Regulatory actions, fines, warnings, and enforcement decisions
Boete van €7.000 - Nationale Commissie voor de Bescherming van Persoonsgegevens (CNPD).
De beschermingsautoriteit van Luxemburg heeft een bedrijf een boete van 7.000 euro opgelegd. Het bedrijf heeft nagelaten om volledige registraties bij te houden van haar gegevensverwerking activiteiten.
€7,000 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has issued a fine of EUR 7,000 on a company. The controller failed to maintain complete records of its processing activities.
€175,000 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has issued a fine of EUR 175,000 on a Credit Institution. The controller failed to respond to information requests within the timeframe specified in Art. 12 (3) of the GDPR.
€2,300 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has issued a fine of EUR 2,300 on a company, that is active in the retail sale of telecommunication equipement in specialised stores. The controller had installed video surveillance on the property. The video surveillance was installed in a way, that partly infringed the prinicple of legality and the principle of data minimisation. The controller also failed to adequately inform data subjects regarding the data processing and failed to implement adequate technical and organ
€2,500 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has imposed a fine of EUR 2,500 on a controller. The controller had used location systems on his service vehicles and construction machinery. During its investigation, the DPA found that the controller had failed to provide its employees with sufficient information about the location systems. In addition, the DPA found a breach of the principle of data minimization, as the location system was also operated outside working hours and had no deactivation function, which meant
€1,400 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has imposed a fine of EUR 1,400 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR. Furthermore the DPA found that the controller failed to provide the data subjects sufficient information on the processing of personal data, therefore
€2,500 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has imposed a fine of EUR 2,500 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR.
€1,500 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has imposed a fine of EUR 1,500 on a manager of a real estate co-ownership. The controller had disclosed personal data to unauthorized third parties without having a legal basis for such disclosure. In addition, the controller did not respond to requests from data subjects to exercise their rights in a timely manner.
€700 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has imposed a fine of EUR 700 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR. Furthermore the DPA found that the controller failed to provide the data subjects sufficient information on the transfer of personal data to a third coun
€1,000 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has imposed a fine of EUR 1,000 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR.
€2,100 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has imposed a fine of EUR 2,100 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR. Furthermore the DPA found that the controller failed to provide the data subjects sufficient information on the processing of personal data, therefore
€10,000 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg (CNPD) has imposed a fine of EUR 10,000 on a company. The company had installed a video surveillance system for the purpose of protecting company property and staff. However, the cameras also constantly captured parts of employee's work areas, a break room, a meeting room and a neighbor property. The DPA states that the controller violated the principle of data minimization under Art. 5 (1) c) GDPR due to the excessive CCTV. Furthermore, the DPA found a violation of the inf
€1,000 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has imposed a fine of EUR 1,000 on a company. The company had installed a video surveillance system that recorded both employees and third parties. During its investigation, the DPA found that the company had breached its information obligations under Art. 12 GDPR and Art. 13 GDPR.
€1,000 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has imposed a fine of EUR 1,000 on a company. The company had installed a video surveillance system that recorded both employees and third parties. During its investigation, the DPA found that the company had breached its information obligations under Art. 12 GDPR and Art. 13 GDPR.
€1,400 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg (CNPD) has imposed a fine of EUR 1,400 on a company. The controller had installed location sensors on a number of cars in its fleet. The purpose of this was to protect the company's assets, optimal fleet management and optimize the workflow, among other things. Some of the location data collected by the controller was stored for a year. The DPA states that this was clearly excessive and not necessary for the purposes of the processing. The DPA considered this to be a violat
€3,000 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg (CNPD) has imposed a fine of EUR 3,000 on a company. The company had installed a video surveillance system for the purpose of protecting company property and staff. However, the cameras also constantly captured parts of employee's work areas. The DPA states that the controller thus violated the principle of data minimization under Art. 5 (1) c) GDPR. Furthermore, the DPA found a violation of the information obligations set out in Art. 13 GDPR, by not properly informing its
€1,000 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg has imposed a fine of EUR 1,000 on a café owner. The owner had installed two video surveillance cameras in the café for the purpose of protecting company assets and the safety of customers and employees. Those cameras, however, constantly captured parts of the employee's work areas. The DPA found this to be a violation of the principle of data minimization. It also found that the owner had not sufficiently complied with its information obligations under Art. 13 GDPR.
€6,800 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 6,800 on a company. The company had installed a video surveillance system to protect the company's assets, prevent intrusion by unauthorized persons and prevent accidents. However, the cameras also captured parts of an employee's work area, the smoking area that employees frequently used and parts of the public space. The DPA states that the controller thus violated the principle of data minimization under Art. 5 (1) c) of the GDPR. Furthe
€1,500 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 1,500 on a company. The company had installed a video surveillance system to ensure that their customers would not have to wait when their front desk staff was not present. However, the cameras also constantly captured parts of two employee's work areas. The DPA states that the controller thus violated the principle of data minimization under Art. 5 (1) c) of the GDPR. Furthermore, the DPA found a violation of the information obligations s
€15,400 fine - National Commission for Data Protection (CNPD)
The Luxembourg DPA has imposed a fine of EUR 15,400 on a company. According to the DPA, the controller failed to involve the data protection officer in all matters related to the protection of personal data. In addition, contrary to the requirements of the GDPR, the data protection officer did not report directly to the highest management level; instead, there were two levels of hierarchy in between. Also, the controller did not have a data protection control plan in place to demonstrate that th
€18,700 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has imposed a fine of EUR 18,700 on a company. During its investigation, the DPA first found that the controller's public website did not include direct contact details for the DPO. Furthermore, the DPO was not sufficiently involved in all data protection matters. For example, they only participated in internal meetings by invitation. Moreover, there were several hierarchical intermediaries between the DPO and the highest management level of the controller, not granting the
€13,200 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg has imposed a fine of EUR 13,200 on a company. According to the DPA, the controller firstly failed to involve the data protection officer in all matters relating to the protection of personal data. Second, the controller did not have a data protection control plan in place to demonstrate that the data protection officer was adequately performing its tasks.
€18,000 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg has imposed a fine of EUR 13,200 on a company. According to the DPA, the controller failed to involve the data protection officer in all matters relating to the protection of personal data. Also, the controller did not have a data protection control plan in place to demonstrate that the data protection officer was adequately performing its tasks. Furthermore, the controller failed to provide the data protection officer with the necessary resources to perform his duties. T
€5,300 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg has imposed a fine of EUR 5,300 on a company. The company had installed 75 surveillance cameras on its premises as well as tracking devices in some of its vehicles used by employees to travel to customers. A few of these cameras covered, among other things, parts of a public street and a private neighboring property. During its investigation, the DPA also found that the cameras covered the employee cafeteria, allowing employees to be monitored outside of their working hou
€135,000 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has imposed a fine of EUR 135,000 on an insurance company. On October 19, 2018, an employee of the controller had sent an e-mail to an uninvolved third party instead of the data subject. This occurred due to an error by the employee who had incorrectly entered the e-mail address of the data subject. In addition to the name and gender of the data subject, the e-mail also contained detailed information about the data subject's illnesses. In addition, the attachment contained
€746,000,000 fine - National Commission for Data Protection (CNPD)
In its quarterly report, Amazon.com Inc. announced that the DPA from Luxembourg (CNPD) had fined Amazon Europe Core S.à r.l. EUR 746,000,000 for failing to process personal data in compliance with the GDPR. Amazon plans to take legal action against the decision.
€12,500 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 12,500 on a company. The company had installed a video surveillance system for the purpose of protecting company property, securing access to private and high-risk locations, and ensuring the safety of users and preventing accidents. However, the cameras also excessively captured parts of the public space and workplaces of employees. The DPA finds that the controller thus violated the principle of data minimization under Art. 5 (1) c) of t
€7,200 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 7,200 on a company. The company had installed a video surveillance system to protect the company's assets, prevent intrusion by unauthorized persons and prevent accidents. However, the cameras also captured parts of an employee's work area and the smoking area that employees frequently used. Furthermore, the controller had installed location sensors on the cars in its fleet. This was intended to optimize the company's operations. The DPA f
€7,600 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 7,600 on a company. This company had installed a video surveillance system for the purpose of protecting the company's assets, preventing intrusion by unauthorized persons and preventing accidents. However, two of the cameras also covered parts of a public street and six of the cameras covered the workplaces of some employees The DPA states that the recording of the employees and the public street was not necessary to ensure the purposes a
€15,000 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg (CNPD) has imposed a fine of EUR 15,000 on a company. During an investigation, the DPA found that the controller had not sufficiently involved the data protection officer in all matters relating to the protection of personal data. In addition, the controller had not guaranteed sufficient autonomy for the data protection officer. Lastly, the data protection officer had not received sufficient training to be able to properly and independently advise and inform the controller.
€18,000 fine - National Commission for Data Protection (CNPD)
The DPA of Luxembourg has imposed a fine of EUR 18,000 on a company. According to the DPA, the controller firstly failed to involve the data protection officer in all matters relating to the protection of personal data. Secondly, the controller failed to provide the data protection officer with the necessary resources to perform his duties.
€2,400 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 2,400 on a company. The controller had installed a video surveillance system to protect the company's assets and prevent entry by unauthorized persons. However, the cameras also excessively captured parts of the canteen terrace which serves as a recreation area for employees. The DPA finds that recording employees during their break is not necessary to ensure the purposes related to the video surveillance and was therefore disproportionate
€1,900 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 1,900 on a company. The controller had installed a video surveillance system to protect the company's assets and prevent entry by unauthorized persons. However, the cameras also excessively captured parts of the public space. The DPA finds that the controller thus violated the principle of data minimization under Article 5 (1) c) GDPR. In addition, the DPA finds that the controller stored the recordings longer than legally permitted and th
€1,000 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 1,000 on a company. The controller had installed a video surveillance system with the purposes of the protection of property, securing access to private and risky places, as well as the safety of users and the prevention of accidents. However, the cameras also excessively captured parts of the public space. The DPA finds that the controller thus violated the principle of data minimization under Article 5 (1) c) GDPR. In addition, the contr
€2,600 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 2,600 on a company. The controller had installed a video surveillance system to protect the company's assets and prevent entry by unauthorized persons.However, the cameras also excessively captured parts of the canteen which serves as a break location for employees. The DPA finds that recording employees during their break is not necessary to ensure the purposes related to the video surveillance and was therefore disproportionate. The DPA
€2,800 fine - National Commission for Data Protection (CNPD)
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 2,800 on a company. The controller had installed location sensors on a number of cars in its fleet. The purpose of this was to protect the company's assets, monitor the transport of goods and the drivers' working hours, among other things. Some of the location data collected by the controller was stored for two years and four months. The DPA states that this was clearly excessive and not necessary for the purposes of the processing. The DP