Final straight for Luxembourg in implementing the European package on Data Protection
A rapid overview of Luxembourg’s latest legislative measures in its preparation for the European package on Data Protection, with a specific focus on the GDPR.
After years of discussion on how to adapt Directive 95/46/EC to better fit the new challenges of our modern society and its massive technological evolution, the EU Member States finally adopted a European Package on Data Protection on 27 April 2016.
This package is actually broader than just the very famous “GDPR”. It contains:
- the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR);
- the Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties and on the free movement of such data;
- the Directive 2016/681 on the use of passenger name record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (PNR).
Though this package was adopted under Luxembourg’s presidency of the European Union, Luxembourg has not yet fully implemented these measures into its legal arsenal.
For now, those three European measures are still in the form of three specific and distinct bills, even for the GDPR despite its direct effect. Indeed, the GDPR still gives the Member States a certain flexibility to adopt additional local provisions and even requires the adoption of complementary national legislation in some cases.
The draft law was issued in this context.
Although a bill (cf. projet de loi n°7049) aiming to adapt our current legislation on data protection had already been introduced on 24 August 2016, it was never presented before the Parliament for a vote and has actually been replaced by a new one (cf. projet de loi n°7184), officially presented on 12 September 2017.
If this bill is adopted, it will end Luxembourg’s current legal framework on data protection, which mainly relies on the amended Law of 2 August 2002, a law that is to be abrogated.
This draft law is to be read in conjunction with the GDPR and confines itself to supplementing this European framework with national provisions when necessary. In this regard, the draft bill completes the GDPR by:
- recreating the legal framework of our current data protection supervisory authority (given the fact it was created per the Law of 2002 that is due to disappear) and adapting it to the requirements of the GDPR by giving it a new orientation and new powers (I),
- providing specific provisions on aspects for which the GDPR allows/requires the adoption of complementary national legislation (II).
I. The new role of the CNPD (Commission Nationale de Protection des Données) (chapter 1 of the bill n°7184)
The accountability approach – that creates an obligation of self-control for data controllers and processors – being one of the major changes induced by the GDPR, it is only normal that the revised role of the CNPD follows and adjusts to such an approach.
As a result, the control process operated by the CNPD is moving from an ex ante control to an ex post control: the bill abolishes the previous obligation for data controllers and/or processors to notify the CNPD of their data processing or even, when applicable, to obtain its prior authorization to process.
The bill also extends CNPD’s competence to the processing of personal data in criminal as well as national security matters.
Last but not least, the new bill strengthens the CNPD’s mission and powers, in particular by introducing the possibility for the CNPD to impose administrative penalties, finally regaining a power that had initially been granted to it in the draft Law of 2002 but was suppressed in its final version.
II. The specific provisions required by the GDPR (chapter 2 of the bill n°7184)
1. According to article 85 of the GDPR, EU Member States must adopt local legislation to find a balance between the right to the protection of personal data and the rules regulating the right to freedom of expression and information, including processing for journalistic purposes as well as academic, artistic or literary expression purposes.
Therefore, article 56 of the bill introduces several derogations to the prohibitions and restrictions of the GDPR (both with regard to the data itself (articles 9 and 10 of the GDPR) and the rights and obligations relating thereto (articles 13 and 14, chapter V of the GDPR)).
2. According to article 89 (2) of the GDPR, EU Member States may provide for derogations from certain rights of the data subject when personal data are processed for scientific or historical research or statistical purposes.
Articles 57 and 58 of the bill are meant to implement such derogations under Luxembourg law. Otherwise it is likely that data subjects’ rights would seriously impair the achievement of those purposes.
In order to be able to process data for such purposes, one must put in place appropriate safeguard measures, which are quite extensively listed in the law (for instance: mandatory DPO, performing an analysis of the impact of the contemplated processing on the protection of personal data, anonymizing and encrypting personal data, implementing log files that establish the purpose, the date and the hour the files were consulted and by whom, etc.).
3. Finally, the last specific provision under this bill concerns the processing of special categories of data by “health services”.
Indeed, while article 9 (1) of the GDPR establishes a general prohibition on processing “special categories of data”, article 9 (2) provides a list of exemptions to this prohibition, and article 59 of the bill was introduced in order to adapt such exemptions under Luxembourg law.
The primary criterion on which this permission to process is based is necessity.
Thus, processing data such as those listed in article 9 (1) of the GDPR can be done when necessary (i) for the purpose of preventive medicine, medical diagnosis, care and treatment, (ii) for medical or scientific research and (iii) for managing health services.
The categories of admissible controllers, which depend on the reasons for processing, are also identified in article 59 of the bill: medical authorities, public bodies, insurers, companies managing pension funds, etc.
More surprisingly, the bill states that, provided their processing is lawful, this kind of data can be communicated to third parties.
For the sake of completeness, it must be pointed out that bill n°7184 is in its first version and is likely to be amended throughout the legislative process.
But for now, these are the specificities of Luxembourg’s data protection law, the rest of it being the GDPR itself.
Article provided by: Cécile Porcher, Avocat à la Cour (Etude Reding)
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org