1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
The EU General Data Protection Regulation (679/2016) (GDPR) has been fully and directly applicable in Luxembourg since 25 May 2018.
The Law of 1 August 2018 on the Organisation of the National Data Protection Commission and the General Data Protection Framework (‘Law of 1 August 2018’) completes the GDPR at the national level and repeals the Law of 2 August 2002 on the protection of persons with regard to the processing of personal data.
The Law of 1 August 2018 on the Protection of Individuals with regard to the Processing of Personal Data in Criminal and National Security Matters (‘Law of 1 August 2018 on criminal data processing’) transposes into national law Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
The Law of 30 May 2005, as amended, concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (the ‘Electronic Communications Protection Law’) transposes Directive 2002/58/EC into national legislation. It governs the protection of personal data in the field of telecommunications and electronic communications, and takes recent and foreseeable developments in the field of services and technologies involving electronic communications into account.
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
Sector-specific laws that have an impact on data protection in Luxembourg include the following:
- Protection of privacy: Law of 11 August 1982 on the protection of privacy;
- Employee monitoring: Articles L261-1 and L261-2 of the Labour Code on processing operations for workplace supervision purposes;
- Passenger name records: Law of 1 August 2018 on the processing of passenger name record data in the context of the prevention and repression of terrorism and serious crime, and amending Law of 5 July 2016 on the reorganisation of the State Intelligence Service;
- Cybercrime: Law of 18 July 2014 concerning the approval of the Convention on Cybercrime of the Council of Europe, opened for signature in Budapest on 23 November 2001;
- Unique identifiers: Law of 18 June 2013 regarding the identification of a physical person within the national register of physical persons and identity cards;
- Criminal records and exchange of information within the European Union: Law of 29 March 2013 concerning the organisation of criminal records and the exchange of information from criminal records between member states of the European Union; and
- Networks and electronic communications services: Law of 27 February 2011 on electronic communications networks and services.
According to the Law of 1 August 2018 and the general data protection framework, the processing of genetic data for the purposes of the exercise of the specific rights of the controller in the field of labour law and insurance is prohibited.
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
The European Union has signed bilateral passenger name record (PNR) agreements with the United States, Canada and Australia. PNR data is information provided by passengers when they book tickets and when checking in for flights, as well as data collected by air carriers for their own commercial purposes. PNR data can be used by law enforcement authorities to fight serious crime and terrorism. The transfer of PNR data from the European Union to third countries can be done only through a bilateral agreement that provides for a high level of personal data protection.
The European Union has also signed a bilateral agreement with the United States regarding the transfer of financial data, called the Terrorist Finance Tracking Programme.
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
The National Commission for Data Protection (Commission Nationale pour la Protection des Données (CNPD)) is responsible for monitoring and checking that data is processed in accordance with the GDPR and the Electronic Communications Protection Law.
According to Article 58 of the GDPR, the CNPD has investigative powers, corrective powers, authorisation powers and advisory powers.
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
Industry standards and best practices play an important role in enabling individuals and entities processing personal data to better understand, apply and comply with their obligations.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
The EU General Data Protection Regulation (GDPR) applies to the processing of personal data:
- in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union;
- of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union; or
- by a controller not established in the European Union, but in a place where member state law applies by virtue of public international law.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
The GDPR does not apply to the processing of personal data:
- in the course of an activity which falls outside the scope of EU law;
- by EU member states when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union (specific provisions on the common foreign and security policy);
- by a natural person in the course of a purely personal or household activity; or
- by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
2.3 Does the data privacy regime have extra-territorial application?
See question 2.1.
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
(a) Data processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(b) Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
(c) Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.
(d) Data subject
An identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(e) Personal data
Any information relating to an identified or identifiable natural person.
(f) Sensitive personal data
Personal data regarding racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, data concerning health, sex life or sexual orientation, genetic data and biometric data.
(g) Consent
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
The terms are defined as in the EU General Data Protection Regulation. There are no other key relevant terms in our jurisdiction.
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
There is no registration requirement in Luxembourg, as the EU General Data Protection Regulation (GDPR) does not require notifications or registrations before processing data.
4.2 What is the process for registration?
This is not applicable in Luxembourg.
4.3 Is registered information publicly accessible?
This is not applicable in Luxembourg.
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
All the lawful bases provided for by the EU General Data Protection Regulation (GDPR) are recognised in Luxembourg. Therefore, the processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has consented to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Sensitive data is subject to enhanced protection and its processing is, in principle, prohibited. Nevertheless, the prohibition does not apply if one of the following applies:
- The data subject has given explicit consent to the processing of the personal data for one or more specified purposes;
- The processing is necessary for a legal obligation in the field of employment, social security or social protection law;
- The processing is necessary to protect the vital interests of the data subject or another person where the data subject is unable to give consent;
- The processing is carried out by a non-profit-seeking body and relates to members of that body or persons who have regular contact;
- The processing relates to data made public by the data subject;
- The processing is necessary for legal claims;
- The processing is necessary for reasons of substantial public interest;
- The processing is necessary for healthcare reasons;
- The processing is necessary for public health reasons; or
- The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) of the GDPR shall be carried out only under the control of official authority or when the processing is authorised by EU or member state law providing for appropriate safeguards for the rights and freedoms of data subjects.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
Any processing of personal data must comply with the six data protection principles provided for by the GDPR. Personal data must be:
- processed fairly, lawfully and transparently (lawfulness, fairness and transparency);
- collected for specific, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes (purpose limitation);
- adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed (data minimisation);
- accurate and, where necessary, up to date (accuracy);
- kept in an identifiable form for no longer than necessary (storage limitation); and
- kept secure (integrity and confidentiality).
In addition to the six data protection principles, the GDPR introduces the principle of accountability according to which the controller shall be responsible for and be able to demonstrate compliance with all the above-mentioned principles.
Sensitive data is subject to enhanced protection (see question 5.1).
These principles apply even if the processing of personal data is outsourced.
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
The Law of 1 August 2018 on the Organisation of the National Data Protection Commission and the general data protection framework introduces provisions regarding certain specific processing situations, in particular with respect to:
- the processing of personal data for the sole purpose of journalism, university research, art or literature. The Law of 1 August 2018 provides that the processing is not subject to:
- the prohibition of processing special categories of personal data;
- the limitation to process public judicial data;
- the rules applicable to transfers to third countries;
- the obligation to provide certain information to the concerned persons; and
- the obligation to give access to data subjects in certain circumstances;
- the processing of personal data for scientific or historical research or statistical purposes. The Law of 1 August 2018 provides that the rights of access, rectification, limitation and objection of the data subject may be limited to the extent that such rights would make impossible or seriously impede the accomplishment of the specific concerned purposes, provided that certain appropriate measures are implemented;
- the processing of genetic data for the purpose of exercising the rights of the controller in the field of labour and insurance law. Such processing is prohibited according to the Law of 1 August 2018; and
- the processing of personal data for monitoring purposes in the context of employment (see question 10.2).
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
A third party may process the data on behalf of the data controller. In such case, the controller must choose a processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be implemented, and must ensure compliance with those measures.
In accordance with Articles 28(3) and 28(9) of the EU General Data Protection Regulation (GDPR), the data processing by a third party must be governed by a contract or legal act binding the processor to the controller, which sets out:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subjects;
- the obligations and rights of the controller; and
- confirmation in particular that:
- the data processor shall process only on instructions from the data controller; and
- the data processor is subject to the same obligations as its own subcontractors.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
Personal data may be transferred freely between the countries inside the European Economic Area, provided that the processing complies with the general principles of the GDPR (eg, lawfulness of processing, compatibility of the communication of data to a third party with the initial processing activity, information to the data subjects).
Data may only be transferred to companies located in a country which provides an adequate level of protection. A transfer of personal data to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. To date, the following countries have, after confirmation of the European Commission, an adequate level of protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States (limited to the Privacy Shield Framework). Adequacy talks are also ongoing with South Korea.
In the absence of a decision from the European Commission, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
Without requiring any specific authorisation from a supervisory authority (the National Commission for Data Protection), the above-mentioned appropriate safeguards may be provided for by:
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules;
- standard data protection clauses adopted by the European Commission;
- standard data protection clauses (ad hoc clauses) adopted by a supervisory authority and approved by the European Commission;
- an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
- an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
Subject to the authorisation from the competent supervisory authority, the appropriate safeguards may also be provided for, in particular, by:
- contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
- provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
In the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
- The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- The transfer is necessary for important reasons of public interest;
- The transfer is necessary for the establishment, exercise or defence of legal claims;
- The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
- The transfer is made from a register which, according to EU or member state law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by EU or member state law for consultation are fulfilled in the particular case.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
There are no other requirements or restrictions than those set out in the GDPR.
It is also recommended to follow the different guidelines relating to the transfer of personal data issued by the European Data Protection Board and available on its website.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
Data subjects have the following rights:
- Right to information: The data subject has the right to be informed about the collection and use of his or her personal data.
- Right of access: The data subject has the right to get access to his or her personal data and receive a copy of his or her personal information.
- Right to rectification: He or she has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
- Right to erasure: He or she has the right to request the erasure of his or her personal data when the retention is no longer justified.
- Right to restriction of processing: He or she has the right to obtain from the controller restriction of processing under certain conditions.
- Right to data portability: He or she has the right to receive, free of charge, his or her personal data that he or she has provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller.
- Right to object: He or she has the right to object at any time on compelling legitimate grounds relating to his or her particular situation to the processing of data relating to him or her. This right also exists on request in the case of processing for the purposes of direct marketing.
- Right to contest a decision based solely on automated processing.
Data subject rights are not absolute and may in certain situations be limited where necessary and appropriate to safeguard, as far as relevant:
- national security;
- public security;
- the prevention, investigation, detection and/or prosecution of criminal offences or the execution of criminal penalties;
- other important objectives of general public interest of the European Union or of a member state;
- the protection of judicial independence and judicial proceedings;
- the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
- a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in certain cases referred to above;*
- the protection of the data subject, or the rights and freedoms of others; or
- the enforcement of civil law matters.
* This limitation only applies in certain cases listed above (i.e., national security, defence, public security, the prevention, investigation, detection and/or prosecution of criminal offences or the execution of criminal penalties, other important objectives of general public interest of the European Union or of a member state, the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions.)
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
Data subjects may contact the controller to exercise their rights by post, email or phone. The controller may ask additional information necessary to confirm the identity of the data subject, if it has reasonable doubts about this.
Information must be provided in writing or by other means – including, where appropriate, by email – in a concise, transparent, understandable and easily accessible manner, with clear and simple terms. The controller must reply to the request without undue delay, and in principle within one month of receipt of the request. This period may be extended by two months where necessary (eg, in complex cases or if multiple requests are made). In such case, the controller must inform the data subject of the reason for the extension within the first month.
Information shall be provided free of charge. However, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge a reasonable fee taking into account the administrative costs of providing the information or refuse to act on the request.
If the controller rejects the request, then it must inform the data subject of the reasons for doing so and of his or her right to file a complaint with the National Commission for Data Protection and to seek a judicial remedy.
Where a data subject makes a request by electronic means, the controller shall provide the requested information by electronic means where possible, unless the data subject requests otherwise.
7.3 What remedies are available to data subjects in case of breach of their rights?
In case of breach of their rights, data subjects have the following rights:
- the right to lodge a complaint with supervisory authorities where their data have been processed in a way that does not comply with the EU General Data Protection Regulation (GDPR);
- the right to an effective judicial remedy:
- against legally binding decisions concerning him or her taken by a supervisory authority; or
- where a supervisory authority fails to deal with a complaint or fails to inform the data subject within three months of the progress or outcome of his or her complaint;
- the right to an effective judicial remedy against a relevant controller or processor responsible for the alleged breach; and
- the right to compensation from a relevant controller or processor for material or immaterial damage resulting from infringement of the GDPR.
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
The designation of a data protection officer (DPO) is mandatory in the following cases:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
An organisation may also designate a DPO on a voluntary basis. In such case, the same requirements apply to his or her designation, position and missions as if the designation had been mandatory.
Unless it is evident that an organisation is not required to designate a DPO, it is recommended that controllers and processors document the internal analysis carried out to determine whether a DPO is to be appointed.
Failure to appoint a DPO where mandatory may result in administrative fines of up to €10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover in the preceding financial year.
8.2 What qualifications or other criteria must the data protection officer meet?
The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil his or her tasks.
The EU General Data Protection Regulation (GDPR) does not define precisely the necessary level of knowledge, but it must be commensurate with the sensitivity, complexity and amount of data that the organisation processes.
Relevant skills and expertise include in particular:
- expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR;
- an understanding of the processing operations carried out by the organisation;
- an understanding of information technologies and data security;
- knowledge of the business sector and the organisation; and
- the ability to promote a data protection culture within the organisation.
8.3 What are the key responsibilities of the data protection officer?
The DPO shall be involved in all issues related to personal data. The GDPR provides for a list of tasks that the DPO must have as a minimum:
- The DPO should assist the controller or the processor to monitor internal compliance with the GDPR. In particular, the DPO may:
- collect information to identify processing activities;
- analyse and check the compliance of processing activities; and
- inform, advise and issue recommendations to the controller or the processor.
- The DPO should provide advice where requested as regards the data protection impact assessment and monitor its performance.
- The DPO should also cooperate with the supervisory authority and act as a contact point for the supervisory authority on issues relating to data processing.
The DPO contributes to the awareness and training of staff involved in personal data processing operations. In the performance of his or her tasks, the DPO should have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Yes. The function of the DPO can be exercised on the basis of a service contract concluded with an individual or an organisation outside the controller's/processor's organisation. In this latter case, such individual or organisation should fulfil all relevant requirements of Section 4 of the GDPR. The DPO must have the required professional qualities and perform his or her tasks in an independent manner, and should not fulfil other tasks and duties that would result in a conflict of interest.
8.5 What record-keeping and documentation requirements apply in the data privacy context?
Each data controller should maintain a record of processing activities which contains:
- the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to which the personal data have been or will be disclosed, including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of different categories of data; and
- where possible, a general description of technical and organisational security measures.
Each processor must also maintain a record of all categories of processing activities carried out on behalf of a controller.
However, this obligation does not apply if all of the following conditions are fulfilled:
- the enterprise or organisation employs fewer than 250 persons;
- The processing it carries out is not likely to result in a risk to the rights and freedoms of data subjects;
- The processing is occasional; and
- The processing does not include special categories of data (Article 9(1) of the GDPR) or personal data relating to criminal convictions and offences (Article 10 of the GDPR).
The GDPR does not define a unique template or format for the records of processing activities. A register of processing activities may be created using the GDPR Compliance Support Tool developed by the National Commission for Data Protection (CNPD).
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
The DPO cannot be penalised or dismissed by the controller or the processor for performing his or her tasks, and should directly report to the highest management level of the controller or the processor.
The DPO may fulfil other tasks and duties, provided that this does not give rise to a conflict of interests. The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.
Details of the DPO must be communicated to the CNPD. In this regard, a form allowing organisations to send their DPO's details to the CNPD is available on the CNPD website.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
Data controllers and processors must implement appropriate technical and organisational measures in order to ensure a level of security appropriate to the risk presented by the processing. Those measures should take into account:
- the state of the art;
- the costs of implementation;
- the nature, scope, context and purposes of the processing; and
- the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Such measures can include:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of an incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security, account must be taken in particular of the risks that are presented by processing – in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Compliance with these requirements can be demonstrated by adhering to an approved code of conduct or certification mechanism.
Data controllers and processors must take reasonable steps to ensure that any natural person acting on their behalf who has access to personal data does not process the data except on instructions given by the controller, unless he or she is required to do so by law.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
The controller must notify a personal data breach to the National Commission for Data Protection (CNPD) without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the CNPD is not made within 72 hours, it must be accompanied by the reasons for the delay.
The notification must, at least:
- describe the nature of the personal data breach – including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the DPO's name and contact details or other contact point;
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including measures to mitigate its possible adverse effects.
Notification of the breach is sent to the CNPD by email. A form available on the CNPD website may be used to notify the breach.
Processors must notify the controller without undue delay after becoming aware of a personal data breach. They must therefore have organisational and technical measures in place (detection, escalation and contact procedures) that allow them to do so, since the controller's 72-hour period starts to run from the moment the controller becomes aware of the breach.
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the personal data breach to the data subject without undue delay.
The communication to the data subject must describe in clear and plain language the nature of the personal data breach and contain at least:
- the DPO's name and contact details or other contact point where further information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken or proposed to be taken by the controller to address the personal data breach – including, where appropriate, measures to mitigate its possible adverse effects.
However, communication to the data subject is not required where:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person not authorised to access it, such as encryption (this exemption is of little help if the decryption key was compromised together with the data);
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
- communication would involve disproportionate effort. In that case, the controller must instead inform the data subjects by a public communication or similar measure whereby they are informed in an equally effective manner.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken (including data breaches not notified to the CNPD).
The CNPD may request access to this documentation to verify compliance by the controller or processor with the EU General Data Protection Regulation.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
The Law of 1 August 2018 provides a legal basis to process personal data in the employment context for monitoring purposes (see question 10.2). Additionally, other legal provisions may allow or require employers to process employees' personal data.
When processing personal data, employers should respect the provisions of the EU General Data Protection Regulation (GDPR) regarding:
- the legitimacy and lawfulness of the processing of personal data (see questions 5.1 and 5.2);
- employees' rights (see question 7.1);
- the appropriate technical and organisational measures that must be taken (see question 9.1); and
- the record of processing activities (see question 8.5).
Furthermore, under Luxembourg Labour Law, any employer may request a candidate to submit a criminal record extract (Number 3 or 4) under certain conditions. In all cases, if the employer decides not to hire the job applicant, the criminal record must be immediately destroyed. If the job applicant is hired, the employer is entitled to retain the criminal record only for one month starting from signature of the contract. During the employment relationship, the employer may also ask for a criminal record extract Number 3 to be issued in the event of a new assignment which justifies a new examination of good repute in relation to the specific requirements of the post. The extract may not be kept beyond a period of two months from the date of issue.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
According to Article L261-1 of the Labour Code, as amended by the Law of 1 August 2018, which entered into effect on 20 August 2018, the processing of personal data for the purpose of monitoring employees in the context of employment relations may be carried out by the employer only in the cases referred to in Article 6(1)(a) to (f) of the GDPR. The prior authorisation of the National Commission for Data Protection (CNPD) for conducting monitoring activities is no longer required.
Usually, monitoring and surveillance measures will be justified by the legitimate interest pursued by the employer. By contrast, consent is generally not an appropriate lawful basis in labour relations, in view of the clear imbalance between employer and employee and the fact that consent can be withdrawn at any moment.
If the processing has a lawful basis, it must still be determined whether the supervision is necessary and proportionate to the intended purpose (data minimisation principle – Article 5 of the GDPR). For example, the continuous and permanent monitoring of an employee would not be considered necessary and proportionate.
The employer must inform each employee concerned by the monitoring individually before any data is processed. It must also inform in advance the staff delegation or, in the absence thereof, the Luxembourg Labour Inspectorate. This must include a detailed description of:
- the purpose of the intended processing;
- the arrangements for implementing the supervision system;
- where appropriate, the duration or criteria for storing the data; and
- a formal undertaking by the employer that the data collected will not be used for a purpose other than that explicitly declared.
Furthermore, when supervision is implemented for the following reasons, it is subject to co-decision:
- for the safety and health needs of employees;
- for the temporary control of the employee's production or services, where this measure is the only means of determining the exact salary; or
- within the framework of a mobile work organisation.
Therefore, the processing may be carried out only with the agreement of the staff delegation, except where the processing complies with a legal or regulatory obligation.
The staff delegation or, failing that, the concerned employees may, within 15 days of receipt of prior information, request an opinion from the CNPD regarding the proposed processing project for the purposes of supervising the employees in the context of labour relations. The CNPD must deliver its opinion within one month of receipt of this request. The request has suspensive effect. The employer thus cannot implement the supervision before the CNPD has delivered its opinion. The employees concerned also have the right to lodge a complaint with the CNPD. Such a complaint is neither a serious nor a legitimate reason for dismissal.
Since monitoring and surveillance result in the processing of employees' personal data, the employer is obliged to indicate this data processing in the record of data processing activities, as required under Article 30 of the GDPR.
It is also necessary, from the beginning of the surveillance measures, to adopt technical and organisational measures in order to ensure a level of security and confidentiality that is appropriate to the risk presented by processing personal data in accordance with Article 32 of the GDPR.
Depending on the monitoring activity, the employer might have to carry out a prior data protection impact assessment – in particular, where the employer implements systematic monitoring of employees' activities or systematic tracking of their location.
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
According to the CNPD guidelines on video surveillance, employees have the right not to be subject to continuous and permanent surveillance. Therefore, the field of view of cameras must be limited to the area that must necessarily be monitored for the purposes of the processing. It must not include areas that are reserved for employees' private use or spaces which are not intended for work-related tasks. Similarly, continuous surveillance of external personnel is not always permissible. Any filming of internal/external access points of a building must be limited to the surface area that is strictly necessary to view the persons attempting to gain access, and must not include the public roadway. Furthermore, the cameras must be visible and indicated by appropriate signage, and the recording must capture images only, without sound.
The CNPD guidelines further provide that video surveillance data should be kept for eight days only; in exceptional circumstances this period may be extended to a maximum of 30 days.
In addition, if another company is involved in the data processing resulting from the monitoring (eg, a security company, which would typically be a data processor acting in the name and on behalf of the employer), an outsourcing contract must be entered into between the employer and this subcontractor. This contract must comply with the requirements set out in Article 28 of the GDPR with respect to the relationship between data controller and data processors.
11 Online issues
The Electronic Communications Protection Law also expressly specifies that:
- the methods of providing information and offering the right to refuse should be as user friendly as possible; and
- where it is technically possible and effective, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application.
By exception, such consent and prior information are not required for cookies that are:
- used for the sole purpose of facilitating the transmission of a communication over an electronic communications network; or
- strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
The European Data Protection Board (EDPB) has recently updated its guidelines on consent and clarified some issues relating to cookies:
- ‘Scrolling' or ‘swiping' through a webpage or similar user activity under no circumstances satisfies the requirement for clear and affirmative action and does not constitute valid consent under the GDPR. The EDPB has emphasised that data subjects must be able to withdraw consent as easily as it is given.
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
Cloud services are commonly offered in three service models: software as a service, platform as a service and infrastructure as a service.
The GDPR distinguishes the ‘data controller' (which determines the purposes and means of the processing of personal data) and the ‘data processor' (which processes personal data on behalf of the controller). The cloud service provider may be a data processor, a data controller or both.
As data controller, a customer of cloud computing services must choose a cloud service provider, acting as processor, which provides sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be implemented, and must ensure compliance with those measures.
The data processing by a cloud service provider acting as processor must be governed by a contract or other legal act binding the processor to the controller and providing in particular that:
- the data processor shall process personal data only on documented instructions from the data controller;
- the data processor shall not engage a sub-processor (eg, a hosting or support subcontractor) without the controller's prior specific or general written authorisation; and
- any sub-processor engaged by the data processor shall be bound by the same data protection obligations as those set out in the contract between the controller and the processor, the processor remaining fully liable to the controller for the sub-processor's performance.
Where the cloud service provider acts as controller, it must implement appropriate technical and organisational measures to ensure and to be able to demonstrate that data is being processed in accordance with the GDPR.
Where the customer of cloud computing services and the cloud service provider jointly determine the purposes and means of processing, they act as joint controllers. They must, in a transparent manner, determine their respective responsibilities for compliance with the obligations under the GDPR by entering into an agreement.
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
According to the amended Law of 14 August 2000 on electronic commerce, applicable to the sending of communications by a provider of information society services, any provider must obtain the prior consent of potential customers before sending unsolicited commercial communications.
The Electronic Communications Protection Law allows the transmission of unsolicited communications for purposes of direct marketing only with the prior consent of the subscriber or user concerned (‘opt-in').
When providers obtain the electronic addresses of their customers through the sale of a product or service, they may use these email addresses for commercial or marketing purposes and, notably, send commercial communications to such customers by electronic means. However, customers must be given a clear and distinct opportunity to oppose, free of charge, the use of their electronic address (‘opt-out'). Customers must be able to oppose such use at the time of the collection of their email address and on the receipt of any new commercial communications.
In case of unsolicited electronic commercial communications, providers must regularly consult the ‘opt-out' registers designated by Grand-Ducal regulations, in which natural persons who do not wish to receive this type of communication can register, and respect the wishes of these persons. The commercial communication must be identified as such, in a clear and unambiguous manner, upon receipt by the addressee. The provider must also be clearly identified. Raffles and promotional games must be clearly recognisable as such, and their conditions of participation must be easily accessible and presented in a precise and unambiguous manner.
The Electronic Communications Protection Law prohibits the sending of email for the purpose of direct marketing while disguising, concealing or misrepresenting the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient can send a request that such communications cease.
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
A person whose privacy rights have been or are being infringed can lodge a complaint with the National Commission for Data Protection (CNPD). Data controllers that fail to fulfil their obligations in matters concerning the protection of personal data are liable to sanctions, including a prohibition on carrying out specific processing operations and fines of up to €20 million or 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher. Such fines must be effective, proportionate and dissuasive, and suited to the specific circumstances.
A data subject may also claim damages before both criminal and civil courts and, where appropriate, file a criminal complaint with the state prosecutor or investigating judge. A judge can, without prejudice to the right to compensation for damage suffered, prescribe all measures, such as sequestration or seizure, to prevent or stop an invasion of privacy. These measures may be ordered, if urgent, in summary proceedings. An infringement of privacy may also give rise to criminal prosecution and be sanctioned by imprisonment for up to two years and/or the imposition of fines.
12.2 What issues do such disputes typically involve? How are they typically resolved?
There is no public information available on this matter. Nevertheless, the CNPD takes a pragmatic approach so that, where appropriate and depending on the breach concerned, it will give priority to dialogue with controllers and processors that have committed breaches before imposing the severe sanctions provided for by the EU General Data Protection Regulation.
12.3 Have there been any recent cases of note?
Only a few national decisions are available on the CNPD website.
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The European Union is currently experiencing a wide-ranging health crisis due to COVID-19, and the data privacy landscape is being affected as well. In this context, the National Commission for Data Protection (CNPD) recently issued recommendations on the collection of personal data in the context of a health crisis, which are available on its website.
The CNPD has also issued an opinion on Draft Law 7606, which would introduce a series of measures concerning natural persons in the context of the fight against COVID-19 and amend:
- the amended Law of 25 November 1975 concerning the supply of medicines to the public; and
- the amended Law of 11 April 1983 regulating the placing on the market and advertising of medicinal products.
Article 9 of this draft law provides for the establishment of an information system by the Health Directorate to monitor developments in the COVID-19 situation and to make recommendations to the government in the interests of public health. Developments over the next 12 months will therefore likely involve the processing of sensitive (health) data in the context of the fight against COVID-19.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
In order to ensure effective data protection in Luxembourg, each person or entity that processes personal data must ensure that it is familiar with and understands the obligations incumbent upon it as a data controller or data processor under the EU General Data Protection Regulation, in order to be able to comply with them.
We recommend that data controllers regularly update their register of processing activities and consult the National Commission for Data Protection (CNPD) website in order to keep abreast of any new guidelines that may be issued by the CNPD, particularly in the current context of the fight against COVID-19.
At the European level, we also recommend that data controllers follow the guidelines issued by the European Data Protection Board.
Alexandra Simon assisted with the preparation of this Guide.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.