Security Policy – Compliance

Comply with legislation

Non-compliance with information technology legislation may put the organisation in a delicate situation (impacts) with regard to its customers (brand image). It can also result in financial (fines) or penal (liability of legal persons) consequences. The organisation must therefore respect the law, notably with regard to:

Intellectual property

The organisation must also ensure the respect of copyright and licences. Sanctions for non-compliance with these laws may threaten the organisation (SMEs: see Invalid or non-existent licence). This particularly applies to copyright on original literary and artistic works, which includes databases and computer programs, as set out in the Law of 18 April 2001.

The IT team is expected to check the requirements for both programs used and data owned by the organisation. In case of doubt, they can consult Luxembourg law at (in French), or contact a legal expert.

The basic principles on this matter are as follows:

  • any reproduction, public broadcasting or distribution must be authorised by the author;
  • this also applies to online distribution;
  • software licences must be respected;
  • patents must be respected;
  • brands, designs and models must be respected;

Protection of operational data

Depending on the nature of the data processed, the organisation is bound by the General Data Protection Regulation (GDPR) to implement appropriate measures to prevent any unauthorised person from accessing the data processing facilities (see legal aspects).

Data corresponding to commercial activity must be kept, in one form or another, for ten years from the end of the financial year to which it applies.

Applying security measures to:

  • All vital or important data processing systems.

Behavioural measures:

Directly associated organisational measures:

Technical measures:

Personal data protection

Any file or database created must comply with the General Data Protection Regulation (GDPR). The same applies to processing involving both newly created data and pre-existing data. (SMEs: see Unauthorised processing of personal data – Employee monitoring)

In order to work within the confines of the laws, the IT manager and the legal manager, having obtained the applicable texts from the National Commission for Data Protection (hereinafter the Commission) ensure the adequacy of the structure, notably in the following areas:

  • declaration of data and processing to the Commission;
  • obtaining authorisation from the Commission whenever necessary;
  • data quality and the legitimacy of processing;
  • the rights of the individuals involved to receive information and submit objections;
  • potentially discriminatory data (racial, ethnic, political, religious, philosophical, union membership) or health-related data.

Applying security measures to:

  • all vital or important data processing systems
  • See also legal aspects

Behavioural measures:

Directly associated organisational measures:

Technical measures:

Table of Contents