I need to bring my Luxembourg organisation into compliance with recital 45 of GDPR (UE 2016/679). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 45 GDPR — Recital 45

EU frameworkGDPRNIS 2 DORA AI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 45

General Data Protection Regulation · UE 2016/679

(45)

Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

Luxembourg specificity

loi luxembourgeoise du 1er aout 2018 portant organisation de la Commission nationale pour la protection des donnees

In Luxembourg, the law of 1 August 2018 on the organisation of the CNPD and the implementation of the GDPR specifies several sector-specific legal bases (public sector, health, scientific research) that operationalise Recital 45. For municipal administrations and public bodies, legal anchoring must also be consistent with the amended municipal law and sector-specific organic laws. During thematic audits, the CNPD systematically checks that each 6(1)(c) or 6(1)(e) processing cites a precise and up-to-date Legilux article.

Luxgap practice: for Luxembourg public entities, we pre-map standard legal anchors (municipal law, civil service general statute, social security code) and detect orphan processings within 48 hours.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 45 clarifies the legal bases under Article 6(1)(c) and 6(1)(e): legal obligation and public interest task. The CNPD and CNIL regularly sanction organisations that invoke these grounds without being able to cite the precise EU or national law anchoring the processing. Worse: many Luxembourgish municipalities, hospitals, UCIs and foundations mix 6(1)(c) and 6(1)(e) across their registry sheets without documenting which law grounds what. Yet Recital 45 confirms that an identified legal text is required, one that determines the purpose and may specify recipients, retention periods and data categories.

The legal anchor test: 5 questions to pass for each 6(1)(c) or 6(1)(e) processing

What is the precise reference of the legal text (law, grand-ducal regulation, transposed directive, decree)? Not 'the labour code' but 'article L.211-X of the Luxembourg labour code'.
Does this text explicitly determine the purpose of processing, or only a general obligation?
Does the text specify data categories, recipients and retention period, or does it leave these to your discretion?
For a public interest task: are you actually a public authority or a private legal entity vested with such a mission (professional order, accredited federation, healthcare service manager)?
Where several processings share the same basis: have you documented the exact scope covered by the single text, as permitted by Recital 45?

Without a written answer to these 5 questions in the Article 30 registry, the legal basis is legally fragile and Article 5(2) accountability collapses.

How Luxgap automates this risk

Our Luxgap Legal Basis Anchor turns the 'legal obligation' or 'public interest task' justification into enforceable legal proof, processing by processing. A specialised LLM agent reads each sheet of your Article 30 registry, automatically identifies the EU or Luxembourg law provision anchoring the processing (Legilux, EUR-Lex, labour code, social security code, sector-specific CSSF or ILR law) and detects missing or inconsistent anchors before the CNPD does.

Cross-references each processing in your registry with Legilux and EUR-Lex to propose the exact legal reference (article, paragraph, date) grounding the declared purpose.
Detects common confusions between 6(1)(c) and 6(1)(e) and automatically reclassifies misqualified processings based on EDPB Guidelines 03/2019 and 06/2020.
Verifies that the cited text actually covers the declared data categories, recipients and retention period, and flags discrepancies.
Generates a timestamped legal anchor sheet per processing, enforceable before the CNPD during an audit, proving compliance with Recital 45 and Article 6(3).
Sends an email or Teams alert whenever a cited law is repealed, amended or replaced on Legilux, to avoid grounding a processing on a dead text.
Identifies public interest tasks performed by private legal entities (professional orders, sector federations) and validates eligibility under the final part of Recital 45.

Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will run a demonstration on your actual registry, with a free 48-hour blind audit to identify your fragile legal-basis processings before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 45

They trust us

Before we chat