Luxembourg data protection authority publishes first decisions

For the very first time, the National Commission for Data Protection (“CNPD”) has published 18 decisions, six of which inflicted fines ranging from 1.000 EUR to 18.000 EUR. 

These decisions are the outcome of onsite investigations by the CNPD on video surveillance and geolocation, and the thematic audit campaign launched by the CNPD on the role of data protection officer (“DPO”). 

The violations of the GDPR giving rise to the adoption of an administrative fine and corrective measures by the CNPD include: 

  • Non-compliance with the principle of data minimisation as a result of a surveillance camera’s disproportionate field of view;
  • Insufficient information provided to employees as to the processing of their data;
  • Non-compliance with the principle of storage limitation;
  • Failure to put in place appropriate security measures;
  • Failure to appoint a DPO.

These decisions are just a small foretaste of more extensive and stricter supervision by the CNPD, as multimillion fines are being announced and data activists are appealing certain decisions of the CNPD where no fine was imposed.