Luxembourg Bill Amending the Data Protection Act with regard to the Authorization Regime
On August 31, 2016, a bill was presented to the Luxembourg Parliament (the “Bill”) to amend the Law of August 2, 2002, on the Protection of Persons with regard to the Processing of Personal Data.
The Bill aims to reduce the current administrative burden and anticipates the application of the General Data Protection Regulation (“GDPR”) on May 25, 2018, by abolishing certain requirements to obtain authorization from the Luxembourg data protection authority (“CNPD”).
Should the Bill be passed, companies will no longer need to obtain an authorization from the CNPD for any international data transfers based on Model Transfer Clauses approved by the European Commission, or Binding Corporate Rules approved by the competent data protection authorities of other EU Member States.
Additionally, the need to obtain an authorization from the CNPD for certain processing operations will also be dropped. This will be the case for (i) processing operations for supervision purposes (including supervision at the workplace); (ii) combination of data; and (iii) processing relating to the credit status and solvency of the data subjects.
A notification to the CNPD will still be required until the GDPR applies.