What Needs to be Done Prior to Collection
Contact the data subject
Contact the Commission
Article 26 The data subject’s right to information
(1) When the data is collected directly from the data subject, the controller must supply the data subject, no later than the point at which the data is collected and regardless of the type of media used, with the following information unless the data subject has already been informed thereof:
(a) the identity of the controller and of his representative, if any;
(b) the purpose or purposes of the processing for which the data is intended;
(c) any further information such as
- the recipients or categories of recipients to whom the data might be disclosed;
- whether answering the questions is compulsory or voluntary, as well as the possible consequences of failure to answer;
- the existence of the right of access to data concerning him and the right to rectify them inasmuch as, in view of the specific circumstances in which the data is collected, this additional information is necessary to ensure the fair processing of the data in respect of the data subject;
(…) abolished by the Law of 27 July 2007
(Law of 27 July 2007)
“inasmuch as, in view of the specific circumstances in which the data is collected, this additional information is necessary to ensure the fair processing of the data in respect of the data subject.”
(2) Where the data has not been obtained from the data subject, the controller must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data is first disclosed, provide the data subject with the following information, except where the data subject already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purpose or purposes of the processing for which the data is intended;
(c) any further information such as
- the categories of data concerned;
- the recipients or categories of recipient of the data to whom the data might be disclosed;
- the existence of the right of access to data concerning him and the right to rectify them;
(…) abolished by the Law of 27 July 2007
(Law of 27 July 2007)
“inasmuch as, in view of the specific circumstances in which the data is collected, this additional information is necessary to ensure the fair processing of the data in respect of the data subject.”
(3) Any party who is in breach of the provisions of this article will be liable to a prison sentence of between eight days and one year and a fine of 251 to 125,000 euros or only one of these penalties. The court hearing the case may order the discontinuance of processing that is contrary to the provisions of this Article, subject to a financial penalty the maximum amount of which will be set by the said court.
Contact the Commission
Article 12 Prior notification to the Commission Nationale
(1) (a) Apart from cases that fall within the scope of the provisions of Articles 8, 14 and 17, the controller will notify the Commission Nationale of the processing of data beforehand.
(b) Processing operations carried out by a single controller that are for identical or interlinked purposes may be contained in a single notification. In this case, the information required under Article 13 will be supplied for each processing operation only where it is specific to that operation.
“(2) The following are exempt from the obligation to notify:
(a) processing, unless for the supervision purposes referred to in Article 10 above and Article L.261-1 of the Employment Code, carried out by the controller if that person appoints a data protection official. The data protection official shall be responsible for establishing and forwarding to the Commission Nationale a register listing the processing operations carried out by the controller except those exempt from notification in accordance with paragraph (3) of the present Article and in accordance with the provisions relating to the disclosure of processing operations as provided under Article 15;
(b) processing operations for the sole purpose of keeping a register which, under a legal provision, is intended for public information purposes and which is open to consultation either by the public in general or by any person demonstrating a legitimate interest;
(c) processing operations carried out by lawyers, notaries and process-servers and necessary to acknowledge, exercise or defend a right at law;
(d) processing carried out solely for journalistic, artistic or literary expression referred to in Article 9;
(e) processing necessary to protect the vital interests of the data subject or of another where the data subject is physically or legally incapable of giving his consent;
(3) The following are also exempt from the obligation to notify:
(a) The processing of data relating exclusively to personal data necessary for the administration of the salaries of persons in the service of or working for the controller, inasmuch as this data is used exclusively for the said administration of salaries and is only communicated to such persons as are entitled.
(b) The processing of data relating exclusively to the management of applications and recruitments and the administration of the staff in the service of or working for the controller.
The processing may not cover data on the health of the data subject, or sensitive or legal data within the meaning of Articles 6 and 8 of the Law, or data intended for assessing the data subject.
Such data may not be communicated to third parties except in the context of application of a provision of law or regulation, or if they are essential to achieving the objectives of the processing.
(c) The processing of data relating exclusively to the controller’s bookkeeping, inasmuch as this data is used exclusively for such bookkeeping and the processing covers only the persons whose data is necessary for the bookkeeping.
Such data may not be communicated to third parties except in the context of application of a provision of regulation or law, or if such communication is essential to the bookkeeping.
(d) The processing of data referring exclusively to the administration of shareholders, debenture holders and partners, inasmuch as the processing covers solely the data necessary for such administration, the data covers only those persons whose data is necessary for such administration, and the data is not communicated to any third party except in the context of application of a provision of law or regulation.
(e) The processing of data relating exclusively to the management of the controller’s client or supplier base.
The processing may only cover the controller’s potential, current or former clients or suppliers.
The processing may not cover either data relating to the health of the data subject or sensitive or legal data within the meaning of Articles 6 and 8.
(f) The processing of data carried out by a foundation, an association or any other non-profit-seeking organization in the context of their ordinary activities.
The processing must refer exclusively to the administration of its own members, persons with whom the controller maintains regular contact, or benefactors of the foundation, association or organization.
This data may not be communicated to any third party except in the context of the application of a provision of law or regulation.
(g) The processing of identification data essential for communication carried out with the sole purpose of entering into contact with the party concerned, inasmuch as this data is not communicated to any third party.
Letter (g) shall only apply to the processing of data not covered by any of the other provisions of the present Law.
(h) The processing of data related exclusively to the recording of visitors carried out in the context of manual access control insofar as the data processed is restricted to only the name and business address of the visitor, his/her employer, his/her vehicle, the name, department and function of the person visited, and the time and date of the visit.
This data may only be used exclusively for manual access control.
(i) The processing of data carried out by educational establishments with a view to managing their relations with their pupils or students.
Processing covers exclusively data of a personal nature concerning potential, current or former pupils or students of the educational establishment.
This data may not be communicated to any third party except in the context of application of a provision of law or regulation.
(j) The processing of data of a personal nature carried out by administrative authorities if the processing is subject to specific regulations adopted by or by virtue of the law regulating access to the data processed and its use and the manner in which it is obtained.
(k) The processing of data of a personal nature necessary for the management of computerised and electronic communications systems and networks provided that it is not carried out for the purpose of supervision within the meaning of Article 10 and Article 11 (new).
(l) Processing carried out in accordance with Article 36 of the Law of 28 August 1998 on hospitals, except for the processing of genetic data.
(m) Processing carried out in accordance with Article 7, paragraph (1) of the present Law by a doctor concerning his/her patients, except for the processing of genetic data.
(n) Processing carried out by a pharmacist or a professional subject to the amended Law of 26 March 1992 on the exercise and enhancement of certain health professions. The processing of data of a personal nature relates exclusively to the supply of medicines and care or services provided. This data may not be communicated to a third party except in the context of the application of a provision of law or regulation.”
(4) Any party that does not carry out the obligation to notify or supplies incomplete or inaccurate information is liable to a fine of between 251 and 125,000 euros. The court hearing the case may order the discontinuance of processing that is contrary to the provisions of this Article, subject to a financial penalty the maximum amount of which will be set by the said court.
Article 13 Content and form of the notification
(1) The notification will include at least the following information:
(a) the name and address of the controller and of his representative (…), if any;
(b) the cause of legitimacy of the processing;
(c) the purpose or purposes of the processing;
(d) a description of the category or categories of data subjects and of the data or categories of data relating to them;
(e) the recipients or categories of recipients to whom the data might be disclosed;
(f) the third countries to which it is proposed to transfer the data;
(g) a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Articles 22 and 23 to ensure security of processing.
(2) Any amendment affecting the information stated in paragraph (1) must be notified to the Commission Nationale prior to the processing.
(3) Notification will be made to the Commission Nationale on paper accompanied, as appropriate, by a computerised document or an electronic transmission in a manner that it will establish. Acknowledgement of receipt of notification will be given.
A Luxembourg regulation sets forth the amount and methods of payment of the fee to be collected for any notification and amendment to a notification.
(4) Processing operations that have a single purpose relating to categories of identical data and intended for the same recipients or categories of recipients may be covered by a single notification to the Commission Nationale. In this case, the controller for each processing operation sends the Commission Nationale a formal undertaking of its compliance with the description that appears in the notification.”
There is a fee for notification – details are on the website