On 12 September 2017, the Luxembourg Parliament issued bill of law no. 7184 (the "Bill of Law") in order to complement Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC ("GDPR") [1].

Through the Bill of Law, the Luxembourg legislator intends to make use of the margin for manoeuvre that the GDPR grants to EU Member States to enact additional legislation vis-à-vis the protection of personal data.

Following the publication of the Bill of Law, several public and private bodies issued detailed opinions, in some cases criticising certain points of the Bill of Law. This led the Luxembourg Government to introduce some amendments to the Bill of Law on 8 March 2018 (the "Amendments").

The Amendments introduce three major changes to the Bill of Law. The changes are as follows:

  1. Amendments to Luxembourg labour law, especially with respect to the monitoring of employees;
  2. Insertion of a specific procedure relating to the imposition of penalty payments by the Luxembourg data protection supervisory authority (the "CNPD");
  3. Establishment of a Commissariat du Gouvernement à la protection des banques de données de l'Etat (the "Commissariat").

I. Amendments to the Luxembourg Labour Code

The first version of the Bill of Law did not contain any provisions relating to the monitoring of employees, which led to criticism of the Bill of Law.

This likely encouraged the Luxembourg Government to introduce some Amendments to replace Article L. 261-1 of the Luxembourg Labour Code.

Indeed, the current version of Article L. 261-1 of the Labour Code refers to the definition of supervision provided under the current Luxembourg data protection Law of 2 August 2002 as amended, which will be repealed by the entry into force of the Bill of Law. This would leave Article L. 261-1 of the Labour Code with a reference to a concept no longer defined under Luxembourg law, thus creating a situation of great legal uncertainty for employers and employees.

The new Article L. 261-1 of the Labour Code introduced by the Amendments now provides for specific provisions relating to supervision in the context of employment relationships.

In this regard, the new Article L. 261-1 first states that an employer may process its employees' personal data for the purpose of monitoring, as long as such processing is carried out in compliance with the principles of the GDPR.

The Amendments establish a procedure to ensure the compliance of such processing with the provisions of the GDPR. Indeed, the new Article L. 261-1 of the Labour Code provides that Articles L. 211-8 [2], L. 414-9 [3] and L. 423-1 [4] of the same Code shall apply when the processing of personal data is implemented:

  1. for the purposes of employees' health and safety,
  2. for temporary control of employees' production or performance, when it is the only way to determine their exact salary, and
  3. in the context of work organisation according to the flexible working time system.

In the event of disagreement, one of the parties may request from the CNPD a preliminary opinion relating to the compliance of the monitoring project with the requirements of the GDPR. The CNPD then has one month to provide an answer.

The new Article L. 261-1 also states that the consent of an employee whose personal data is being processed is not a lawful basis for the processing implemented by the employer.

Moreover, the new Article provides that the employer should give prior notice of the contemplated processing to the person concerned by such processing, and also, in the context of a private law contract, to the joint works council, or, in the absence of a joint works council, to the staff delegation, or by default, to the Inspection du travail et des mines. In the context of a statutory regime, the employer must inform, in addition to the relevant person, the staff representative bodies, as provided in the related laws and regulations. Finally, in each case of processing of personal data for monitoring purposes, the staff delegation or the employees concerned may request a preliminary opinion relating to the GDPR compliance of the processing project from the CNPD, which must provide its response within one month from the date of the request. Such request will suspend the implementation of the processing project.

Whether such new procedure will be retained in the final version of the Bill of Law remains to be seen, as some bodies have already expressed the view that the GDPR already offers sufficient guarantees to employees to assert their rights. In the present case, it furthermore could be argued that the suspensive effect of the request will prevent the employer from putting any monitoring process in place as long as it does not know whether the staff delegation or employees will lodge such a request with the CNPD.

As a result, this "new" system would in fact be quite similar to the current Luxembourg data protection law, which requires employers to seek authorisation from the CNPD prior to carrying out monitoring activities.

This would, however, be in contradiction with the GDPR principles, which aim at removing any prior authorisation regime.

It should be noted that the Council of State recently issued an Opinion on 30 March 2018 criticising the amendments made to Article L. 261-1 of the Labour Code. In this Opinion, the Council of State considers that entitling the CNPD to issue a prior opinion regarding a processing of personal data might be counterproductive.

Indeed, as underlined by the Council of State, pursuant to the Amendments, the CNPD would be responsible both for:

  • issuing a prior opinion regarding the processing of personal data for the monitoring of employees;
  • and for handling the claims that employees might lodge at a later stage regarding the same processing of personal data.

The CNPD would thus find itself in a conflicting situation, since it would, by definition, be bound by its prior opinion.

II. Penalty payments

Pursuant to Article 83 of the GDPR, the CNPD is entitled to impose administrative fines on any entity infringing the GDPR. In addition to these sanctions, the Amendments now set out how the CNPD may, in certain cases, impose penalty payments.

These penalties shall apply to data controllers or processors failing to provide certain information required by the CNPD, pursuant to Article 58 (1) (a) of the GDPR [5]. They shall also apply to data controllers or processors failing to comply with a corrective measure adopted by the CNPD, pursuant to Article 58 (2) (c), (d), (e), (f), (g), (h) and (j) of the GDPR [6].

These penalty payments may reach up to 5 per cent of the average daily turnover achieved by the relevant entity in the preceding financial year, or during the last completed financial year, per day of delay from the date of the CNPD's decision.

The Amendments also include terms of limitation for the payment of penalties. The first pertains to the statutory limitation of the power vested in the CNPD to impose a penalty payment, and the second to the statutory limitation of the enforcement of the penalty payment itself.

In the first case, Article 57 of the Bill of Law provides that the power of the CNPD to impose a penalty payment is subject to a limitation period of 3 years. The limitation period runs from the day on which the processing of personal data ended. It is interrupted by any act of the CNPD. It starts running again after each interruption, but the limitation period is reached when the CNPD fails to impose any penalty payment for 6 years. The limitation period is, however, suspended for as long as the decision of the CNPD is subject to proceedings pending before the Administrative Court.

In the second case, when the penalty payment has been imposed, it is subject to a statutory limitation of 5 years. The limitation period runs from the date on which the decision imposing the penalty becomes final. It is interrupted when the decision to change the amount of a penalty payment or to reject the request for such change is notified, or by virtue of an act of the Administration de l'Enregistrement et des Domaines for enforced recovery of a penalty. The limitation period may also be suspended for as long as a payment extension is granted or a court order precludes enforcement of the payment.

Finally, the Amendments provide for an additional penalty whereby the CNPD is entitled to order the publication of its decisions via a newspaper or otherwise, at the expense of the sanctioned person.

III. Commissariat du Gouvernement à la protection des banques de données de l'Etat

Nevertheless, the Draft Bill shows the government's intention to reinforce the protection of personal data and to extend the mission of the CNPD by providing it with dissuasive means to sanction any infringements of the GDPR and the future Luxembourg data protection law. It is thus highly recommended that companies processing personal data adopt, before the entry into force of the GDPR in May 2018, specific measures to comply with the new obligations arising from it and to show accountability in this respect.

IV. Conclusion

The Bill of Law, together with the Amendments, demonstrates the Government's intention to go beyond a mere mechanical application of the GDPR in Luxembourg, notably by ensuring that the rights of employees as data subjects are fully respected, giving more powers to the CNPD and establishing a Commissariat to coordinate and ensure data protection within State entities and public administrations.

Footnotes

1 Please refer to our newsflash of 29 September 2017 on European General Data Protection Regulation: http://www.arendt.com/publications/pages/luxembourg-draft-bill-gdpr-data-protection.aspx.

2 Article L. 211-8 of the Labour Code governs the introduction of a flexible working time system and specifies the steps an employer applying a reference period must follow to implement such flexible time mechanism.

3 Article L. 414-9 of the Labour Code provides for cases where the employer must have the agreement of the staff delegation to adopt certain measures.

4 decisional authority.

5 Article 58 (1) (a) of the GDPR: "[The CNPD] may order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks".

6 Article 58 (2) of the GDPR: "[The CNPD] shall have all of the following corrective powers: (c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation; (d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; (e) to order the controller to communicate a personal data breach to the data subject; (f) to impose a temporary or definitive limitation including a ban on processing; (g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19; (h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met; (j) to order the suspension of data flows to a recipient in a third country or to an international organisation".