Luxembourg - Data Protection Overview

September 2021

1. Governing Texts

Data protection in Luxembourg is primarily governed by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which has been implemented into Luxembourg law by virtue of the Act of 1 August 2018 on the Organisation of the National Commission for Data Protection and Implementing the GDPR ('the Data Protection Act').

1.1. Key Acts, Regulations, Directives, Bills

On 1 August 2018, Luxembourg adopted two new data protection laws implementing the GDPR and Directive (EU) 2016/680 of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data in Criminal Matters ('Law Enforcement Directive'):

  • the Data Protection Act, which establishes the National Data Protection Commission ('CNPD'), and provides for specific requirements or exceptions with respect to the processing of personal data, thereby complementing the GDPR where permitted; and
  • the Act of 1 August 2018 on the Protection of Individuals with regard to the Processing of Personal Data in Criminal and National Security Matters (only available in French here) ('the Data Protection in Criminal Matters Act'). This law specifically relates to the protection of individuals with regard to the processing of personal data in criminal matters and national security by the competent Luxembourg public authorities.

The above two acts were published on 16 August 2018 in the Official Gazette of Luxembourg (available in French here and here, respectively). The CNPD also lists both on its website but only links to an English translation of the former.

In parallel, Luxembourg also amended the Act of 30 May 2005 on the Protection of Privacy in the Context of Electronic Communications ('ePrivacy Act of 2005'). The ePrivacy Act of 2005 transposes the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('E-Privacy Directive') into national legislation. It governs the protection of personal data in the field of telecommunications and electronic communications.

This overview will mainly focus on the Data Protection Act, which can be considered the most general domestic law regulating the processing of personal data in Luxembourg. The Data Protection Act entered into force on 1 August 2018, thereby repealing and replacing the Act of 2 August 2002 on the Protection of Individuals with regard to the Processing of Personal Data ('2002 Act').

The Data Protection Act is divided into two Titles. The first Title determines the organisation, mission, and competences of the CNPD, whilst the second Title provides for specific rules (either exemptions, prohibitions, or additional requirements) with respect to:

  • the processing of personal data for journalistic, academic, or artistic/literary purposes, laying down exceptions to some of the GDPR requirements in view of facilitating such processing activities;
  • the processing of personal data for scientific research, historical research, or statistical purposes, laying down exceptions to some of the GDPR requirements to facilitate such processing activities, but also introducing specific safeguards to reinforce the protection of data subjects whose personal data is processed in the context of scientific or historical research or for statistical purposes; and
  • the processing of personal data in the context of employees' surveillance, laying down additional requirements to reinforce the protection of employees with respect to the processing of their personal data by their employer for surveillance purposes, thereby amending the Labour Code (only available in French here) ('the Labour Code'); and
  • the processing of genetic personal data by controllers exercising their rights in the field of employment and insurance, establishing a total prohibition in this respect.

Apart from the processing activities listed above, the Data Protection Act does not provide for any further specific rules that would complement, or depart from, the general principles or requirements laid down in the GDPR. There are thus no specific national rules regarding the processing of personal data of children, the notification of data breaches, or the appointment of data protection officers ('DPOs'). From a comparative perspective, the substantive content of the Data Protection Act can therefore be considered rather limited compared to the national laws of neighbouring EU Member States, such as the implementing data protection laws of Belgium, France, and Germany.

1.2. Guidelines

The CNPD has published several guidelines, thematic dossiers, or factsheets with respect to data protection and privacy matters, mainly:

  • Guidance on International Data Transfers, completed by a statement (only available in French here) following the invalidation of the Privacy Shield (formerly used for personal data transfers towards the US);
  • Guidance on the Use of Novel Information and Communication Technologies (available in French here and in German here): this includes, inter alia, guidance on:
    • e-passport;
    • radio-frequency identification ('RFID');
    • cybersurveillance at work;
    • emails;
    • spam and cookies; and
    • social media (including rights and obligations of users and protection of minors);
  • Guidance on Election Campaigns in Conformity with Data Protection Law (available in French here);
  • a factsheet on webcams and connected objects (only available in French here and in German here);
  • an online information dossier on workplace surveillance (available in French or German here);
  • Guidance for Not-For-Profit Associations (only available in French here);
  • Guidance Regarding the Right to Publicity (only available in French here);
  • Guidance Regarding Video Surveillance (only available in French here);
  • Guidance Regarding the Use of Dashcams and Other Mobile Video-Recording Devices (only available in French here); and
  • Recommendations by the CNPD on the Processing of Personal Data in the Context of a Health Crisis (COVID-19).

1.3. Case Law

So far, there is no published case law of the Luxembourg national courts relating to the GDPR or the Data Protection Act.

In the past, however, the Luxembourg labour courts have rendered several judgments in matters of data protection and privacy in the field of employment and video surveillance, pursuant to the 2002 Act. This case law is reflected in the Data Protection Act, which has amended the Labour Code to introduce specific rules in matters of employee surveillance (Article L.261-1 of the Labour Code).

2. Scope of Application

2.1. Personal Scope

The Data Protection Act applies to controllers and processors established in Luxembourg. The Data Protection Act protects living individuals (whether identified or identifiable) whose personal data is processed.

2.2. Territorial Scope

The Data Protection Act applies wherever the GDPR is applicable (for example, in the context of the processing of the personal data of data subjects who are in Luxembourg by a controller or processor located outside of the EU/EEA, if the latter offers goods or services to the concerned data subjects, or monitors their behaviour).

2.3. Material Scope

The Data Protection Act applies to the processing of personal data conducted wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. The terms 'personal data' and 'processing' are defined in the GDPR. Fully anonymised data is not considered personal data and therefore falls outside of the scope of the Data Protection Act. Furthermore, the Data Protection Act does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The supervisory authority is the CNPD (see section 1). The CNPD is a collegiate body operating in the form of a public establishment under the supervision of the Minister for Communications and Media ('the Minister'). Even though the CNPD is under the supervision of the Minister, it acts independently in the exercise of its missions.

3.2. Main powers, duties and responsibilities

At the national level, the CNPD is responsible for promoting and ensuring compliance with the Data Protection Act and the GDPR. The CNPD's duties and responsibilities include:

  • ensuring that data controllers and processors are aware of their obligations under the GDPR and the Data Protection Act;
  • supervising the application of and compliance with the GDPR and the Data Protection Act by controllers and processors;
  • promoting public awareness and understanding of the risks, rules, guarantees, and rights relating to the processing of personal data;
  • advising the Chamber of Deputies, the Government of Luxembourg, and other institutions and bodies on legislative and administrative measures relating to the protection of the rights and freedoms of natural persons with regard to the processing of personal data;
  • providing, upon request, information to data subjects about their rights;
  • managing complaints lodged by data subjects or organisations with respect to the processing of personal data;
  • putting in place effective mechanisms to encourage the confidential reporting of data breaches; and
  • carrying out investigations to assess compliance with data protection law and, where applicable, to take corrective measures against an infringer.

In addition to its national statutory tasks, the CNPD is also responsible for taking part in implementing and supervising observance of data protection and privacy laws at the European and international levels. The CNPD is therefore competent to cooperate with supervisory authorities from other Member States, including as part of cross-border investigations.

Title 1 of the Data Protection Act further determines the main powers of the CNPD. In particular, it should be noted that:

  • the CNPD is granted broad investigation powers (the CNPD may obtain access from any controller or processor to all personal data and information necessary to verify compliance with the GDPR);
  • the CNPD may either issue warnings, or order any controller or processor to bring processing operations into compliance with the provisions of the GDPR, including by ordering the controller or processor to erase or rectify the personal data, or to suspend, limit, or stop the unlawful processing of personal data;
  • the CNPD may impose administrative fines in accordance with the amounts provided in the GDPR (namely, up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher);
  • in order to force a controller or a processor to provide information or to take the corrective measures imposed by the CNPD, the CNPD may also impose periodic penalty payments up to 5% of the average daily turnover in the preceding business year for each day of delay;
  • the CNPD may order the infringer to publish at its own costs (extracts of) any decision or order issued by the CNPD (except for decisions concerning periodic penalty payments); and
  • anyone who knowingly obstructs or prevents the CNPD's missions may be subject to a prison sentence of eight days to one year and/or a fine of €251 to €125,000.

4. Key Definitions

There are no national law variations regarding the definitions listed below. The GDPR provisions apply.

Data controller: There is no national variation. The GDPR definition applies.

Data processor: There is no national variation. The GDPR definition applies.

Personal data: There is no national variation. The GDPR definition applies.

Sensitive data: There is no national variation. The GDPR definition applies.

Health data: There is no national variation. The GDPR definition applies.

Biometric data: There is no national variation. The GDPR definition applies.

Pseudonymisation: There is no national variation. The GDPR definition applies.

5. Legal Bases

5.1. Consent

There is no national variation. The GDPR applies.

5.2. Contract with the Data Subject

There is no national variation. The GDPR applies.

5.3. Legal Obligations

There is no national variation. The GDPR applies.

5.4. Interests of the Data Subject

There is no national variation. The GDPR applies.

5.5. Public Interest

There is no national variation. The GDPR applies.

5.6. Legitimate Interests of the Data Controller

There is no national variation. The GDPR applies.

5.7. Legal Bases in Other Instances

Research Purposes

Article 63 of the Data Protection Act provides that where personal data is processed for scientific or historical research purposes, or for statistical purposes, the controller may derogate from the rights of the data subject under Articles 15 (right of access), 16 (right to rectification), 18 (right to restriction of processing), and 21 (right to object) of the GDPR, to the extent that such rights may render impossible or seriously impede the achievement of those specific purposes.

The controller must however put 'appropriate measures' in place, considering the nature, scope, context, and purpose of the processing, as well as the risks to the rights and freedoms of natural persons.

Article 65 of the Data Protection Act specifically lists such 'appropriate measures' as:

  • the appointment of a DPO;
  • carrying out a Data Protection Impact Assessment ('DPIA');
  • anonymisation, pseudonymisation, or other functional separation measures ensuring that data collected for scientific or historical research purposes, or for statistical purposes, cannot be used to make decisions or actions with regard to the data subjects;
  • the use of a trusted third party independent from the data controller for the anonymisation or pseudonymisation of the data;
  • encryption of the personal data in transit and at rest, as well as key management in accordance with the state of the art;
  • the use of technologies that strengthen the protection of the privacy of data subjects;
  • the implementation of (technical or organisational) restrictions on access to personal data within the controller;
  • log files which establish the reason, date and time of the consultation and the identification of the person who collected, modified, or deleted the personal data;
  • raising awareness among the staff involved in the processing of personal data and ensuring professional secrecy;
  • the regular evaluation of the effectiveness of the technical and organisational measures put in place through an independent audit;
  • prior establishment of a data management plan; and
  • the adherence to sectoral codes of conduct, as provided for in Article 40 of the GDPR.

It is not mandatory for a controller to automatically implement all the measures above when processing personal data for scientific or historical research purposes, or for statistical purposes. However, if some measures are not implemented, the controller must document and justify for each project why those measures were not implemented.

6. Principles

There is no national variation. The GDPR applies.

7. Controller and Processor Obligations

7.1. Data Processing Notification

In accordance with the GDPR, Luxembourg has abolished its prior registration, notification, and authorisation systems. As a consequence, controllers and processors no longer have to register with the CNPD. It is also no longer mandatory for them to ask for the prior authorisation of the CNPD for implementing employee surveillance measures, or for transferring personal data to a third country.

Presently, it is only necessary to notify the CNPD in the following cases:

  • if a data breach has occurred (the data breach notification form is available to download in English here or in French here, and can be sent to [email protected]);
  • if a DPO has been appointed (the DPO declaration form is only available to download in French here, and must be sent to [email protected]); or
  • if, following a DPIA, it has been determined that a prior consultation is necessary in accordance with Article 36 of the GDPR (the request form is only available to download in French here, and must be sent to [email protected]).

7.2. Data Transfers

There is no national variation. The GDPR applies.

7.3. Data Processing Records

There is no national variation. The GDPR applies.

7.4. Data Protection Impact Assessment

There is no national variation. The GDPR applies.

7.5. Data Protection Officer Appointment

There is no national variation. The GDPR applies.

7.6. Data Breach Notification

There is no national variation. The GDPR applies.

7.7. Data Retention

There is no national variation. The GDPR applies.

7.8. Children's Data

The Data Protection Act provides no specific rules regarding the processing of children's data or age of consent. It must therefore be concluded that, in Luxembourg, a person may only give their consent in relation to the processing of their personal data when they are at least 16 years old, as provided by Article 8(1) of the GDPR.

7.9. Special Categories of Personal Data

Regarding special categories of data, and genetic data in particular, Article 66 of the Data Protection Act provides that the processing of genetic data for the purposes of the exercise of the specific rights of the controller in the field of labour law and insurance is prohibited.

Regarding criminal conviction data, as already mentioned (see section 1 above), Luxembourg has adopted a separate law, namely, the Data Protection in Criminal Matters Act, which specifically relates to the protection of individuals with regard to the processing of personal data in criminal matters and national security by the competent Luxembourg public authorities.

In cases where an employer requests from a (prospective) employee an extract from the criminal record of the latter (also sometimes called 'certificate of good conduct'), the Act of 29 March 2013 Concerning the Organisation of the Criminal Record and the Exchange of Information from the Criminal Record between Member States of the EU (only available in French here) (as modified by the Act of 23 July 2016) (only available in French here) ('the Criminal Records Act') applies in parallel to the Data Protection Act and to the GDPR. In this respect, a distinction must be made between prospective or existing employees:

  • for prospective employees, the request must be made in writing, substantiated according to the specific needs of the position, and included in the job offer. If the applicant is not hired, the extract must be deleted/destroyed immediately. If the applicant is hired, the extract must be deleted/destroyed within a month from the formation of the employment contract; or
  • for existing employees, an extract can be requested by the employer from an employee in two cases:
    • if an employee is offered a new position; or
    • if a specific legal provision allows such a request to be made for the purpose of human resources management.

Once obtained, the extract must be deleted/destroyed within two months by the employer.

The information contained in the extract depends on the type of extract that has been sought (Bulletin No. 1, 2, 3, 4 or 5, as defined by Articles 5, 7, 8-1, 8-2 and 8-3 of the Criminal Records Act). Additional conditions may apply in this respect. For example, employers may only request a Bulletin No. 4 (which includes information on offences relating to driving) where a valid driving licence is required in the employment contract and is a prerequisite for the exercise of the professional activity. Similarly, an employer may only request a Bulletin No. 5 (which includes information on offences towards minors) where the professional activity involves regular contact with minors.

Employers infringing the conditions listed above may be sentenced to a prison term of eight days to one year, and/or a fine of €251 to €10,000. If the maximum storage period is not respected (maximum one or two months), employers may also be sentenced to a fine of €251 to €6,000.

7.10. Controller and Processor Contracts

There is no national variation. The GDPR applies.

8. Data Subject Rights

8.1. Right to be informed

Article 62(3) of the Data Protection Act provides for an exception with respect to the information to be provided to data subjects where personal data is processed for journalistic, academic, or artistic/literary purposes. In such a case, it is indeed not necessary to inform the data subjects in accordance with Articles 13 and 14 of the GDPR, when giving such information would compromise the collection of data from the data subject or the publication of the project, or if this would potentially reveal or provide information as to the protected or confidential source of the data.

Article 71 of the Data Protection Act refers to Article L.261-1 of the Labour Code. This Article provides for specific rules with respect to the information to be provided to certain committees, delegations, or bodies representing employees, in the event an employer intends to monitor its employees (surveillance at work). This prior information must contain a detailed description of the purpose(s) of the intended processing, the procedures for implementing the monitoring system and, where applicable, the duration of or criteria for keeping the data, as well as a formal commitment by the employer not to use the data collected for any other purposes.

Furthermore, the staff delegation, or failing that, the employees concerned, may, within 15 days following the prior information, submit a request to obtain a prior opinion from the CNPD relating to the compliance of the intended processing activities with the applicable law. The CNPD must deliver its opinion within one month of the referral. The request lodged by the employees or their representative has a suspensive effect. Furthermore, employees have the right to lodge a complaint with the CNPD regarding surveillance at work, and such a complaint cannot constitute serious or legitimate reason for dismissal.

8.2. Right to access

There is no national variation. The GDPR applies.

8.3. Right to rectification

There is no national variation. The GDPR applies.

8.4. Right to erasure

There is no national variation. The GDPR applies.

8.5. Right to object/opt-out

There is no national variation. The rules of the GDPR and the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('E-Privacy Directive') apply.

8.6. Right to data portability

There is no national variation. The GDPR applies.

8.7. Right not to be subject to automated decision-making

There is no national variation. The GDPR applies.

8.8. Other Rights

Right to restrict processing

There is no national variation. The GDPR applies.

9. Penalties

The CNPD is empowered to impose fines for violations of the Data Protection Act, in accordance with Article 83 of the GDPR. This means that the CNPD may impose administrative fines up to €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Furthermore, anyone who knowingly obstructs or prevents the exercise of the CNPD's mandate may be subject to a prison sentence of eight days to one year and/or a fine of €251 to €125,000.

9.1 Enforcement Decisions

In the two years following the application date of the GDPR, the CNPD mainly encouraged compliance without using its corrective powers. Between March and May 2021, however, the CNPD rendered six decisions imposing corrective measures and inflicting an administrative fine for breach of the applicable data protection rules. These fines ranged from €1,000 to €18,000, and mainly concerned the unlawful processing of personal data in the context of video surveillance. Since then, the CNPD has continued to issue new decisions imposing corrective measures and administrative fines. These decisions have been published and made available on the website of the CNPD.

On 16 July 2021, the CNPD issued a decision against Amazon Europe Core S.à r.l. for breach of the GDPR. The decision imposes corrective measures and a fine of €746 million. This is the largest fine inflicted by any data protection authority in the EU so far. The CNPD has not yet made this decision available to the public.

It can be inferred from the decisions issued by the CNPD since March 2021 that the latter has now entered a new phase with respect to enforcement. The CNPD is now actively making use of its investigative and corrective powers, and in particular of its power to inflict administrative fines for breach of the applicable data protection rules.