A new draft bill N°7184 adapting and completing Luxembourg law to Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) was lodged with the Luxembourg Parliament on 12 September 2017.
On 3 October 2017, the Article 29 Working Party adopted two new sets of guidelines: the first on personal data breach notification and the second on automated individual decision-making and profiling.
The guidelines on data breach notification follow from the GDPR requirement to notify the competent national supervisory authority (the CNPD in Luxembourg) of any breach that is likely to result in a risk to the rights and freedoms of individuals and, in certain cases, also to notify the individuals whose personal data have been affected by the breach.
Such notification will be mandatory for controllers, and processors will in turn have to inform their controllers whenever a breach occurs. The guidelines therefore encourage controllers and processors to plan in advance and put in place processes that allow them to detect and promptly contain a breach, and they explain the steps controllers and processors can take to meet these new obligations.
A failure to report a breach should be taken seriously, since it may lead to a sanction, including an administrative fine of up to EUR 10 million or up to 2 per cent of the worldwide annual turnover of the controlling entity.
As a consequence of advances in new technologies and the widespread availability of personal data on the internet, the Article 29 Working Party also decided to adopt guidelines on automated individual decision-making and profiling.
Automated individual decision-making and profiling are used in a large number of sectors, including in banking and finance, health, taxation, insurance, marketing and advertising.
The Article 29 Working Party recognises that there are two general benefits of these technologies: increased efficiencies and resource savings.
However, automated individual decision-making and profiling may also pose significant risks for individuals, which is the reason why the GDPR introduces new provisions to address these risks.
These guidelines clarify these new provisions and give good practice recommendations to the actors involved.