Data protection in Luxembourg: overview
A Q&A guide to data protection in Luxembourg.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
Directive 95/46/EC on data protection (Data Protection Directive) has been implemented in Luxembourg through the Law of 2 August 2002 relating to the protection of individuals in relation to the processing of personal data (Data Protection Law). The Data Protection Law aims to protect the freedom and fundamental rights of individuals, and notably their private life, in relation to the processing of their personal data.
The National Commission for Data Protection (Commission Nationale pour la Protection des Données) (CNPD) is responsible for enforcing these rules.
Reform of EU data protection rules: the general data protection regulation
After four years of political discussion, the General Data Protection Regulation (GDPR) was finally adopted by the European Parliament on 14 April 2016. The GDPR will replace Directive 95/46/EC. A transitional period of two years is provided before the GDPR becomes fully enforceable in the EU member states; it will apply from 25 May 2018.
The GDPR will be directly applicable in all member states without the need for implementing national legislation.
The GDPR pursues the objective of ensuring a consistent and high level of protection of natural persons, and addresses the following fundamental issues:
Reinforcing individuals' rights.
Strengthening the EU internal market.
Ensuring stronger enforcement of the rules.
Streamlining international transfers of personal data.
Setting global data protection standards.
The Law of 30 May 2005 on the specific provisions for the protection of individuals in relation to the processing of personal data in the electronic communications sector (Law of 2005) was adopted, as part of the implementation of the EU "telecom package" in Luxembourg.
A Grand-Ducal Regulation of 2 October 1992 relates specifically to the terms and conditions of use of personal data in medical databases, their use for therapeutic purposes and for research, and their disclosure to third parties. Under the Law of 29 March 2013 on the organisation of the criminal record and the exchange of information extracted from criminal records between member states of the European Union, as amended by the Law of 23 July 2016, an employer can, in the context of staff management and the hiring process, request that the person concerned produce an extract of his or her criminal record (Bulletin No. 2).
Other specific laws or grand ducal regulations apply to specific sectors (such as rail, police or tourist accommodation).
Scope of legislation
The Data Protection Law applies to persons who are identified as a data controller. The data controller is defined as a natural or legal person, public entity, service or any other entity, who alone or jointly with others determines the purposes and the means of personal data processing.
The data controller can be specified by law when the purposes and means of given data processing are also determined by law.
Data controllers can subcontract the processing itself to processors, but always remain responsible for their own legal obligations, as processors can only act under the instructions of a data controller.
The Data Protection Law defines "personal data" as any information of any type regardless of the type of medium, including sound and image, relating to an identified or identifiable natural person (data subject).
Natural persons will be considered to be identifiable if they can be identified directly or indirectly, in particular by reference to an identification number or one or more factors specific to their physical, physiological, genetic, mental, cultural, social or economic identity.
Further, the Data Protection Law gives special protection to certain types of data known as sensitive data, that is, data relating to:
Racial or ethnic origin.
Political opinions.
Religious or philosophical beliefs.
Trade union membership.
Health or sex life, including the processing of genetic data (see Question 11).
The Data Protection Law governs the "processing of personal data", which is any operation or set of operations performed on personal data, whether or not by automated means, such as:
Collection, recording, organisation or storage.
Adaptation or alteration.
Retrieval, consultation or use.
Disclosure by transmission, dissemination or otherwise.
Alignment or combination.
Blocking, deletion or destruction.
The Data Protection Law distinguishes between the "data controller", who determines the purposes and means of processing personal data, and the "data processor", who processes the personal data on behalf of the data controller. The purposes and methods of processing personal data may be determined jointly by co-controllers. The Data Protection Law does not distinguish between the data controller/processor and the data owner.
Processing carried out by an individual exclusively for personal or domestic activities is not covered by the Data Protection Law.
Data processing for criminal investigations and judicial proceedings is subject to specific rules stemming from:
The Criminal Investigation Code.
The Civil Proceedings Code.
Other specific laws.
Additionally, exemptions apply where necessary to reconcile the right to privacy with freedom of expression, for data processing carried out solely for journalistic, artistic or literary purposes.
Depending on the type of data and the purposes of the processing, the data controller may have to comply with some administrative formalities prior to processing the data. These formalities consist of a prior notification to, or prior authorisation from, the National Commission (CNPD).
In principle, any data processing is subject to prior notification except where the prior authorisation from the CNPD is required or when the data processing is exempted by the law.
The Data Protection Law was amended in 2007 to provide for a number of exemptions from prior notification, under certain conditions (for example, management of salaries of persons working for the data controller, management of job applications, and recruitment of the data controller's personnel).
Any data processing, irrespective of the administrative formalities it is subject to, must at all times comply with the general requirements of the Data Protection Law.
Processing operations subject to prior authorisation from the CNPD include, for example, the processing of genetic data, processing relating to the credit status and solvency of data subjects (when carried out by persons not acting in the financial sector), processing for historical, statistical or scientific purposes, and processing for surveillance purposes, notably surveillance at the workplace. Prior authorisation only concerns processing operations that are likely to present specific risks to the rights and freedoms of data subjects.
The notification form will include at least the following information:
The name and address of the data controller and of his representative, if any.
The legal basis on which the processing is considered legitimate.
The purpose or purposes of the processing.
A description of the category or categories of data subjects and of the data or categories of data relating to them.
The recipients or categories of recipients to whom the data may be disclosed.
The third countries to which it is proposed to transfer the data.
A general description allowing a preliminary assessment to be made of the appropriateness of the measures taken to ensure security of processing.
Main data protection rules and principles
Main obligations and processing requirements
The main principles to be complied with by data controllers, before and on an ongoing basis during the data processing, can be summarised by the following principles of personal data protection, drawn from the ten principles set out in the brochure Data protection and privacy published by the CNPD:
Necessity and proportionality.
Accuracy of data.
Security and confidentiality (see Question 14).
Sensitive data is subject to more stringent protection (see Question 11).
Surveillance (and notably surveillance in the workplace) is strictly limited by law.
Use of personal data for advertising or marketing purposes requires permission.
A data subject's consent is not systematically necessary to process personal data. A data controller can process data when the processing falls within one or more of the situations exhaustively listed by the Data Protection Law, one of which is the consent of the data subject.
Whenever a data processing is carried out in relation to surveillance at the workplace, the data subject's consent is neither necessary nor sufficient to legitimise such processing, due to the subordination link between an employer and its employees.
According to the Data Protection Law, the data subject's consent does not require a specific form and it seems possible to obtain online consent. However, the consent must have the following characteristics:
Free (freely given consent may at any time be withdrawn by the person concerned).
Specific (that is, given for determined processing).
Informed (that is, the data subject must have given his consent with the full knowledge of the facts).
No provision of the Data Protection Law specifically deals with the consent of minors. However, according to Luxembourg law, minors do not generally have the ability to enter into a contract. Therefore, consent by minors to process their data will be considered void.
In addition to consent, the processing of personal data is legitimate if:
It complies with a legal obligation to which the data controller is subject.
It fulfils a task in the public interest, or in exercising official authority vested in the data controller or in a third party to whom the data is disclosed.
It takes place for the performance of a contract to which the data subject is party, or taking steps at the request of the data subject before entering into a contract.
It is necessary for the purposes of the legitimate interests pursued by the data controller, or by the third party or parties to whom the data is disclosed, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject.
It protects the data subject's vital interests.
Under Article L.261-1 of the Employment Code, an employer acting as data controller may process personal data for the purpose of monitoring employees at the workplace only in the following cases:
For the safety and health of employees.
For the protection of the company's goods.
For the control of the production process (provided this control only applies to the machines).
For the occasional monitoring of the production process, or of the performance of employees, where this measure is the only means of determining exact pay.
In the framework of a flexitime working organisation.
Sensitive data is defined as data relating to:
Racial or ethnic origin.
Political opinions.
Religious or philosophical beliefs.
Trade union membership.
Health or sex life, including genetic data.
The processing of sensitive data is, in principle, prohibited. It may only be permitted in certain limited circumstances:
With the express consent of the data subject.
Processing necessary to comply with the data controller's employment law obligations and specific rights.
Processing necessary to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent.
Where the data subject has manifestly made the data public.
Processing carried out by certain non-profit organisations.
Processing necessary for establishing or defending legal rights.
Rights of individuals
When the data is collected directly from the data subject, the data controller must provide the data subject at least with the following information:
The identification of the data controller and of his representative (if any).
The purpose of the processing for which the data is intended.
Any further information such as:
the categories of recipients to whom the data may be disclosed;
whether answering the questions is compulsory or voluntary, as well as the possible consequences of failure to answer; and
the existence of the right of access to data concerning the data subject and the right to rectify them.
Additionally, when the data is not collected directly from the data subject, the data controller must inform the data subject of the categories of data concerned by the processing.
Regarding timing, when data is collected directly from individuals, such individuals must be informed of the processing at the time the data is collected. When data is collected indirectly from individuals, such individuals must be informed of the processing at the time the data is transferred from third parties.
Individuals have a right of access to their personal data. This right includes the confirmation as to whether or not data relating to them is being processed and information at least regarding the purposes of the processing. Individuals may ask for incorrect or inadequate information to be rectified or deleted.
The Data Protection Law specifies that the right of access may be exercised free of charge, at reasonable intervals and without excessive waiting periods.
Data subjects can also ask the data controller to rectify or delete data that is inaccurate or processed in breach of the Data Protection Law, free of charge.
Additionally, data subjects can object, free of charge, to the processing of their data on compelling legitimate grounds relating to their particular situation.
Data subjects have the right to request the deletion of any of their data, which has been processed by a data controller in a manner that does not comply with the Data Protection Law. Data subjects can request deletion of their data in particular when the data is:
Incomplete or inaccurate.
Not collected for specified and legitimate purposes as required by the Data Protection Law, or subsequently processed in a manner incompatible with those purposes.
Inadequate, irrelevant, or excessive with respect to the purposes for which it is collected and subsequently processed.
Retained for an excessive period in relation to the purposes for which it was collected.
Data controllers must take all appropriate technical and organisational measures to ensure protection of the data they process against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access, in particular where the processing involves transmitting data over a network, and against any other unlawful processing.
In practice, a data controller must set up different security measures, depending on the risk of privacy breach, the state of the art, and costs relating to the implementation of these measures.
Generally, these measures consist of:
Preventing physical and logical unauthorised access to the data and access to, or use of, the information system where the data is stored.
Safeguarding data by creating backups.
Preventing data from being read, copied, amended or deleted in the event of disclosure or transport of such data.
Monitoring of transmissions, transport and availability of the data.
Under the Data Protection Law, there is no general requirement to notify personal data security breaches to data subjects or to the national regulator. However, a description of the security measures, and of any subsequent major change to these measures, must be communicated to the CNPD within 15 days on request. Note that the GDPR will introduce a general duty to notify personal data breaches to the supervisory authority (without undue delay and, where feasible, within 72 hours) and to affected data subjects where the breach is likely to result in a high risk to their rights and freedoms.
The Law of 2005 provides that in the case of a personal data breach, the provider of electronic communication services must promptly inform the CNPD of the breach.
When the breach is likely to adversely affect the personal data or privacy of a subscriber or an individual, the provider must also notify the subscriber or individual concerned without undue delay.
However, notification to the data subject is not required if the provider can demonstrate to the CNPD that it had implemented appropriate technological protection measures (such as encryption) to the data concerned by the breach, rendering the data unintelligible to any person not authorised to access it.
Processing by third parties
Any processing carried out on another's behalf must be governed by a written contract binding the subcontractor (that is, the data processor) and providing in particular that the data processor:
Will act only on instructions from the data controller.
Will impose the same obligations on any subcontractor it engages itself.
The data controller must choose subcontractors that provide sufficient guarantees with regards to the security measures to be implemented.
The Law of 2005 provides that the storage of information or the gaining of access to information already stored, in the terminal equipment of a subscriber or user, is only permitted if the subscriber or user has given his consent, having been provided with clear and comprehensive information (that is, about the purposes of the processing).
The Law of 2005 also expressly specifies that:
The methods of providing information and offering the right to refuse must be as user-friendly as possible.
Where it is technically possible and effective, the user's consent to processing may be expressed through appropriate browser or other application settings.
The sending of unsolicited electronic commercial communications is regulated by two different laws:
The Law of 2005.
The Law of 14 August 2000 on electronic commerce, dealing with the sending of communications by a provider of information society services (Law on E-commerce).
According to the Law on E-commerce, any provider must obtain prior consent from its potential customers before being able to send unsolicited commercial communications.
When providers obtain the electronic addresses of their customers through the sale of a product or service, such providers may use these e-mail addresses for commercial or marketing purposes and, notably, send commercial communication to such customers by electronic means. However, providers must allow their customers to oppose, free of charge, the use of their electronic address. Customers must be able to oppose such use at the time of the collection of their e-mail address and during the reception of any new commercial communications.
Any unsolicited electronic commercial communications must comply with the following conditions:
The commercial communication must be clearly identified as such.
The provider who sends the commercial solicitation must be clearly identified.
Raffles and promotional games must be clearly recognisable as such, and their conditions of participation must be easily accessible and presented in a precise and unambiguous manner.
In addition, the Law of 2005 prohibits the sending of electronic mail for the purpose of direct marketing while disguising or concealing the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient can send a request that such communications cease.
International transfer of data
Transfer of data outside the jurisdiction
Transfer of data within the EEA
To the extent data subjects have been properly informed of the transfer, data can be freely transferred within the European Economic Area (EEA).
Transfer of data outside the EEA
In principle, data cannot be transferred outside the EEA, except if the destination country ensures an adequate level of protection for the rights and freedoms of individuals. The European Commission has recognised several countries outside the EEA ensuring an adequate level of protection, a list of which is on its website (http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/index_en.htm).
A data transfer to a country that does not offer an adequate level of protection can still be possible, provided:
The data subject has given his consent.
It is necessary to perform a contract to which the data subject and the data controller are parties, or to enter into this agreement at the data subject's request.
It is necessary for the conclusion or performance of a contract concluded in the data subject's interest between the data controller and a third party.
It is necessary or legally mandatory for reasons of substantial public interest or for establishing, exercising or defending legal rights.
It is necessary to protect the vital interest of the individual.
The data is transferred from a public register.
In addition, transfers outside the EEA can be authorised where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights. Such adequate safeguards may result from appropriate contractual clauses (standard data protection clauses) or binding corporate rules, as recognised by the Article 29 Working Party.
Transfer to the United States
The US is not a country considered to offer an adequate level of data protection. Therefore, any transfer of personal data to the US is subject to restrictions. Until October 2015, in order to ease data flows between the US and the EU, the US-EU Safe Harbor framework allowed transfers of personal data to a business or organisation in the US, provided the recipient adhered to the "safe harbor principles" (Safe Harbor). The Safe Harbor arrangement consisted of data protection principles to which American undertakings could subscribe voluntarily. It was therefore based on the self-assessment and self-certification of private companies.
On 6 October 2015, the ECJ issued its ruling in Schrems v Data Protection Commissioner (Case C-362/14), declaring invalid Commission Decision 2000/520/EC of 26 July 2000, which formed the basis of Safe Harbor transfers between the EU and the US.
As a consequence, companies must now rely on alternative grounds to transfer data to the US, in accordance with the requirements of both the Data Protection Law and Directive 95/46/EC.
An alternative solution has been negotiated between the US and the EU. On 12 July 2016, the European Commission adopted its adequacy decision on the EU-US Privacy Shield. The framework aims to protect the personal data of individuals in the EU transferred to the US. The EU-US Privacy Shield is deemed to ensure an adequate level of protection for personal data transferred to the US and sets out safeguards and limitations on access to that data by US public authorities. Once US companies have had an opportunity to review the framework and update their compliance, they will be able to self-certify with the Department of Commerce.
The Data Protection Law does not provide for an obligation to store specific types of personal data in Luxembourg. However, specific rules apply to:
IT outsourcing in the financial sector, that is, the use of IT sub-contracting by credit institutions (banks) and professionals of the financial sector (PFS).
The retention of some corporate documents at the company's registered office.
Data transfer agreements
Guarantees offered by the data controller can result from appropriate contractual clauses.
The CNPD has not approved standard forms of contractual clauses, but agrees to rely on the standard contractual clauses approved by the Commission (also known as "model clauses"). There are two sets of standard clauses:
The first set includes two model clauses annexed to:
Decision 2004/915/EC on an alternative set of standard contractual clauses for the transfer of personal data to third countries (Data Controller Contractual Clauses Amendment Decision); and
Decision 2001/497/EC on standard contractual clauses for the transfer of personal data to third countries (Data Controller Contractual Clauses Decision).
It refers to transfers where the receiving business will use the data for its own purposes.
The second set is annexed to Decision 2002/16/EC on standard contractual clauses for the transfer of personal data to processors established in third countries (Data Processor Contractual Clauses Decision), since replaced by Decision 2010/87/EU for contracts concluded from 15 May 2010. It relates to transfers to a business which will only use the data under instruction from the transferring business.
These clauses should not be modified: a transfer agreement that departs from the approved text no longer benefits from the Commission's recognition of the clauses as adequate safeguards.
Provided all other requirements of the law are met, a transfer agreement is sufficient.
Multinational organisations can use binding corporate rules (BCRs) to transfer personal data within the group. This is an alternative to the company having to sign standard contractual clauses each time it needs to transfer data to a member of its group, and may be preferable where it becomes too burdensome to sign contractual clauses for each transfer made within a group. BCRs do not provide a basis for transfers made outside the group.
It is the data controller's responsibility to ensure sufficient guarantees are offered relating to protection of data subjects' privacy and freedom, fundamental rights, and exercise of these fundamental rights. Data controllers must convey to the CNPD information about the measures that have been taken to ensure these guarantees (see Question 16). A copy of the relevant parts of these measures including, if any, a copy of the data transfer agreement, must accompany the authorisation request form.
Enforcement and sanctions
The CNPD must ensure proper application of the Data Protection Law. It deals with requests and complaints made by data subjects. It must also further investigate any complaint and can temporarily suspend data processing. It has the power to order deletion or destruction of data, and/or prohibit further processing and report the case to the public prosecutor. The data subjects are kept informed of the follow-up to their complaint.
The CNPD recommends that data subjects file their claims in writing with a detailed explanation of the situation and problems they face.
To perform its responsibilities, the CNPD has power to investigate and collect all necessary information. Notably, it can:
Access any data being processed, to carry out all necessary investigations.
Access premises where data processing takes place.
Block, delete or destroy data being processed, or temporarily or definitively prohibit such processing.
Order partial or total publication of the prohibition in newspapers or other means, at the expense of the sanctioned person.
Engage in legal proceedings to enforce the Data Protection Law.
Criminal and administrative sanctions are provided to enforce the provisions of the Data Protection Law. Criminal sanctions provided by the Data Protection Law for infringement can range from imprisonment for eight days to one year and/or fines from EUR251 to EUR125,000.
In addition, the CNPD can take the following administrative sanctions:
Warn or admonish controllers who have breached the obligations imposed on them concerning the security of processing.
Block, delete or destroy data that has been subject to a processing operation which is contrary to national data protection requirements.
Impose a temporary or definitive ban on a processing operation which is contrary to national data protection requirements, subject to a daily increasing financial penalty as the case may be.
Order publication of the prohibition decision in full or in extracts in newspapers or by any other method, at the cost of the person sanctioned.
The regulatory authority
National Commission for Data Protection (Commission nationale pour la protection des données) (CNPD)
Main areas of responsibility. CNPD is an independent authority. The duties of the CNPD are to:
Ensure implementation of the provisions of the Data Protection Law and its implementing regulations, in particular those relating to the confidentiality and security of processing operations.
Receive notifications before the implementation of a processing operation, and changes affecting the content of those notifications, and to monitor the lawfulness of the processing operations notified.
Publish the processing operations notified to it by keeping an appropriate register, unless otherwise provided.
Authorise the implementation of processing operations.
Be consulted during law-making processes relating to the creation of a data processing operation, as well as to all regulatory or administrative measures issued on the basis of the Data Protection Law.
Present suggestions to the government to simplify and improve the legislative and regulatory framework on personal data processing.
Receive and, where applicable after discussion with their authors, approve codes of conduct relating to a processing operation or a set of processing operations submitted to it by professional associations representing the controllers.
Advise the government on the consequences of developments in information processing technologies regarding individuals' freedoms and fundamental rights.
Regularly promote the dissemination of information relating to data subjects' rights and controllers' obligations, particularly regarding the transfer of data to third countries.
Marielle Stevenot, Partner
Areas of practice. Data protection; contractual and commercial matters (notably for e-commerce and Fintech actors)
Advising an American multinational corporation, which provides internet-related products and services as its representative with the Luxembourg data protection authority while implementing a geolocation project in Luxembourg.
Assisting one of the largest private companies in the US, a global industrial company, in analysing its business activities from a data protection perspective and filing the necessary formalities to ensure legal and administrative compliance with data protection law.
Assisting a global leading insurance group and the largest insurer in the UK, in the framework of the implementation of a professional whistleblowing scheme and more particularly on the relating data protection aspects of this project.
Audrey Rustichelli, Head of Technologies and IP
Areas of practice. Technology and e-commerce; data protection and privacy; IP (notably trade mark litigation and IP licensing)
Charles-Henri Laevens, Senior Associate
Areas of practice. Technology; IP; commercial; data protection and privacy (particularly international data transfers and surveillance in the workplace)