← All articles

consultant

Processors: CNPD (Art. 28 GDPR) vs CSSF 22/806 — two contractual layers

CSSF’s 9 April 2025 update widens the gap with the CNPD/EDPB approach: beyond the GDPR DPA, financial entities must add access/audit clauses, prudential notifications, reversibility, and cloud-specific requirements.

Trigger. On 9 April 2025, the CSSF updated Circular 22/806 via Circular 25/883. Bottom line: for financial entities, a GDPR-compliant DPA is no longer sufficient; an additional contractual layer is required for access/audit, prudential notifications, reversibility, and cloud. See the official page “CSSF Circular 22/806 (as amended by 25/883)”: cssf.lu.

The case

22/806 governs outsourcing (including ICT and cloud) in addition to GDPR obligations. The CSSF page links to the consolidated text and Circular 25/883. Primary sources: CSSF — 22/806 page and CSSF — 22/806 PDF. On data protection, the CNPD publishes Article 28 GDPR and refers to the EDPB guidelines: CNPD — Chapter IV and EDPB — Guidelines 07/2020.

For a GDPR overview, see our page on Article 28 requirements and GDPR references. For the prudential angle, see the DORA framework and operational resilience.

Legal reasoning

1) The CNPD/EDPB baseline — Article 28 GDPR

  • Mandatory contract between controller and processor covering 28(3)(a)–(h): documented instructions, confidentiality, security (Art. 32), sub‑processing (28(2) and (4)), assistance with data subject rights and compliance (Arts. 32–36), end‑of‑contract (erasure/return), information and an audit right (28(3)(h)). Sources: CNPD — Article 28; EDPB — Guidelines 07/2020.
  • The EDPB requires a concrete contract detailing implementation, not a mere copy of the law.

2) The CSSF “superset” — 22/806 (as amended by 25/883)

  • Effective access and audit rights for the entity, its auditors, the competent authority, and mandated third parties; risk‑based frequency and scope (paras. 90–94, Section 4.3.2.3). Source: 22/806 PDF.
  • Additional ICT/Cloud requirements (Part II): definitions, “cloud officer,” segregation of duties, control over the chain, prior notifications for certain setups (paras. 114–119, 140–142; 141(a) et seq.). Source: 22/806 PDF.
  • Governed reversibility and exit plans: measurable success criteria, indicators, and exit triggers (paras. 104–110; 4.3.3). Source: 22/806 PDF.
  • The CSSF page confirms the 2025 update and its link to DORA; expectations on access/audit and outsourcing governance remain high. Source: CSSF — 22/806 page.

Diverging positions

  • CNPD/EDPB: focus on the “what” of the contract (Art. 28(3)) and role qualification; no sectoral prudential template. Sources: CNPD — Art. 28; EDPB — Guidelines 07/2020.
  • CSSF: prescribes the prudential “how”: irreducible audit rights, outsourcing registers, criticality thresholds, cloud notifications, measured exit plans, organisation (“cloud officer”), and control of lower‑tier processors. Source: 22/806 PDF.

What this changes in practice

  • CSSF‑supervised entities: complement the DPA with 22/806 annexes: unhindered access/audit (90–94), mapping of the chain, criticality and notifications (141(a)), provable reversibility (4.3.3), cloud requirements (definitions, “cloud officer,” access restrictions). Source: 22/806 PDF. To operationalise these controls, a fractional CISO for cyber governance can accelerate compliance.
  • Non‑supervised entities: the bar remains Article 28 GDPR and EDPB doctrine: assistance with rights, breach notification SLAs, end‑of‑contract procedures, and an exercisable audit right. References: CNPD — Art. 28; EDPB — Guidelines 07/2020. A certified DPO mandate to structure Article 28 is often decisive.

Typical examples

  • HR SaaS for a bank: beyond the DPA, provide on‑site or pooled audit rights, change notifications and right to object for sub‑processors, tested reversibility (full export + erasure evidence), and prior CSSF notification if the function is critical and hosted in cloud (141(a)). Source: 22/806 PDF.
  • Regulatory archiving on public cloud: define the “cloud officer,” restrict provider access, prohibit manual provider intervention except listed cases, and require an annual security review (Chapter 2, paras. ~1932–1949). Source: 22/806 PDF.

Common pitfalls

  1. Limiting audits to SOC/ISO reports without a true access right. 22/806 requires the agreement not to hinder access/audit rights, including for the authority (paras. 92–94). Source: 22/806 PDF.
  2. Overlooking chain sub‑processing: authorisation (28(2)–(4)) and “same obligations”; 22/806 adds cloud notifications/conditions (141(b)–(c)). Sources: CNPD — Chapter IV; 22/806 PDF.
  3. Not formalising reversibility: GDPR mandates erasure/return (28(3)(g)); 22/806 requires criteria, indicators, and triggers (4.3.3). Source: EDPB — Guidelines 07/2020.
  4. Conflating a DPA with prudential outsourcing: an EDPB‑compliant DPA does not by itself cover prior notifications, cloud governance (“cloud officer”), or provider access restrictions (Part II). Source: EDPB — Guidelines 07/2020.
  5. Poorly operationalised right to object to sub‑processor changes: EDPB requires meaningful notification; in CSSF practice, align with the outsourcing register and criticality (EDPB 07/2020; 22/806 Part I). Sources: EDPB — Guidelines 07/2020; 22/806 PDF.

In short

GDPR (CNPD/EDPB) sets the Article 28 core; CSSF (22/806 as amended by 25/883) adds a structuring prudential layer — access/audit, cloud, notifications, reversibility — to be contracted in addition to the DPA. Compliance audits for supervised entities now test both layers. For hands‑on support, reach our team.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.

LUXGAP NEWSLETTER

Get our analyses the moment they drop.

GDPR, NIS 2, AI expertise articles, plus invitations to free webinars + trainings at Luxgap. 1 to 2 emails per week max, one-click unsubscribe.

Your data is never shared. GDPR-compliant (we're DPOs after all).

A question on this topic?

Our team usually replies within one business day. Configure your quote or write to us.

Build my quote →