The Luxembourg GDPR bill n°7184 has been amended to incorporate the long awaited specific provisions relating to monitoring at the workplace (click here for our comments on the initial version of the bill). If the bill is adopted in this version, there would be no authorisation or notification requirements anymore and employers would have more room to determine the purpose(s) of such a monitoring… as long as they comply with GDPR requirements of course and some basic rules on the social dialogue with the staff delegation (if any).

Currently, the Luxembourg 2002 Data Protection Act read together with Article L. 261-1 of the Luxembourg Labour Code foresees a rather strict framework for the "monitoring" of employees at the workplace. This framework concerns, amongst others, the non-occasional monitoring of the employees' use of the Internet or e-mail on the workplace.

The GDPR offers flexibility to the EU Member States in some specific fields, such as for the processing in the context of an employment relationship (Article 88 GDPR).

By submitting the amended Luxembourg GDPR bill, the Luxembourg government seized this opportunity to propose amendments to Article L. 261-1 of Labour Code and will entail the following changes compared:

CURRENT FRAMEWORK

FUTURE FRAMEWORK:

(if the GDPR bill is adopted as such)

 

Prior CNPD authorisation

No prior CNPD authorisation

but:

 

  • the staff delegation or, in the absence thereof, the employees can ask the CNPD for a prior advice on the compliance of the monitoring project (whereas it is not clear yet whether such advice is binding or n

 

  • the general GDPR rules on the necessity to conduct a DPIA with a possible consultation of the CNPD apply

Only 5 specific grounds for legitimate processing:

  1. the safety and health of employees,
  2. the protection of the employer's property,
  3.  the control of machine based production processes,
  4. the temporary control of employee production or performance if necessary to determine the salary and
  5. within the context of a work organisation based on flexible hours (horaire mobile)

All legitimate bases as per the GDPR

  • Co-decision staff delegation / joint committee (where still existing) for companies of >150 employees for processing n°1, 4 and 5

 

  • Co-decision by collective agreement, subordinated agreement (accord subordonné), agreement regarding inter-professional social dialogue, agreement with the staff delegation or with the employees concerned

 

No changes

 

 

No changes

 

 

 

However, in case of disagreement in the above mentioned co-decision processes, possibility to ask the CNPD for a prior advice on the compliance of the monitoring project (whereas it is not clear yet whether such advice is binding or not)

Information

to employees

and

to staff delegation / joint committee (where still existing) or in the absence thereof, the labour inspectorate (ITM)

No substantial changes

 

Next to the GDPR, employers shall also bear in mind while implementing surveillance measures that right to private life of Article 8 ECHR is also applicable to workplace with the requirements stemming from the recent seminal judgments of the European Court of Human Rights in the cases Bărbulescu v. Romania and Libert c. France (click here for our recent newsflash on the last case).

A particular point of attention is also the transition towards the new regime. Indeed, according to the latest version of the bill, the authorisations delivered under the current regime would be repealed once the final law enters into force. This raises the question as to whether this would (re)open the possibility for the staff delegation to solicit an advice from the CNPD as the compliance of the monitoring scheme with the GDPR even when such a scheme has received a prior approval of the CNPD under the current regime.