Common practice: Prior notification
Processing operations generally have to be notified to the National Commission prior to their implementation (see section “Prior notification”). On the one hand, this gives the National Commission a general view of the current situation. On the other hand, transparency for the public is increased by giving people the possibility of consulting the public register of processing operations (see section “Right to information”). The National Commission receives the notifications and publishes their content in the public register.
There are two major exceptions where the principle of prior notification doesn’t apply:
- If the data processing relates to particularly “sensitive” data, the law requires additional guarantees: these processing operations require a prior authorization by the National Commission (or, as the case may be, a Grand-Ducal Regulation);
- If the data processing is “innocuous” or if other legal provisions guarantee a sufficient privacy level, the processing doesn’t need to be notified either.
In both cases, the respective processing operations are defined explicitly and restrictively by the amended Data Protection Act.
Procedure for prior authorization
The prior authorization is an exception to the principle of notification.
This procedure has been established with regard to the increased risks for privacy inherent to certain “critical” processing operations. Therefore, the law stipulates that such processing operations may not be carried out without having been explicitly authorized by the National Commission.
In this case, the National Commission does not only receive a notification but is entitled to examine the data processing prior to its execution and decide on its implementation (see section “Prior authorization”).
Exemption from the obligation to notify
- Certain “innocuous” processing operations, implemented in the context of an organisation’s ordinary activities (business, commercial, administrative, associative, etc.), do not need to be notified, provided that they comply with the terms determined by the law. This applies, for example, to processing operations related to accountancy, human resources management or membership administration. (See section “Processing operations exempt from notification”.)
- By appointing a data protection official, the controller is equally exempt from notification (except for processing operations relating to surveillance, which always require a prior declaration). However, the data protection official has to keep a register including information about all implemented processing operations subject to notification, which has to be transferred regularly to the National Commission.
- In general terms, the law stipulates that the processing operations falling within the scope of Article 8 (legal data) and Article 17 (Police, customs, secret service, armed forces) of the Data Protection Act are exempt from notification. However, these processing operations need to comply with other specific criteria defined by the appropriate legal regulations.