Company – €18,700 Fine (Luxembourg, 2021)

€18,700Commission Nationale pour la Protection des Données27 October 2021Luxembourg
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A company in Luxembourg was fined €18,700 for not properly involving its Data Protection Officer (DPO) in privacy matters. The DPO lacked direct contact details on the website and wasn't given enough authority or access to management. This case shows the importance of empowering DPOs to ensure compliance with data protection laws.

What happened

The company failed to properly involve its Data Protection Officer in data protection matters and did not provide direct contact details for the DPO.

Who was affected

The company's Data Protection Officer, who was not sufficiently involved in privacy matters.

What the authority found

The Luxembourg authority fined the company for not granting the DPO enough autonomy and access, violating GDPR requirements for DPO involvement.

Why this matters

This ruling highlights the critical role of DPOs in maintaining data protection compliance. Companies should ensure DPOs have the necessary authority and visibility to manage data privacy effectively.

GDPR Articles Cited

Art. 37(7) GDPR
Art. 38(1) GDPR
Art. 39(1)(b) GDPR
Luxembourg enforcementCommission Nationale pour la Protection des Données actionsAll Company actions
Full Legal Summary
Detailed

The DPA of Luxembourg has imposed a fine of EUR 18,700 on a company. During its investigation, the DPA first found that the controller's public website did not include direct contact details for the DPO. Furthermore, the DPO was not sufficiently involved in all data protection matters. For example, they only participated in internal meetings by invitation. Moreover, there were several hierarchical intermediaries between the DPO and the highest management level of the controller, not granting them sufficient autonomy. Also, in the absence of formalized procedures, the DPO was not able to sufficiently monitor the consistency of data processing practices.

Related Enforcement Actions (6)

Other enforcement actions involving Company in LU

Current
Oct 2021

Fine

€19K

Fine
Jun 2022· Commission Nationale pour la Protection des Données

The DPA of Luxembourg (CNPD) has imposed a fine of EUR 3,000 on a company. The company had installed a video surveillance system for the purpose of pr...

€3K
Fine
Jun 2022· Commission Nationale pour la Protection des Données

The DPA of Luxembourg (CNPD) has imposed a fine of EUR 1,400 on a company. The controller had installed location sensors on a number of cars in its fl...

€1K
Fine
Jul 2022· Commission Nationale pour la Protection des Données

The DPA of Luxembourg (CNPD) has imposed a fine of EUR 10,000 on a company. The company had installed a video surveillance system for the purpose of p...

€10K
Fine
Dec 2022· Commission Nationale pour la Protection des Données

The DPA of Luxembourg has imposed a fine of EUR 700 on a company that provides online services to citizens. During its investigation, the DPA found th...

€700
Fine
Nov 2024· Commission Nationale pour la Protection des Données

The DPA of Luxembourg has issued a fine of EUR 2,300 on a company, that is active in the retail sale of telecommunication equipement in specialised st...

€2K
Fine
Apr 2025· Commission Nationale pour la Protection des Données

The DPA of Luxembourg has issued a fine of EUR 7,000 on a company. The controller failed to maintain complete records of its processing activities.

€7K

Details

Fine Date

27 October 2021

Authority

Commission Nationale pour la Protection des Données

Fine Amount

€18,700

Enforcement Tracker ID

ETid-1747

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Company - Luxembourg (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: