Luxembourg Publishes Draft GDPR Legislation

The Government of Luxembourg published the draft bill that creates the National Commission for Data Protection (CNPD) and implementation of General Data Protection Regulation (GDPR).

The Bill intends to prepare the legal grounds for the GDPR. This marks the first Bill that complements EU GDPR which will repeal and replace the country’s law of August 2 2002 once adopted. The authorities intend to apply the law in parallel to the Europe’s data protection regulation. Currently, Luxembourgish legal framework concerning data protection depends on the amended law of August 2 2002 regarding the processing of personal data and privacy protection. This Bill was issued in the context of flexibility granted to the EU member states that allow them to take additional local provisions.

The European Commission introduced a reform in 2012 to adapt European legislation to the issues raised by the globalization of communications and technological advancement. This reform was necessitated by the ever-increasing concerns of safeguarding the EU citizens’ personal data. Given GDPR’s widened scope of applicability, EU member countries have some little space to supplement it with local rules. In fulfillment of this obligation, the proposed draft bill completes the EU’s regulation by doing the following:

Adapting the Luxembourgish data protection regulatory authority to the GDPR’s requirements. This authority is the CNPD but with additional powers to execute the missions delineated under the General Data protection regulation.

Giving specific provisions on aspects required by the EU legislation for the adoption of complementary national laws.

Chapter 1: Creation of a new CNPD

The GDPR’s accountability approach gave rise to the new CNPD. This approach obliges data controllers to embrace self-control when processing of personal data. It changes the control process conducted by national data protection authorities. This change moves the process form ex-ante (before the event) control to an ex-post (actual) control. CNPD is in charge of all issues concerning the protection of personal data. The changes in the CNPD were not only necessitated by the introduction of the GDPR but also as a result of strengthening the judicial systems’ autonomy of the EU member states.

The first chapter of this bill confirms the independence of the CNPD and that it assumes the responsibilities of personal data in criminal, public safety, defense, and State security which is currently under the Article 17 Supervisory Authority.

Reinforces the powers and missions of the CNPD. Notably, it gives the CNPD the authority to enforce administrative penalties of up to €20m or up to 4% of the global and annual revenue of the previous year for data breaches.

Chapter 2: The precise provisions required by the GDPR

This chapter of the draft bill deals with the balance between safeguarding of the personal data and:

  1. The right to freedom of expression and information
  2. Processing of personal data for scientific, statistical research, and historical
  3. Processing of sensitive data by medical bodies

Processing of personal data and the right to freedom of expression and information

Through derogation to the GDPR’s general tenet of data protection, personal data processing for the purposes of journalistic, academic, artistic or literary expression will be permitted in Luxembourg under special conditions explained in the Draft Bill. The derogations that facilitate processing of personal data include:

  • Exemption from the prohibitions and restrictions of the GDPR concerning the processing of sensitive data and data relating to criminal convictions and offenses when:
  • The data subject evidently informed the public about the data processed.
  • The data subject’s public life is closely connected to the data.
  • The data has close connection to the event in which the data subject willingly became involved.
  • Exemption from the obligations of the data controller concerning the transfer of personal data to international organizations or third countries.
  • Exemption from the data controller’s responsibility to provide information to the data subjects in cases where personal data is collected form the data controller, under the condition that such responsibility would endanger the collection of such information.
  • Exemption from the data controller’s responsibility to provide information to the data subjects in cases where personal data have not been obtained from the data controller, under the condition that such responsibility would either endanger the collection of personal data, or publication, or informing the public about the data, or would lead to revelation of the source of information.
  • Exemption from the right of access. This is limited to the protection of journalists’ sources.

Processing Personal Data for Scientific, Historical and Statistical Research

Article 57 of the Draft Bill implements GDPR’s derogations under the Luxembourg law. It limits the rights of the data subjects for scientific, historical, and statistical. Article 58 holds that such limitations may only apply if the data controller provides additional protection measures for the rights and freedom of the data subjects.

Processing of sensitive data by health services

Article 59 of the Draft Bill enables the adoption of exemptions contained in GDPR in Articles 9(1) and 9(2). Article 9(1) expresses derogations to processing sensitive data. Article 9(2) outlines exemptions to the derogations. In this regard, the Draft Bill specifies that processing sensitive data carried out by medical authorities when necessary for preventive medicine, medical treatment, or medical care. The sensitive data can also be processed by research bodies, medical authorities, or natural persons after obtaining approval under the legislation governing biomedical research.