Company offering electronic communication services – no complete information of the data subjects & no sufficient technical and organisational measures

22 January 2024

Luxembourg

Background information

Date of final decision: 5 July 2023
National case
Controller: the data controller is a company offering electronic communication services.
Legal Reference(s): Article 13 (Information to be provided where personal data are collected from the data subject), Article 24 (Responsibility of the controller)
Decision: Administrative fine, Compliance order, Warning and Violation identified
Key words: Accountability, Administrative fine,Clients, Responsibility of the controller, Right to be informed

Summary of the Decision

Origin of the case

A complaint. During the handling of the complaint, it appeared that the data controller transferred multiple times personal data of the complainant to its data processor, who then transmitted said data to a third party. Therefore, the Luxemburg Supervisory Authority (the CNPD) decided to open an investigation in order to verify the compliance with the provisions of the GDPR, and more precisely concerning the legal basis of the transfer of personal data of the complainant to a third party, as well as the information of the data subject concerning said transfer.

Key Findings

The, CNPD, concluded that the data controller violated article 13.1.e) of the GDPR (no information about the recipients of the personal data, and more precisely about the transfer of the data to one specific data processor). In addition, the CNPD identified a violation of article 24.1 of the GDPR (responsibility of the data controller), as personal data of the complainant was illicitly transferred multiple times to a third party by a processor of the controller.

Decision

An administrative fine of 1.500 € was imposed, as well as a reprimand for having violated article 13.1.e) of the GDPR. In addition, the CNPD ordered the controller to bring the processing operations into compliance with article 24.1 of the GDPR, in particular by putting in place appropriate technical and organizational measures in order to verify that the data processor stops transferring the data of the complainant to a third party.

For further information: national decision

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.

Company offering electronic communication services – no complete information of the data subjects & no sufficient technical and organisational measures

Background information

Summary of the Decision

Origin of the case

Key Findings

Decision

Gesichtserkennung an Flughäfen: Einzelpersonen sollten die maximale Kontrolle über biometrische Daten haben

EDPB launches French and German versions of its Data Protection Guide for small business

Finnish SA: Administrative fine of € 856,000 for failing to define storage period of customer data

Czech SA imposed fine of 13.9 million EUR for infringement of Art. 6 and Art. 13 of GDPR

Hellenic SA: fine on a company for failure to implement technical and organisational measures resulting in unauthorised access by third parties