Administration communale de Leudelange – Violation Found (Luxembourg, 2023)

Following a general check carried on all Luxembourg municipalities in the summer of 2022, the Luxembourg DPA decided to open an investigation on the Municipal Administration of Leudelange (the controller). Specifically, the controller aimed to evaluate the controller’s conformity with its obligation to appoint a DPO and whether it communicated the DPO's contact details to the DPA, as provided by Article 37(1)(a) GDPR and Article 37(7) GDPR. The DPA noted that pursuant to the entry into force of the GDPR, public bodies were obliged to designate a DPO no later than 25 May 2018. Meanwhile, on the date the investigation was opened, and after consulting the register of DPOs, no DPO had been identified for the controller. The controller appointed a DPO only on 10 March 2023, namely after the opening of the investigation. Thus, the controller violated Article 37(1)(a) GDPR. Moreover, the DPA acknowledged that when the investigation began, the controller had not communicated to the DPA the contact details of the DPO, breaching Article 37(7) GDPR. Observing [https://legilux.public.lu/eli/etat/leg/loi/2018/08/01/a686/jo Article 48 of the National Data Protection Law], the DPA may impose administrative fines as provided in Article 83 GDPR, except against the State or municipalities. Hence, the DPA found it appropriate to issue a reprimand to the controller under Article 58(2)(b) GDPR. In light of this, the DPA recognised that during the proceedings, the controller took steps to remedy the shortcomings identified by the head of the investigation.