In the course of its activities, any business or organisation may need to collect and record personal data. For example, data may be collected for commercial purposes, for surveillance purposes or even for safety purposes.
Effective from 25 May 2018, the General Data Protection Regulation (GDPR) is now applicable in all European Union (EU) member states, including Luxembourg. The GDPR places greater responsibility on data controllers and subcontractors (processors) that process personal data.
Businesses subject to the GDPR must now satisfy a number of new requirements, which vary depending on the nature of their activities. On the other hand, reporting requirements have been considerably reduced.
Consequently, businesses no longer need to notify the National Commission for Data Protection (Commission nationale pour la protection des données – CNPD), or seek that body's prior approval, to process personal data. However, they must ensure compliance with the new data-protection rules, and be able to provide documentary evidence to that effect.
Who is concerned
The data controller may be any organisation:
- in the public or private sector;
- regardless of its size or area of activity;
- that processes the personal data of an individual ("person concerned"), whether on its own account or on behalf of another, provided that:
  - it is established in an EU member state; or
  - its operations are targeted directly at individuals in an EU member state, even if the organisation is established outside the EU.
For example, the following are subject to the GDPR: any company established in Luxembourg that exports all its products outside the EU, or any company established outside the EU operating an e-commerce website in French, German or Luxembourgish, and delivering products to Luxembourg.
The persons concerned are those whose personal data is processed.
How to proceed
Target data processing
The data controller / processor must:
- process the personal data in a manner that is legal, fair and transparent for the person concerned;
- restrict the amount of data collected to that which is strictly necessary for the purpose of the processing, and refrain from any subsequent processing of such data that is incompatible with that purpose;
- ensure that the processed personal data is accurate and, if necessary, up to date. All reasonable measures must be taken to immediately erase/rectify any personal data that is found to be inaccurate in regard to the purposes for which it is being processed;
- keep the personal data in a form permitting the identification of the persons concerned for only so long as is necessary to achieve the purpose for which it is being processed;
- process the personal data in a manner that ensures its security, integrity, and confidentiality. They must implement appropriate organisational measures to protect the personal data from:
  - unauthorised or unlawful processing; and
  - loss, destruction or accidental damage.
The data controller / processor must ensure that the processing is legal. As such, the processing must be:
- necessary for the performance of a contract to which the person concerned is a party (employment contract, sales agreement, etc.) or for the implementation of pre-contractual measures taken at the latter's request; or
- necessary to comply with a legal obligation to which the data controller is subject (e.g. an employer's obligation to withhold taxes from an employee's salary); or
- carried out only after having obtained the free, specific, informed and unequivocal consent of the person concerned (e.g. personal data freely provided by a customer to a trader); or
- necessary to safeguard the vital interests of the person concerned or of another natural person; or
- necessary for the purpose of conducting a mission in the public interest, or relating to the exercise of public authority with which the data controller is vested; or
- necessary to serve the legitimate interests of the data controller or a third party, unless those interests are overridden by the interests, freedoms and fundamental rights of the person concerned, which require that the personal data be protected, particularly when the person concerned is a child.
Note: the personal data may be kept for longer periods but only if it is to be processed for the purpose of:
- archiving in the public interest;
- scientific or historical research;
- producing statistics.
In this case, the data controller must implement appropriate technical and organisational measures to preserve the rights and freedoms of the person concerned.
Consent of the persons concerned
At the time of collecting the personal data, the data controller / processor must obtain the consent of the person concerned, if such consent constitutes the basis for legitimacy as explained above. If the processing is to take place as part of the performance of a contract or to comply with a legal obligation, consent is not required.
Consent must be expressly given. Consent is not deemed given in case of silence, pre-ticked boxes or inaction.
Informing the persons concerned
At the time of collecting the data, the data controller / processor must also inform the person concerned of the conditions in which they intend to process the data, regardless of the basis for legitimacy being used, as explained above. In particular, they must inform the person concerned of:
- the identity and contact details of the data controller and, where applicable, the contact details of the data-protection officer;
- the categories of data concerned;
- the recipients or categories of recipients with whom the data is likely to be shared;
- the ultimate purpose of the processing;
- the legal basis;
- how long the data will be retained;
- the possibility of data transfers outside the EU;
- their rights (the right of access to their data, to rectification, to restriction of processing, to object to its use, to be forgotten, to data portability, and to file a claim with the CNPD).
Businesses that process personal data must inform:
- the employees concerned;
- all persons external to the company who may also be concerned (customers, suppliers, visitors);
- if a surveillance system is used in the workplace, the staff representatives, i.e. the joint works committee – until the next trade-union elections – or, failing this, the staff delegation or, failing this, the Inspectorate of Labour and Mines (Inspection du travail et des mines – ITM).
In practice, the person is often informed by means of a document – internal memo, employment contract, additional clause to the contract, data-collection form, etc. – which they are required to countersign.
If a video surveillance system is in use, persons accessing the site under video surveillance can be informed by means of a pictogram which is clearly displayed at the entrance to the site. The above-mentioned information must be provided to the persons concerned at their request.
Secure data processing
The data controller / processor must take the necessary precautions at every step of the data-management and processing cycle (from initial collection to destruction) to ensure that the data is kept secure.
In particular, they must implement appropriate technical and organisational measures to achieve a level of security that is suited to the risks. Such measures include:
- pseudonymisation and encryption of personal data;
- measures to ensure the uninterrupted confidentiality, integrity, availability and resilience of their data-processing systems and services;
- measures to promptly restore the availability of and access to personal data in the event of a physical or technical incident;
- a procedure for regularly testing, analysing and assessing the effectiveness of the technical and organisational measures.
When assessing the appropriateness of the level of security, the data controller must take account of the risks associated with the processing – in particular, risks pertaining to:
- the destruction of the personal data;
- its loss;
- its alteration;
- unauthorised disclosure of data that is shared, retained or processed in another manner;
- unauthorised access to such data, whether accidental or fraudulent.
The business must also implement measures to ensure that its employees – and any other natural persons acting under its authority – who have access to personal data refrain from processing such data unless instructed to do so.
The data controller must keep a record of the processing operations for which they are responsible.
The business or organisation concerned is not required to keep a record if it has fewer than 250 employees, unless the processing that it performs:
- is likely to pose a risk to the rights and freedoms of the persons concerned;
- is not occasional; or
- involves so-called "sensitive" data, or personal data pertaining to criminal convictions or offences.
In case of doubt, it is recommended that the business/organisation keep such a record.
Likewise, processors must also keep a record of all categories of processing operations conducted on behalf of the data controller.
The record must contain:
- the name and contact details of the data controller or their legal representative and, if one has been appointed, the Data Protection Officer (DPO);
- the persons in charge of the operational departments processing the data within the company;
- the list of processors;
- the categories of processed data;
- the data that is likely to pose risks on account of its sensitive nature (e.g. health-related data, or data on past offences);
- the purpose(s) for which the data is collected or processed (e.g. management of business relations, management of human resources);
- the place where the data is hosted;
- the recipients and countries that the data is shared with;
- for each category of data, the length of time that the data will be retained;
- the security measures that have been implemented to minimise the risk of unauthorised access to the data, and the impact of such access on the privacy of the persons concerned.
The record must be made available to the CNPD at the latter's request.
The data controller / processor may also create a processing record using the "GDPR Compliance Support Tool" developed by the CNPD.
Data Protection Impact Assessment (DPIA)
The data controller / processor must carry out a Data Protection Impact Assessment (DPIA):
- before processing the data;
- for any processing operations that could pose a serious risk to the rights and freedoms of the natural persons concerned, particularly in light of the widespread use of new technologies, and considering:
  - the nature of the processing;
  - its scope;
  - its context;
  - its purpose(s).
A DPIA may cover a set of similar processing operations that pose a similar level of risk.
With a DPIA, a business can:
- establish a personal-data processing system or a product that is compliant with privacy requirements;
- assess the impact on the privacy of the persons concerned;
- demonstrate compliance with the fundamental principles of the GDPR.
A DPIA is required in particular where the processing is deemed to pose a serious risk because the data controller / processor:
- carry out systematic and in-depth assessments of a natural person's personal details using automatic processing techniques (including profiling);
- engage in large-scale processing on specific categories of data (health information, criminal-record information); or
- engage in large-scale systematic surveillance of areas open to the public (processing used to observe, monitor or track the persons concerned, including data collected as a result of systematic surveillance of public spaces).
When the data controller / processor carries out a DPIA, they should seek the advice of their Data Protection Officer (DPO), if one has been appointed.
The DPIA contains:
- a description of the processing and its purpose(s), including, where applicable, the business's legitimate interests in processing the data;
- an assessment of the need for and extent of the processing with regard to its purpose(s);
- an assessment of the risks posed to the rights and freedoms of the persons concerned;
- the measures adopted to mitigate or eliminate such risks (security guarantees, measures and mechanisms designed to protect personal data);
- proof of GDPR compliance, considering the rights and legitimate interests of the persons concerned and other persons affected by the processing.
For example, a company must carry out a DPIA if it monitors the use of its IT systems (internet, email, computers, software, etc.).
Pre-processing consultation with the CNPD
If, after analysing the risks to the rights and freedoms of the persons concerned, one or more serious, uncontrolled risks are found, the data controller / processor must consult with the CNPD.
The consultation must take place after the DPIA has been carried out, and before engaging in the intended processing.
The CNPD will return an opinion on the intended processing and the manner in which the risks will be managed. The processing may not begin before:
- receiving the CNPD's opinion; and
- implementing any recommendations made by the CNPD.
Note: The consultation is not of a "general" nature, but only:
- in connection with the DPIA; and
- if the processing would pose a serious risk were the data controller to take no measures to mitigate it.
The business may also use the encryption key provided by the CNPD to protect the confidentiality of the documents at the time of submission.
If the file is incomplete, it will not be processed until the CNPD receives all the information it requires for the purpose of the consultation.
The CNPD may ask the business to provide further information to complete the DPIA.
Once it has received the consultation request, the CNPD has up to 8 weeks to return its written opinion to the data controller / processor. This time limit may be extended by a further 6 weeks, depending on the complexity of the intended processing.
The CNPD must inform the data controller / processor of any extension to the 8-week time limit, and of the reasons for the delay, within 1 month of receiving the consultation request. The time limits may be suspended until the CNPD receives the requested information.
Personal data breach
If a personal data breach occurs, the data controller must document it in an in-house record, indicating:
- the facts surrounding the breach;
- the effects of the breach;
- the remedial measures taken, including those of which the data controller is not required to notify the CNPD.
The CNPD may ask to be given access to the in-house record to ascertain that the data controller or the processor has fulfilled their obligations regarding the management of data breaches.
If the data breach poses a risk to individuals' rights and freedoms, the business must notify the CNPD within 72 hours of learning of the breach.
If the breach is likely to pose a serious risk to the rights and freedoms of the persons concerned, the data controller / processor must inform them of the breach as quickly as possible.
The processor must notify the data controller of any personal data breach as soon as possible after having learned of the breach.
The notification must be given using a special form provided by the CNPD.
The notification must:
- describe the nature of the personal data breach, including, if possible:
  - the categories and approximate number of persons affected by the breach; and
  - the categories and approximate number of personal-data records concerned;
- state the name and contact details of the DPO, or another contact person from whom additional information may be sought;
- describe the probable consequences of the personal data breach;
- describe the measures taken, or those that the data controller proposes to take, to remedy the personal data breach, including any measures to mitigate any possible negative consequences.
On receiving the notification, the CNPD:
- sends the data controller an acknowledgement of receipt;
- checks the notification and, if necessary, contacts the data controller to ascertain that the notification is authentic;
- depending on the circumstances, requests further information and replies to any questions, particularly on whether or not it is necessary to contact the persons concerned.
The communication sent to the person concerned must describe the nature of the personal data breach in clear and simple terms, and contain at least:
- the name and contact details of the DPO, or another contact person from whom additional information may be sought;
- a description of the probable consequences of the breach;
- a description of the measures taken, or those that the data controller proposes to take, to remedy the breach, including any measures to mitigate any possible negative consequences.
The communication may be forwarded to the person concerned by any means. The data controller must ensure, with a high degree of probability, that the person concerned has received the information in the communication. If necessary, a public communication may be required.
Where their personal data is concerned, everyone has the right to be informed, as well as the right of access, to rectification, to be forgotten, to restriction of processing, to data portability, and the right to object to its use.
The data controller / processor must be able to demonstrate to the CNPD, at any time, that they are fulfilling their obligations as regards the protection of personal data, and acting in respect of the rights of the persons concerned.
To do so, they must compile a regularly updated file containing all the necessary documents.
The file must contain:
- the documentation on the processing of personal data – i.e.:
  - for data controllers, the processing register, and for processors, the categories of processing activities;
  - the DPIAs for any processing that could pose serious risks to individuals' rights and freedoms;
  - the contexts in which data is transferred outside the EU (standard contractual clauses, certifications, etc.);
  - the record of personal data breaches;
- information provided to persons whose data is processed – i.e.:
  - the type of information;
  - the manner in which the consent of the persons concerned is obtained;
  - the procedures in place for the persons concerned to exercise their rights;
- the contracts and agreements defining the roles and responsibilities of the various players – i.e.:
  - agreements with processors;
  - in-house procedures for dealing with data breaches;
- proof that the persons concerned have given their consent, when this is the legal basis for the processing of the data.
Data controllers who fail to fulfil their obligations in matters concerning the protection of personal data are liable for sanctions, which include being forbidden from carrying out specific processing operations, and fines of up to EUR 20 million or amounting to 4 % of their global annual turnover. Such fines must be effective, proportionate, dissuasive and suited to the specific circumstances.