As a European regulation, the GDPR is directly applicable in Luxembourg law and does not require to be transposed into national law. Therefore, except where permitted by the GDPR and necessary, Luxembourg has not adopted any other law to govern personal data collection, processing, and protection. The GDPR became applicable on the 25 May 2018.

Although the GDPR is the main source of legal obligations for processing of personal data in Luxembourg, other laws should also be mentioned as source of the obligations.

Two laws of 1st August 2018:

  • the Law on the organization of the National Data Protection Commission and the implementation of the GDPR (Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et du régime général sur la protection des données);
  • the Law on the protection of individuals regarding the processing of personal data in criminal matters and in matters of national security, which transposes into national criminal law the principles and obligations provided by the GDPR (Loi du 1er août 2018 relative à la protection des personnes physiques à l’égard du traitement des données à caractère personnel en matière pénale ainsi qu’en matière de sécurité nationale).

Law of 30 May 2005 on specific provisions for the protection of individuals with regard to the processing of personal data in the electronic communications sector (Loi du 30 May 2005 relative aux dispositions spécifiques de protection de la personne à l'égard du traitement des données à caractère personnel dans le secteur des communications électroniques).

Finally, for the specific purpose of data retention, there may be other applicable laws which will be indicated below when relevant.

Guidelines

Several steps shall be followed in order to comply with Luxembourg Law:

1) Adoption and implementation of a retention and deletion policy 

In order to comply with the obligations set out in the GDPR, companies shall adopt and implement a retention and deletion policy (the Policy”).

Such Policy shall serve as one of the internal norms on the basis of which personal data collected by the company in the course of its business shall be processed.

The Policy shall be comprehensive, meaning that its scope shall cover all relevant data collected and processed by the company, on any material support (e.g., paper, electronically, or any other support); and shall include all types of records which the company creates or holds (e.g., employee information; information on clients and/or external parties; corporate files; contracts and invoices; tax files; registers; legal files; etc.)

The Policy shall also apply to all members of the company.

The Policy shall set forth a clear and precise retention schedule for all records, but which varies according to their nature and considering the support on which they are stored.

Finally, the Policy shall provide for a period of time after which it will have to be reviewed and amended where relevant.

2) Identifying the roles played in respect of the Policy \

The Policy shall clearly identify the persons responsible for its implementation.

Usually:

  • the executive board is in charge of drafting and adopting the Policy and also of reviewing the Policy after a reasonable period of time;
  • the management (g., directors, etc.) is responsible for ensuring that the Policy is correctly applied and enforced within the company. They are also in charge of deciding on extending the retention period of a specific record and on disposing of such record;
  • the Data Protection Officer, if appointed, is responsible for administering the Policy and dealing with the everyday queries and challenges.
3) Define a retention schedule 

The Policy shall set out a comprehensive retention schedule which will list each type of data that will be collected and processed by the company in the course of its business.

The general principle is that the collected and processed data shall not be retained by the company for a period longer than what is necessary for achieving the purposes for which the data was collected and processed in the first place. The idea behind this principle is that the company shall find the right balance (proportionality) between its commercial needs – justifying that personal data is retained for a certain period of time – and the privacy rights of the people whose data has been collected and processed.

The company shall identify the proportionate retention period for each type of collected and processed data, depending on its nature and on the support on which it was recorded. The Policy shall provide for the minimum amount of time during which the data will be stored by the company, but also a general maximum period after which the data will be destroyed.

Generally personal data should not be kept longer than the applicable limitation period in accordance with applicable law.

Therefore, most retention policies in Luxembourg provide for an average minimum retention period of 10 years for most of the collected and processed data. This is due to the fact that general prescription for claims in commercial matters, i.e. involving companies is 10 years.

Nevertheless, the company has the right to individually and proportionally extend the retention period of a specific record, as long as it is justified by the legitimate interests of the company. The circumstances in which such decision may be taken shall be duly provided by the Policy, and the Policy shall also clearly identify the persons within the company responsible for taking such decision. In any case, the decision to extend a retention period shall be duly motivated and record in particular why the legitimate interests pursued by the company are not overridden by the interests or fundamental rights and freedoms of the data subject.   

The maximum retention period is usually 30 years, as this is the longest limitation period applicable under Luxembourg Civil Code.

See Annexes for examples of applicable retention periods.

4) Define a deletion policy 

The Policy shall also regulate the deletion of the retained data.

Once a retention period has expired, the company shall delete the recorded data if the retention period has not been extended.

Deletion can take the form of either:

  • destruction; or
  • anonymization 

The Policy shall clearly provide for the circumstances in which a record shall be destroyed and in which it shall be anonymized.

Confidentiality of the data shall always be ensured during the process.

5) Communication of and information about the Policy 

Finally, once the Policy has been adopted, the company shall ensure that all its employees and all the third parties who may have their data collected and processed by the company have been informed about the Policy and have access to such Policy.

The retention schedules provided below serve only as examples of a common practice in Luxembourg:

Legal files / contracts and agreements 
 
Document description
Retention Period
Start of the retention period
Relevant legal provision
1 Contracts, agreements and other arrangements   Min. 10 years   Once the document has lost its business value Art. 189 Commercial code  
2 Permits, licenses, certificates   Min. 10 years   After the end of the financial year during which it has been issued    Art. 14 and 16 Commercial code  
3 Confidentiality and non-competition agreements (if a penalty is attached to the non-competition or confidentiality clause)   Min. 10 years   From the termination of the agreement   Art. 189 Commercial code  
4 Legal files concerning provision of services   Min. 10 years   From the date of the service provider’s last involvement with the company / client   Art. 189 Commercial code  

 

 

General company records
 
Document description
Retention period
Start of the retention period
Relevant legal provision 
1

Company’s articles of association and any modifications or amendments thereof, shareholders’ register

During the company’s existence   Incorporation of the company   Article 710-8 of the law of 10 August 1915 on commercial companies (for private limited liability companies)  
2

Company’s accounting books and records, related supporting documents and correspondence received and copies of the outgoing correspondence (to be kept in a chronological order and in accordance with a methodical classification)

Note: With the exception of the balance sheet and the profit and loss accounts, the documents and information can be stored in copy form.  

Min. 10 years   End of the financial year to which the documents relate  

Articles 11, 12, 14, 15 and 16 of the Commercial Code

3 Corporate documentation such as ordinary shareholder general meeting’s minutes or written resolutions, board / management meeting minutes or written resolutions, etc. Min. 10 years   Once the document has lost its actual value  

Article 1400-6 of the law of 10 August 1915 on commercial companies

Article 189 of the Commercial Code

Article 1315 of the Civil Code  

4 Records and documents of the dissolved company, and the information regarding the company’s beneficial owners as well the relevant supporting documents   Min. 10 years  

Publication of the closing of the liquidation of the company in the RESA

For the information on the company’s beneficial owners the period starts to run as from the date of the striking-off of the company from the RCS  

Article 1100-15 and article 1400-6 of the law of 10 August 1915 on commercial companies

Article 17 of the law of 13 January 2019 establishing the Beneficial Owners Register  

5 Insurance policies   Min. 10 years   Once the contract has been terminated   Art. 189 Commercial code  
6 Correspondence   Min. 10 years   Once the document has lost its actual value   Art. 189 Commercial code  
7 Login and logout data of visitors   3 months Following the end of the visit   N/A

 

 

Tax and accounting records - General taxes
 
Document description
Retention period
Start of the retention period
Relevant legal provision 
1 Information relevant to the tax position of the taxpayer, including all books, records and other data carriers   Min. 10 years   Following the tax year to which the information relates    
2 Books, records and other data carriers form which the taxpayer can at all times show its rights and obligation in the interest of levying taxes   Min. 10 years Following the tax year to which the information relates    
3 Tax liabilities of third parties Min. 10 years Following the tax year to which the information relates    
Tax and accounting records - VAT
 
Document description
Retention period
Start of the retention period
Relevant legal provision 
4 Sufficiently detailed company accounts that allow for the correct application of VAT and their control by the VAT Authorities   Min. 10 years Following (i) the closing of the books for accounting, (ii) date of issuance of invoices (iii) date of the documents for other documents Art. 65 VAT Act & GDR 21 Dec. 1979  
5 General obligation to keep at least the following records: (i) VAT invoices sent and received; (ii) documentation relating to supplies of goods and supplies of services, imports, and deemed supplied of goods and services (self-supplies); (iii) documentation relating to goods imported form, and exported to, outside the EU.   Min. 10 years Following (i) the closing of the books for accounting, (ii) date of issuance of invoices (iii) date of the documents for other documents Art. 65 VAT Act & GDR 21 Dec. 1979
Tax and accounting records - Corporate income
 
Document description
Retention period
Start of the retention period
Relevant legal provision 
6 Information concerning intra-group price setting Min. 10 years Following the tax year to which the information relates   Art. 171(3) AO  

 

 

Payroll and salary records
 
Document description
Retention period
Start of the retention period
Relevant legal provision 
1 Wages and other benefits records, including tax-exempt benefits.   Min. 10 years   As of the end of the financial year to which the information relates   Art. 14 and 16 Commercial code  
2 General information about employees such as name, date of birth, tax registration number and address.   Min. 10 years As of the end of the financial year during which the employment contract ended  

Art. 14 and 16 Commercial Code

No specific period provided by labor law.  
3 Payroll records (wages, tax and social security records, payslips, overtime compensation, bonuses, expenses, benefits in kind)   Min. 10 years

As of the end of the financial year during which the employment contract ended

Regarding payslips from the end of financial year to which they relate  

Art.14 and 16 Commercial Code and 162(8) General Tax Law of 22 May 1931

4 Severance pay records (e.g. decisions of the court regarding dismissal, correspondence with the competent authorities regarding dismissal, outplacement records, calculation of termination payments)   Min. 10 years From the closure of the financial year during which the dismissal occurred   

Art.14 and 16 Commercial Code

HR / Employment / Pension records
 
Document description
Retention period
Start of the retention period
Relevant legal provision 
5 Employment contract   Min. 10 years

As of the end of the financial year during which the employment contract ended

Art.14, 16 and 189 Commercial Code  
6 Copy of identification documents   Min. 10 years

As of the end of the financial year during which the employment contract ended

Art.14, 16 and 189 Commercial Code  
7 Business data and documents concerning pension schemes and related subjects   Min. 10 years As of the end of the financial year to which they relate  

Art.14, 16 and 189 Commercial Code

 

According to article 4 (3) CNIL Deliberation 2004-09 of December 9, 2004 the information required to establish pension rights may be kept for an unlimited period of time.  
8 Pension plans and schemes, career and talent development programs, diversity programs, other HR policies (e.g. alcohol and drugs policy) personnel handbook, social plans   No retention period Concerning career and talent development programs, as long as the employee works for the company   No specific legal basis exists, advice is based on recommendation from the French data protection authority CNIL Deliberation 2005-002 of January 13, 2005, See article 3(b) (5)  
9 Data of rejected job applicants, (e.g. application letters, CVs, references, certificates of good conduct, job interview notes, assessment and psychological test results)   2 years From the date the application procedure ended.  

No specific legal basis exists.

Option to defer the start of the retention period from the last date of contact with the candidate, if this happens at a later date (Recommendation CNIL n°02-017)  
10 Data concerning a temporary worker     As long as the employee works for the company    
11 Reports on employee performance review meetings and assessment interview (e.g. evaluations, employments application forms of successful applicants, copies of academic and other training received, employments contracts and their amendment, correspondence concerning appointments, appraisals, promotions and demotions, agreements concerning activities in relation to the works council, references and sick leave records)    

As long as the employee works for the company.

 

In case of dismissal, data shall be kept until the end of the legal period within which the employee may challenge the termination of his/her employment contract and, in case of litigation, for the duration of the legal proceedings.

No specific legal basis exists, advice is based on recommendation from the French data protection authority CNIL Deliberation 2005-002 of January 13, 2005 – simplified standard No. 46  
12 Employee stock purchases and option records   Max. 2 years Once the employment has ended. The data may need to be kept longer in cases where this would be necessary to fulfil other legal retention duties    
13 Expats records and other records relating to foreign employees (e.g. visa, work permit)     As long as the employee works for the company   CNIL Deliberation 2005-002 of January 13, 2005 – simplified standard No. 46  
14 Data concerning pension and early retirement Min. 2 years Once the employment has ended. The data may need to be kept longer in cases where this would be necessary to fulfil other legal retention duties    
15 Personal data of employees in network systems, computer systems, communication equipment used by employees, access controls and other internal management / administration   Max. 6 months After obtaining the data. The data may be kept longer if necessary to comply with a statutory retention obligations    
16 Camera recordings  

In principle, 8 days

Exceptionally, 30 days (specific reasons, such as the occurrence of an incident or infraction)  

From the day, hour and minute of the fragment making (automatic erasure)   CNPD, « lignes directrices en matière de vidéosurveillance »  

 

 

Purchasing records
 
Document description
Retention period
Start of the retention period
Relevant legal provision 
1 Records of all delivery of goods or services, intra- EU acquisitions, import and export   Min. 10 y   Following (i) the closing of the books for accounting, (ii) date of issuance of invoices (iii) date of the documents for other documents.   Art. 65 VAT Act & GDR 21 Dec. 1979  
2 General ledger, account receivable department, accounts payable department (procurement and) sales administration, inventory records   Min. 10 y   Following the tax year to which the information relates    
3 Debtors and creditors reports   Max. 2 y   Once the transaction in question is concluded, unless longer retention is necessary to satisfy a legal obligation    

 

View the full comparative table published by OneTrust DataGuidance HERE