On August 1st, 2018, the Luxembourg government adopted two new data protection laws implementing the General Data Protection Regulation (Regulation (EU) 2016/679 – the “GDPR”).

  • The first law (the Luxembourg Data Protection Law) defines the organisation of the Luxembourg data protection authority (the CNPD) and provides for specific requirements or exceptions in implementation of the GDPR;
  • The second law (the Luxembourg Law on Criminal Data Processing) specifically relates to the protection of individuals with regard to the processing of personal data in criminal matters and national security.

The final versions of these laws were published on August 16th, 2018 in the Official Gazette of Luxembourg.

Major highlights of the Luxembourg Data Protection Law

The Luxembourg Data Protection Law is only 17 pages long and can be divided into two parts (corresponding to Title 1 and Title 2 of the Law).

The first part of the Luxembourg Data Protection Law determines the organisation, missions and competences of the CNPD (the Luxembourg national data protection authority). It is interesting to note in this respect that:

  • The CNPD is granted broad investigation powers; the CNPD may obtain access from any controller or processor to all personal data and information necessary to verify compliance with the GDPR;
  • The CNPD may either issue warnings or order any controller or processor to bring processing operations into compliance with the provisions of the GDPR, including by ordering the controller or processor to erase or rectify the personal data, or to suspend, limit or stop the unlawful processing of personal data;
  • The CNPD may impose administrative fines in accordance with the amounts provided in the GDPR (i.e. up to 20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher);
  • In order to force a controller or a processor to provide information or to take the corrective measures imposed by the CNPD, the CNPD may also impose periodic penalty payments (“astreintes”) of up to 5% of the average daily turnover in the preceding business year for each day of delay;
  • The CNPD may order the infringer to publish, at its own cost, (extracts of) any decision or order issued by the CNPD (except for decisions concerning periodic penalty payments);
  • Anybody who knowingly obstructs or prevents the CNPD’s missions may be subject to a prison sentence of 8 days to 1 year and/or a fine of 251 to 125,000 EUR.

The second part of the Law provides for specific rules (exceptions, exemptions or additional requirements) regarding (i) the processing of personal data for journalistic, academic or artistic/literary purposes; (ii) the processing of personal data for scientific research, historical research or statistical purposes; and (iii) the processing of personal data in the context of employees’ surveillance.

Finally, it should be noted that the Luxembourg Data Protection Law specifically prohibits the processing of genetic personal data in the field of employment law and insurance.