Is time required to ensure compliance (other than reviewing the terms and conditions)?
Yes, if the organizer decides to apply the principles of the previously applicable 2002 Law, time should be allowed to file the terms and conditions with a bailiff, which may take a few hours or up to a couple of business days.
It is uncertain whether such conditions remain applicable given the current status of the law (see Governing law). A number of operators on the Luxembourg market nonetheless continue to apply the principles of the previously applicable law as good practice.
Furthermore, time should also be allowed if the organizer has not yet taken the appropriate steps towards becoming compliant with the GDPR requirements as regards the management of the personal data collected and processed in connection with promotional operations, including, without limitation, the creation and maintenance of a record of data processing activities, appropriate information notices provided to data subjects, and formal processes implemented in order to enable the latter to exercise their rights (i.e. access, rectification and erasure, data portability, objection, restriction of processing, and the right to digital legacy).
Where the processing of personal data in the context of promotional operations is likely to result in high risks to the rights and freedoms of natural persons (e.g. where such data is used to profile participants), the organizer must also proceed with a Personal Data Impact Assessment.
In Luxembourg, since the entry into force of the GDPR on May 25, 2018, the general principle is that each processing purpose for which personal data is processed must be evidenced with a record of data processing activities. Therefore, it is not a requirement to make a record entry for each promotion, but to have one record entry encompassing the management of the personal data collected and processed in the course of such operations (provided that means of processing and data processed are similar). If personal data is transferred outside of the European Economic Area, it is necessary to ensure that the recipient is located in a country recognized by the European Commission as ensuring an adequate level of personal data protection, or that a proper transfer mechanism is implemented (e.g. binding corporate rules, European Commission model clauses).
In addition, the organizer may need to allow time to apply the 'Privacy by Design' and 'Privacy by Default' principles to any further processing of personal data in the context of promotional operations (i.e. ensure that appropriate technical and organizational measures are implemented to meet the requirements of the GDPR and that, by default, only the personal data that is necessary for the purposes of promotional operations is collected and processed).