1. Governing Texts
Since the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which repealed the Data Protection Directive (Directive 95/46/EC), data protection in Luxembourg has been governed primarily by the GDPR and, on a subsidiary basis, by Act of August 1, 2018, on the Organization of the National Commission for Data Protection and Implementing the GDPR ('the Act') which contains very limited derogations to the GDPR. The purpose of the Act is es‐ sentially to complement the GDPR and to define the roles and responsibilities of the National Commission for Data Protection ('CNPD') which is tasked with overseeing and enforcing the GDPR.
Since the constitutional reform, which entered into force on July 1, 2023, data protection has been raised to a constitutional level in Luxembourg.
In addition to the Act, there are a certain number of separate and specific pieces of legislation that deal with aspects of data protection, but in this case, data protection is treated as ancillary.
1.1. Key acts, regulations, directives, bills
The main laws with respect to data protection and privacy in Luxembourg are:
- The Act. Such a law formally repeals the previous law on data protection and implements the GDPR at the national level while introducing certain limited derogations.
- The Act of August 1, 2018, on the Protection of Individuals with regard to the Processing of Personal Data in Criminal and National Security Matters (only available in French here) ('the 'Law on National Security Matters') which transposes into national law Directive (EU) 2016/680 of April 27, 2016.
Act of May 30, 2005, Laying Down Specific Provisions for the Protection of Persons with regard to the Processing of Personal Data in the Electronic Communications Sector and amending Articles 88-2 and 88-4 of the Code of Criminal Procedure, as amended (only available in French here) ('the Electronic Communications Act'), which transposes Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') into national law. It regulates the protection of personal data in the field of telecommunications and electronic communications and takes into account recent and foreseeable developments in the field of electronic communica‐ tions services and technologies.
There are several Grand-Ducal Regulations relating to data protection such as:
- the Grand-Ducal Regulation of October 8, 2020, establishing the seat of the CNPD (only available in French here);
- the Grand-Ducal Regulation of August 1, 2018, setting the allowances payable to the President, members of the College and alternate members of the CNPD (only available in French here); and
- the Grand-Ducal Regulation of July 24, 2010, determining the categories of personal data generated or processed in connection with the provision of electronic communications ser‐ vices or public communications networks (only available in French here).
Apart from the above, there are numerous laws and regulations regulating specific sectors and con‐ taining some data protection and privacy-related aspects, including, for example, the following:
- in relation to data processing by police
authorities: the Grand-Ducal regulation of July 22, 2008,
implementing article 48-24 of the Code of Criminal Procedure and
article 34-1 of the amended law of May 31, 1999, on the Police and
the Inspectorate-General of the Police (only available in French here) which defines how authorities may access
the common reg‐ ister of natural and judiciary persons as
well as databases from the 'Centre commun de la
Sécurité sociale' in the context of
asylum-seekers, visa-requests, business licences, driving licences,
taxes, and firearms licences;
- in relation to data processing by health
services: the Grand-Ducal Regulation of April 18, 2013,
determining the terms and conditions of operation of the national
cancer register and amending the Grand-Ducal Regulation of June 20,
1963, making it compulsory to de‐ clare the causes of death
(only available in French here) which sets up a national cancer register
purported to collect data relating to cancer pathologies and
implemented for pub‐ lic health and research purposes;
- in relation to the fight against money laundering and
terrorist financing: the law of January 13, 2019, creating
a Register of beneficial owners, as amended (only available in
French here) and the Grand-Ducal Regulation of
February 15, 2019, on the arrangements regarding registration and
payment of administrative costs as well as the access to the
in‐ formation registered in the Register of beneficial owners
(only available in French here), which relate to the creation and
management of a beneficial ownership register aimed at identifying,
for transparency purposes, the natural person(s) who ultimately
own(s) or con‐ trol(s) the undertaking being the clients of
professionals and/or the natural person(s) on whose behalf a
transaction or activity is carried out; and
- in relation to whistleblowing: the law of May 16, 2023, transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019, on the pro‐ tection of persons who report breaches of Union law (only available in French here).
The CNPD is the supervisory authority within the meaning of Article 51 of the GDPR and is responsi‐ ble for monitoring the application of the GDPR.
The CNPD has issued various guidelines and fact sheets over the last few years. Among these guide‐ lines, the most notable are those relating to:
- cookies and other tracking devices (only available in French here);
- geolocation of vehicles made available to employees (only
available in French here);
- video surveillance (only available in French here);
- image rights (only available in French here);
- data protection rules for social elections (only available in
French here); and
- election campaigns in compliance with the protection of personal data (only available in French here).
Aside from those guidelines, the CNPD also makes available on its website certain more general guidance for both data subjects and professionals.
In addition to the CNPD, there are a number of other authorities, professional associations and or‐ ders that provide their members with guidance on GDPR compliance.
1.3. Case law
There is at this stage limited public case law available involving specifically breaches and/or interpre‐ tations of the GDPR.
The most notable judicial decisions on the GDPR to date are certainly the decisions of the Luxembourg District Court rendered on November 13, 2020, (ref. 2020TALCH02/01568) and on January 24, 2020, as they gave rise to two requests for preliminary rulings (joined cases C‑37/20 WM and Luxembourg Business Registers and C‑601/20 Sovim SA and Luxembourg Business Registers) on the interpretation of certain provisions of the Directive (EU) 2015/849 of the European Parliament and of the Council of May 20, 2015, ('the 4th AML Directive'), as amended by the Directive 2018/84. Such re‐ quests for preliminary rulings are at the origin of the decision of the Court of Justice of the European Union of November 22, 2022, which ruled that the provision of the amended 4th AML Directive re‐ quiring Member States to ensure that information on the beneficial ownership of companies and of other legal entities incorporated within their territory be accessible in all cases to any member of the general public, was invalid.
Decisions of the CNPD which do not have the character of jurisprudence per se are discussed in the section below on penalties.
Originally published by OneTrust DataGuidance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.