On 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) entered into force. The act of 1 August 2018 on the organization of the National Commission for Data Protection (CNPD) and implementation of Regulation (EU) 2016/679 implemented the national framework in Luxembourg concerning data protection.
The GDPR governs the processing of personal data in the European Union and gives citizens more control over their personal data.
• Who is concerned?
The GDPR applies to all organizations and companies (regardless of their size, location and activity) whenever they process personal data. Personal data is any information relating to an identified or identifiable natural person, such as a name, phone number, email or mailing address, or social security number. The rights of the persons whose data is collected must be respected.
• What changes?
The national supervisory authority, the CNPD, ensures compliance with the provisions of the GDPR. The formalities with the CNPD are now less burdensome for companies, but companies must ensure optimum data protection at all times and be able to demonstrate it by documenting their compliance. One area particularly affected by the GDPR's provisions is labour law. The rights of employees are strengthened (for example on the issues of geolocation of employees or video surveillance).
• GDPR Audits
Sanctions for non-compliance with the GDPR can be severe. In addition to possible judicial sanctions (criminal convictions, criminal fines, damages), administrative fines of up to 4% of a company's global turnover or € 20 million are provided for. Apart from possible sanctions, the opening of a procedure by the CNPD (a frequent case being the dismissed employee who files a complaint with the CNPD) can damage a company's reputation and waste valuable time: it is better to audit and anticipate potential problems.
Admittedly, the GDPR imposes obligations on companies (informing data subjects of their rights, processing only the information strictly necessary for a given purpose, keeping documentation on data processing, etc.), but it also brings companies advantages. By complying, companies review their internal processes, become more effective and improve their brand image.
It is never too late to comply.