I need to bring my Luxembourg organisation into compliance with recital 38 of GDPR (UE 2016/679). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 38 GDPR — Recital 38

EU frameworkGDPRNIS 2 DORA AI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 38

General Data Protection Regulation · UE 2016/679

(38)

Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

Luxembourg specificity

loi luxembourgeoise du 1er aout 2018 portant organisation de la Commission nationale pour la protection des donnees

In Luxembourg, the digital age of consent for minors is set at 16 years by the law of 1 August 2018 on the organisation of the CNPD, unlike France which lowered it to 15. Below 16, consent must be given or authorised by the holder of parental responsibility, and the CNPD expects a real verification mechanism (email to parent with validation link, symbolic payment via parental card, parental ID document).

Luxgap practice: if you operate a consumer service from Luxembourg with simultaneous FR, BE, DE users, configure Luxgap Minor Shield to apply the highest threshold detected by geolocation (16 LU/DE, 15 FR, 13 BE) to avoid an interface patchwork and guarantee multi-jurisdictional compliance in a single rule.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 38 targets three high-risk uses involving minors: marketing, personality profiling and data collection via services offered directly to children. The CNIL and CNPD consider that any platform accessible to minors (mobile game, social network, educational app, e-commerce with account) must demonstrate enhanced vigilance, even if the service is not exclusively aimed at children. The trap: believing that writing 'reserved for 16 and older' in the terms of service is enough, when the absence of a real age-verification mechanism is sanctionable under Article 25 (privacy by design).

Four concrete obligations derived from Recital 38

De facto ban on advertising profiling of minors: even with parental consent, the EDPB in Guidelines 8/2020 considers that the interest balance systematically tips against marketing profiling.
Proportionate age verification: a simple free 'date of birth' field is not sufficient if your service visibly attracts minors (graphic universe, targeted influencers, school partnerships).
Age-adapted information: the privacy notice must be drafted in clear and visual language (Article 12), with a specific version for minors if the service targets them.
Preventive services exception: psychological support, helplines, sexual health counselling and addiction prevention do not require parental consent, avoiding blocked access to vital services.

How Luxgap automates this risk

Our Luxgap Minor Shield makes non-compliant collection of minors' data impossible by intercepting every signup in real time and blocking marketing flows before they reach your advertising vendors. The tool installs via a lightweight JS snippet on your sites and apps, and connects to your CRM (Salesforce, HubSpot, Odoo), CMP (OneTrust, Didomi, Axeptio) and ad-tech platforms (Meta Pixel, Google Ads, TikTok) to block transmissions as soon as a minor account is detected.

Detects suspicious minor signups via behavioural cross-referencing (vocabulary, connection times, device, traffic sources) beyond simple age declaration.
Automatically blocks signals to advertising pixels and retargeting platforms as soon as a user is qualified as likely minor.
Generates a 'child' version of the privacy notice with illustrations, compliant with CNIL recommendations on age-adapted information.
Verifies the presence of a verifiable parental consent mechanism for under-16 (Luxembourg) or under-15 (France) depending on the user's jurisdiction detected by IP geolocation.
Automatically identifies services qualifying as 'preventive or counselling' within the meaning of Recital 38 to apply the exception and not block minors in distress.
Produces a timestamped PDF report enforceable before the CNPD demonstrating compliance with Article 8 and Recital 38, with full history of blocks performed.

Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS brick depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your actual environment, with a free 48-hour white audit to measure your minor exposure before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 38

They trust us

Before we chat