Information on the protection of personal data
The aim of this document is to provide interested parties with information about how the Luxembourg Independent Media Authority (Autorité luxembourgeoise indépendante de l’audiovisuel, hereafter “ALIA”) processes and protects personal data, and to inform them about their rights arising from the new European legislation on the protection of personal data, especially the General Data Protection Regulation (hereafter “GDPR”1). In the performance of its duties, ALIA, as a “data controller” within the meaning of the GDPR, ensures that it complies with applicable European and Luxembourgish legal provisions in the area of data protection.
I. The nature of the personal data processed
ALIA processes personal data provided by individuals making a complaint. The personal data that need to be processed are therefore identity data, i.e. the name, address and title of the individual making the complaint, as well as his or her email address and telephone number. ALIA considers these data as essential for the performance of its duties, since they enable ALIA’s agents to identify and contact the individual making the complaint. In this way, the Authority complies with the principle of “data minimisation” as laid down in Article 5(1)(c) GDPR. ALIA’s regulation on procedures against an audio or audiovisual media service clearly provides, in Article 3(5), that any complaint must “identify the individual making it” and that “it must include his/her last name and first name or title, and his/her address or registered office”.
Complaints are by nature related to part of an audio or audiovisual programme broadcast by a provider of audiovisual media services. This recording may contain a voice and/or images or other elements that can be used to identify the person making the complaint or a third person. Any examination of the complaint requires the recording to be listened to/viewed repeatedly and therefore to be stored.
The data processed by ALIA as identified above must therefore be considered as “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.2
II. The legal basis and reason for processing personal data
When an individual makes a complaint, he/she consents to his/her personal data being processed by ALIA on the basis of Article 6 (1)(e) GDPR. This provides that it is lawful to process personal data in the event that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.3
With regard to the reasons for processing personal data, Article 35(2) of the Amended Law of 27 July 19914 on Electronic Media lays down ALIA’s missions. These particularly include monitoring and supervising audiovisual media to ensure compliance with European and Luxembourgish legal and regulatory provisions, by addressing any complaints received. All of ALIA’s missions are related to the performance of a task carried out in the public interest or in the exercise of official authority, within the meaning of the aforementioned provision.
The performance of this task requires the decisions taken by the Authority to be published on its website. When publishing these decisions, they are anonymised in such a way that individuals making complaints may not be identified.
III. Access to personal data
The data of anyone making a complaint is accessible only to agents of ALIA who need access to these personal data. When informing the provider of audiovisual media services about the nature of a complaint, the Authority may be required to forward the complaint to the operator in question, including the identity of the individual(s) who made it. The Authority may also be required to forward complaints to the relevant authority in another European Union Member State in connection with its cooperation with other EU regulatory authorities.
ALIA does not share personal data with third parties, either free of charge or to generate profit. ALIA does not systematically exploit these data for its internal requirements.
IV. Retention period
ALIA processes and keeps personal data for as long as is necessary for the performance of its tasks carried out in the public interest. This unspecified period may vary from case to case depending on the substance and complexity of the complaint. At any event, the data is kept until the procedure carried out by ALIA is completed, including any legal remedies. ALIA may decide to keep the personal data beyond the end of the complaint procedure, not only to detect any breaches of procedure on the part of individuals submitting repeated complaints but also for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.5
V. Transferring personal data to third countries
The Authority does not transfer personal data to companies or authorities in third countries outside the European Union. On an exceptional basis, when the supervisory task concerns a provider based outside the European Union over which ALIA has jurisdiction, the Authority may be required to transfer personal data to authorities based outside the European Union. In this case, ALIA makes sure, by examining each case individually, that the level of protection of personal data is the same as that applied under the GDPR.
VI. The rights of data subjects with regard to personal data processing
Any individuals making a complaint have the right to access their personal data. They may contact ALIA at any time to receive all the relevant information concerning the processing of personal data. Data subjects also have the right to request rectification of their personal data.
Data subjects equally have the right to be forgotten, in other words the right to obtain the erasure of their personal data. Any individual who has made a complaint may at any time request the erasure of his or her personal data by contacting the ALIA Data Protection Officer. It is important to note, however, that the Authority may oppose this request if it considers the data to be necessary for the performance of a task carried out in the public interest or in the exercise of its role as an official authority,6 or if it considers the data to be necessary “for archiving purposes in the public interest”.7
If a data subject considers that the Authority has violated the provisions laid down by the GDPR, he or she has two available remedies. The individual may lodge a complaint with the supervisory authority, namely the Luxembourg National Commission for Data Protection (hereafter “CNPD”), in accordance with Article 77 GDPR. Without prejudice to any other available administrative or non-judicial remedy, data subjects may also bring proceedings before the courts (Article 79 GDPR), without first having to lodge a complaint with the CNPD.
VIII. Useful information
For further information about ALIA’s processing of personal data, data subjects may contact the Data Protection Officer:
ALIA – Data Protection Department
18, rue Erasme
Tel. : +352 247-70140
Email : email@example.com
To contact the CNPD, data subjects may use the form on the CNPD website via the following link or use the contact form here.
The form may be sent to the CNPD by email or by post to the following address:
Commission nationale pour la protection des données
Service des réclamations
1, avenue du Rock’n’Roll
Tel. : (+352) 26 10 60-1
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (JO 2016, L 119, 4.5.2016, pp. 1-88).
2 Ibid., Art. 5(1)(c).
3 Ibid., Art. 6(1)(e).
4 Law of 27 August 2013 on the Establishment of the Public Institution “Luxembourg Independent Media Authority” (ALIA), amending the Amended Law of 27 July 1991 on Electronic Media, Memorial A, no. 163, p. 3113, available at: http://legilux.public.lu, last consulted on 30.5.2018.
5 This processing is explicitly provided for in Art. 5(1)(b) and 89 GDPR (“Specific processing situations”).
6 Regulation (EU) 2016/679, op. cit., Art. 17(3)(b).
7 Ibid., Art. 17(3)(d).