Happy World Privacy Day 2019!

CNPD on-site inspections and fines
The Commission Nationale pour la Protection des Données (the “CNPD”) has, until now, adopted a cooperative approach with entities requesting guidance and has, in particular, met representatives of important sectors in Luxembourg.

On-site inspections have been carried out in relation to DPOs (their appointment and the means available to them to carry out their activities) and in response to complaints. The number of complaints has nevertheless been growing exponentially, and the CNPD will mainly focus its audits on certain selected topics. To the best of our knowledge, no fines have yet been imposed, but the CNPD has indicated that the door is open to this possibility, in particular in the event of poor cooperation from audited entities.

If you want to ensure that your organisation is ready to respond to such an on-site inspection, we strongly advise you to implement an appropriate process, which may, for instance, be described in dawn-raid guidelines.

Certification scheme
In addition to a public consultation, the CNPD presented in October 2018 a certification scheme (the “Scheme”) which will give organisations the opportunity to demonstrate, on the basis of an official certification (“Certified Assurance Report based Processing Activities”, or “CARPA”), that a given processing is in line with GDPR requirements. Such a CARPA will be delivered after a thorough audit has been carried out by certification bodies accredited by the CNPD.

The CNPD will continue its work, notably in order to align the Scheme with the EDPB's own guidance on certification, and has made it known that it will communicate the certification criteria to the EDPB after finalising the Scheme - probably towards the beginning of this year.

The challenge of processing for research purposes
The Law of 1 August 2018 relating to the organisation of the CNPD (the “Law”), which implements and complements the GDPR in Luxembourg, introduces specific provisions for the processing of personal data for scientific or historical research purposes and for statistical purposes.

The Law states that twelve additional safeguards shall be implemented by the data controller when carrying out such processing. For instance, in accordance with the Law, the effectiveness of the technical and organisational measures shall be regularly assessed by an independent audit, and the data shall be anonymised or pseudonymised by a trusted third party which is functionally independent from the data controller.

The Law thus creates a heavy burden for bodies carrying out research, from which data controllers may only derogate after having duly documented and justified why one measure or another would not be mandatory in the case at hand.

Monitoring of employees at the workplace
The Law introduces a new Article L. 261-1 of the Luxembourg Labour Code, which lays down specific provisions regarding the processing of personal data for monitoring purposes in the context of the employment relationship.

Following the GDPR's abolition of administrative formalities, employers no longer need to ask for the prior authorisation of the CNPD in order to put in place a monitoring activity of their employees in the workplace. Employers do, nonetheless, need to inform the staff representative bodies (or, in the absence thereof, the Luxembourg Labour Inspectorate) in advance of this monitoring activity. Thereafter, the staff body concerned may ask the CNPD for prior advice on the compliance of the monitoring project (such advice having suspensive effect).

In addition, a data protection impact assessment should, in principle, be carried out before starting the processing, and the monitoring shall be appropriately documented in the record of processing activities.

See also: Nautadutilh Avocats Luxembourg Sàrl (Mr. Vincent Wellens, Ms. Anne-Sophie Morvan)

http://www.nautadutilh.com
