Privireal: Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Luxembourg - Data Protection

History of Data Protection in LUXEMBOURG

Luxembourg's first personal data legislation was the Act concerning the Use of Nominal Data in Computer Processing. This was adopted in 1979.

A decree of August 1979 created the Commission à la protection des données nominatives. The role of the Commission is to oversee the law and manage the National Register of Databanks alongside the Minister of Justice.

The Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data implemented Directive 95/46/EC. The 2002 Act created a new data protection authority, the Commission nationale pour la protection des données, also known as the CNPD. The CNPD became operative on December 12 2002. It controls the processing of personal data in Luxembourg, and ensures compliance with the data protection regulations.

Summary of Data Protection in LUXEMBOURG

Title of Data Protection Legislation: Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data (in French)
Name of supervisory authority: Commission à la Protection des Données Nominatives
General Powers of supervisory authority: Article 32(3) of the Law of 2 August 2002 sets out the duties of the Commission. The key duty is 32(3)(a) "to ensure implementation of the provisions of this Law and its implementing regulations, in particular those relating to the confidentiality and security of processing operations". Article 33(1) sets out the administrative sanctions that the Commission can take. These are:
"(a) alert or admonish controllers who have violated the obligations imposed upon them by Articles 21 to 24;
(b) block, delete or destroy data that have been subject to a processing operation contrary to the provisions of this Law or its implementing regulations;
(c) impose a temporary or definitive ban on a processing operation that is contrary to the provisions of this Law or to its implementing regulations;
(d) order publication of the prohibition decision in full or in extracts in newspapers or by any other method, at the cost of the person sanctioned".
Who has standing to notify the supervisory authority of breaches? Anybody
What are the penalties for data controllers if they breach the law? Article 6(5) of the 2002 law states that controllers who breach the regulations regarding processing or notifying a third party are liable to a fine or imprisonment. The same penalties apply to unlawful processing by the health services (Article 7(5)), unlawful processing of legal data (Article 8(4)), unlawful processing of data collected during surveillance operations (Article 10(4)), and surveillance operations in the workplace (Article 11(3)). If prior notification is not given, then the same penalties apply, and processing operations can be stopped (Article 12).
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Article 2(e) of the Luxembourg Data Protection Law defines personal data as "any information of any type regardless of the type of medium, including sound and image, relating to an identified or identifiable person ('data subject'); a natural or legal person will be considered to be identifiable if they can be identified, directly or indirectly, in particular by reference to an identification number or one or more factors specific to their physical, physiological, genetic, mental, cultural, social or economic, identity". There are no other references to it in the law, so it is presumably to be treated as normal personal data.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.
Does the Data Protection Legislation cover the deceased? The legislation uses the term "natural person". It is unclear whether this would be interpreted to include the deceased.
Who is able to indirectly identify the data subject? Anybody
