The National Commission for Data Protection (hereinafter the “CNPD”) has made public its first 18 administrative decisions and sanctions, including six fines ranging from 1.000 to 18.000 euros, issued for non-compliance with provisions of the General Data Protection Regulation (hereinafter the “GDPR”).
After a period of tolerance and pedagogy, it seems clear that the data protection supervisor is moving into a repressive phase. This is an alarm bell to which data controllers should pay particular attention.
These are the first sanctions pronounced by the CNPD since the GDPR came into force 3 years ago.
The GDPR's removal of the notification and declaration obligations to the supervisory authority is certainly not a relaxation of the legislation. On the contrary, the principle of responsibility, better known as "accountability", obliges data controllers to follow up on their personal data processing more systematically and on a day-to-day basis. The internal or external Data Protection Officer (hereinafter “DPO”) is of great importance in ensuring compliance with the multiple obligations of the GDPR. Companies or professionals who have put off their compliance with the GDPR until the Greek calends would be well advised to rethink their approach, or risk being sanctioned more and more severely in the future.
The decisions, rendered between April 8 and May 31, 2021, concern the implementation of video surveillance and geolocation systems for employees as well as the appointment of a DPO judged not to be in compliance with the GDPR.
With respect to the DPO function, the CNPD found a breach of the obligation to involve the DPO - who had been appointed at the level of the Group of Companies - in all data protection issues that arose at the local Luxembourg level and concluded that the DPO was not sufficiently and directly involved in the related issues. It also decided that the dual role of DPO and Chief Compliance Officer within the same structure presented a risk of conflict of interest, in particular in the context of AML/KYC processing by the Compliance department.
Among other things, the supervisory authority also sanctioned employers who had placed geolocation systems in some vehicles used by their employees, finding a breach of the principle of storage limitation and of the obligation to inform the persons concerned.
These decisions are the result of investigations conducted by the CNPD, in accordance with Article 41 of the Act of August 1, 2018 on the organization of the CNPD and of the general regime on data protection, and are subject to appeal before the administrative tribunal within 3 months.
These are "lenient" sanctions at this stage: let us remember that, under Article 83 §5 of the GDPR, fines can climb up to EUR 20.000.000,- or, in the case of a company, up to 4% of its total annual worldwide turnover in the previous financial year, the higher amount being used.
It is clear that the Luxembourgish supervisory authority no longer hesitates to raise the tone by imposing sanctions.
Moreover, the scope of its powers is becoming clearer, since the Court of Justice of the European Union recently ruled on the conditions for exercising the powers of national supervisory authorities concerning cross-border data processing.
The Court of Justice ruled that under certain conditions, a supervisory authority may exercise its power to bring any alleged breach of the GDPR before a court in a Member State, even if it is not the lead authority for this processing.
The role of the supervisory authorities, whether or not they are the lead authority, is thus reinforced, confirming the importance of GDPR compliance, whether within small, medium or large public or private structures.
 Judgment of the Court, June 15, 2021, Facebook Ireland Ltd and Others v Gegevensbeschermingsautoriteit (C-645/19)
Our team specialised in data protection is at your disposal in case of questions or need of assistance:
- Alain GROSJEAN, Partner email@example.com
- Gabriel BLESER, Partner firstname.lastname@example.org
- Simon MALTERRE, Senior Associate email@example.com
- Elena ARNÒ, Senior Associate firstname.lastname@example.org
- Clémence PATTE, Associate email@example.com
This publication is for general guidance only and does not constitute definitive legal advice.