I need to bring my Luxembourg organisation into compliance with recital 94 of GDPR (UE 2016/679). What are the concrete requirements, the sanctions, and how can Luxgap support me?

The classic trapRecital 94 sheds light on Article 36: prior consultation of the supervisory authority is not a courtesy formality, it is an obligation mechanically triggered as soon as a DPIA reveals a high residual risk that cannot be mitigated. The CNPD and CNIL regularly sanction two symmetrical drifts: either the controller runs a complacent DPIA that artificially concludes the risk is mitigated to avoid consultation, or it correctly identifies the high residual risk but launches processing without contacting the CNPD, hoping to go unnoticed. The EDPB (WP248 guidelines) recalls that the trigger threshold is objective, not discretionary.The residual risk test: when must you really contact the CNPD?Recital 94 sets a three-step test every DPO must master:Step 1 - Inherent high risk: the DPIA identifies a high risk to rights and freedoms (mass profiling, sensitive data at scale, systematic monitoring of public areas, automated decisions with legal effect).Step 2 - Available measures: the controller maps the technical and organisational measures available (pseudonymisation, encryption, minimisation, access control, reduced retention).Step 3 - Residual risk: if despite those measures the risk remains high, or if measures are disproportionate in cost, consultation is mandatory before any go-live.Do not confuse with breach notification (Article 33): here we discuss a future processing, not a past incident.CNPD response time is 8 weeks, extendable by 6 weeks for complex cases (Article 36(2)).No response does NOT mean tacit approval: the CNPD retains all its later intervention powers, including the power to ban the processing.How Luxgap automates this riskOur Luxgap Residual Risk Gauge turns the subjective decision 'should we contact the CNPD?' into an objective, timestamped and defensible verdict. The tool automatically replays your DPIA through a specialised AI agent that applies the EDPB WP248 and WP250 grid, recomputes residual risk after each mitigation, and triggers a pre-filled prior consultation workflow as soon as the threshold is crossed.Imports existing DPIAs (CNIL PIA, OneTrust, in-house Excel) and normalises them into a common framework aligned with the nine EDPB criteria.Computes a residual risk score after mitigation, broken down by data subject category and by purpose, to substantiate the 'risk mitigated' or 'residual high risk' argument.Automatically detects processing activities listed in the CNPD deliberation of 17 October 2018 (Luxembourg mandatory DPIA list) present in your Article 30 register.Generates the Article 36 prior consultation file ready to send: processing description, full DPIA, envisaged measures, DPO contact details, all in the format expected by the CNPD.Tracks the 8-week deadline with automatic reminders and logs the full timeline to demonstrate the controller's good faith.Produces a cryptographically sealed timestamped PDF report, enforceable during later audits, proving that the decision to contact the CNPD or ...

Recital 94 GDPR — Recital 94

EU frameworkGDPRNIS 2 DORA AI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 94

General Data Protection Regulation · UE 2016/679

(94)

Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory authority should be consulted prior to the start of processing activities. Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the natural person. The supervisory authority should respond to the request for consultation within a specified period. However, the absence of a reaction of the supervisory authority within that period should be without prejudice to any intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations. As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.

Luxembourg specificity

loi luxembourgeoise du 1er aout 2018 portant organisation de la Commission nationale pour la protection des donnees ; deliberation CNPD du 17 octobre 2018

In Luxembourg, the CNPD (not APDL, which does not exist) published on 17 October 2018 the list of processing types subject to mandatory DPIA, which acts as the factual trigger for the Article 36 prior consultation duty. The law of 1 August 2018 organising the CNPD specifies the authority's intervention powers, including after the 8-week deadline expires.

Luxgap practice: before any CNPD filing, we recommend a DPIA pre-screening by a Luxgap-certified DPO to avoid premature filings or, conversely, the omission of a mandatory filing that could later be reclassified as an Article 5(2) accountability failure.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 94 sheds light on Article 36: prior consultation of the supervisory authority is not a courtesy formality, it is an obligation mechanically triggered as soon as a DPIA reveals a high residual risk that cannot be mitigated. The CNPD and CNIL regularly sanction two symmetrical drifts: either the controller runs a complacent DPIA that artificially concludes the risk is mitigated to avoid consultation, or it correctly identifies the high residual risk but launches processing without contacting the CNPD, hoping to go unnoticed. The EDPB (WP248 guidelines) recalls that the trigger threshold is objective, not discretionary.

The residual risk test: when must you really contact the CNPD?

Recital 94 sets a three-step test every DPO must master:

Step 1 - Inherent high risk: the DPIA identifies a high risk to rights and freedoms (mass profiling, sensitive data at scale, systematic monitoring of public areas, automated decisions with legal effect).
Step 2 - Available measures: the controller maps the technical and organisational measures available (pseudonymisation, encryption, minimisation, access control, reduced retention).
Step 3 - Residual risk: if despite those measures the risk remains high, or if measures are disproportionate in cost, consultation is mandatory before any go-live.
Do not confuse with breach notification (Article 33): here we discuss a future processing, not a past incident.
CNPD response time is 8 weeks, extendable by 6 weeks for complex cases (Article 36(2)).
No response does NOT mean tacit approval: the CNPD retains all its later intervention powers, including the power to ban the processing.

How Luxgap automates this risk

Our Luxgap Residual Risk Gauge turns the subjective decision 'should we contact the CNPD?' into an objective, timestamped and defensible verdict. The tool automatically replays your DPIA through a specialised AI agent that applies the EDPB WP248 and WP250 grid, recomputes residual risk after each mitigation, and triggers a pre-filled prior consultation workflow as soon as the threshold is crossed.

Imports existing DPIAs (CNIL PIA, OneTrust, in-house Excel) and normalises them into a common framework aligned with the nine EDPB criteria.
Computes a residual risk score after mitigation, broken down by data subject category and by purpose, to substantiate the 'risk mitigated' or 'residual high risk' argument.
Automatically detects processing activities listed in the CNPD deliberation of 17 October 2018 (Luxembourg mandatory DPIA list) present in your Article 30 register.
Generates the Article 36 prior consultation file ready to send: processing description, full DPIA, envisaged measures, DPO contact details, all in the format expected by the CNPD.
Tracks the 8-week deadline with automatic reminders and logs the full timeline to demonstrate the controller's good faith.
Produces a cryptographically sealed timestamped PDF report, enforceable during later audits, proving that the decision to contact the CNPD or not was based on a traceable methodology.

Available as an add-on to a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request your demonstration and our teams will replay your three most sensitive DPIAs free of charge within 48h to materialise your actual exposure before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 94

They trust us

Before we chat