I need to bring my Luxembourg organisation into compliance with recital 85 of GDPR (UE 2016/679). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 85 GDPR — Recital 85

EU frameworkGDPRNIS 2 DORA AI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 85

General Data Protection Regulation · UE 2016/679

(85)

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.

Luxembourg specificity

loi du 1er août 2018 portant organisation de la CNPD ; circulaire CSSF 24/847

In Luxembourg, the competent authority for notification is the CNPD (not APDL), via its dedicated data breach electronic portal. The law of 1 August 2018 organising the CNPD confirms the 72h delay and the option of phased notification. For CSSF-regulated financial actors, dual notification applies: CNPD under the GDPR and CSSF under circular 24/847 on ICT incidents (DORA), with distinct deadlines and forms that must not be confused.

Luxgap practice: our Breach Clock automatically routes each incident to the CNPD, the CSSF or both depending on the entity qualification (PSF, credit institution, insurance, NIS 2 essential entity), and stores timestamped acknowledgements from both authorities in an opposable vault.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 85 sets the intent behind Article 33: the 72-hour window is not an administrative formality, it is a material reaction obligation. The CNPD and CNIL consistently sanction two failures: a delayed start of the clock (organisations claiming they only 'became aware' days after the SOC had alerted), and the complete absence of an audit trail for breaches that were not notified (where the controller must nonetheless demonstrate the risk was unlikely, under the accountability principle).

The damages listed by recital 85 and their operational translation

The legislator enumerates specific harms that must guide your risk analysis: loss of control, discrimination, identity theft, financial loss, reversal of pseudonymisation, reputational damage, breach of professional secrecy. Each triggers a different notification threshold:

Reversal of pseudonymisation (leak of the re-identification key): notification is almost automatic because the risk is intrinsic.
Professional secrecy (lawyer, doctor, banker): the CNPD considers that the loss of confidentiality is in itself a notable harm.
Identity theft: as soon as a combination of name + date of birth + national ID or IBAN leaks, high risk is presumed.
Discrimination: health, ethnic origin, opinions, orientation, criminal record, distressed financial situation.
Direct financial loss: banking credentials, payment tokens, card data.

The recital expressly allows phased notification: you do not have to wait for all the facts to notify. An initial notification at H+24 enriched at H+72 is far better than prolonged silence followed by a late but perfectly documented notification.

How Luxgap automates this risk

Our Luxgap Breach Clock automatically starts the 72-hour timer as soon as a compromise signal appears in your IS, and produces the pre-filled CNPD notification in under 4 hours. The tool continuously ingests alerts from Microsoft Defender XDR, Azure Sentinel, CrowdStrike Falcon, Wazuh and Microsoft Purview DLP, then qualifies each incident against the EDPB 9/2022 grid to decide in real time whether it crosses the notification threshold.

Detects the exact starting point of the 72h delay by cross-referencing SIEM logs, ServiceNow tickets and SOC emails, eliminating the grey zone of 'becoming aware'.
Automatically classifies the breach against the seven damage categories of recital 85 (identity theft, discrimination, financial loss, pseudonymisation reversal, reputational damage, professional secrecy, other significant economic harm) and computes an auditable risk score.
Generates the pre-filled CNPD notification form, plus CNIL and APD/GBA versions for cross-border processing, with automatic identification of the lead supervisory authority.
Produces phased notifications: initial draft at H+24, enriched version at H+72, final complement within 30 days, each step timestamped and cryptographically signed.
Alerts data subjects through your usual channel (transactional email, SMS, generated postal letter) as soon as the risk is qualified as high under Article 34.
Archives a register of non-notified breaches with documented justification of the unlikely risk, opposable to the CNPD in case of inspection.

Available alongside a Luxgap DPO or CISO mandate or as a standalone SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on an incident scenario modelled on your real IS, with a free 48-hour blank audit to measure your current detection time before any commitment.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 85

They trust us

Before we chat