E-book, English, 308 pages, format (W × H): 148 mm x 210 mm, weight: 499 g
Series: Kommunikation & Recht
Dury / Kerz, Data Protection in Luxembourg
1st edition 2019
ISBN: 978-3-8005-9255-5
Publisher: Fachmedien Recht und Wirtschaft in Deutscher Fachverlag GmbH
Format: EPUB
Copy protection: 6 - ePub Watermark
Handbook
This book offers a practical presentation of the special features of data protection law in Luxembourg and the way it interacts with the General Data Protection Regulation (GDPR). The GDPR has been effective since 25 May 2018. Since 20 August 2018, the new Luxembourg Data Protection Act, which supplements the GDPR, has additionally had to be complied with in all data processing operations that relate to Luxembourg.
In the first part of this book, you can learn what new legal requirements the GDPR and the new Luxembourg Data Protection Act impose on companies in Luxembourg and on group structures with relationships to Luxembourg. The second part contains a systematic presentation of the GDPR and the Luxembourg Data Protection Act. The book aims to help you meet the requirements of data protection law in Luxembourg in everyday corporate life and to implement them in practice with as little expense and effort as possible.
The book, which also includes the text of the Luxembourg Data Protection Act, is available in three languages: French, English and German. The German and English translations of the legal text have moreover been authorised by the supervisory authority in Luxembourg, the CNPD, so you can be sure that using the translations will not cause any disadvantage as compared with applying the law in its original wording.
Target group
This practitioner's handbook is directed at anyone professionally involved with the issue of data protection in Luxembourg, e.g. data protection officers in companies or associations, consultants, executives and other IT controllers.
2.3. Roles and agents
The following normative terms form the framework within which data protection takes place. The GDPR defines these roles precisely: it determines who can take on which role and which rights and obligations are connected with the respective role. In the following, the persons and entities that can take on these roles are called agents.
2.3.1. Data subjects
The data subject is any identified or identifiable natural person (Art. 4 No. 1 GDPR). When a person is deemed identifiable has already been explained above (2.1 on Page 5).
2.3.2. The controller
The controller is the counterpart of the data subject. Whenever personal data is processed, there must be a controller who assumes the responsibility and is ultimately responsible for ensuring that the data is processed adequately (meaning in compliance with the GDPR).[11] The controller may be a natural person as well as a legal person, such as a company, a government authority, an association or another organisation. The GDPR goes even further: each establishment or body can be a controller. What does that mean in specific terms? In business terms, every company can be a controller. Individual employees of companies are not themselves responsible for data protection; rather, their respective employer is. This only changes for the employee if they process personal data of a data subject for their own purposes, which are beyond the control of their employer.[12] In terms of content, Art. 4 No. 7 GDPR lays down the characteristic that qualifies a controller: they “alone or jointly with others determine the purposes and means of the processing of personal data”. The essential criterion is therefore the (independent) decision-making power regarding the purpose of the data processing and the means with which it takes place. If the focus is placed on the decision-making authority regarding the means and purposes of the processing, it becomes clear why this person is called the controller in English: ultimately, it is the controller who has the control (the controlling decision-making power) over the data processing, and the designation as a controller is therefore fitting.
Examples
A sole trader stores their customers’ contact details and purchasing volumes in a database (the means of processing, the type and the way) in order to be able to submit customised offers to customers in the future that are tailored to their needs (the purpose of the processing).
A handwritten file is kept in a dental practice, in which the condition and course of treatment of the patient’s teeth are documented (the means of processing, the type and the way). The purpose of this file is to comply with the legal and statutory duty of documentation. Likewise, the file helps the attending physician to quickly gain an overview of the condition of their patient’s teeth and also serves as a reference for the treatment of the patients (the purpose of the processing).
In the corporate environment, the controller is often a legal person, for example a corporation such as a limited liability company, public limited company, partnership or an organic market participant. In the case of a sole proprietorship, sole traders, self-employed persons or freelancers, the proprietor or owner is responsible for the handling of this data. The controller is responsible for all legal obligations regarding the implementation (above all according to Art. 5 and chapter 3 of the GDPR), justification (above all according to Art. 6 to 11 GDPR) and protection (above all chapters 4 and 5 GDPR) of the processing of personal data. Accordingly, the controller is also the recipient of any possible fines and is liable under civil law according to Art. 82 (1) GDPR for breaches of the Regulation (Art. 82 to 84 GDPR). These various behavioural and liability obligations cannot be relinquished by the controller to individual employees or external service providers (such as an external data protection officer; see chapter 6 in this Practical Handbook). However, recourse claims in the case of incorrect advice by the data protection officer are possible.
Example
An employee of a company incorrectly deals with customer data. The employee was not informed about how the customers’ personal data should be processed in accordance with the GDPR. In this case, the employer is liable for the improper processing of personal data.
The company cannot pass on liability to its employees. It must take full responsibility for the misconduct of its employee in the external relationship. However, recourse claims and employment sanctions are not excluded in the internal relationship with the employee. Any such recourse does not change the responsibility of the controller.
It should be noted that in some parts this book puts the company in the limelight when referring to the controller. Of course, most of the explanations are also applicable to other controllers. As this is a Practical Handbook, the focus has been placed in some parts on companies as controllers.
2.3.3. The processor
The trio of the most important roles in data protection is completed by the role of the processor. The circle of addressees who can take on this function is the same as for the role of the controller. The processor processes personal data “on behalf of the controller” (Art. 4 No. 8 GDPR). Therefore, the role of the processor presupposes that the role of the controller is already filled. The processor only ever acts as the third actor in a triangular constellation, namely if and only if
1. a controller has determined the means and purposes of the processing of the data of a
2. data subject and does not carry out this processing themselves,
3. but rather assigns this task to a processor.
The decisive feature of the processor is that, while they perform processing activities for a controller, they themselves cannot decide on the means and purposes of the processing. They are subject to the instructions given by the controller. If they make unauthorised decisions about the means and purposes of the processing, they become the controller.
Example
A company commissions a printing company to send mail to customers. For this purpose, the marketing department sends an Excel spreadsheet with the recipient addresses to the printing company. The printing company prints the letters and puts them in envelopes, which in turn have had the customer addresses and franking stamps printed on them. Afterwards, the letters are picked up by the mail carrier from the printing company.
The processor also has a number of obligations to fulfil. However, since they only carry out the instructions given by the controller, these obligations relate only to the dutiful execution of the instructions and the adequate protection of the data in accordance with the general provisions of the GDPR (Art. 32). Accordingly, the fines and liability risks are limited to these specific duties of the processor, and only with regard to the processing performed on behalf of the controller.
Warning
Of course, a company that performs processing on behalf of a controller is itself responsible for the processing of the personal data of its own employees.
You can read about the particularities of the relationship between the controller and the processor in chapter 10 on Page 117 on processing on behalf of the controller.
2.3.4. CNPD – The supervisory authority
The supervisory authority – the National Data Protection Commission (CNPD) – has a special role. This is laid down in the sixth chapter of the GDPR (Art. 51 to 59) and in the first chapter of the Act of 1 August 2018 (Art. 1 to 55). Accordingly, the CNPD is an independent government agency whose main task is to monitor compliance with data protection legislation. How cooperation with the CNPD must take place in Luxembourg and what companies in Luxembourg must comply with in the area of data protection is described in detail in chapter 4.
2.3.5. Third parties and recipients
Another important role is the so-called third party (Art. 4 No. 10 GDPR). A third party may be any entity that is relevant to data protection but not directly responsible for the data collection or data processing. For example, third parties may be organisations that gain access to personal data in the event of a data breach (unauthorised access). If data is explicitly transferred to other parties outside of a relationship of processing on behalf of the controller, then these other parties are deemed recipients. Such recipients are often members of the liberal professions, such as tax consultants or lawyers.
Example
This means that if your company’s sales representative mistakenly sends sensitive personal data of its customers to a supplier, this is deemed a breach of data protection. The incident must be reported to the CNPD (see chapter 10 on cooperation with the CNPD and chapter 9 dealing with data protection breaches). In the...