TRILANTICServicesSectorsPartnersResourcesAbout UsContact Us
Case StudiesTRILANTIC NewsletterFree Trial with your DataCost Savings CalculatorAsk The Experts
Document Library
Industrial Links
Glossary
News ReleasesFeatured Articles
Media KitForthcoming EventsEuropean Data Protection Rules

LUXEMBOURG

 

The Commission Nationale pour la Protection des donnees website:

http://translate.google.co.uk/translate?hl=en&sl=fr&u=http://www.cnpd.public.lu/&ei=i2pRTMu-FYXw0wSklOTyAg&sa=X&oi=translate&ct=result&resnum=1&ved=0CBkQ7gEwAA&prev=/search%3Fq%3Dthe%2BCommission%2BNationale%2Bpour%2Bla%2BProtection%2Bdes%2Bdonnees%26hl%3Den%26sa%3DG

 

The Data Protection Act 2002 as amended in 2006 and 2007:

http://www.cnpd.public.lu/fr/legislation/droit-lux/doc_loi30052005_en.pdf

 

What needs to be done prior to collection?

 

NOTIFY THE COMMISSION

 

Article 12 – Prior notification to the Commission Nationale

 

  1. Apart from cases that fall within the scope of the provisions of Article 8, 14 and 17, the Controller will notify the Commission Nationale of the processing of data beforehand. Processing operations carried out by a single controller that are for identical or interlinked purposes may be contained in a single notification. If this case the information required under Article 13 will be supplied for each processing operation only where it is specific to that operation.

 

  1. The following are exempt from the obligation to notify:

 

    1. Processing carried out by the controller if that person appoints a data protection official. The data protection official shall be responsible for establishing and forwarding to the Commission Nationale a register listing the processing operations being carried out by the controller except those exempt from notification in accordance with paragraph (3) of the present article and in accordance with the provisions relating to the disclosure of processing operations as provided under Article 15
    2. Processing operations for the sole purpose of keeping a register which, under a legal provision, is intended for public information purposes and which is open to consultation either by the public in general or by any person demonstrating a legitimate interest
    3. Processing operations carried out by lawyers, notaries and process-servers and necessary to acknowledge, exercise or defend a right at law
    4. Processing carried out solely for journalistic, artistic or literary expression referred to in Article 9
    5. Processing necessary to protect the vital interests of the data subject or of another where the data subject is physically or legally incapable of giving his consent

 

For a list of further exemptions see the Statute.

 

  1. Any party that does not carry out the obligation to notify or supplies incomplete or inaccurate information is liable to a fine of between EUR 251 and EUR 125,000. The court hearing the case may order the discontinuance of processing that is contrary to the provisions of this Article, subject to a financial penalty the maximum of which will be set by the said court.

 

Article 13 – Content and form of the notification

 

  1. The notification will contain at least the following information:
    1. The name and address of the controller and of his representative, if any;
    2. The cause of legitimacy of the processing;
    3. The purpose or purposes of the processing;
    4. A description of the category or categories of data subject and of the data or categories of data relating to them;
    5. The recipients or categories of recipients to whom the data might be disclosed;
    6. The third countries to which it is proposed to transfer the data;
    7. A general description allowing a preliminary assessment to be made of the appropriateness of the measure taken pursuant to Articles 22 and 23 to ensure security of processing

 

  1. Any amendment affecting the information stated in paragraph (1) must be notified to the Commission Nationale prior to the processing

 

  1. Notification will be made to the Commission Nationale on paper accompanied, as appropriate, by a computerised document or an electronic transmission in a manner that it will establish. Acknowledgment of receipt of notification will be given.

 

A Luxembourg regulation sets forth the amount and methods of payment of the fee to be collected for any notification and amendment to a notification

 

  1. Processing operations that have a single purpose relating to categories of identical data and intended for the same recipients or categories of recipients may be covered by a single notification to the Commission Nationale. In this case, the controller for each processing operation send the Commission Nationale a formal Undertaking of its compliance with the description that appears in the notification

 

Article 14 – Lists some types of processing which require prior authorisation from the Commission Nationale and the information to be included in the request for authorisation.

 

CONTACT THE DATA SUBJECT

 

Article 26 – the data subject’s right to information

 

  1. When the data are collected directly from the data subject, the controller must supply the data subject, no later than the point at which the data are collected and regardless of the type of media used, with the following information unless the data subject has already been informed thereof:
    1. The identify of the controller and of his representative, if any;
    2. The purpose of purposes of the processing for which the data are intended;
    3. Any further information such as

-          The recipients or categories of recipient to whom the data might be disclosed;

-          Whether answering the question is compulsory or voluntary, as well as the possible consequences of failing to answer;

-          The existence of the right of access to data concerning him and the right to rectify them inasmuch as, in the view of the specific circumstances in which the data is collected, this additional information is necessary to ensure the fair processing of the data in respect of the data subject

Inasmuch as, in view of the specific circumstances in which the data is collected, this additional information is necessary to ensure the fair processing of the data in respect of the data subject

 

  1. When the data have not been obtained from the data subject, the controller must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed, provide the data subject with the following information unless the data subject has already has it:
    1. The identify of the controller and of his representative, if any;
    2. The purpose of purposes of the processing for which the data are intended;
    3. Any further information such as

-          The categories of data concerned

-          The recipients or categories of recipient to whom the data might be disclosed

-          The existence of the right of access to data concerning him and the right to rectify them

Inasmuch as, in view of the specific circumstances in which the data is collected, this additional information is necessary to ensure the fair processing of the data in respect of the data subject

 

  1. Any party who is in breach of the provisions of this Article will be liable to a prison sentence of between 8 days and 1 year and a fine of between EUR 251 and EUR 125,000 or only one of these penalties. The court hearing the case may order the discontinuance of processing that is contrary to the provisions of this Article, subject to a financial penalty the maximum of which will be set by the said court.

 

What needs to be done prior to shipping?

 

Article 18 – Transfer of Data into Third Countries – Principles

 

  1. Transfers to a third country of data that are the subject of processing, or that will be the subject of processing after the transfer, may take place only where the country in question provides an adequate level of protection and complies with the provisions of this law and its implementing regulations

 

  1. The adequacy of the level of protection afforded by a third country must be assessed by the controller in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particularly the nature of the data, the purpose and duration of the proposed processing operation or operations, the country or origin and the country of final destination, the rules of law, both general and sectoral,  in force in the third country in question and the professional rules and security measures which are complied with in that country

 

  1. In the event of doubt, the controller will immediately inform the Commission Nationale which will consider whether the third country offers an adequate level of protection. In accordance with Article 20 the Commission Nationale will notify the European Commission of cases where it considers that the third country does not offer an adequate level of protection

 

  1. If the European Commission or Commission Nationale finds that a third country does not have an adequate level of protection, transfer of data to that country shall be prohibited

 

  1. Any party who transfers data to a third country in violation of the above provisions will be liable to a prison sentence of between 8 days and one year and a fine of between EUR 251 and EUR 125,000 or only one of these penalties. The court hearing the case may order the discontinuance of any transfer that is contrary to the provisions of this Article, subject to a financial penalty the maximum of which will be set by the said court.

 

Article 19 – Transfers of Data into Third Countries – Derogations

 

  1. The transfer of data or a set of data to a third country that does not offer an adequate level of protection within the meaning of Article 18, paragraph (2), may, however, take place, provided:
    1. The data subject has given his consent to the proposed transfer; or
    2. The transfer is necessary for the performance of a contract to which the data subject and the controller are parties or the implementation of pre-contractual measures taken at the data subjects request; or
    3. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
    4. The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of a legal claim; or
    5. The transfer is necessary in order to protect the vital interests of the data subject; or
    6. The transfer occurs from a public register as provided in Article 12

 

  1. In the case of a transfer made to a third country that does not offer an adequate level of protection within the meaning of Article 18, paragraph (2), the controller must, at the request of the Commission Nationale, provided the Commission within 15 days with a  report stating the conditions under which it made the transfer

 

  1. Without prejudice to the provisions of paragraph (1), the Commission Nationale may authorise, as a result of a duly reasoned request, a transfer of set of transfers of data to a third country that does not provide an adequate level of protection within the meaning of Article 18, paragraph (2) if the controller offers sufficient guarantees in respect of the protection of the privacy, freedom and fundamental rights of the data subjects, as well as the exercise of the corresponding rights. These guarantees may result from appropriate contractual clauses. The controller is required to comply with the decision of the Commission Nationale.

 

  1. Any party who transfers data to a third country in violation of the provisions of this Article will be liable to a prison sentence of between 8 days and 1 year and a fine of between EUR 215 and EUR 125,000 or just one of these penalties. The court hearing the case may order the discontinuance of any transfer that is contrary to the provisions of this Article, subject to a financial penalty the maximum of which will be set by the said court.

 

What are the sanctions for non-compliance?

 

See Article 19 (4), Article 18 (5), Article 26 (3) and Article 12 (3) - Above

 

 

Please see the Commission Nationale pour la Protection des donnees website for further details on the statute

 

 

 
© TRILANTIC - All rights reserved. | Disclaimer | Client Login