Company – €1,000 Fine (Luxembourg, 2022)

€1,000Commission Nationale pour la Protection des Données30 June 2022Luxembourg
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A company in Luxembourg was fined EUR 1,400 for keeping location data from its vehicles for too long. The data protection authority found that the company didn't inform users properly about how their location data was being used. This is important because it shows that companies must limit data storage and be transparent with users about their data.

What happened

The Luxembourg DPA fined a company for storing location data from its cars for a year, which was deemed excessive.

Who was affected

Employees and users whose location data was collected and stored by the company's vehicles were affected.

What the authority found

The DPA decided that the company violated the principle of storage limitation and failed to inform users about data processing, breaching GDPR rules.

Why this matters

This ruling highlights the importance of data minimization and transparency. Companies should regularly review their data retention practices and ensure users are informed about data use.

GDPR Articles Cited

AI-verified

Art. 13(GDPR)
Art. 5(1)(a) GDPR
Art. 12(1) GDPR
View original scraped data
Art. 5(1) e) GDPR
Art. 13(GDPR)

Original data from scraper before AI verification against source document.

Source verified 8 April 2026
verified correct
Luxembourg enforcementCommission Nationale pour la Protection des Données actionsAll Company actions
Full Legal Summary
Detailed

The DPA of Luxembourg (CNPD) has imposed a fine of EUR 1,400 on a company. The controller had installed location sensors on a number of cars in its fleet. The purpose of this was to protect the company's assets, optimal fleet management and optimize the workflow, among other things. Some of the location data collected by the controller was stored for a year. The DPA states that this was clearly excessive and not necessary for the purposes of the processing. The DPA considered this to be a violation of the principle of storage limitation. In addition, the DPA found that the controller had not sufficiently informed the data subjects about the processing of the location data and had thus violated its information obligations pursuant to Art. 13 GDPR.

Related Enforcement Actions (8)

Other enforcement actions involving Company in LU

Fine
Oct 2021· Commission Nationale pour la Protection des Données

The DPA of Luxembourg has imposed a fine of EUR 18,700 on a company. During its investigation, the DPA first found that the controller's public websit...

€19K
Fine
Jun 2022· Commission Nationale pour la Protection des Données

The DPA of Luxembourg (CNPD) has imposed a fine of EUR 3,000 on a company. The company had installed a video surveillance system for the purpose of pr...

€3K
Current
Jun 2022

Fine

€1K

Fine
Jul 2022· Commission Nationale pour la Protection des Données

The DPA of Luxembourg (CNPD) has imposed a fine of EUR 10,000 on a company. The company had installed a video surveillance system for the purpose of p...

€10K
Fine
Dec 2022· Commission Nationale pour la Protection des Données

The DPA of Luxembourg has imposed a fine of EUR 2,100 on a company that provides online services to citizens. During its investigation, the DPA found ...

€2K
Fine
Dec 2022· Commission Nationale pour la Protection des Données

The DPA of Luxembourg has imposed a fine of EUR 700 on a company that provides online services to citizens. During its investigation, the DPA found th...

€700
Fine
Dec 2022· Commission Nationale pour la Protection des Données

The DPA of Luxembourg has imposed a fine of EUR 1,400 on a company that provides online services to citizens. During its investigation, the DPA found ...

€1K
Fine
Nov 2024· Commission Nationale pour la Protection des Données

The DPA of Luxembourg has issued a fine of EUR 2,300 on a company, that is active in the retail sale of telecommunication equipement in specialised st...

€2K
Fine
Apr 2025· Commission Nationale pour la Protection des Données

The DPA of Luxembourg has issued a fine of EUR 7,000 on a company. The controller failed to maintain complete records of its processing activities.

€7K

Details

Fine Date

30 June 2022

Authority

Commission Nationale pour la Protection des Données

Fine Amount

€1,000

Enforcement Tracker ID

ETid-1310

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Company - Luxembourg (2022). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: