Luxembourg data protection authority – €15,000 Fine (Luxembourg, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Luxembourg data protection authority fined a logistics company EUR 15,000 for not properly involving their Data Protection Officer (DPO) in privacy matters. The DPO was not included in key meetings and did not report directly to top management. This case stresses the importance of giving DPOs the authority and involvement they need to ensure compliance with privacy laws.
What happened
A logistics company failed to properly involve their Data Protection Officer in privacy-related matters.
Who was affected
The company's Data Protection Officer, who was not properly involved in privacy issues, was affected.
What the authority found
The Luxembourg authority found the company did not meet GDPR requirements for involving and empowering their DPO.
Why this matters
This ruling highlights the critical role of DPOs in ensuring data protection compliance. Companies should ensure their DPOs are actively involved in privacy decisions and report directly to senior management.
The Luxembourgish Data Protection Authority (CNPD) conducted an investigation at a logistics company within the framework of a global investigation campaign on the function of Data Protection Officer (DPO) in both the private and public sectors.
Did the logistics company meet the legal requirements regarding the function of DPO?
Following its investigation at the company, the CNPD found:
1. that the company's DPO did not seem to be invited to all meetings relevant to them, and that it therefore could not be considered that they were involved properly and in a timely manner in all issues relating to the protection of personal data, as required by Article 38(1) GDPR;
2. that the DPO did not report directly to the highest level of management at the company, thus not ensuring that the DPO could act without receiving any instructions regarding the exercise of their tasks pursuant to Article 38(3) GDPR;
3. that, though it could reasonably be expected that the DPO would report formally and frequently on their activities to the management, no such reporting had been set up, and that the company therefore did not meet the requirements of Article 39(1)(a) GDPR, which states that the DPO should inform and advise the controller;
4. that the company had not been able to demonstrate that it had an audit plan for the year, thus violating Article 39(1)(b) GDPR regarding the DPO's duty to monitor compliance with the GDPR.
In view of those violations, the CNPD:
- imposed an administrative fine of fifteen thousand euros (€15,000) on the company;
- ordered it to comply with Articles 38(1), 38(3), 39(1)(a) and 39(1)(b) GDPR within four months of the notification of the decision.
Details
Fine Date: 11 June 2021
Authority: Commission Nationale pour la Protection des Données
Fine Amount: €15,000
GDPRhub ID: gdprhub-3603
Cite as: Cookie Fines. Luxembourg data protection authority - Luxembourg (2021). Retrieved from cookiefines.eu