GDPR fine – fine proceedings due to insufficient involvement of the data protection officer

Among other things, the DPO’s expertise was examined in the procedure, especially since it involved an external law firm. Apparently, not only the independence but also the experience was examined in more detail, even though it was a law firm. According to the authorities, a DPO must be a recognized “data protection expert” with at least three years of experience in the field. The role should also have sufficient time and resources equivalent to at least one full-time employee (!). Do companies do this? Probably rather few of them. But they should. Otherwise, they will face a GDPR fine in Germany in the foreseeable future.

In 2018, the Luxembourg Data Protection Authority (CNPD) initiated 25 different audit procedures. Both in the private, as well as in the public sector, the reference was to the role of the Data Protection Officer (DPO) in accordance with ch. 4 (4) of the GDPR. In one of these audit procedures at a private company, the CNPD investigator found several violations at once. The company had violated four different obligations related to the role of the DPO under the GDPR.

With regard to the breach of Article 37 (7) of the GDPR, the CNPD considered that the contact details of the DPO were not easy to find on the company’s website and were only available in English and not in any of the official languages.

Another violation was found against Art. 38 (1) of the GDPR. Here, the CNPD was of the opinion that the DPO was not sufficiently involved in all data protection issues. In particular, the CNPD pointed out that the external DPO could not intervene voluntarily. Only at the request of the company can the external DPO intervene. The fact that in the course of the investigation the company decided to also appoint an internal DPO who would be more regularly involved in all data protection issues does not remedy this first breach. The CNPD therefore concluded that the company had violated Article 38(1) of the GDPR at the time of the investigation.

Regarding the violation of Art. 39 (1) lit.b GDPR, the CNPD was of the opinion that the company had not implemented the necessary control procedures that would have allowed the external DPO to properly monitor the compliance of the company’s data processing practices with the GDPR. The authority acknowledged that it is perfectly possible for an organization to rely on the services of an external DPO to monitor compliance with the GDPR. However, it specified that the role of the external DPO must then be formalized in the form of a monitoring plan or monitoring procedure. This procedure must ensure that the DPO can effectively advise and guide the organization on data protection compliance. As such a control plan or monitoring procedure had not yet been put in place at the time the investigation was initiated, this was considered a breach.

A breach of Art. 38 (2) GDPR was also identified. The company had not allocated the necessary resources to the external DPO to enable him to perform his duties. In particular, the CNPD found that the number of hours the DPO worked for the company did not correspond to a full-time employee. Rather, the DPO typically worked between 20 and 108 hours per month. This is roughly equivalent to 12.5% to 70% of a full-time employee. Although the company addressed this issue by hiring another DPO during the course of the investigation, the CNPD concluded that the company was in violation of the GDPR prior to this change.

For all these reasons, the CNPD issued an injunction against the company to bring its practices into compliance with the GDPR for the remaining infringements (with a deadline of 6 months to remedy them) and also imposed a fine of EUR 18,000 on the company.

Source: https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2021/Decision-38FR-2021-sous-forme-anonymisee.pdf

Would you like our experts to help you in the areas of information security or data protection? Feel free to contact us via our contact form!