Data protection and cybersecurity laws in Luxembourg

Data protection

1. Local data protection laws and scope

  • Law dated 1 August 2018, reference A686, on the organisation of the National Data Protection Commission (CNPD) and the general data protection framework. This law has implemented Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing the law dated 2 August 2002 on the protection of individuals with regard to the processing of personal data and on the free movement of such data); https://cnpd.public.lu/dam-assets/fr/legislation/droit-lux/Act-of-1-August-2018-on-the-organisation-of-the-National-Data-Protection-Commission-and-the-general-data-protection-framework.pdf
  • Law dated 1 August 2018, reference A689, on the protection of individuals with regard to the processing of personal data in criminal and national security matters. This law has implemented Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA;
  • Law dated 1 August 2018 on the processing of passenger name record data in the context of the prevention and repression of terrorism and serious crime and amending the Act of 5 July 2016 on the reorganisation of the State Intelligence Service;
  • Amended law dated 30 May 2005 concerning the processing of personal data and the protection of privacy in the electronic communications sector. This law has implemented Directive 2002/58/EC;
  • Article L. 261-1(1) of the Luxembourg Labour Code provides specific regulations concerning monitoring and surveillance at work by the employer.

2. Data protection authority

3. Anticipated changes to local laws

There are no anticipated changes.

4. Sanctions & non-compliance

Administrative sanctions:

The CNPD may impose administrative fines pursuant to Article 83 of the General Data Protection Regulation (EU) 2016/679 (GDPR), in addition to - or instead of - other corrective measures, depending on the circumstances of each individual case.

The CNPD may also impose on the controller or processor a penalty of up to 5% of its average daily turnover in the previous financial year, respectively during the last financial year closed, as long as such controller or processor does not communicate information requested by the CNPD pursuant to Article 58(1)(a) GDPR, or as long as such controller or processor does not abide by a corrective measure adopted by the CNPD pursuant to Article 58(2)(c)-(j) GDPR.

Criminal sanctions:

The CNPD may impose criminal sanctions (an imprisonment of eight days or a fine of between EUR 251 and EUR 125,000) against anyone who knowingly prevents or hinders the performance of the CNPD's missions.

Others: 

In the context of its tasks set out in the law dated 1 August 2018, reference A686, article 8, the CNPD has the following powers:

  • to obtain from controllers and/or processors access to all personal data processed and all information necessary for the performance of its tasks;
  • to issue warnings to a controller or a processor that planned data processing operations are likely to infringe provisions adopted pursuant to the law dated 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters;
  • to order the controller or processor to bring processing operations into compliance with the provisions adopted pursuant to the law dated 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters, where appropriate, in a specified manner and within a specified period, in particular by ordering the rectification or erasure of personal data or restriction on processing in accordance with Article 15 of the law dated 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters;
  • to impose a temporary or definitive limitation, including a ban, on processing;
  • to advise the controller in accordance with the prior consultation procedure referred to in Article 27 of the law dated 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters;
  • to issue, on its own initiative or on request, opinions to the Chamber of Deputies (Chambre des Députés) and its Government or other institutions and organisations as well as the public, on any question relating to personal data processing.

5. Registration / notification / authorisation

There is no general requirement to register with or notify the CNPD when a business processes personal data.

6. Main obligations and processing requirements

Before data may be processed by the controller, a number of conditions of lawfulness must be met to ensure an adequate protection of privacy. When personal data are processed, the following principles must be respected:

  • Principles of lawfulness, fairness and transparency;
  • Purpose limitation principle;
  • Principle of data minimisation;
  • Principle of accuracy;
  • Principle of retention limitation;
  • Principle of integrity and confidentiality;
  • Principle of accountability.

7. Data subject rights

The data subjects are granted with the following rights:

  • Right to information;
  • Right of access;
  • Right to erasure (“right to be forgotten”)
  • Right to data portability;
  • Right to restriction of processing;
  • Right to contest a decision based solely on automated processing, including profiling;
  • Right to rectification;
  • Right to delisting;
  • Right to object.

8. Processing by third parties

There is a need to enter into a data processing agreement in which the processor agrees to act only on behalf of the controller, to take appropriate technical and organisational security measures to protect the personal data, and to be bound by the same data protection obligations as to which the controller is bound. Such agreement should also contain clear provisions on liability between the controller and processor in the event of a breach of privacy.

9. Transfers out of country

It is not possible to transfer personal data outside the EEA to a non-adequate country without the necessary safeguards in place (e.g. EU model clauses, ad hoc data transfer agreement, Privacy Shield certification) or with consent of data subject.

10. Data Protection Officer

The Data Protection Officer (DPO) has an important role in the legal framework created by the GDPR. Articles 37 to 39 GDPR lay down the rules applicable to the designation, position and tasks of the DPO.

11. Security

There is a need to take appropriate technical and security measures to protect personal data.

12. Breach notification

Two types of data breaches must be notified to the CNPD:

Data breaches under the GDPR. Controllers shall notify data breaches to the CNPD within 72 hours after becoming aware of it if it is likely to result in a risk to the rights and freedoms of natural persons. In case of a high risk, the controller shall also communicate the personal data breach to the data subject without undue delay.

Data breaches in the electronic communications sector. In accordance with the European Commission regulation (EU) No. 611/2013 of 24 June 2013, which entered into force on 25 August 2013, providers of publicly available electronic communications services, such as fixed or mobile telephone companies or Internet service providers, must notify the CNPD within 24 hours after the detection of a personal data breach and inform their subscribers if the incident is likely to adversely affect their privacy and data protection.

13. Direct marketing

Need to obtain consent (exemption for B2B).

14. Cookies and adtech

No specific local provisions in the applicable law.

15. Risk scale

Moderate

*mature data protection regime with heavy sanctions for non-compliance, but with passive regulator OR mature data protection regime with low sanctions for non-compliance, but with repressive regulator

Cybersecurity

1. Local cybersecurity laws and scope

Grand Ducal Regulation dated 12 March 2012 implementing the Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructure and the assessment of the need to improve their protection (Critical Infrastructures Act).

2. Anticipated changes to local laws

There are no anticipated changes to local laws.

3. Application 

Critical Infrastructures Act: sets out security obligations for European and national critical infrastructure in the energy and transport sectors.

4. Authority

The High Commission for National Protection (Haut-commissariat à la Protection nationale, HCPN) is a body that falls under the responsibility of the Prime Minister and Minister of State. Its main mission is to ensure that the nation is always, and in all circumstances, protected against threats that could seriously infringe upon its sovereignty and independence, the free functioning of its institutions, the safeguarding of its national interests and the safety of the population. The National Agency for the Security of Information Systems (ANSSI) is under the responsibility of the HCPN. The role of the HCPN has been consolidated by the law dated 23 July 2016 (Consolidation Act) and modified by the law dated 28 May 2019 transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to be taken to ensure a high level of network and information security in the Union.

5. Key obligations 

Critical Infrastructure Acts: need to appoint a security officer and establish a security plan.

6. Sanctions & non-compliance 

Administrative sanctions:

N/A

Criminal sanctions:

Law dated 28 May 2019 transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to be taken to ensure a high level of network and information security in the Union:

  • Fine of up to EUR 125,000.  
Others:

N/A

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes.

Computer Incident Response Center Luxembourg (CIRCL) is the cyber emergency team and acts as the CERT for the private sector, communes and non-governmental entities in Luxembourg that assists companies with: (i) the coordination of the event in cyber incidents; (ii) advice about finding a solution when cyber incidents arise; and (iii) support to prevent these security incidents occurring.

The Computer Emergency Response Team of the Government of the Grand-Duchy of Luxembourg (GOVCERT.LU) is the Luxembourg Computer Security Incident Response Team (CSIRT). The services oversee the management of cyber-security incidents compromising Luxembourg, its citizens or its economy and is responsible for receiving, reviewing and responding to report of such.

GOVCERT.LU is the single point of contact dedicated to the treatment of all computer-related incidents that could jeopardise the information systems of the government and defined critical infrastructure operators operating in Luxembourg, whether they are public or private.
Incidents that are not related to GOVCERT.LU’s constituency are forwarded to other appropriate CSIRTs.

8. National cybersecurity incident management structure

The national management structure for responding to cybersecurity incidents is GOVCERT.LU

9. Other cybersecurity initiatives 

SMILE “Security Made In Lëtzebuerg” GIE, operator of the CERT “CIRCL”, is also the host organisation for CASES and BEE SECURE. 

Portrait of Vivian Walry
Vivian Walry
Partner | Avocat à la Cour
Luxembourg
Portrait of Gilles Bropsom
Gilles Bropsom
Senior Associate
Luxembourg