Bonn & Schmitt
22-24, rives de Clausen
The law dated 2 August 2002 on the Protection of Persons with regard to the Processing of
Personal Data as modified (“Law”).
The Law dated 30 May 2005 lays down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector.
Definition of Personal Data
The Law defines “personal data” as follows: any information of any type regardless of the type of medium, including sound and image, relating to an identified or identifiable natural person (“data subject”); a natural person will be considered to be identifiable if it can be identified, directly or indirectly, in particular by reference to an identification number or
one or more factors specific to its physical, physiological, genetic, mental, cultural, social or economic, identity.”
Definition of Sensitive Personal Data
Sensitive data relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the health or sex life, including the processing of genetic data.
National Data Protection Authority
Commission national pour la Protection des Données (“cnPD”)
41, avenue de la Gare
L-1611 Luxembourg 4ième étage
The CNPD is responsible for overseeing the Data Protection Act and the Privacy and Electronic
Prior notification to the cnPD
As the processing of personal data is not exempt from notification and is not subject to prior authorisation, it must be notified to the CNPD in advance. The notifications must contain the information referred to in Article 13 of the Law.
The notifications are effected by completing and signing the notification form provided by the CNPD. Article 13 of the Law provides 14 specific cases of conditional exemption from the obligation to notify which are added to the more general cases referred to in Article 12 § 2.
The most important exceptions relate to the following processing:
General exemptions (art. 12 § 2)
- processing carried out by the controller if that person appoints a data protection officer unless
- for the supervision purposes referred to in Article 10 (“DPO”);
- processing operations for the sole purpose of keeping a public register;
- processing operations carried out by lawyers, notaries and process servers;
- processing carried out solely by journalists, for artistic or literary expression; or
- processing necessary to protect the vital interests of the data subject or of another where the data subject is physically or legally incapable of giving his consent.
- processing of data relating exclusively to personal data necessary for the administration of the salaries of persons in the service of or working for the controller;
- processing of data relating exclusively to the management of applications and recruitment, provided that the collected data is not sensitive data (including health) or data intended for assessing the data subject;
- processing of data relating exclusively to the controller’s bookkeeping provided that this data is used exclusively for such bookkeeping and the processing covers only the persons whose data is necessary for bookkeeping purposes;
- processing of data referring exclusively to the administration of shareholders, debenture holders and partners, provided that the processing covers solely the data necessary for such administration, the data covers only those persons whose data is necessary for such administration;
- processing of data relating exclusively to the management of the controller’s client or supplier
- base, provided that the processed data is not sensitive data (including health);
- processing of data carried out by a foundation, an association or any other non-profit organisation;
- processing of data relating exclusively to the recording of visitors carried out in the context of manual access control, provided that the data processed is restricted to only the name and business address of the visitor, his/her employer, his/her vehicle, the name, department and function of the person visited, and the time and date of the visit;
- processing of identification data essential for communication, which is carried out with the sole purpose of contacting the person concerned provided that this data is not communicated to any other third party;
- processing for the management of IT systems, provided that it is not used for the purpose of supervision;
- processing carried out in hospitals or by a doctor concerning his/her patient, except for the processing of genetic data; or
- processing carried out by a pharmacist.
The Law has also reduced the procedures concerning processing in the health professions. Except for the processing of genetic data, there is no more requirement of prior authorisation concerning such a processing, and doctors and hospitals are exempt to the obligation to notify.
Prior authorization by the cnPD
Most processing of personal data must only be notified (or is exempt from notification). However, the Law provides for stricter control for processing likely to present specific risks in respect of the rights and freedoms of individuals concerned. Such processing must be
authorised by the CNPD before it may be carried out. The amended Law contains a closed list of these categories of processing in Article 14.
Article 14 1 of the Law sets forth that the prior authorization by the CNPD is required in the following cases:
- the processing of genetic data;
- when processing is recorded and carried out for supervision purposes;
- when data is processed for statistic, scientific or historic purposes;
- in the event of the combination of data;
- when the processing relates to the credit status and solvency of the data subjects, if the processing is carried out by persons other than professionals of the financial sector or by insurance companies regarding their clients;
- processing involving biometric data necessary for checking personal identity; or
- the usage of data for purposes other than that for which it was collected. Such processing may be carried out only when the data subject gives prior consent or if it is necessary to protect the vital interests of the data subject.
Processing operations that reveal race or ethnicity, political opinions, religious or philosophical
beliefs, trade union membership, and the processing of data concerning health or sex life,
except for certain processing of genetic data, may only be notified to the CNPD and may not be authorised by the CNPD.
The processing of genetic data may only be notified to the CNPD when the processing is necessary to protect vital interests or when it is necessary for the purpose of preventive medicine, medical diagnostics, or the provision of care or treatment.
An authorisation from the CNPD is normally required before using technical means for monitoring people, particularly by video camera, electronic trading, etc. However, the Law has introduced a distinction according to if the data is recorded or not recorded. The prior authorisation by the CNPD is required for processing for supervision purposes, if the data
resulting from the supervision is recorded. A simple notification is required if the data resulting from the supervision is not recorded.
For the processing of credit status and solvency of the data subject, a simple notification is
required, if the processing is carried out by professionals in the financial sector or insurance companies on behalf of their clients.
The processing of biometric data is subject to prior authorization.
Data Protection officers
The controller may designate a DPO. Such designation releases the controller from the obligation to carry out the notifying process. Such a designation does not exempt the person responsible for processing from entering prior requests for authorization before carrying out processing for which authorization is required.
The power of the data protection official are as follows:
- investigative powers to ensure supervision of the controller’s compliance with the provisions of the Law and its implementing regulations, and
- a right to be informed by the controller and the relating right to inform the controller of the formalities to be carried out in order to comply with the provisions of the Law and its implementing regulations.
Collection and Processing
Chapter 2 of the Law deals with the conditions under which processing may take place. The controller must ensure that he processes the data in a fair and lawful manner, which means that:
- data must be collected for specified, explicit and legitimate purposes and may not be further processed in a way that is incompatible with those purposes;
- the collection, recording and use of personal data is strictly limited to what is necessary to achieve the aims specifically declared in advance by the authority, agency, company, association, professional or self-employed worker involved;
- processing must be adequate and not excessive in relation to the purposes for which they are collected and/or further processed;
- the processing of personal data is limited to cases where there is a direct connection with the initial purpose of the processing. The information must not only be useful, but also necessary to whoever is processing personal data. The data being processed must not be excessive in relation to the aim pursued;
- an update of the collected data must be made;
- as inaccurate or incomplete information can harm the person to whom it relates, every effort must be made to ensure the data being processed is correct and up to date. If this is not the case, the personal data must be rectified or erased. The Law also protects the data subject against any negative decision automatically made about him by a computer, without him being able to provide his personal point of view; and
- data which permits identification of data subjects is only kept for the necessary period of time.
- Legitimacy of processing
- The processing of personal data is allowed only if there is a legitimate reason to justify it. Article 5 of the Law sets forth the criteria for the legitimacy of data processing, which is as follows:
- Data may be processed only if it is necessary:
- for compliance with a legal obligation which the controller is subject to;
- for the performance of a task carried out in the public interest;
- for the performance of a contract to which the data subject is a party;
- for the purpose of legitimate interests pursued by the controller or by the third party or parties to whom the data is disclosed, except where such interests are overridden by the interest, fundamental rights and/or freedoms of the data subject; or
- in order to protect the vital interests of the data subject.
- Finally, the data processing is legitimate if the data subject has given his consent.
Processing of specific categories of data
Processing operations that reveal racial or ethnic origin, politic opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health or sex life, including the processing of genetic data, are forbidden and may only be allowed under very exceptional circumstances. Processing of specific categories of data by health services is strictly regulated. Legal data and freedom of expression are also strictly regulated.
Processing for supervision purposes
Article 10 sets out the conditions under which processing for supervision purposes in any place accessible or inaccessible to the public can be made. Processing for supervision purposes is considered legitimate in and around any place presenting a risk where it is necessary not only for the safety of users and the prevention of accidents, but also for the protection of property if there is a risk of theft or vandalism. The criteria of necessity and proportionality will be assessed for each individual case by the CNPD.
Article 10 1 of the Law sets forth that “the data may only be processed for supervision
- if the data subject has given his consent; or
- in surroundings or in any place accessible or inaccessible to the public other than residential premises, particularly indoor car parks, stations, airports and on public transport, provided the place in question due to its nature, position, configuration or frequentation presents a risk that makes the processing necessary for the safety of users and for the prevention of accidents, for the protection of property, if there is a characteristic risk of theft or vandalism; or in private places where the resident natural or legal person is the controller; or
- to the competent legal authorities to record a criminal offence or take legal action in respect
- of it and to the legal authorities before which a legal right is being exercised or defended”.
Processing for the purposes of supervision at the workplace
The supervision at the workplace is only possible under certain circumstances. Article 11 of the Law refers to Article L.261 1 of the Employment Code. Such processing may be carried out only if it is necessary:
- for the safety and health of employees;
- to protect the company’s property;
- to control the production process relating solely to machinery;
- temporarily control production or the employee’s services if such a measure is the only way
- of determining the exact earnings; or
- in connection with the organization of work under a flexible hours scheme in accordance with the Employment Code.
The person whose data is processed must be informed prior to processing. The data subjects’
consent to the processing does not, however, render the processing legitimate.
Article 18 of the Law provides that data may be transferred to a third country, if this country ensures an adequate level of protection and if the provisions of the Luxembourg Law on data protection as well as its regulations are respected. The adequacy of the level of protection afforded by a third country must be assessed by the controller in light of all circumstances surrounding a data transfer operation or set of data transfer operations; particularly, the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectored, in
force in the third country in question and the professional rules and security measures which are complied with by that country. In case of any doubt, the controller will immediately inform the CNPD which will consider whether the third country offers an adequate level of protection.
The transfer of data to a third country that does not offer an adequate level of protection may
take place provided:
- the data subject has given his consent to the proposed transfer;
- the transfer is necessary for the performance of a contract to which the data subject and the controller are parties, or the implementation of pre contractual measures taken at the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract entered into in the interest of the data subject between the controller and a third party;
- the transfer is necessary or legally required on important public interest grounds, or to
- establish, exercise or defend a legal claim; or
- the transfer is necessary for a public register.
The CNPD may authorize, as a result of a duly reasoned request, a transfer of data to a third country that does not provide an adequate level protection, if the controller offers sufficient guarantees in respect of the protection of the privacy, freedoms and fundamental rights of the data subjects, as well as the exercise of any corresponding rights. These guarantees may result from appropriate contractual clauses.
The controller must implement all appropriate technical and organizational measures to ensure the protection of the data he processes against accidental or unlawful destruction or accidental loss, falsification, unauthorized dissemination or access in particularly where the processing involves the transmission of data over a network, and against all other unlawful forms of procession. The initial Law sets forth these measures had to be contained in an annual report
to be submitted by the controller to the CNPD. The 2007 Law has amended this automatic obligation. Article 22 of the Law provides that “a description of these measures and of any subsequent major change must be communicated to the CNPD at its request, within fifteen days”.
If the processing is carried out on behalf of the controller, the latter must choose a processor that provides sufficient guarantees as regards the technical and organizational security measures. Any processing carried out on another’s behalf must be governed by a written contract binding the processor to the controller and providing in particular that the processor will act only on instructions from the controller and the obligations relating to security of processing operations will be also incumbent on the processor.
Any party that does not carry out the obligation to notify or supplies incomplete or inaccurate information is liable to a fine of between EUR 251 and EUR 125,000.
Any party who carries out processing in breach of obtaining a prior authorization will be liable to a prison sentence of between 8 days and 1 year and a fine between EUR 251 to EUR 125,000.
Without prejudice to criminal sanctions provided for by the Law, and any actions for damages under ordinary civil law, in the event a processing operation violates formalities provided
for under Law, the State Prosecutor, the CNPD or any injured party is entitled to file a discontinuance action pursuant to Article 39 of the Law.
Luxembourg implemented part of Directive 2009/136/EC by a law of 28 July 2011, which modified the law of 30 May 2005 and came into effect on 1 September 2011.
The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing is permissible only in respect of subscribers who have given their prior consent.
Where a supplier obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, that supplier may use those electronic contact details for direct marketing of its own similar products or services provided that customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner,
to such use of electronic contact details when they are collected and on the occasion of each message where the customer has not initially refused such use.
The transmission of unsolicited communications for purposes of direct marketing by means other than those referred to in the previous paragraphs shall be permissible only with the prior consent of the subscriber concerned.
Online Privacy (Including cookies and Location Data)
Traffic Data – For the purposes of the investigation, detection and prosecution of criminal offences, and solely with a view to enabling information to be made available, in so far as may be necessary, to the judicial authorities, any service provider or operator processing traffic
data must retain such data for a period of 6 months. This obligation includes data related to the missed phone calls wherever these data are generated, stored or recorded. Beyond this period, the service provider or operator must erase these data unless such data have been made anonymous.
Traffic data may be processed for the purposes of marketing electronic communications services or providing value added services, to the extent and for the duration necessary for such supply or marketing of such services, provided that the provider of an electronic communications service or the operator has informed the subscriber or user concerned in
advance of the types of traffic data processed and of the purpose and duration of the processing, and provided that the subscriber or user has given his/her consent, notwithstanding his/her right to object to such processing at any time.
Location Data other than Traffic Data – Service providers or operators have also an obligation of retaining location data other than traffic data for a period of 6 months for the purposes of the investigation, detection and prosecution of criminal offences. This obligation includes data related to the missed phone calls wherever these data are generated, stored or recorded. Beyond this period, the service provider or operator must erase these data unless such data have been made anonymous.
Service providers or operators may process location data other than traffic data relating to subscribers and users only if such data have been made anonymous or the subscriber or user concerned has given his/her consent thereto, to the extent and for the duration necessary for the supply of a value added service.
Service providers and, where appropriate, operators shall inform subscribers or users in advance of the types of location data other than traffic data processed, of the purposes and duration of the processing and whether the data will be transmitted to third parties for the purpose of providing the value added service. Subscribers or users shall be given the possibility to withdraw their consent to the processing of location data other than traffic data at any time.
Where consent of the subscribers or users has been obtained for the processing of location
data other than traffic data, the subscriber or user must continue to have the possibility, using
a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.
Cookies – Prior informed consent of a subscriber/user is required. The method of providing information and the right to refuse should be as user friendly as possible and, where it is technically possible and effective, the users consent may be expressed by appropriate browser/ application settings.