenda of GDPR Board meetings prior to the holding
of said meetings, together with a proposed position from the local contact point
to be approved by the group DPO prior to decision-making.
The court must therefore note that the group DPO was not involved in due time
to questions relating to the protection of personal data arising at the level
of the plaintiff, nor was therefore able to usefully inform and advise the person responsible for
processing, its subcontractor, respectively the employees concerned, while the organization
implemented at the start of the control operated by the CNPD, as well as with the implementation of the GDPR
Board focused exclusively on the local contact point which had to, on the one hand, deal with,
initially, both the incidents, in accordance with appendix 1 of the information charter
on the processing of personal data of employees of ..., and, on the other hand,
take a position on issues relating to the protection of personal data
arising at the level of the plaintiff, without it being established that the DPD of the group
has previously been consulted, respectively providing indications as to the procedure to follow.
1Article 4 entitled “complaints management procedure” of appendix 1 entitled “Global complaint management policy”
management of complaints/requests management of complaints/requests relating to rights in matters of
protection of personal data » of the information charter on the processing of personal data
staff of employees of ... Luxembourg specifies, with regard to the 4th stage of the said procedure, that
“(…) If you accept the solution proposed by your local Contact dedicated to the protection of personal data
staff, we will work with you to meet your expectations. If the solution solves your
Complaint, your local Contact will close the file. In the event of disagreement, your Complaint will be forwarded to the
Group Data Protection Officer of ... (…)”.
30 It follows from the above considerations that the plaintiff's arguments based on
a violation, by the CNPD, of articles 38, paragraph (1) and 39, paragraph (1), a) of the GDPR
must incur rejection for lacking foundation.
This conclusion is not called into question by the plaintiff's argument.
relating to the reachability of the group DPO, respectively the local contact point, as well as
on the fact that no deficiencies or delays in the processing of
questions relating to the protection of personal data, while these elements
are foreign to the question of the involvement of the group DPO in the decision-making process
and advisory within the plaintiff.
With regard to the plaintiff's plea alleging a violation of Article 38,
paragraph (2) of the GDPR according to which “The controller and the processor
assist the data protection officer in carrying out the tasks referred to in Article 39 by
providing the resources necessary to carry out these missions, as well as access to data
of a personal nature and processing operations, and allowing it to maintain its
specialized knowledge. ", it should be noted that the guidelines specify, in this regard
which concerns the resources to be made available to a DPO, that “(…) the following aspects,
in particular, must be taken into consideration:
- active support of the DPO function by senior management (e.g.
at board level);
- sufficient time for DPOs to carry out their tasks. This aspect
is particularly important when an internal DPO is appointed in time
partial or when the external DPO is responsible for data protection in
plus other tasks. Otherwise, conflicting priorities could lead to
that the tasks of the DPO are neglected. It is essential that the DPO can
devote sufficient time to your missions. It is good practice to
set a percentage of time devoted to the DPO function when this
position is not occupied full-time. It is also good practice to
determine the time required to perform the function and the level of
appropriate priority for the DPO's tasks, and that the DPO (or organization)
establish a work plan;
- adequate support from the point of view of financial resources, infrastructure
(premises, installations, equipment) and personnel, if applicable;
- official communication of the appointment of the DPO to all staff
to ensure that its existence and function are known to the
within the body;
- necessary access to other services, such as human resources, service
legal, IT, security, etc., so that DPOs
can receive essential support, input and information from
these other services;
- continuing education. DPOs must be able to maintain their
up-to-date knowledge regarding developments in the field of
Data protection. The goal should be to constantly increase the
level of expertise of DPOs and they should be encouraged to participate in
training courses on data protection as well as other forms
professional development, such as participating in forums on
privacy protection, workshops, etc. ;
31 - given the size and structure of the organism, it is possible that it
must set up a DPO team (a DPO and his staff). In similar
case, the internal structure of the team as well as the tasks and responsibilities of
each of its members must be clearly established. Likewise, when the
The DPO's function is carried out by an external service provider, a team
of persons working on behalf of this entity may exercise, within the
facts, the missions of the DPD as a group, under the responsibility of a
designated primary contact person for the customer.
Generally speaking, the more complex or sensitive the processing operations are,
the greater the resources allocated to the DPD will have to be. The protection function of
data must be effective and provided with adequate resources with regard to data processing
accomplished. ".
It should be noted that providing the DPO with sufficient resources to be able to
correctly carrying out the large number of missions entrusted to him necessarily implies
the sufficient allocation of working time of the person, respectively of the persons in
responsible for questions relating to the protection of personal data, time of
work and resources that it is up to the applicant to quantify and formalize at risk
otherwise to make any control on the part of the CNPD illusory.
In this context, the court must note that it is common ground that the
applicant, at the start of the CNPD investigation and until the appointment of the point of contact
in Luxembourg as DPD Luxembourg, had not otherwise formalized the duration of the
working time that he had to devote to questions relating to the protection of
personal data, it being further noted that said point of contact was, moreover, following
the plaintiff's own statements, her only lawyer.
This observation alone is already sufficient to establish a violation of Article 38, paragraph (2) of the
GDPR, to the extent that the organization set up by the applicant at the level of its
personnel dedicated to the protection of personal data made any control of the adequacy
personnel resources devoted to it impossible.
It is still clear that the plaintiff's activity has a certain scope
in Luxembourg to encompass, according to the information provided by the applicant, 70 sites,
between 1,600 and 2,100 employees and 25,000 consumers daily, so that, on the one hand,
on the other hand, the requirement of the CNPD that the applicant should have, at least, charged one person
working full-time on issues relating to the protection of personal data
personnel cannot be called into question, and, on the other hand, that the working time devoted
initially by the local point of contact for said task - who had in addition, as retained below -
before, to directly assume the related work, while the intervention of the group DPO does not
was only done a posteriori – duration which the plaintiff quantified as corresponding to a
part-time work, was rightly considered by the CNPD to be insufficient.
It follows from all the above considerations that the CNPD is right to
found, on the part of the plaintiff, a violation of Articles 38, paragraphs (1)
2
In its preliminary questionnaire submitted to the CNPD on October 5, 2018, ... indicates that 5,000 people, including
1,600 employees, would be concerned by its processing of personal data, factual indications which
must however be considered erroneous, to the extent that the questionnaire required, on this point, the
annual number of customers.
32 and (2), as well as 39 of the GDPR, without committing an excess, otherwise a misuse of power
manifest and that all of the plaintiff's means relating thereto must be rejected for
lack foundation.
The court must still refute, in this context, the plaintiff's argument
consisting of maintaining that the CNIL would have reached another conclusion during its control of
the parent company of the group ..., as well as other entities of the said group located in France, then
that apart from the fact that neither the court nor the CNPD are bound by decisions, respectively
case law emanating from administrative authorities or courts of other countries, the said
control carried out by the CNIL does not a priori concern the structure of the applicant in
Luxembourg, so that the related conclusions not otherwise detailed are not
relevant in this case. In this context, it should be remembered that an administrative act
individual, and more particularly that which is likely to cause harm to its recipient
or to third parties, benefits from the presumption of legality as well as conformity by
relation to the objectives of the law on the basis of which it was taken, so that it belongs to that
who claims to suffer unjustified harm or inconvenience as a result of the administrative act
in question, and who therefore wishes to see it reformed or canceled with a view to obtaining a situation
which is more favorable to him, to concretely establish how the administrative act in question
3
violates a rule set by a law or a grand-ducal implementing regulation.
Furthermore, an administrative act is a priori authentic based on the content it contains and it
It is up to the administered person to establish that this content is contrary to reality in fact, otherwise to such
applicable rule of law, which the plaintiff has failed to do.
As for the violation of the principle of proportionality put forward by the plaintiff,
it should be noted that under the terms of article 48 of the law of August 1, 2016, “(1) The CNPD
may impose administrative fines as provided for in Article 83 of Regulation (EU)
2016/679, except against the State or municipalities. (…)”.
According to article 83 of the GDPR, “1. Each supervisory authority ensures that the
administrative fines imposed under this article for violations of this
regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate
and dissuasive.
2. Depending on the specific characteristics of each case, administrative fines are
imposed in addition to or in place of the measures referred to in Article 58(2), points
a) to h), and j). To decide whether to impose an administrative fine and to decide on
amount of the administrative fine, duly taken into account, in each specific case, of the
following elements:
a) the nature, seriousness and duration of the violation, taking into account the nature, scope
or the purpose of the processing concerned, as well as the number of data subjects
affected and the level of damage they have suffered;
(b) the fact that the violation was committed deliberately or negligently;
(c) any measures taken by the controller or processor to mitigate
the damage suffered by the persons concerned;
3Trib. adm., July 16, 2003, No. 15207 of the roll, Not adm. 2023, V° Administrative acts, n°158, 1 part and the others
references cited there.
4Adm. Court, January 11, 2007, No. 21679C of the roll, Not admitted. 2023, V° Administrative acts, n°1 part and the
other references cited there.
33 d) the degree of responsibility of the controller or processor, takes into account
taken into account the technical and organizational measures that they have implemented under the
sections 25 and 32;
e) any relevant breach previously committed by the controller
or the subcontractor;
(f) the degree of cooperation established with the supervisory authority with a view to remedying the
violation and to mitigate possible negative effects;
(g) the categories of personal data affected by the breach;
(h) the manner in which the supervisory authority became aware of the violation, in particular
whether, and to what extent, the controller or processor has notified the breach;
(i) where measures referred to in Article 58(2) have previously been
ordered against the controller or subcontractor concerned for the
same object, compliance with these measures;
(j) the application of codes of conduct approved pursuant to Article 40 or
certification mechanisms approved pursuant to Article 42; And
k) any other aggravating or mitigating circumstance applicable to the circumstances of
the species, such as financial benefits obtained or losses avoided, directly or
indirectly, due to the violation.
3. If a controller or processor deliberately or throughly violates
negligence several provisions of this regulation, within the framework of the same operation of
processing or related processing operations, the total amount of the administrative fine does not
cannot exceed the amount set for the most serious violation.
4. Violations of the following provisions are subject, in accordance with paragraph
2, administrative fines of up to EUR 10,000,000 or, in the case of
company, up to 2% of the total annual worldwide turnover of the preceding financial year, the
highest amount retained:
a) the obligations incumbent on the controller and the processor under
articles 8, 11, 25 to 39, 42 and 43;
(b) the obligations of the certification body under Articles 42
and 43;
c) the obligations incumbent on the body responsible for monitoring codes of conduct in
under Article 41, paragraph 4. (…)”.
It appears from paragraph (4) of the aforementioned article 83 of the GDPR that violations of the GDPR
held against the plaintiff are a priori sanctioned by fines
administrative costs which may amount to up to 10,000,000 euros or, in the case of a company,
up to 2% of the total annual worldwide turnover of the preceding financial year, noting that
the failings alleged against the plaintiff were indeed noted at the time of the inspection,
observation which cannot be called into question by the compliance measures implemented
subsequently, in this case by designating the local contact point as DPO at the
Luxembourg, respectively by the formalization of the latter's working time, as well as
by making two other people available to assist him from now on.
As regards then the amount of the fine retained, which amounts to
18,000 euros, the defendant rightly noted that it appears from the decision
deferred that the said amount was justified by the fact that the breaches noted were of a
certain seriousness (i) for having been likely to reduce the interest of the obligation for an organization
34to appoint a DPO, (ii) to concern a potentially large number of people, and (iii)
for having lasted at least from May 25, 2018 to October 1, 2020, while retaining that the
applicant had demonstrated good collaboration with the supervisory authorities and that
several measures had been put in place to remedy the shortcomings before the
pronouncement of the sanction.
It follows that the disputed fine must be considered to be perfectly adequate
and proportionate taking into account the criteria of Article 83, paragraph (2) of the GDPR, so that
the plaintiff's related plea must also be rejected.
This finding is not called into question by the plaintiff's argument according to
for which no specific breach could have been blamed on him, an assertion to be rejected in light of
of the conclusion above reached by the court as to a violation, in the head of the
plaintiff, Articles 38, paragraphs (1) and (2), as well as 39 of the GDPR. It is the same
developments from the plaintiff as to the absence of any damage having
resulted from violations of the GDPR obligations held against him, when it is not a question
necessarily of a criterion to be taken into account for the determination of the sanction to be
pronounce.
In view of the above considerations and in the absence of specific conclusions to
with regard to the compliance measures ordered by the decision referred, the appeal is
yet to be rejected as to this aspect of the case.
In view of the outcome of the dispute, there is no reason to grant the company's request...
in allocation of procedural compensation of 2,500 euros requested on the basis of the provisions
of article 33 of the amended law of June 21, 1999 relating to the rules of procedure before the
administrative courts.
The CNPD failing to justify to what extent it would be inequitable for it to support
only the costs not included in the costs, she must also dismiss her request in
allocation of procedural compensation in the amount of 5,000 euros.
For these reasons,
the administrative court, fourth chamber, ruling contradictorily;
declares itself competent to hear the main appeal for reform;
declares it admissible in form;
as to the merits, the unjustified and unsuccessful;
holds that there is no need to rule on the subsidiary action for annulment;
rejects the respective requests for allocation of procedural compensation made
by the parties;
Orders the plaintiff to pay the costs and expenses of the proceedings.
35Thus judged and pronounced at the public hearing of May 14, 2024 by:
Paul Nourissier, vice-president,
Olivier Poos, vice-president,
Emilie Da Cruz De Sousa, first judge,
in the presence of clerk Marc Warken.
s.Marc Warken s.Paul Nourissier
Certified reproduction true to the original
Luxembourg, May 14, 2024
The clerk of the administrative court
36
