
DPIA (Art. 35 GDPR) in Luxembourg: when to trigger and how to succeed

When is a DPIA mandatory in Luxembourg and how to do it right? GDPR framework, CNPD list, EDPB method, prior consultation (Art. 36) and best practices.

Key aims: avoid unmanaged high‑risk processing, document compliance, and consult the CNPD before go‑live if needed. To frame the topic within the Luxembourg GDPR context, this guide covers the rule, CNPD/EDPB sources and a practical method.

The general rule

A Data Protection Impact Assessment (DPIA/AIPD) is mandatory when processing is “likely to result in a high risk to the rights and freedoms of natural persons.” Article 35 GDPR sets the framework: objectives, minimum content and typical cases where a DPIA is required (systematic monitoring, large‑scale processing of special categories, etc.). See the official text on EUR‑Lex, Article 35 and Recitals 84–95. EUR‑Lex – Regulation (EU) 2016/679.

GDPR also provides:

  • targeted exemptions (e.g., where an impact assessment was already carried out under the law establishing the processing, Art. 35(10)); and
  • prior consultation of the authority where, despite envisaged measures, a “residual high risk” remains (Article 36). EUR‑Lex – Article 36.

What the regulator says

In Luxembourg, the CNPD adopted, under Article 35(4), a list of processing categories that require a DPIA “in all cases.” It notably includes:

  • processing including biometric or genetic data combined with other EDPB risk criteria,
  • certain geolocation or systematic monitoring operations,
  • large‑scale processing of special categories.

The official page also explains the link with prior consultation (Article 36). CNPD – DPIA obligations and Art. 35(4) list.

The CNPD’s formal decision adopting this list (Deliberation No 34/2019 of 6 March 2019) recalls the EU consistency mechanism and the anchoring in Article 35(1) and (4) GDPR. CNPD – Deliberation 34/2019 (DPIA list).

On methodology, the European Data Protection Board (EDPB) endorsed the WP29 “Guidelines on DPIA and determining whether processing is likely to result in a high risk (WP248 rev.01).” They provide:

If, after the DPIA, the high risk remains, the organisation must consult the CNPD before starting the processing (Article 36). GDPR provides that the authority “shall provide written advice” within eight weeks of receiving the request, a period that can be extended in complex cases. Consolidated text – Article 36(2) GDPR. The CNPD recalls this duty and offers a dedicated contact point. CNPD – DPIA (EN): prior consultation and contact.

How to apply it in practice

Example 1 (financial/insurance): automated claims scoring with fraud detection, fuelled by geolocation and behavioural data.
Example 2 (public/semi‑public): biometric authentication for building access, coupled with smart video surveillance.

Key steps

Before (design)

  1. Map purposes and data, identify actors and flows (Article 30 register is a useful input). CNPD – Article 30 register. Depending on your setup, an engagement of a certified DPO can streamline scoping.
  2. Decide whether a DPIA is required:
    • Check the CNPD Article 35(4) list. If your case appears, the DPIA is mandatory. CNPD – DPIA list.
    • Otherwise, apply the nine EDPB criteria: where at least two of them apply, a DPIA is generally required (a context‑based judgment). EDPB – WP248 rev.01.
  3. Define the DPIA method:
    • Minimum content (Art. 35(7)): processing description, necessity/proportionality assessment, risk analysis, envisaged measures. EUR‑Lex – Article 35.
    • Involve the DPO, business, IT security, legal; consult stakeholders when relevant (WP248). For AI projects, plan governance and documentation early via our AI compliance in Luxembourg page.
  4. Think “privacy by design”: less intrusive alternatives, minimisation, pseudonymisation, encryption, access logging, limited retention.

During (implementation)

  1. Document decisions: legal basis, legitimate interest balancing, necessity tests, a measurable and traceable DPIA. Align security measures (Art. 32) to identified risks (access control, IAM, MDM, encryption at rest/in transit, testing, logging).
  2. If a high risk remains despite measures, prepare a prior consultation file (Art. 36): description, responsibilities, DPIA results, proposed measures, and any information requested by the authority. Article 36 – timelines and expectations.

After (operations)

  1. Monitor and review: a DPIA is not static. Any substantial change (new data sources, new purpose, algorithm/AI change, interconnection) triggers a review. WP248 recommends periodic reviews.
  2. Keep evidence ready: signed/time‑stamped DPIA, risk matrix, arbitration records, committee minutes, proof of implemented measures and effectiveness testing (Art. 32 controls), updated privacy notices.
  3. Organise the lifecycle: retention periods, purge/archiving, data subject rights (access, objection, restriction, etc.) and incident handling procedures (Art. 33/34).

CNPD tip: the infographic “DPIA: required or not” is a handy reminder for project teams. CNPD – DPIA infographic.

Common pitfalls

  1. Confusing the “record of processing” with a DPIA. A register (Art. 30) is necessary but insufficient: it never replaces the impact assessment when required. CNPD – Article 30 register
  2. Underestimating combined criteria. EDPB guidance stresses that several medium criteria may together trigger a DPIA (e.g., matching + monitoring + vulnerable subjects). EDPB – WP248 rev.01
  3. Starting the project before arbitrating residual risks. If a “high risk” persists, prior consultation (Art. 36) is mandatory; skipping it exposes you to orders or prohibition. Article 36 GDPR – duty and advice timeline
  4. Forgetting proportionality. The DPIA must justify necessity and compare less intrusive options (privacy by design). This is explicitly required by Article 35(7)(b). EUR‑Lex – Article 35
  5. Not revisiting the DPIA after changes. A new non‑EU cloud provider, adding biometrics, or training an AI model with new sources may requalify risk: update the DPIA and, if needed, (re)consult the CNPD. CNPD – DPIA: obligations and prior consultation

Official sources

  • Regulation (EU) 2016/679 (GDPR) – official text, Art. 35 (DPIA) and Art. 36 (prior consultation): EUR‑Lex / OJ L119
  • CNPD (Luxembourg) – “Analyse d’impact relative à la protection des données (AIPD)” and Article 35(4) list: CNPD official page
  • CNPD – Deliberation No 34/2019 of 6 March 2019 adopting the DPIA list: official PDF
  • EDPB – Endorsed “Guidelines on DPIA and determining whether processing is likely to result in a high risk” (WP248 rev.01): EDPB page and French version – PDF
  • CNPD – Practical infographic “AIPD: required or not”: CNPD PDF

As of May 2026, Luxembourg executives should embed the DPIA as a project governance ritual (with EDPB thresholds) and, when needed, use CNPD prior consultation within Article 36 timelines. If you need assistance, feel free to contact our experts.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
