The classic trap
Article 94 repeals Directive 95/46/EC and requires every reference to the old text to be read as a reference to the GDPR. The trap is not theoretical: many Luxembourg organisations still run on contracts, internal policies, privacy notices and confidentiality clauses that cite Directive 95/46/EC, the repealed Law of 2 August 2002 or the Article 29 Working Party. The CNPD, like the CNIL or the APD/GBA, treats these obsolete references as a sign of unmaintained documentation, which undermines the accountability obligation of Article 5(2) during an inspection.
The ghost references authorities spot first
- Contractual clauses pointing to Directive 95/46/EC or its repealed national transposition.
- Privacy notices and policies citing the Luxembourg Law of 2 August 2002 instead of the GDPR and the Law of 1 August 2018.
- References to the Article 29 Working Party (WP29) where the EDPB (European Data Protection Board) should be named.
- Internal procedures, IT charters and HR clauses never revised since 2018.
- Legacy DPA templates and processing commitments still circulating in contractual annexes.
- Legal bases documented by reference to articles of the repealed Directive rather than Articles 6 and 9 of the GDPR.
An outdated reference does not trigger a fine on its own, but it signals to the authority that documentation has not been maintained, and feeds the suspicion of a declarative rather than living compliance framework.
How Luxgap automates this risk
Our Luxgap Legal Reference Sweeper makes it impossible for repealed legal references to survive in your documentary corpus. A specialised AI agent continuously scans your contracts, policies and web pages stored in M365 (SharePoint, OneDrive), Odoo, Google Workspace and your contractual repositories, detects every mention of Directive 95/46/EC, the WP29 or repealed national laws, and proposes the up-to-date GDPR wording, timestamped and traceable.
- Automatically detects every occurrence of Directive 95/46/EC, Article 29 Working Party or the Law of 2 August 2002 across your M365, Odoo and Google Workspace documents, without asking the DPO to read a single file.
- Classifies each outdated reference by criticality: enforceable contractual clause, public privacy notice, internal procedure or dormant template.
- Generates the matching GDPR correction (pointing to Articles 6, 9, 28 or 32, replacing the WP29 with the EDPB) and submits it for review before publication.
- Scans your public websites via a lightweight JS snippet to spot privacy notices still based on the old framework.
- Produces a timestamped PDF report, enforceable before the CNPD, demonstrating the full revision of your corpus and Article 5(2) accountability.
Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real documents, with a free blind audit within 48h to measure your exposure before any engagement.