The national law on the organization of the National Commission for Data Protection (CNPD) and the implementation of the General Data Protection Regulation (GDPR) in Luxembourg, which was voted on the 26th of July 2018, has brought several changes to the processing of data for the purpose of monitoring and surveillance of employees at work.
In fact, following the change of paradigm brought about by this new European regulation, the employer is no longer required to hold an authorization delivered by the CNPD for monitoring and surveillance activities, as was the case under the European data protection directive of the 24th of October 1995, implemented in Luxembourg by the act of the 2nd of August 2002.
Article 71 of the national law on the organization of the CNPD and the implementation of the GDPR in Luxembourg modifies article L. 261-1. of the Luxembourgish labor code, which deals with monitoring and surveillance activities at work. In accordance with article 88 of the GDPR, Luxembourg has thus chosen to adopt additional provisions on employee monitoring and surveillance activities.
The main innovations in this area are:
- No authorization required
The GDPR repeals the texts of the European directive on data protection of the 24th of October 1995 and the Luxembourgish law of the 2nd of August 2002 which transposed the directive into Luxembourgish law, as well as all prior authorizations delivered by the CNPD.
The employer may from now on process personal data for monitoring and surveillance purposes if he meets one of the conditions of article 6 paragraph 1 letters a) to f) of the GDPR and complies with the new provisions of article L. 261-1. of the labor code. Monitoring and surveillance activities are thus no longer limited to the 5 purposes listed in the former article L. 261-1. of the labor code.
Indeed, under the former article, monitoring and surveillance activities were possible only if they were necessary:
- for the safety and health needs of employees, or
- for the purposes of protecting the property of the company, or
- for the control of the production process involving only machines, or
- for the temporary control of production or the employee’s benefits, where such a measure is the only way to determine the exact salary, or
- in the context of a work organization according to the mobile schedule in accordance with the labor code.
Now, it suffices that the employer relies on one of the 6 conditions of lawfulness of article 6 of the GDPR. Processing is permitted if:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Most often, the monitoring and surveillance measures would be justified by the legitimate interest of the employer. FEDIL recommends choosing this legal basis.
The consent of an employee, placed under the subordination of his employer, is not always considered as freely given, a condition necessary to have valid consent within the meaning of the GDPR. In case of dispute, the free nature of the consent of the person concerned will fall within the discretion of the judge.
- Right to information
Besides the individual right to information that every worker has in accordance with articles 13 and 14 of the GDPR, a collective right to information is granted to all the employees concerned. The employer must also inform in advance the mixed works council or, if none, the staff delegation or, if none, the Labor and Mining Inspectorate.
From now on, the prior information on the monitoring and surveillance activities must include a detailed description of the purpose of the planned monitoring; the way in which the monitoring and surveillance activity will be carried out; if possible, the retention period of the data collected or, otherwise, the criteria used to determine that retention period; and lastly, a formal commitment by the employer not to use the collected data for any purpose other than the one explicitly indicated in the prior information.
The employer's obligation to inform has thus been consolidated.
The processing of data for supervisory purposes motivated by the health and safety needs of the employees, the production control or the employee’s benefits when such a measure is the only way to determine the exact salary, or by an organization of work according to the mobile timetable, remains subject to the co-decision regime, in accordance with the provisions of articles L. 211-8., L. 414-9. and L. 423-1. of the labor code, except when the processing meets a legal or regulatory obligation.
- Request for a prior opinion on the compliance of the planned processing for monitoring and surveillance activities
Another novelty is that, pursuant to article 88 of the GDPR, the staff delegation or, failing this, the employees concerned by the surveillance measures may, within fifteen days of the prior information, submit to the CNPD a request for a prior opinion on the compliance of the planned processing for monitoring and surveillance of the employees. The CNPD must deliver its opinion within one month of the referral.
This request has a suspensive effect during this period. Once the fifteen-day period has passed, no request for a prior opinion on the compliance of the planned processing for surveillance purposes may be sent to the CNPD. As a result, it is very important for employers to know the exact date from which this period begins to run. It is therefore advisable to give the prior information in a form that establishes the start date of the period (e.g. a letter sent by registered mail to the employees concerned, possibly with an internal posting).
While the request is pending, the employer therefore cannot proceed with the envisaged processing and must await the opinion of the CNPD, which does not constitute an appealable decision. The employer is also not obliged to follow the opinion given but is only advised to do so.
It is also provided that the employees concerned have the right to lodge a complaint with the CNPD (as already provided for in Article 77 of the GDPR). Such a complaint is neither a serious reason nor a legitimate ground for dismissal.
It is still essential to note that the new article of the labor code only applies to new supervisory processing envisaged after the entry into force of the law on the organization of the CNPD and the implementation of the GDPR in Luxembourg, and that it doesn’t call into question the processing already in place. However, it should be noted that any device in place must of course comply with the GDPR, which has been applicable since May 25, 2018.
- Data protection impact assessment
Depending on the chosen system, an impact assessment on the protection of personal data must be carried out in accordance with Article 35 of the GDPR.
Since monitoring and surveillance involve the processing of personal data of the employees, the employer has the obligation to enter the data processing in the record of data processing activities, as described in article 30 of the GDPR.
Finally, it is necessary, from the beginning of the surveillance measures, to adopt adequate security and confidentiality measures in accordance with Article 32 of the GDPR.
Here is the link to the new article L. 261-1. of the labor code (excerpt from the report of the Commission for Higher Education, Research, Media, Communications and Space).
Since the law does not contain a specific date of entry into force, the entry into force of the law will be 3 days after the publication in the Mémorial.
FEDIL will keep you informed about the date of entry into force of the law through its newsletter.
FEDIL also wishes to inform you that a “Frequently Asked Questions (FAQ)” template for the GDPR is currently being prepared to provide companies with an overview of the most frequently asked questions so far. This FAQ will constantly be adapted depending on the issues encountered.
Luxembourg, 27th of July 2018