Luxembourg - Data Breach Guide

Luxembourg

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

In the event of a data breach and in accordance with Articles 33 and 34 of the GDPR, the data controller shall:

1.1.1 without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Luxembourg National Data Protection Supervisory Authority (the "CNPD") unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons; and

1.1.2 communicate the personal data breach to the data subjects without undue delay when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

The Luxembourg law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general regime on data protection adopted to complement the GDPR (the "Luxembourg Data Protection Law") does not add any specific requirements with respect to notifications to the CNPD or the data subjects in the event of a data breach.

Under the Law of 30 May 2005 on specific provisions for the protection of individuals with regard to the processing of personal data in the electronic communications sector (the "Law of 2005"), a provider of publicly available electronic communications services (a "Provider") has the obligation to notify without delay in the event of personal data breach (i) the CNPD and (ii) the subscriber or the individual where the breach is likely to adversely affect the personal data or the privacy of the subscriber or the individual.

The notification to the subscribers or the individuals is not required if the Provider is able to prove to the CNPD that it has put in place appropriate technological protection measures and that these measures have been applied to the personal data concerned by the breach. Such measures shall render the data incomprehensible to any unauthorized third party.

If the Provider has not yet informed the subscribers or the individuals of the breach, the CNPD has the power, after having examined the possible negative effects of the breach, to request the Provider to make such notification to the subscribers or the individuals.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

There is no specific type of personal data to be breached to trigger a notification obligation. As explained above in clause 1.1, a notification should be made to the CNPD for any personal data breach unless it is unlikely to result in a risk to the rights and freedoms of natural persons, and to the data subjects if it is likely to result in a high risk to the rights and freedoms of natural persons.

The data controller does not have to inform the data subjects where:

• it has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
• it has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in clause 1.1 is no longer likely to materialize;
• it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Pursuant to Articles 33 and 34 of the GDPR, the data processors do not have any obligation to inform the CNPD or the data subjects but, in accordance with Article 28 of the GDPR, the data processors are obliged to provide to the data controller any information necessary to allow it complying with its legal obligations including any information with respect to the existence of a data breach. In addition, pursuant to Article 33 (2) GDPR, processors have to notify the controller without undue delay after becoming aware of a personal data breach.

Under the Law of 2005, a personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed in connection with the provision of publicly available electronic communications services". Personal data is not defined by the Law of 2005 but should be understood as defined by the GDPR. In the event of a personal data breach, a Provider has to notify the CNPD and/or the subscribers or individuals as described above in clause 1.1.

With respect to the notification obligation, the Law of 2005 does not differentiate between data controllers and data processors but the notification obligation (where the conditions of the Law of 2005 are met) applies to any provider of publicly available electronic communications services.

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

Where the data controller is under the obligation to notify the CNPD pursuant to Article 33 of the GDPR, the information to be provided are as follow:

• the facts relating to the personal data breach;
• a description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• the name and contact details of the data protection officer or other contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach;
• a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where the data controller is under the obligation to notify the data subjects pursuant to Article 34 of the GDPR, the information to be provided shall include:

• a description in clear and plain language of the nature of the personal data breach;
• the name and contact details of the data protection officer or other contact point where more information can be obtained;
• the likely consequences of the personal data breach;
• the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Under the Law of 2005, the notification to the subscribers or the individuals should at least describe the breach and the points of contact from which additional information may be obtained but also to recommend measures to be taken to mitigate the possible negative consequences of the breach. The notification to the CNPD should further describe the consequences of the breach and the measures proposed or taken by the Provider.

With respect to the time period in which the notice must be given, please refer to the above clause 1.1.

With respect to the method of giving the notice, please note that there is no mandatory method to inform the data subjects (e.g. the regular mail, email, web-posting or publication) but the CNPD has made available a form on its website to be used by the data controllers to inform it of data breaches. The data breach notification form can be sent to the CNPD by using the following email address: databreach@cnpd.lu.

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

In accordance with Article 83 (4) lit. a) of the GDPR, failure to notify a data breach to the data subjects or the CNPD may result in an administrative fine of up to EUR 10,000,000 or up to 2 % of the total worldwide annual turnover of the preceding financial year (whichever is higher).

Under the Law of 2005, a first failure to notify may result in a warning from the CNPD and, in the event of repeated failure to notify, the CNPD may impose an administrative fine which can be up to EUR 50,000.

It should also be noted that, under the GDPR as well as the Law of 2005, the data controller and the provider shall maintain a record of personal data breaches, including the context of the breaches, their effects and the remedial measures taken by the provider. The data recorded must be sufficient to enable the CNPD to verify the provider’s compliance with the provisions of the Law of 2005 and the GDPR.

The failure to maintain the personal data breaches record can be criminally sanctioned by imprisonment between 8 days and one year and/or penalties ranging between EUR 251 and 125,000 under the Law of 2005 and an administrative fine up to EUR 10,000,000 or up to 2 % of the total worldwide annual turnover of the preceding financial year (whichever is higher) under the GDPR.

Finally, it is also worth mentioning that any data subject who incurred damages due to the failure of the data controller or the Provider to notify the data breach is entitled to seek compensation in accordance with the general principles of civil responsibility under Luxembourg law.

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

Pursuant to Article 34 of the GDPR and even if the data controller is not located in Luxembourg, it is an obligation for any data controller subject to the GDPR to inform the data subjects residing in Luxembourg in the event of a breach concerning their personal data which is likely to result in a high risk to the rights and freedoms of those persons.

1.6 What are the applicable (data protection) laws or guidelines within your country?

The applicable data protection laws in Luxembourg with respect to data breaches are (i) the GDPR, (ii) the Luxembourg Data Protection Law and (iii) the Law of 2005.

On its website the CNPD provides some general guidance and information with respect to data breaches and notifications as well as referring to the guidelines on personal data breaches of the Article 29 Data Protection Working Party.

1.7 Contact information for the local Data Protection Authority:

For more information, contact: