Fining practice
Trend: Have the national data protection authorities in Luxembourg focused on certain types of non-compliance with data protection law so far or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees - possibly also due to - Covid related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
The Luxembourg data protection authority ("Commission nationale pour la protection des données", "CNPD") has concentrated its efforts in 2022 on two main topics: The appointment of a DPO as well as compliance of video surveillance systems with the GDPR. Municipal authorities, schools and private sector companies were the main focus of CNPD investigations.
The CNPD has not issued yet any report for 2023 and we are unable to define a trend as the decisions taken in 2023 often relate to investigations carried out in 2022. However, we found that vehicle tracking systems were one of the CNPD's main concerns.
Overall, what was the most significant fine in Luxembourg to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
On 16 July 2021, the CNPD imposed a fine of EUR 746 million on Amazon. Indeed, pursuant to the procedures for cooperation between authorities introduced by the GDPR, the CNPD was competent to deal with this case, as Amazon Europe Core was established in Luxembourg. Amazon was mainly blamed for processing user data for advertisements without asking permission. This fine was challenged by Amazon and the case is still pending. Amazon's main argument is that the CNPD should have given it the opportunity to change its practices to comply with the GDPR before imposing a fine.
Organisation of authorities and course of fine proceedings in Luxembourg
How is the data protection authority organised in Luxembourg? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
- The CNPD is an independent public body with legal personality and with financial and administrative autonomy.
- The CNPD is divided into six departments: an “Awareness” department, a “Guidance” Department, a “Compliance” Department, a “Claims” Department, an “Investigations” Department, and an “Administration” Department.
- In 2022, CNPD had 58 employees. The CNPD's budget for the 2022 financial year amounts to EUR 8.2 million (an increase of 15.06% on the previous year's budget).
How does a fine procedure work in Luxembourg? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
- Fines may be directly imposed by the CNPD as part of administrative proceedings.
- If the CNPD decides to initiate fine proceedings following audits or inspections, the company shall be notified to this effect. A report proposing the imposing of an enforcement measure shall be sent to the company and the latter may submit its observations to the CNPD.
- An appeal against the decisions of the CNPD can be made before the Administrative Tribunal, which rules on the merits of the case. The time limit for lodging an appeal is three months.
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
Fines are transferred to the State treasury.
Is there a common, official calculation methodology for fines in Luxembourg (such as the fining models in the Netherlands or Germany)?
There is no common, official calculation methodology for fines. Fines are calculated in light of the criteria mentioned in Article 83(5) and (6) of the GDPR.
Can public authorities be fined in Luxembourg? If they can: Where does this money go?
CNPD may impose fines on public authorities, except the State and municipalities. Fines are transferred to the State treasury.
In Luxembourg, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
All decisions issued by the CNPD are published on the CNPD’s website. These decisions contain information on the relevant facts, imposed fines and other procedural steps. Often the involved parties are anonymised.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?
See our answer to previous question.
Other legal consequences of non-compliance in Luxembourg
Does Luxembourg have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
- Under Luxembourg law, there is currently no specific framework allowing for class actions. Such actions are also not admissible under the general rules of civil procedure as claimants may only sue in respect of a prejudice they have suffered personally.
- A bill of Law is still under discussion concerning the introduction of consumer class action in Luxembourg law.
What is more relevant in Luxembourg: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
Currently, fines imposed by the CNPD are much more common than court cases, which are relatively rare in Luxembourg.
