Support Centre

Luxembourg

Summary

Law: Act of 1 August 2018 on the Organisation of the National Commission for Data Protection and Implementing the GDPR (the Act) and the General Data Protection Regulation (Regulation (EU) 2016/679)

Regulator: National Commission for Data Protection (CNPD)

Summary: Luxembourg implemented the GDPR in 2018 through the Act of 1 August 2018 on the Organization of the National Commission for Data Protection and Implementing the GDPR (the Act). The GDPR is therefore directly applicable with regards to data subject rights and data controller and data processor obligations as well as data transfers. The Act establishes the National Commission for Data Protection (CNPD) and details its investigatory and enforcement powers. Moreover, the Act contains several express permissions to derogate from the GDPR where personal data is processed for scientific or historical research purposes or for statistical purposes, and prohibits the processing of genetic data for the purposes of the exercise of rights of the data controller in the insurance sector and in relation to employment. The CNPD frequently advises the legislator on privacy aspects and has issued opinions on legal reforms regarding data transparency, anti-money laundering, insurance, and financial trusts.

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview of the rules and guidelines for DPO contact registration across Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.

The Luxembourg Law Transposing the Whistleblowing Directive (the Law) generalizes the protection of whistleblowers, which only existed before in the financial sector and in relation to money laundering violations. It was the result of fierce debates, especially around the fear of creating a climate of systematic denunciation without appropriate safeguards, going well beyond the protection of transparency activists driven by the public interest. Claire Leonelli and Florian Poncin, from CLAW - Avocats à la Cour, outline the contents of the Law, including its main obligations and who it protects.

The National Commission for Data Protection ('CNPD') published, on 26 October 2021, guidelines on cookies and other trackers ('the Guidelines'), which are intended to help operators of websites or apps to comply with the currently applicable rules on this matter. This insight breaks down some of the key points from the Guidelines, including a range of different scenarios where consent may or may not be necessary.