The Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) which entered into force in May 2018 provides for the possibility for the EU Member States to adopt additional rules and provisions with respect to certain specific matters. In that respect the Luxembourg legislator has adopted the Law of 1 August 2018 on the organisation of the Commission Nationale pour la Protection des Données and the general data protection regime, meaning Luxembourg complements GDPR with its new Law.
The Luxembourg GDPR Law (i) provides for more details about the mission, procedure and competences (including regarding sanction powers) of the CNPD in its capacity as national supervisory authority, as well as provisions on its internal organisation and (ii) introduces provisions regarding certain specific processing situations, in particular with respect to:
- Processing and freedom of expression and information where Luxembourg applies an exception for personal data processing for journalistic purposes and the purposes of academic, artistic or literary expression.
- Processing for scientific or historical research purposes or for statistical purposes. The Luxembourg GDPR Law provides that where the controller implements appropriate additional measures to ensure the safeguarding of the rights and freedoms of the data subject it may process special categories of data in the context of Article 9 2 j) of the GDPR and may derogate from certain rights of the data subject if such rights would prevent or seriously hinder the achievement of the research project. The Law provides for list of the appropriate additional measures.
- Processing of genetic data for the purpose of exercising the rights of the controller in respect of labour law and insurance. The Law prohibits such processing.
- Processing in the context of employment. The Law amends the current provisions of the Labour Code regarding processing of personal data for monitoring purposes and introduces a prior mandatory information procedure to be completed by the employer towards the professional staff representative bodies other competent bodies. The staff delegation or employees can request the prior opinion of the CNPD on the conformity of the intended processing for monitoring purposes. The Law also provides that employees may lodge a complaint before the CNPD in relation to the proposed monitoring.
The provisions introduced in relation to specific processing situations (see (ii) above) are only applicable to controllers and processors established on Luxembourg territory.
This article was originally published by aphaia.
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.