DLA Piper Intelligence

Data Protection Laws of the World

Law

Luxembourg

The law dated 2 August 2002 on the protection of persons with regard to the processing of personal data as amended from time to time (Law).

The law dated 30 May 2005 laying down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector as amended from time to time (Law of 30 May 2005).

Last modified 26 Jan 2017
Definitions

Definition of personal data

The Law defines "personal data" as any information of any type, regardless of the type of medium, including sound and image, relating to an identified or identifiable natural person (the data subject). A natural person is considered identifiable if he can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, genetic, mental, cultural, social or economic identity.

Definition of sensitive personal data

Sensitive data relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and health or sex life, including the processing of genetic data.

Authority

Commission Nationale pour la Protection des Données (CNPD)

1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
T +352 26 10 60 1
F +352 26 10 60 29

The CNPD is in charge of monitoring and checking that processed data are processed in accordance with the provisions of the Law and the Law of 30 May 2005 and their implementing regulations.

Registration

Prior notification to the CNPD

The processing of personal data, which is not exempt from notification and which is not subject to prior authorisation, must be notified to the CNPD in advance. The notification must contain the information referred to in Article 13 of the Law.

The notifications are performed by completing and signing the notification form provided by the CNPD. Article 12 of the Law provides five general cases and 14 specific cases of exemptions from the obligation to notify:

General exemptions

  • processing carried out by the controller if that person appoints a data protection officer (DPO), except for processing for supervision purposes
  • processing operations for the sole purpose of keeping a public register
  • processing operations carried out by lawyers, notaries and process servers
  • processing carried out solely by journalists, or for artistic or literary expression, or
  • processing necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent.

Conditional exemptions

  • processing of data relating exclusively to personal data necessary for the administration of the salaries of persons in the service of or working for the controller
  • processing of data relating exclusively to the management of applications and recruitment and the administration of the staff in the service of or working for the controller, provided that the collected data are not sensitive data (including health) or data intended for assessing the data subject
  • processing of data relating exclusively to the controller’s bookkeeping, provided that this data is used exclusively for such bookkeeping and the processing covers only the persons whose data is necessary for bookkeeping purposes
  • processing of data relating exclusively to the administration of shareholders, debenture holders and partners, provided that the processing covers solely the data necessary for such administration and only those persons whose data are necessary for such administration
  • processing of data relating exclusively to the management of the controller’s client or supplier base, provided that the processed data is not sensitive data (including health)
  • processing of data carried out by a foundation, an association or any other non-profit organisation
  • processing of data relating exclusively to the recording of visitors carried out in the context of manual access control, provided that the data processed is restricted to the name and business address of the visitor, his/her employer, his/her vehicle, the name, department and function of the person visited, and the time and date of the visit
  • processing of identification data essential for communication, carried out with the sole purpose of contacting the person concerned, provided that these data are not communicated to any other third party
  • processing of data carried out by educational establishments with a view to managing their relations with their pupils or students
  • processing of data of a personal nature carried out by administrative authorities if the processing is subject to specific regulations
  • processing for the management of computerised and electronic communications systems and networks, provided that it is not used for the purpose of supervision
  • processing carried out in hospitals or by a doctor concerning his/her patient, except for the processing of genetic data
  • processing carried out by doctors concerning their patients, except for the processing of genetic data, or
  • processing carried out by pharmacists and other professionals in regulated health professions.

The Law has also reduced the procedures concerning processing in the health professions. Except for the processing of genetic data, there is no requirement of prior authorisation concerning such a processing, and doctors and hospitals are exempt from the obligation to notify.

Prior authorisation by the CNPD

Most processing of personal data must only be notified (unless it is exempt from notification). However, the Law provides for stricter control for processing likely to present specific risks in respect of the rights and freedoms of the individuals concerned. Such processing must be authorised by the CNPD before it may be carried out. Article 14 of the Law sets out the list of these categories of processing.

The prior authorisation by the CNPD is required for:

  • the processing of genetic data
  • the processing operations for supervision purposes if the data resulting from the supervision are recorded
  • data processing for historical, statistical or scientific purposes
  • the combination of data
  • processing relating to the credit status and solvency of the data subjects, if the processing is carried out by persons other than professionals of the financial sector or insurance companies regarding their clients
  • processing involving biometric data necessary for checking personal identity, or
  • the usage of data for purposes other than those for which they were collected. Such processing may be carried out only when prior consent has been given by the data subject or if it is necessary to protect the vital interests of the data subject.

Processing operations that reveal race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health or sex life and the processing of genetic data are forbidden. However, such prohibition does not apply where:

  • the data subject gave his 'express' consent to such processing
  • the processing is necessary for the purposes of carrying out the obligations and specific rights of the controller (…) in the field of employment law in so far as it is authorised by law
  • the processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent
  • the processing is carried out with the consent of the data subject by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade union aim
  • the processing relates to data that have been clearly made public by the data subject
  • the processing (…) is necessary to acknowledge, exercise or defend a legal right at law (…)
  • the processing is necessary in the public interest for historical, statistical or scientific reasons without prejudice to the conditions for the processing of specific categories of data by the health authorities
  • the processing is necessary in the public interest for historical, statistical or scientific reasons or the processing is implemented via a Luxembourg regulation, or
  • the processing is implemented in the context of the processing of legal data.

Genetic data may only be processed when the processing is necessary to protect the vital interests of the data subjects or when it is necessary for the purpose of preventive medicine, medical diagnostics, or the provision of care or treatment.

An authorisation from the CNPD is normally required before using technical means for monitoring people, particularly by video camera, electronic tracing, etc. However, the Law has introduced a distinction depending on whether the data are recorded or not.

The prior authorisation by the CNPD is required for processing for supervision purposes, if the data resulting from the supervision are recorded. A simple notification is required if the data resulting from the supervision are not recorded.

For the processing of data relating to credit status and solvency of the data subject, a simple notification is required if the processing is carried out by professionals of the financial sector or insurance companies on behalf of their clients.

The processing of biometric data is subject to prior authorisation.

Data Protection Officers

The controller may designate a DPO. Such designation releases the controller from the obligation to carry out the notification process. It does not exempt the controller from applying for authorisation before carrying out processing for which authorisation is required.

The powers of the data protection officer are as follows:

  • investigative powers to ensure supervision of the controller’s compliance with the provisions of the Law and its implementing regulations, and
  • a right to be informed by the controller and the related right to inform the controller of the formalities to be carried out in order to comply with the provisions of the Law and its implementing regulations.

Collection & Processing

Chapter 2 of the Law deals with the conditions under which processing may take place. The controller must ensure that he processes the data in a fair and lawful manner, which means that:

  • data must be collected for specified, explicit and legitimate purposes and may not be further processed in a way that is incompatible with those purposes
  • the collection, recording and use of personal data is strictly limited to what is necessary to achieve the aims specifically declared in advance by the authority, agency, company, association, professional or self-employed worker involved
  • the data must be adequate and not excessive in relation to the purposes for which they are collected and/or further processed
  • the processing of personal data is limited to cases where there is a direct connection with the initial purpose of the processing; the information must not only be useful but also necessary to whoever is processing it, and the data being processed must not be excessive in relation to the aim pursued
  • the collected data must be kept up to date
  • as inaccurate or incomplete information can harm the person to whom it relates, every effort must be made to ensure the data being processed are correct and up to date; if this is not the case, the personal data must be rectified or erased. The Law also protects the data subject against any negative decision automatically made about him by a computer without his being able to put forward his own point of view, and
  • data which permit identification of data subjects are kept only for the necessary period of time.

Legitimacy of processing

The processing of personal data is allowed only if there is a legitimate reason to justify it. According to article 5 of the Law, data may be processed only:

  • if it is necessary for compliance with a legal obligation to which the controller is subject
  • if it is necessary for the performance of a task carried out in the public interest or in the exercise of public authority
  • if it is necessary for the performance of a contract to which the data subject is a party
  • if it is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and/or freedoms of the data subject
  • in order to protect the vital interests of the data subject, or
  • if the data subject has given his consent.

Processing of specific categories of data

Processing operations that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of data concerning health or sex life, including the processing of genetic data, are forbidden and may only be allowed under the very exceptional circumstances listed above. Processing of specific categories of data by the health services is strictly regulated. Legal data and freedom of expression are also strictly regulated.

Processing for supervision purposes

Article 10 of the Law sets out the conditions under which processing for supervision purposes in any place accessible or inaccessible to the public may be carried out. Processing for supervision purposes is considered legitimate in and around any place presenting a risk where it is necessary not only for the safety of users and the prevention of accidents, but also for the protection of property if there is a serious risk of theft or vandalism. The criteria of necessity and proportionality will be assessed in each individual case by the CNPD.

The data may only be processed for supervision purposes:

  • if the data subject has given his consent
  • in surroundings or in any place accessible or inaccessible to the public other than residential premises, particularly indoor car parks, stations, airports and public transport, provided that the place in question, by reason of its nature, position, configuration or frequentation, presents a risk that makes the processing necessary for the safety of users and the prevention of accidents, or for the protection of property where there is a serious risk of theft or vandalism, or
  • in private places where the resident natural or legal person is the controller.

The data collected for supervision purposes may be communicated only:

  • if the data subject has given his consent, except where forbidden by law
  • to the public authorities within the framework of regulations to be enacted pursuant to article 17 (1) of the Law in connection with criminal offences, State security, defence and public safety, criminal law and video surveillance systems for security areas, or
  • to the competent legal authorities to record a criminal offence or take legal action in respect of it, and to the legal authorities before which a legal right is being exercised or defended.

Processing for the purposes of supervision at the workplace

The supervision at the workplace is only possible under certain circumstances. Article 11 of the Law refers to Article L.261-1 of the Employment Code. Such processing may be carried out only if it is necessary:

  • for the safety and health of employees
  • to protect the company’s property
  • to control the production process relating solely to machinery
  • to temporarily control production or the employee’s services if such a measure is the only way of determining the exact remuneration, or
  • in connection with the organisation of work under a flexible schedule in accordance with the Employment Code.

The person whose data are processed must be informed prior to processing. The data subject's consent to the processing does not, however, render the processing legitimate.

Transfer

Data may be transferred to a third country, if this country ensures an adequate level of protection and if the provisions of the Law as well as its implementing regulations are complied with. The adequacy of the level of protection afforded by a third country must be assessed by the controller in light of all circumstances surrounding a data transfer operation or set of data transfer operations; particularly, the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with by that country. In case of any doubt, the controller will immediately inform the CNPD which will consider whether the third country offers an adequate level of protection.

The transfer of data to a third country that does not offer an adequate level of protection may, however, take place, provided:

  • the data subject has given his consent to the proposed transfer
  • the transfer is necessary for the performance of a contract to which the data subject and the controller are parties, or the implementation of pre-contractual measures taken at the data subject’s request
  • the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of a legal claim
  • the transfer is necessary in order to protect the vital interests of the data subject, or
  • the transfer occurs from a public register.

The CNPD may authorise, as a result of a duly reasoned request, a transfer or sets of transfers of data to a third country that does not provide an adequate level of protection, if the controller offers sufficient guarantees in respect of the protection of the privacy, freedoms and fundamental rights of the data subjects, as well as the exercise of the corresponding rights. These guarantees may result from appropriate contractual clauses.

Following the Judgment of the Court of Justice of the European Union on 6 October 2015 (C-362/14) the US-EU Safe Harbor regime is no longer regarded as a valid basis for transferring personal data to the US. In November 2015, the CNPD informed in writing all Luxembourg undertakings who transferred personal data to the US that such transfers made on the basis of the Safe Harbor regime were not legal anymore but were still possible on the basis of appropriate contractual clauses (model clauses) and binding corporate rules.

Security

The controller must implement all appropriate technical and organisational measures to protect the data he processes against accidental or unlawful destruction, accidental loss, falsification, unauthorised dissemination or access (in particular where the processing involves the transmission of data over a network), and against all other unlawful forms of processing.

A description of these measures and of any subsequent major change must be communicated to the CNPD at its request, within fifteen days.

If the processing is carried out on behalf of the controller, the latter must choose a processor that provides sufficient guarantees as regards the technical and organisational security measures pertaining to the processing to be carried out. Any processing carried out on another person's behalf must be governed by a written contract binding the processor to the controller and providing in particular that the processor will act only on instructions from the controller and that the obligations relating to security of processing operations will also be incumbent on the processor.

Breach Notification

Breach notification

Any party that does not carry out the obligation to notify or supplies incomplete or inaccurate information is liable to a fine of between EUR 251 and EUR 125,000.

Breach authorisation

Any party who carries out processing without obtaining the prior authorisation required is liable to a term of imprisonment between eight days and one year and a fine of between EUR 251 and EUR 125,000 or one of these penalties.

Enforcement

Without prejudice to the criminal sanctions provided for by the Law and any actions for damages under civil law, the State Prosecutor, the CNPD or any injured party may file an action for the immediate cessation of any processing operation made in violation of the legal requirements regarding notification and authorisation, and for the temporary suspension of the activity of the controller or processor.

Electronic Marketing

The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing is permissible only in respect of subscribers who have given their prior consent.

Where a supplier obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, that supplier may use those electronic contact details for direct marketing of its own similar products or services provided that customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details when they are collected and on the occasion of each message where the customer has not initially refused such use.

The transmission of unsolicited communications for purposes of direct marketing by means other than those referred to in the previous paragraphs shall be permissible only with the prior consent of the subscriber concerned.

Online Privacy

Traffic Data

For the purposes of the investigation, detection and prosecution of criminal offences, and solely with a view to enabling information to be made available, in so far as may be necessary, to the judicial authorities, any service provider or operator processing traffic data must retain such data for a period of six months. This obligation includes data related to the missed phone calls wherever these data are generated, stored or recorded. Beyond this period, the service provider or operator must erase these data unless they have been made anonymous.

Traffic data may be processed for the purposes of marketing electronic communications services or providing value added services, to the extent and for the duration necessary for such supply or marketing of such services, provided that the provider of an electronic communications service or the operator has informed the subscriber or user concerned in advance of the types of traffic data processed and of the purpose and duration of the processing, and provided that the subscriber or user has given his/her consent, notwithstanding his/her right to object to such processing at any time.

Location Data other than Traffic Data

Service providers or operators also have the obligation to retain location data other than traffic data for a period of six months for the purposes of the investigation, detection and prosecution of criminal offences. This obligation includes data related to missed phone calls wherever these data are generated, stored or recorded. Beyond this period, the service provider or operator must erase these data unless they have been made anonymous.

Service providers or operators may process location data other than traffic data relating to subscribers and users only if such data have been made anonymous or the subscriber or user concerned has given his/her consent thereto, to the extent and for the duration necessary for the supply of a value added service.

Service providers and, where appropriate, operators shall inform subscribers or users in advance of the types of location data other than traffic data processed, of the purposes and duration of the processing and whether the data will be transmitted to third parties for the purpose of providing the value added service. Subscribers or users shall be given the possibility to withdraw their consent to the processing of location data other than traffic data at any time.

Where consent of the subscribers or users has been obtained for the processing of location data other than traffic data, the subscriber or user must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.

Cookies

Prior informed consent of the subscriber/user is required. The method of providing information and the right to refuse should be as user-friendly as possible and, where it is technically possible and effective, the user's consent may be expressed by appropriate browser/application settings.

Contacts

Prof. Patrick Van Eecke
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +32 2 500 1630

Eugene H.C. Tchen
Of Counsel
T +352 26 29 04 25 69