Data Protection in Luxembourg - Marcus Dury - E-Book

Marcus Dury

Description

This book offers a practical presentation of the special features of data protection law in Luxembourg and the way it interacts with the General Data Protection Regulation (GDPR). The GDPR has been effective since 25 May 2018. It has been obligatory to comply with the new Luxembourg Data Protection Act in all data processing operations that relate to Luxembourg as a supplement to the GDPR since 20 August 2018. In the first part of this book, you can learn what new legal requirements the GDPR and the new Luxembourg Data Protection Act impose on companies in Luxembourg and group structures with relationships to Luxembourg respectively. The second part contains a systematic presentation of the GDPR and the Luxembourg Data Protection Act. The book aims to help you to meet the requirements of data protection law in Luxembourg in everyday corporate life and implement them in practice with as little expense and effort as possible. The book, which also includes the text of the Luxembourg Data Protection Act, is available in three languages: French, English and German. The German and English translations of the legal text have moreover been authorised by the supervisory authority in Luxembourg, the CNPD, so you can be sure that using the translations will not cause any disadvantage as compared with applying the law in its original wording.

Pages: 432

Year of publication: 2019




Data Protection in Luxembourg

Sandra Dury, Marcus Dury and Martin Kerz

Fachmedien Recht und Wirtschaft | dfv Mediengruppe | Frankfurt am Main

Bibliographical data of the German National Library (Deutsche Nationalbibliothek)

The German National Library lists this publication in the German National Bibliography (Deutsche Nationalbibliografie). Detailed bibliographical information is available online at http://dnb.de.

ISBN 978-3-8005-1695-7

© 2019 Deutscher Fachverlag GmbH, Fachmedien Recht und Wirtschaft, Frankfurt am Main

www.ruw.de

This work and all its individual parts are protected by copyright law. Any unauthorized use outside the narrow limitations laid down by copyright law (Urheberrechtsgesetz) is unlawful and liable for prosecution. This applies in particular to reproduction, editing, translation, microfilming and storage and processing in electronic systems.

Printing and production: WIRmachenDRUCK GmbH, Backnang

Printed in Germany

Foreword CNPD

With the entry into force of the European General Data Protection Regulation (hereinafter referred to as the “GDPR”) on 25 May 2018, the topics of data protection and privacy have been heavily publicised across Europe, but also on an international scale. It has frequently been the case that the main focus of the new Regulation was pushed into the background: the individual person whose rights are strengthened is at the centre of the GDPR. The strengthening of these rights is even more important in an increasingly networked society, where the rise of new technologies is gathering, sharing and processing more and more personal information. Networked cities, the Internet of Things, autonomous driving and a sharing economy are all areas where personal data is increasingly being shared. Unfortunately, security breaches, data loss, cyber attacks and privacy breaches have become a reality. The GDPR allows any natural person to control the use of their personal data and, if they consider that the processing of personal data that concerns them violates this Regulation, they may exercise their right to complain to up to three different supervisory authorities, either to the supervisory authority of the Member State of their domicile, the supervisory authority of their place of work or the place of alleged violation.

The core objective of the Luxembourg “Commission nationale pour la protection des données” (“CNPD”) and its 27 counterparts in the European Union is to supervise the application of the GDPR, in order to protect the fundamental rights and freedoms of individuals, and free movement of personal data in the European Union in the event of processing. By means of innovative procedures for cooperation and consistency, national authorities can cooperate with each other transnationally to effectively enforce decisions against multinational controllers or processors.

In the course of the mediatisation, several falsehoods were also spread about the actual requirements of the Regulation. One of the tasks of the CNPD is to correct the myths and misinformation that have circulated in recent months and weeks. Subject to compliance with the provisions laid down in the Regulation, names on doorbell panels need not be removed; day-care centre portfolios may continue to contain photos of children; the traditional wish list for Father Christmas is not forbidden; dentists are still allowed to contact their patients by phone to remind them of their appointments; non-profit organisations and small businesses are not being forced into bankruptcy by the CNPD due to substantial fines, and above all, the consent of data subjects continues to be one of six different legitimacy criteria that allow for data processing.

The objectives of the GDPR, namely to harmonise and modernise the Data Protection Law within Europe, have certainly been achieved. However, with the GDPR’s new approach for Luxembourg, from a priori control to a posteriori control, all agents concerned have to undergo a learning process so that they can handle their respective rights and obligations in a globalised world where personal data is the gold of the post-industrial society, and better understand a world in which the boundaries between physical-biological reality and digital reality are increasingly merging to form a virtual world that consists of a combination of artificial intelligence, robotics, quantum computers, nanotechnology and genetic engineering. It is very important that this does not create a legal framework in which personal data remains unprotected.

These developments require a solid, transparent and clearly enforceable European data protection framework that allows for a basis of trust between all economic operators, including small and medium-sized enterprises, in order to promote the digital single market. The digital economy can only develop beyond the national and European borders with the confidence of consumers, which is strengthened by the innovations of the GDPR. At the same time, the GDPR should enable individuals to use new technologies on the one hand, but on the other hand to also protect against excessive and unfair processing. Due to the general obligation to guarantee data protection by means of privacy by design and privacy by default, the subject of data protection becomes a basic component of all innovative developments and considerations.

The new accountability principle promotes the individuality and flexibility of individual controllers and processors, but at the same time presents them with new challenges and more extensive documentation requirements.

The work and organisation of the CNPD also needed to be reconsidered and restructured, so that it could fulfil its dual role as an information and advice centre, as well as a supervisory body. In this context, it should not be forgotten that all supervisory authorities are direct witnesses of the digital evolution, which results in a significant change in society and in the daily lives of citizens. Nowadays, it is no longer sufficient to verify that processing activities are in line with the new General Data Protection Regulation, given that one non-negligible factor has been the ethical review of the impact of data processing on the privacy of data subjects and how it can help combat inequalities and injustice in the era of digitisation. These are the key challenges to be faced in the future in the field of data protection.

Finally, the CNPD would like to thank the authors for their significant commitment and expertise in writing this Practical Handbook. Even though the GDPR harmonises the data protection provisions at a European level, nevertheless it contains more than 70 opening clauses that allow the individual Member States to specify more precise regulations in different areas. The Luxembourg Government has seized the opportunity to take into account some characteristics of the national data cosmos. These specific regulations support Luxembourg’s aspirations to position itself as a digital pioneer in Europe. The CNPD is convinced that this Practical Handbook will be of great support to everyone working in the field of data protection and interest groups in their day-to-day work.

Esch/Belval, 21 January 2019

Tine A. Larsen

Foreword DURY

With its location in the heart of Europe, its language policy, its multicultural population and its multitude of European institutions, Luxembourg is an example of a modern and pluralistic understanding of a European identity.

At the same time, Luxembourg has become an international business hub, while assuming an important role worldwide. Some multinational corporations have chosen Luxembourg as their headquarters, and many have branch offices in Luxembourg that perform essential functions within the corporate structures.

Considering the economic importance of Luxembourg, it was all the more surprising for us as consultants that we could find no significant literature or practical support in the form of a book in the field of data protection and the GDPR. Our research in the run-up to the preparation of this Practical Handbook confirmed this impression and motivated us to give data protection professionals reliable support in the field of data protection in Luxembourg in the form of a Practical Handbook.

In doing so, the authors combine practical experience and specialist expertise that they convey and contribute, because such a dynamic, vibrant and vital field of consulting like the field of data protection is designed for the discourse of creative practitioners and specialists.

From our consultancy practice with a primarily German-influenced legal and technical background, we experience data protection consulting in Luxembourg as a European enrichment, due to the multinational mixture of the different stakeholders and business models.

This is particularly the case because the National Commission for Data Protection (CNPD) pays particular attention to the European development of data protection, which – by its own admission – pragmatically interprets the protection interests of EU citizens, but also the interests of the companies, to whom the General Data Protection Regulation should provide legal certainty and security in the sense of a unified Europe.

With our consulting practice, we have also gained the impression in recent years that the goal of the GDPR to standardise and harmonise European data protection law is to be experienced by the CNPD and that fragmented national responses do not have as much place in Luxembourg as they do in larger Member States of the European Union. Luxembourg has also only used a few opening clauses and, with the Act of 1 August 2018 on the protection of natural persons with regard to the processing of personal data, has created a flanking legal framework for the processing of personal data in Luxembourg, which is only of marginal legal effect.

The new data protection law, the Act of 1 August 2018, provides specific regulations and exceptions. For example, it deals with the handling of data for scientific and research purposes, regulates the protection of sources for journalists and the handling of health data. The area of employee data protection is also addressed in the Act of 1 August 2018.

Officially accredited translations of the Act of 1 August 2018 into English and German can be found in the respective language version of this book.

Of great value to practitioners is the sample of the Data Protection Declaration that we have included as a source of inspiration.

We thank the many supporters of this book in Luxembourg and other countries of the EU and hope that this book will contribute to some extent to the great idea of Europe that drives us all: A Europe for the people.

The authors are always open to proposals, suggestions and criticism and will be delighted if this Practical Handbook serves as a reference book in daily data protection practice and helps with its practical tips on avoiding data protection pitfalls.

We would like to thank our employees for their active support. Special thanks go to Karoline Penner for the solutions of so many big and small problems and Carolin Buchheit, who supported us with the multilingual content.

Sandra Dury

Martin Kerz

Marcus Dury

Table of Contents

Cover

Titel

Impressum

Foreword CNPD

Foreword DURY

Table of Contents

List of Abbreviations

1. Overview of data protection

1.1. When may personal data be processed?

1.2. What should be done if the processing is justified in accordance with the GDPR?

1.2.1. Ensuring an adequate level of protection

1.2.2. What is deemed adequate protection for the processing of personal data?

1.3. Data protection as a competitive advantage

2. Terms, roles and agents in the GDPR

2.1. Personal data and its processing according to Art. 4 GDPR

2.1.1. Identification

2.1.2. (Lack of) reference to the person

2.1.3. Supplementary

2.2. Processing

2.3. Roles and agents

2.3.1. Data subjects

2.3.2. The controller

2.3.3. The processor

2.3.4. CNPD – The supervisory authority

2.3.5. Third parties and recipients

2.4. How to deal with these terms

3. Working with the laws

3.1. General

3.2. Objectives of the GDPR

3.3. Structure of the GDPR

3.4. Opening clauses

3.5. Interpretation of the GDPR in practice

4. What is new in the Luxembourg Data Protection Act of 1 August 2018?

4.1. New responsibilities and powers for the CNPD

4.2. Fines

4.3. Further authorisations

4.4. Special regulations on the processing of personal data in specific areas

4.5. Particularities in the processing for journalistic or scientific, artistic or literary purposes according to Art. 85 (2) GDPR

4.6. Particularities in the processing of personal data in the context of employment

4.7. Particularities in the processing of personal data for scientific or historical research purposes or for statistical purposes

4.8. Tabular overview

5. Collaboration with the CNPD: Particularities in the Luxembourg Data Protection Act

5.1. Tasks

5.2. Most important change as a result of the Luxembourg Data Protection Act of 1 August 2018

5.3. The CNPD provides information, increases awareness and offers guidance

5.4. How collaboration with the CNPD should take place

5.5. Notification of the Data protection officer, Art. 37 (7) GDPR

5.6. Data Breach Notifications – according to Art. 33 GDPR

5.7. What is a data breach?

5.8. A reporting requirement exists, Art. 33 GDPR

5.9. Content of the notification of data breaches

5.10. Consultation obligation according to Art. 36 GDPR

5.11. What is a Data Protection Impact Assessment?

5.12. EU representative according to Art. 27 GDPR

5.13. What kind of support does the CNPD offer?

5.14. Data Protection Laboratory (DAPRO LAB)

5.15. Controls by the CNPD

6. The data protection officer

6.1. When does a data protection officer have to be designated?

6.2. Who should be selected as data protection officer (internal or external designation)?

6.3. A data protection officer for several companies, Art. 37 (2–4) GDPR

6.4. Which professional and personal skills should the data protection officer have?

6.5. Position of the data protection officer

6.6. Form and term of the designation of the data protection officer

6.7. Notification and publication of the designation of the data protection Officer, Art. 37 (7) GDPR

6.8. The tasks of the data protection officer, Art. 39 GDPR

6.8.1. Informing and advising the controller and processor (Art. 39 (1)(a) GDPR).

6.8.2. Monitoring compliance with data protection (Art. 39 (1)(b) GDPR)

6.8.3. The data protection officer needs information, so that they can take on this task

6.8.4. Advisory function in connection with the Data Protection Impact Assessment (Art. 39 (1)(c) GDPR)

6.8.5. Collaboration with the CNPD, Art. 39 (1)(d) and (e) GDPR

6.8.6. Other tasks of the data protection officer

6.9. How the data protection officer should be presented in the company

6.10. Management as a role model in data protection

7. Record of processing activities

7.1. Why is a record of processing activities necessary?

7.2. Who has to keep a record of processing activities?

7.3. Updating the record

7.4. Necessary content and structure

7.5. Information relating to the whole record

7.6. Designation of processing activities

7.7. Precise purpose description

7.8. Categories of data subjects and processed data

7.9. Disclosure (data transfer)

7.10. Data transfer to third countries

7.11. Erasure periods and technical and organisational measures

7.12. Technical and organisational measures

7.13. The record of processing activities of the processor

7.14. Cooperation with the data protection officer

8. Rights of data subjects – dealing with enquiries

8.1. The right to transparent information

8.2. Formal requirements

8.3. Art. 13 and 14 GDPR: Pro-activity

8.3.1. Documentation of the information requirement

8.3.2. Content of the information requirement

8.3.3. Exceptions of the information requirement

8.3.4. Particular challenge in the information requirement

8.3.5. Further information requirements

8.4. The right to information, Art. 15 GDPR

8.4.1. Extension of the deadline

8.4.2. Refusal of information – identification of the data subject

8.4.3. Free provision of information

8.5. The right to rectification

8.6. The right to erasure of data (right to be forgotten)

8.7. The right to restriction of processing

8.8. Reporting obligations

8.9. The right to data portability

8.10. Right to object

8.11. Automated decisions

9. Data breaches and their consequences

9.1. Risk assessment for data breaches

9.2. Reporting obligations – Notifying the CNPD

9.3. Notification of the data subjects themselves

9.4. The documentation of data breaches

9.5. Consequences for companies in the event of data breaches

10. Processor

10.1. Obligations for the processor

10.2. Selection of processors by the controllers

10.3. Selection of a suitable processor

10.4. Obligations of the processor according to Art. 28 (3) GDPR

10.5. Involvement of subcontractors

11. Data flows within the Group

11.1. When is a data transfer allowed within the Group?

11.2. Processing by order in the Group, Art. 28 GDPR

11.3. Legitimate interests for the data transfer in the Group, Art. 6 (1)(f) GDPR

12. Data protection relating to apps, websites, online shops and other internet services; data export to third countries

12.1. Data protection relating to apps, websites, online shops and other internet services

12.2. Application of the GDPR in internet services

12.3. Overview: Data protection aspects of an online project

12.3.1. Processing of data outside of the EU according to 45 et seq. GDPR and related information requirements

12.3.2. Alternative suitable protective measures according to Art. 46 et seq. GDPR as the legal basis for data transfer

12.3.2.1. Standard data protection clauses as the legal basis for data transfer to a third country in the context of the use of web services on websites of Luxembourg companies

12.3.2.2. Binding Corporate Rules (BCR) – Art. 47 GDPR

12.3.2.3. The GDPR allows for industry-specific codes and data protection certifications

12.3.2.4. The EU-US Privacy Shield as the legal basis for a data transfer to a third country in the context of the use of web services on websites of Luxembourg companies

12.3.2.5. What can you do if you use a web service that is not data protection compliant, but which you would like to (need to) continue to use?

12.4. Data protection and web analysis – use of cookies

12.4.1. Web tracking/the need for cookie banners/requirements for the use of cookies and similar technologies in an online context

12.4.2. Dynamic IP addresses as personal information

12.4.3. Admissibility of establishing cookies in Luxembourg

12.4.4. Future impact of the ePrivacy Regulation

12.4.5. ePrivacy Regulation and external web tracking using the example of Google Analytics

12.4.6. What are the requirements for the declaration of consent to web tracking?

12.5. General requirements for declarations of consent in the online context

12.5.1. Consent to processing of personal data according to Art. 6 (1)(a) GDPR

12.5.2. Consent for processing of special categories of personal data according to Art. 9 (2) GDPR

12.6. Sending of newsletters

12.6.1. Consent for the sending of newsletters – Art. 6 (1)(a) GDPR

12.6.2. Newsletter – principle of data minimisation – Art. 5 (1)(c) GDPR

12.6.3. Newsletter – notice of the possibility to unsubscribe from the newsletter – Art. 21 (4) GDPR

12.6.4. Newsletter – information about the right to object – Art. 21 (2) GDPR

12.6.5. Newsletter web tracking

12.6.6. What is to be considered in the declaration of consent regarding the sending of newsletters and newsletter tracking?

12.7. Principle of data minimisation – Art. 5 (1)(c) GDPR

12.8. Requirements for the content of a data protection declaration

12.8.1. Naming of the controller – Art. 13 (1)(a) GDPR

12.8.2. Information about special features of the website – Art. 12 (1) GDPR

12.8.3. Information on the use of web tracking techniques

12.8.3.1. Fundamental distinction: External web tracking services or self-hosted web tracking services

12.8.3.2. Special features of using Google Tag Manager for web tracking

12.8.4. Information about data exchange with other websites – inclusion of external web services – Art. 13 (1)(c) GDPR

12.8.5. Information on the processing of data outside the EU – Art. 13 (1)(f) GDPR in conjunction with Art. 44 et seq. GDPR

12.8.6. Information on profiling/credit assessment with automated decision making with the conclusion of a contract – Art. 13 (2)(f) GDPR in conjunction with Art. 22 (2)(a) GDPR

12.8.7. Mention of the contact details of the operational data protection officer – Art. 37 (7) GDPR

12.8.8. Information on the rights of data subjects

12.8.8.1. Right to lodge a complaint with a supervisory authority – Art. 77 GDPR

12.8.8.2. Right to information/right to rectification/right to erasure/right to restriction of data – Articles 15, 16, 17, 18 GDPR.

12.8.8.3. Right to object to data processing – Art. 21 GDPR

12.8.8.4. Information on the right to data portability – Art. 20 GDPR (data portability)

12.8.9. Details of the transparency requirement

12.8.9.1. Data protection declaration(s) free of contradictions

12.8.9.2. Clickable links in the data protection declaration – Art. 12 GDPR

12.9. Data protection checklist for websites of companies based in Luxembourg

13. Employee data protection law

13.1. Introduction

13.2. What is new?

13.3. Data protection requirements for the monitoring of employee data according to Art. 71 of the Act of 1 August 2018, L. 261-1 Labour Code:

13.3.1. Fulfilment of at least one general permission according to Art. 6 (1) GDPR (1st requirement)

13.3.2. Art. 6 (1)(a) GDPR (consent)

13.3.3. Data processing to fulfil an employment contract or to initiate an employment contract, Art. 6 (1)(b) GDPR

13.3.4. Data processing is required to fulfil legal obligations, Art. 6 (1)(c) GDPR

13.3.5. Processing is necessary for legitimate interests, Art. 6 (1)(d) GDPR

13.3.6. The data processing for the public interest and exercise of public authority is necessary according to Art. 6 (1)(e).

13.3.7. The processing of personal data is necessary for the protection of legitimate interests, Art. 6 (1)(f) GDPR

13.4. Information requirements of the employer (2nd requirement)

13.5. Voting Rights of the Joint Works Council/Staff Committee, Art. L. 261-1 (4) Labour Code (3rd requirement)

13.6. Opinion of the CNPD, Art. 261-1 (4) Labour Code (4th requirement)

13.7. Rights of employees according to Art. 261-1 (4) Labour Code

13.8. Record of processing activities and Data Protection Impact Assessment

Appendix I – Sample data protection declaration

Appendix II – Data protection tools

a. Luxembourg

b. France

c. Germany

d. The Netherlands

e. Spain

f. Belgium

g. Finland

h. Poland

i. Ireland

j. United Kingdom

Appendix III – The most important terms in three languages

Appendix IV – Act of 1 August 2018 (official translation of the Luxembourg Data Protection Act accredited by the CNPD)

Appendix V – Frequently asked questions (FAQ) on data protection

Keyword index


Bibliography

List of Abbreviations

acc. – according to

Act of 1 August 2018 – Act of 1 August 2018 concerning the organisation of the National Data Protection Commission of the Grand Duchy of Luxembourg and the application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as well as the amendment of the Labour Code and the amended Act of 25 March 2015 on the remuneration regulation, as well as the conditions and modalities of the promotion of government officials

Act of 2 August 2002 – Act of 2 August 2002 on data protection in data processing

AEPD – Agencia Española de Protección de Datos (Spanish Data Protection Authority)

al. – Alinéa (French for paragraph)

Alt. – Alternative

APD – Autorité de protection des données (Belgian Data Protection Authority)

Art. – Article (“Artt.” means several Articles)

BCR – Binding Corporate Rule

BPMN – Business Process Model and Notation

Ca. – Circa

CC: – Carbon Copy (meaning several recipients copied in)

CCSS – Centre commun de la sécurité sociale

CIO – Chief Information Officer

CMO – Chief Marketing Officer

CNIL – Commission Nationale de l’Informatique et des Libertés (French Data Protection Authority)

CNPD – Commission Nationale pour la Protection des Données (Luxembourg Data Protection Commission)

CoC – Code of Conduct

DAPRO LAB – Data Protection Laboratory

Data subject – Data subject

DPA – Data processing agreement

DPIA – Data Protection Impact Assessment

DPMS – Data Protection Management System

DPO – Data protection officer/Délégué à la protection des données

e.g. – for example

ECJ – European Court of Justice

EDPB – European Data Protection Board

E-mail – Electronic Mail

Engl. – English

Etc. – Et cetera

EU – European Union

FAQ – Frequently Asked Questions

Fn. – Footnote

GDPR – General Data Protection Regulation

GPS – Global Positioning System

HIV – Human Immunodeficiency Virus

HR – Human Resources

IaaS – Infrastructure as a Service

ID – Identification number

IP – Internet protocol

ISMS – Information Security Management System

ISO – International Organization for Standardization

IT – Information Technology

LIST – Luxembourg Institute of Science and Technology

lit. – Litera (Latin for letter)

No. – Number

PaaS – Platform as a Service

Para. – Paragraph

PC – Personal Computer

Pdf. – Portable Document Format

PIA – Privacy Impact Assessment

PRISM – Planning tool for Resource Integration, Synchronization, and Management

Recital – Recital

Rev. – Revue

RGPD – Règlement général sur la protection des données

S. – Sentence

S.A. – société anonyme

S.à.r.l. – Société à responsabilité limitée

SaaS – Software as a Service

SME – Small and medium-sized enterprise

USA – United States of America (also U. S.)

WP – Working Papers

XaaS – Anything as a Service

1. Overview of data protection

One of the main purposes of the General Data Protection Regulation (GDPR) is to protect the privacy of individuals.[1] This is all the more important as digitisation further progresses. For example, in Recital 6:

“Rapid technological developments and globalisation have brought new challenges for the protection of personal data.”

The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities.

If we use the internet we automatically disclose information, not just when we are surfing the internet. An increasing number of everyday devices are networked and equipped with voice recognition and video cameras, sometimes without our knowledge. The GDPR is the attempt of the European legislator to counteract the misuse of our data.

Two main points of the GDPR follow from this fundamental knowledge: The justification of data processing in each individual case and ensuring adequate protection of the data during processing itself.

[1] See in particular Recitals 1 to 4 GDPR.

1.1. When may personal data be processed?

In principle the following applies: Information about an identifiable person (“personal data”) must not be processed by anyone else. “Processing” is understood very broadly in the GDPR and means that, as a company, you are not allowed to do anything (systematically) with other people’s personal data unless you comply with the data protection regulations. The GDPR allows processing only in certain cases and under certain conditions:[2]

• There are cases where the processing of data is necessary, e.g. for the performance of a contract with another person (Art. 6 (1)(b) GDPR).

• Likewise, processing may even be mandatory, for example in the event that the factual processor of the data is obliged to do so by the legislator (Art. 6 (1)(c) GDPR).

• In addition, there are cases where processing to achieve vital interests and objectives is permitted, because the processing of the data itself is not significant in comparison to the interests and objectives (e.g. in general societal interests such as public health or science, but also in the case of important economic interests of companies) (Art. 6 (1)(d) (e) and in particular (f) GDPR).

• Finally, the person whose data is processed can allow processing by giving consent (Art. 6 (1)(a) GDPR).

Therefore, there is a rule-exception principle, or technically a prohibition subject to permission: the prohibition is the rule, and only in the exceptional cases listed above is the processing of personal data allowed.

If you want to process personal data of others, you need one of the aforementioned justifications: a contract, a legal obligation, legitimate interest that outweighs the interests of individuals in the waiver of processing or the explicit consent of the person whose data you want to process.

[2] These conditions are mainly laid down in Chapter 2 of the GDPR and in particular in Articles 5 and 6.

1.2. What should be done if the processing is justified in accordance with the GDPR?

1.2.1. Ensuring an adequate level of protection

Since personal data may only be processed in exceptional cases, the security of the data must be guaranteed in these exceptional cases (Art. 24, 32 GDPR). As a European law, the GDPR is available in several languages. The German term for the (data protection) “controller” expresses the special responsibility towards the data subjects involved in data processing: the controller assumes responsibility for the adequate protection of the personal data of the data subject.

1.2.2.What is deemed adequate protection for the processing of personal data?

The GDPR determines that adequate protection of the data depends on the risk to the rights and freedoms of the people whose data is being processed.3 The higher the risk of injury or restriction of people’s rights and freedoms, the greater the need for security measures.

What is meant by rights and freedoms? In Europe, various rights and freedoms are guaranteed by law (in the European Charter of Fundamental Rights or the TFEU);4 for example the right to freedom of expression, freedom of movement, freedom of religion, free choice of profession, equal rights and the principle of non-discrimination. In any case, wherever the GDPR refers to rights and freedoms, these legally guaranteed rights are included as a minimum.

The risk depends on the threat to the rights and freedoms, for example if the data falls into the wrong hands or is made public, and on the likelihood of this threat materialising.

For example, the more severely the right to free choice of profession would be affected by publication of the data, and the more likely it is that the data is published by mistake, the greater the risk to that right.

This of course means that, in the interests of the data subjects, strong security measures must be taken to protect this information.

3

This risk principle is standardised in the GDPR, for example in the following paragraphs: Articles 23; 24(1); 25(1); 27 (2)(a); 30 (5); Art. 32 (1) and (2); 33 (1); 34 (1), (3)(b), (4); 35 (1), (7)(c) and (d), (11); 36 (1) and (2); 39 (2); 49 (1)(a); 70 (1)(h) and in Recitals 51, 74–77, 80, 81, 83–86, 89–91, 94, 96 and 98.

4

See only Recital 1 GDPR.

1.3. Data protection as a competitive advantage

The GDPR is a protective law for citizens. It also facilitates cooperation with other companies within the EU. The expense of data protection is ultimately an investment in the future. The intention of the European Union to secure privacy with the GDPR is clear: It is about strengthening civil rights in the digitised world.

However, in international competition data protection is also a monetarised distinguishing feature compared to companies from other economic areas. The GDPR is not exclusively a protective law for citizens. By behaving in a manner that is compliant with data protection, business participants invest in the relationship of trust between their business and their customers, suppliers and all the service providers, with whom they work.

2. Terms, roles and agents in the GDPR

The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. (Art. 1 (1)(1) GDPR). This first sentence of the General Data Protection Regulation describes its scope of application and contains some legal terms that require explanation. What exactly is meant by personal data and what is meant by processing?

In order to properly understand data protection in Luxembourg and to be able to correctly implement the legal requirements, it is important to familiarise ourselves with the key terms and the relevant agents (e.g. the CNPD, the controller, the data subjects) and the functions that they can assume. The legal text of the GDPR contains numerous normative terms that will be defined more substantially in the coming years by future case law of the European Court of Justice. Similarly, the Guidelines of the Joint European Data Protection Board (EDPB)5, which serve as recommendations, can contribute to a common understanding.

In order to facilitate the interpretation and application of the General Data Protection Regulation, the legislator has summarised the definitions of the most important terms in Art. 4 GDPR. Some of the terms used in Article 4, which are frequently used in this Practical Handbook, are discussed in more detail below.

5

https://edpb.europa.eu/.

2.1. Personal data and its processing according to Art. 4 GDPR

“Personal data” is the most important term in the GDPR and in the Act of 1 August 2018. The scope of application of the GDPR (Art. 2 (1)) and of the Act of 1 August 2018 (Art. 1) is triggered by this term. Therefore, data protection provisions only apply if personal data is processed.6

Art. 4 No. 1 GDPR defines personal data as “any information relating to an identified or an identifiable natural person”. The GDPR does not define what counts as information. In order to implement data protection as a European fundamental right (Recital 1 (1) GDPR), a broad understanding of the term information has to be presumed.7

The information must have a reference (see 2.1.2 below) to an identifiable or identified (see 2.1.1 below) natural person.

2.1.1.Identification

A person is considered identifiable if they can be identified “in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Art. 4 No. 1 Clause 2 GDPR).

“To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller [see below; Note d Ed.] or by another person to identify the natural person directly or indirectly.” (Recital 26 (3) GDPR).

The information that may have a personal reference can therefore itself be used as a means to identify the person. However, it is not the only information that contributes to identification. The identification itself results from the interaction and linking of all information8 that can be accessed by reasonably likely means.

Example

Employees or customers can be identified in the company by individual information or by the combination of various information (e.g. personnel number, customer number, date of birth, address or IP address).

Whether a person can be identified is therefore, as you can see, not a question with a clear-cut answer. It depends on assessments of probability: specifically, the likelihood that a means will be used to obtain further information that can help to identify the person.

Examples for explanation

Imagine that a company creates profiles of customers or prospective customers. From this stored data, it appears that one of the data subjects is a woman who has studied law. In addition, she has played a role in some crime scene episodes and is a columnist in the women’s magazine ‘Brigitte’. She is also a cook, has a Michelin star and was the only woman ever to receive a Bocuse d’Or. She runs her first restaurant in Frisingen. The restaurant is named after her: Léa Linster.

Another person was born under the star sign of Gemini. He has a brother, Fränk, who is not his twin, but has a lot in common with the person. He and his brother were in a documentary film titled The Road Uphill, which was released in 2012. The person was born in the city of Luxembourg and now runs a shop in Itzig. He sells bicycles at this shop. That’s not a coincidence, given that both he and his brother were previously professional road cyclists. He had to give up this profession in 2014, due to a knee injury. In addition to many successes, he won the 2010 Tour de France. His bicycle shop in Itzig bears his name: Andy Schleck Cycles.

With the aid of these examples, the importance of each individual piece of information for the identification of persons becomes clear: in their overall view and combination, they allow unambiguous conclusions to be drawn about the person who is concealed behind the individual pieces of information. Equally important is the context in which the information is available. A single piece of information is never context-independent. It is related to other information that is either already known or publicly available. Léa Linster and Andy Schleck have made a lot of this information public and publicly available. Therefore, both – especially in the age of the Information Society – could be identified relatively quickly.

All these pieces of information, be it the law studies of Mrs. Linster or the star sign of Mr. Schleck, are already personal data in themselves. The decisive factor for the personal reference, and therefore for identifiability, is the context in which the information is available, because the context determines how each individual piece of information contributes to making a person identifiable.

2.1.2.(Lack of) reference to the person

If the person is (in all probability) identifiable, then the information must also be related to this identifiable person. The amount of information with a personal reference is very large. Therefore, it makes sense to exclude any information that does not have a personal reference, for example statements about facts that relate only to things, such as “Luxembourg is the name of a country and the name of a city.” This (true) statement has no relation to an identifiable person.

Similarly, information about groups of people has no personal reference, unless the group is so small that one person within the group could be deduced. This is the case, for example, when a law firm publishes the revenues of all its lawyers and a reader can attribute a particular revenue to a single lawyer from the social context (such as belonging to a particular department that has achieved particularly high or low revenue).

No explicit Luxembourg case law or statement from the CNPD is known on this point.

2.1.3.Supplementary

The term personal data covers a very diverse range of data. Businesses typically process a variety of personal data, such as employee data, customer data, wage data, health data, IP addresses, log data, insurance data and creditworthiness data.

Anonymous9 information cannot be related to any person. Recital 26 GDPR therefore excludes anonymous data from the application of the data protection principles. Similarly, anonymised personal data is excluded. This is data that has been rendered anonymous in such a manner that the data subject is not or no longer identifiable (Recital 26 (5)).

Example of anonymous data

If you record the number of people aged between 18 and 35 who own a smartphone, are dog owners and live in Luxembourg, and no further information is available, no individual can be identified: the number of people who meet these criteria is too large. However, with the help of information from the context, it may be possible to draw conclusions about specific people. Then there may well be a personal reference.
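The group-size reasoning of 2.1.2 and the anonymous-data example above can be turned into a concrete check that a controller runs before releasing a count: group the records by the combination of attributes a reader could know, and see whether any group shrinks to a single person (the “singling out” of Recital 26). The following is an added example and not code from the book; the records are constructed, fictitious people, the attribute names and the threshold k = 5 are assumptions, and a minimum group size is a necessary condition for anonymity, not a sufficient one.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records (fictitious people, not real data). Every record matches
# the coarse criteria from the book's example: 18-35, smartphone owner, dog owner, lives in Luxembourg.
RECORDS: List[Dict[str, object]] = [
    {"age_band": "18-35", "smartphone": True, "dog": True, "country": "LU", "commune": "Frisange",   "birth_year": 1990},
    {"age_band": "18-35", "smartphone": True, "dog": True, "country": "LU", "commune": "Frisange",   "birth_year": 1992},
    {"age_band": "18-35", "smartphone": True, "dog": True, "country": "LU", "commune": "Itzig",      "birth_year": 1985},
    {"age_band": "18-35", "smartphone": True, "dog": True, "country": "LU", "commune": "Itzig",      "birth_year": 1985},
    {"age_band": "18-35", "smartphone": True, "dog": True, "country": "LU", "commune": "Luxembourg", "birth_year": 1990},
    {"age_band": "18-35", "smartphone": True, "dog": True, "country": "LU", "commune": "Luxembourg", "birth_year": 1990},
    {"age_band": "18-35", "smartphone": True, "dog": True, "country": "LU", "commune": "Luxembourg", "birth_year": 1990},
    {"age_band": "18-35", "smartphone": True, "dog": True, "country": "LU", "commune": "Luxembourg", "birth_year": 1991},
]

# Assumed attribute sets: the coarse ones the published count is built on, and
# the extra context a reader of the count may already know about a person.
COARSE = ("age_band", "smartphone", "dog", "country")
FINE = ("commune", "birth_year")

Key = Tuple[object, ...]


def key_of(record: Dict[str, object], quasi_identifiers: Tuple[str, ...]) -> Key:
    """The combination of attribute values a reader could match a person against."""
    return tuple(record[q] for q in quasi_identifiers)


def equivalence_classes(records: List[Dict[str, object]], quasi_identifiers: Tuple[str, ...]) -> Counter:
    """Count how many records share each combination of the chosen attributes."""
    return Counter(key_of(r, quasi_identifiers) for r in records)


def min_k(records: List[Dict[str, object]], quasi_identifiers: Tuple[str, ...]) -> int:
    """Smallest group size; 1 means at least one person is singled out by that combination."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def singled_out(records: List[Dict[str, object]], quasi_identifiers: Tuple[str, ...]) -> List[Dict[str, object]]:
    """Records that are alone in their group, i.e. identifiable from the combination alone."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records if classes[key_of(r, quasi_identifiers)] == 1]


def release_is_anonymous(records: List[Dict[str, object]], quasi_identifiers: Tuple[str, ...], k: int = 5) -> bool:
    """Necessary (not sufficient) pre-release check: every group has at least k members."""
    return min_k(records, quasi_identifiers) >= k


if __name__ == "__main__":
    for label, qi in (("coarse attributes", COARSE), ("coarse + known context", COARSE + FINE)):
        print(f"{label}: smallest group {min_k(RECORDS, qi)}, "
              f"{len(singled_out(RECORDS, qi))} record(s) singled out, "
              f"release ok at k=5: {release_is_anonymous(RECORDS, qi)}")
```

With only the coarse attributes all eight records fall into one group, so the count can be released; once commune and year of birth are added as context, three records become unique and the same population is no longer anonymous. The check says nothing about attribute values that are themselves sensitive or about context the controller has not thought of, which is exactly the point the book makes about the context in which information is available.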

6

More information follows later on regarding the term processing.

7

See also Kühling/Buchner-Klar/Kühling Art. 4 No. 1, Margin No. 8. The term information is also not used in a consistent manner. (see Simitis/Hornung/Spiecker mentioned in Döhmann, Data Protection Law – Karg, Art. 4, Margin No. 26 including further evidence).

8

See also Kühling/Buchner-Klar/Kühling Art. 4 No. 1, Margin No. 19.

9

The adjective anonymous comes from the ancient Greek word ἀνώνυμος, which translates as “without name”.

2.2. Processing

Art. 4 No. 2 GDPR defines the term processing as

• “… any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

It is therefore irrelevant whether a company collects, records, registers, structures, stores, reads, alters, discloses, communicates, disseminates, erases or even destroys personal data: all of this counts as processing, i.e. every handling of personal data over its entire life cycle, from collection to destruction.

Even if a company merely receives personal data without having collected it itself from the data subjects or third parties, this is still deemed a processing operation, because the data is saved. In this case too, the company must comply with the provisions of the Data Protection Regulation.

An example of this

A sales representative from company X gets into a conversation with a person at a trade fair. After an animated conversation, the employee hands over a business card to their interlocutor. A few days later, the person thanks the employee via e-mail for the extremely pleasant exchange. Even if the employee does not explicitly save the data of their interlocutor in their smartphone address book, the e-mail has a personal reference. At the moment the e-mail arrives at the recipient’s mail server, the e-mail address and the content of the e-mail are saved. This means that processing has taken place in company X’s IT system. Even if the sales representative immediately deletes the message received from their trade fair contact, the contact’s e-mail address may still be on the company server in an address book and will thereby continue to be “processed” in a way that is relevant for data protection.

A crucial point as to whether processing that is relevant in terms of data protection regulations takes place, is whether the data is stored in at least one filing system (Art. 2 (1), Recital 15 GDPR). According to Art. 4 No. 5 GDPR, such a filing system is “any structured set of personal data that is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”.10

Examples

A collection of handwritten notes without any structure on a desk is not deemed as processing that is relevant in terms of data protection regulations, even if names or telephone numbers are recorded in the notes.

Handwritten notes from telephone calls, which have a recurring structure for the execution of responsibilities (e.g. the caller, date and time of the call and the essential content) are significant in terms of data protection regulations due to their structured nature.

It is important that the data is recorded in a systematic structured arrangement. This can be a (digital) file, but also another digital or analogue filing structure. In today’s age of progressive digitisation, there is almost always systematic data processing. If an e-mail is sent, then the recipient’s e-mail address inevitably gets into the structured arrangement of the software used.

10

It does not matter whether it involves automated or non-automated processing.

2.3. Roles and agents

The following normative terms form the framework or set the scene within which data protection takes place. The GDPR specifies the definition of each role: it defines who can take on which role and which rights and obligations are connected with the respective role. In the following, the individuals who can take on these roles are called agents.

2.3.1.Data subjects

The data subject is any identified or identifiable natural person (Art. 4 No. 1 GDPR). It has already been explained above (2.1 on Page 5) when a person is deemed identifiable.

2.3.2.The controller

The controller is the counterpart of the data subject. Whenever personal data is processed, there must be a controller who assumes the responsibility and is ultimately responsible for processing the data adequately (meaning GDPR compliant).11 The controller may be a natural person as well as a legal person, such as a company, a government authority, an association or another organisation. The GDPR goes even further: any establishment or body can be a controller.

What does that mean in specific terms? In economic terms, every company can be a controller. Individual employees of companies are not themselves responsible for data protection; their respective employer is. This only changes for an employee if they process personal data of a data subject for their own purposes, beyond the control of their employer.12 In terms of content, Art. 4 No. 7 GDPR lays down the characteristic that qualifies a controller: whether they “alone or jointly with others determine the purposes and means of the processing of personal data”. The essential criterion is therefore the (independent) decision-making power regarding the purpose of the data processing and the means with which it takes place. If the focus is placed on the decision-making authority regarding the means and purposes of the processing, it becomes clear why this person is called the controller in English. Ultimately, it is the controller who has control (the controlling decision-making power) over the data processing, and therefore the designation as controller is fitting.

Examples

A sole trader stores their customers’ contact details and purchasing volumes in a database (the means of processing, the type and the way) in order to be able to submit customised offers to customers in the future that are tailored to their needs (the purpose of the processing).

A handwritten file is kept in a dental practice, in which the condition and course of treatment for the patient’s teeth are documented (the means of processing, the type and the way). The purpose of this file is to comply with the legal and statutory duty of documentation. Likewise, the file helps the attending physician to quickly gain an overview of the condition of their patient’s teeth and also serves as a reference for the treatment of the patients (the purpose of the processing, the purpose for it).

In the corporate environment, the controller is often a legal person, for example, a corporation such as a limited liability company, public limited company, partnership or an organic market participant. In the case of a sole proprietorship, sole traders, self-employed persons or freelancers, the proprietor or owner is responsible for the handling of this data.

The controller is responsible for all legal obligations concerning the implementation (above all according to Art. 5 and chapter 3 of the GDPR), justification (above all according to Art. 6 to 11 GDPR) and protection (above all chapters 4 and 5 GDPR) of the processing of personal data. Accordingly, the controller is also the recipient of any possible fines and is liable under civil law according to Art. 82 (1) GDPR for breaches of the Regulation (Art. 82 to 84 GDPR).

These various behavioural and liability obligations cannot be relinquished by the controller to individual employees or external service providers (such as an external data protection officer, see chapter 6 in this Practical Handbook). However, recourse claims in the case of incorrect advice by the data protection officer are possible.

Example

An employee of a company incorrectly deals with customer data. The employee was not informed about how the customer’s personal data should be processed in accordance with the GDPR. In this case, the employer is liable for the improper processing of personal data. The company cannot pass on liability to its employees. It must take full responsibility for the misconduct of its employee in the external relationship.

Recourse claims and employment sanctions are, however, not excluded in the internal relationship with the employee. Any such recourse does not change the responsibility of the controller.

It should be noted that in some parts this book puts the company in the limelight when referring to the controller. Of course, most of the explanations are also applicable to other controllers. As this is a Practical Handbook, the focus has been placed in some parts on companies as controllers.

2.3.3.The processor

The trio of the most important roles in data protection is completed by the role of the processor. The circle of addressees who can take on this function is the same as in the role of the controller.

The processor processes personal data “on behalf of the controller” (Art. 4 No. 8 GDPR). Therefore, the role of the processor presupposes that the role of the controller is already filled. The processor only ever acts as the third actor in a triangular constellation, if and only if a

1. controller has determined the means and purposes of the data processing of a

2. data subject and does not carry out this processing themselves,

3. but rather assigns this task to a processor.

The decisive feature of the processor is that while they perform processing activities for another controller, they themselves cannot decide on the means and purposes of the processing. They are subject to the instructions given by the controller. If they make unauthorised decisions about the means and purposes of the processing, they become the controller.

Example

A company commissions a printing company to send mail to customers. For this purpose, the marketing department sends an Excel spreadsheet with the recipient addresses to the printing company. The printing company prints the letters and puts them in envelopes, which in turn have had the customer addresses and franking stamps printed on them. Afterwards, the letters are picked up by the mail carrier from the printing company.

The processor also has a number of obligations to fulfil. However, the fact that they only carry out the instructions given by the controller means that their obligations relate only to the dutiful execution of those instructions and the adequate protection of the data in accordance with the general provisions of the GDPR (Art. 32). Accordingly, the processor’s fines and liability risks are limited to these specific duties, and only with regard to processing on behalf of a controller.

Warning

Of course, a company that performs processing on behalf of a controller is responsible for the processing of personal data of its employees.

You can read about the particularities in the relationship between the controller and the processor in chapter 10 on Page 117 on processing on behalf of the controller.

2.3.4.CNPD – The supervisory authority

The supervisory authority – the National Data Protection Commission (CNPD) – has a special role. This is laid down in the sixth chapter of the GDPR (Art. 51 to 59) and in the first chapter of the Act of 1 August 2018 (Art. 1 to 55). Accordingly, the CNPD is an independent government agency whose main task is to monitor compliance with data protection legislation.

How cooperation with the CNPD must take place in Luxembourg and what companies in Luxembourg must comply with in the area of data protection is described in detail in chapter 4.

2.3.5.Third parties and recipients

Another important role is the so-called third party