Data Law Navigator | Luxembourg
Information on Data Protection and Cyber Security laws from CMS experts
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last updated 11 July 2019
*mature data protection regime with heavy sanctions for non-compliance, but with passive regulator OR mature data protection regime with low sanctions for non-compliance, but with repressive regulator
- Regulation (EU) 2016/679 of 27 April 2016 (“GDPR”);
- Directive (EU) 2016/680 of 27 April 2016 (“Criminal Justice Directive”);
- Act of 11 August 1982 on the protection of privacy;
- Amended Act of 30 May 2005 concerning the processing of personal data and the protection of privacy in the electronic communications sector. This Act implements Directive 2002/58/EC;
- Act of 1 August 2018, reference A686, on the organisation of the National Data Protection Commission (CNPD, the Luxembourg data protection authority) and the general data protection framework. This Act of 1 August 2018 implements Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repeals the Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- Act of 1 August 2018, reference A689, on the protection of individuals with regard to the processing of personal data in criminal and national security matters. This Act of 1 August 2018 is a transposition into national law of Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
Commission Nationale pour la Protection des Données, CNPD; https://cnpd.public.lu/en.html
If applicable: local derogations as permitted by GDPR
The Grand Duchy of Luxembourg derogates from the provisions of the GDPR in the area of processing for scientific or historical research purposes or statistical purposes (Act of 1 August 2018, reference A686, articles 63, 64 and 65).
The provisions of Luxembourg law apply to controllers and processors established on the territory of Luxembourg.
In the context of its tasks set out in the Act of 1 August 2018, reference A686, article 8, the CNPD has the following powers:
- 1° to obtain from controllers and/or processors access to all personal data processed and all information necessary for the performance of its tasks;
- 2° to issue warnings to a controller or a processor that planned data processing operations are likely to infringe provisions adopted pursuant to the Act of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters;
- 3° to order the controller or processor to bring processing operations into compliance with the provisions adopted pursuant to the Act of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters, where appropriate, in a specified manner and within a specified period, in particular by ordering the rectification or erasure of personal data or restriction on processing in accordance with Article 15 of the Act of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters;
- 4° to impose a temporary or definitive limitation, including a ban, on processing;
- 5° to advise the controller in accordance with the prior consultation procedure referred to in Article 27 of the Act of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters;
- 6° to issue, on its own initiative or on request, opinions to the Chamber of Deputies (Chambre des députés) and its Government or other institutions and organisations as well as the public, on any question relating to personal data processing.
Registration / notification
No general requirement to register with or notify the CNPD when a business processes personal data.
Main obligations and processing requirements
Before data may be processed by the controller, a number of conditions of lawfulness must be met to ensure an adequate protection of privacy. When personal data are processed, the following principles must be respected:
- Principles of lawfulness, fairness and transparency;
- Purpose limitation principle;
- Principle of data minimisation;
- Principle of accuracy;
- Principle of retention limitation;
- Principle of integrity and confidentiality;
- Principle of accountability.
Data subject rights
Data subjects are granted the following rights:
- Right to information;
- Right of access;
- Right to erasure (“right to be forgotten”);
- Right to data portability;
- Right to restriction of processing;
- Right to contest a decision based solely on automated processing, including profiling;
- Right to rectification;
- Right to delisting;
- Right to object.
Processing by third parties
A data processing agreement must be entered into, in which the processor agrees to act only on behalf of the controller, to take appropriate technical and organisational security measures to protect the personal data, and to be bound by the same data protection obligations as the controller. Such an agreement should also contain clear provisions on liability between the controller and the processor in the event of a breach of privacy.
Transfers out of country
Personal data cannot be transferred outside the EEA to a non-adequate country unless the necessary safeguards are in place (e.g. EU model clauses, an ad hoc data transfer agreement, Privacy Shield certification) or the data subject has consented.
Data Protection Officer
The Data Protection Officer (DPO) has an important role in the legal framework created by the General Data Protection Regulation (GDPR). Articles 37 to 39 GDPR lay down the rules applicable to the designation, position and tasks of the DPO.
Appropriate technical and organisational security measures must be taken to protect the personal data.
Two types of data breaches must be notified to the CNPD:
- Data breaches under the General Data Protection Regulation. Controllers shall notify a data breach to the CNPD within 72 hours after becoming aware of it if it is likely to result in a risk to the rights and freedoms of natural persons. In the case of a high risk, the controller shall also communicate the personal data breach to the data subject without undue delay.
- Data breaches in the electronic communications sector. In accordance with the European Commission regulation (EU) No. 611/2013 of 24 June 2013, which entered into force on 25 August 2013, providers of publicly available electronic communications services, such as fixed or mobile telephone companies or Internet service providers, must notify the CNPD within 24 hours after the detection of a personal data breach and inform their subscribers if the incident is likely to adversely affect their privacy and data protection.
Consent must be obtained (with an exemption for B2B).
Last updated 11 July 2019
*mature cybersecurity regime with low sanctions for non-compliance, but with repressive regulator.
Laws and regulations
Règlement grand-ducal of 12 March 2012 implementing the Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (Critical Infrastructures Act).
Anticipated changes to law
The NIS Directive (Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union) has been transposed into Luxembourg law by the Law of 28 May 2019 transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to be taken to ensure a high level of network and information security in the Union, and modifying 1. the Amended Law of 20 April 2009 establishing the State Information Technology Center and 2. the Law of 23 July 2016 establishing a High Commission for National Protection.
Critical Infrastructures Act: sets out security obligations for European and national critical infrastructures in the energy and transport sectors.
The High Commission for National Protection (Haut-commissariat à la Protection nationale, HCPN) is a body that falls under the responsibility of the Prime Minister and Minister of State. Its main mission is to ensure that the nation is always and in all circumstances protected against threats that could seriously infringe upon the country's sovereignty and independence, the free functioning of its institutions, the safeguarding of its national interests and the safety of the population. The National Agency for the Security of Information Systems (ANSSI) is under the responsibility of the HCPN. The role of the HCPN has been consolidated by the Law of 23 July 2016 (Consolidation Act) and modified by Law of 28 May 2019 transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to be taken to ensure a high level of network and information security in the Union.
Critical Infrastructures Act: a security officer must be appointed and a security plan established.
Law of 28 May 2019 transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to be taken to ensure a high level of network and information security in the Union:
- fine of up to EUR 125,000.
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
The Computer Incident Response Center Luxembourg (CIRCL) is the cyber emergency team and acts as the CERT for the private sector, communes and non-governmental entities in Luxembourg. It assists companies with: (i) the coordination of cyber incidents; (ii) advice on finding a solution when cyber incidents arise; and (iii) support in preventing such security incidents from occurring.
The Computer Emergency Response Team of the Government of the Grand Duchy of Luxembourg (GOVCERT.LU) is the Luxembourg Computer Security Incident Response Team (CSIRT). The service oversees the management of cyber-security incidents compromising Luxembourg, its citizens or its economy and is responsible for receiving, reviewing and responding to reports of such incidents.
GOVCERT.LU is the single point of contact dedicated to the treatment of all computer related incidents jeopardising the information systems of the government and defined critical infrastructure operators operating in Luxembourg, whether they are public or private.
Incidents that are not related to GOVCERT.LU’s constituency are forwarded to other appropriate CSIRTs.
Is there a national incident management structure for responding to cyber security incidents?
The national management structure for responding to cybersecurity incidents is GOVCERT.LU.
Other cyber security initiatives
SMILE “Security Made In LËtzebuerg” GIE, operator of the CERT “CIRCL”, is also the host organization for CASES and BEE SECURE.
- https://www.cases.lu/ : "Cyberworld Awareness Security Enhancement Structure" – Luxembourg Portal for ICT
- https://www.bee-secure.lu/fr : ICT Security in Luxembourg
- http://www.circl.lu/ : Computer Incident Response Center Luxembourg
- https://www.govcert.lu/en/ : Computer Emergency Response Team
- https://securitymadein.lu/ : Luxembourg cybersecurity ecosystem
- https://cybersecurite.public.lu/fr/securite-information/mission.html : ANSSI (Agence Nationale de la Sécurité des systèmes d’information)