Insufficient association of a DPO
Luxembourg: €15,000 Fine for Poor DPO Involvement
Decision 20FR/2021 of June 11, 2021
The Luxembourg Data Protection Authority sanctioned a company for insufficient involvement of the DPO (Data Protection Officer) in matters related to personal data protection.
Key Findings:
Irregular Participation:
The DPO was invited to meetings on demand, but not systematically.
Lack of Visibility:
Their position within the organization did not allow for adequate involvement or clear recognition as a point of contact for data protection.
Inadequate Hierarchical Position:
Although the DPO reported to senior management, multiple hierarchical layers undermined their real independence.
Access to Top Management Was Conditional:
Direct contact with the board was only possible in cases of a “significant issue”, which restricted the DPO’s independence.
No Formal Control Plan:
There was no structured plan to prove that the DPO was fulfilling their oversight responsibilities.
Key Takeaways:
The DPO must be systematically involved in any project involving personal data.
They must have unconditional, direct access to top management.