top of page

New Luxembourgish Law implementing the GDPR

The law implementing the GDPR in Luxembourg ("Law of 1 August 2018”) has finally established the National Commission for Data Protection (Commission Nationale pour la Protection des Données, "CNPD") as the Luxembourg data protection supervisory authority. This law was published on 16 August 2018 and entered into force on 20 August 2018.

According to the law, Luxembourg companies have no administrative burden of active declaration or notification of personal data processing to the CNPD before the actual processing.

Some of the more relevant changes:

  • The previous, ex-ante notification system has been replaced by ex-post controls. No need for time-consuming prior notification and red-tapes.

  • The capacity of the CNPD to impose fines and sanctions has been adjusted with the GDPR, too. (fines of up to €20 million EUR or 4% of the entity’s annual worldwide turnover, whichever is higher).

  • The supervisory authority may use its powers to monitor the companies’ data processing activities, including the possibility to impose a temporary or definitive limitation, e.g. a ban on processing of data or a suspension of data flows to a recipient in a third country.

  • Similar exceptions and limitations apply to academic, journalistic access to the data processed. E.g., the controller has to provide access to the information processed regarding the data subject for the above-mentioned purposes.

  • The data controllers processing personal data for the purposes of scientific, statistical and historic research will have the possibility to limit the rights and freedoms of data subjects, too.

The law concerning the processing of personal data in criminal matters and matters of national security has also entered into force on 20 August. The two laws should be read together, as they jointly extend the competences of the CNPD.

The texts of the laws are available here:



bottom of page