Legal mandate · GDPR + AI Act + Whistleblower

A DPO mandate covering the GDPR, the AI Act and, optionally, the whistleblower channel.

You appoint us as your Data Protection Officer and we notify the designation to the CNPD. We maintain your records of processing, run impact assessments (DPIAs and AI Act), handle data subject requests, manage any personal data breaches and liaise with the CNPD on your behalf.

At a glance: what we handle

Four building blocks make up the Luxgap DPO mandate. The whistleblower channel is optional: activate it if the obligation applies to you.

GDPR compliance

Records of processing, impact assessments (DPIAs), data subject rights, breach notifications within 72 hours, ongoing dialogue with the CNPD.

Read the GDPR page →

AI Act compliance

Inventory of AI systems deployed in your organisation, risk classification, transparency, human oversight.

Read the AI Act page →

Representation

Single point of contact for the CNPD and data subjects. In case of inspection, we step in, not you.

Whistleblower channel (optional)

Internal alert channel compliant with the Luxembourg law of 16 May 2023, mandatory for any organisation with 50 or more employees. Drafting of the alert procedure and internal charter, handling of reports, training for managers and HR.

Read the whistleblower page →

Roadmap and action plan

Our method in 9 axes.

Every mandate follows a proven roadmap built around nine axes that map to the main GDPR obligations.

01 Training

General and role-specific training. Recurring awareness via our e-learning platform.

02 Data analysis

Identifying personal data per department, records of processing (Article 30), legitimate-interest assessments and retention policy.

03 Transparency & information

Data protection policy, website notices, notices for candidates, employees and CCTV; every processing operation documented with the information required by Articles 12 to 14.

04 Data security

Article 32: review of technical and organisational measures (TOMs), risk assessment, alignment with ISO 27001 if relevant.

05 Processing actors

Controllers / processors: contract analysis (Article 28), technical and legal compliance assessment of vendors.

06 Data subject rights

Request-handling procedure (access, rectification, erasure, objection), team support for on-time legal responses.

07 Impact assessment (DPIA)

Identification of processing likely to result in a high risk (Article 35), DPIAs run with our proprietary tool, documented decisions.

08 Data breach

Handling procedure, incident documentation, on-site intervention available within the day for serious incidents.

09 International transfers

Detection of transfers outside the EU/EEA (tools, partners), contractual safeguards (SCCs, BCRs) and dedicated procedure.

European certification

Europrivacy

Europrivacy is the first and, to date, only certification scheme approved by the EDPB as a European Data Protection Seal under Article 42 GDPR. A Europrivacy certificate publicly demonstrates your compliance and is defensible vis-à-vis customers, investors and supervisory authorities.

Luxgap supports the whole journey: scope definition, gap analysis (146 controls), remediation plan, audit preparation with an accredited body, surveillance audits and triennial renewal.

Request a Europrivacy quote →

Europrivacy is a registered trademark of the European Centre for Certification and Privacy (ECCP), recognised by the EDPB on 17 October 2022.

Sanctions for non-compliance

GDPR: up to €20M or 4% of worldwide annual turnover, whichever is higher. The CNPD has issued more than €30M in fines in recent years, including against SMBs.

AI Act: up to €35M or 7% of worldwide annual turnover, whichever is higher, for prohibited practices.

The mandate over time

How a Luxgap DPO mandate unfolds.

Three overlapping phases: a structured onboarding at start, a continuous monthly routine, and event-driven interventions whenever needed.

1 Onboarding (D0 → D+30)

  • Official registration with the CNPD as your DPO.
  • Mapping of existing processing per department and takeover of the register (Article 30).
  • Quick audit of major risks: transfers outside the EU, high-risk processing, processor contracts.
  • Prioritised action plan for the first 6 months.

2 Monthly routine

  • Updates to the register of processing and related documentation.
  • Responses to data subject requests (access, rectification, erasure).
  • Steering committee every quarter or half-year depending on your size, with written minutes.
  • Regulatory watch (CNPD, EDPB, case law) summarised and shared with your leadership.

3 Event-driven interventions

  • DPIA for any new high-risk processing (HR, AI, CCTV, biometrics…).
  • Data breach handling: qualification, CNPD notification within 72 hours of becoming aware of the breach, communication to affected data subjects where required.
  • Response to CNPD inspections, with on-site support if needed.
  • Contractual review of critical processors and GDPR clauses.

How our mandate works

A mandate, not day-rate consulting.

You have a legal obligation; we take ownership of it. No staff augmentation, no package of man-days, no minimum commitment. We commit to the outcome, and behind your single point of contact there is a full team.

Outcome-based commitment

You are not paying for days worked. We sign up to keep your obligation met: records of processing, DPIAs, NIS 2 governance, regulator reporting. If that means three exchanges in a week, we do them.

A team, not one person

You have a single point of contact. Behind it: lawyers (GDPR, AI Act, NIS 2, DORA), cyber engineers (audits, technical DPIAs, BCP, incidents) and developers (in-house register/DPIA tools, AI automation agents). The right profile steps in at the right time.

Available all year

Even a mandate sized for one day per month yields multiple short interventions: a 30-minute call, a written reply, an ad-hoc DPIA, a steering committee. We answer, we step in, we don't vanish between invoices.

Tracked to the minute

Every action is logged. One hour on Teams = one hour billed, nothing more. No half-day minimum, no hidden bundle. You pay what we use, and only that.

Client + regulator transparency

You access a detailed log: who did what, when, on which topic, for how long. In case of a CNPD, ILR or CSSF inspection, that journal is proof of an actively operated mandate, not just a contract on paper.

From SMB to public sector

Our mandates range from 12-person SMBs to industrial groups of 800+ staff, including public bodies, municipalities and institutions. Our method scales to your size, not the other way round.

Additional service

Internal whistleblowing channel

The Luxembourg law of 16 May 2023 (transposing EU Directive 2019/1937) requires any public or private organisation with 50 or more employees to operate a confidential internal reporting channel. This obligation is complementary to the GDPR but is not included in the standard DPO mandate.

Luxgap offers a separate service: alert procedure drafting, internal charter, partial or full outsourcing of the reporting channel, manager and HR training.

Request a whistleblowing quote →

Ready to formalise your DPO mandate?

Configure your quote and receive a tailored proposal within one business day.

Build my quote →