LUXEMBOURG DPA: Insufficient involvement of data protection officer

The DPA from Luxembourg has imposed a fine of EUR 13,200 on a company. According to the DPA, the controller failed to involve the data protection officer in all matters relating to the protection of personal data. Also, the controller did not have a data protection control plan in place to demonstrate that the data protection officer was adequately performing its tasks. Furthermore, the controller failed to provide the data protection officer with the necessary resources to perform his duties. The DPA also noted that the controller's website did not contain a section dedicated to data protection and that the information notice on data protection was only available in English rather than in one of the official languages of Luxembourg.

GDPR Articles: Art. 37 (7) GDPR, Art. 38 (1), (2) GDPR, Art. 39 (1) b) GDPR
Industry: Not assigned