Processing of Personal Data under the upcoming General Data Protection Regulation (GDPR)

Members of the ILA in their capacity as board members are invited to consider the main obligations that will derive from Regulation (EU) No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movements of such data and repealing Directive 95/46/EC (the “GDPR”) and related national implementation measures inter alia those that will result from the bill of law 7184 creating the Commission nationale de la protection des données and implementing GDPR and repealing the 2002 Law (as defined below).

In your capacity as board members of (in particular) Luxembourg companies, it is important to keep in mind that the Board is accountable for GDPR compliance.

Please keep in mind that professional secrecy rules and data protection rules are closely linked but are separate and need to be considered separately.

The GDPR will replace the Luxembourg Law of 2 August 2002 on the protection of persons with regard to the processing of personal data (the “2002 Law”) and will be directly effective in Luxembourg as from 25 May 2018.

This regulation notably establishes a principle of “accountability”. In this respect, proper measures and documentation shall be implemented as evidence of data protection compliance in order to demonstrate such compliance in case of control by the data protection authority (“CNPD” in Luxembourg). This accountability principle is aiming to replace our current prior notification/authorization administrative mechanism to be addressed to the CNPD based on the 2002 Law.

In this respect, directors who are actors of the corporate governance of legal entities shall keep in mind that any entity, either acting as data controller or data processor when processing personal data, shall respect the obligations set out in the GDPR notably by taking into account this key-concept of accountability.

1.Scope of the GDPR: controller and/or processor role to be defined

The territorial scope of the GDPR (Article 3) will be broader than the current territorial scope of the 2002 Law as its requirements will notably apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not.

Thus, obligations are imposed by the GDPR on:

  • data controllers, i.e. the legal or natural persons which/who determine the purposes and the means of the personal data processing; and/or

  • data processors, i.e. the legal or natural persons which/who process the personal data on behalf of the controller and upon its/their instructions.

In this context, it is important for the directors to have an overview of all the flows of personal data processed by a company as data controller and/or as data processor depending on the data processing operations concerned (see our remark regarding “mapping” in point 3 below).

2.Main principles governing any processing to be verified

The GDPR still follows the main principles related to any processing as set up in the repealed Directive while strengthening them.

Those main principles are:

  • the lawfulness, the fairness and the transparency of any processing,

  • the limitation of a processing to its purposes,

  • data minimisation (not to collect more data than needed),

  • the accuracy of the data processed (only collect relevant data for a defined purpose),

  • limited duration of storage,

  • integrity and confidentiality,

  • accountability (the controller shall be responsible for, and be able to demonstrate compliance with, the previous principles to be respected).

Any data controller (or data processor) will have to implement appropriate technical and organisational measures (privacy by design and by default – see below in point 4.) to ensure and to be able to demonstrate that processing is performed in accordance with those principles. These measures will have to be appropriate to the processing and proportionate (proper balance between the fundamental rights of the individuals and the controllers/processors to be considered).

3.Records of processing activities

Based on the foregoing, an organisation, whether it acts as data controller or as data processor, must record all its personal data processing activities (i.e. shareholders register, clients register, employees, suppliers, etc.) including the information listed by the GDPR (i.e. the purposes of the processing, the categories of data, data subjects, and recipients, the transfers to third countries, the time limits for erasure, etc.).

This requirement to keep records of processing is not applicable when the legal entity is employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) of the GDPR (e.g. health data) or personal data relating to criminal convictions and offences. In practice, this exception shall be applied very rarely as processing activities are hardly implemented in an occasional manner.

From a practical standpoint it may be necessary to establish a mapping of all processing activities of a company with each corresponding purpose (HR, suppliers, shareholders registers, administrators). This initial mapping operation will provide support for the record-keeping filling of processing activities and determining the measures to be adopted and information to be given to data subjects.

The GDPR will be implemented on 25 May 2018, and will replace the Luxembourg Law of 2 August 2002  

4.Data protection by design and by default

In order to respect its obligations towards the GDPR, when processing personal data, a data controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation.

In this respect, those issues shall be analysed at the very beginning of every IT project notably when negotiating a contract with a service provider (acting as data processor).

The data controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

5.Data subjects' rights to be guaranteed 

Rights of individuals are also being enhanced with the GDPR. An organisation acting as data controller will have to provide an increased level of information as listed by article 13 of the GDPR to the persons whose personal data is processed with notably new consecrated rights such as the right to data portability (i.e. the right to receive the transmitted personal data in a structured and machine-readable format).

When consent is used as legal basis to implement a processing, the data controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data (still in light of the principle of accountability) while such consent can be withdrawn at any time by the data subject. Such withdrawal faculty shall be given to the data subject as information based on the foregoing.

Directors are invited to verify that all data subjects concerned by a processing (e.g. employees for payroll, clients, third parties, service providers, prospects, customers, competitors) benefit from a proper information regarding the processing and correlated rights.

6.Designation of a Data Protection Officer 

A new requirement under the GDPR (Chapter IV, section 4) will be the duty for an organisation to appoint a Data Protection Officer (the “DPO”) where the core activities of the organisation consist (i) of processing operations which require regular and systematic monitoring of data subjects on a large scale or (ii) in the processing of special categories of data on a large scale. A Data Protection Officer can also be designated on a voluntary basis, as is currently the case.

In this context, it is worth noting that the DPO is not required to be an employee of the relevant organisation and may, for example, be appointed at group level or be an external DPO.

Directors shall take into account the foregoing information and define, based on a company’s activity, if a DPO shall be appointed.

7.Relation with data processors

As already required under the 2002 Law, a contract or other similar legal act shall bind the data processor to the data controller.

However, the minimum contractual provisions to be contained in this type of contract have been further detailed by the GDPR which establishes a list of provisions (article 28 of the GDPR) which are mandatory to be inserted in those contracts. The GDPR also states that processors may not engage sub-processors without the appropriate written authorisation/information (in the case of a general authorisation) of the data controller.

In this respect, directors of companies are invited to operate a review of their current contracts with their sub-contractors when processing of personal data is involved. The obligation to provide for the article 28 list of provisions is an obligation on all parties, not only of the processor. Irrespective of whether the company is a controller or processor, the board should take appropriate steps or cause appropriate steps to be taken to include provisions in such contracts or agreements.

8.Transfer to non-EU countries/impact assessments

The GDPR contains various provisions, notably in regard of data transfers outside the European Union, which remain permitted subject to certain conditions to ensure that individuals’ rights under the GDPR remain effective. Appropriate safeguards shall be implemented in the absence of an adequacy decision from the European Commission while no prior authorisation form to be addressed to the CNPD shall be needed anymore (except in specific circumstances).

The GDPR imposes a duty on organisations acting as data controller to carry out a data protection impact assessment (a “DPIA”) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons (e.g. monitoring of employees, evaluation based on automated processing and which result in decisions that affect the natural person, processing of special categories of data on a large scale, profiling of vulnerable persons, etc.).

As the case may be, directors of companies shall implement a risk-based approach survey regarding a company’s activity to decide if the conduct of a DPIA shall be implemented. For further indication regarding your compliance requirements to be implemented in the light of the GDPR, please find below a link to a checklist (which is indicative but in no event exhaustive): Data Protection Checklist ILA

9.Administrative fines

Depending on the type of infringement and in addition to other measures that can be imposed (reprimands, ban processing of data, etc.), administrative fines may be imposed of an amount of up to EUR 10,000,000 or in case of an undertaking 2% of the total worldwide annual turnover of the preceding financial year whichever is higher or up to EUR 20,000,000 or in case of an undertaking up to 4% of the total worldwide annual turnover of the preceding financial year whichever is higher.

This article and related checklist pertains to give a very summary overview of the various requirements of the GDPR but does not claim to be complete or exhaustive. It does not replace the review of the GDPR or the necessary related guidance from the relevant data protection authorities and the Article 29 Working Party. Appropriate legal advice shall be taken to ensure GDPR compliance by all relevant entities.

It is also to be noted that GDPR does not only apply to entities (irrespective of form) but also applies to natural persons who process personal information within the scope of their professional activities.