Processing personal data

This page was last modified on 11-03-2016

An employer may need to collect and record personal data in the context of his professional activities. For example, data may be collected for commercial purposes, for surveillance purposes or even for safety purposes.

The collection and processing of personal data must always be proportional to the objective pursued. The National Commission for Data Protection (Commission nationale pour la protection des données - CNPD) verifies this proportionality as well as the legitimacy of the motives for data processing.

The business must, as a general rule, notify all data processing of a personal nature to the CNPD.

Certain types of data processing are however exempt from notification while others are subject to prior authorisation. In certain cases, prior authorisation can be applied for with a simplified procedure.

The business must also inform each person concerned about the data processing procedures in place.

Forms / Online services

Carry out your procedure:

* May be submitted via MyGuichet

Who is concerned

The prior declarations for the processing of personal data have to be submitted by the person responsible for processing, i.e.:

  • the natural person himself;
  • or, in the case of a legal entity, the persons authorised to represent the company.

The person responsible for the data processing may also appoint a third party (e.g. a lawyer).

He may, in addition, designate a person responsible for data protection (data controller) approved by the CNPD in order to delegate the notification procedures concerning the data processing. Nevertheless, he is still required to submit all applications for authorisation, where needed.

For all processing of personal data, the business must inform:

  • the employees concerned;
  • the external parties not employed by the business (clients, suppliers, visitors) who may also be concerned;
  • in the event of surveillance of the workplace, the staff representatives (the joint works committee - until the next social elections - or, failing this, the staff delegation or, failing this, the Inspectorate of Labour and Mines - ITM).

It should be noted that joint works committees (also "joint works councils") will cease to exist after the social elections which take place after 1 January 2016. As from these elections, the tasks and duties assigned to joint works committees will be transferred to the staff delegations in companies which had at least 150 staff during the 12 months preceding the first day of the posting of the announcement of elections.


Until these elections, the joint works committees currently in place will continue to carry out their tasks.

How to proceed

Processing of specific data

Prior notification

Any processing of personal data which is neither exempt from notification nor subject to prior authorisation must be notified to the CNPD.

Any changes to the processing as well as the cessation (permanent cessation) of the processing must also be communicated to the CNPD.

Special case:


employers who have designated a data controller are not required to notify any processing to the CNPD, except in the case of processing for surveillance purposes.

Exemption

For instance, the required processing of personal data in the following areas is exempt from notification:

  • the administration of salaries;
  • the candidacies and recruitment management, as well as the administration of staff;
  • data processing exclusively related to accounting;
  • the administration of data concerning shareholders, bondholders and partners only;
  • the management of clients or suppliers;
  • the processing of data required for the purposes of communication (entry into contact) with the interested party;
  • the registration of visitors in the case of manual access control.

In most of these cases, the exemption is valid on condition that the data gathered is not communicated to third parties.

Prior authorisation

The following are subject to the application for prior authorisation:

  • the processing of data collected from surveillance and more specifically surveillance in the workplace, including:
    • video surveillance (form - application for authorisation);
    • electronic access control (e.g. electronic ID badges);
    • electronic monitoring of working time;
    • tracing and/or recording telephone conversations;
    • controlling the use of internet and emails;
    • global positioning systems (GPS), etc.;
  • processing biometric data, such as digital fingerprints used for identification;
  • the transfer of data outside the European Union;
  • processing genetic data (for reasons other than just to protect vital interests, preventive medicine, medical diagnosis or the administration of treatment and care);
  • interconnection of data;
  • the subsequent processing of data for other reasons (historical, statistical, scientific, etc.);
  • processing personal data concerning the credit and solvency situation of individuals (when not carried out by a professional in the financial sector for his own clients).
The following applications for authorisation among the above are can be submitted with a simplified procedure: the monitoring of working time and electronic access control.

Prior notification

Applicants must send a prior notification duly completed and signed to the CNPD. The form must be sent together with the explanatory documents, where applicable:

  • either via email to notifications@cnpd.lu, after the electronic signature with a Luxtrust device;
  • or on paper, duly signed and in this case with an electronic copy on a data storage device (CD-ROM, USB stick, etc.).
The submission via email or on a data storage device gives the right to an EUR 25 discount (see table below).

The same form is used for initial notifications or amendments to notifications.

After the prior notification has been submitted, the applicant must pay a fee into the CNPD's CCP account IBAN LU31 1111 2052 2570 0000 (BIC: CCPLLULL)

Type of application

Application form

Fee

Prior notification

Paper only

EUR 125

Paper and electronic version

EUR 100

Electronic version with electronic signature

EUR 100

Notification of amendment *

Paper only

EUR 75

Paper and electronic version

EUR 50

Electronic version with electronic signature

EUR 50

Notification of end of processing

No fee

* Declarations concerning "minor" amendments only (company name, address, etc.) not directly related to data processing are free of charge.

Furthermore, a notification of end of processing is necessary if the processing has ceased permanently. This notification is free of charge.

Special case

Employers who have designated a data controller are not required to notify the data processing to the CNPD, except in the case of processing for surveillance purposes.

Authorisation - simplified procedure

The National Commission for Data Protection (CNPD) may grant a general authorisation for a specific type of data processing.

The data processing system hereby authorised is described in detail in the document entitled 'single decision' (décision unique).

Employers who implement a system which is compliant with the requirements in the document may be granted this authorisation.

In order to obtain said authorisation, the employer must send a formal commitment of compliance to the CNPD declaring that the data processing procedures in place are compliant with the description stated in the single decision.

Currently, there are 3 types of 'single decisions' related to businesses which could be subject to a formal commitment of compliance:

The formal commitments of compliance are not subject to the payment of a fee.

As soon as the file contains the information required, the CNPD can decide whether and how to grant the authorisation or not.

Where required, the CNPD will contact the applicant to complete the file.

Informing the persons concerned

For all types of personal data processing, employers must, in principle, inform every person concerned individually and in writing.

This information must include:

  • the purposes for which the data was collected;
  • the identity of the person responsible for processing the data (the data controller).

Furthermore, the information must also include (insofar as it is necessary to ensure reliable data processing):

  • the categories of data concerned;
  • the recipients or categories of recipients to whom the data is likely to be communicated;
  • the existence, for the persons concerned, of a right of access to their personal data as well as a right of correction of the data.

In practice, the person is often informed by means of a countersigned document (internal note, employment contract, additional clause to the contract, collection of data document, etc.).

In the case of video surveillance, the persons accessing the site under video surveillance can be informed by means of a pictogram which is clearly displayed at the entrance of the site. The above-mentioned information will be provided on request.

Who to contact

1, avenue du Rock'n'Roll
4e étage
L-4361 - Esch-sur-Alzette
Luxembourg
Phone: (+352) 26 10 60-1
Fax: (+352) 26 10 60-29