Company offering electronic communication services – no complete information of the data subjects & no sufficient technical and organisational measures

22 January 2024

Background information

  • Date of final decision: 5 July 2023
  • National case
  • Controller: the data controller is a company offering electronic communication services.
  • Legal Reference(s): Article 13 (Information to be provided where personal data are collected from the data subject), Article 24 (Responsibility of the controller)
  • Decision: Administrative fine, Compliance order, Warning and Violation identified
  • Key words: Accountability, Administrative fine, Clients, Responsibility of the controller, Right to be informed


Summary of the Decision


Origin of the case  

The case originated from a complaint. While the complaint was being handled, it emerged that the data controller had transferred the complainant's personal data multiple times to its data processor, which then transmitted the data to a third party. The Luxembourg Supervisory Authority (the CNPD) therefore decided to open an investigation to verify compliance with the provisions of the GDPR, more precisely the legal basis for the transfer of the complainant's personal data to a third party and the information given to the data subject about that transfer.

Key Findings 

The CNPD concluded that the data controller violated article 13.1.e) of the GDPR (no information about the recipients of the personal data, and more precisely about the transfer of the data to one specific data processor). In addition, the CNPD identified a violation of article 24.1 of the GDPR (responsibility of the data controller), as personal data of the complainant was illicitly transferred multiple times to a third party by a processor of the controller.


An administrative fine of 1.500 € was imposed, as well as a reprimand for having violated article 13.1.e) of the GDPR. In addition, the CNPD ordered the controller to bring the processing operations into compliance with article 24.1 of the GDPR, in particular by putting in place appropriate technical and organizational measures in order to verify that the data processor stops transferring the data of the complainant to a third party.  

For further information: national decision

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.