I need to bring my Luxembourg organisation into compliance with recital 75 of GDPR (UE 2016/679). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 75 GDPR — Recital 75

EU frameworkGDPRNIS 2 DORA AI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 75

General Data Protection Regulation · UE 2016/679

(75)

The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Luxembourg specificity

délibération CNPD n°2018-2019 du 16 novembre 2018 et loi du 1er août 2018 portant organisation de la CNPD

In Luxembourg, the CNPD has published a list of processing operations subject to mandatory DPIA (deliberation no. 2018-2019 of 16 November 2018) which directly operationalises Recital 75: large-scale profiling, biometric data for identification, systematic employee monitoring, large-scale processing of minors' data. The Law of 1 August 2018 organising the CNPD confirms the exclusive competence of the Luxembourg authority to assess the risk level on the territory.

Luxgap practice: we systematically cross-check your register against the CNPD 2018-2019 list during mission scoping, and document in writing the reasoning for each borderline processing operation to build the Article 5(2) accountability evidence.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 75 sets out the official taxonomy of risks that the CNPD and CNIL use to assess whether a DPIA was required (Article 35) and whether security measures were appropriate (Article 32). The trap: most organisations score risks thinking only of cyberattacks, while the legislator explicitly lists discrimination, identity theft, reputational damage, loss of control, profiling, special category data, vulnerable persons and scale. A risk mapping that ignores these seven dimensions is mechanically insufficient during an inspection.

The 7 risk families to integrate in your methodology

Discrimination and identity theft: credit scoring, HR, insurance, automated processing creating disadvantage.
Financial or reputational damage: leak of data protected by professional secrecy (lawyers, doctors, private bankers).
Loss of control: the data subject can no longer exercise rights, no longer knows where data is, suffers unexpected reuse.
Article 9 sensitive data: health, ethnic origin, opinions, union, genetic, sex life, convictions.
Profiling and prediction: work performance, economic situation, preferences, location, behaviour analysis.
Vulnerable persons: children, patients, employees, jobseekers, welfare recipients.
Volume and scale: large number of data subjects or large volume per person.

A DPIA that does not explicitly question these seven axes is challengeable. The CNPD applies this Recital 75 grid combined with the Luxembourg list of processing operations subject to mandatory DPIA (CNPD deliberation no. 2018-2019).

How Luxgap automates this risk

Our Luxgap Risk Taxonomy Engine transforms the narrative list of Recital 75 into a scoring engine that automatically triggers your DPIAs. The tool reads your Article 30 register, your database schemas and your integration flows (Odoo, Salesforce, M365, Workday, Sage BOB 50) to automatically detect the presence of each of the seven risk families, without any questionnaire for the business to fill in.

Automatically detects Article 9 sensitive data in your databases via AI classification (fields, column labels, sampled content) and tags each affected processing operation.
Identifies profiling operations by scanning your Salesforce workflows, Power Automate rules and ML models deployed on Azure or AWS SageMaker.
Computes a multidimensional criticality score across the seven Recital 75 axes, weighted by the actual volume of data subjects extracted from your databases.
Alerts in real time when a new processing operation crosses the threshold triggering a mandatory DPIA under the Luxembourg CNPD list.
Generates a timestamped risk analysis report, opposable to the CNPD, demonstrating that the seven Recital 75 categories were explicitly assessed.
Automatically detects processing operations involving vulnerable persons (minors, patients, employees under subordination) via the relational schemas of your HR and CRM applications.

Available as part of a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your actual register, with a free 48h white audit to measure how many of your current processing operations should trigger a DPIA under Recital 75.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 75

They trust us

Before we chat