I need to bring my Luxembourg organisation into compliance with recital 35 of GDPR (UE 2016/679). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 35 GDPR — Recital 35

EU frameworkGDPRNIS 2 DORA AI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 35

General Data Protection Regulation · UE 2016/679

(35)

Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (9) to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

Luxembourg specificity

loi du 1er aout 2018 portant organisation de la CNPD et mise en oeuvre du RGPD ; loi du 24 juillet 2014 relative aux droits et obligations du patient

In Luxembourg, health data processing in hospitals is governed by the law of 24 July 2014 on patients' rights and obligations and by the law of 1 August 2018 organising the CNPD and implementing the GDPR, which preserves specific regimes for medical research and health registries. The CNPD is the competent authority and has published specific guidance on occupational medicine and electronic patient records.

Luxgap practice: for healthcare institutions, mutual insurers and employers with in-house occupational medicine in Luxembourg, we calibrate the Health Data Radar with CNPD reference frameworks and integrate eHealth specificities (shared care record, Agence eSante platform) to ensure operational compliance from the very first scan.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 35 dramatically broadens the notion of health data well beyond the medical file. A patient number, a lab result, a smartwatch metric, a mutual insurance enrollment form, an archived COVID test in Outlook: all fall under Article 9. The CNPD and CNIL regularly sanction employers, HR teams and insurers who process these data without an appropriate Article 9(2) legal basis, wrongly believing they are not handling sensitive data. The trap is to reason by document category rather than by information revealed.

The 6 grey zones where health data hides unnoticed

HR notes about sick leave, even without a diagnosis (duration and frequency reveal health status).
Badges granting access to the company infirmary or occupational physician.
Expense reports mentioning pharmacy, physio or optician.
Wearable data connected to Microsoft Teams or Slack via wellness integrations.
Attendance lists for employer-organised vaccination or testing campaigns.
HR emails archived on M365 containing scanned medical certificates as attachments.

Each of these triggers Article 9, requires a reinforced legal basis, and imposes specific technical measures (encryption, segregation, access logging).

How Luxgap automates this risk

Our Luxgap Health Data Radar makes unidentified processing of health data impossible by continuously scanning your business systems to detect any data that reveals a health status, even indirectly. The tool plugs a specialised AI agent into your M365 tenants, SharePoint, Outlook, Teams, Odoo HR, Sage BOB 50 and S3 storage, classifying every file, email and database field against Recital 35 and EDPB guidance.

Automatically detects medical certificates, sick notes and scanned prescriptions in HR mailboxes and SharePoint sites via OCR and AI classification.
Identifies database fields (Odoo, Sage, SAP) indirectly containing health information (absence codes, reimbursement labels, occupational medicine visit reasons).
Alerts in real time on Teams or Slack whenever a new email with a medical-type attachment lands in a shared HR mailbox without proper authorisation.
Automatically generates the appropriate Article 9(2) record (explicit consent, occupational medicine, vital interest, public health) for each detected flow.
Produces a cartographic registry of health data with encryption level, legal basis and retention period, opposable to the CNPD during an audit.
Verifies access consistency: only authorised personnel (occupational physician, nurse, DPO) should read these data, and the tool flags abnormal access by operational HR staff.

Available as part of a Luxgap DPO mandate or as a standalone SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real data, with a free 48h scan to map your health data exposure before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 35

They trust us

Before we chat