CNPD 16/12/2025: insufficient GDPR Article 30 record sanctioned

On 16/12/2025, the CNPD imposed a €7,000 fine for an incomplete Article 30 record. The decision clarifies required fields (recipients, transfers, categories, retention, security) and the EDPB fine calculation method.

Key point: on 16 December 2025, the CNPD fined a Luxembourg company (Decision No. 7FR/2025) for an incomplete record of processing activities, imposing a €7,000 fine and remedial orders. The decision clarifies practical expectations for the “ROPA” and how fines are calculated.

The case

On 16/12/2025, the CNPD (restricted formation) found insufficient information in several records (points a), c), d) and e) of GDPR Article 30) and imposed €7,000. Partial fixes made in 2025 remained incomplete for some entries. See the public case note and pseudonymised PDF: Record of processing – Insufficient information and Deliberation No. 7FR/2025 (PDF).

Legal reasoning

Legal basis

Article 30 GDPR requires documenting: a) identity/contact details (including DPO where applicable), b) purposes, c) categories of data subjects and personal data, d) categories of recipients, e) any transfers outside the EU (third country and safeguards/Article 49(1) derogations), f) retention/erasure periods, g) a general description of security measures (Article 32(1)). Official text: EUR‑Lex, Article 30.

CNPD’s interpretation

The decision notes material gaps: poorly identified recipients, vague data categories, and above all missing details on third‑country transfers (no country identification in several entries). Some issues persisted despite fixes in Feb/Apr 2025 (e.g., “General customer & supplier contract & relationship management”). See §§ 113‑123 of the PDF.

Fine calculation methodology

The CNPD applies the EDPB’s harmonised method (Guidelines 04/2022) in five steps: legal qualification (Art. 83(4)-(6)), starting point, aggravating/mitigating factors, legal caps, and the effectiveness/proportionality/deterrence test (Art. 83(1)). References: EDPB Guidelines, final 24/05/2023 and decision §§ 85 ff., 107.

CNPD guidance and tools

The CNPD provides an illustrative register template (associations) that explicitly lists expected fields, including retention and technical/organisational security measures: CNPD guidance and register template. The “Record of processing – Professionals” page summarises required items and the narrow <250 employees exception (Art. 30(5)).

What this changes in practice

  • The record is not a mere inventory. The CNPD reviews entry by entry. For extra‑EU transfers, do not stop at yes/no: specify each third country, legal basis (SCCs, BCRs, adequacy, Art. 49), and any supplementary measures.
  • Retention and security must be operationally filled out (“where possible”, Art. 30(1)(f)-(g)). The CNPD template offers useful target values.
  • SaaS tools: substance over tooling. A usable export of the register may be requested during on‑site inspections. See the observation about the register being “available on an online application” in the PDF.
  • Fine calculation: the EDPB method applies. Even a single low‑gravity infringement must be effective and dissuasive.

To speed up remediation and ensure CNPD compliance in Luxembourg, a certified DPO mandate can help structure the record and document transfers.

Use cases

  • Group with non‑EU subsidiaries: each “customers/suppliers” entry must detail flows (CRM, support, ticketing), identify third countries and mechanisms (SCCs 2021/914, DPF if applicable to the US, ad hoc clauses), possibly via a transfer map. The CNPD flagged incomplete “marketing support materials”, “technical data exchanges”, “ticketing system” entries.
  • Bank/PSF with an intra‑EU cloud processor but L1/L2 support outside the EU: document support, telemetry, logs, observability if extra‑EU access/processing is possible, with countries and safeguards.
  • Public/semi‑public sector: the conditions of the <250 employees exception are cumulative and rarely all met; the CNPD recommends keeping a record in all cases for accountability.

Common pitfalls

  1. “Fill in transfers later”. Rejected by the CNPD: identify third countries and mechanism at the time of processing.
  2. Over‑broad data categories. Use sub‑categories (identity, contact, financial, health, etc.) as in the CNPD template.
  3. Unidentified recipients. Go beyond “providers” or “internal departments”: name vendor/integrator/subsidiary/service and distinguish EU/non‑EU.
  4. Missing retention periods. State a business rule (e.g., 2 years after relationship ends; 10 years for accounting) and reference a retention policy if needed.
  5. Generic security measures. Describe concrete controls (access control, encryption in transit/at rest, logging/traceability, testing, immutable backups) consistent with Article 32. A DPO can coordinate with security and business teams.
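The entry‑by‑entry review described under “What this changes in practice” and the five pitfalls above can be turned into an automated completeness check over a register export, which is useful before an inspection or a DPO review. The script below is an added example, not CNPD or Luxgap tooling: the entry schema (`purposes`, `recipients` with an EU/non‑EU `location`, `transfers` with `country` and `mechanism`, `retention`, `security_measures`) and the lists of generic labels and accepted transfer mechanisms are assumptions, and the two register entries at the bottom are constructed sample data, the second one reproducing the kinds of gaps the decision describes.

```python
"""Completeness check for a record of processing activities (ROPA) export.

Added example, not CNPD or Luxgap tooling. The rules encode the Article 30
fields discussed on the page; the register at the bottom is constructed
sample data, not any company's actual register.
"""
from __future__ import annotations

# Recipient labels that name nobody in particular (pitfall 3). Assumed list.
GENERIC_RECIPIENTS = {"providers", "suppliers", "internal departments", "third parties"}
# Data-category labels too broad to be useful (pitfall 2). Assumed list.
GENERIC_CATEGORIES = {"personal data", "customer data", "various data", "all data"}
# Security descriptions that describe no actual control (pitfall 5). Assumed list.
GENERIC_SECURITY = {"appropriate measures", "standard security", "best practices"}
# Transfer mechanisms named on the page (Chapter V GDPR). Assumed vocabulary.
TRANSFER_MECHANISMS = {"SCCs", "BCRs", "adequacy", "Art. 49", "DPF", "ad hoc clauses"}
# Placeholders that do not identify a third country (pitfall 1).
NON_COUNTRIES = {"", "n/a", "tbd", "various", "outside eu", "non-eu"}


def _lower_set(values):
    return {v.strip().lower() for v in values}


def check_entry(entry: dict) -> list[str]:
    """Return the findings for one register entry; an empty list means complete.

    Each finding is prefixed with the Article 30(1) point it relates to.
    """
    findings: list[str] = []

    if not entry.get("purposes"):
        findings.append("30(1)(b): no purpose stated")
    if not entry.get("data_subjects"):
        findings.append("30(1)(c): no categories of data subjects")

    categories = entry.get("data_categories") or []
    if not categories:
        findings.append("30(1)(c): no categories of personal data")
    for c in sorted(_lower_set(categories) & GENERIC_CATEGORIES):
        findings.append(f"30(1)(c): data category too broad: {c!r}")

    recipients = entry.get("recipients") or []
    if not recipients:
        findings.append("30(1)(d): no recipients listed")
    non_eu_recipient = False
    for r in recipients:
        name = (r.get("name") or "").strip()
        if not name or name.lower() in GENERIC_RECIPIENTS:
            findings.append(f"30(1)(d): recipient not identified: {name!r}")
        loc = r.get("location")
        if loc not in ("EU", "non-EU"):
            findings.append(f"30(1)(d): recipient {name!r} lacks EU/non-EU location")
        elif loc == "non-EU":
            non_eu_recipient = True

    # A non-EU recipient implies a transfer, which must name country and mechanism.
    transfers = entry.get("transfers") or []
    if non_eu_recipient and not transfers:
        findings.append("30(1)(e): non-EU recipient but no transfer documented")
    for t in transfers:
        country = (t.get("country") or "").strip()
        if country.lower() in NON_COUNTRIES:
            findings.append("30(1)(e): transfer without a third country identified")
        mechanism = (t.get("mechanism") or "").strip()
        if mechanism not in TRANSFER_MECHANISMS:
            findings.append(f"30(1)(e): transfer to {country or '?'} lacks a valid mechanism: {mechanism!r}")

    if not (entry.get("retention") or "").strip():
        findings.append("30(1)(f): no retention period or rule")

    security = entry.get("security_measures") or []
    if not security or _lower_set(security) <= GENERIC_SECURITY:
        findings.append("30(1)(g): no concrete security measures described")
    return findings


def check_register(register: list[dict]) -> dict[str, list[str]]:
    """Map each entry name to its findings."""
    return {e.get("name", "<unnamed>"): check_entry(e) for e in register}


def entries_needing_remediation(register: list[dict]) -> list[str]:
    """Names of entries with at least one finding."""
    return [name for name, f in check_register(register).items() if f]


# Constructed sample export (not a real register).
SAMPLE_REGISTER = [
    {
        "name": "Payroll",
        "purposes": ["salary payment", "social security declarations"],
        "data_subjects": ["employees"],
        "data_categories": ["identity", "contact", "financial"],
        "recipients": [{"name": "Payroll provider (Luxembourg)", "location": "EU"}],
        "transfers": [],
        "retention": "10 years after the financial year (accounting)",
        "security_measures": ["role-based access", "encryption at rest", "access logging"],
    },
    {
        "name": "General customer & supplier contract & relationship management",
        "purposes": ["contract management"],
        "data_subjects": ["customer and supplier contacts"],
        "data_categories": ["customer data"],
        "recipients": [
            {"name": "providers", "location": "EU"},
            {"name": "Ticketing SaaS vendor", "location": "non-EU"},
        ],
        "transfers": [{"country": "", "mechanism": "SCCs"}],
        "retention": "",
        "security_measures": ["appropriate measures"],
    },
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER).items():
        print(name, "->", findings or "OK")
```

Run against a real export, the second entry produces one finding per pitfall (broad category, unnamed recipient, transfer without a country, no retention, generic security), which is the shape of remediation list a DPO would hand back to the business owner of each processing activity.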

Official sources

In 2026, tighten your “transfers” entries (countries/mechanisms), refine categories/recipients, and anchor retention/security. Beyond compliance, this is your best defence if the CNPD knocks.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
