Excerpt
The DPA held a public entity liable because the contact details of its DPO were not easy to find on its website and were only available in English, not in any of the official languages.
Our analysis
In 2018, the Luxembourg DPA initiated 25 audit proceedings related to the role of the Data Protection Officer (DPO) under the GDPR. One of the audits involved a public entity in Luxembourg, which was found to be in breach of four distinct obligations related to the role of the DPO under the GDPR. The head of investigation found that the entity had failed to publish the contact details of its DPO on its website in a way that made them easily accessible for data subjects, which violated Article 37(7) GDPR. The contact details were difficult to find and only available in English, rather than any of the official languages of Luxembourg. Although the controller addressed this issue during the investigation by publishing the contact details of the DPO in another language on its website, the CNPD still considered it to be a breach of Article 37(7) GDPR.
Outcome
The CNPD (National Data Protection Authority) has taken action against the controller for non-compliance with the GDPR, issuing an injunction that requires the controller to remedy any remaining breaches within a specified period of six months. In addition, an administrative fine of €18,000 has been imposed on the controller.
Parties
Luxembourg DPA and Anonymous Public Entity
Case number
n° 38FR/2021
Decision
Related deceptive patterns
The trick wording deceptive pattern takes advantage of user expectations and ambiguous language to mislead and deceive users. It is normal for users to scan-read when they are online, as a way to cope with the sheer volume of information they are faced with. This means they don't read and dwell on every word on every page. Trick wording usually takes advantage of the scan-reading strategy by making a piece of content look like it is saying one thing when in fact it is saying something else that is not in the user's best interests.
Related laws
Outlines the appointment of a Data Protection Officer (DPO) for certain organizations.
Requires the appointment of a Data Protection Officer (DPO) in certain circumstances.
Outlines the role of the Data Protection Officer (DPO) within organizations.