Luxembourg

Company

18,700 €

GDPR enforcement action by National Commission for Data Protection (CNPD) on 2021-10-27.

Rank · Sector

#35

of 218 in Not assigned

Rank · Luxembourg

of 34

Rank · All fines

#1,122

of 3,050

Case details

Authority: National Commission for Data Protection (CNPD)
Date: 2021-10-27
Controller / Processor: Company
Sector: Not assigned
Quoted Articles: Art. 37 (7) GDPR, Art. 38 (1), (3) GDPR, Art. 39 (1) b) GDPR
Type of violation: Insufficient involvement of data protection officer

Summary

The DPA of Luxembourg has imposed a fine of EUR 18,700 on a company. During its investigation, the DPA first found that the controller's public website did not include direct contact details for the DPO. Furthermore, the DPO was not sufficiently involved in all data protection matters. For example, they only participated in internal meetings by invitation. Moreover, there were several hierarchical intermediaries between the DPO and the highest management level of the controller, not granting them sufficient autonomy. Also, in the absence of formalized procedures, the DPO was not able to sufficiently monitor the consistency of data processing practices.

Open original source Links to the regulator's original publication or another source.