Luxembourg

[LU] Legislation to Protect the Individual in the Processing of Personal Data Comes into Force

IRIS 2003-1:1/33

Marc Thewes

Thewes and Reuter, Luxembourg

The Act of 2 August 2002 on the protection of the individual in the processing of personal data came into force on 1 December 2002. This legislation transposes Directive 95/46/EEC into national legislation and repeals the Act of 31 March 1979 regulating the use of personal data in computer processing, which has been largely ignored.

In accordance with the guidelines set out in the Directive, the new Act makes every effort to ensure the quality of the data collected (Article 4), the legitimacy of the purpose of the processing (Article 5) and the protection of the processed data (Article 22). It aims to ensure that individuals have a right of access to data about themselves (Article 28) and sets up an appeal procedure (Article 30). The Act completes the provisions set out in the Directive, more particularly as regards surveillance measures set up in the workplace. Thus surveillance of workers in order to determine their remuneration is only allowed on a temporary basis and not until the employer has informed the joint works committee.

According to Article 12 of the Act, personal data may only be processed after notification has been given to the Commission nationale pour la protection des données (national data protection board) instituted by the Act, whose members were appointed in October 2002 for a six-year term of office. Certain types of data processing, considered "sensitive", are even subject to obtaining prior authorisation.

In accordance with the provisions of the Act, the board has adopted internal regulations and is currently drawing up a form to make it easier for people subject to the legislation to notify processing. The adoption of this scheme, on which effective application of the obligation of notification depends, is currently expected in early 2003. According to the terms of the Act, this must take place within no more than four months of the members of the board being appointed.

Article 33 of the Act enables the board to impose administrative sanctions on anyone responsible for data processing that infringes the Act. It may "prohibit processing temporarily or permanently" or "block, delete or destroy data used in wrongful processing". Appeals may be brought against these penalties before the administrative courts.

Interim provisions include the requirement that existing processing must be brought into line with the Act within two years of its coming into force.