Decision of the National Commission sitting in restricted formation on Deliberation n°38FR/2021

€18,000 in fines


The DPA held a public entity liable because its DPO's contact details were not easy to find on its website and were accessible only in English, not in any of the official languages.

Our analysis

In 2018, the Luxembourg DPA initiated 25 audit proceedings related to the role of the Data Protection Officer (DPO) under the GDPR. One of the audits involved a public entity in Luxembourg, which was found to be in breach of four distinct obligations related to the role of the DPO under the GDPR. The head of investigation found that the entity had failed to publish the contact details of its DPO on its website in a way that made them easily accessible for data subjects, which violated Article 37(7) GDPR. The contact details were difficult to find and only available in English, rather than any of the official languages of Luxembourg. Although the controller addressed this issue during the investigation by publishing the contact details of the DPO in another language on its website, the CNPD still considered it to be a breach of Article 37(7) GDPR.


The CNPD (National Data Protection Authority) has taken action against the controller for non-compliance with the GDPR, issuing an injunction that requires the controller to remedy any remaining breaches within a specified period of six months. In addition, an administrative fine of €18,000 has been imposed on the controller.


Luxembourg DPA and Anonymous Public Entity

Case number

n° 38FR/2021

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.
