Luxembourg bill of law completing GDPR

Benoît DuvieusartPartner, duvieusart ebel, avocats associés

  1. Bill of law 7184 was issued on 12 September 2017. It aims to adapt the Luxembourgish legal framework to the GDPR requirements and to complement the provisions of the GDPR with national specificities.

    The first chapter of the bill redefines the powers of the Luxembourgish data protection supervisory authority, the Commission Nationale pour la Protection des Données (“CNPD”). The control process operated by the CNPD will move from an ex ante to an ex post control. In other words, prior formalities (i.e. notification to and authorisation by the CNPD of data processing operations prior to their implementation) will be replaced by subsequent control of the data controllers and data processors by the CNPD.

According to the bill, t
investigative powers as well as the possibility to impose administrative sanctions on companies infringing the

GDPR. It will also be able to initiate judicial proceedings in order to enforce the GDPR.

The second chapter of the bill lays down specific provisions that complement the GDPR in matters that were left to the discretion of the Member States. It introduces exemptions from GDPR obligations under certain conditions in case of:

  • –  data processing for the purposes of journalism, university research, art or literature; or

  • –  data processing for the purposes of statistics or scientific or historical research.
    Another specific provision of the bill regards the processing of sensitive data (including health data). The bill confirms that such data may be processed by medical bodies, healthcare professionals, insurance companies and pension funds.