First administrative fines imposed by the Luxembourg data protection supervisory authority

On 7 June 2021, the Luxembourg National Data Protection Commission (Commission Nationale pour la Protection des Données – “CNPD”) published 18 decisions:

  • in nine decisions, the CNPD found that controllers (Luxembourg-based companies) did not breach any of the provisions of the (EU) General Data Protection Regulation 2016/679 (“GDPR”) and decided therefore to close the ongoing investigation;
  • in six decisions, the CNPD issued a formal warning (rappel à l’ordre) or an injunction to comply (injonction de se mettre en conformité) to companies due to breaches of the GDPR (sometimes associated with a fine);
  • finally, in six cases, the CNPD decided to impose administrative fines on the entities concerned due to more significant violations of the GDPR.

This is the very first set of administrative fines the CNPD has issued since the entry into force of the GDPR. These 18 decisions are the result of enquiries and audits conducted by the CNPD at several companies that were selected according to various criteria such as:

  • the size of the organisations,
  • the sensitivity of the data processed and the associated risk for the data subject, and
  • the sector of activity (e.g. the insurance sector).¹

The CNPD noted that the entities subject to administrative fines had failed to comply with key principles of the GDPR, such as the principle of data minimisation or the principle of transparency, had not put appropriate security measures in place, or had not appointed a Data Protection Officer (“DPO”) as is required by the GDPR under certain criteria. As a consequence of these breaches, the CNPD imposed administrative fines ranging from EUR 1,000 to EUR 18,000.

In one of the decisions, the CNPD recalled the importance of involving the DPO at the earliest possible stage in all data protection issues, and the need for the DPO to have the necessary resources and time to carry out his/her data protection duties.

A decision rendered by the CNPD may be appealed before the administrative court within three months following its notification to the entity concerned.

All the decisions published by the CNPD can be consulted here. Please note that these decisions are anonymised.

1 National Data Protection Commission (Commission Nationale pour la Protection des Données) – Annual report p. 43.
