The classic trap
Recital 15 establishes technological neutrality: it does not matter whether your data lives in a cloud CRM, an Excel sheet, a paper filing cabinet, or a Notion database improvised by marketing. As soon as a set is structured according to specific criteria (by name, by hire date, by case number), the GDPR applies fully. The CNPD and CNIL regularly sanction organisations that thought they were out of scope because they used physical cabinets, shared PDFs, or shadow IT tools outside the official IT system.
The concrete test of a 'structured filing system'
- A paper HR binder sorted alphabetically by employee name: GDPR applies.
- A box of unsorted business cards: out of scope (no structuring criterion).
- A SharePoint folder with one file per client: GDPR applies even without a database.
- Archived emails indexed by sender in Outlook: GDPR applies.
- A team WhatsApp group with client discussions: GDPR applies as soon as a person can be retrieved by search.
- A CCTV camera with timestamp and zone metadata: GDPR applies (automated processing).
The frequent mistake is to inventory only official applications (Odoo, M365, Salesforce) while forgetting Excel files shared on OneDrive, marketing Airtable bases, HR Trello boards, sales Google Sheets, and paper folders held by facilities. That is precisely where undeclared processing operations sit, outside the article 30 register.
How Luxgap automates this risk
Our Luxgap Shadow Data Discovery definitively eliminates the risk of forgotten processing by mapping every structured file containing personal data, whether it sits in an official application, an unmanaged OneDrive share, a scanned paper binder, or a SaaS base bought by marketing on a corporate card without IT involvement. An AI agent continuously analyses your connected sources (Microsoft Purview, Google Workspace DLP, AWS Macie, Box, Dropbox Business, Egnyte) and applies semantic structuring heuristics to distinguish a real filing system under recital 15 from an unstructured pile of documents.
- Continuously scans your M365, Google Workspace, Slack, Teams, SharePoint and shared drives to detect any file containing structured personal data (name/email/IBAN/NIN columns).
- Classifies each detected set under recital 15: structured (in scope) or unstructured (out of scope), with a written, defensible justification.
- Detects SaaS tools paid via corporate card through Pleo, Spendesk or Revolut Business integration and flags the personal-data databases they create.
- Maps manual paper processing by running OCR on the scans archived on your NAS and Synology appliances.
- Alerts instantly on Teams or Slack as soon as a new structured set appears outside the official article 30 register.
- Produces a timestamped, cryptographically sealed PDF report, defensible before the CNPD, demonstrating the completeness of your mapping in light of technological neutrality.
Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS brick depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real environment, with a free blind audit within 48h to reveal the undeclared processing operations you are still unaware of.