⌛ Delay in processing requests for access rights
🔍 When emails sent to the DPO are identified as SPAM!
Regulator: CNPD, Luxembourg
Source: Deliberation no. 1FR/2025 of 6 January 2025
🚦 Response time: a ‘GDPR clock’ that can be (very) expensive!
The Luxembourg CNPD has fined a bank €175,000 for 46 delays or failures to respond to right of access requests (Art. 12 & 15 GDPR). ❌
Technical failure of the DPO's mailbox (spam filtering) → some emails could not be processed.
3 key lessons 👇
Response time: 1 month
The clock starts as soon as the request is received!
- Not "from the moment you process the email"!
- Bank holiday? We reply on the 1st working day thereafter.
Suspension ≠ extension.
🔹 Suspension: you ask for clarification on the scope of the request, or proof of identification ➜ the timer stops until it is received.
🔹 Extension: volume/complexity = +2 months, to be notified within the 1st month.
Multiple channels = multiple risks.
- DPO box saturated, anti-spam too strict, lost paper mail... ➜ so many potential delays.
- 💡 Set up multi-channel ticketing + D+20/+30/+45/+60 KPI for complex requests.
Anti-sanction checklist 🛡️
✅ Automated acknowledgement of receipt (< 24 h)
✅ Workflow with internal alerts on D+20
✅ Ready-to-send ‘extension’ & ‘reasoned refusal’ templates
✅ Quarterly audit of GDPR mailboxes + filters
✅ Front-office training: recognising a rights request 🎯
Respecting the deadline is 80% of the compliance perceived by the authority... and by your customers!
A simple internal memo can avoid an administrative penalty.