The main changes included in the Act of 27 July 2007

Scope of application of the Law – limited to natural persons

Data concerning legal persons (companies, associations, foundations, public establishments, etc) is no longer protected by law; protection is now limited to information concerning natural persons.

Definition of consent of the data subject

This definition has been brought into line with the one given in the European Directive. The adjectives “express” and “non-equivocal” have been deleted. For sensitive (Art. 6 § 2 (a)) and genetic (Art. 6 § 3 (d)) data, however, consent must be given expressly.

It should be recalled that this is a case provided for by law as an exception to the principle of the prohibition of processing specific categories of data referred to in Article 6 § 1 (concerning opinions, beliefs, racial origin and health, including genetic data).

Restructuring of Article 6(3) on the processing of genetic data and of Article 7 of the Law with reference to health services, to make them more understandable

NB: Insurance companies, administrations, social security bodies, the Caisse Médico-Chirurgicale Mutualiste and ASFT bodies (for socio-family and therapeutic action) can no longer be authorised to process genetic data except where public, historical, statistical or scientific interest is involved.

The communication of a patient’s health data to the general practitioner, to the social security bodies and to the Caisse Médico-Chirurgicale Mutualiste and by service providers and suppliers of health care is authorised by the Law, while the communication of health data by other third parties and their use for research purposes remain subject to conditions to be determined by a forthcoming Luxembourg regulation.

Processing for supervision purposes

New definition of supervision taken from a Council of Europe expert’s report.

Article 10: Processing for purposes of supervision is deemed legitimate in and around any places presenting a risk where it is necessary not only for the security of users and the prevention of accidents, but henceforth also for the protection of property.

In this last case there must nevertheless be a characteristic (greater than usual) risk of theft or vandalism, and the criterion of necessity/proportionality will be assessed for each individual case by the Commission Nationale.

The protection of an individual’s vital interests has also been added as one of the new conditions for legitimacy.

Prior authorisation is no longer required (although notification is) if the data (images, etc) resulting from the supervision is not recorded.

The conditions for processing for purposes of supervision in the workplace by the employer, if the employer is the controller, are now covered by Article L-261 of the Employment Code (identical to the former Article 11 of the Law).

Formalities prior to processing

  1. Notification

    Simplified notification no longer exists.

    Article 12 § 3 now provides for 14 cases of conditional exemption from the obligation to notify which are added to those more general cases referred to in paragraph 2 (processing of data in the context of a public register or the exercise of the professions of lawyer, notary, process-server, journalist, writer or artist, or necessary to protect a person’s vital interests).

    NB: The processing of genetic data by the medical authorities (doctors and hospitals) for the purposes of preventive medicine, medical diagnosis or provision of care and treatment is henceforth subject to notification.

  2. Data protection officer (article 40 of the Law)

    Henceforth, this person may be an employee of the company, administration, body, etc responsible for the data processing.

  3. The processing of sensitive data (more particularly data on health and sex life other than genetic data) is no longer subject to authorisation, but to prior notification to the Commission Nationale.

    This is also the case for the processing of genetic data where it is necessary to protect vital interests or for the purposes of preventive medicine, medical diagnosis or provision of care and treatment (Article 6 § 3 (b) and (e)).

    The processing of genetic data (Article 6 § 3 (c)) where it is necessary for reasons of public interest or where it is carried out in the field of (scientific or healthcare) research with the consent of the data subject (section (d)) remains subject to prior authorisation.

    A representative of the CNPD will take part in the deliberations of the national committee for ethics in research in order to ensure observance of the legal provisions on data protection in scientific research projects other than those involving genetic data.

    • Supervision

      If the data is not recorded, processing no longer requires prior authorisation, but only prior notification.

    • Biometric data

      The processing of data of this type is henceforth subject to prior authorisation (Article 14 § 1 (f)).

    • Creditworthiness and solvency of individuals

      The processing of such data is no longer subject to prior authorisation (but only to notification) if it is carried out by banks, insurance companies or other professionals of the financial sector concerning their clients.

    • Use for purposes other than those for which the personal data was collected.

      This use remains subject to prior authorisation and requires the consent of the data subject unless the protection of the person’s vital interests is involved.
