Luxembourg implemented the EU General Data Protection Regulation (GDPR) through the Law of 1 August 2018 on the Organisation of Luxembourg's National Commission for Data Protection (CNPD) and the General System for Protecting Data, which came into force on 20 August 2018.
The law modified Article L 261-1 of the Labour Code, which concerns the monitoring of employees.
Employers can process personal data to monitor their employees under the circumstances set out in Article 6(1) of the GDPR. Thus, the scope of such processing has been extended in Luxembourg, as employers could previously use a monitoring system in the workplace only in the five circumstances set out in the Labour Code. Further, employers no longer have to obtain the CNPD's prior authorisation to monitor employees.
Employers must still inform the person in question – as well as the relevant staff delegation or, failing that, the Inspectorate of Labour and Mines – in advance of any processing of personal data to monitor employees' activities. The Labour Code now specifies that this prior notice must include:
- a detailed description of the purpose of the planned processing;
- the process for implementing the monitoring system; and
- the duration and criteria for storing the data, as well as the employer's formal commitment not to use the data collected for any purpose other than that specifically defined in the notice (where applicable).
Where an employer plans to process data in order to monitor employees, the relevant staff delegation or, failing this, the employees concerned can submit a request for an advance compliance opinion to the CNPD within 15 days of receipt of the notice. The CNPD must provide its opinion within one month of the request. Requests for an advance compliance opinion have a suspensive effect (ie, the planned monitoring cannot be implemented until the CNPD has given its opinion).
The following types of data processing are still subject to the co-decision system in accordance with the Labour Code, unless the aim of the processing is to fulfil a legal or regulatory obligation:
- data processing to monitor employees for health and safety purposes; and
- data processing to temporarily monitor an employee's output or services when this is the only way to determine an exact salary or to organise work on a flexitime basis.
The CNPD has received numerous notifications of data breaches since the GDPR and the Law on the Organisation of Luxembourg's CNPD and the General System for Protecting Data entered into force. However, to date, it has imposed no major fines.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.