News
Transparency in the sights of the Luxembourg data protection Authority
As in the past, the Luxembourg data protection Authority (the “CNPD”) launched in 2020 a thematic investigation on transparency (Article 12.1 of the GDPR). This investigation resulted in interesting and useful decisions of 13 December 2022 on the Authority's expectations regarding the application of the principle of transparency in the context of web services.

To conduct its investigation, the CNPD sent a questionnaire to a selection of Luxembourg companies offering web services and/or mobile app.
Nine objectives were defined to carry out the investigation to ensure whether (i) the information is available; (ii) the information is complete; (iii) the absence of information is justified by a valid exception; (iv) the information is transmitted by appropriate means (v) information is concise, transparent, understandable, and conveyed in clear and simple language;(vi) the information is adapted to the category of persons concerned (vii) the information is free of charge; (viii) the information is easily accessible; and (ix) the information is provided at key stages of processing.
Article 12.1. of the GDPR deals with the quality of information and the way this information has to be given to data subjects to enable them to exercise their rights provided by the GDPR. It requires controllers to take appropriate measures to provide "any" information under Articles 13, 14, 15 to 22 and 34 of the GDPR in a manner that is concise, transparent, intelligible and easily accessible, using clear and plain language, whatever its format.
The CNPD found breaches of the transparency obligation in the following cases:
- Information must be concise and transparent:
The data protection policy provided by the controller was broader than what is implemented in reality.
The CNPD considers that the provision of information to users that corresponds to processing that is not carried out, such as information on advertising based on the interests of the customer or on the collection of information on customer habits included in the data protection policy but which in reality are not processed by the data controller, prevents the required information from being presented to users in an effective and succinct manner.
Presenting illustrative examples in the data processing policy or using wording such as “included among the types of data (…)” or stating that “the data are processed and kept for as long as required for the purpose for which they are collected”give the impression that the information provided to users is not complete and is therefore not compliant.
- Information must be accessible, including policy changes
Substantial updates must be actively disclosed i.e. for example by using an informative email or a pop-up on the website together with a summary of the main changes and the consequences for data subjects.
A communication via a cookies banner which appears only at the time of the first connection to the Internet site does not constitute an appropriate communication support. The information must be given by an appropriate means such as an email, postal mail, contextual window on a web page, or any other means to effectively capture the user's attention.
- Information must be intelligible.
The information contained in the data protection policy must correspond to the information contained in data processing register:
In this decision, the data protection policy only mentioned that the controller can collect information on traffic for each call or internet session without indicating the collection of location data, although this was mentioned in the policy. A data subject should be able to determine in advance what the scope and consequences of the processing entails and they should not be surprised at a later point about the ways in which their personal data has been used.
- Information must be easily accessible
The fact that the information is provided in the App via hyperlinks is appropriate provided that the redirection link to the contact form and the privacy policy works (in the present case, the links were broken).
The information must be accessible at each point of collect i.e. on each concerned web page of the web site or the App.
Data subjects should not have to search for the information but should be able to access it immediately.
- Information must be providing using clear and plain language
The data protection policy must be available in the same languages as those offered on the website, namely the languages of the customers targeted by the services of the controller.
The amount of the penalties imposed in the decisions of December 13, 2022, remain relatively symbolic : between EUR 700 and EUR 3000.
The CNPD's approach is above all one of raising awareness and educating companies to enable them to comply and to accompany them on this complex but essential process.
Article provided by INPLP member: Michel Molitor and Virginie Liebermann (Molitor Avocats a La Cour, Luxembourg)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- Jänner 2025
- Dezember 2024
- November 2024
- Oktober 2024
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010