When the GDPR Clock Never Stops: Lessons from a EUR 175,000 Fine for Delayed Data Subject Responses

1. Facts of the case

The CNPD investigated a credit institution, “Company A”, during a nine month period about 47 claims made by data subjects. They alleged delays in replies to their acces rights requests. The CNPD acted as the lead supervisory authority under Art 56 GDPR because the main establishement of the controller (Company A) is in Luxembourg.

2. The principle of transparency (Art 12 GDPR)

In this decision, the CNPD mainly analysed Art 12 (3) and (4) GDPR. In Art 12 (3) GDPR it is laid down, that the controller must provide information without undue delay and in any event within one month of receiving the request. This deadline can be extended by two months if necessary due to complexity or volume, but the data subject must be informed about the extension and its reasons within the first month. Art 12 (4) GDPR states that if the controller does not act on the request, it must inform the data subject within one month at the latest of the reasons for its inactivity and of the possibility of lodging a complaint with the supervisery authority and seeking a judicial remedy.

3. Key Legal Issues of the case

In this decision, the CNPD had to analyse different factors which led to the delays, including technical issues, force majeure and human errors.

3.1. Technical Issues:

the controller stated that it provided two ways to contact the Data Protection Officer (“DPO”) of Company A for exercising the rights of data subjects: At the time, Company A had a contact form in its privacy policy that allowed data subjects to submit requests. The second option to contact the responsible departments of Company A was the DPO’s e-mail address. The controller later stated that this was only the secondary point of contact, leaving the contact form as the main contact channel.

Due to the high number of unwanted e-mails (spam) received by the DPO’s inbox, it was technically no longer possible to filter the genuine requests of the people concerned. Although, the CNPD confirmed the technical malfunction of the DPO’s inbox it clearly stated the following:

1. The privacy policy of Company A not only mentioned the contact form but also explicitly listed the DPO’s e-mail address for data protection queries.
2. Art 38 (4) GDPR and the European Data Protection Committee’s (EDPS) guidelines request to contact the DPO directly and easily. Therefore, the obligation to process requests sent to the DPO’s e-mail stays with the controller even if there is an additional contact form available. Data subjects are not obliged to send their request solely via said contact form.
3. The one-month response deadline started when the requests reached the DPO’s mailbox, even if Company A never read them because of the malfunction. The EDPS guidelines confirm that the deadline starts running when the request arrives at any official channel, not when it’s read.

3.2. Covid-19 crises:

in the response of some of the claims, the controller explained that the non-compliance with the deadline set out in Art 12 (3) and (4) GDPR was linked to the context of Covid-19 because the mailroom was not fully operational. The CNPD assessed this argument as follows:

1. At the time of the events, the Covid-19 crises had already lastet for more than eight months and the controller has therefore had the necessary time to adapt its mail management.
2. As a registered credit institution Company A is required to have a business continuity plan in times of crises such as Covid-19. The fact, that Company A had such a business continuity plan which allowed it to respond to a majority of the requests, but not to all, was not seen as a valid argument.
3. The controller must always comply with the time limits set out in Art 12 (3) and (4) GDPR, even in times of pandemic. The considerations regarding Covid-19 have no impact on the objective finding of a breach of the GDPR.

3.3. Human Errors

In its decision, the CNPD found various human errors which made it impossible to comply with the request deadline. Examples of these errors were:

1. In certain complaints, the customer service failed to differentiate a request from a data subject from a parallel request related to another matter, such as  questions about account closures, disputes, or general customer service issues. As a result, the data rights requests were ignored or not handled properly within the legal timeframe.
2. Some requests were not forwarded internally to the correct department responsible for handling GDPR rights.
3. In at least one case, Company A sent a reply to the wrong e-mail address, because of a missing dot in the address, so the data subject never received it.

Regarding these human errors the CNPD ruled the following:

1. All these human errors were found as a failure of the controller because the obligation is to ensure the data subject actually receives the information.
2. The factors such as human errors may be taken into consideration, insofar as they are relevant. But in the context of corrective measures and / or administrative fines the auhority could only find that the controller breached Art 12 (3) and (4) GDPR.

3.4. Further arguments made by the controller

3.4.1. Nine months of secret investigations:

CNPD formally opened an investigation based on Art 38 Luxembourg Data Protection Act into Company A on 21 October 2022. Only nine months later, CNPD sent the formal letter informing the controller of the investigation. Company A therefore argued that this long gap lead to unfairness, because it was already asked about information in the course of dealing with complaints without knowing that these requests were connected to a full investigation.

Under the procedural rules of the CNPD, there is no fixed time limit for informing a controller once an investigation is formally opened. It is not necessary for the preliminary phase of gathering the relevant facts for the controller to be immediately informed. This only, if the rights of defence are fully respected and the controller is given the opportunity to express its point of view and to submit additional documents at each stage of the investigation process. In this case, the CNPD could not find a violation of these rights.

3.4.2. When changes do not change anything 

The controller additionally claimed that it had taken steps after the start of the investigation to improve the handling of data requests. These implemented changes were cooperated closely with the CNPD during the period covered by the investigation. However, the CNPD considers, that any non-compliance with the time limits set out in Art 12 (3) and (4) GDPR constitute a breach of the GDPR. Any changes made by Company A during the course of the investigation and prior to the decision of the CNPD, even if they make it possible to establish full or partial compliance, do not make it possible to retroactively cancel an identified breach.

4. Lessons Learned

Even if the initial fine of EUR 493,560 has been lowered to EUR 175,000, it remains a substancial fine. The CNPD’s decision sends a clear message to data controllers: strict adherence to GDPR response deadlines is non-negotiable, regardless of technical glitches, human mistakes, or extraordinary circumstances like Covid-19. Published contact channels must be fully operational, and internal workflows must be watertight to ensure every data subject request is identified and handled on time. Post-incident improvements, no matter how effective, cannot erase past breaches. Continuous, proactive compliance is the only way to avoid regulatory scrutiny and significant financial penalties.

Article provided by INPLP member: Virginie Liebermann and Michel Molitor (Molitor, Luxembourg)

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)