Luxembourg
Data protection
1. Local data protection laws and scope
- Act of 1 August 2018 on the organisation of the CNPD and the general data protection framework:
The Act of 1 August 2018 repeals the previous act on data protection (amended Act of 2 August 2002) and completes the General Data Protection Regulation (“GDPR”) at the national level.
- Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters:
The Act of 1 August 2018 is a transposition into national law of Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
- Amended Act of 30 May 2005 concerning the specific provisions for protection of the individual in respect of the processing of personal data in the electronic communications sector:
The amended Act of 30 May 2005 transposes the European Directive 2002/58/EC into national legislation. It governs the protection of personal data in the field of telecommunications and electronic communications and takes recent and foreseeable developments in the field of services and technologies involving electronic communications into account.
2. Data protection authority
- The National Commission for Data Protection (Commission nationale pour la protection des données, “CNPD”): https://cnpd.public.lu/en.html
3. Anticipated changes to local laws
There are no anticipated changes to local laws.
4. Sanctions & non-compliance
Administrative sanctions:
The CNPD has investigative and enforcement powers, meaning that it can, among others, conduct investigations and impose administrative fines on companies (as provided for in Article 83 of the GDPR).
The CNPD may also impose periodic penalty payments on the controller or processor, not exceeding 5 % of the average daily turnover of the preceding business year, or of the last ended business year, per day calculated from the date appointed by the decision, in order to compel the controller/processor:
- to communicate all information required by the CNPD pursuant to Article 58, paragraph 1 letter a) of the GDPR;
- to comply with a corrective measure that the CNPD has adopted in accordance with Article 58, paragraph 2, letters c), d), e), f), g), h) and j) of the GDPR.
Criminal sanctions:
Any person who wilfully prevents or impedes, in any way, the execution of the tasks of the CNPD, shall be sentenced to imprisonment for a period of eight days to one year and a fine of 251 to 125 000 euros or one of these punishments alone.
Others:
N/A
5. Registration / notification / authorisation
Data Protection Officers (“DPO”)
Since the entry into application of the GDPR on 25 May 2018, controllers and processors must communicate the contact details of their designated DPO to the CNPD.
Data Breaches
Data controllers must notify personal data breaches to the CNPD within 72 hours of becoming aware of them if the breach in question is likely to result in a risk to the rights and freedoms of the data subjects.
Data Protection Impact Assessment (“DPIA”)
Data controllers shall consult the CNPD prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risks.
6. Main obligations and processing requirements
There are no additions to the GDPR.
Employee monitoring:
The Act of 1 August 2018 on the organisation of the CNPD and the general data protection framework has amended Article L. 261-1 of the Luxembourg Labour Code with effect as of 20 August 2018. This provision lays down the conditions for monitoring at the workplace.
7. Data subject rights
There are no additions to the GDPR.
However, the Act of 1 August 2018 on the organisation of the CNPD and the general data protection framework provides for certain limitations on the rights of data subjects:
Freedom of speech
Processing carried out solely for the purposes of journalism or academic, artistic or literary expression is not subject to the data subject's right of access, which is deferred and limited in that it cannot concern information relating to the origin of the data and which would make it possible to identify a source. Subject to this reservation, access must be exercised through the CNPD in the presence of the Chairman of the Press Council.
Scientific/historical research or statistical purposes
Where personal data are processed for scientific or historical research purposes or for statistical purposes, the controller may derogate from the rights of the data subject as laid out in Articles 15, 16, 18 and 21 of the GDPR, insofar as these rights are likely to render impossible or seriously impair the achievement of specific purposes and subject to the implementation of appropriate measures.
8. Processing by third parties
There are no additions to the GDPR.
9. Transfers out of country
There are no additions to the GDPR.
10. Data Protection Officer
There are no additions to the GDPR.
11. Security
There are no additions to the GDPR.
12. Breach notification
Data breaches under the GDPR
Controllers shall notify data breaches to the CNPD within 72 hours after becoming aware of them if they are likely to result in a risk to the rights and freedoms of natural persons. In case of a high risk, the controller shall also communicate the personal data breach to the data subject without undue delay. There is a data breach notification form to be returned to the CNPD.
Data breaches in the electronic communications sector
In accordance with the European Commission regulation (EU) No. 611/2013 of 24 June 2013, which entered into force on 25 August 2013, providers of publicly available electronic communications services, such as fixed or mobile telephone companies or Internet service providers, must notify the CNPD within 24 hours after the detection of a personal data breach and inform their subscribers if the incident is likely to adversely affect their privacy and data protection.
13. Direct marketing
Direct marketing communications may only be sent with the prior consent of the data subjects. However, the sender may send direct marketing materials to data subjects for similar products or services provided in the past. In this latter case, the data subjects must be clearly and expressly given the right to object, free of charge and in a simple manner, to such use of their contact details.
14. Cookies and adtech
It is not necessary to obtain consent to place or read cookies considered "essential". These are cookies whose sole purpose is to carry out the transmission of a communication via an electronic communications network, or which are strictly necessary for the supplier to provide an information society service expressly requested by the subscriber or user.
On the other hand, it is mandatory to obtain the user's prior consent to the deposit or reading of "non-essential" cookies (e.g., a cookie deposited for behavioural tracking purposes).
15. Risk scale
Moderate.
16. Useful links
Cybersecurity
1. Local cybersecurity laws and scope
- Act of 28 May 2019 transposing Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (“NIS Act”):
The NIS Act designates l’institut luxembourgeois de regulation (“ILR”) as the competent authority for network and information systems security, covering the following sectors in particular: Energy, Transport, Health, Drinking water supply and distribution and Digital infrastructures as well as digital services.
- Articles 42 and 43 of the Act of 17 December 2021 transposing Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code:
Providers of public electronic communications networks or publicly available electronic communications services shall take adequate and proportionate technical and organisational measures to manage network and service security risks appropriately.
- Grand Ducal Regulation dated 12 March 2012 implementing the Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructure and the assessment of the need to improve their protection (“Critical Infrastructures Act”).
2. Anticipated changes to local laws
Luxembourg is currently in the process of transposing the NIS2 Directive (Directive (EU) 2022/2555), which will supersede certain provisions of the NIS Act. The draft legislation was published in early 2024, and final adoption is expected by the end of the year 2025.
Luxembourg is also currently in the process of transposing the CER Directive (Directive (EU) 2022/2557), which will supersede certain provisions of the NIS Act. The draft legislation was published in September 2023, and final adoption is expected by the end of the year 2025.
3. Application
Critical Infrastructures Act: sets out security obligations for European and national critical infrastructure in the energy and transport sectors.
NIS Act: covers a number of obligations imposed on operators of essential services and digital service providers to take technical and organisational security measures to prevent incidents, limit their impact on (essential) services and ensure the continuity of those services. It also includes the notification of incidents, supervision and sanctions.
4. Authority
- The High Commission for National Protection (Haut-commissariat à la Protection nationale, “HCPN”) and the National Agency for the Security of Information Systems (“ANSSI”) which is under the responsibility of the HCPN.
- ILR covering the following sectors in particular: Energy, Transport, Health, Drinking water supply and distribution and Digital infrastructures as well as digital services.
5. Key obligations
NIS Act
Operators of essential services shall take the necessary and proportionate technical and organizational measures to manage the risks that threaten the security of the networks and information systems they use in the course of their activities.
Critical Infrastructures Act
European critical infrastructure operators must:
- Draw up a security plan or take equivalent measures; and
- Appoint a security correspondent to act as a point of contact with the competent authority.
6. Sanctions & non-compliance
Administrative sanctions:
ILR may impose one or more of the following penalties on the essential service operator or digital service provider concerned:
- a warning;
- a reprimand;
- a fine, the amount of which is proportionate to the seriousness of the breach, the situation of the party concerned, the extent of the damage and the benefits derived, but may not exceed 125,000 euros. The fine may only be imposed insofar as the breaches in question are not the subject of a criminal penalty.
Criminal sanctions:
N/A
Others:
N/A
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes: GOVCERT.LU
8. National cybersecurity incident management structure
GOVCERT.LU is the single point of contact dedicated to the treatment of all computer-related incidents jeopardising the information systems of the government and of defined critical infrastructure operators operating in Luxembourg, whether they are public or private. Incidents that are not related to GOVCERT.LU’s constituency are forwarded to other appropriate CSIRTs.
9. Other cybersecurity initiatives
- Luxembourg House of Cybersecurity (“LHC”)
As a central player, LHC is home to all types of cybersecurity-related activities and together with its two hosted centres CIRCL (Computer Incident Response Center Luxembourg) and NC3 (National Cybersecurity Competence Center) aims at capitalising on and further developing innovation, competencies, collaboration and capacity building.
- BEE SECURE
BEE SECURE aims to raise awareness among the general public of safer and more responsible use of digital technologies, and to empower children, young people and those around them (parents, teachers, educators and others) in particular through targeted programmes.