Flash News - Luxembourg - Personal Data Protection - The GDPR implementing Law is published.



The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, "GDPR", available here), repealing Directive 95/46/EC, has imposed many changes in the regulatory landscape applicable to data protection.

The GDPR also gives the Member States a leeway to adapt their respective national frameworks, via local legislations, including the national data protection supervisory authority. The Luxembourg government took that opportunity to draft bills addressing these opportunities.

What's new?

The law enforcing the GDPR in Luxembourg ("Loi du 1er août portant organisation de la Commission nationale pour la protection des données et mise en oeuvre du règlement (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 relatif à la protection des personnes physiques à l'égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE (règlement général sur la protection des données), portant modification du Code du travail et de la loi modifiée du 25 mars 2015 fixant le régime des traitements et les conditions et modalités d'avancement des fonctionnaires de l'Etat"), establishing the National Commission for Data Protection (Commission Nationale pour la Protection des Données, "CNPD") as the Luxembourg data protection supervisory authority and changing its control system mechanisms has been published on 16 August 2018 and will enter into force on 20 August 2018.

The previous notification system, based on ex-ante controls, has been replaced by ex-post controls. This approach fits with the accountability principle adopted by the GDPR to empower entities processing personal data. Consequently, it eliminates the previous time-consuming procedure of notification to/authorisation by the CNPD and permits a better focus of the latter on raising awareness, providing support and controlling missions. Another key change lies with the capacity of the CNPD to impose fines and sanctions, as defined by the GDPR:

  • Fines: A failure to comply with the Regulation could result in fines of up to €20 million EUR or 4% of the entity’s annual worldwide turnover, whichever is higher.
  • Sanctions: Article 58 gives corrective powers to the supervisory authority, including the possibility to impose a temporary or definitive limitation, e.g. a ban on processing of data, to issue reprimands to a company, or a suspension of data flows to a recipient in a third country.

In addition, this law provides new specific provisions, exceptions and limitations in order to ensure the implementation of the GDPR. The key changes concern:

  • The processing of personal data and the right to freedom of expression and information processing of personal data for the purposes of journalism or academic, artistic or literary expression. Article 14 of the GDPR states that the controller has an obligation to enable access to the information processed regarding the data subject. The law provides an exception for publishers, for example, where this obligation is limited in a way that the right to access cannot lead to the identification of the source of the information.
  • The processing of genetic personal data will be prohibited for data controllers who intend to process such data in connection to their legal obligations in reference to labour law and for insurance purposes, even if the data subject gives specific consent for such purposes. Certain exceptions will remain where processing genetic personal data will be possible. These being for example, when necessary to verify a genetic link in the context of a judicial proceeding; in the public interest in the context of public health; for the public interest in the context of historical, statistical or scientific purposes; or in the context of protecting the vital interests of the data subject.
  • The data controllers processing personal data for the purposes of scientific, statistical and historic research will have the possibility to limit the rights and freedoms of data subjects, should the exercise of these rights render impossible or seriously impede the achievement of the purposes of the data processing for the aforementioned purposes, defined by the data controller.

Another law that has been published on 16 August 2018 and will enter into force on 20 August 2018, concerns the processing of personal data in criminal matters and matters of national security ("Loi du 1er août 2018 relative à la protection des personnes physiques à l'égard du traitement des données à caractère personnel en matière pénale ainsi qu’en matière de sécurité nationale et portant modification (…)"). The two laws should be read together, as they jointly extend the competences of the CNPD. Specifically, that second law introduces an exemption of the CNPD powers, where "Only personal data processing operations carried out by the courts of the judiciary and the administrative order in the exercise of their judicial functions are subject to the supervision of the judicial supervisory authority". This provision was included in order to preserve the principle of separation of powers, and to maintain the independence of the judiciary order.

As a direct consequence, all Luxembourg companies are discharged of the administrative burden of active declaration or notification of personal data processing to the CNPD before the actual processing. However, they should be ready to be controlled by the local regulator, hence take action and be ready to demonstrate accountability towards the GDPR when necessary.

What's next?

Consequently, and following the enhanced capacity of the Luxembourg supervisory authority, we are expecting the CNPD to continue its active support to the market place in providing further awareness and guidance on the GDPR, and probably the first controls as to the proper compliance with the GDPR in the coming months.

Contact us

Frédéric Vonner

Partner, Privacy Leader, PwC Luxembourg

Tel: +352 49 48 48 4173

Antonin Jakubse

Manager, PwC Luxembourg

Tel: +352 49 48 48 4412

Follow us