A Q&A guide to data protection in Luxembourg.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
Directive 95/46/EC on data protection (Data Protection Directive) has been implemented in Luxembourg through the Act of 2002 relating to the protection of individuals in relation to the processing of personal data (2002 Act). The Act aims to protect the freedom and fundamental rights of individuals, and notably their private life, in relation to the processing of their personal data.
The National Commission for the Protection of Data (National Commission) (Commission Nationale pour la Protection des Données (CNPD)) is responsible for enforcing these rules.
The Act of 2005 on the specific provisions for the protection of individuals in relation to the processing of personal data in the electronic communications sector (2005 Act) was adopted, as part of the implementation of the EU "telecom package" in Luxembourg.
There are particular laws and decrees regulating the data processing carried out in specific sectors or by public authorities. For instance, some laws apply to data processing carried out in the framework of the free movement of individuals and immigration or cross-border co-operation. Other laws specifically regulate the access to public files by the judicial authorities or the police or regulate the processing carried out by hospitals in the professional health sector.
The law applies to persons who are identified as a data controller. The data controller is defined as a natural or legal person, public entity, service or any other entity, who alone or jointly with others determines the purposes and the means of personal data processing.
The data controller can be specified by law when the purposes and means of given data processing are also determined by law.
Data controllers can subcontract their responsibilities, but always remain responsible for their legal obligations, as subcontractors can only act under the instructions of a data controller.
The Acts define personal data as any information of any type in any media, including sound and image, relating to an identified or identifiable individual.
An identifiable individual is someone who cannot be identified by the use of certain data, but can be identified if crossed with other data that is in, or has come into, the data controller's possession.
Further, the 2002 Act gives special protection to certain types of data known as sensitive data, that is, relating to:
Racial or ethnic origin.
Religious or philosophical beliefs.
Trade union membership.
Health or sexual preference, including the processing of genetic data (see Question 11).
Only processing of personal data as defined by the 2002 Act is regulated, that is, any operation or set of operations performed on personal data, whether or not by automated means. This includes:
Adaptation or alteration.
Disclosure by transmission, dissemination or otherwise.
Locking, deletion or destruction.
The rules apply to any data processing by a data controller:
Established on Luxembourg's territory.
Not established on Luxembourg's territory or in another EU country, but who has recourse to processing means that are located on Luxembourg's territory (except for processing means used for transit purposes only).
Processing carried out by an individual exclusively for personal or domestic activities is not covered by the 2002 Act.
Data processing for criminal investigations and judicial proceedings are subject to specific rules stemming from:
The Criminal Investigation Code.
The Civil Proceedings Code.
Additionally, certain exemptions apply if necessary to adjust the right to privacy with freedom of speech, relating to data processing exclusively journalistic, artistic or literary purposes.
Depending on the type of data and the purposes of the processing, the data controller may have to comply with some administrative formalities before starting the processing. These formalities consist of prior notification to, or authorisation from, the National Commission.
Prior authorisation only concerns processing operations likely to present specific risks to data subjects' rights and freedoms. Processing subject to prior authorisation from the National Commission includes, for example, processing of genetic data or processing for surveillance at the workplace. Authorisations are requested in hard copy or electronically. No form is available.
The 2002 Act was modified in 2007 and a number of processing operations are now exempt from any prior notification, under certain conditions (for example, management of salaries of persons working for the data controller, management of job applications, and recruitment of the data controller's personnel).
All other processing must be notified to the National Commission before the processing starts. Notification can be done by filing a PDF form in hard copy or electronically.
Any data processing, irrespective of the administrative formalities it is subject to, must at all times comply with the general requirements of the 2002 Act.
The main principles to be complied with by data controllers, before and on an ongoing basis during data processing, can be summarised by the following ten principles of personal data protection, as set out in the brochure Data protection and privacy edited by the National Commission:
Necessity and proportionality.
Accuracy of data.
Security and confidentiality (see Question 14).
Sensitive data is subject to more stringent protection (see Question 11).
Surveillance (and notably surveillance in the workplace) is strictly limited by law.
Use of personal data for advertising or marketing purposes requires permission.
A data subject's consent is not systematically necessary to process personal data. Therefore, the data controller can process data when it falls within one or more of the situations restrictively listed by the 2002 Act, including the consent of data subjects.
If data processing is carried out in relation to surveillance at the workplace, considering the subordination link between an employer and its employees, the data subject's consent is neither necessary nor sufficient to legitimise such processing.
According to the 2002 Act, the data subject's consent does not require a specific form and it seems possible to obtain online consent. However, the consent must be (National Commission):
Specific (that is, given for determined processing).
Informed (that is, the data subject must have given his consent with the full knowledge of the facts).
No provision of the 2002 Act specifically deals with the consent of minors. However, according to Luxembourg law, minors do not generally have the ability to enter into a contract. Therefore, consent by minors to process their data can, under these circumstances, be considered void.
In addition to consent, data processing will also be legitimate in the following five situations; if it is necessary for (2002 Act):
Complying with a legal obligation to which the data controller is subject.
Performing a task carried out in the public interest, or in exercising official authority vested in the controller or in a third party to whom the data is disclosed.
A contract to which the data subject is party, or taking steps at the request of the data subject before entering into a contract.
The purposes of the legitimate interests pursued by the data controller, or by the third party or parties to whom the data is disclosed, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Protecting the data subject's vital interests.
Processing for supervision reasons at the workplace cannot be carried out by the employer if the employer is the controller, except in the following cases (Article L.261-1, Employment Code):
For the safety and health of employees.
For the protection of the company's goods.
For the control of the production process (provided this control only applies to the machines).
For the occasional monitoring of the production process, or of the performance of employees, provided this measure is used to determine the exact salaries.
In the framework of a flexitime working organisation.
The processing of sensitive data is, in principle, prohibited. Sensitive data is defined as data relating to:
Racial or ethnic origin.
Religious or philosophical beliefs.
Trade union membership.
Health or sexual preference, including genetic data.
Processing sensitive data is only permitted in certain limited circumstances (2002 Act):
With the express consent of the data subject.
Processing necessary to comply with the data controller's employment law obligations and specific rights.
Processing necessary to protect the vital interest of the data subject where consent cannot be physically or legally given.
Where the data subject has obviously made the data public.
Processing carried out by certain non-profit organisations.
Processing necessary for establishing or defending legal rights.
The prior information that must be given to data subjects about data processing includes:
The identity of the data controller and its representative, if any.
The purpose(s) of the data processing.
The data or categories of data that are to be processed.
The recipients or categories of recipients to whom such data can be disclosed.
Their rights to access and rectify their data and oppose the data processing, and in this case the consequences of the decision (see Question 13).
Any information that may be deemed necessary to ensure fair data processing, given the circumstances under which the data are collected.
Data subjects must, in addition, be informed about automated decision-making processes.
The information must be transmitted, at the latest, at the time the personal data is:
Collected, if collected directly from the data subjects.
Recorded or disclosed for the first time, if not collected directly from the data subjects.
Data subjects have the right to:
Access and rectify their data.
Oppose the data processing.
Data subjects have the right to access information relating to them, free of charge, at reasonable intervals and without excessive waiting periods. Therefore, the data controller must inform data subjects about any data processing to which they are subject. Data subjects have the right to request from the data controller details about the personal information on record and its use (see Question 12).
Data subjects can also ask the data controller to rectify or delete data which is inaccurate or processed in breach of the 2002 Act, free of charge.
Data subjects can oppose, free of charge, the processing of their data, for legitimate reasons relating to their specific situation.
Data subjects have the right to request the deletion of any of their data which has been processed by a data controller in a manner that does not comply with the 2002 Act. Data subjects can request deletion of their data in particular when:
The data is incomplete or inaccurate.
The data is not collected for determined and legitimate purposes as provided by the 2002 Act and is not subsequently processed consistently with the specified purposes.
The data is inadequate, irrelevant, or excessive with respect to the purposes for which it is collected and subsequently processed.
The data is retained for an excessive period in relation to the purposes for which it was collected.
Data controllers must take all appropriate technical and organisational measures to ensure protection of the data they process against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access, in particular where the processing involves transmitting data over a network, and against any other unlawful processing.
In practice, a data controller must set up different security measures, depending on the risk of privacy breach, the state of the art, and costs relating to the implementation of these measures. Generally, these measures consist of:
Preventing physical and virtual unauthorised access to the data and access to, or use of, the information system where the data is stored.
Monitoring of transmissions, transport and availability of the data.
Under the 2002 Act there is no requirement to notify personal data security breaches to data subjects or the national regulator. However, if requested by the National Commission, a description of these measures, and of any subsequent major change to these measures, must be communicated within 15 days of its request.
However, the 2005 Act provides that in the event of violation of personal data, the provider of electronic communications services must promptly inform the Luxembourg national authority of the violation. When the violation of personal data is likely to adversely affect the personal data or privacy of a subscriber or an individual, the provider must also notify the subscriber or individual concerned of the violation without unnecessary delay.
Notification to the data subject is not required if the provider can prove to the National Commission that he has implemented appropriate technological protective measures to the data concerned.
A written agreement must be entered into between data controllers and their subcontractors. This agreement must ensure that the subcontractors:
Only act on the sole instructions of the data controller.
Are subject to the same obligations to their own subcontractors.
Data controllers must choose subcontractors that provide sufficient guarantees for the security measures to be implemented for the data processing.
The 2005 Act transposes Directive 2009/136/EC on consumer protection and users' rights in relation to the processing of personal data and the protection of privacy in electronic communications (Citizens' Rights Directive). Under the 2005 Act, storing information, or gaining access to information already stored, in the terminal equipment of a subscriber or user is only permitted if the subscriber or user concerned has given his consent, having been provided with clear and comprehensive information, among others, about the purposes of the processing.
In addition, the 2005 Act expressly specifies that:
The methods of providing information and offering the right to refuse must be as user-friendly as possible.
Where it is technically possible and effective, the user's consent to processing can be expressed by appropriate browser or other application settings.
The sending of unsolicited electronic commercial communications is regulated by two different Acts:
The 2005 Act.
The Act of 14 August 2000 on electronic commerce, dealing with the sending of communications by a provider of information society services (E-commerce Act).
According to the E-commerce Act, any provider must obtain prior consent from its potential customers before sending unsolicited commercial communications. When providers obtain the electronic addresses of their customers within the framework of a sale of a product or service, they can use these e-mail addresses and send commercial communications to customers by electronic means. However, providers must allow their customers to oppose, free of charge, the use of their electronic address. Customers must be able to oppose this use at the time of the collection of their e-mail address and during the receipt of any new commercial communications.
Any unsolicited electronic commercial communications must comply with the following conditions:
The commercial communication must be clearly identified as such.
The provider who sends the commercial solicitation must be clearly identified.
Raffles and promotional games must be clearly identified as such, and their conditions of participation must be easily accessible and presented in a precise and unambiguous way.
The 2005 Act prohibits the sending of electronic mail for purposes of direct marketing while disguising or concealing the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient can send a request that such communications cease.
To the extent data subjects have been properly informed of the transfer, data can be freely transferred within the European Economic Area (EEA).
In principle, data cannot be transferred outside the EEA, except if the destination country ensures an adequate level of protection for the rights and freedoms of individuals. The European Commission (Commission) has recognised several countries outside the EEA ensuring an adequate level of protection. The Commission provides a list of these countries on its website (http://ec.europa.eu/justice_home/fsj/privacy/thirdcountries/index_en.htm).
However, a transfer to a country that does not offer an adequate level of protection can still be possible if:
The data subject has given his consent.
It is necessary to perform a contract to which the data subject and the data controller are parties, or to enter into this agreement at the data subject's demand.
It is necessary to perform or conclude a contract with a third party that is in the interest of the data subject.
It is necessary or legally mandatory for reasons of substantial public interest or for establishing, exercising or defending legal rights.
It is necessary to protect the vital interest of the individual.
It comes from a public register.
Transfer of personal data to businesses or organisations in the US is permitted if the recipients adhere to the EU-US Safe Harbor Agreement 2000.
In other circumstances, the data controller must seek authorisation from the National Commission to make the transfer, by offering sufficient safeguard measures. These measures can consist of adopting contractual clauses (see Question 21). Multinational organisations can use binding corporate rules to transfer personal data within the group.
Guarantees offered by the data controller can result from appropriate contractual clauses.
The National Commission has not approved standard forms of contractual clauses, but agrees to rely on the standard contractual clauses approved by the Commission (also known as the "model clauses"). There are two sets of standard clauses:
The first set includes two model clauses annexed to:
Decision 2004/915/EC on an alternative set of standard contractual clauses for the transfer of personal data to third countries (Data Controller Contractual Clauses Amendment Decision); and
Decision 2001/497/EC on standard contractual clauses for the transfer of personal data to third countries (Data Controller Contractual Clauses Decision).
It refers to transfers where the receiving business will use the data for its own purposes.
The second set is annexed to Decision 2002/16/EC on standard contractual clauses for the transfer of personal data to processors established in third countries (Data Processor Contractual Clauses Decision). It relates to transfers to a business which will only use the data under instruction from the transferring business.
Ideally, these clauses should not be modified.
Provided all other requirements of the law are met, a transfer agreement is sufficient.
It is the data controller's responsibility to ensure sufficient guarantees are offered relating to protection of data subjects' privacy and freedom, fundamental rights, and exercise of these fundamental rights. Data controllers must convey to the National Commission information about the measures that have been taken to ensure these guarantees (see Question 16). A copy of the relevant parts of these measures including, if any, a copy of the data transfer agreement, must accompany the authorisation request form.
The National Commission must ensure proper application of the 2002 Act. It deals with requests and complaints made by data subjects. It must also further investigate any complaint and can temporarily suspend data processing. It has the power to order deletion or destruction of data, and/or prohibit further processing and report the case to the public prosecutor. The data subjects are kept informed of the follow-up to their complaint.
The National Commission recommends that data subjects file their claims in writing with a detailed explanation of the situation and problems they face.
To perform its responsibilities, the National Commission has power to investigate and collect all necessary information. Notably, it can:
Access any data being processed, to carry out all necessary investigations.
Access premises where data processing takes place.
Block, delete or destroy data being processed, or temporarily or definitively prohibit such processing.
Order partial or total publication of the prohibition in newspapers or other means, at the expense of the sanctioned person.
Engage in legal proceedings to enforce the 2002 Act.
Criminal and administrative sanctions are provided to enforce the provisions of the 2002 Act.
Criminal sanctions provided by the Act for infringement can range from imprisonment for eight days to one year and/or fines from EUR251 to EUR125,000 (as at 1 March 2012, US$1 was about EUR0.74). In addition, the National Commission can take the following administrative sanctions:
Alert or admonish controllers who have violated the obligations imposed on them concerning security of processing obligations.
Block, delete or destroy data that has been subject to a processing operation which is contrary to national data protection requirements.
Impose a temporary or definitive ban on a processing operation which is contrary to national data protection requirements, subject to a daily increasing financial penalty as the case may be.
Order publication of the prohibition decision in full or in extracts in newspapers or by any other method, at the cost of the person sanctioned.
Main areas of responsibility. The National Commission is an independent authority. The duties of the National Commission are to:
Ensure implementation of the provisions of the 2002 Act and its implementing regulations, in particular those relating to the confidentiality and security of processing operations.
Receive notifications before the implementation of a processing operation, and changes affecting the content of those notifications, and to monitor the lawfulness of the processing operations notified.
Publish the processing operations notified to it by keeping an appropriate register, unless otherwise provided.
Authorise the implementation of processing operations.
Be consulted during law-making processes relating to the creation of a data processing operation, as well as to all regulatory or administrative measures issued on the basis of the 2002 Act.
Present suggestions to the government to simplify and improve the legislative and regulatory framework on personal data processing.
Receive and, where applicable, follow discussions with the authors, approve codes of conduct relating to a processing operation or a set of processing operations submitted to it by professional associations representing the controllers.
Advise the government on the consequences of developments in information processing technologies regarding individuals' freedoms and fundamental rights.
Regularly promote the dissemination of information relating to data subjects' rights and controllers' obligations, particularly regarding the transfer of data to third countries.
Areas of practice. All technology matters (including telecommunications, internet, domain names, digital signature, data protection and legal aspects of IT security); IP and media; outsourcing.
Assisting a leader in e-commerce in the implementation of a global management data processing system worldwide and a project to enhance payment account data security.
Advising a leading cosmetics company on key aspects relating to data protection.
Assisting a well known internet company in determining how to fulfil its obligations under the Luxembourg data protection act and the very complex possible consequences of setting up a worldwide data centre in Luxembourg.
For more details of recent transactions, publications, and so on, see full PLC Which lawyer? profile here.
Areas of practice. Technology matters; IP and compliance with data protection rules; outsourcing agreements; all types of agreement related to IT and IP.
Advising a clothing chain on the implementation of a new customer loyalty programme, with respect to the application of Luxembourg data protection law and notably in light of the Luxembourg data protection authority practice.
Assisting an American broadband and telecommunications company in assessing its compliance with data protection law in relation to its data processing activities.
Advising a leader in premium lifestyle products in relation to consumer protection rules with regards to electronic contracts, most notably deriving from e-commerce.