GDPR Enforcement in Luxemburg

Trend: Have the national data protection authorities in Luxembourg focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?

The Luxembourg data protection authority ("Commission nationale pour la protection des données", "CNPD") has concentrated its efforts in 2025 on two main topics: compliance with the obligations related to the record of processing activities and compliance of video surveillance systems with the GDPR.

This year’s decisions also demonstrate a particular focus on the fundamental principles of the GDPR, such as transparency, informing data subjects and meeting deadlines when rights are exercised. In 2025, the CNPD issued 7 corrective measures, including 6 fines (ranging from EUR 1,277 to EUR 175,000), primarily for failures to comply with the principles of data minimisation or data retention limits.

These enforcement trends are consistent with the broader strategic priorities highlighted in the CNPD’s 2024 annual report, which underscored the authority’s cross sectoral supervisory role. Overall, the CNPD’s approach remains transversal rather than targeted at specific industries, while maintaining a practical emphasis on both public and private entities processing sensitive data or deploying surveillance technologies.

Overall, what was the most significant fine in Luxembourg to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

On 16 July 2021, the CNPD imposed a fine of EUR 746 million on Amazon. Pursuant to the procedures for cooperation between authorities introduced by the GDPR, the CNPD had jurisdiction to deal with this case, as Amazon Europe Core was established in Luxembourg. Amazon was mainly found liable for processing user data for targeted advertising without asking permission.
Following the Luxembourg Administrative Court's initial acceptance of the CNPD's decision on 18 March 2025, Amazon appealed against the ruling.

On 13 March 2026, the Administrative Appeal Court overturned the fine of EUR 746 million, annulling the CNPD’s decision and sending the entire case back to the CNPD. 

According to the court:

(i) The watchdog had failed to analyse whether the company had intentionally violated the GDPR or had been merely negligent. Indeed, since the judgments handed down by the CJEU on 5 December 2023 in the "Deutsche Wohnen" and "Nacionalinis" cases, such analysis has been a necessary prerequisite for the imposition of an administrative fine in relation to the GDPR.

(ii) The CNPD also did not examine other sanction options and had almost automatically handed out the fine.

However, the court upheld the regulator's findings that Amazon had violated the GDPR by relying on 'legitimate interests' for its extensive behavioural advertising operations.

The case is now back in the hands of the CNPD, which must properly establish negligence and consider whether a new penalty would be applicable. In this regard, we note that at the oral hearing on 8 January 2026, both parties confirmed that the disputed processing operations had since been modified and that Amazon no longer relied on legitimate interest, but on user consent as the legal basis for such data processing.

How is the data protection authority organised in Luxembourg? Budget, staff, assignment to a ministry?

• The CNPD is an independent public body with legal personality and with financial and administrative autonomy.
• The CNPD is divided into five departments: a “Guidance” department, a “Compliance” department, a “Claims” department, an “Investigations” department and an “Administration” department.
• In 2024, CNPD had 66 employees. The CNPD's budget for the 2024 financial year amounts to EUR 10.3 million (an increase of 11.56% on the previous year's budget). 

How does a fine procedure work in Luxembourg? Can the authority impose fines itself? Procedural steps? Legal remedies?

• Fines may be directly imposed by the CNPD as part of administrative proceedings.
• If the CNPD decides to initiate fine proceedings following audits or inspections, the company will be notified to this effect. A report proposing that an enforcement measure be imposed will be sent to the company, which may submit its observations to the CNPD.
• An appeal against the decisions of the CNPD can be made before the Administrative Tribunal, which rules on the merits of the case. The time limit for lodging an appeal is three months.
• Following the Administrative Tribunal’s judgment, in certain cases, the decision can be further appealed to the Administrative Court of Luxembourg.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

Fines are transferred to the state treasury.

Is there an official calculation methodology for fines in Luxembourg?

There is no common or official methodology for calculating fines. They are calculated based on the criteria set out in Articles 83 (5) and (6) GDPR.

The CNPD may also consider fines issued by other EU supervisory authorities in similar cases to ensure consistency and proportionality. While there is no formal numeric formula, these factors guide the CNPD in determining the amount of an administrative fine.

Can public authorities be fined in Luxembourg? If yes: Where does this money go?

The CNPD may impose fines on public authorities, except the state and municipalities. Fines are transferred to the state treasury. 

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

All decisions issued by the CNPD are published on the CNPD’s website. These decisions contain information on the relevant facts, imposed fines and other procedural steps. Often the parties involved are anonymised.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

See our answer to previous question.

Does Luxembourg have model declaratory proceedings/class actions in data protection law?

Since the law of 20 November 2025, there has been a specific framework allowing class action.

This new legal framework allows qualified entities only (i.e. associations or sectoral authorities) to bring legal action on behalf of a group of consumers in a similar situation, in order to secure cessation of a violation, financial compensation for damages or both. This mechanism is subject to strict admissibility requirements, including the absence of conflicts of interest and transparency requirements.

Such proceedings increase companies’ liability and exposure, including in the area of data protection, by facilitating class actions alongside administrative sanctions.

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

Currently, fines imposed by the CNPD remain much more common than court proceedings, which are still relatively rare in Luxembourg. However, this may gradually evolve following the introduction of class actions, which could facilitate damages and injunctive claims, including in data protection matters. In the short term, administrative enforcement is expected to remain the primary driver.