Non-compliance with information technology legislation may put the organisation in a delicate position with its customers (impact on brand image). It can also have financial (fines) or penal (liability of legal persons) consequences. The organisation must therefore respect the law, notably with regard to:
The organisation must also ensure respect for copyright and licences. Sanctions for non-compliance with these laws may threaten the organisation (SMEs: see Invalid or non-existent licence). This particularly applies to copyright on original literary and artistic works, which includes databases and computer programs, as set out in the Law of 18 April 2001.
The IT team is expected to check the requirements for both programs used and data owned by the organisation. In case of doubt, they can consult Luxembourg law at https://meco.gouvernement.lu/fr/le-ministere/domaines-activite/propriete-intellectuelle.html (in French), or contact a legal expert.
The basic principles on this matter are as follows:
Depending on the nature of the data processed, the organisation is bound by the General Data Protection Regulation (GDPR) to implement appropriate measures to prevent any unauthorised person from accessing the data processing facilities (see legal aspects).
Data corresponding to commercial activity must be kept, in one form or another, for ten years from the end of the financial year to which it applies.
Any file or database created must comply with the General Data Protection Regulation (GDPR). The same applies to processing involving both newly created data and pre-existing data. (SMEs: see Unauthorised processing of personal data – Employee monitoring)
In order to work within the confines of the law, the IT manager and the legal manager, having obtained the applicable texts from the National Commission for Data Protection (hereinafter the Commission), ensure the adequacy of the structure, notably in the following areas: