❌ Insufficient involvement of a DPO
🔒📉 Luxembourg: €15,000 Fine for Poor DPO Involvement
📅 Decision 20FR/2021 of June 11, 2021
The Luxembourg Data Protection Authority sanctioned a company for insufficient involvement of the DPO (Data Protection Officer) in matters related to personal data protection.
🚨 Key Findings:
🔁 Irregular Participation:
The DPO was invited to meetings on demand, but not systematically.
👥 Lack of Visibility:
Their position within the organization did not allow for adequate involvement or clear recognition as a point of contact for data protection.
🏢 Inadequate Hierarchical Position:
Although the DPO reported to senior management, multiple hierarchical layers undermined their real independence.
🚫 Access to Top Management Was Conditional:
Direct contact with the board was only possible in cases of a “significant issue”, which restricted the DPO’s independence.
📋 No Formal Control Plan:
There was no structured plan to prove that the DPO was fulfilling their oversight responsibilities.
🎯 Key Takeaways:
✔️ The DPO must be systematically involved in any project involving personal data.
✔️ They must have unconditional, direct access to top management.