Non-compliance with information technology legislation may put the organisation in a delicate situation (impacts) concerning its customers (brand image). It can also result in financial (fines) or penal (liability of legal persons) consequences. The organisation must, therefore, respect the law about:
The organisation must also ensure the respect of copyright and licences. Sanctions for non-compliance with these laws may threaten the organisation (SMEs: see Invalid or non-existent licence). This particularly applies to copyright on original literary and artistic works, which includes databases and computer programs, as set out in the Law of 18 April 2001.
The IT team is expected to check the requirements for both programs used and data owned by the organisation. In case of doubt, they can consult Luxembourg law at https://meco.gouvernement.lu/fr/le-ministere/domaines-activite/propriete-intellectuelle.html (in French), or contact a legal expert.
The basic principles in this matter are as follows:
Depending on the nature of the data processed, the organisation is bound by the General Data Protection Regulation (GDPR) to implement appropriate measures to prevent any unauthorised person from accessing the data processing facilities (see legal aspects).
Data corresponding to commercial activity must be kept, in one form or another, for ten years from the end of the financial year to which it applies.
Any files or databases created must comply with the General Data Protection Regulation (GDPR). The same applies to processing both newly created and pre-existing data (SMEs: see Unauthorised processing of personal data – Employee monitoring).
In order to work within the confines of the laws, the IT manager and the legal manager, having obtained the applicable texts from the National Commission for Data Protection (hereinafter the Commission) ensure the adequacy of the structure in the following areas: