Data Protection in Luxembourg

Data protection laws in Luxembourg

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union, where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Luxembourg regulation

In addition to the GDPR, the legal regime of data protection in Luxembourg is completed by the following laws:

  • The Law of August 1, 2018 on the organization of the National Data Protection Commission (CNPD) and the general data protection framework. It has repealed the previous Law on Data Protection (amended Law of August 2, 2002) and completes the GDPR at the national level. Above all, it sets out the framework for the CNPD's organization, composition and powers under the GDPR and the applicable national law;
  • The Law of August 1, 2018 on the protection of individuals with regard to the processing of personal data in criminal matters as well as in matters of national security, implementing Directive (EU) 2016/680; and
  • The amended Law of May 30, 2005 on data protection and electronic communications, which governs the protection of personal data in the field of telecommunications and electronic communications, implementing Directive 2002/58/EC.

It is also to be noted that Article L. 261-1(1) of the Labour Code provides specific regulations concerning employer workplace surveillance.

Along with several CNPD recommendations, the Law of July 17, 2020 introducing a series of measures to combat the COVID-19 pandemic, as amended, provides a legal framework for the processing of personal data in the context of the COVID-19 crisis.

Furthermore, two draft bills are currently being discussed in Luxembourg's data protection landscape:

  • Draft bill 8148 on the retention of personal data and amending the amended Law of May 30, 2005 on data protection and electronic communications; and
  • Draft bill 8395 on the use of data in a trusted environment.
