General Data Protection Regulation (GDPR)

The GDPR is set to enter directly into force as from 25 May 2018. Accordingly, the current Luxembourg Act dated 2 August 2002 concerning the protection of individuals with regard to the processing of personal data will be repealed. A draft law n°7184 implementing some of the provisions of the GDPR (Opinion of the ABBL dated 22 November 2017) is currently under review at the Luxembourg Chamber of Deputies. The new paradigm as emphasised by the GDPR consists in responsibilising financial stakeholders acting as controllers by introducing the accountability principle (See article 5,  Principles relating to processing of personal data ), meaning that the latter will need to be able to demonstrate to the data subjects together with the National Commission for Data Protection that they put in place all the necessary procedures and processes to safeguard the data subjects’ rights.

In short, the challenge for financial stakeholders entails finding the right balance between complying with the stringent provisions of the GDPR, abiding to specific provisions as contained for instance within the legal framework of MiFID II, PSD2 and the 4thanti money laundering directive and taking due account of all the business processings managed by the controllers in their daily operations.

A core part of abiding to the pillar of accountability resides in implementing the concept of “data protection by design and by default”, that is to say that adequate security measures shall be established together with ensuring that their compliance is being monitored. Practically, entities processing personal data must take privacy into account during the whole life cycle of such data within the course of their business operations. Privacy by design promotes techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so only those authorized can read it) to protect personal data.

The concept of “privacy by default” default merely means that the strictest privacy settings automatically apply once prospects/clients acquire a new product or service. In other words, no manual change to the privacy settings should be required on the part of the data subject.

For controllers to play by the rules, the fundamental principle of transparency shall be applied. It consists in providing the data subjects with general and specific information related to the processing itself carried on by the controller, to be delivered in a fair, clear, concise and intelligible manner. Accordingly, clients/data subjects must be able to easily exert the new rights conferred upon them by the GDPR such as for instance the right to be forgotten, to data portability or the right to contest a decision solely based on automated processing or the right to object to processing in certain circumstances.

As per the accountability principle, hence implying the end of the notifications and prior authorisations submitted to the CNPD by end of May 2018, comes for the latter also increased corrective powers in the event of an infringement of the GDPR. The CNPD may indeed impose administrative fines of up to 20 millions euros or 4% of the total worldwide annual turnover of the concerned entity.

The ABBL is committed to provide to its members regular updates on any new guidelines effected for example by the article 29 Data protection working party (see also ) and any legal novelties at EU or national level being of interest to our members in relation to the protection of personal data (see ).

The links below available to the public at large may provide readers with useful insights as to being informed on the latest developments connected with the GDPR:


Association des Banques et Banquiers, Luxembourg


12, Rue Erasme L-1468 Luxembourg

Phone Fax
Opening hours

Monday to Friday from 8:00 to 17:30.