Privacy Law at Luxembourg
Luxembourg's data protection framework is anchored in the General Data Protection Regulation (GDPR), complemented by national legislation that establishes the Commission Nationale pour la Protection des Données (CNPD) as the independent supervisory authority.
Key Legal Instruments
Act of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework
This Act implements the GDPR at the national level, detailing the structure and responsibilities of the CNPD. It also amends the Labour Code and the law of 25 March 2015 concerning civil servants.
Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters
This Act transposes EU Directive 2016/680, regulating data processing by competent authorities for criminal justice and national security purposes.
Amended Act of 30 May 2005 concerning the specific provisions for protection of the individual in respect of the processing of personal data in the electronic communications sector
This Act transposes EU Directive 2002/58/EC, addressing data protection in the electronic communications sector.
🏛️ CNPD: Luxembourg's Data Protection Authority
The CNPD is an independent public institution with legal personality, financially and administratively autonomous. It ensures compliance with data protection laws and safeguards individuals' rights concerning personal data processing.
Powers of the CNPD include:
*Investigative Powers: Conducting audits, reviewing certifications, and accessing data processing facilities.
*Corrective Powers: Issuing warnings, reprimands, ordering compliance with data subjects' rights, and imposing administrative fines up to €20 million or 4% of global annual turnover.
*Advisory Powers: Providing guidance on data protection matters and accrediting certification bodies.
⚖️ Enforcement Highlights
In March 2025, Luxembourg's administrative court upheld a record €746 million fine imposed by the CNPD on Amazon for breaching GDPR provisions The court dismissed Amazon's appeal, reinforcing Europe's stringent stance on privacy violations.
📌 Summary
Luxembourg's data protection regime, underpinned by the GDPR and national legislation, establishes a robust framework for safeguarding personal dt. The CNPD plays a pivotal role in enforcing compliance, ensuring that individuals' privacy rights are upheld and that organizations adhere to data protection standards.
RELATED Blog
0 comments