News
🚨 Lack of Direct DPO Contact Information
📌 Luxembourg-Based Company Penalized 🚨
Facts
Following an audit, the Luxembourg regulator, CNPD, imposed a fine of €18,700 on a company due to failures in the role and positioning of its Data Protection Officer (DPO). The company was also ordered to comply within four months.
🔍 Key Violations Identified
- Absence of Direct DPO Contact Details on the Company Website
  - Violation of Article 37-7 of the GDPR: The website only provided an online contact form, a postal address, or a general phone number. Data subjects could not contact the DPO directly but had to go through other company departments.
- Insufficient Involvement of the DPO in Data Protection Matters
  - Violation of Article 38-1 of the GDPR: The DPO was not adequately involved in discussions and decisions regarding personal data protection. They were only invited to meetings or committees on an ad hoc basis, without a defined rule or frequency for participation.
  - Corrective Action: During the investigation, the company established new procedures making the DPO a permanent or regular member of the relevant committees.
- Inadequate Positioning of the DPO
  - Violation of Article 38-3 of the GDPR: The DPO was hierarchically placed at N-3 under the Chief Compliance Officer, limiting their autonomy and independence to report to the highest level of management. The regulator noted multiple hierarchical layers between the DPO and top management.
- Lack of a Formalized Data Protection Control Plan
  - Violation of Article 39-1(b) of the GDPR: The company had no structured plan or procedures demonstrating the DPO's ability to oversee and ensure compliance with GDPR requirements effectively.
📌 Consequences
- Administrative Fine: €18,700
- Reputational Damage: Public exposure of compliance gaps harmed the company's image.
- Mandatory Compliance Deadline: Four months to address the violations.