The Luxembourg data protection authority ('CNPD') published, on 26 November 2021, its decision in Case No. 40FR/2021, as issued on 27 October 2021, in which it imposed a fine of €15,400 on an unnamed company for violating Articles 38(1), 38(3), and 39(1)(a) and (b) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and a corrective measures regarding the appointment of the data protection officer ('DPO'), following the investigation. Background to the case In particular, the CNPD highlighted that it had decided to launch an investigation regarding the function of a DPO, opening 25 audit procedures in 2018 which largely concerned the private sector. As part of this