A New Legal Framework for Data Processing in Luxembourg
Luxembourg’s Act of 1 August 2018 on the Organisation of the National Commission for Data Protection and Implementing the GDPR, or the Data Protection Act for short, is a data privacy law that was passed in 2018. As its name suggests, the Data Protection Act was enacted to implement the provisions of the General Data Protection Regulation (GDPR) in Luxembourgish law. As such, Luxembourg’s Data Protection Act establishes the legal framework that data controllers and processors within the country must adhere to when engaging in data processing activities. Additionally, the law gives the National Data Protection Commission (CNPD) the authority to impose penalties on individuals and organizations that fail to comply with the law.
What is the scope and application of the Data Protection Act?
In terms of scope and application, the personal scope of Luxembourg’s Data Protection Act covers all data controllers, processors, and related third parties that are established within the country. The territorial scope of the law also applies “in the context of the processing of the personal data of data subjects who are in Luxembourg by a controller or processor located outside of the EU/EEA, if the latter offers goods or services to the concerned data subjects, or monitor their behavior.” Furthermore, the material scope of the law covers “the processing of personal data conducted wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.” Conversely, the law does not apply to personal data that is processed in the course of household activities or for other purely personal reasons.
What are the variations between Luxembourg’s Data Protection Act and the EU’s GDPR law?
In terms of the variations between Luxembourg’s Data Protection Act and the EU’s GDPR, the differences between the two laws are rather minimal. For instance, Luxembourg’s Data Protection Act mandates that data controllers within Luxembourg adhere to the rules of the GDPR as they concern the appointment of data protection officers (DPOs), the procedures that must be followed when transferring personal data to another country, and the period of time for which personal data may be legally retained, among other things. However, the two laws do differ with respect to data processing notifications. Prior to the enactment of Luxembourg’s Data Protection Act, data controllers and processors within the country were required to register with the CNPD before collecting or processing personal data. Under the GDPR, by contrast, these requirements were abolished, subject to certain exceptions. These exceptions include cases in which:
- A data breach has occurred.
- A DPO has been appointed.
- Following a DPIA, it has been determined that prior consultation is necessary in accordance with Article 36 of the GDPR.
What are the penalties for violating Luxembourg’s Data Protection Act?
In terms of enforcement, the CNPD has the authority to impose a variety of fines, penalties, and sanctions on data controllers within the country who fail to comply with the provisions of the law. Such penalties include monetary fines ranging from up to €10 million or up to 2% of a business’s total global annual turnover for the previous financial year, whichever amount is higher, to up to €20 million or up to 4% of that turnover, whichever amount is higher. What’s more, “anyone who knowingly obstructs or prevents the exercise of the CNPD’s mandate may be subject to a prison sentence of eight days to one year and/or a fine of €251 to €125,000.”
As Luxembourg is a member state of the European Union (EU), the Data Protection Act was passed in 2018 in keeping with the requirement that all EU member states adopt national legislation implementing the provisions of the GDPR. As such, data subjects within Luxembourg can have the peace of mind that, should their personal data be used inappropriately, they will have the means to seek both justice and compensation, as the penalties that can be imposed by the country’s data protection authority represent a strong deterrent against illegal or unauthorized access to personal data.