What is the minimum salary to apply for a EU blue card in Luxembourg?

Third-country nationals that want to apply for a highly qualified work permit (EU Blue card) must meet certain requirements. One of the requirements, is to have an offer for a remuneration of at least:

Option 1: 1.5 times the amount of the Luxembourg average gross annual salary or;
Option 2: at least equivalent to 1.2 times the Luxembourg average gross annual salary for work in certain professions and for which the government has noticed a particular need to employ third-country nationals.

By Grand-Ducal Regulation of 13 September 2019, the requirements have now been set as follows:
Option 1: EUR 78,336 (previously EUR 73,998)
Option 2: EUR 62,668.80 (previously EUR 59,198.40)

Please do not hesitate to contact us, should you have further questions on the highly qualified work permit or need assistance with an application.

GDPR: New Guideline on territorial scope

The European Data Protection Board (« EDPB ») issued a new draft guideline (“Guideline 3/2018”) on the territorial scope of the General Data Protection Regulation (“GDPR”).

The Guideline 3/2018 brings long awaited clarifications on questions in relation to the criteria of “establishment” and “targeting”, processing in places where Member State law applies by virtue of public international law (which will not be analysed here) and the need for a representative for controllers or processors not established in the EU.

As a reminder, Article 3 GDPR foresees that the EU Regulation applies to processing of personal data in the context of activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the EU or not.

The EU legislator’s intention was, with regard to territorial scope, to establish a level playing field for companies active in the EU markets, in a context of worldwide data flows.

The territorial scope uses two main criteria: establishment (1) and targeting (2). If one of these 2 criteria is met, the relevant provisions of the GDPR will apply. In cases where the controller or the processor does not have an establishment in the EU, he must designate a EU representative (3).

(This article gives an overview only of the Guideline 3/2018 and shall not be considered as exhaustive and/or legal advice.)

  • Establishment

The GDPR does not provide a definition of the term “establishment” for the purpose of Article 3. However, the EDPB reminded that ECJ Case law on the interpretation of this term remains applicable (see for example ECJ Google Spain and ECJ Weltimmo). While the Guideline 3/2018 confirms that the interpretation of the term establishment is broad (and the legal form of the establishment is irrelevant), it also insisted that is not without limits (e.g. the mere fact that an undertaking’s website is accessible in a Member State of the EU is not sufficient to conclude that it has an establishment).

Another interesting clarification provided by the Guideline 3/2018 is that processing by the establishment is not necessary: it is sufficient that the processing is carried out “in the context of the activities” (EDPB also refers to applicable EU Case Law to understand this difference).

The Guideline 3/2018 further confirms that, with regard to “processing in the context of the activities”, location and nationality of the data subjects who are in the EU is not relevant. This means that neither the controller / processor, nor the data subjects need to be in EU in order for the GDPR to apply.

  • Targeting

The EDPB reminds that the absence of an establishment in the EU does not mean that a data controller or procession is excluded from the scope of GDPR (However, it is also reminded that in the absence of an establishment, the data controller or processor cannot benefit from the one-stop shop)

To see whether the targeting criteria applies (i.e. criteria applicable to a controller or processor without an establishment in the EU) the EDPB recommends to:

  1. determine that the processing relates to personal data of data subjects who are in the EU and
  2. whether it relates to the offering of goods or services or to the monitoring of data subject’s behavior in the EU.
  1. Data subjects in the EU

The EDPB reminds that this criteria is not limited by citizenship, residence or other type of legal status. This criterion must be assessed at the moment when the relevant trigger activity takes place (i.e. moment of offering goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer). The EDPB however also reminds that the processing alone is not sufficient, the controller or processor must also target individuals in the EU.

These 2 examples provided in the Guideline 3/2018 helps to clarify the distinction:

Example GDPR is applicable

A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisement for places to visits, restaurant, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, London, Paris and Rome. The US start-up, via its city mapping application, is offering services to individuals in the Union (specifically in London, Paris and Rome). The processing of the EU-located data subjects’ personal data in connection with the offering of the service falls within the scope of the GDPR as per Article 3(2).

Example GDPR is not applicable

A bank in Taiwan has customers that are residing in Taiwan but hold German citizenship. The bank is active only in Taiwan; its activities are not directed at the EU market. The bank’s processing of the personal data of its German customers is not subject to the GDPR.

  1. Offering of goods and services

The Guideline 3/2018 referred once more to EU law and Case law where the concept of these terms have already been defined and reminding that the payment by the data subject for the offered goods or services is not a criteria to fall within the territorial scope of GDPR.

The Guideline 3/2018 then mentions that ECJ Case Law Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (Case Law on the interpretation of the Brussel I Regulation which clarifies when a trader is directing his activity towards the Member State of the consumer’s domicile) might be of assistance to determine whether goods or services are offered to a data subject in the EU. The Guideline provides a non-exclusive list of factors that may be taken into consideration:

– The EU or at least one Member State is designated by name with reference to the good or service offered;

– The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and  advertisement campaigns directed at an EU country audience

– The international nature of the activity at issue, such as certain tourist activities;

– The mention of dedicated addresses or phone numbers to be reached from an EU country

– The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;

– The description of travel instructions from one or more other EU Member States to the place where the service is provided;

– The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;

– The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;

– The data controller offers the delivery of goods in EU Member States.

The following examples provided by the Guideline 3/2018 clarify when goods or services are offered to EU data subjects in a manner that renders GDPR applicable or not:

Example GDPR is applicable

A website, based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in the UK, France, Benelux countries and Germany. In this case, it is clear that the creation, editing and printing of personalised family photo albums constitute a service within the meaning of EU law. The fact that the website is available in four languages of the EU and that photo albums can be delivered by post in six EU Member States demonstrates that there is an intention on the part of the Turkish website to offer its services to individuals in the Union. As a consequence, it is clear that the processing carried out by the Turkish website, as a data controller, relates to the offering of a service to data subjects in the Union and is therefore subject to the obligations and provisions of the GDPR, as per its Article 3(2)(a). In accordance with Article 27, the data controller will have to designate a representative in the Union.

Example GDPR is not applicable

A private company based in Monaco processes personal data of its employees for the purposes of salary payment. A large number of the company’s employees are French and Italian residents. In this case, while the processing carried out by the company relates to data subjects in France and Italy, it does not takes place in the context of an offer of goods or services. Indeed human resources management, including salary payment by a third-country company cannot be considered as an offer 17 Adopted of service within the meaning of Art 3(2)a. The processing at stake does not relate to the offer of goods or services to data subjects in the Union (nor to the monitoring of behaviour) and, as a consequence, is not subject to the provisions of the GDPR, as per Article 3. This assessment is without prejudice to the applicable law of the third country concerned

  • Monitoring of data subject’s behaviour

The Guideline clarifies that behavioural monitoring can be undertaken not only through the internet (as suggested by Recital 24 GDPR), but also other types of network or technology (e.g.. wearable and other smart devices). Other than for offering of goods and services, monitoring does not require an “intention to target” to trigger the application of the GDPR, it is sufficient that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data.

The mere collection of data is not automatically considered as monitoring. The purpose of the processing needs to be considered (e.g. the subsequent behavioural analysis or profiling techniques).

Monitoring activities include, among others:

– Behavioural advertisement

– Geo-localisation activities, in particular for marketing purposes

– Online tracking through the use of cookies or other tracking techniques such as fingerprinting

– Personalised diet and health analytics services online – CCTV – Market surveys and other behavioural studies based on individual profiles

– Monitoring or regular reporting on an individual’s health status

  • Representatives of controllers or processors not in the EU

If a data controller or processor is subject to the GDPR, he shall designate a representative in the EU. The EDPB clarified that this provision was not entirely new and already existing under the previous Directive 95/46/EC.

It is also clarified that the designation of an EU representative will not be considered as an “establishment” by virtue of article 3(1) GDPR.

The written mandate given to the EU representative will typically be a service contract concluded with an individual or an organization (e.g. law firms, consultancies, private companies etc…) provided that these individuals / organizations are established in the EU. If the representative is a company or any other type of organization, it is recommended that a lead person (person in charge) within the company / organization is appointed.

The EDPB also confirmed that, in their view, the role of EU representative is not compatible with the external data protection officer (DPO).

The Guideline 3/2018 also clarifies the obligations and responsibilities of the EU representative.

While not itself responsible for complying with data subject rights, the legal representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subjects’ rights effective. The EDPB further considers that the maintenance of a record of processing activities is a joint obligation of the controller and the processor and that if they are not established in the EU, they must provide to the representative with all accurate and updated information so that the record can be maintained and made available by the representative.

The EU representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. In practice, this means that a supervisory authority would contact the representative in connection with any matter relating to the compliance obligations of a controller or processor established outside the Union, and the representative shall be able to facilitate any informational or procedural exchange between a requesting supervisory authority and a controller or processor established outside the Union.

With the help of a team if necessary, the representative in the Union must therefore be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor.

It should however be noted that the concept of the representative was introduced precisely with the aim of ensuring enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable.

  • Conclusion

The Guideline 3/2018 provides useful insight on the scope of GDPR to controllers and processors outside the EU and the role of the EU representative. Unfortunately, the Guideline 3/2018 (in its current draft form) does not provide any further specifications on the responsibility of a controller or processor that falls within the scope of GDPR, but does not comply with it and how such third country controller / processor will be sanctioned. Hopefully there will be some further clarification on this point in the final version of Guideline 3/2018.  Indeed, the draft version is still subject to comments from the public until 18 January 2019. Thereafter, a final version of the Guideline 3/2018 will be published.

Residence permit in Luxembourg for temporary Intra-company transfers (ICT)

Besides introducing a new regime for certain investors, the law of 8 March 2017 (modifying the law of 29 August 2008, the “Law of 2008”) foresees a new status for third-country nationals (“TCN”) in the case of temporary Intra-company transfer (“ICT”). This new law implements the Directive 2014/66/EU on the conditions of entry and residence of TCNs in the framework of an intra-corporate transfer (“Directive 2014/66/EU”)

An Intra-group temporary transfer is defined, by the Law of 2008 (in identical terms to the definition provided by the Directive 2014/66/EU), as the temporary secondment for occupational or training purposes of a TCN who, at the time of application for an intra-corporate transferee permit, resides outside the territory of the Member States, from an undertaking established outside the territory of a Member State, and to which TCN is bound by a work contract prior to and during the transfer, to an entity belonging to the undertaking or to the same group of undertakings which is established in that Member State, and, where applicable, the mobility between host entities established in one or several second Member States.

This new regime applies to qualified executives, experts and trainees (as defined by the Law of 2008).

The application is filed by the host entity that shall, among others:

  • provide proof that the host entity and the company established in the third country belong to the same undertaking or group,
  • provide evidence of employment within the same company or group from 3-12 months (for managers and experts) and 3-6 months (for trainees)
  • provide a work contract containing certain information on the details of the transfer and the work conditions (e.g. duration, location, remuneration, required qualification, etc…)

The authorisation of stay as ICT is granted for a minimum of 1 year up to the duration of the assignment (however max. 3 years). For trainees, the authorisation of stay is limited to 1 year maximum.

A new application by the same TCN for an ICT work permit is possible, however only after a period of 6 months after the end of the validity of the ICT work permit and the new application.

Once issued, this authorisation to stay gives an employee and his/her family members the right to reside and to work in Luxembourg. The authorization of stay of the family members expires simultaneously with the ICT work permit.

With regard to intra-EU mobility, the ICT regime foresees the following:

For short term mobility:

A TCN that holds a valid ICT work permit of another EU country is entitled to work in Luxembourg in a company part of the same group for a period of up to 90 days in any 180-day period, provided certain notification requirements are fulfilled.

For long-time mobility:

A TCN that holds a valid ICT work permit of another EU country may also be authorized to work in Luxembourg in a company part of the same group for a longer period than 90 days. Such authorization is however subject to a separate authorization and a simple notification to Luxembourg authorities is not sufficient. In certain cases, the TCN may already start working in Luxembourg also before the Luxembourg authorities have decided upon the application.

 

Autorisation d’établissement au Luxembourg : Abrogation des demandes d’autorisations spéciales pour les grandes surfaces

Un projet de loi a été déposé fin décembre 2017 (n° 7228), en vue de l’abrogation de l’autorisation particulière demandée pour l’implantation des grandes surfaces commerciales au Luxembourg (actuellement prévue par la loi modifiée du 2 septembre 2011 sur le droit d’établissement (la « Loi de 2011 »).

En effet, en 2016, la Commission Européenne avait estimé que le Luxembourg était le pays de l’Union Européenne possédant la réglementation la plus restrictive en matière d’établissements de vente au détail.

Le projet de loi indique que ces conclusions sont en contradiction avec l’attrait principal du pays qui s’identifie comme un pays ouvert.

Les auteurs du projet de loi rappellent que cette procédure pour l’obtention d’une autorisation particulière pour les grandes surfaces commerciales fait aujourd’hui double emploi avec les instruments existants en matière de droit de la concurrence et en matière d’aménagement du territoire et de l’urbanisme.

En supprimant cette charge administrative additionnelle, les auteurs du projet de loi espèrent favoriser la compétitivité du Luxembourg dans la Grande Région.

Par la même occasion, les auteurs du projet de loi en profitent pour mettre à jour quelques autres aspects de la Loi de 2011:

– élimination de la condition de qualification professionnelle pour les commerçants de manière générale, pour l’activité commerciale dans le secteur de l’HORECA et de l’immobilier (actuellement au minimum le DAP luxembourgeois), sachant que la formation accélérée pour les exploitants d’un débit de boissons, d’un établissement de restauration et d’un établissement d’hébergement sera donc ouverte à tous,

– abrogation de l’autorisation particulière pour foires et marchés,

– abrogation des professions de «conseil économique» et «conseil en» (dont les activités sont déjà couvertes par une simple autorisation d’établissement pour activités et services commerciaux).

Absence injustifiée : Quand est-ce que l’employeur est en droit de licencier ?

En cas de maladie, le salarié est tenu d’informer l’employeur le premier jour de sa maladie. Il doit, en outre, soumettre à l’employeur, dans les 3 jours au plus tard, un certificat de maladie attestant l’incapacité de travail ainsi que la durée prévisible de la maladie.

Un arrêt de la Cour d’appel du 20 juin 2016 donne un exemple pratique de la rigueur avec laquelle cette règle est appliquée.

Dans cette affaire, une salariée, ayant appris le décès de son père, s’est absentée de son lieu de travail un samedi. L’employeur a été informé de l’absence indirectement par une collègue de travail de cette dernière et par le mari le jour même. Un congé extraordinaire avait été sollicité (en raison du décès, article L. 233-16 du Code du Travail) ainsi qu’un congé ordinaire de 3 jours additionnels.

Cependant, à la fin du congé ordinaire, la salariée ne s’est pas présentée sur son lieu du travail pendant 3 jours consécutifs (le 28, 29 et 30 janvier) et ce sans en informer l’employeur.

Le 4ème jour de l’absence (le 31 janvier), l’employeur a reçu un certificat de maladie de 3 jours (attestant d’une incapacité de travail du 30 janvier au 2 février).

Suite à ces absences, considérées comme injustifiées par l’employeur, ce dernier a procédé à un licenciement avec préavis.

En première instance, le tribunal avait déclaré le licenciement abusif au motif qu’« en licenciant … – même avec préavis – au seul motif qu’elle est revenue avec trois jours de retard des obsèques de son père, retard dont l’origine a été portée à sa connaissance par un certificat du …, [l’employeur] a procédé de façon intempestive et avec une légèreté blâmable, la salariée se trouvant à ses services depuis plus de 6 ans sans qu’elle n’ait jamais fait l’objet d’aucun avertissement. »

En appel, la Cour d’appel a rappelé la règle légale :

Le salarié a l’obligation contractuelle de prester son travail les jours prévus. En cas de maladie, il est tenu d’informer son employeur dès le premier jour de maladie. En cas d’empêchement pour un autre motif, il est aussi tenu d’informer son employeur de son empêchement et il ne peut pas se contenter d’expliquer son absence de plusieurs jours au moment de son retour.

La Cour d’appel a encore relevé que pendant les 3 jours d’absence injustifiée, l’employeur était sans nouvelles de sa salariée absente.

Dans ces circonstances, la Cour d’appel a considéré le licenciement avec préavis comme justifié.

New investor status in Luxembourg

Since the Law of 8 March 2017 amending the Law of 28 August 2008 on free movement and immigration came into force (on 24 March 2017), the regulation for third-country nationals (i.e. nationals who are not citizens of a Member State of the European Union or the European Free Trade Association, “TCN”) have been modified.

One of the major changes with this law is the possibility for TCN investors to obtain a specific residence authorisation/permit based on four investment options:

  1. Who will invest at least 500,000 euros in an existing company, having its registered seat in the Grand Duchy of Luxembourg, while committing to maintain the investment as well as the employment level for at least 5 years (does not apply if the acquired company has financial difficulties and fulfills certain requirements) , or
  2. Who will invest at least 500,000 euros in a company to be created, having its registered seat in the Grand Duchy of Luxembourg, and having a commercial or artisanal activity with the commitment to create at least 5 jobs to be filled in collaboration with the Luxembourg Unemployment Authority (ADEM) within 3 years of the creation of the company, or
  3. Who will invest at least 3,000,000 euros in an existing or to be created investment and management structure with its registered seat in the Grand Duchy of Luxembourg and maintaining locally an appropriate structure, or
  4. Who will invest at least EUR 20,000,000 in the form of a deposit in a Luxembourg financial institution (cash or financial instruments) with the commitment to maintain this investment for a minimum period of 5 years.

The investments can be made by the applicant in his own name or through an investment structure.

Regarding the first 2 options, the investment shall be made into companies from a specific economical sector determined by Grand-Ducal Regulation

Regarding the first 3 options, the investments shall be composed of at least 75% of the applicant’s own funds whilst the remaining 25% may be borrowed for a period of 3 years at least.

The last option (deposit of at least EUR 20,000.000) was clearly aimed at high net worth individuals (HNWI) wishing to have (part of) their fortune managed by Luxembourg professionals (loans for this option are excluded).

One exception is that the investments cannot be related directly or indirectly to the real estate market (sale or lease).

The residence permit for investors will be valid for an initial period of 3 years, subject to renewal for further 3 years.

The TCN investor also authorizes to make an application for a business license (provided the requirements therefore are fulfilled).