The classic trap
Article 84 is often overlooked because organisations focus solely on the administrative fines of Article 83. Yet there is a second layer of penalties, defined by each Member State, covering in particular criminal infringements and those not directly targeted by Article 83. In Luxembourg these complementary penalties appear in the national implementing law and may include criminal sanctions for certain unlawful processing operations. The trap: believing you are covered because you anticipated the CNPD administrative fine, when the same breach can trigger proceedings on a different legal basis.
The infringements that fall outside Article 83 alone
Member States have transposed varied penalty regimes. You must map your real exposure beyond the GDPR ceiling (20 M EUR or 4% of worldwide turnover):
- Unlawful processing of sensitive data or criminal conviction data, often carrying national criminal sanctions.
- Obstructing a CNPD investigation or refusing to cooperate, classified as a separate offence in several national laws.
- Misuse of purpose and fraudulent reuse of files, liable to criminal prosecution in France (CNIL) and Belgium (APD/GBA).
- Breach of rules set under national margins of manoeuvre (Article 88 on employee data, processing of national identification numbers).
- Failures to meet overlapping sectoral obligations whose penalties do not fall under Article 83.
The operational difficulty is that these regimes differ from one Member State to another. A company active in several countries must maintain an up-to-date multi-jurisdictional penalty grid, which nobody does manually.
How Luxgap automates this risk
Our Luxgap Penalty Exposure Mapper turns the blind spot of national penalties into a living map of your real exposure, administrative fine AND criminal sanction included. A legal AI agent reads your processing register, your countries of establishment and your data categories, then cross-references them with national implementing laws (Luxembourg law of 1 August 2018, French Loi Informatique et Libertes, Belgian law of 30 July 2018) to identify, for each processing operation, every applicable basis for penalty.
- Automatically detects processing operations exposed to national criminal sanctions (sensitive data, identification numbers, offence files) from your Article 30 register.
- Calculates a multi-jurisdictional exposure score distinguishing the Article 83 administrative fine from the other penalties under Article 84.
- Generates a penalty grid per country, updated as soon as a national transposition law is notified to the Commission.
- Alerts the DPO in real time when a new processing operation moves into a criminal-risk category.
- Produces a timestamped PDF report opposable to the CNPD demonstrating that you identified and handled your exposure beyond Article 83 alone.
Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real register, with a free blind audit within 48h to measure your exposure before any commitment.