Grand Duchy of Luxembourg
Advice & Guidance
Legal Aspects

Legal Aspects

In Brief

Failure to comply with legislation in the field of information technology can put the organisation in a difficult situation vis-à-vis the law, its customers (brand image) and also in terms of financial consequences (fines) or criminal consequences (personal liability).

The legal responsibilities and obligations of companies about the protection of personal data were presented during the Internet Security Day 2007 by Maître Cyril Pierre-Beausse on computer crime: Repression and legal risks for companies relating to personal data.

Thus, the law punishes organisations from which information is stolen even more severely than the thieves themselves due to the breach of their obligation to protect personal and/or sensitive data.

The law recognises and punishes:

  • the liability of the perpetrator of the attack;
  • the liability of the intermediary of the attack;
  • the responsibility of the victim of the attack. The legal consequence of a breach of the security obligation concerning personal data processing is punishable by 8 days to 1 year in prison and by a fine from 251 to 125,000 euros.

All organisations must implement a security policy based on:

  • the risk of invasion of privacy;
  • the state of the art (which implies an obligation to keep itself updated and informed);
  • costs relating to implementation.

Draft and enforce a Sectoral policy on compliance.

Intellectual Property

Copyright on original literary and artistic works, which include databases and computer programs, as defined in the amended Law of 18 April 2001, must be respected. For example, the following basic principles can be cited:

  • any reproduction, communication to the public or distribution to the public must be authorised by the author; this also applies to Internet distribution, except where otherwise required by law;
  • software is also protected by copyright and must be respected. Only the holder(s) of these rights can decide what uses of the respective programs are allowed or not, and whether to make them subject to licence, free or against payment. The question of respect for copyright is therefore not merely limited to the acquisition of software licences;
  • patents must be respected;
  • brands, designs and models must be respected;

For any other question, please contact the Office of Intellectual Property.

Personal Data Protection

All files or databases must be created in accordance with the Law of 2 August 2002 on the protection of individuals in respect of the processing of personal data. The same applies to the process involving both newly created data and pre-existing data.

To ensure compliance with this law, the IT manager and the legal officer must obtain the applicable texts from the National Commission for Data Protection (CNPD) and ensure that the structure is suitable, particularly in respect of:

  • declaration to the CNPD of data and processing;
  • obtaining authorisation from the Commission when required;
  • data quality and the legitimacy of processing;
  • the rights of the individuals involved to receive information and submit objections;
  • potentially discriminatory data (racial, ethnic, political, religious, philosophical, union membership) or health-related data.

It is also important to remember the 10 personal data protection principles:

1. Principle of legitimacy

Personal data may only be processed if there are sufficiently legitimate grounds to do so.

2. Principle of purpose

The use of personal data must be limited to a purpose that is explicitly specified in advance and must be limited to what is necessary to achieve the purposes expressly defined by the organisation requesting the personal data.

3. Principle of necessity and proportionality

Processing should be limited to data for which there is a direct relationship with the original purpose of the processing.

4. Principle of data accuracy

On the basis that inaccurate or incomplete information may be harmful to the person to whom it relates, every effort must be made to ensure that processed data is correct and up to date and that the option to rectify or delete it is available.

5. Principle of fairness

Personal data must be collected, recorded, used and transmitted in good faith and made known to the individuals involved.

6. Principle of security and confidentiality

Personal data must be stored in secure places, on secure equipment.

7. Principle of transparency

Under the law, individuals may: ask to see a copy of their personal data; request information on why the data are being held; object if the processing is unlawful. Registration of all databases with the National Commission for Data Protection upholds the principle of transparency.

8. Certain types of particularly sensitive data are subject to enhanced protection

Processing data revealing opinions or beliefs relating to health and sex life, including genetic data, is prohibited, apart from certain exceptions listed in the law.

9. Surveillance (audio, video, data) of identifiable persons is strictly limited by law

Authorisation by the National Commission for Data Protection is required before technical means can be used to monitor people. The personal data thus collected may only be processed in the specific instances outlined in the law.

10. The use of data for advertising purposes or unsolicited sales prospecting is subject to express authorisation

The use of personal data for commercial purposes may be prohibited at any time. In principle, direct marketing using modern communications media (SMS, email) is prohibited, unless you have expressly agreed to it.

Deviation from one or more of these principles is punishable by law.

Furthermore, the individuals involved must be fully aware of the collection of their personal information and must give their prior consent to any collection and processing of their personal information.

Image Rights

The right to privacy, a basic principle in terms of image rights, is enshrined in a number of legal texts, including:

  1. Article 8 of the European Convention on Human Rights;
  2. Article 14(1) of the Law of 8 June 2004 on Freedom of Expression in the Media, as amended, which provides that everyone has the right to privacy;
  3. the Law of 11 August 1982 on the protection of privacy, prohibiting any deliberate violation of the privacy of others, ‘by holding or commissioning the holding, by any device, of images of a person in a location not accessible to the public without the consent of that individual’. This law also prohibits the publication of such images.

It follows from these texts that everyone has the right to object to their image both being taken and published: agreeing to be photographed does not grant authorisation to disseminate photographs in any circumstances.

It is strongly advised that the consent of an individual is obtained before their picture is taken and (in particular) photographs of them are published. For minors, the consent of their parents or other legal representatives must be obtained, as well as the consent of minors who have reached the age of reason.