On 12 September 2017, the Luxembourg Parliament issued bill of law n°7184 (the “Bill of Law”) in order to complement Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
Through the Bill of Law, the Luxembourg legislator intends to make use of the margin for manoeuver that the GDPR grants to EU Members States to enact additional legislation vis-à-vis the protection of personal data.
Pursuant to the publication of the Bill of Law, several public and private bodies have issued detailed opinions, in some cases criticising certain points of the Bill of Law. This led the Luxembourg Government to introduce some amendments to the Bill of Law on 8 March 2018 (the “Amendments”).
The Amendments introduce three major changes to the Bill of Law.
The changes are as follows:
I. Amendments to Luxembourg labour law, especially with respect to the monitoring of employees;
II. Insertion of a specific procedure relating to the imposition of penalty payments by the Luxembourg data protection supervisory authority (the “CNPD”);
III. Establishment of a Commissariat du Gouvernement à la protection des banques de données de l’Etat (the “Commissariat”).