News

Luxembourg: CNPD fines company €15,400 and imposes corrective measures on DPO obligations

January 13, 2022
Summary

The Luxembourg data protection authority (CNPD) fined a company €15,400 for non-compliance with GDPR Articles 38(1), 38(3), and 39(1)(a) and (b), relating to Data Protection Officer (DPO) obligations. The CNPD's investigation, which began with 25 audit procedures in 2018, found the company failed to involve the DPO in all data protection matters, ensure direct access of the DPO to management, and provide formal reporting of the DPO's activities. Additionally, the company lacked a formalized control plan for data protection, hindering the DPO's ability to monitor compliance. The CNPD also mandated corrective measures to enhance the DPO's involvement, autonomy, advisory capacity, and documentation of internal data protection controls.

The Luxembourg data protection authority ('CNPD') published, on 26 November 2021, its decision in Case No. 40FR/2021, as issued on 27 October 2021, in which it imposed a fine of €15,400 on an unnamed company for violating Articles 38(1), 38(3), and 39(1)(a) and (b) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and corrective measures regarding the appointment of the data protection officer ('DPO'), following the investigation.

Background to the case

In particular, the CNPD highlighted that it had decided to launch an investigation regarding the function of a DPO, opening 25 audit procedures in 2018 which largely concerned the private sector. As part of this
