A breach of Art. 38 (2) GDPR was also identified. The company had not allocated the necessary resources to the external DPO to enable him to perform his duties. In particular, the CNPD found that the number of hours the DPO worked for the company did not correspond to that of a full-time employee. Rather, the DPO typically worked between 20 and 108 hours per month. This is roughly equivalent to 12.5% to 70% of a full-time employee's hours. Although the company addressed this issue by hiring another DPO during the course of the investigation, the CNPD concluded that the company was in violation of the GDPR prior to this change.
For all these reasons, the CNPD issued an injunction against the company to bring its practices into compliance with the GDPR for the remaining infringements (with a deadline of 6 months to remedy them) and also imposed a fine of EUR 18,000 on the company.
Source: https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2021/Decision-38FR-2021-sous-forme-anonymisee.pdf