Luxembourg Data Privacy Laws: GDPR, CNPD & the Amazon Fine (2026)

Luxembourg data privacy law rests on the EU GDPR and the Law of 1 August 2018, which established the Commission nationale pour la protection des données (CNPD) as the independent supervisory authority. The most serious violations carry fines of up to EUR 20 million or 4 percent of worldwide annual turnover, whichever is higher.
Luxembourg packs an outsized regulatory footprint into a country of fewer than 700,000 people. It hosts the European headquarters of Amazon, PayPal, Airbnb, Skype, and a large share of Meta's European operations. It is also home to more than 120 banks and thousands of investment funds, making it one of the EU's two dominant financial centres. That combination of global tech presence and financial muscle has put Luxembourg's data protection authority at the centre of some of the most consequential privacy decisions in GDPR history.
This guide covers Luxembourg's complete data protection framework, from constitutional foundations and the national implementing legislation through CNPD enforcement powers, the landmark Amazon fine and its contested appeal, the new EU AI Act overlay, financial sector secrecy rules, cross-border transfer requirements, and every significant 2024 to 2026 development.
Quick Answer: What Law Governs Data Privacy in Luxembourg?
Three interlocking instruments govern data protection in Luxembourg.
The EU General Data Protection Regulation (GDPR) applies directly as EU law across every member state without the need for national transposition. It is the primary source of rights for data subjects and the primary source of obligations for controllers and processors.
The Law of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework is Luxembourg's principal national implementing act. It established the CNPD's structure, competences, and investigation procedures, and it fills in the areas where the GDPR expressly allows member states to exercise national flexibility.
A second Law of 1 August 2018 implements EU Directive 2016/680, which governs the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties. That second law covers processing by law enforcement authorities in criminal matters, which falls outside the scope of the GDPR itself.
Together, those three instruments form the complete national framework. For financial institutions, a fourth layer applies: professional secrecy obligations under the Law of 5 April 1993 on the financial sector, carrying separate criminal sanctions.
Constitutional Basis for Data Protection
Privacy and data protection sit at the foundation of Luxembourg's legal order.
The 2023 revision of the Luxembourg Constitution, which entered into force on 1 July 2023, made an important change. Article 20 now expressly guarantees the right to respect for private and family life. Article 31 separately guarantees the right to the protection of personal data. These are distinct constitutional rights. Before 2023, privacy protection rested on the older Article 11(3), which protected private life but did not explicitly address data as such.
This constitutional grounding reinforces the GDPR's status in Luxembourg and provides an independent domestic basis for data protection claims before Luxembourg's courts. It also signals that Luxembourg's legislature regards data rights as fundamental, not merely administrative, a signal that carries weight when courts review enforcement decisions.
The GDPR and the Law of 1 August 2018

Scope and Structure
The GDPR applies to any organisation that processes personal data of individuals located in the EU, regardless of where the organisation itself is established. For Luxembourg, this means that GDPR obligations bind domestic companies, foreign companies with an establishment in Luxembourg, and foreign companies that target Luxembourg residents with goods or services or monitor their behaviour.
The Law of 1 August 2018 runs to several chapters. The first part establishes the CNPD's structure and powers. The second part contains national rules that the GDPR allows member states to adopt, including age of consent for children's data processing (set at 16 years), processing of special categories of data for scientific research or archiving, and rules for processing in the employment context.
Key National Derogations and Additions
Luxembourg set the digital age of consent at 16 years. An information society service directed at children under 16 requires parental or guardian consent for the processing of that child's personal data. The GDPR allowed member states to lower this threshold to 13, but Luxembourg chose the higher threshold.
The law also addresses processing of personal data in the context of employment. Controllers may process employees' personal data to the extent necessary for the performance of the employment contract, compliance with a legal obligation, or where processing is necessary for the legitimate interests of the employer, subject to the employee's rights not being overridden.
Special categories of data, including health data, genetic data, racial or ethnic origin, and political opinions, can only be processed under the conditions set out in Article 9 of the GDPR, which the national law supplements for specific purposes such as scientific research, preventive medicine, and occupational health.
February 2024 Investigation Procedure Regulations
In February 2024, the CNPD adopted two new internal regulations: one concerning the investigation procedure and one concerning internal rules. These regulations, published on 23 February 2024, bring greater transparency and procedural clarity to how the CNPD conducts audits, handles complaints, and pursues sanctions proceedings. They follow the EU Court of Justice's increasing emphasis on procedural rigour in GDPR enforcement, a lesson reinforced sharply by the Amazon litigation discussed below.
Legal Bases for Processing and Consent
Data processing under the GDPR is lawful only when it rests on one of the six legal bases in Article 6.
Consent must be freely given, specific, informed, and unambiguous. It must be as easy to withdraw as to give. Pre-ticked boxes and bundled consent do not satisfy the standard. Consent is often appropriate for marketing purposes but is not a catch-all: where processing is truly necessary for performance of a contract or compliance with a law, relying on consent can backfire because withdrawal of consent would then require the controller to stop the processing entirely.
Contractual necessity covers processing needed to perform a contract to which the data subject is party, or to take pre-contractual steps at the data subject's request. This basis applies to processing customer purchase data or employee payroll data.
Legal obligation covers processing required by EU or member-state law. Tax reporting, anti-money laundering records, and mandatory employee data retention all fall here.
Vital interests is a narrow basis used where processing is necessary to protect someone's life or physical integrity.
Public task applies to public authorities and bodies exercising official powers.
Legitimate interests allows a controller to process data where it has a legitimate interest that is not overridden by the data subject's interests, rights, and freedoms. This requires a three-step balancing test and cannot be used by public authorities acting in their official capacity.
For special categories of data (health, biometric, genetic, religious belief, political opinion, trade union membership, sexual orientation), Article 9 requires not just a legal basis under Article 6 but also a specific condition in Article 9(2), such as explicit consent, employment law obligations, or vital interests.
Data Subject Rights
Every individual whose personal data is processed by an organisation subject to the GDPR holds the following rights.
Access (Article 15): the right to obtain confirmation that data is being processed and, if so, a copy of that data along with information about the processing purposes, categories of data, recipients, retention periods, and the existence of automated decision-making.
Rectification (Article 16): the right to have inaccurate data corrected and incomplete data completed without undue delay.
Erasure (Article 17): the right to have data deleted where it is no longer necessary for the purpose collected, consent has been withdrawn with no other legal basis, the data was unlawfully processed, or a legal obligation requires deletion. This right is not absolute and does not override legitimate retention obligations.
Restriction (Article 18): the right to limit processing to storage only while a dispute about accuracy or lawfulness is resolved.
Portability (Article 20): the right to receive personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where processing is based on consent or contractual necessity and is carried out by automated means.
Objection (Article 21): the right to object to processing based on legitimate interests or public task, including profiling. Where the controller cannot demonstrate compelling legitimate grounds that override the individual's interests, it must stop the processing. Objection to direct marketing is absolute: the controller must stop.
Rights related to automated decision-making (Article 22): the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, unless specific conditions apply.
Controllers must respond to rights requests within one calendar month. Complex or numerous requests may be extended by a further two months, but the controller must inform the requestor of the extension within the first month.
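The one-month deadline is counted in calendar months, which trips up request trackers that simply add 30 days. The following added example (not code from the page or from the CNPD) computes the initial and extended deadlines for a rights request and tells the controller whether an extension notice can still be sent in time. The month-end convention it uses, namely the same day of the following month or, where that day does not exist, the last day of that month, is an assumption taken from EDPB guidance on computing the period; the sample dates are constructed.

```python
"""Deadlines for data subject rights requests under GDPR Art. 12(3).

Added example, not page or CNPD code. Assumption: a period of N months ends
on the same day of the month N months later, or on the last day of that
month when no such day exists (e.g. 31 January -> 28/29 February).
"""
import calendar
from datetime import date


def add_months(d: date, months: int) -> date:
    """Return d shifted by `months` calendar months, clamping to month end."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def response_deadline(received: date, extended: bool = False) -> date:
    """One month from receipt; three months in total if the two-month
    extension for complex or numerous requests has been invoked."""
    return add_months(received, 3 if extended else 1)


def plan(received: date, complex_or_numerous: bool, today: date, extension_sent: bool = False) -> dict:
    """Decide what the controller must do about a request as of `today`.

    The extension is only available if the requester is informed within the
    initial month; after that the controller is simply late.
    """
    initial = response_deadline(received)
    if extension_sent:
        final = response_deadline(received, extended=True)
        extension_possible = False
    elif complex_or_numerous and today <= initial:
        final = initial                      # still the deadline until the notice goes out
        extension_possible = True
    else:
        final = initial
        extension_possible = False
    return {
        "initial_deadline": initial,
        "final_deadline": final,
        "extension_still_possible": extension_possible,
        "overdue": today > final,
    }


if __name__ == "__main__":
    # Constructed sample: access request received on the last day of January.
    received = date(2026, 1, 31)
    print(plan(received, complex_or_numerous=True, today=date(2026, 2, 10)))
    print(plan(received, complex_or_numerous=True, today=date(2026, 2, 10), extension_sent=True))
```

Note that a request received on 31 January falls due on 28 February (29 in a leap year), not on 2 or 3 March as a naive 30-day calculation would suggest, and that the extension notice must itself go out before that date.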
Data Protection Officers

Appointment of a Data Protection Officer (DPO) is mandatory for three categories of organisation: public authorities and bodies (with narrow exceptions), organisations whose core activities require regular and systematic monitoring of data subjects on a large scale, and organisations whose core activities involve large-scale processing of special categories of data or criminal conviction data.
Appointment alone is not enough. GDPR Article 37(7) requires controllers and processors to publish the DPO's contact details and to communicate them to the supervisory authority; in Luxembourg that means notifying the CNPD when the DPO takes up their duties and promptly notifying any change of DPO. The CNPD does not approve or certify DPOs, but the registration obligation means the authority maintains visibility over who holds those roles.
The DPO must have expert knowledge of data protection law and practice, must act with independence, must not receive instructions on the exercise of their tasks, and must not be dismissed or penalised for performing those tasks. The DPO reports to the highest management level.
DPO compliance has been one of the CNPD's recurring enforcement priorities. The authority has conducted targeted investigations to verify that organisations meeting the mandatory thresholds have actually appointed a DPO and registered that person with the CNPD. Several enforcement actions involving small fines have resulted from failures to appoint a DPO where one was required.
Data Breach Notification
Luxembourg follows the standard GDPR breach notification framework, with the CNPD providing specific guidance on the process.
A personal data breach is defined as any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data that is transmitted, stored, or otherwise processed.
Notification to the CNPD
Controllers must notify personal data breaches to the CNPD within 72 hours of becoming aware of the breach, provided the breach is likely to result in a risk to the rights and freedoms of natural persons. Notifications are sent to databreach@cnpd.lu. The CNPD will send an electronic acknowledgment and may follow up with questions.
Where the 72-hour deadline cannot be met, the notification must be accompanied by the reasons for the delay. Partial notification within 72 hours is acceptable where complete information is not yet available, but the controller must follow up with additional information as it becomes available.
Notification to Data Subjects
If the breach is likely to result in a high risk to individuals' rights and freedoms, the controller must also communicate the breach to the affected individuals without undue delay. The communication must describe, in clear and plain language, the nature of the breach, the likely consequences, and the measures taken or planned to address it.
Documentation
Every personal data breach must be documented in an internal breach register, regardless of whether it is reportable. That register must contain the facts of the breach, its effects, and the remedial action taken. The CNPD may request this register during an audit or investigation.
Processors must notify their controller without undue delay after becoming aware of a breach, allowing the controller to meet the 72-hour window.
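The notification rules above amount to a small decision procedure: document every breach, start the 72-hour clock when the controller (not the processor) becomes aware, notify the CNPD unless the breach is unlikely to result in a risk, and notify individuals when the risk is high. The following added example (not code from the page or from the CNPD) runs that triage over a constructed breach register and reports what is overdue. The risk tiers, field names and sample incidents are assumptions made for illustration.

```python
"""Breach register and notification triage under GDPR Articles 33 and 34.

Added example, not page or CNPD code. The risk tiers ("none", "risk",
"high"), the record layout and the sample breaches are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CNPD_WINDOW = timedelta(hours=72)   # Art. 33(1): within 72 hours of becoming aware
UTC = timezone.utc


@dataclass
class Breach:
    ref: str
    description: str
    discovered_at: datetime                 # first detection, by whoever saw it
    discovered_by: str                      # "controller" or "processor"
    risk: str                               # outcome of the risk assessment: "none", "risk" or "high"
    relayed_to_controller_at: Optional[datetime] = None  # processor -> controller (Art. 33(2))
    notified_cnpd_at: Optional[datetime] = None
    delay_reasons: str = ""                 # required when the CNPD is notified after the deadline
    data_subjects_notified_at: Optional[datetime] = None
    remedial_action: str = ""


def controller_awareness(b: Breach) -> datetime:
    """Start of the 72-hour clock.

    The window runs from when the controller became aware. For a breach found
    by a processor that is the moment the processor told the controller, not
    the moment the processor first noticed it.
    """
    if b.discovered_by == "processor":
        if b.relayed_to_controller_at is None:
            raise ValueError(f"{b.ref}: processor has not yet informed the controller")
        return b.relayed_to_controller_at
    return b.discovered_at


def triage(b: Breach, now: datetime) -> dict:
    """Register entry plus the notification decisions for one breach."""
    aware = controller_awareness(b)
    deadline = aware + CNPD_WINDOW
    cnpd_required = b.risk in ("risk", "high")    # Art. 33: unless unlikely to result in a risk
    subjects_required = b.risk == "high"          # Art. 34: likely to result in a high risk
    notified_late = (cnpd_required and b.notified_cnpd_at is not None
                     and b.notified_cnpd_at > deadline)
    return {
        "ref": b.ref,
        "controller_aware_at": aware,
        "cnpd_deadline": deadline,
        "cnpd_required": cnpd_required,
        # still open and past the deadline: notify now, and state the reasons for the delay
        "cnpd_overdue": cnpd_required and b.notified_cnpd_at is None and now > deadline,
        # sent after the deadline without reasons: the notification was incomplete
        "cnpd_late_without_reasons": notified_late and not b.delay_reasons.strip(),
        "subjects_required": subjects_required,
        "subjects_pending": subjects_required and b.data_subjects_notified_at is None,
        # Art. 33(5): every breach is documented, reportable or not
        "register_entry": {"facts": b.description, "effects": b.risk,
                           "remedial_action": b.remedial_action},
    }


def needs_action(entries) -> list:
    """Refs that require something from the controller right now."""
    return [e["ref"] for e in entries
            if e["cnpd_overdue"] or e["cnpd_late_without_reasons"] or e["subjects_pending"]]


# Constructed sample register, evaluated at a fixed point in time.
NOW = datetime(2026, 3, 5, 10, 0, tzinfo=UTC)
SAMPLE = [
    Breach("B-001", "Customer database exposed by misconfigured storage bucket",
           datetime(2026, 3, 2, 9, 0, tzinfo=UTC), "controller", "high",
           remedial_action="Bucket made private, credentials rotated"),
    Breach("B-002", "Phishing compromise of a processor mailbox holding order data",
           datetime(2026, 3, 1, 8, 0, tzinfo=UTC), "processor", "risk",
           relayed_to_controller_at=datetime(2026, 3, 3, 12, 0, tzinfo=UTC),
           notified_cnpd_at=datetime(2026, 3, 4, 15, 0, tzinfo=UTC)),
    Breach("B-003", "Encrypted laptop lost; key held in HSM, no evidence of compromise",
           datetime(2026, 3, 4, 11, 0, tzinfo=UTC), "controller", "none"),
    Breach("B-004", "Payroll export emailed to the wrong internal distribution list",
           datetime(2026, 2, 20, 10, 0, tzinfo=UTC), "controller", "risk",
           notified_cnpd_at=datetime(2026, 2, 24, 9, 0, tzinfo=UTC)),
]
ENTRIES = [triage(b, NOW) for b in SAMPLE]

if __name__ == "__main__":
    for e in ENTRIES:
        print(e["ref"], "deadline", e["cnpd_deadline"].isoformat(),
              "overdue" if e["cnpd_overdue"] else "", "late/no reasons" if e["cnpd_late_without_reasons"] else "")
    print("needs action:", needs_action(ENTRIES))
```

Two details matter in practice: B-002 shows that the clock for a processor-discovered breach starts when the controller is informed, so the processor's own delay does not shorten the controller's window (though it may itself be a contractual breach), and B-004 shows that a late notification sent without reasons for the delay is a separate defect even though it was eventually sent.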
Cross-Border Data Transfers
Luxembourg organisations benefit from the free flow of personal data within the European Economic Area. Transfers to countries outside the EEA require an appropriate transfer mechanism.
Adequacy decisions are the simplest mechanism: where the European Commission has determined that a third country provides an essentially equivalent level of data protection, transfers can flow freely. As of early 2026, the Commission has recognised 16 countries and one international organisation. A mutual adequacy decision between the EU and Brazil was announced in February 2026. The EU-US Data Privacy Framework, adopted in 2023, remains in force and enables transfers to certified US companies.
Standard Contractual Clauses (SCCs) are the most commonly used mechanism for transfers to countries without an adequacy decision. The 2021 modular SCCs replaced the earlier versions and codified, in Clause 14, the Transfer Impact Assessment (TIA) that the Court of Justice had required in Schrems II (C-311/18, July 2020). A TIA requires the data exporter to assess whether the law and practice of the destination country might impinge on the protections in the SCCs. Where risks are identified, supplementary measures such as encryption with keys held only in the EEA, pseudonymisation, or contractual access restrictions must be added.
Binding Corporate Rules (BCRs) allow multinational groups to transfer data internally across borders under a set of company-wide binding data protection rules approved by a lead supervisory authority. Given Luxembourg's role as EU headquarters for many multinationals, the CNPD has approved several BCR programmes.
For Luxembourg financial institutions, cross-border transfers carry an additional constraint. Professional secrecy rules mean that transferring client data abroad requires not only a valid GDPR transfer mechanism but also assurance that the destination jurisdiction and the receiving entity will maintain equivalent confidentiality obligations. This often requires contractual provisions beyond what the SCCs require.
The CNPD: Luxembourg's Supervisory Authority
The Commission nationale pour la protection des données (CNPD) is Luxembourg's independent supervisory authority. It was originally established under the 2002 law and reorganised under the Law of 1 August 2018 to align with the GDPR's independence and powers requirements.
Structure
The CNPD is a collegiate body comprising four members, one of whom serves as President. The members hold the title of Data Protection Commissioner. They are appointed by the Grand Duchy's Chamber of Deputies and serve fixed terms. The CNPD operates independently from the Luxembourg government and EU institutions, though it cooperates with both.
Powers
The CNPD holds the full range of powers that the GDPR requires national supervisory authorities to possess.
Investigative powers include the ability to demand access to all personal data and all information held by controllers and processors, to conduct audits and on-site inspections, and to require notification of any personal data breach.
Corrective powers include the ability to issue warnings, reprimands, orders to comply, orders to suspend or stop processing, and orders to erase or rectify data. In the most serious cases, the CNPD can impose temporary or permanent bans on processing.
Authorisation and advisory powers allow the CNPD to approve BCRs, accredit certification bodies, adopt standard contractual clauses, and issue opinions on proposed legislation affecting data protection.
The CNPD can impose administrative fines under GDPR Article 83, as discussed in the penalties section below. It can also bring legal proceedings before Luxembourg's courts.
One-Stop-Shop Mechanism
Because the GDPR assigns lead supervisory authority status to the authority in the country where a data controller has its main EU establishment, the CNPD serves as lead supervisory authority for every major technology company incorporated in Luxembourg. That includes Amazon Europe Core S.à r.l., several PayPal entities, Skype Communications S.à r.l., and numerous other platforms that serve users across the entire EU.
This explains why the CNPD, a relatively small authority in a small country, has handled cases of extraordinary scale. A complaint about data processing affecting millions of EU residents from multiple countries can land on the CNPD's desk because the relevant company is registered in Luxembourg.
Other EU supervisory authorities (known as concerned supervisory authorities) have the right to raise objections to draft decisions in cross-border cases. If objections cannot be resolved, the European Data Protection Board (EDPB) issues a binding decision under Article 65. This cooperation mechanism applied in the Amazon case, where concerned authorities reviewed the CNPD's draft decision before the final penalty was adopted in 2021.
Enforcement Priorities
The CNPD's thematic investigation priorities have shifted over the years. Between 2021 and 2022, the authority concentrated on DPO appointment compliance, video surveillance systems (CCTV), and vehicle tracking. Municipal authorities, schools, and private sector companies were the primary investigation subjects.
In 2023, the CNPD focused on data processing by public authorities in criminal investigations, particularly the use of bodycams by police officers. That year, the CNPD issued 8 corrective measures, including 3 fines totalling EUR 6,500, mostly for failures to inform data subjects adequately and for failures by municipal authorities to appoint DPOs.
By 2024, artificial intelligence had become the defining theme. The CNPD launched the Sandkëscht programme, a secure regulatory sandbox enabling companies to test AI and other digital innovations in a GDPR-compliant environment. It published guidance on AI and data protection, launched the DP4AI training course, organised six DaProLabs workshops for AI and data protection professionals, and approved its first sectoral code of conduct dedicated to temporary work. The 2024 annual report described AI as sitting at the heart of the CNPD's missions.
The Amazon Fine: History, Appeal, and Current Status
Luxembourg's most consequential enforcement action is the EUR 746 million fine against Amazon. Its procedural history is one of the most instructive sequences in the GDPR's existence, and its current status is important for any reader who may have seen earlier reports.

The Original Decision (July 2021)
On 15 July 2021, the CNPD imposed a fine of EUR 746 million on Amazon Europe Core S.à r.l. for processing personal data for targeted advertising without a valid legal basis. The case originated from a mass complaint filed by La Quadrature du Net, a French digital rights organisation, acting on behalf of more than 10,000 individuals. The complaint alleged that Amazon's behavioural advertising relied on personal data processed without proper user consent.
The CNPD found violations across several GDPR articles: Amazon lacked a valid legal basis for its targeted advertising processing, failed to provide adequate transparency to users about how their data was used, and did not fully honour data subject rights including access, rectification, erasure, and the right to object. The EUR 746 million penalty dwarfed all previous GDPR fines. Before this decision, the largest single fine had been EUR 50 million imposed by France's CNIL on Google in 2019.
Amazon's Appeal and the Administrative Tribunal (March 2025)
Amazon challenged the decision before Luxembourg's Administrative Tribunal. A hearing was held on 9 January 2024. On 18 March 2025, the Administrative Tribunal dismissed Amazon's appeal in full and upheld the CNPD's decision, including the EUR 746 million fine. The Tribunal confirmed the GDPR violations and endorsed the CNPD's corrective measures.
The judgment gave Amazon 40 days to decide whether to appeal to the Administrative Court of Appeal. The effects of the CNPD's decision remained suspended during any appeal period.
The Court of Appeal Annulment (March 2026)
Amazon did appeal, and in a judgment handed down on 12 March 2026, published on 13 March 2026, Luxembourg's Administrative Court of Appeal annulled the CNPD's EUR 746 million fine. The annulment rested on procedural grounds, not on a finding that Amazon had done nothing wrong.
The court identified three specific procedural failures by the CNPD. First, the CNPD applied something close to strict liability by never genuinely assessing negligence as a threshold condition before imposing a fine; since the Court of Justice's Deutsche Wohnen judgment (C-807/21, December 2023), a fine may only be imposed for an intentional or negligent infringement, so that analysis is required. Second, the CNPD never properly evaluated whether a fine was a proportionate measure given the circumstances at the time, which is a distinct step from simply calculating the fine amount. Third, the CNPD found a violation of Article 21 (right to object) without giving Amazon the opportunity to respond to that finding during the investigation, breaching Amazon's procedural rights.
The court noted that it largely sided with the CNPD on the underlying GDPR violations themselves. The case was sent back to the CNPD to conduct the missing analyses from scratch and, if warranted, issue a fresh penalty. The CNPD confirmed in its official statement that it had already secured effective data-processing compliance from Amazon: at a hearing on 8 January 2026, both parties confirmed that Amazon had brought its practices into line with the CNPD's original requirements.
The practical question before the CNPD is now a narrower one: given that Amazon has since remedied the violations, what fine, if any, is proportionate for past conduct? A timeline for that new decision has not been announced.
What This Means for GDPR Enforcement
The Amazon case has several lessons for organisations.
The violations themselves were confirmed at every stage of judicial review. Amazon's targeted advertising practices were found to breach the GDPR from the outset. The fine was annulled not because Amazon was cleared, but because the CNPD's penalty process did not follow the procedural steps that EU courts now require of supervisory authorities.
The case illustrates that GDPR enforcement is subject to judicial oversight and that supervisory authorities must follow precise procedures when imposing fines. The CNPD responded by updating its investigation procedure regulations in February 2024, at least in part to address the emerging procedural requirements EU courts were articulating.
For companies, the lesson is symmetrical: GDPR violations can survive years of litigation even when fines are procedurally flawed, and compliance is ultimately unavoidable.
EU AI Act Overlay
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, with its obligations applying in stages from February 2025. It is directly applicable across the EU without national transposition, but member states must designate national supervisory authorities and adopt national penalty provisions.
Luxembourg's Implementation
On 23 December 2024, the Luxembourg government submitted Bill of Law 8476, which designates the CNPD as Luxembourg's primary national market surveillance authority for the AI Act. The CNPD will serve as the default authority for AI Act supervision, coordinate activities across sector-specific authorities, and act as Luxembourg's primary point of contact with EU AI institutions. The bill also establishes the national administrative penalties for AI Act non-compliance.
This designation builds on the CNPD's existing data protection expertise and extends its mandate into AI governance, a natural progression given how heavily AI systems depend on personal data.
Implementation Timeline
The AI Act applies in phases. Since 2 February 2025, the prohibitions on unacceptable-risk AI practices have been in force. These cover social scoring (by public or private actors), real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with narrow exceptions), subliminal or manipulative techniques that distort behaviour, and exploitation of the vulnerabilities of specific groups. Organisations using AI systems in any of these categories faced mandatory compliance as of that date.
Further obligations follow in stages. From 2 August 2025, the governance provisions, the obligations for providers of general-purpose AI models, and the penalty provisions apply. Most obligations for providers and deployers of high-risk AI systems (the use cases listed in Annex III) apply from 2 August 2026, and those for high-risk systems embedded in products covered by EU product-safety legislation (Annex I) from 2 August 2027.
Intersection with GDPR
The AI Act and the GDPR operate in parallel. An AI system that processes personal data must comply with both. The GDPR governs data quality, purpose limitation, data minimisation, and data subject rights in relation to data used to train or operate AI models. The AI Act governs the risk classification, transparency, conformity assessment, and human oversight requirements for the AI system itself.
In practice, a high-risk AI system that makes consequential decisions about individuals, such as creditworthiness assessments, recruitment screening, or risk scoring, must satisfy GDPR requirements for the personal data used, conduct a Data Protection Impact Assessment under GDPR Article 35, and comply with the AI Act's conformity assessment and registration obligations. The CNPD, as the designated authority for both frameworks, will be the primary contact point for businesses navigating this intersection.
Financial Sector Data Protection Rules
Luxembourg's position as a leading EU financial centre creates data protection obligations that go well beyond the GDPR.
Professional Secrecy Under the Financial Sector Law
Article 41 of the Law of 5 April 1993 on the financial sector imposes a duty of professional secrecy on all persons working for or with credit institutions, investment firms, payment institutions, and all other professionals in the financial sector regulated by the CSSF. This obligation covers all information entrusted in the course of professional activities, extends to former employees, and applies to information about clients and counterparties alike.
The scope of this obligation is notably broad. Any person who, in the exercise of their professional duties, has knowledge of the business affairs, acts, or facts of a client or counterparty must keep that information strictly confidential. This applies to clerks, analysts, accountants, and every other professional in the chain.
Criminal Penalties
Violations of professional secrecy are prosecuted under Article 458 of the Luxembourg Criminal Code. Unauthorised disclosure of confidential client information carries penalties of a prison term of 8 days to 6 months and a fine of EUR 500 to EUR 5,000. These criminal sanctions are separate from and additional to any GDPR administrative fines the CNPD may impose.
This creates a dual-penalty risk for Luxembourg financial institutions. A data breach affecting client financial data could trigger a CNPD investigation under the GDPR and criminal prosecution under the Criminal Code, pursued through entirely different proceedings.
Permitted Disclosures
Professional secrecy is not absolute. Disclosure is authorised or required in several circumstances: when a specific legislative provision requires it (for example, anti-money laundering reporting obligations), when ordered by a Luxembourg court in judicial proceedings, when required by tax authorities under international exchange-of-information agreements such as the Common Reporting Standard or FATCA, and when required in the context of CSSF supervisory proceedings.
The CSSF's Oversight Role
The Commission de Surveillance du Secteur Financier (CSSF) supervises compliance with both prudential requirements and professional secrecy obligations for all entities in the Luxembourg financial sector. The CSSF has adopted the European Banking Authority guidelines on outsourcing arrangements and cloud services. Financial institutions must ensure that cloud and outsourcing contracts include provisions addressing both GDPR and professional secrecy requirements, including access controls, confidentiality obligations, and audit rights.
When financial institutions receive GDPR data subject access requests, they must balance the individual's right of access against professional secrecy obligations owed to third parties. In practice, this means redacting third-party information from responses to access requests rather than providing raw account or transaction data.
Penalties and Sanctions
GDPR Administrative Fines
The CNPD can impose administrative fines at two tiers.
For less serious violations, including failures related to controller and processor obligations under Articles 8, 11, 25 through 39, 42, and 43 of the GDPR, fines can reach EUR 10 million or 2 % of global annual turnover for the preceding financial year, whichever is higher.
For serious violations, including violations of the core principles for processing (Articles 5, 6, 7, 9), data subject rights (Articles 12 through 22), international transfer rules (Articles 44 through 49), or non-compliance with a CNPD order, fines can reach EUR 20 million or 4 % of global annual turnover, whichever is higher.
How Fines Are Calculated
The CNPD applies the criteria in GDPR Article 83(2) and follows the EDPB's Guidelines 04/2022 on administrative fines. Relevant factors include the nature, gravity, and duration of the violation; whether it was intentional or negligent; actions taken to mitigate harm; degree of cooperation with the CNPD; the categories of personal data affected; and any prior infringements.
The Amazon case added a further procedural requirement that the CNPD must now expressly articulate: a genuine proportionality assessment that weighs the specific circumstances, including whether the organisation has since remedied the violation, before settling on a final figure.
Beyond Administrative Fines
Criminal penalties apply in specific circumstances. Article 458 of the Criminal Code covers professional secrecy violations in the financial sector. The Law of 1 August 2018 governing criminal matters establishes additional penalties for data protection violations by law enforcement authorities. In the most serious cases, courts can also award civil damages to affected data subjects.
Other Corrective Measures
The CNPD routinely uses corrective measures short of fines. Warnings and reprimands are issued where violations are minor or have been promptly remedied. Compliance orders require a controller to bring processing into line with the GDPR by a specified deadline. In the most serious cases, temporary or permanent bans on processing can be imposed.
Recent Developments: 2024 to 2026
Amazon Fine Annulment (March 2026)
The most significant development is the Court of Appeal's annulment of the EUR 746 million fine on procedural grounds, as discussed above. The CNPD is conducting the missing analyses to determine a fresh penalty for past violations that Amazon has already remedied.
Digital Sovereignty Strategy
In May 2025, the Luxembourg government launched "Accelerating Digital Sovereignty 2030," a national strategy identifying data, artificial intelligence, and quantum technologies as the three pillars of Luxembourg's digital future. The strategy emphasises Luxembourg's ambition to remain a leading EU data and financial centre while ensuring that data sovereignty and privacy protections remain at the core of its digital economy.
AI Act Designation (Late 2024 to 2025)
Following the submission of Bill 8476 in December 2024, the CNPD was formally designated as Luxembourg's national AI Act supervisory authority. From 2 August 2025, the full set of obligations for high-risk AI systems entered into force. The CNPD has published guidance on prohibited AI practices and on how organisations can establish meaningful control over AI systems. The Sandkëscht sandbox remains available for companies wishing to test AI systems in a supervised GDPR-compliant environment before deployment.
EU-Brazil Adequacy Decision (February 2026)
The European Commission and Brazil reached a mutual adequacy decision in February 2026. For Luxembourg organisations transferring personal data to Brazil, the adequacy decision simplifies what had previously required SCCs or other transfer mechanisms.
CNPD Investigation Procedure Regulations (February 2024)
The adoption of detailed investigation procedure regulations in February 2024 modernised how the CNPD conducts audits and sanction proceedings. These regulations incorporate the procedural safeguards that EU courts have emphasised in recent judgments, including the negligence assessment and proportionality analysis that the Amazon appeal identified as missing from the 2021 fine decision.
Business Compliance Guide
Organisations operating in Luxembourg, whether established there or simply subject to GDPR because they serve Luxembourg residents, need to manage several practical compliance areas.
Lead Supervisory Authority Considerations
A company with its main EU establishment in Luxembourg will be supervised primarily by the CNPD. All cross-border enforcement actions, complaints from EU residents in other member states, and major enforcement decisions will pass through the CNPD as lead authority. Organisations should build their GDPR compliance programmes with the CNPD as their primary regulatory relationship.
DPO Registration
Any organisation that meets the mandatory DPO threshold must communicate the DPO's contact details to the CNPD promptly on appointment and on every subsequent change. The registration itself is simple, but failure to complete it is an enforcement risk: the CNPD treats DPO compliance as a recurring audit priority.
Records of Processing Activities
Controllers with more than 250 employees, or whose processing is likely to result in a risk to data subjects, or whose processing involves special categories of data or criminal conviction data, must maintain a detailed record of processing activities and make it available to the CNPD on request.
Data Protection Impact Assessments
A DPIA is mandatory before any processing that is likely to result in a high risk to data subjects. The CNPD has published a list of processing types requiring a DPIA. High-risk AI systems generally require a DPIA under GDPR Article 35 in addition to their AI Act conformity obligations.
Cookie Compliance
The amended Act of 30 May 2005 implementing the ePrivacy Directive requires prior consent for any cookie or similar tracking technology that is not strictly necessary for providing the service the user has requested. Consent must meet GDPR standards: freely given, specific, informed, and unambiguous. Reject-all options must be as accessible as accept-all.
Financial Sector Dual Compliance
Financial institutions must treat every compliance decision as a two-framework question. Does this process comply with the GDPR? Does it also comply with the professional secrecy obligations under Article 41 of the Financial Sector Law? Cloud migrations, vendor contracts, data subject access request responses, and cross-border transfers all require both analyses.
Disclaimer: This article provides general information about Luxembourg data privacy laws for educational purposes only. It does not constitute legal advice. Data protection law is complex and subject to change. Organisations should consult with a qualified attorney or data protection professional for guidance on their specific compliance obligations.
For related coverage, see our guides on Luxembourg recording laws and EU data privacy laws.
Frequently Asked Questions
What is the main data protection law in Luxembourg?
Luxembourg's data protection framework rests on the EU GDPR, which applies directly, and the national Law of 1 August 2018. That national law establishes the CNPD's structure and powers, sets national rules where the GDPR allows member-state flexibility, and fixes the digital age of consent at 16 years. A second Law of 1 August 2018 covers data processing in criminal matters and national security, implementing EU Directive 2016/680. The 2023 Constitution now expressly guarantees both the right to privacy (Article 20) and the right to personal data protection (Article 31).
What happened to the EUR 746 million Amazon GDPR fine?
The CNPD imposed the fine on Amazon Europe Core S.à r.l. on 15 July 2021 for processing personal data for targeted advertising without a valid legal basis. Luxembourg's Administrative Tribunal upheld the fine in full on 18 March 2025. Amazon then appealed to the Court of Appeal, which annulled the fine on 12 March 2026 on procedural grounds: the CNPD had not assessed negligence, had not conducted a genuine proportionality analysis, and had found a violation without giving Amazon a chance to respond. The underlying GDPR violations were largely confirmed at every stage. The case was sent back to the CNPD to issue a fresh analysis and potentially a new penalty. Amazon has already brought its practices into compliance.
What are the data breach notification requirements in Luxembourg?
Data controllers must notify the CNPD within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals. Notifications go to databreach@cnpd.lu. If the breach poses a high risk to individuals' rights and freedoms, affected data subjects must also be notified without undue delay. All breaches must be documented in an internal register, regardless of whether they are reportable. Processors must notify their controller without undue delay so the controller can meet the 72-hour window.
What special data privacy rules apply to Luxembourg's financial sector?
Financial institutions must comply with both the GDPR and the professional secrecy obligations under Article 41 of the Law of 5 April 1993 on the financial sector. Article 458 of the Luxembourg Criminal Code makes unauthorised disclosure of client data a criminal offence, carrying a prison term of 8 days to 6 months and fines of EUR 500 to EUR 5,000. These criminal sanctions apply in addition to GDPR administrative fines. Exceptions permit disclosure for anti-money laundering, court orders, and tax exchange-of-information obligations, but financial institutions must verify each disclosure against both frameworks.
What is the CNPD's role in the EU AI Act?
Luxembourg Bill of Law 8476, submitted in December 2024, designates the CNPD as Luxembourg's primary national market surveillance authority for the EU AI Act (Regulation (EU) 2024/1689). The CNPD will supervise AI systems deployed in Luxembourg, coordinate sector-specific authorities, and serve as the primary point of contact with EU AI institutions. This designation builds on the CNPD's data protection expertise, given that AI systems heavily depend on personal data processing.
What are the maximum GDPR fines that can be imposed in Luxembourg?
The CNPD can impose fines at two tiers. For violations of controller and processor obligations (Articles 8, 11, 25-39, 42, 43), the maximum is EUR 10 million or 2 % of global annual turnover, whichever is higher. For violations of core principles, data subject rights, or international transfer rules (Articles 5-7, 9, 12-22, 44-49), the maximum is EUR 20 million or 4 % of global annual turnover. The CNPD also applies EDPB Guidelines 04/2022 on the calculation of administrative fines and must now conduct an express proportionality analysis, as the Amazon appeal confirmed.
How do cross-border data transfers work from Luxembourg?
Within the EU and EEA, personal data flows freely. Transfers to third countries require one of: (1) a European Commission adequacy decision (as of early 2026, 16 countries are covered, including the US under the EU-US Data Privacy Framework and, since February 2026, Brazil); (2) Standard Contractual Clauses with a Transfer Impact Assessment; (3) Binding Corporate Rules approved by the CNPD; or (4) other derogations under Article 49. Financial institutions must also ensure that transfers comply with professional secrecy obligations, which may require additional contractual protections beyond the SCCs.
Sources and References
- CNPD - National Legislation Overview (cnpd.public.lu)
- CNPD - Official Statement on Court of Appeal Amazon Ruling (March 2026) (cnpd.public.lu)
- CNPD - Amazon Decision Announcement (March 2025) (cnpd.public.lu)
- CNPD - Data Breach Notification Guidance (cnpd.public.lu)
- CNPD - Annual Reports (cnpd.public.lu)
- CNPD - AI Act Obligations (August 2025) (cnpd.public.lu)
- CNPD - National Implementation of the AI Act (November 2024) (cnpd.public.lu)
- EUR-Lex - General Data Protection Regulation (eur-lex.europa.eu)
- EUR-Lex - EU AI Act (Regulation 2024/1689) (eur-lex.europa.eu)
- EDPB - Guidelines 04/2022 on Calculation of Administrative Fines (edpb.europa.eu)
- CSSF - Commission de Surveillance du Secteur Financier (cssf.lu)
- Arendt - Luxembourg Bill 8476 and AI Act (arendt.com)
- European Commission - Adequacy Decisions for Third Countries (commission.europa.eu)