Organisation of the CNPD and implementation of the GDPR

23 Aug 2018


Lorraine Chéry

Organisation of the CNPD and implementation of the GDPR

The law of 1 August 2018 on the organisation of Luxembourg’s “Commission Nationale pour la Protection des Données” (National Commission for Data Protection, CNPD) and the general system for protecting data was published in Mémorial A no. 686 of 16 August 2018 (hereinafter referred to as “the Law”). The law came into force on 20 August 2018.

The main purpose of the Law is:

  • to supplement the General Data Protection Regulation (GDPR) with specific national provisions, and
  • to adapt the CNPD’s organic law in order to grant it the new powers needed to fulfil the roles assigned to it by the GDPR.

The Law also revokes the provisions of the modified law of 2 August 2002 on the protection of personal data, which have been applicable until now.

In terms of employment law, the Law modifies article L. 261-1 of the Labour Code concerning the monitoring of employees by the employer.

The main changes in this area are:

1) Processing personal data in order to monitor employees is possible by the employer, if it is the responsible party, in the circumstances described in article 6 paragraph 1, letters a) to f) of the GDPR, extending the possibilities of carrying out such processing. In fact, the old legislation only allowed the employer to use a monitoring system in the workplace in 5 limited circumstances, listed in the Labour Code.

The employer no longer has to secure the prior authorisation of the CNPD.

2) The employer is still obliged to give prior information of processing personal data in order to monitor employees’ activities to the person in question, as well as the joint committee, or failing that, the staff delegation or, failing that, the Inspectorate of Labour and Mines.

The Law now specifies the content of this prior information: a detailed description of the purpose of the planned processing, the process for implementing the monitoring system and, if applicable, the duration and criteria for storing the data as well as a formal commitment by the employer not to use the data collected for any purpose other than the one specifically defined in the prior information.

3) When the employer plans process data in order to monitor employees, the staff delegation, or failing this the employees concerned, can, within 15 days of the prior information, submit a request for an advance compliance opinion to the CNPD. The CNPD will have to provide its opinion within a month of the request. The advance compliance opinion has a suspensive effect, which means that the planned monitoring cannot be implemented until the CNPD has given its opinion.

4) The processing of data for monitoring purposes driven by employee health and safety reasons, by temporarily monitoring the employee’s production or services when such a measure is the only way to determine the exact salary, or by organising work on a flexitime basis, is still subjected to the co-decision system, in accordance with the applicable provisions of the Labour Code, unless the processing is to fulfil a legal or regulatory obligation.

Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general system for protecting data