The Luxembourg data protection legislation is mainly set forth in the law dated August 2, 2002 (the “2002 Law”), which implements the principles and rules adopted by Directive 95/46/EC.
Technological evolutions and practices have nevertheless demonstrated that this set of legislation is no longer adapted to current needs. The European Council has therefore adopted on April 14, 2016 the Regulation EU 2016/679 (the “General Data Protection Regulation” or “GDPR”), aimed at addressing digital and technological innovations, which will enter into force on May 25, 2018.
Further to the adoption of the GDPR, Luxembourg has launched the draft bill N°7049 in order to specify some aspects and simplify the transition (the “Draft Bill”).
1 Authorization process leaves room for a notification process
The 2002 Law provides that the supervision of employees by technical means (video cameras, tracing of phone conversations, control of the use of the internet and emails, etc.) is only possible on the condition that the data are collected for a specified and legitimate purpose and that their processing is necessary for and strictly linked to that purpose.
Under the current legislation, these conditions are assessed by the Commission Nationale de la Protection de Données (“CNPD”), since any monitoring of data in the workplace has to be authorised before it is implemented.
The main innovation of the Draft Bill is the removal of the prior authorization process and its replacement by a simple notification procedure. From May 25, 2018, each employer will thus be entitled to monitor employees’ emails and phone conversations without requiring an assessment by the CNPD before implementing such supervision.
This innovation is mainly due to the fact that the CNPD will in the coming years change its prerogatives by focusing its missions on a posteriori control, and will see its investigation powers largely extended. Furthermore, such innovation will also permit harmonization at the European level, as Luxembourg is currently one of the only European countries requiring such prior authorization.
The abolition of the prior authorization was widely discussed, since it may jeopardize employees’ privacy rights, leaving the door open to all kinds of abuse.
The Chambre des Salariés issued in November 2016 a very critical opinion and concluded that the removal of the prior authorization was actually driven by a will to reduce costs without taking employees’ interests into account; the Chambre des Salariés was therefore formally opposed to such reform.
But will our workplaces really look like “Big Brother” sets? The answer to this question is of course negative: even if no prior authorization is required under the new regime, employers will still have to make sure that the supervision is legitimate, proportionate, limited and precisely defined as regards its purpose.
Moreover, in order to deter data processors (such as employers) from any abuse, the amounts of the fines have been considerably increased and will, under the new regime, be up to 20 million euros or up to 4% of the worldwide annual turnover of the data processor.
2 Data subjects: The force will be with you
To reassure employees, and all data subjects, it is important to point out that the GDPR has introduced innovations aimed at reinforcing the data subject’s protection.
(a) Establishment of a register
Employers will have to establish a register identifying any processing of data, notably if they:
- have more than 250 employees; or
- process data which can represent a risk for the data subject’s rights and/or freedoms; or
- process data on a regular basis.
Such register will in particular have to identify each data processing operation, the purposes of such processing, any information about transfers of such data to third countries, etc.
The CNPD will be entitled to inspect such register on site and check if the processing is in line with the legal requirements.
(b) Notification of a data breach
Employers will have to notify data breaches to the relevant supervisory authority within 72 hours at the very latest, unless such breaches do not affect the rights and freedoms of the data subject; no doubt such a concept will nevertheless raise interpretation questions and risk assessment issues.
Such notification will notably give the relevant authority the opportunity to question the data processor as regards the security of the processing and will, as the case may be, give it the opportunity to investigate further and to sanction the data processor if any failure is discovered.
Finally, if the data breach raises a high risk for the data subject, the data processor will have to inform the data subject as soon as possible.
(c) Right to lodge a claim
Should data be processed in contravention of the rules set forth by the GDPR, the data subject or any affected party will be entitled to lodge a claim with the supervisory authority of the place where the data are processed, where the data subject resides or where the data subject works. This multiplicity of choices will allow the data subject to choose the most appropriate and adequate authority.
To this end, the CNPD has for instance created a specific website on which the data subject can lodge a claim online; this procedure will thus accelerate the review and processing of claims.
The data subject will also be entitled to bring judicial proceedings against the decision rendered by such national data protection authority.
Furthermore, it is worth mentioning that, unlike Directive 95/46/EC, the GDPR expressly grants the data subject a right to compensation for the pecuniary and non-pecuniary losses suffered.
Finally, it is also worth underlining that the GDPR introduces new concepts such as the right to obtain the erasure of the data, the new right to data portability and the right not to be subject to an automated decision (i.e. a profiling decision).