Data Law Navigator | Luxembourg
Information on Data Protection and Cyber Security laws from CMS experts
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last updated 25 October 2018
*mature data protection regime with heavy sanctions for non-compliance, but with passive regulator OR mature data protection regime with low sanctions for non-compliance, but with repressive regulator
- Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Privacy Act);
- Law of 30 May 2005 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
Commission Nationale pour la Protection des Données, CNPD; https://cnpd.public.lu/en.html
Anticipated changes to law
- Draft law Nr. 7184 on the creation of a Data Protection Authority (reforming the Commission Nationale pour la Protection des Données) and on implementation of the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- Draft Law Nr. 7168 on implementation of the Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and modifying 12 Luxembourg Laws.
If applicable: stage of legislative implementation of GDPR
- Draft Law Nr. 7184 on the creation of a Data Protection Authority was tabled on 12 September 2017; no information is available on when the Law will be adopted;
- Draft Law Nr. 7168 on implementation of the Directive (EU) 2016/680 was tabled on 10 August 2017; no information is available on when the Law will be adopted.
If applicable: local derogations as permitted by GDPR
The Grand-Duchy of Luxembourg intends to derogate from the provisions of the GDPR in the area of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 89).
Draft Law Nr. 7184 (Article 57) provides that the rights granted by Articles 15, 16, 18 and 21 of the GDPR may be restricted by a national Règlement Grand-Ducal.
The Privacy Act applies when:
- the processing is carried out wholly or partly by automatic means or otherwise forms part of or is intended to form part of a filing system;
- the processing is carried out in the context of the effective and actual activities of a permanent establishment of the controller (i.e. the entity which determines the means and purposes of the processing of personal data) on the territory of the Grand-Duchy of Luxembourg or in a place where Luxembourg law applies by virtue of private international law;
- the controller does not have a permanent establishment in the European Community, but, for the purposes of processing personal data, makes use of equipment, automated or otherwise, situated on the territory of the Grand-Duchy of Luxembourg, unless such equipment is used only for the purposes of transit through the territory of the Grand-Duchy of Luxembourg.
The Law of 30 May 2005 applies to all processing/marketing activities on the territory of the Grand-Duchy of Luxembourg.
The Commission Nationale pour la Protection des Données may take the following disciplinary sanctions:
- alert or admonish controllers who have violated the obligations imposed upon them,
- block, delete or destroy data that have been subject to a processing operation contrary to the Law,
- impose a temporary or definitive ban on a processing operation that is contrary to the Law,
- order publication of the prohibition decision in full or in extracts in newspapers or by any other method.
These decisions may be submitted to the Administrative Jurisdictions for judicial review.
Sanctions can also be imposed by a judge by way of an action for discontinuance (Prohibitory Injunction) or on the basis of criminal proceedings.
Potential sanctions: a maximum criminal fine of EUR 125,000 and/or a prison sentence of between eight days and one year for 20 offences: Article 4 (3), Article 5 (2), Article 6 (5), Article 7 (5), Article 8 (4), Article 10 (4), Article 11 (3), Article 12 (4), Article 14 (4), Article 17 (3), Article 18 (5), Article 19 (4), Article 25, Article 26 (3), Article 27 (4), Article 28 (2), Article 28 (8), Article 29 (5), Article 30 (2) and Article 32 (11).
Registration / notification
Personal data processing is subject to a notification requirement. A notification should be filed with the Commission Nationale pour la Protection des Données for each data processing purpose.
Data transfer agreements that are identical to the EU model clauses do not need to be notified to the Commission Nationale pour la Protection des Données. Data transfer agreements that derogate from the EU model clauses must be notified to the Commission Nationale pour la Protection des Données.
Main obligations and processing requirements
- Information requirement (identical to the information requirement under the Directive),
- Consent requirements (in particular in respect of cookies and sending of direct marketing material via electronic mail),
- Notification requirement.
Data subject rights
Data subjects have (i) the right of access to certain information regarding their personal data, (ii) the right to rectify, erase or block the processing of their personal data, in particular because of the incomplete or inaccurate nature of the personal data, and (iii) the right to object at any time, on legitimate grounds, to the processing of their personal data.
Processing by third parties
Controllers need to enter into a data processing agreement in which the processor agrees to act only on behalf of the controller, to take appropriate technical and organisational security measures to protect the personal data, and to be bound by the same data protection obligations by which the controller is bound. Such an agreement should also contain clear provisions on liability between the controller and the processor in the event of a privacy breach.
Transfers out of country
Personal data may not be transferred outside the EEA to a non-adequate country unless the necessary safeguards are in place (e.g. EU model clauses, an ad hoc data transfer agreement, Privacy Shield certification) or the data subject has consented.
Data Protection Officer
As amended by the Law of 27 July 2007, the Privacy Act allows each concerned entity to designate a DPO.
The job description of the DPO under the Privacy Act is, however, less detailed than under the GDPR, because the GDPR has increased the duties and responsibilities of such entities.
Controllers need to take appropriate technical and security measures to protect personal data.
It is compulsory to notify the Commission Nationale pour la Protection des Données of data breaches that are likely to result in a high risk to the rights and freedoms of individuals.
If by electronic mail: need to obtain consent, unless you can rely on (i) the soft opt-in exemption (customers, own similar products or services, and opt-out at the time of collection and afterwards, in every marketing communication) or (ii) the B2B exemption (if the phone number/email address is of an impersonal nature).
If by regular mail: opt-out regime.
If by (manual) call: opt-out regime (you can freely call consumers unless they subscribed to a do-not-call-me list).
Need to obtain (implicit) consent, unless the cookies are functional cookies.
Last updated 25 October 2018
*mature cybersecurity regime with low sanctions for non-compliance, but with repressive regulator.
Laws and regulations
Règlement grand-ducal of 12 March 2012 implementing the Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (Critical Infrastructures Act)
Anticipated changes to law
The NIS Directive (Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union) has not yet been transposed into Luxembourg law, nor has an implementing bill been tabled yet.
Critical Infrastructures Act: sets out security obligations for European and national critical infrastructures in the energy and transport sectors
The national competent authority for network and information security is the “Haut-Commissariat à la Protection nationale” (HCPN), placed under the authority of the Prime Minister, whose role has been consolidated by the Law of 23 July 2016 (Consolidation Act).
Website URL: http://www.gouvernement.lu/hcpn
Critical Infrastructures Act
- Need to appoint a security officer and establish a security plan
Consolidation Act (applying on this point the Law of 8 December 1981 on requisitions)
- Imprisonment of up to 2 years
- Criminal fine of up to EUR 250,000
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
The Computer Incident Response Center Luxembourg (CIRCL) is the cyber emergency team and acts as the CERT for the private sector, communes and non-governmental entities in Luxembourg. It assists companies with: (i) coordination in the event of cyber incidents; (ii) advice on finding a solution when cyber incidents arise; and (iii) support in preventing such security incidents from occurring.
The Computer Emergency Response Team of the Government of the Grand-Duchy of Luxembourg (GOVCERT.LU) is the Luxembourg Computer Security Incident Response Team (CSIRT). The service oversees the management of cyber-security incidents that compromise Luxembourg, its citizens or its economy and is responsible for receiving, reviewing and responding to reports of such incidents.
GOVCERT.LU is the single point of contact for the handling of all computer-related incidents jeopardising the information systems of the government and of designated critical infrastructure operators operating in Luxembourg, whether public or private.
Incidents that do not concern GOVCERT.LU’s constituency are forwarded to the other appropriate CSIRTs.
Is there a national incident management structure for responding to cyber security incidents?
The national management structure for responding to cybersecurity incidents is GOVCERT.LU.
Other cyber security initiatives
SMILE “Security Made In LËtzebuerg” GIE, operator of the CERT “CIRCL”, is also the host organization for CASES and BEE SECURE.
- https://www.cases.lu/ : "Cyberworld Awareness Security Enhancement Structure" – Luxembourg Portal for ICT
- https://www.bee-secure.lu/fr : ICT Security in Luxembourg
- http://www.circl.lu/ : Computer Incident Response Center Luxembourg
- https://www.govcert.lu/en/ : Computer Emergency Response Team