: Marcus Dury, Sandra Dury, Martin Kerz
: Data Protection in Luxembourg Handbook
: Fachmedien Recht und Wirtschaft
: 9783800592555
: 1
: CHF 112.50
: Other
: English
: 308
: Watermark
: PC/MAC/eReader/Tablet
: ePUB
This book offers a practical presentation of the special features of data protection law in Luxembourg and the way it interacts with the General Data Protection Regulation (GDPR). The GDPR has been effective since 25 May 2018. It has been obligatory to comply with the new Luxembourg Data Protection Act in all data processing operations that relate to Luxembourg as a supplement to the GDPR since 20 August 2018. In the first part of this book, you can learn what new legal requirements the GDPR and the new Luxembourg Data Protection Act impose on companies in Luxembourg and group structures with relationships to Luxembourg respectively. The second part contains a systematic presentation of the GDPR and the Luxembourg Data Protection Act. The book aims to help you to meet the requirements of data protection law in Luxembourg in everyday corporate life and implement them in practice with as little expense and effort as possible. The book, which also includes the text of the Luxembourg Data Protection Act, is available in three languages: French, English and German. The German and English translations of the legal text have moreover been authorised by the supervisory authority in Luxembourg, the CNPD, so you can be sure that using the translations will not cause any disadvantage as compared with applying the law in its original wording.

The authors exclusively advise companies in Germany and Luxembourg in the fields of data protection law, IT law and IP law. Attorney at law Marcus Dury LL.M. (legal informatics), who specialises in IT law, has been giving advice as a lawyer in these legal areas since 2007. Attorney at law Sandra Dury and attorney at law Martin Kerz can, furthermore, draw on many years of experience in international companies. Ms. Dury worked in compliance as corporate counsel in Luxembourg for approximately 8 years.

2.3. Roles and agents


The following normative terms form the framework, or set the scene, within which data protection takes place. The GDPR defines the roles precisely: who can take on which role, and which rights and obligations are connected with the respective role. In the following, individuals who can take on these roles are called agents.

2.3.1. Data subjects


The data subject is any identified or identifiable natural person (Art. 4 No. 1 GDPR). It has already been explained above (2.1 on Page 5) when a person is deemed identifiable.

2.3.2. The controller


The controller is the counterpart of the data subject. Whenever personal data is processed, there must be a controller who assumes the responsibility and is ultimately responsible for processing the data adequately (meaning GDPR compliant).11 The controller may be a natural person as well as a legal person, such as a company, government authorities, associations or other organisations. The GDPR goes even further. Each establishment or body can be a controller.

What does that mean in specific terms? In terms of the economy, every company should be able to be a controller. Individual employees of companies are not themselves responsible for data protection, but rather their respective employer is. This only changes for the employee if they process personal data of a data subject for their own purposes, which are beyond the control of their employer.12 In terms of content, Art. 4 No. 7 GDPR lays down the characteristics that qualify a controller: if they “alone or jointly with others determine the purposes and means of the processing of personal data”. The essential criterion is therefore the (independent) decision-making power regarding the purpose for data processing and the means with which it takes place. If the focus is placed on the decision-making authority regarding the means of and purposes for the processing, then it becomes clear why the person is called controller in English. Ultimately, it is the controller who has the control (the controlling decision-making power) regarding the data processing and therefore the designation as a controller is fair.

Examples

A sole trader stores their customers’ contact details and purchasing volumes in a database (the means of processing, the type and the way) in order to be able to submit customised offers to customers in the future that are tailored to their needs (the purpose of the processing).

A handwritten file is kept in a dental practice, in which the condition and course of treatment for the patient’s teeth are documented (the means of processing, the type and the way). The purpose of this file is to comply with the legal and statutory duty of documentation. Likewise, the file helps the attending physician to quickly gain an overview of the condition of their patient’s teeth and also serves as a reference for the treatment of the patients (the purpose of the processing, the purpose for it).

In the corporate environment, the controller is often a legal person, for example, a corporation such as a limited liability company, public limited company, partnership or an organic market participant. In the case of a sole proprietorship, sole traders, self-employed persons or freelancers, the proprietor or owner is responsible for the handling of this data.

The controller is responsible for all legal obligations for the implementation (above all according to Art. 5 and chapter 3 of the GDPR), justification (above all according to Art. 6 to 11 GDPR) and protection (above all chapter 4 and 5 GDPR) of the processing of personal data. Accordingly, the controller is also the recipient of any possible fines and is liable under civil law according to Art. 82 (1) GDPR for breaches of the Regulation (Art. 82 to 84 GDPR).