General Data Protection Regulation

Bruno Gossart - Legal & Tax Expert
May 24, 2018
The right to privacy is one of the essential rights recognised in the Charter of Fundamental Rights of the European Union. Starting on 25 May 2018, the European GDP regulation modifies the existing legislation on the protection of personal data. Faced with technological developments enabling almost limitless processing, the European Union wanted to create a set of rules for the protection of privacy where individuals can maintain control of their data and benefit from rights, while also allowing those responsible for processing data (businesses) to operate.

What exactly are personal data? They are all the data which enable a person to be identified, and thanks to technological developments they have become many and varied and are also the subject of many types of processing by businesses.

In order to conduct its insurance business correctly, Bâloise Vie Luxembourg processes many personal data which are communicated to it by its customers and partners. It should be noted that Bâloise Vie Luxembourg was already subject to the Loi modifiée du 2 août 2002 relative à la protection des personnes à l'égard du traitement des données à caractère personnel (Amended Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data)[1].

What new features are introduced by GDPR?

A. New rights for individuals:

  • greater transparency, more information to be given, and limiting the data processed to what is necessary;
  • restricting the use of data to the cases permitted by law, namely, for an insurance company: when entering into a contract (or policy), or if a person gives their consent, or on the basis of a legitimate interest or legal obligation;
  • strengthening existing rights such as the right of access, the right to correct and the right to object;
  • the creation of new rights such as the right of deletion or the right to portability;
  • strengthening the conditions for obtaining consent to the processing of medical data; consent which may be withdrawn at any time.

B. New obligations are imposed on data controllers:

  • to keep a record of all data processing performed;
  • to be in a position to document and prove that the company’s organisation is GRDP compliant;
  • to conduct GRDP impact assessments when developing products and procedures;
  • to appoint a Data Protection Officer (DPO) whose role is to inform and advise on GDPR, and to ensure compliance;
  • to establish a variety of high level security measures to ensure the safeguarding and confidentiality of data when processed by the company, or by its subcontractors who must also comply with GRDP;
  • to set up systems for rapid reaction to data leaks, with notifications to be made to the CNPD[2] and in some cases also to the persons concerned.

C. Strengthening the powers of the supervisory authorities

The National Commission for Data Protection receives greater powers of control and is authorised to impose much more severe penalties: increasing from 2 to 4% of a group’s global turnover or from EUR10 to 20 million.


Non-compliance with GDPR is simply not an option.

GDPR is the introduction of a new culture of systematic, daily and continuous data protection. It is the business of each and every one of us in our company. This is why it is vital for all staff at Bâloise Vie Luxembourg to be trained in GDPR. GDPR, through its quality standards, also aims to restore a climate of trust between individuals and data controllers.

If you would like to know more about the protection and processing of personal data at Bâloise Vie Luxembourg, please contact us or our Data Protection Officer.

[1]The Law of 2 August 2002 came into force on 1 December 2002 as was, in particular, amended by the Law of 27 July 2007 (overview of the main changes) and by the Law of 28 July 2011. It transposes into Luxembourg law the provisions of the Directive 95/46/EC of the European Parliament and Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data.

[2] Commission Nationale pour la Protection des Données (the National Commission for Data Protection) in the Grand Duchy of Luxembourg -