Luxembourg complements GDPR with its Law of 1 August 2018

On 1 August 2018, the Luxembourg Government passed its national legislation to complement the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and to repeal in its entirety the nearly 16-year-old data protection regime established by the law of 2 August 2002. As GDPR is directly applicable in all EU member states, the 1 August 2018 law primarily focuses on the mechanisms of its application, rather than replicating or expanding restrictions on data processing. Nevertheless, the law of 1 August 2018 will have some impact on FundRock and its clients as entities subject to Luxembourg law. The following outlines the main changes and their impact.
Workplace surveillance and monitoring
The new law relaxes the requirements for surveillance and monitoring in the workplace and amends the labor code to reflect the GDPR requirements for such processing.
The Commission nationale pour la protection des données (CNPD)
The majority of the law is dedicated to empowering the CNPD to carry out its mandate under GDPR as a “data protection authority”. The CNPD has the authority to investigate and adjudicate any potential breach of data protection law, whether under the 1 August 2018 law or GDPR. The CNPD may also take any of the punitive measures authorized by GDPR, including sanctions. Appeals of CNPD decisions are taken through the Administrative Courts.
The new law gives the CNPD the authority to levy penalties for non-compliance with the CNPD’s corrective measures or requests for information. These “periodic penalty payments” may be up to 5% of the average daily turnover generated by the targeted entity, levied for each day of non-compliance.
For questions or further information please do not hesitate to contact our GDPR team at