• Insights

Luxembourg – The GDPR one year on

Written by
CASTEGNARO, your partner in labour and employment law in Luxembourg.
This article provides details of the local data protection law introduced in Luxembourg in August 2018 following the entry into force of the GDPR on 25 May last year. 

In Luxembourg, the GDPR was implemented by the Law of 1 August 2018 on the organisation of Luxembourg’s National Commission for Data Protection (‘Commission Nationale pour la Protection des Données’, CNPD) and the general system for protecting data (the ‘Law’). The Law came into force on 20 August 2018.

The Law modifies article L. 261-1 of the Labour Code concerning the monitoring of employees by the employer.

The main changes are set out below.

An employer can process personal data to monitor employees (if it is the responsible party) in the circumstances described in Article 6(1) of the GDPR. This extends the scope of such processing: the old legislation only allowed employers to use a monitoring system in the workplace in five limited circumstances, listed in the Labour Code. The employer also no longer has to secure the prior authorisation of the CNPD.

The employer is still obliged to inform the person in question, as well as the staff delegation or, failing that, the Inspectorate of Labour and Mines in advance of any processing of personal data to monitor employees’ activities.

The Law now specifies what this prior notice should include: a detailed description of the purpose of the planned processing, the process for implementing the monitoring system and, if applicable, the duration and criteria for storing the data as well as a formal commitment by the employer not to use the data collected for any purpose other than the one specifically defined in the notice.

When the employer plans to process data in order to monitor employees, the staff delegation, or failing this the employees concerned, can submit a request for an advance compliance opinion to the CNPD within 15 days of receipt of the notice. The CNPD will have to provide its opinion within a month of the request. The request for an advance compliance opinion has a suspensive effect, meaning the planned monitoring cannot be implemented until the CNPD has given its opinion.

Data processing for monitoring for employee health and safety reasons purposes, for temporarily monitoring the employee’s production or services when this is the only way to determine an exact salary, or for organising work on a flexitime basis is still subject to the co-decision system in accordance with the Labour Code, unless the processing is to fulfil a legal or regulatory obligation.

Since the GDPR and the Law entered into force, the CNPD has received many notifications of data breaches, however no major fines have been imposed yet.

Noémie Haller
Senior Associate - Luxembourg