With the entry into force of the European General Data Protection Regulation (hereinafter referred to as the “GDPR”) on 25 May 2018, the topics of data protection and privacy have been heavily publicised across Europe, but also on an international scale. It has frequently been the case that the main focus of the new Regulation was pushed into the background: the individual person whose rights are strengthened is at the centre of the GDPR. The strengthening of these rights is even more important in an increasingly networked society, where the rise of new technologies is gathering, sharing and processing more and more personal information. Networked cities, the Internet of Things, autonomous driving and a sharing economy are all areas where personal data is increasingly being shared. Unfortunately, security breaches, data loss, cyber attacks and privacy breaches have become a reality. The GDPR allows any natural person to control the use of their personal data and, if they consider that the processing of personal data that concerns them violates this Regulation, they may exercise their right to complain to up to three different supervisory authorities, either to the supervisory authority of the Member State of their domicile, the supervisory authority of their place of work or the place of alleged violation.

The core objective of the Luxembourg “Commission nationale pour la protection des données” (“CNPD”) and its 27 counterparts in the European Union is to supervise the application of the GDPR, in order to protect the fundamental rights and freedoms of individuals, and free movement of personal data in the European Union in the event of processing. By means of innovative procedures for cooperation and consistency, national authorities can cooperate with each other transnationally to effectively enforce decisions against multinational controllers or processors.

In the course of the mediatisation, several falsehoods were also spread about the actual requirements of the Regulation. One of the tasks of the CNPD is to correct the myths and misinformation that have circulated in recent months and weeks. Subject to compliance with the provisions laid down in the Regulation, names on doorbell panels need not be removed; day-care centre portfolios may continue to contain photos of children; the traditional wish list for Father Christmas is not forbidden; dentists are still allowed to contact their patients by phone to remind them of their appointments; non-profit organisations and small businesses are not being forced into bankruptcy by the CNPD due to substantial fines, and above all, the consent of data subjects continues to be one of six different legitimacy criteria that allow for data processing.

The objectives of the GDPR, namely to harmonise and modernise the Data Protection Law within Europe, have certainly been achieved. However, with the new approach for Luxembourg of the GDPR, from the a priori control to the a posteriori control, all agents concerned have to undergo a learning process so that they can handle their respective rights and obligations in a globalised world where personal data is the gold of the post-industrial society, and to better understand; in a world where the boundaries between physical-biological reality and digital reality are increasingly merging to form a virtual world that consists of a combination of artificial intelligence, robotics, quantum computers, nanotechnology and genetic engineering. It is very important that this does not create a legal framework in which personal data remains unprotected.

These developments require a solid, transparent and clearly enforceable European data protection framework that allows for a basis of trust between all economic operators, including small and medium-sized enterprises, in order to promote the digital single market. The digital economy can only develop beyond the national and European borders with the confidence of consumers, which is strengthened by the innovations of the GDPR. At the same time, the GDPR should enable individuals to use new technologies on the one hand, but on the other hand to also protect against excessive and unfair processing. Due to the general obligation to guarantee data protection by means of privacy by design and privacy by default, the subject of data protection becomes a basic component of all innovative developments and considerations.

The new accountability principle promotes the individuality and flexibility of individual controllers and processors, but at the same time presents them with new challenges and more extensive documentation requirements.

The work and organisation of the CNPD also needed to be reconsidered and restructured, so that it could fulfil its dual role as an information and advice centre, as well as a supervisory body. In this context, it should not be forgotten that all supervisory authorities are direct witnesses of the digital evolution, which results in a significant change in society and in the daily lives of citizens. Nowadays, it is no longer sufficient to verify that processing activities are in line with the new General Data Protection Regulation, given that one non-negligible factor has been the ethical review of the impact of data processing on the privacy of data subjects and how it can help combat inequalities and injustice in the era of digitisation. These are the key challenges to be faced in the future in the field of data protection.

Finally, the CNPD would like to thank the authors for their significant commitment and expertise in writing this Practical Handbook. Even though the GDPR harmonises the data protection provisions at a European level, nevertheless it contains more than 70 opening clauses that allow the individual Member States to specify more precise regulations in different areas. The Luxembourg Government has seized the opportunity to take into account some characteristics of the national data cosmos. These specific regulations support Luxembourg’s aspirations to position itself as a digital pioneer in Europe. The CNPD is convinced that this Practical Handbook will be of great support to everyone working in the field of data protection and interest groups in their day-to-day work.

With its location in the heart of Europe, its language policy, its multicultural population and its multitude of European institutions, Luxembourg is an example of a modern and pluralistic understanding of a European identity.

At the same time, Luxembourg has become an international business hub, while assuming an important role worldwide. Some multinational corporations have chosen Luxembourg as its headquarters, and many have branch offices in Luxembourg that perform essential functions within the corporate structures.

Considering the economic importance of Luxembourg, it was all the more surprising for us as consultants that we could find no significant literature or practical support in the form of a book in the field of data protection and the GDPR. Our research in the run-up to the preparation of this Practical Handbook confirmed this impression and motivated us to give data protection professionals reliable support in the field of data protection in Luxembourg in the form of a Practical Handbook.

In doing so, the authors combine practical experience and specialist expertise that they convey and contribute, because such a dynamic, vibrant and vital field of consulting like the field of data protection is designed for the discourse of creative practitioners and specialists.

From our consultancy practice with a primarily German-influenced legal and technical background, we experience data protection consulting in Luxembourg as a European enrichment, due to the multinational mixture of the different stakeholders and business models.

This is particularly the case because the National Commission for Data Protection (CNPD) pays particular attention to the European development of data protection, which – by its own admission – pragmatically interprets the protection interests of EU citizens, but also the interests of the companies, to whom the General Data Protection Regulation should provide legal certainty and security in the sense of a unified Europe.

With our consulting practice, we have also gained the impression in recent years that the goal of the GDPR to standardise and harmonise European data protection law is to be experienced by the CNPD and that fragmented national responses do not have as much place in Luxembourg as they do in larger Member States of the European Union. Luxembourg has also only used a few opening clauses and, with the Act of 01 August 2018 on the protection of natural persons with regard to the processing of personal data, has created a flanking legal framework for the processing of personal data in Luxembourg, which is only of marginal legal effect.

The new data protection law, the Act of 1 August 2018, provides specific regulations and exceptions. For example, it deals with the handling of data for scientific and research purposes, regulates the protection of sources for journalists and the handling of health data. The area of employee data protection is also addressed in the Act of 1 August 2018.

Officially accredited translations of the Act of 1 August 2018 into English and German can be found in the respective language version of this book.

Of great value to practitioners is the sample of the Data Protection Declaration that we have included as a source of inspiration.

We thank the many supporters of this book in Luxembourg and other countries of the EU and hope that this book will contribute to some extent to the great idea of Europe that drives us all: A Europe for the people.

The authors are always open to proposals, suggestions and criticism and will be delighted if this Practical Handbook serves as a reference book in daily data protection practice and helps with its practical tips on embarking on data protection pitfalls.

We would like to thank our employees for their active support. Special thanks go to Karoline Penner for the solutions of so many big and small problems and Carolin Buchheit, who supported us with its multilingual content.

Sandra Dury

Martin Kerz

Marcus Dury

One of the main purposes of the General Data Protection Regulation (GDPR) is to protect the privacy of individuals.1 This is all the more important as digitisation further progresses. For example, in Recital 6:

“Rapid technological developments and globalisation have brought new challenges for the protection of personal data.”

The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities.

If we use the internet we automatically disclose information, not just when we are surfing the internet. An increasing number of everyday devices are networked and equipped with voice recognition and video cameras, sometimes without our knowledge. The GDPR is the attempt of the European legislator to counteract the misuse of our data.

Two main points of the GDPR follow from this fundamental knowledge: The justification of data processing in each individual case and ensuring adequate protection of the data during processing itself.

In principle the following applies: Information about an identifiable person (“personal data”) must not be processed by anyone else. “Processing” is understood very broadly in the GDPR and means that as a company you are not allowed to do anything (systematically) with other people’s personal data, unless you comply with the data protection regulations. The GDPR allows processing in certain cases and conditions:2

• • There are cases where the processing of data is necessary, e.g. for the performance of contract with another person (Art. 6 (1)(b) GDPR).
  

• • Likewise, processing may even be mandatory, for example in the event that the factual processor of the data is obliged to do so by the legislator (Art. 6 (1)(c) GDPR).
  

• • In addition, there are cases where processing to achieve vital interests and objectives is permitted, because the processing of the data itself is not significant in comparison to the interests and objectives (e.g. in general societal interests such as public health or science, but also in the case of important economic interests of companies) (Art. 6 (1)(d) (e) and in particular (f) GDPR).
  

• • Finally, the person whose data is processed can allow processing by giving consent (Art. 6 (1)(a) GDPR).
  

Therefore, there is a rule-exception principle, or technically a prohibition subject to permission. The prohibition is the rule that means that in exceptional cases the processing of personal data is allowed.

If you want to process personal data of others, you need one of the aforementioned justifications: a contract, a legal obligation, legitimate interest that outweighs the interests of individuals in the waiver of processing or the explicit consent of the person whose data you want to process.

The GDPR is a protective law for citizens. It also facilitates cooperation with other companies within the EU. The expense of data protection is ultimately an investment in the future. The intention of the European Union to secure privacy with the GDPR is clear: It is about strengthening civil rights in the digitised world.

However, in international competition data protection is also a monetarised distinguishing feature compared to companies from other economic areas. The GDPR is not exclusively a protective law for citizens. By behaving in a manner that is compliant with data protection, business participants invest in the relationship of trust between their business and their customers, suppliers and all the service providers, with whom they work.

The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. (Art. 1 (1)(1) GDPR). This first sentence of the General Data Protection Regulation describes its scope of application and contains some legal terms that require explanation. What exactly is meant by personal data and what is meant by processing?

In order to properly understand data protection in Luxembourg and to be able to correctly implement the legal requirements, it is important to familiarise ourselves with the key terms and the relevant agents (e.g. the CNPD, the controller, the data subjects) and the functions that they can assume. The legal text of the GDPR contains numerous normative terms that will be defined more substantially in the coming years by future jurisdiction of the European Court of Justice. Similarly, the Guidelines of the Joint European Data Protection Board (EDPB)5, which serve as recommendations, can contribute to a common understanding.

In order to facilitate the interpretation and application of the General Data Protection Regulation, the legislator has summarised the definitions of the most important terms in Art. 4 GDPR. Some of the terms used in Article 4, which are frequently used in this Practical Handbook, are discussed in more detail below.

“Personal data” is the most important term in the GDPR and in the Act of 1 August 2018. The scope of application of the GDPR (Art. 2 (1)) and the Act of 1 August 2018 (Art. 1) opens with this. Therefore, data protection provisions only apply if personal data is processed.6

Art. 4 No. 1 GDPR defines personal data as “any information relating to an identified or an identifiable natural person”. What is defined as information is not included in the GDPR. In order to implement data protection as a European fundamental right (Recital 1 (1) GDPR), a broad understanding of the term information has to be presumed.7

The information must have a reference (see b below) to an identifiable or identified (see a below) natural person.

Art. 4 No. 2 GDPR defines the term processing as

• • “… any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
  

In order to process personal data, it is therefore irrelevant if a company collects, records, registers, structures, stores, reads, alters, discloses, communicates, disseminates, erases or even destroys said data. All this comes under processing, each handling of personal data in its entire life cycle, from its collection to destruction.

Even if a company only receives personal data without having collected it personally from data subjects or third parties, this is still deemed a processing operation. The data is saved. In this case, the company must also comply with the provisions of the Data Protection Regulation.

A crucial point as to whether processing that is relevant in terms of data protection regulations takes place, is whether the data is stored in at least one filing system (Art. 2 (1), Recital 15 GDPR). According to Art. 4 No. 5 GDPR, such a filing system is “any structured set of personal data that is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”.10

It is important that the data is recorded in a systematic structured arrangement. This can be a (digital) file, but also another digital or analogue filing structure. In today’s age of progressive digitisation, there is almost always systematic data processing. If an e-mail is sent, then the recipient’s e-mail address inevitably gets into the structured arrangement of the software used.

The following normative terms form the framework or set the scene within which the data protection takes place. The GDPR specifies the specific definition of the roles. The GDPR defines who can take on which role and which rights and obligations are connected with the respective role. In the following, individuals who can take on these roles are called agents.

In order to avoid false interpretations of data protection laws, it is essential that you familiarise yourself with the key concepts of the GDPR. The example of the processor makes this clear: It does not appear from the name itself that these may be other companies that process personal data that is provided by the controller, even if only temporarily. Unless a corresponding processing by order agreement has been concluded, this constitutes a breach of the GDPR in accordance with Art. 28 (1) GDPR (for details on processing by order see chapter 10 of this Practical Handbook). This, in turn, can potentially result in particularly high fines.

The intelligent use of terms that are relevant in terms of data protection regulations helps in communication in the context of data protection. This helps avoid misunderstandings between companies in their data protection roles, while at the same time simplifying cooperation with the CNPD.

In practice, there are questions again and again about the relationship of the GDPR to other data protection laws (national and other EU law) and questions about interpretation. The interpretation is therefore problematic, because the GDPR contains numerous indefinite legal terms and general clauses.

The GDPR is a Regulation of the European Union (Art. 288 (2) TFEU). As such, it is a legally binding legal act that enters into force immediately after the decree, which is universally applicable to the Member States. It is not necessary13 to implement the Regulation into national law of the Member States.

The GDPR prescribes the data protection measures that must be taken at European level. The primary objective of the General Data Protection Regulation is to implement a uniform EU-wide solution for the correct processing of personal data and to regulate the free movement of such data (see Art. 1 (1) GDPR, Recital 10). The purpose of this standardisation, as highlighted in Recitals 2 and 10, is to strengthen the EU internal market in the long term.

The GDPR consists of 99 Articles and 173 Recitals.

Like most legislative acts, the Articles of the Regulation contain facts and legal consequences. On the other hand, the Recitals do not contain a description of the facts or establish legal consequences. The Recitals provide a lot more information on the objectives, background and the (political) intention of the legislator. Furthermore, the Recitals illustrate, justify and defend the Articles to which they refer. Therefore, they are an important interpretation aid in practice. Unlike the Articles, the Recitals are non-binding. However, they are an integral part of the GDPR and the preceded Articles.14

As can already be deduced from its name “Basic Data Protection Regulation”, it regulates European data protection in principle.15 By numerous so-called “opening clauses” the legal text allows the national legislators to adapt and specify the GDPR by means of national regulations to their specific needs and ideas.16

Here are some examples of categories of “opening clauses” in the GDPR and their functions17:

• 1) Possibility of specifying the provisions of the GDPR:
  

“Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of rights and freedoms… in the employment context” (Art. 88 (1) GDPR).

The Luxembourg legislator has specified this provision in Art. 71 of the Act of 1 August 2018 in connection with Art. L 261-1 Labour Code – Processing of personal data for monitoring purposes in the employment context.

• 2) Supplement of selected Articles from the GDPR: “…controllers or processors… [may or, even if the GDPR does not explicitly require this], or, where required by Union or Member State law shall, designate a data protection officer.” (Art. 37 (4) (1) GDPR).
  

The Luxembourg legislator has supplemented this provision by Art. 65 (1) of the Act of 1 August 2018 – Processing for scientific or historical research purposes or for statistical purposes.

• 3) Deviations and exceptions: The rules of the GDPR [are] not applicable insofar as the law of the Member States imposes different legal obligations on the controller. (cf. Art. 85 (2) GDPR18).
  

Once again, the Luxembourg legislator used the opening clause and a divergent national provision in Art. 62 of the Act of 1 August 2018 on the Processing of personal data exclusively for journalistic or scientific, artistic or literary purposes. Further details can be found in Chapter 4 “What is new in the Luxembourg Data Protection Act of 1 August 2018?” on Page 23.

The short description of the so-called “opening clauses” of the GDPR clarifies the order of priority of the laws (so-called hierarchy of standards), which must be observed when working with the laws:

The GDPR is at the top of the hierarchy. It contains EU19 and Member State laws and legal systems.