I need to bring my Luxembourg organisation into compliance with recital 16 of GDPR (UE 2016/679). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 16 GDPR — Recital 16

EU frameworkGDPRNIS 2 DORA AI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 16

General Data Protection Regulation · UE 2016/679

(16)

This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

Luxembourg specificity

loi du 5 juillet 2016 portant organisation du Service de renseignement de l'Etat et loi du 1er aout 2018 relative a la protection des personnes physiques a l'egard du traitement des donnees a caractere personnel en matiere penale

In Luxembourg, the activities of the State Intelligence Service (SREL) are governed by the law of 5 July 2016 on the organisation of the SREL and fall outside the GDPR on national security grounds. Conversely, processing carried out by the Grand-Ducal Police in a judicial context falls under the law of 1 August 2018 transposing the Police-Justice Directive (EU 2016/680), not the GDPR. The CNPD remains competent to verify that the boundary between the two regimes is not misused.

Luxgap practice: for any contract with a Luxembourg public entity (ministries, municipalities, institutions), we systematically verify whether the processing falls under the GDPR, the law of 1 August 2018 or the SREL exception, and document this qualification in an opposable memo.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 16 excludes national security and CFSP from the GDPR's scope, but the CJEU interprets this exclusion strictly (La Quadrature du Net, Privacy International rulings). The trap: a private company responding to a foreign intelligence request does NOT automatically fall outside the GDPR. The CNPD and CNIL regularly sanction organisations that wrongly invoke a national security exception to justify opaque transfers or processing, notably toward US authorities under the Cloud Act or FISA 702.

The line in practice

OUTSIDE GDPR: processing by Luxembourg's SREL, France's DGSE, or armed forces under a CFSP mandate.
INSIDE GDPR: all processing by a private company, even when subcontracting for the State, even classified, as long as it does not directly relate to a sovereign activity.
Critical grey zone: US hyperscalers (AWS, Azure, GCP) which may be compelled by US authorities under US national security law. This compulsion does NOT exclude their European customers from GDPR; it creates instead a risk of unlawful transfer (post Schrems II).
Practical test: if the activity is governed by Union law (Police-Justice Directive, NIS 2, DORA), it remains within GDPR or an equivalent text.
Common mistake: invoking 'national security' to refuse an employee's GDPR access request. CNPD systematically requalifies.

How Luxgap automates this risk

Our Luxgap Sovereignty Radar continuously maps your processing activities to identify those potentially exposed to non-EU requisition (Cloud Act, FISA 702, Chinese intelligence law) and automatically distinguishes processing genuinely outside GDPR scope from those merely claiming to be. The tool cross-references your vendor contracts, network flows (Defender for Cloud, Azure Sentinel, AWS CloudTrail) and the actual nationality of your subprocessors' parent entities to materialise the full sovereignty chain.

Automatically detects each vendor subject to non-EU surveillance legislation (US, CN, RU, IN) by cross-referencing parent company registries and public certifications.
Classifies each processing activity on a four-tier scale: fully GDPR, GDPR with reinforced safeguards, CFSP grey zone, sovereign out-of-scope.
Issues real-time Teams or Slack alerts whenever a new data flow toward a high-requisition-risk jurisdiction is detected.
Generates Transfer Impact Assessments (TIA) prefilled with Schrems II case law and up-to-date EDPB 01/2020 guidelines.
Produces a timestamped PDF report opposable to the CNPD, proving you do not abusively invoke the national security exception to circumvent your obligations.

Available alongside a Luxgap DPO or CISO mandate or as a standalone SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your actual flows, including a free 48-hour scan to map your exposure to non-EU requisitions before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 16

They trust us

Before we chat