5 minutes read
As a European regulation, the GDPR is directly applicable in Luxembourg law and does not require to be transposed into national law. Therefore, except where permitted by the GDPR and necessary, Luxembourg has not adopted any other law to govern personal data collection, processing, and protection. The GDPR became applicable on the 25 May 2018.
Although the GDPR is the main source of legal obligations for processing of personal data in Luxembourg, other laws should also be mentioned as source of the obligations.
Two laws of 1st August 2018:
- the Law on the organization of the National Data Protection Commission and the implementation of the GDPR (Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et du régime général sur la protection des données);
- the Law on the protection of individuals regarding the processing of personal data in criminal matters and in matters of national security, which transposes into national criminal law the principles and obligations provided by the GDPR (Loi du 1er août 2018 relative à la protection des personnes physiques à l’égard du traitement des données à caractère personnel en matière pénale ainsi qu’en matière de sécurité nationale).
Law of 30 May 2005 on specific provisions for the protection of individuals with regard to the processing of personal data in the electronic communications sector (Loi du 30 May 2005 relative aux dispositions spécifiques de protection de la personne à l'égard du traitement des données à caractère personnel dans le secteur des communications électroniques).
Finally, for the specific purpose of data retention, there may be other applicable laws which will be indicated below when relevant.
Guidelines
Several steps shall be followed in order to comply with Luxembourg Law:
1) Adoption and implementation of a retention and deletion policy
In order to comply with the obligations set out in the GDPR, companies shall adopt and implement a retention and deletion policy (the “Policy”).
Such Policy shall serve as one of the internal norms on the basis of which personal data collected by the company in the course of its business shall be processed.
The Policy shall be comprehensive, meaning that its scope shall cover all relevant data collected and processed by the company, on any material support (e.g., paper, electronically, or any other support); and shall include all types of records which the company creates or holds (e.g., employee information; information on clients and/or external parties; corporate files; contracts and invoices; tax files; registers; legal files; etc.)
The Policy shall also apply to all members of the company.
The Policy shall set forth a clear and precise retention schedule for all records, but which varies according to their nature and considering the support on which they are stored.
Finally, the Policy shall provide for a period of time after which it will have to be reviewed and amended where relevant.
2) Identifying the roles played in respect of the Policy \
The Policy shall clearly identify the persons responsible for its implementation.
Usually:
- the executive board is in charge of drafting and adopting the Policy and also of reviewing the Policy after a reasonable period of time;
- the management (g., directors, etc.) is responsible for ensuring that the Policy is correctly applied and enforced within the company. They are also in charge of deciding on extending the retention period of a specific record and on disposing of such record;
- the Data Protection Officer, if appointed, is responsible for administering the Policy and dealing with the everyday queries and challenges.
3) Define a retention schedule
The Policy shall set out a comprehensive retention schedule which will list each type of data that will be collected and processed by the company in the course of its business.
The general principle is that the collected and processed data shall not be retained by the company for a period longer than what is necessary for achieving the purposes for which the data was collected and processed in the first place. The idea behind this principle is that the company shall find the right balance (proportionality) between its commercial needs – justifying that personal data is retained for a certain period of time – and the privacy rights of the people whose data has been collected and processed.
The company shall identify the proportionate retention period for each type of collected and processed data, depending on its nature and on the support on which it was recorded. The Policy shall provide for the minimum amount of time during which the data will be stored by the company, but also a general maximum period after which the data will be destroyed.
Generally personal data should not be kept longer than the applicable limitation period in accordance with applicable law.
Therefore, most retention policies in Luxembourg provide for an average minimum retention period of 10 years for most of the collected and processed data. This is due to the fact that general prescription for claims in commercial matters, i.e. involving companies is 10 years.
Nevertheless, the company has the right to individually and proportionally extend the retention period of a specific record, as long as it is justified by the legitimate interests of the company. The circumstances in which such decision may be taken shall be duly provided by the Policy, and the Policy shall also clearly identify the persons within the company responsible for taking such decision. In any case, the decision to extend a retention period shall be duly motivated and record in particular why the legitimate interests pursued by the company are not overridden by the interests or fundamental rights and freedoms of the data subject.
The maximum retention period is usually 30 years, as this is the longest limitation period applicable under Luxembourg Civil Code.
See Annexes for examples of applicable retention periods.
4) Define a deletion policy
The Policy shall also regulate the deletion of the retained data.
Once a retention period has expired, the company shall delete the recorded data if the retention period has not been extended.
Deletion can take the form of either:
- destruction; or
- anonymization
The Policy shall clearly provide for the circumstances in which a record shall be destroyed and in which it shall be anonymized.
Confidentiality of the data shall always be ensured during the process.
5) Communication of and information about the Policy
Finally, once the Policy has been adopted, the company shall ensure that all its employees and all the third parties who may have their data collected and processed by the company have been informed about the Policy and have access to such Policy.
The retention schedules provided below serve only as examples of a common practice in Luxembourg:
| Legal files / contracts and agreements | ||||
Document description |
Retention Period |
Start of the retention period |
Relevant legal provision |
|
| 1 | Contracts, agreements and other arrangements | Min. 10 years | Once the document has lost its business value | Art. 189 Commercial code |
| 2 | Permits, licenses, certificates | Min. 10 years | After the end of the financial year during which it has been issued | Art. 14 and 16 Commercial code |
| 3 | Confidentiality and non-competition agreements (if a penalty is attached to the non-competition or confidentiality clause) | Min. 10 years | From the termination of the agreement | Art. 189 Commercial code |
| 4 | Legal files concerning provision of services | Min. 10 years | From the date of the service provider’s last involvement with the company / client | Art. 189 Commercial code |
| General company records | ||||
Document description |
Retention period |
Start of the retention period |
Relevant legal provision |
|
| 1 |
Company’s articles of association and any modifications or amendments thereof, shareholders’ register |
During the company’s existence | Incorporation of the company | Article 710-8 of the law of 10 August 1915 on commercial companies (for private limited liability companies) |
| 2 |
Company’s accounting books and records, related supporting documents and correspondence received and copies of the outgoing correspondence (to be kept in a chronological order and in accordance with a methodical classification) Note: With the exception of the balance sheet and the profit and loss accounts, the documents and information can be stored in copy form. |
Min. 10 years | End of the financial year to which the documents relate |
Articles 11, 12, 14, 15 and 16 of the Commercial Code |
| 3 | Corporate documentation such as ordinary shareholder general meeting’s minutes or written resolutions, board / management meeting minutes or written resolutions, etc. | Min. 10 years | Once the document has lost its actual value |
Article 1400-6 of the law of 10 August 1915 on commercial companies Article 189 of the Commercial Code Article 1315 of the Civil Code |
| 4 | Records and documents of the dissolved company, and the information regarding the company’s beneficial owners as well the relevant supporting documents | Min. 10 years |
Publication of the closing of the liquidation of the company in the RESA For the information on the company’s beneficial owners the period starts to run as from the date of the striking-off of the company from the RCS |
Article 1100-15 and article 1400-6 of the law of 10 August 1915 on commercial companies Article 17 of the law of 13 January 2019 establishing the Beneficial Owners Register |
| 5 | Insurance policies | Min. 10 years | Once the contract has been terminated | Art. 189 Commercial code |
| 6 | Correspondence | Min. 10 years | Once the document has lost its actual value | Art. 189 Commercial code |
| 7 | Login and logout data of visitors | 3 months | Following the end of the visit | N/A |
| Tax and accounting records - General taxes | ||||
Document description |
Retention period |
Start of the retention period |
Relevant legal provision |
|
| 1 | Information relevant to the tax position of the taxpayer, including all books, records and other data carriers | Min. 10 years | Following the tax year to which the information relates | |
| 2 | Books, records and other data carriers form which the taxpayer can at all times show its rights and obligation in the interest of levying taxes | Min. 10 years | Following the tax year to which the information relates | |
| 3 | Tax liabilities of third parties | Min. 10 years | Following the tax year to which the information relates | |
| Tax and accounting records - VAT | ||||
Document description |
Retention period |
Start of the retention period |
Relevant legal provision |
|
| 4 | Sufficiently detailed company accounts that allow for the correct application of VAT and their control by the VAT Authorities | Min. 10 years | Following (i) the closing of the books for accounting, (ii) date of issuance of invoices (iii) date of the documents for other documents | Art. 65 VAT Act & GDR 21 Dec. 1979 |
| 5 | General obligation to keep at least the following records: (i) VAT invoices sent and received; (ii) documentation relating to supplies of goods and supplies of services, imports, and deemed supplied of goods and services (self-supplies); (iii) documentation relating to goods imported form, and exported to, outside the EU. | Min. 10 years | Following (i) the closing of the books for accounting, (ii) date of issuance of invoices (iii) date of the documents for other documents | Art. 65 VAT Act & GDR 21 Dec. 1979 |
| Tax and accounting records - Corporate income | ||||
Document description |
Retention period |
Start of the retention period |
Relevant legal provision |
|
| 6 | Information concerning intra-group price setting | Min. 10 years | Following the tax year to which the information relates | Art. 171(3) AO |
| Payroll and salary records | ||||
Document description |
Retention period |
Start of the retention period |
Relevant legal provision |
|
| 1 | Wages and other benefits records, including tax-exempt benefits. | Min. 10 years | As of the end of the financial year to which the information relates | Art. 14 and 16 Commercial code |
| 2 | General information about employees such as name, date of birth, tax registration number and address. | Min. 10 years | As of the end of the financial year during which the employment contract ended |
Art. 14 and 16 Commercial Code No specific period provided by labor law. |
| 3 | Payroll records (wages, tax and social security records, payslips, overtime compensation, bonuses, expenses, benefits in kind) | Min. 10 years |
As of the end of the financial year during which the employment contract ended Regarding payslips from the end of financial year to which they relate |
Art.14 and 16 Commercial Code and 162(8) General Tax Law of 22 May 1931 |
| 4 | Severance pay records (e.g. decisions of the court regarding dismissal, correspondence with the competent authorities regarding dismissal, outplacement records, calculation of termination payments) | Min. 10 years | From the closure of the financial year during which the dismissal occurred |
Art.14 and 16 Commercial Code |
| HR / Employment / Pension records | ||||
Document description |
Retention period |
Start of the retention period |
Relevant legal provision |
|
| 5 | Employment contract | Min. 10 years |
As of the end of the financial year during which the employment contract ended |
Art.14, 16 and 189 Commercial Code |
| 6 | Copy of identification documents | Min. 10 years |
As of the end of the financial year during which the employment contract ended |
Art.14, 16 and 189 Commercial Code |
| 7 | Business data and documents concerning pension schemes and related subjects | Min. 10 years | As of the end of the financial year to which they relate |
Art.14, 16 and 189 Commercial Code According to article 4 (3) CNIL Deliberation 2004-09 of December 9, 2004 the information required to establish pension rights may be kept for an unlimited period of time. |
| 8 | Pension plans and schemes, career and talent development programs, diversity programs, other HR policies (e.g. alcohol and drugs policy) personnel handbook, social plans | No retention period | Concerning career and talent development programs, as long as the employee works for the company | No specific legal basis exists, advice is based on recommendation from the French data protection authority CNIL Deliberation 2005-002 of January 13, 2005, See article 3(b) (5) |
| 9 | Data of rejected job applicants, (e.g. application letters, CVs, references, certificates of good conduct, job interview notes, assessment and psychological test results) | 2 years | From the date the application procedure ended. |
No specific legal basis exists. Option to defer the start of the retention period from the last date of contact with the candidate, if this happens at a later date (Recommendation CNIL n°02-017) |
| 10 | Data concerning a temporary worker | As long as the employee works for the company | ||
| 11 | Reports on employee performance review meetings and assessment interview (e.g. evaluations, employments application forms of successful applicants, copies of academic and other training received, employments contracts and their amendment, correspondence concerning appointments, appraisals, promotions and demotions, agreements concerning activities in relation to the works council, references and sick leave records) |
As long as the employee works for the company.
In case of dismissal, data shall be kept until the end of the legal period within which the employee may challenge the termination of his/her employment contract and, in case of litigation, for the duration of the legal proceedings. |
No specific legal basis exists, advice is based on recommendation from the French data protection authority CNIL Deliberation 2005-002 of January 13, 2005 – simplified standard No. 46 | |
| 12 | Employee stock purchases and option records | Max. 2 years | Once the employment has ended. The data may need to be kept longer in cases where this would be necessary to fulfil other legal retention duties | |
| 13 | Expats records and other records relating to foreign employees (e.g. visa, work permit) | As long as the employee works for the company | CNIL Deliberation 2005-002 of January 13, 2005 – simplified standard No. 46 | |
| 14 | Data concerning pension and early retirement | Min. 2 years | Once the employment has ended. The data may need to be kept longer in cases where this would be necessary to fulfil other legal retention duties | |
| 15 | Personal data of employees in network systems, computer systems, communication equipment used by employees, access controls and other internal management / administration | Max. 6 months | After obtaining the data. The data may be kept longer if necessary to comply with a statutory retention obligations | |
| 16 | Camera recordings |
In principle, 8 days Exceptionally, 30 days (specific reasons, such as the occurrence of an incident or infraction) |
From the day, hour and minute of the fragment making (automatic erasure) | CNPD, « lignes directrices en matière de vidéosurveillance » |
| Purchasing records | ||||
Document description |
Retention period |
Start of the retention period |
Relevant legal provision |
|
| 1 | Records of all delivery of goods or services, intra- EU acquisitions, import and export | Min. 10 y | Following (i) the closing of the books for accounting, (ii) date of issuance of invoices (iii) date of the documents for other documents. | Art. 65 VAT Act & GDR 21 Dec. 1979 |
| 2 | General ledger, account receivable department, accounts payable department (procurement and) sales administration, inventory records | Min. 10 y | Following the tax year to which the information relates | |
| 3 | Debtors and creditors reports | Max. 2 y | Once the transaction in question is concluded, unless longer retention is necessary to satisfy a legal obligation | |
View the full comparative table published by OneTrust DataGuidance HERE.
