CNPD – Court Ruling (Luxembourg, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Luxembourg data protection authority found that a company did not properly involve its Data Protection Officer (DPO) in managing data protection matters. This matters because it shows the importance of having a DPO actively engaged in a company's data practices. The company has since appointed its own DPO to address these issues.
What happened
The authority ruled that the company failed to sufficiently involve its DPO in data protection matters.
Who was affected
The company's employees and customers whose data was managed by the DPO.
What the authority found
The authority decided that the company violated GDPR rules by not properly involving its DPO and not providing necessary resources.
Why this matters
This case highlights the need for companies to ensure their DPOs are actively involved in data protection. It sets a precedent for how DPO responsibilities should be managed in organizations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Luxembourg DPA ("Commission Nationale pour la Protection des Données - CNPD") launched an investigation into a group of companies with a subsidiary based in Luxembourg (the controller). The group of companies had appointed a single DPO (the group's DPO) under Article 37(2) GDPR to handle all data protection matters and had appointed a lawyer as the local contact point in Luxembourg to assist the group's DPO. Article 37(2) GDPR allows for the possibility to appoint one DPO for a group of undertakings. The controller had also established a GDPR Board, a committee dedicated to data protection in Luxembourg. The DPO, however, was not a member of the GDPR Board and was only informed of the subjects discussed there through the minutes of the GDPR Board and through the questions raised by the local contact point during these meetings. The group's DPO did not sit in Luxembourg and was involved mostly indirectly, through the local contact point, in data protection-related matters of the Luxembourg entity. During the course of the investigation, the controller did appoint its own DPO, who started on 1 October 2020.
The DPA found that even if the group's DPO was participating in numerous meetings at a group level and regularly organised meetings with its local points of contact, this was not sufficient to demonstrate the direct, formal and permanent involvement of the DPO in Luxembourg. Therefore, the DPA found that the controller did not sufficiently involve the DPO with data protection matters, violating Article 38(1) GDPR and Article 39 GDPR. It further found that the controller did not provide its DPO with the necessary resources and power, violating Article 38(2) GDPR. Thus, the DPA fined the controller €18,000.
The controller appealed this decision at the Administrative Court of the Grand Duchy of Luxembourg ("Tribunal administratif du Grand-Duché de Luxembourg - TADM"), seeking annulment of the decision. The controller argued that the DPA used their power excessively
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Details
Ruling Date
14 May 2024
Authority
Commission Nationale pour la Protection des Données
GDPRhub ID
gdprhub-court-8102
About this data
Cite as: Cookie Fines. CNPD - Luxembourg (2024). Retrieved from cookiefines.eu