
Compliance · Personal data

GDPR, the EU data protection regulation.

Regulation (EU) 2016/679 imposes around twenty precise obligations on every organisation that processes personal data of EU residents. In Luxembourg, the CNPD (National Data Protection Commission) is the supervisory authority. Here is what really applies, without the jargon.

Who is concerned?

Any organisation, of any size, that processes personal data of EU residents. No size threshold exemption.

Examples: private companies (HR, customers, suppliers), associations, municipalities, hospitals, liberal professions, schools, banks, trust companies, investment funds, websites collecting emails. If you have a spreadsheet with names, GDPR applies to you.

Key obligations

  • Maintain a record of processing activities (Article 30): describe every personal data processing operation (payroll, applications, marketing, CCTV, etc.) with purpose, legal basis, retention period, recipients.
  • Appoint a DPO (Article 37) if your core activity involves large-scale regular and systematic monitoring, or large-scale processing of sensitive data. In Luxembourg, recommended above 50 employees.
  • Run impact assessments (DPIAs, Article 35) for new high-risk processing (CCTV, biometrics, HR profiling, decision-making AI).
  • Notify data breaches within 72 hours to the CNPD and, in case of high risk, to data subjects (Articles 33-34).
  • Reply to data subject requests within one month (access, rectification, erasure, objection, portability).
  • Bind every processor with a GDPR Article 28 contract (data processing agreement, DPA).
  • Put safeguards in place for transfers outside the EU/EEA (Standard Contractual Clauses, BCRs, etc.).

Deadlines

GDPR has been in force since 25 May 2018. The Luxembourg CNPD has been actively enforcing since then, with a notable intensification since 2022.

Sanctions for non-compliance

Administrative sanctions under GDPR Article 83 reach up to 20 million euros or 4% of worldwide annual turnover (whichever is higher). The Luxembourg CNPD has issued more than 30 million euros in fines in recent years, including to SMBs and associations.

How Luxgap helps

Our external DPO mandate covers all GDPR obligations listed above. You officially appoint us DPO with the CNPD; we take operational ownership. Our 9-axis method (training, register, DPIA, data security, etc.) is proven across dozens of active mandates in Luxembourg.

Let's set up your GDPR compliance.

Configure a quote for a DPO mandate or a one-off support. Reply within one business day.
