Employee Personal Data Protection (GDPR) in Luxembourg
Throughout the employment relationship — from recruitment to departure — employers collect and process personal data about their employees. This processing is governed by the GDPR and Article L.261-1 of the Labour Code: the employer must have a valid lawful basis, comply with strict minimisation and retention principles, and ensure that employees can effectively exercise their rights. This guide covers HR data in general; employee monitoring (video, geolocation, IT controls) is addressed in a dedicated guide.
1. Applicable lawful bases in an HR context
Article L.261-1, §1 of the Labour Code requires that any processing of personal data within the employment relationship be based on one of the lawfulness conditions of Article 6 GDPR. In practice, three grounds cover almost all HR processing activities:
- Performance of the employment contract (Art. 6-1-b GDPR): processing data necessary to administer the contract — remuneration, leave management, appraisals, absence tracking.
- Compliance with a legal obligation (Art. 6-1-c GDPR): social security declarations to the CCSS, submissions to the ADEM, maintenance of legally required registers, mandatory medical check-ups.
- Legitimate interests of the employer (Art. 6-1-f GDPR): prevention of internal fraud, IT network security, access management — provided those interests are not overridden by the employee's fundamental rights and freedoms.
2. Core GDPR principles applied to HR
Article 5 GDPR sets out six principles the employer must respect for every HR data processing activity:
Lawfulness, fairness and transparency
Employees must be informed of the processing activities that concern them, the purposes and their rights — at the latest at the time of collection (Art. 13 GDPR). This information is typically included in the employment contract, the staff regulations or a GDPR notice provided at onboarding.
Purpose limitation
Data collected for a specific purpose may not be reused for incompatible purposes. Badge data collected for time-tracking cannot, without a new lawful basis, be used to monitor an employee's movements.
Data minimisation
Only the data strictly necessary for the declared purpose may be collected. An employer cannot build a comprehensive HR file as a precaution: each data point must be justified by a concrete and current need.
Accuracy
Data must be kept up to date. An employee who changes their family situation, address or bank details must be able to have their data corrected without difficulty.
Storage limitation
Data may not be retained indefinitely. The GDPR imposes no fixed duration: it is for the employer to define, for each data category, a retention period appropriate to the purpose (see section 5).
Integrity and confidentiality
The employer must protect data against unauthorised access, loss and destruction. Sensitive data (health status, disability) requires enhanced security measures.
3. The HR data lifecycle: what is collected and why
At recruitment
The employer may collect data necessary to assess applications: CV, cover letter, qualifications, professional references. It may not request information unrelated to the position (family situation, health status, religious or political beliefs, etc.) — such data constitute special categories under Article 9 GDPR or are protected by the non-discrimination principle.
During the employment relationship
Data collected throughout the employment relationship includes in particular:
- Identification and contact data (name, address, social security number, bank details).
- Remuneration data (salary, bonuses, benefits in kind, payslip history).
- Time management data (leave, absences, overtime, badge records).
- Health-related data linked to legal obligations (mandatory medical check-ups, sick leave submitted to the CCSS) — processed with enhanced protection.
- Appraisal data (annual reviews, objectives, career progression).
- Training data (qualifications, certifications, training participation).
At termination of contract
When an employee leaves, the employer must delete or anonymise data that is no longer necessary. Certain data must however be retained to meet legal obligations (in particular social security and tax requirements) or to defend against potential employment tribunal claims within applicable limitation periods.
4. Employee rights over their personal data
Each employee has the following rights against their employer at any time, independently of any dispute:
Right of access (Art. 15 GDPR)
The employee may request confirmation that data concerning them is being processed and receive a copy. This includes the HR file, appraisals, badge records, training history and payslips.
Right to rectification (Art. 16 GDPR)
The employee may have inaccurate or incomplete data corrected: incorrect address, wrong family situation, incorrect administrative data. The employer must respond within one month.
Right to erasure (Art. 17 GDPR)
This right is not absolute in an HR context. It does not apply where data retention is required by law (accounting, social security, tax obligations) or necessary for the establishment, exercise or defence of legal claims. Outside these cases, the employee may request deletion of data that has become unnecessary.
Right to restriction of processing (Art. 18 GDPR)
The employee may request temporary suspension of processing where they contest the accuracy of the data, object to the processing, or where processing is unlawful but they prefer restriction to erasure.
Right to object (Art. 21 GDPR)
The employee may object to processing based on the employer's legitimate interests, on grounds relating to their particular situation. The employer may however continue processing if it demonstrates compelling legitimate grounds that override the employee's interests.
Right to lodge a complaint with the CNPD
Any employee may refer the matter to the Commission nationale pour la protection des données (CNPD) if they consider that the processing of their data violates the GDPR. Article L.261-1, §5 of the Labour Code expressly states that such a complaint may constitute neither a serious ground nor a legitimate ground for dismissal.
5. Data retention: no universal legal duration
The GDPR does not set a universal retention period for HR data. The employer must define, for each data category, a duration justified by the purpose of the processing and applicable legal obligations.
| Data category | Determining factors | References |
|---|---|---|
| Payroll documents and payslips | Accounting and social security obligations; employment tribunal limitation periods | Art. CSS-VI-426; applicable limitation period |
| Active employee file | Duration of employment + limitation period after departure | Minimisation principle (Art. 5 GDPR) |
| Unsuccessful applications | Reasonable period after the recruitment process | Storage limitation principle (Art. 5-1-e GDPR) |
| Health data (sick leave, medical check-ups) | Strictly limited to the purpose; enhanced protection (Art. 9 GDPR) | Art. 9 GDPR + CCSS obligations |
| Appraisal data | Duration of employment + potential challenge period | Legitimate HR purpose |
6. Mandatory disclosures to third parties
The CCSS: a monthly obligation
The employer is required to transmit monthly to the Centre commun de la sécurité sociale (CCSS) information relating to contributory bases, overtime and periods of incapacity for work (Art. CSS-VI-426). These transmissions are based on a legal obligation within the meaning of Art. 6-1-c GDPR: they do not require employee consent and cannot be refused.
The ADEM and the Minister of Employment
Certain public authorities have access, within the strict limits provided by law, to the data necessary for the exercise of their legal missions — in particular to verify eligibility for unemployment benefits or monitor jobseekers (Art. L.621-3). This access is regulated, authenticated and limited to strictly necessary data.
Social security and occupational health bodies
Data transmitted to the occupational physician in the context of mandatory medical monitoring is subject to medical confidentiality and may not be communicated to the employer in identifiable form without the employee's consent. The employer receives only fitness or unfitness conclusions, not the medical data itself.
7. The Data Protection Officer (DPO)
Designation of a Data Protection Officer (DPO) is mandatory for employers who:
- Carry out large-scale regular and systematic monitoring of data subjects (e.g. systematic monitoring of employees' online behaviour).
- Process special categories of data on a large scale (health data, biometric data, data relating to criminal convictions).
- Are a public authority or body, regardless of the nature of the processing.
Outside these cases, designation of a DPO remains optional (Art. 37 GDPR). An employer may nevertheless voluntarily appoint an internal or external DPO if it wishes to structure its data governance.
8. What employers can and cannot do
The information in this guide is provided for informational purposes only and does not constitute legal advice. It may contain inaccuracies or may not reflect the latest legislative or case-law developments. For any specific situation, please consult a qualified legal professional.