I need to bring my Luxembourg organisation into compliance with recital 89 of GDPR (UE 2016/679). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 89 GDPR — Recital 89

EU frameworkGDPRNIS 2 DORA AI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 89

General Data Protection Regulation · UE 2016/679

(89)

Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may be those which in, particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.

Luxembourg specificity

Deliberation CNPD n. 422/2018 du 5 octobre 2018 fixant la liste des traitements pour lesquels une AIPD est requise

In Luxembourg, the CNPD published on 5 October 2018 a list of 10 types of processing operations for which a DPIA is mandatory, as well as a list of processing activities for which a DPIA is not required. This national list complements EDPB WP248 criteria and is the enforceable reference during a CNPD audit.

Luxgap practice: systematically check each new processing activity against the 10 categories of the CNPD list of 5 October 2018 before deployment, and keep written evidence of this arbitration even when the conclusion is that no DPIA is required.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 89 marks a paradigm shift: no more systematic notification to the CNPD, replaced by a risk-based targeting logic. In practice, controllers believe they have been relieved of a burden but face a more demanding obligation: identifying themselves which processing activities are high-risk and triggering a DPIA (article 35). The CNPD today sanctions not the absence of notification, but the absence of a documented identification process for processing requiring a DPIA, especially when new technologies (AI, biometrics, scoring) are deployed without prior assessment.

Trigger criteria to monitor continuously

New technologies: deployment of an AI model, a biometric tool, a behavioral tracker, a new HR scoring SaaS.
Processing of a new kind: no prior DPIA, no documented sectoral precedent from the EDPB or CNPD.
Evolution over time: processing legitimate in 2018 may become high-risk in 2025 (volume, cross-referencing with other sources, purpose change).
EDPB WP248 criteria combination: evaluation/scoring, automated decision, systematic monitoring, sensitive data, large-scale processing, dataset matching, vulnerable individuals, innovative use, prevention of rights exercise.
CNPD list of 5 October 2018: 10 types of operations that mandatorily require a DPIA in Luxembourg.

The trap: believing that removing general notification means less work. The opposite is true. The legislator delegated to the controller the duty to continuously assess processing activities, and proof of this process must be available at any time.

How Luxgap automates this risk

Our Luxgap DPIA Radar replaces the static Excel spreadsheet nobody updates with a continuous radar that automatically detects, within your IT environment, the emergence of processing activities likely to trigger a DPIA according to EDPB WP248 criteria and the CNPD list of 5 October 2018. The tool connects to your Active Directory, M365 tenants, Salesforce, Workday, Odoo and your Azure/AWS pipelines to spot new data flows, newly deployed AI models, and scope changes in existing processing.

Automatically detects each new processing activity via M365 logs, Azure AD, Salesforce and Odoo connectors, with no manual input from the DPO.
Calculates a risk score against the 9 EDPB WP248 criteria and matches each processing activity against the CNPD list of 5 October 2018 to automatically trigger the DPIA obligation.
Alerts in real time (Teams, Slack, email) as soon as a new AI, biometric or scoring technology appears in the connected perimeter.
Periodically reassesses existing processing activities to detect purpose drift or volume changes that make a DPIA necessary given elapsed time.
Generates a pre-filled DPIA in CNPD format with the mandatory sections of article 35(7), ready to be completed by the business owner.
Produces a timestamped arbitration register, enforceable before the CNPD, demonstrating for each processing activity the risk identification process, even when a DPIA was ultimately deemed unnecessary.

Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS module depending on your perimeter. Request a tailored quote and our teams will prepare a demonstration on your actual processing activities, with a free 48-hour scan to identify missing DPIAs in your organization before any commitment.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 89

They trust us

Before we chat