General Data Protection Regulation (GDPR)

The General Data Protection Regulation (UE 2016/679) (“GDPR”) entered into force on 25 May 2018 and introduced a new paradigm: for entities processing the personal data of natural persons to be able to prove that they comply with the core rules of the GDPR (a.k.a. the “accountability” principle). In brief, financial stakeholders acting as controllers/processors should be able to demonstrate to their clients and the CNPD, as the case may be, that they notably apply the principles of legitimacy, clearly defined purpose, necessity, proportionality and fairness towards the personal data processed. Furthermore, they must provide individuals with enhanced transparency and stringent IT security requirements.

To help its members overcome the challenges arising out of the GDPR, three guidelines with different scopes were drafted by the ABBL and presented during a conference held on 7 May 2018 “Surfing the Wave of the GDPR” with representatives of the National Data Protection Commission. The guidelines were drafted thanks to dedicated working groups of the ABBL and the involvement of the CNPD, namely “Steps forward in implementing the GDPR”, “Practical guide for the application of the GDPR in employment relationships” and “Big data and data analytics working group.”

As the former Luxembourg Law dated 2 August 2002 concerning the protection of individuals with regard to the processing of personal data was repealed because of the GDPR, the Luxembourg legislator had to draft a new Law which would confer new powers to the CNPD. The Law of 1 August 2018 establishing the National Commission for Data Protection and the implementation of Regulation (EU) 2016/679 supplements the GDPR by adopting new provisions where the GDPR so allows, for instance in the employment context according to its article 88, as well as adapting the law of the CNPD to award it new powers necessary to carry out its tasks effectively.

The CNPD hence disposes of new investigative powers and can notably get access to all personal data processed by the controllers/processors together with obtaining all relevant information pertaining thereto, notify legal entities of a potential breach of the GDPR, limit or forbid a processing of personal data. Administrative fines of up to 20 million euros or 4% of the total worldwide annual turnover of the concerned entity may apply in case of infringements of the GDPR.

With regard to the surveillance being undertaken at the workplace, such processing may only be executed in accordance of the lawfulness grounds of article 6 of the GDPR. Prior to any of such processing, the employee needs to be informed. The employer also has to give prior information to the Comité mixte, or failing that, to the staff delegation, or, failing that, to the labour inspection (Inspection du Travail et des Mines – ITM).

The prior information should include a detailed description of the purpose of the foreseen processing, the implementation methods of the surveillance system and, as the case may be, the retention period or the criteria for the retention of the data. In addition, the information has to include a formal commitment of the employer to use the data exclusively for the explicitly foreseen purposes.

The staff delegation, or, failing that, the concerned employees, may submit a request for prior opinion to the CNPD within 15 days following the prior information received by the employer. The CNPD shall respond to the submitted request in the month of the request. The request has a suspensive effect during this period. Finally, the concerned employees have the right to complain to the CNPD. The complaint is no valid reason for a dismissal.

The links below, available to the public at large, may provide readers with useful insights as to being informed on the latest developments connected with the GDPR:


Association des Banques et Banquiers, Luxembourg


12, Rue Erasme L-1468 Luxembourg

Phone Fax
Opening hours

Monday to Friday from 8:00 to 17:30.