CNPD 1FR/2025: how the DPA calculates a GDPR fine in 5 steps
On 6 January 2025, the CNPD fined a controller for delays in data subject rights and applied the EDPB’s five-step method. Key takeaway: track and document your “time-to-rights”.
CNPD 1FR/2025 is a textbook case on calculating a GDPR fine. For repeated delays in handling data subject requests under Article 12(3)-(4) GDPR, the CNPD applies the EDPB’s five-step method and details each calculation layer.
The case
On 6 January 2025, the CNPD (restricted formation) adopted Deliberation No. 1FR/2025 against “Company A” (a credit institution supervised by the CSSF) for repeated breaches of response deadlines under Article 12(3)-(4) GDPR. The procedure aggregates 47 upheld complaints in a cross-border setting, with the CNPD acting as lead authority (Article 56 GDPR). A fine and corrective measures were imposed; the decision explains the calculation: identifying operations, starting amount, aggravating/mitigating factors, legal cap, and final check on effectiveness, proportionality, and deterrence. Official source: CNPD Deliberation No. 1FR/2025 (decision page and anonymised PDF, 46 pages).
Legal reasoning
- Material basis: Article 12(3)-(4) GDPR. Controllers must respond “without undue delay and at the latest within one month,” with a possible two-month extension for complexity/volume, notified and reasoned within the first month. The 47 upheld complaints evidence overruns; some explanations (DPO mailbox organisation, COVID-19) were rejected. CNPD decision.
- Sanctioning power: Article 83 GDPR. Fines must be “effective, proportionate and dissuasive,” within the 10M€/2% (Art. 83(4)) or 20M€/4% (Art. 83(5)-(6)) caps, considering Article 83(2) criteria. Official text: EUR‑Lex. For a practical recap, see the GDPR requirements.
- Calculation method: EDPB Guidelines 04/2022 (v2.1, 24 May 2023). Five steps: (1) identify the infringement and processing operations; (2) set a starting amount based on gravity and turnover; (3) adjust for aggravating/mitigating factors; (4) check applicable caps; (5) calibrate to ensure effectiveness, proportionality, and deterrence. EDPB Guidelines 04/2022. The CNPD mirrors this: II.2, §§2.1.1–2.1.5.
- Procedural consistency: the decision recalls national rules (Law of 1 August 2018, Art. 41; internal rules 07AD/2024 and 08AD/2024) and the cooperation mechanism (Art. 56 GDPR). CNPD decision.
What this changes for executives, DPOs and CISOs in Luxembourg
- “Time-to-rights” becomes a core KPI. Be ready to produce a timestamped log per request: receipt, qualification, deadline interruptions, motivated extension notice, closure. See the “In the present case” and “General considerations” sections (II.1.B.2.1).
- The EDPB method applies to the letter. Internal fine/risk matrices must reflect gravity vs. turnover and the modulation steps. See EDPB 04/2022 and 1FR/2025 II.2.
- Synchronise DPO and Customer Service/IAM. DPO mailbox management and triage are scrutinised. In practice, it is key to professionalise the DPO function and the ticketing/IAM tooling.
- Regulated groups are more exposed. Turnover (including group-level) weighs in the deterrence step; for CSSF-regulated entities, mastering data subject rights impacts governance. See II.2, §2.1.5 and Section I (Facts). A local approach can help via GDPR compliance in Luxembourg.
Common pitfalls seen in audits
- Assuming an acknowledgement “freezes” the one-month clock: false. Only a motivated extension, notified within the first month, is valid. CNPD decision.
- Centralising without organising: a “privacy@” or “dpo@” mailbox without assignment/escalation rules creates systemic delays. The decision discusses mailbox operations and rejects weak organisational justifications. CNPD decision.
- Claiming “complexity/volume” without proof: the two‑month extension requires objective, traceable reasons. The EDPB demands a non-mechanical but documented approach, echoed by the CNPD. EDPB 04/2022.
- Underestimating repetition: 47 complaints weighed on gravity/duration and modulation. CNPD decision.
- Forgetting the final deterrence check: authorities adjust to ensure a deterrent effect given relevant turnover. See Article 83 GDPR and Step 5 of the Guidelines; reflected in §2.1.5. EUR‑Lex.
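The “time-to-rights” log described above, together with the two deadline rules in the pitfalls (an acknowledgement does not stop the clock; an extension only counts if notified, with reasons, within the first month), can be turned into an automated compliance check. The script below is an added example written for this article, not code from the CNPD, the EDPB or the fined controller. It assumes calendar-month arithmetic for “one month” (31 January + one month = 28/29 February) and uses a constructed four-request log; the `Request` fields, the status labels and the KPI names are this example's own choices.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic: same day-of-month n months later, clamped
    to the last day of the target month (31 Jan + 1 month = 28/29 Feb).
    Assumption: this is how the article's "one month" is read."""
    month_index = d.month - 1 + n
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Request:
    request_id: str
    received: date                              # receipt of the data subject request
    acknowledged: Optional[date] = None         # acknowledgement only; does not stop the clock
    extension_notified: Optional[date] = None   # motivated extension notice, if any
    closed: Optional[date] = None               # substantive answer sent


def statutory_deadline(req: Request) -> tuple:
    """Return (deadline, extension_valid).

    Article 12(3): one month from receipt, extendable by two further months
    only if the controller notifies the data subject within the first month.
    The acknowledgement date is deliberately ignored (pitfall no. 1)."""
    first_month = add_months(req.received, 1)
    if req.extension_notified is not None and req.extension_notified <= first_month:
        return add_months(req.received, 3), True
    return first_month, False


def assess(req: Request, today: date) -> dict:
    """One log row: deadline, time-to-rights in days, status and overrun."""
    deadline, extension_valid = statutory_deadline(req)
    if req.closed is not None:
        ttr = (req.closed - req.received).days
        status = "on_time" if req.closed <= deadline else "overdue"
        overrun = max(0, (req.closed - deadline).days)
    else:
        ttr = (today - req.received).days
        status = "open" if today <= deadline else "open_overdue"
        overrun = max(0, (today - deadline).days)
    return {
        "request_id": req.request_id,
        "deadline": deadline,
        "extension_valid": extension_valid,
        # An extension notice sent after the first month is a red flag on its own.
        "invalid_extension_notice": req.extension_notified is not None and not extension_valid,
        "time_to_rights_days": ttr,
        "status": status,
        "overrun_days": overrun,
    }


# Constructed sample log (not taken from the decision): four requests in 2024.
SAMPLE_LOG = [
    Request("R-001", date(2024, 1, 15), closed=date(2024, 2, 10)),
    Request("R-002", date(2024, 1, 31), acknowledged=date(2024, 2, 2), closed=date(2024, 3, 5)),
    Request("R-003", date(2024, 3, 10), extension_notified=date(2024, 4, 5), closed=date(2024, 6, 1)),
    Request("R-004", date(2024, 5, 2), extension_notified=date(2024, 6, 15)),
]


def kpi_report(log: list, today: date) -> dict:
    """Aggregate KPIs of the kind the article suggests reporting at ExCom level."""
    rows = [assess(r, today) for r in log]
    closed = [r for r in rows if r["status"] in ("on_time", "overdue")]
    ttrs = sorted(r["time_to_rights_days"] for r in closed)
    return {
        "rows": rows,
        "closed": len(closed),
        "closed_on_time": sum(1 for r in closed if r["status"] == "on_time"),
        "overdue_total": sum(1 for r in rows if r["status"] in ("overdue", "open_overdue")),
        "invalid_extension_notices": sum(1 for r in rows if r["invalid_extension_notice"]),
        "median_ttr_days": ttrs[len(ttrs) // 2] if ttrs else None,
    }


if __name__ == "__main__":
    report = kpi_report(SAMPLE_LOG, today=date(2024, 7, 1))
    for row in report["rows"]:
        print(row)
    print({k: v for k, v in report.items() if k != "rows"})
```

In the sample log, R-002 shows the first pitfall (acknowledged on day two, answered five days late) and R-004 the third (an extension notice sent after the first month, so the original one-month deadline stands and the request is open and overdue). Feeding the real ticketing export into `kpi_report` gives the timestamped evidence the decision expects a controller to be able to produce.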
Official sources
- CNPD — Deliberation No. 1FR/2025 (fine and corrective measures) — decision page and anonymised PDF.
- EDPB — Guidelines 04/2022 on the calculation of administrative fines (v2.1, 24 May 2023) — full text.
- EUR‑Lex — GDPR, Article 83 — official version.
In short: log every request, manage the DPO mailbox like a critical front desk, evidence any extension, monitor rights KPIs at ExCom level, and align your fine matrix with the EDPB method.
Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.