Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, "GDPR"), repealing Directive 95/46/EC, has imposed many changes in the regulatory landscape applicable to data protection.
The GDPR also gives Member States leeway to adapt their respective national frameworks, including the national data protection supervisory authority, through local legislation. The Luxembourg government took that opportunity to draft bills for this purpose.
The law implementing the GDPR in Luxembourg ("Loi du 1er août portant organisation de la Commission nationale pour la protection des données et mise en oeuvre du règlement (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 relatif à la protection des personnes physiques à l'égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE (règlement général sur la protection des données), portant modification du Code du travail et de la loi modifiée du 25 mars 2015 fixant le régime des traitements et les conditions et modalités d'avancement des fonctionnaires de l'Etat"), establishing the National Commission for Data Protection (Commission Nationale pour la Protection des Données, "CNPD") as the Luxembourg data protection supervisory authority and changing its control system mechanisms, was published on 16 August 2018 and will enter into force on 20 August 2018.
The previous notification system, based on ex-ante controls, has been replaced by ex-post controls. This approach fits with the accountability principle adopted by the GDPR to empower entities processing personal data. Consequently, it eliminates the previous time-consuming procedure of notification to, or authorisation by, the CNPD and lets the CNPD focus more on raising awareness, providing support and carrying out control missions. Another key change lies with the capacity of the CNPD to impose fines and sanctions, as defined by the GDPR:
In addition, this law provides new specific provisions, exceptions and limitations in order to ensure the implementation of the GDPR. The key changes concern:
Another law, which was published on 16 August 2018 and will enter into force on 20 August 2018, concerns the processing of personal data in criminal matters and matters of national security ("Loi du 1er août 2018 relative à la protection des personnes physiques à l'égard du traitement des données à caractère personnel en matière pénale ainsi qu’en matière de sécurité nationale et portant modification (…)"). The two laws should be read together, as they jointly extend the competences of the CNPD. Specifically, that second law introduces an exemption from the CNPD's powers, where "Only personal data processing operations carried out by the courts of the judiciary and the administrative order in the exercise of their judicial functions are subject to the supervision of the judicial supervisory authority". This provision was included in order to preserve the principle of separation of powers and to maintain the independence of the judiciary.
As a direct consequence, all Luxembourg companies are relieved of the administrative burden of actively declaring or notifying personal data processing to the CNPD before the actual processing. However, they should be ready to be controlled by the local regulator, and should therefore take action so that they can demonstrate accountability under the GDPR when necessary.
Consequently, and following the enhanced capacity of the Luxembourg supervisory authority, we are expecting the CNPD to continue its active support to the marketplace by providing further awareness and guidance on the GDPR, and probably the first controls as to the proper compliance with the GDPR in the coming months.