All questions

Data protection

i Requirements for processing

The Law of 2 August 2002 on the protection of persons with regard to the processing of personal data, as amended (the 2002 Law), does not require the data controller to register with the Luxembourg Data Protection Authority (CNPD), but requires the data controller to notify each instance of personal data processing. It may, therefore, be necessary for one data controller to lodge several notifications. The notification is mandatory, unless the processing is exempt from the obligation to notify.

The following, among others, are exempt from notification:

  1. The processing of data relating exclusively to personal data necessary for the administration of the salaries of persons in the service of or working for the controller, insofar as this data is used exclusively for the said administration of salaries and is only communicated to such persons as are entitled.
  2. The processing of data relating exclusively to the management of applications and recruitments, and the administration of the staff in the service of or working for the controller. The processing may not cover data on the health of the data subject, or sensitive or legal data and may not be communicated to third parties, except in the context of application of a provision of law or regulation, or if they are essential to achieving the objectives of the processing.

The obligation to notify each instance of personal data processing provided for by the 2002 Law no longer exist as of 25 May 2018 – the date that Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR) became enforceable.

To compensate for the absence of mandatory notification, the GDPR introduces a new obligation, according to which each controller and, where applicable, the controller's representative must maintain a record of processing activities as part of its responsibilities. According to the Law of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework (the 2018 Law), it is possible for the CNPD to require from the controller any information necessary for the CNPD to assess whether the processing is compliant with the GDPR, and may request to consult the controller's record of processing activities. In accordance with the GDPR this obligation to maintain a record of processing activities does not apply to small enterprises or organisations employing fewer than 250 people, unless (1) the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects; (2) the processing is occurs frequently; or (3) the processing includes sensitive data, including personal data relating to criminal convictions and offences.

The 2018 Law also provides for a specific framework concerning surveillance at work. Consequently, prior information must be given not only to the employees but also to the staff delegation. This must include detailed descriptions of the purposes of the surveillance and the envisaged methods, as well as the retention period (or indication of criteria to calculate the period). Furthermore, the employer must formally declare not to use personal data it has collected for any other purposes.

Unless an employer is legally obliged to implement surveillance measures, it may only implement such measures following a co-decision procedure involving the staff delegation, if it is for the following purposes:

  1. health and occupational safety;
  2. control of production or performance of an employee, if this is the only possible measure to determine the exact salary; or
  3. a flexible working schedule, implemented in accordance with the Labour Code.

The employees or the staff delegation may, within 15 days of the notification, request an opinion from the CNPD on the envisaged measures. The CNPD has one month to respond and, during this period, the surveillance cannot be implemented.

In any case, the employees may lodge a complaint with the CNPD, which cannot be used as a ground for dismissal.

ii Rights of the data subjects

The data subject has the right of access to be informed about the relevant aspect of the processing, to be given access to his or her personal data and the right to rectify it in case the personal data is inaccurate or incomplete. In some circumstances, the data subject also has the right to request the erasure of his or her personal data, to object to the processing of his or her personal data and to obtain restriction of processing from the controller. In some cases, the data subject may also exercise his or her right to data portability.

In accordance with the data subject's right to be informed, the data controller must supply the data subject, no later than the date at which the data is collected and regardless of the type of media used, with the following information:

  1. the identity of the controller and of his or her representative, if any;
  2. where applicable, the contact details of the data protection officer;
  3. the purpose or purposes of the processing for which the data is intended;
  4. the recipients or categories of recipients to whom the data might be disclosed;
  5. where the processing is based on the legitimate interests of the data controller, what the legitimate interests pursued by the controller or by a third party are;
  6. where processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  7. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation outside the EEA, and the existence or absence of an adequacy decision by the CNPD, or in the case of transfers based on additional safeguards, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
  8. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  9. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  10. the right to lodge a complaint with a supervisory authority;
  11. whether answering the questions and providing personal data is compulsory (because of a statutory or contractual requirement, or a requirement necessary to enter into a contract) or voluntary, as well as the possible consequences of failure to answer or provide the data; and
  12. where applicable, the existence of automated decision-making, including profiling, and at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
iii Principles relating to processing of personal data

The GDPR establishes six important principles relating to the processing of personal data, according to which the data controller must ensure that:

  1. personal data is processed in a fair and lawful manner (lawfulness, fairness and transparency);
  2. personal data is collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes (purpose limitation);
  3. personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (data minimisation);
  4. personal data is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (accuracy);
  5. personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (storage limitation); and
  6. personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

In accordance with the integrity and confidentiality principle, the data controller must implement all appropriate technical and organisational measures to ensure the protection of personal data against accidental or unlawful destruction or accidental loss, falsification, unauthorised dissemination or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

In particular, the personnel processing personal data should be trained to process the data in a lawful way, and the company should limit access to personal data that is processed.

In accordance with the lawfulness, fairness and transparency principle, the processing of personal data is lawful if it is based on one of the recognised legal grounds set out in Articles 6 to 10 of the GDPR.

For example, processing of general personal data (i.e., non-sensitive data) is lawful if it is necessary for the performance of a contract to which the data subject is party, if it is necessary for compliance with a legal obligation to which the controller is subject, or if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

As far as sensitive data is concerned, more restrictive legal grounds apply (Articles 9 and 10 GDPR).

iv Processors and data processing agreements

The data controller may wish to transfer personal data to a processor, who will execute the processing of personal data on its behalf. The data controller must choose a processor that provides sufficient guarantees with regard to the technical and organisational security measures pertaining to the processing to be carried out. It is up to the data controller as well as the processor to ensure that the said measures are respected.

Any processing carried out on behalf of the data controller must be governed by a written contract or legal instrument binding the processor to the data controller (data processing agreement). Data processing agreements must stipulate the obligations pertaining to the processor, as listed in Article 28 of the GDPR. In any case, a processor may not engage another processor (sub-processor) without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the controller the opportunity to object to such changes. Furthermore, in case a processor engages a sub-processor, the same data protection obligations as set out in the data processing agreement between the controller and the processor shall be imposed on that sub-processor. Where the sub-processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the data controller for the performance of that other processor's obligations.

v Cross-border data transfers

The data controller must supply the data subject with the information about the recipients or categories of recipients to whom the data might be disclosed. If these recipients are established outside Luxembourg, this should also be indicated.

As a general rule, personal data may only be transferred to countries within the EEA or to countries that provide an adequate level of protection of personal data in the sense of Article 45 of the GDPR. If personal data is transferred to a country that does not provide an adequate level of protection of personal data ('non-adequate' country), such transfer must be subject to appropriate safeguards or be based on one of the legally recognised derogations.

Among the appropriate safeguards that may be put in place in case of transfer of personal data towards a non-adequate country, the data exporter and the data importer may sign standard data protection clauses adopted by the European Commission.

For transfer of personal data to the United States, the data exporter and the data importer may also have recourse to the EU–US Privacy Shield. The Privacy Shield (which replaced Safe Harbour) has its own requirements under which entities established in the United States can certify their processing of personal data to facilitate the transfer of personal data. Although its lawfulness is currently being challenged, the Privacy Shield can still be used to transfer personal data to the United States.

When no additional safeguards are in place, the data controller will only be allowed to transfer personal data to non-adequate countries based on one of the legally recognised derogations, such as the explicit consent of the data subject, where appropriate.

vi Sensitive data

Sensitive data is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or that concerns health or sex life, including genetic data. Sensitive data also includes personal data relating to criminal convictions or offences, such as a criminal record.

It is, in principle, forbidden to process sensitive personal data, unless a specific legal ground allows for such processing. Currently the processing of sensitive data is only permitted on the basis of one of the recognised legal grounds laid down in Articles 9 and 10 of the GDPR. For example, as far as personal data relating to criminal convictions or offences is concerned, one of the following two grounds must apply: the data may be processed under the control of an official authority; or the processing of the data has been specifically authorised by EU or Member State law (e.g., Luxembourg employment law).

vii Background checks

Background checks are allowed, provided that they comply with the provisions prohibiting discrimination and those related to the protection of privacy.

The employer's right to request a criminal record is strictly limited according to the legal provisions of the Law of 23 July 2016. This Law has substantially amended current provisions related to criminal records, as follows:

  1. During the recruitment process, the potential employer will only be able to request a criminal record excerpt in writing and shall justify the reasons for such a request in view of the role requirements. The requirement to provide a criminal record excerpt shall be indicated in the job offer. A criminal record excerpt obtained in the recruitment phase can only be kept for one month starting from the signature of the contract. If the candidate is not hired, the excerpt must be destroyed.
  2. During the course of employment, the employer will only be able to request a new criminal record excerpt if:
    • the employer is permitted by law to request a criminal record excerpt; or
    • the employee's post will change and the new role requires renewed verification of honourability.

A criminal record excerpt obtained during the employment relationship can only be kept for two months, unless provided otherwise under other legal provisions.

Requesting a criminal record excerpt in breach of the new legal provisions will be a criminal offence that may be sanctioned by a fine of between €251 and €5,000, and a term of imprisonment between eight days and one year. Retaining a criminal record excerpt in excess of the time frame is also a criminal offence that may be sanctioned by a fine between €251 and €3,000.

The employer will have to keep record of:

  1. the job offers from future employers requesting a criminal record excerpt with justification for the request; and
  2. the requests for a criminal record excerpt from current employees with justification for the request.

Credit checks are covered by personal and private data provisions and therefore cannot be the subject of employer enquiries. However, depending on the applicant's position and the nature of his or her activities, an employer may request him or her to provide such information.

Employers may ask whether a job applicant has authorisation to work in Luxembourg and request evidence thereof. During the hiring process, employers are prohibited from making enquiries based on sexual orientation, religion, convictions, disability or ethnic origin.