Just before summer recess, Luxembourg Parliament has adopted the law of 1 August 2018 which implements certain parts of the General Data Protection Regulation (GDPR) and repeals the former data protection law of 2 August 2002. This new law has been eagerly awaited as it puts an end to the legal uncertainty surrounding the applicability of the old law since the entry into force of the GDPR on 25 May 2018. The new law enters into force on 20 August 2018.
As announced at the introduction of the bill in September last year, the Luxembourg legislator takes a rather minimalistic approach by mainly focusing on implementing the provisions required under the GDPR, rather than adding further restrictions on the processing of personal data. The rules on the specific processing purposes governed by the new law, such as monitoring at work or scientific or historical research, apply to all data controllers and data processors established in Luxembourg.
Role of the CNPD
The biggest part of the new law deals with the role, powers, organization, etc. of the Luxembourg data protection regulator, the Commission nationale pour la protection des données (CNPD). With the entry into force of the law, the CNPD will be able to fulfil its mission in line with the provisions of the GDPR.
Freedom of expression
The new law extends the existing exception for data processing within the freedom of expression of journalists, artists, and writers, to “academic expression” as well. Otherwise, the exception has not changed significantly and the concerned persons remain exempt from the prohibition of processing special categories of personal data, from the limitation to process public judicial data, from the rules applicable to transfers to third countries, from the obligation to provide certain information to the concerned persons, and from the obligation to give access to data subjects in certain circumstances.
Scientific or historical research, statistics, and archiving
Regarding the processing of personal data for scientific or historical research purposes or statistical purposes, the legislator specifies the appropriate safeguards required under article 89 of the GDPR. These safeguards include, among others, the designation of a data protection officer, the pseudonymisation or anonymisation of data, raising staff awareness with regard to the processing of personal data and professional secrecy, and the encryption of data in transit or at rest. The data controller must be able to justify any derogation from these safeguards.
With these safeguards implemented, the data controller may limit the data subjects’ rights to access, rectification, restriction of processing, and objection where they would prevent or seriously hinder the realisation of the research project. They also enable the data controller to process special categories of personal data necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
The new law prohibits the processing of genetic data for the purposes of exercising the data controller’s own rights in the field of labour and insurance law.
Monitoring at work
Compared to the old regime under the 2002 law, the legislator eases the requirements for monitoring at work.
Beyond the requirements of the GDPR, the new law amends the Labour Code by setting out additional information requirements for the processing of personal data for certain cases in the context of employee monitoring (to protect employee security, in case of flexible work hours and to control productivity, where this is necessary to determine the salary) .
Prior to commencing the envisaged processing, employers must inform the employee representatives or, if no employee representation has been put into place, the labour inspectorate (Inspection du Travail et des Mines) about the implementation modalities of the monitoring system and, where appropriate, about the duration or the criteria of the storage of the data. In this information notice, they must also express their formal engagement not to use the collected data for other purposes than the ones explicitly indicated.
For certain specific monitoring purposes, employers must respect the co-decision powers of the employee representatives. Moreover, employee representatives, or if no such representatives exist, employees may, within fifteen days of the prior information notice, request a preliminary opinion by the CNPD which has to adopt its opinion within one month of the request. If such a request is filed, processing must be suspended pending the opinion. A complaint with the CNPD may not lead to dismissal.
Moreover, contrarily to the old regime, the new law does not categorically exclude consent as a legal basis for processing personal data of employees. Nevertheless, given the imbalance in the relationship between employers and their employees, consent should only be relied upon where employees do not suffer any detriment for refusing to give their consent.
In addition to the penalties for infringement set out by the GDPR, the new law provides the CNPD with the power to impose periodic penalty payments (astreintes) of up to five per cent of the average daily turnover generated by the data controller or data processor during the last financial year per day of delay to comply with an order by the CNPD to provide information or with a corrective measure enjoined by the CNPD.
The CNPD may order, at the expense of the sanctioned person, the publication of its decisions, with the exception of the decisions regarding periodic penalty payments and provided that all remedies have been exhausted and that the publication does not cause disproportionate harm to the parties involved.
Moreover, as announced, criminal penalties have been reduced and under the new law only those who knowingly prevent or impede, in whatever manner, the accomplishment of the missions of the CNPD, shall be punished by imprisonment of eight days to one year or shall be given a fine of 251 to 125,000 euros, or both.