← All articles

Veille reglementaire

CNPD 2025 report: 846 complaints (+40%), key takeaways for Luxembourg

CNPD 2025 annual report: 846 complaints (+40% in one year), 425 breach notifications (49% human error), 59 investigations, 16 opinions. The shift to risk-based regulation, AI as a priority, and 5 concrete actions for DPOs and CISOs in Luxembourg.

Luxembourg's data protection authority, the CNPD, presented its 2025 annual report on 10 July 2026. For DPOs, CISOs and executives in Luxembourg, this is the most reliable barometer of what the authority actually monitors on the market — and therefore what belongs on your 2026 roadmap. Here are the key takeaways, our reading of the signals, and what we concretely recommend.

The figures to remember

  • 846 complaints received in 2025, up +40% in one year. This is the report's standout figure.
  • 1,909 complaint files handled in total over the year (the backlog, not just new entries).
  • 425 data breach notifications handled — and critically, 49% of breaches result from human error.
  • 59 investigation files conducted and 16 opinions adopted on draft laws and regulations.
  • 623 information requests handled and 36 training sessions organised: the authority invests in guidance as much as in enforcement.

Complaint breakdown: right of access 25%, right to erasure 22%, processing compliance 21%. Individuals know their rights and increasingly exercise them.

+40% complaints: what it really means

A 40% jump in a year does not reflect a sudden collapse in practices — it reflects rising maturity among data subjects. Employees, customers, patients and users now know they can request access to or erasure of their data, and escalate to the CNPD if the organisation fails to respond, or responds poorly.

The operational consequence is direct: data subject rights requests (access and erasure alone make up ~47% of complaints) become a flow to industrialise. An organisation without a clear procedure — one-month deadline, identity verification, response scope, logging — mechanically ends up in the complaint statistics. That is the first "anti-complaint" area to secure.

49% of breaches = human error: the message for CISOs

Where the French CNIL notes that one breach in two results from hacking, the CNPD reminds us that in Luxembourg nearly one breach in two comes from human error: wrong recipient, unauthorised disclosure, mishandling. The technical factor (cyberattack) is present, but internal error remains dominant.

Translation for your 2026 plan: the highest-return measures are not only EDR and MFA, but also everyday guardrails — email DLP, external-recipient confirmation, least-privilege access, and above all trained teams. A "pause before you send" culture avoids a large share of the year's 425 notifications.

The real shift: risk-based regulation

The report's most important editorial signal is not a number, it is a method: the CNPD embraces a risk-based approach. The authority focuses its resources where the risk to individuals is highest, and expects organisations to follow the same logic.

Concretely, an up-to-date processing register, proportionate impact assessments (DPIAs) on sensitive processing, and a documented prioritisation of your risks are no longer "just-in-case" paperwork: they are exactly the lens the authority applies. In an inspection, showing that you identified, prioritised and handled your risks weighs more than exhaustive but disembodied formal compliance.

AI at the heart of priorities

Of the 16 opinions issued in 2025, artificial intelligence is central, alongside the Data Governance Act (new tasks for the CNPD) and electronic communications. The authority positions itself as a key player in AI governance in Luxembourg, in the wake of the AI Act (Regulation (EU) 2024/1689).

For any organisation that has deployed Claude, ChatGPT or Copilot without an inventory, AI Act risk classification or usage charter: the topic is now on the authority's table. Our AI & compliance page details the path — inventory, Annex III classification, internal governance.

2025 novelties worth knowing

  • First sectoral GDPR code of conduct approved in Luxembourg: a reference framework for a sector, a token of shared compliance.
  • Digital culture and the Leonora project: the CNPD strengthens awareness, notably among young people. The message: data protection is also won upstream, through education.

President Tine A. Larsen and Commissioner Alain Herrmann carried the same message: data protection has become an everyday concern and a trust enabler — therefore a driver of innovation, not a brake. That has been our conviction since 2018.

What we recommend for Luxembourg organisations in 2026

  1. Harden the "rights exercise" chain. Written access and erasure procedure, one-month deadline met, identity verification, traced response. It is the number-one complaint source.
  2. Reduce human error, not just hacking. Email DLP, external-recipient confirmation, least privilege, and regular team awareness.
  3. Move to "risk" logic. Up-to-date register, proportionate DPIAs, prioritised risk mapping — the authority's exact lens. A tooled external DPO speeds this up.
  4. Inventory AI and frame the AI Act. List AI systems (including shadow IT), classify by risk, formalise a usage charter. See AI & compliance.
  5. Test the 72h breach alert chain. Simulate a real scenario (accidental send, ransomware, stolen laptop) and time it through to the pre-filled CNPD form. Gaps surface within an hour.

DPO and CISO: the same fight

The report confirms a deep trend we see across our mandates: the boundary between data protection and cybersecurity is fading. Notifying a breach to the CNPD within 72h often also means qualifying an incident under NIS 2. Both functions must share the same registers, action plans and tested incident scenarios. This is the logic of our DPO Assist platform (GDPR tickets, 72h breaches, severity qualification, processor tracking).

Also worth reading, to compare with neighbouring France: our breakdown of the CNIL 2025 report (EUR 487M in fines, one breach in two = hacking).

In short

The CNPD 2025 report sketches a clear trajectory: individuals exercising their rights (+40% complaints), human error still dominant in breaches, an authority regulating by risk and making AI a priority. None of this is out of reach: an up-to-date register, rights-exercise procedures, awareness, proportionate DPIAs and a tested alert chain cover the essentials.

Want to discuss your specific case? Our external DPO and external CISO team has been working these topics together since 2018. Contact us or request a tailored quote within 24 hours.

Official sources

LUXGAP NEWSLETTER

Get our analyses the moment they drop.

GDPR, NIS 2, AI expertise articles, plus invitations to free webinars + trainings at Luxgap. 1 to 2 emails per week max, one-click unsubscribe.

Your data is never shared. GDPR-compliant (we're DPOs after all).

A question on this topic?

Our team usually replies within one business day. Configure your quote or write to us.

Build my quote →