I need to bring my Luxembourg organisation into compliance with recital 40 of GDPR (UE 2016/679). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 40 GDPR — Recital 40

EU frameworkGDPRNIS 2 DORA AI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 40

General Data Protection Regulation · UE 2016/679

(40)

In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Luxembourg specificity

loi luxembourgeoise du 1er aout 2018 relative a l'organisation de la Commission nationale pour la protection des donnees et au regime general sur la protection des donnees

In Luxembourg, the CNPD is the exclusive supervisory authority (not the APDL, which does not exist) to assess the lawfulness of processing under Article 6 GDPR. The law of 1 August 2018 on the organisation of the CNPD and the general data protection regime sets out the national implementation conditions of the GDPR, in particular for processing based on Article 6.1.c (legal obligation) and 6.1.e (public interest task), which must rely on a clear and foreseeable Luxembourg legal basis.

Luxgap practice: during a CNPD audit, expect to have to produce a written legitimate interest assessment (LIA) for each processing relying on Article 6.1.f. The absence of a documented LIA is considered a breach of the Article 5(2) accountability principle, sanctionable independently of the lawfulness of the processing itself.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 40 lays down the principle that the CNPD and CNIL enforce relentlessly: no processing is lawful without a legal basis identified and documented in advance. In practice, audits show that organisations mix legal bases (consent + legitimate interest for the same processing), switch basis mid-way, or invoke contract performance for marketing activities. The result is that the entire processing becomes unlawful, and the EDPB reminds in guidelines 5/2020 and 2/2019 that you cannot retroactively switch legal basis to fix a non-compliance.

The 6 legal bases of Article 6 and their pitfalls

Consent (6.1.a): freely given, specific, informed, unambiguous, revocable at any time. Unusable in employer-employee relationships according to the EDPB.
Contract performance (6.1.b): strictly limited to data necessary to perform the contract. Billing yes, marketing profiling no.
Legal obligation (6.1.c): the law must be clear, precise and foreseeable. Best practice or sectoral usage are not enough.
Vital interests (6.1.d): reserved for life-or-death situations, not a catch-all.
Public interest task (6.1.e): reserved for the public sector or explicit delegations.
Legitimate interest (6.1.f): requires a documented 3-step balancing test (LIA), unavailable to public authorities in the performance of their tasks.

Recital 40 imposes a simple discipline: one purpose = one legal basis = one documentation set. The common pitfall is to record in the Article 30 register a generic legal basis (legitimate interest) without having run the balancing test, or to tick consent when the data subject had no real choice.

How Luxgap automates this risk

Our Luxgap Lawful Basis Mapper eliminates the grey zone around legal bases by automatically assigning the right basis to each processing activity in your register, with a CNPD-ready justification. The tool queries your connected systems (Odoo, M365, Salesforce, HR Suite, Sage BOB 50) to identify each real purpose, then maps it against the EDPB framework and CJEU case law to suggest the most defensible basis, not the most convenient one.

Detects each new processing purpose as soon as a workflow appears in Odoo, Salesforce or M365, without waiting for the annual register review.
Runs the documented 3-step legitimate interest assessment (LIA), with weighting of data subject rights, opposable during an audit.
Sends instant Teams or email alerts when a marketing processing relies on contract performance, the most frequently sanctioned mistake by CNIL and CNPD.
Generates a timestamped consent register, with cryptographic proof of the moment the box was ticked, compliant with EDPB guidelines 5/2020.
Produces a sealed lawfulness audit PDF, demonstrating that each processing relies on a real and pre-documented legal basis, respecting the spirit of Recital 40.
Blocks retroactive changes of legal basis, a practice sanctioned by the CJEU and the EDPB.

Available as part of a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your actual processing activities, with a free 48-hour blind audit to measure how many of your processings currently rely on a fragile legal basis.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 40

They trust us

Before we chat