Luxembourg Data Protection Commission vigorously enforces GDPR

Introduction:

Article 37 of GDPR requires the appointment of a Data Protection Officer (“DPO”). The appointment of a DPO is a critical compliance requirement and recent decisions of the Luxembourg Data Protection Commission (a.k.a the “CNPD”) illustrate the implications of a failure to appoint a DPO, as well as the failure to adhere to GDPR’s prerequisites relating to the DPO’s function.

In addition, we note that use of video surveillance and geolocation technologies is another area that is subject to GDPR constraints. The use of such technologies requires an understanding of the lawfulness and conditions for compliance with GDPR.

We would like to bring to your attention four recent decisions of the CNPD published on November 2, 2021, relating to the implementation and enforcement of GDPR.

Three CNPD decisions were rendered following a deliberate and concerted investigation campaign carried out by the CNPD since 2018 in respect of the position and role of the DPO, as well as the importance of its integration into the organizational fabric of a company.

A fourth decision relates to the setting up of video surveillance and geolocation systems.

We note that the decisions taken are detailed and reasoned legal opinions that cite the legal basis for these decisions. These decisions serve as future guidance to organizations in the implementation of GDPR. The CNPD’s decisions imposed a range of sanctions ranging from warnings to fines. The fines ranged from EUR 3,500 to 18,000. In this context, we note that the CNPD applies GDPR strictly and will not hesitate to impose severe penalties.

The CNPD adapts the sanctions to the factual circumstances and takes into account the approach and collaborative attitude of the audited entity during the investigation.

It should be noted that the basis for a decision is taken on the findings at the outset of the investigation. Any subsequent corrective measures taken by the audited entity may be considered in determining the sanctions imposed.

The cases in detail:

Decision n ° 38 FR 2021 issued on October 15, 2021

The CNPD reiterated that:

the identity of the DPO must be provided to the CNPD;
the DPO will have all the resources necessary to enable it to carry out his mission, and these resources must be provided to the DPO by the entity;
the DPO needs to be involved in all decisions relating to data protection and exercise a real control mission; and
the DPO will require specific qualifications to be able to hold this position.

Sanction: administrative fine of € 18,000 and an order to comply.

Decision n ° 37 FR 2021 issued on October 13, 2021

The CNPD reiterated that:

the identity of the DPO must be provided to the CNPD; and
the independence of the DPO must be guaranteed, and in particular, to ensure that there is no conflict of interest.

Sanction: during the investigation, voluntary compliance measures were undertaken; only a call of legal reminder was made by the CNPD.

Decision n ° 36 FR 2021 issued on October 13, 2021

The CNPD reiterated that:

the DPO has to be appointed based on professional qualifications;
three years of professional experience in the field of data protection were deemed sufficient in the particular circumstances;
the DPO must be involved in all decisions relating to data protection and exercise real control over decisions; and
the entity concerned is required to introduce a formal data protection control plan.

Sanction: the CNPD issued an administrative fine of € 13,200.

CCTV Decision n ° 35 FR 2021 issued on October 13, 2021

The audited entity had installed CCTV cameras within the company and geolocation systems in part of its fleet of vehicles.
The CNPD reiterated the principle of “data minimization” in terms of video surveillance. This principle implies only strictly required data can be collected.
To this end, before installing a video surveillance system, the data controller must define, in a precise manner, the purpose(s) it wishes to achieve by using such a system.
The CNPD reiterated that an employee must not be subject to permanent surveillance, especially during their hours of rest.
In the same order, the CNPD reiterated that the cameras intended to monitor an access point (entrance and exit, doorstep, porch, door, awning, hall, etc.) must have a limited field of vision.
Clear and complete information must be provided in areas of surveillance (not a mere post sign).
Information for employees on geolocation must be complete, clear and individualized (a mere post sign in the car is insufficient).

Fine: the CNPD imposed a fine of € 5,300 and orders to comply.