On Tuesday, 12 September 2017, the draft bill establishing the National Commission for Data Protection and implementing the General Data Protection Regulation (GDPR) has been filed by the Ministry of Communication & Media in Luxembourg (Draft Bill - N°: 7184).

This draft bill intends to "make room" for the GDPR while complementing it with national specificities.

Once adopted, this bill will definitely repeal and replace the current Luxembourg Law of 2 August 2002 relating to the protection of individuals as regards the processing of personal data (the "Luxembourg Data Protection Law"), and will be applied in parallel to the GDPR.

National Commission for Data Protection (NCDP)

The draft bill confirms and extends the competences of the NCDP, the current guardian of the Luxembourg Data Protection Law, and the future watchdog of the GDPR.

Among others, the NCDP will be empowered to:

  • monitor compliance with the GDPR by any data controller or processor (as well as with the draft bill n°7168 regarding data processing in criminal matters and matters of national security);
  • have legal standing and initiate judicial proceedings in the interests of the GDPR;
  • require from any data controller or processor all the necessary information to assess their compliance with the GDPR;
  • order a data controller / processor to suspend or stop the processing of personal data;
  • impose administrative penalties and sanctions on parties found to have infringed the GDPR (with periodic penalty payments when necessary).

On September 4, the 2016 annual accounts of the NCDP were published, revealing an increase in budget of 14,18% in comparison with the previous year. It is expected that this budget will continue increasing in the future, along with the activities of the NCPD.

For more information on the current mission of the NCPD, click here.

Additional specific provisions

The draft bill also provides for specific provisions that would "complement" the GDPR in matters that were left to the discretion of the Member States:

1) First, the draft bill grants some exemptions from the GDPR’s obligations in case of:

  • data processing for the purposes of journalism, university research, art or literature (art. 56 of the draft bill); and in case of
  • data processing for the purposes of statistics or scientific or historical research, provided that such "limitations" are proportional to the aim pursued and take into consideration the nature of the data and of the processing (art. 57 of the draft bill).The counterpart of the exemptions is a long list of additional safeguards that data controllers processing data for statistics or scientific or historical research must put in place, including, as the case may be, the designation of a Data Protection Officer and the conduct of a Data Protection Impact Assessment (art. 58 of the draft bill).

2) Second, regarding the processing of sensitive data, including health data, the draft bill confirms that such processing is allowed for the relevant medical bodies and healthcare professionals in the framework of their activities, as well as for research bodies (with appropriate safeguards), social security organisms, insurance companies, pension funds, the Medical and Surgical Mutual Fund and other approved organisms. The lawful transfer of sensitive data between these actors is also facilitated.

By filing this draft bill, the government of Luxembourg has taken the first step towards the entry into force of the GDPR (on 25 May 2018) and has consolidated a comprehensive legal framework for the processing of personal data in Luxembourg.

Link to the draft bill: here (in French only).