Public organisation A – €2,500 Fine (Luxembourg, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A public organization in Luxembourg was fined for not properly informing employees about a tracking system in their vehicles. The data protection authority found that the organization failed to provide all necessary information about how employee data was being monitored. This case serves as a reminder for organizations to ensure transparency in data collection practices.
What happened
The organization used a geo-localization system on service vehicles without fully informing employees.
Who was affected
Employees whose location data was tracked by the geo-localization system.
What the authority found
The data protection authority determined that the organization did not comply with GDPR requirements for providing complete information to employees.
Why this matters
This fine highlights the need for organizations to be transparent about data collection methods and to provide all required information to employees. It sets a precedent for accountability in data practices.
Following a visit to the premises of two public bodies (the joint controllers), the agents of the Luxembourgish DPA found that the controllers used a geo-localisation system on the companies' service vehicles and construction machines. Although the system was not linked to the drivers, the timesheets, which indicated which driver used which vehicle or machine, made it easy to find out which employee used which vehicle on which day.
On 13 December 2022, at the end of the investigation, the rapporteur published a statement of objection detailing breaches of Article 13 GDPR, Article 5(1)(c) GDPR and Article 5(1)(b) GDPR. Following this, the joint controllers submitted observations, and on 13 June 2023, the rapporteur and the joint controllers presented oral observations to the DPA.
Regarding the obligation to provide information under Article 13 GDPR, the DPA considered that for data processing by an employer to be considered lawful, the data subjects must be informed of the monitoring, in accordance with Article 12 GDPR and Article 13 GDPR. The joint controllers had provided the employees with information notes and e-mails in French and German, in the vehicles and machines and on the Intranet. However, the DPA found non-compliance with Article 13 GDPR because the joint controllers did not provide all compulsory information, namely the identity of the controllers and the DPO, the legal basis, the legitimate interests followed, the appropriate safeguards applied, and the rights of the data subjects to receive a copy and to submit a complaint to the supervisory authority. The information notes also named the Privacy Shield as the legal basis for the transfer of personal data to the US, even though it was invalidated by the Court of Justice. Moreover, the content of the French and German versions was not identical.
Secondly, in relation to Article 5(1)(c) GDPR, the DPA found that the joint controllers did not comply with the p
Related Enforcement Actions (0)
No other enforcement actions found for Public organisation A in LU
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
21 September 2023
Authority
Commission Nationale pour la Protection des Données
Fine Amount
€2,500
GDPRhub ID
gdprhub-6434
About this data
Cite as: Cookie Fines. Public organisation A - Luxembourg (2023). Retrieved from cookiefines.eu