Luxembourg - National Data Protection Law


    Luxembourg - National Data Protection Law

    Law of 1 August 2018 establishing the organisation of the national Commission for the Protection of Personal Data and implementing the EU Regulation 2016/679 of the European Parliament modifying the Labour Code and the law of 25 March 2015 establishing the rules, conditions and modalities for the processing of data by public authorities

    Luxembourg’s national law implementing the GDPR was passed on 1 August 2018 and came into effect after its publication on 16 August 2018. The aim of this Act is twofold: a) implement the GDPR in Luxembourg; and b) define the organisation, competence, role and powers of the local DPA.

    Last Updated: July 24, 2019

  • General

    The aim of this law is twofold. On the one hand, it establishes the organisation, role, powers, and competence of the Commission National pour la Protection des Données (CNPD). On the other hand, it implements the GDPR in Luxembourg.

    Concerning the latter, this law:

    1. mirrors the GDPR in general; and
    2. implements derogations and specific requirements were permitted by the GDPR.

    Derogations and opening clauses

    In particular, this law:

    • remained silent concerning the age limit for consenting to information society services, hence Luxembourg sets its age limit to 16 years of age by reference to the GDPR;
    • extends the previous exception concerning freedom of expression (granted to journalists, artists and writers) to cover academic output, as well exempting them from the general prohibition to the processing of sensitive data, and from limitations to the processing of public judicial information, as well as from special requirements for transfer of data to third countries, to provide access to data subjects, and from the obligation to provide information to the concerned data subjects;
    • by reference to article 89 GDPR, it sets appropriate safeguards for the processing of personal data for scientific, historical or research purposes (i.e. designation of a DPO, pseudonymisation or anonymisation of personal data, and raising awareness of staff concerning professional secrecy and encryption), and allows derogations to these safeguards provided that the data controller properly justifies any derogations implemented;
    • prohibits the processing of genetic data on the grounds of exercising the controller’s rights concerning employment and insurance purposes;
    • lays down (more lenient) requirements for the processing of personal data for the purpose of monitoring employees and for the protection of employees’ security (i.e., before commencing, the employer ought to notify the employees’ representatives about the modalities and duration of storage of said data; does not exclude consent as the legal basis for processing personal data of employees; in the absence of employee representatives, the controller may, within 15 days of the notice, seek a preliminary opinion from the CNPD);
    • grants the CNPD the power to impose periodic penalties (amounting to up to 5% of the daily turnover generated during the last financial year) per day that controllers or processors fail to comply with orders issued by the CNPD to provide information or to implement corrective measures; and,
    • focuses heavily on the organisation, role, powers, and competence of the CNPD. In addition to the power of imposing additional sanctions, the CNPD has enough leeway to order the publication of its decisions at the expense of the sanctioned controllers or processors (except for sanctions concerning periodic penalty payments, when all remedies have been exhausted) as long as said publication does not cause disproportionate harm to the data subjects and other parties involved.
  • DatabreachPedia


    In Luxembourg, there is a general requirement under the General Data Protection Regulation for data controllers to notify personal data breaches to their regulator and in cases of likely high risk to the rights and freedoms of natural persons, also to them.

    Is it Mandatory to Notify Individuals?

    Yes, if the personal data breach is likely to result in a high risk to their rights and freedoms.

    Is it Mandatory to Notify Regulator?

    Yes, if the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.

    Notification Deadline

    72 hours

    Responsible Regulator

    The National Commission for Data Protection
    Commission Nationale pour la Protection des Données
    R1, avenue du Rock’n’Roll
    L-4361 Esch-sur-Alzette

    Tel. +352 2610 60 1
    Fax +352 2610 60 29
    E-mail: [email protected]

    Breach Notification Format

    Minimum requirements: nature of the breach, categories and approx. number of data subjects concerned, name and contact details of the DPO, likely consequences, measures taken/proposed to be taken. Luxembourg regulator published a breach notification form that can be submitted via email, also it provides online Breach Q&A Section.

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.