The classic trap
Article 98 is an institutional provision: it addresses the European Commission, not your organisation. It is the basis that justified aligning Regulation (EU) 2018/1725, applicable to EU institutions, with the GDPR. The real-world trap is therefore not a direct sanction risk, but a scope error: believing that a single text governs all your data. In practice, authorities (CNPD in Luxembourg, CNIL, the Belgian DPA) sanction controllers who apply the GDPR in a monolithic way when a sectoral act or a connected text (ePrivacy, 2018/1725 if you process for an EU institution) imposes stricter or specific rules.
Why mapping the applicable legal bases is your real issue
This article reminds us that the GDPR lives within an ecosystem of interconnected acts. A single processing operation may fall under several bodies of law at once, and the strictest rule prevails. In practice you must identify:
- Processing carried out for EU institutions or bodies, subject to Regulation 2018/1725 rather than the GDPR alone.
- Electronic communications and cookies, governed by the ePrivacy directive (and its Luxembourg transposition), which prevails over the GDPR for consent to trackers.
- Sectoral acts (DORA for finance, NIS 2 for essential and important entities) that add security and notification obligations.
- National rules adopted under the margins of manoeuvre left by the GDPR.
- Transfers outside the EU, framed by Schrems II (CJEU 2020) and the Data Privacy Framework (2023).
Ignoring this layering means documenting a perfect GDPR legal basis that is incomplete against the text that actually applies.
How Luxgap automates this risk
Our Luxgap Regulatory Mapping Engine makes the legal blind spot impossible by mapping, for each processing operation in your register, the full set of European and national acts that actually apply, not just the GDPR. A dedicated AI agent reads your Article 30 register, your Odoo contracts and your M365 and Azure flows to automatically qualify the legal corpus of each purpose, cross-referencing GDPR, Regulation 2018/1725, ePrivacy, DORA and NIS 2.
- Detects processing carried out for EU institutions or bodies and flags the application of Regulation 2018/1725 rather than the GDPR alone.
- Classifies each purpose against the grid of applicable acts and identifies the strictest rule that prevails.
- Scans your public sites via a lightweight JS snippet to spot trackers falling under ePrivacy and not GDPR consent alone.
- Alerts in real time via Teams as soon as a new flow or contract shifts a processing operation under a sectoral corpus (DORA, NIS 2).
- Produces a timestamped PDF report, enforceable before the CNPD during an inspection, demonstrating command of the applicable legal scope.
Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real register, with a free blank audit within 48h to measure your exposure before any commitment.