November 2021, during the audit proceedings carried out by the National Commission for Data Protection (CNDP) of Luxembourg on the role of the data protection officer (DPO) within the unnamed organization, CNDP found that it had failed to comply with several obligations relating to the appointment and role of its DPO and imposed a fine of EUR 13,200. Furthermore, another fine for the same violations has been imposed for the second unnamed organization, reaching as high as EUR 18,000.
Cases details
The supervisory authority launched an audit campaign on the data protection officer’s functions and carried out 28 audits within different organizations. This was carried out due to the importance of the role of DPO’s within organizations where the appointment of them is mandatory (i.e., organizations that (a) are public authorities, (b) engage in large scale systemic monitoring, or (c) process sensitive personal data such as criminal records.) As a result, two organizations were imposed fines due to breaches of the requirements set forth in Art. 37 (7), Art. 38 (1) (2), Art. 39 (1) b) of General Data Protection Regulation (GDPR). So, the CNPD imposed fines for the following violations:
- a violation of the obligation to publish the contact details of the DPO and to inform about such designation to the supervisory authority.
- a violation of the obligation to appoint the DPO based on his/her professional qualities;
- a violation of the obligation to involve the DPO in all matters related to the protection of personal data;
- a violation of the obligation to provide the DPO with the necessary resources;
- a violation of the obligation to ensure that the DPO has the task to monitor compliance with the GDPR and with the controller’s policies.
What should we learn from this case?
As more than one organization has now received fines for violations relating to the role of data protection officer’s, organizations are advised to review and, if needed to update their current procedures related to DPO. Some suggestions are provided below.
- To ensure that DPO is appointed based on his/her professional qualities. DPO must be designated based on professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Art. 39 of GDPR. CNDP advises that to meet the professional qualities, the person must have at least 3-year experience working with data protection;
- To ensure that DPO has the task to monitor compliance with the GDPR and with the policies of the controller. This objective is met if the organization has a formalized data protection control plan, where the monitoring tasks of the DPO team are defined. These tasks have to be monitored and frequently revised;
- To ensure that DPO is involved in all matters related to the protection of personal data. This objective is met if the DPO is formally and frequently participates in the executive committee, project coordination committees, new product committees, security committees, or any other committee deemed useful in the context of data protection. This must be foreseen in the organization’s internal procedures.
- To ensure that contact details of DPO have been provided to the supervisory authority and made available for the data subjects.
The content of this article is intended to provide a general guide to the subject matter. The expert should be consulted for the assessment of the specific situation.
If you need assistance in matters regarding the role of DPO or any other issues related personal data protection, please consult the experts of ECOVIS ProventusLaw.
The full judgments of the imposed fines can be accessed here and here. The text is available in French only.
The review was prepared by Milda Šlekytė, assistant attorney at law of ECOVIS ProventusLaw.