Data & Privacy · Luxembourg
Data protection & privacy laws in Luxembourg (2026)
Luxembourg shaded by its data & privacy status
Luxembourg has a comprehensive data-protection regime built on the directly-applicable EU GDPR, supplemented at national level by the Law of 1 August 2018, which created and organises the supervisory authority (CNPD) and sets national specifications. A companion Law of 1 August 2018 transposes the EU Law Enforcement Directive (2016/680) for criminal-matters and national-security processing. The CNPD is an active enforcer, with notable rulings including the (now-annulled and remanded) EUR 746 million Amazon fine.
Key points
Personal-data protection is governed by the directly-applicable EU GDPR (Regulation (EU) 2016/679), in force since 25 May 2018, applying across all sectors.
The Law of 1 August 2018 organises the CNPD and completes the GDPR at national level, repealing the previous Act of 2 August 2002. It was published in the Mémorial on 16 August 2018.
The Commission nationale pour la protection des données (CNPD) is the independent national supervisory authority responsible for monitoring and enforcing data-protection law in Luxembourg.
A separate Law of 1 August 2018 transposes EU Directive 2016/680 on personal-data processing by competent authorities in criminal matters and for national security.
In 2025 the CNPD issued 7 corrective measures including 6 fines (EUR 1,277 to EUR 175,000), focusing on records of processing activities and GDPR-compliant video surveillance.
On 12 March 2026 the Administrative Appeal Court annulled the CNPD's record EUR 746 million GDPR fine against Amazon, but upheld most of the CNPD's findings and sent the penalty back for re-analysis under updated CJEU case law.
Timeline - major decisions & events
Luxembourg's data protection authority published a reflection on a decade of the GDPR, reaffirming its role enforcing the regulation and supporting compliance. It signals continuity of the GDPR-based framework as the country's core privacy regime.
CNPD ↗Luxembourg's Administrative Court overturned the record €746 million fine, finding the CNPD had not analysed Amazon's intent/negligence nor whether a fine was proportionate, while upholding that Amazon's 'legitimate interests' basis and information practices breached the GDPR. The case was sent back to the regulator for reassessment.
CNPD ↗The CNPD sanctioned a major bank for failing to meet GDPR deadlines for handling access requests; an initial €493,560 penalty was reduced to €175,000. It underscored the authority's focus on enforcing data-subject rights timelines.
INPLP ↗The CNPD fined Amazon Europe Core S.à r.l. €746 million for processing personal data for targeted advertising without valid consent — the largest GDPR fine ever at the time, stemming from a 2018 complaint by La Quadrature du Net. It established Luxembourg's regulator as a major enforcer for the EU-headquartered tech sector.
ICLG ↗This law reorganised the CNPD and laid down the national rules complementing the GDPR, repealing the 2002 Act. It is the foundation of Luxembourg's current data-protection regime, granting the CNPD investigative and fining powers (up to €20M or 4% of global turnover).
CNPD / Official Gazette ↗EU Regulation 2016/679 (GDPR) took direct effect across the EU, replacing the 2002 Act as the principal data-protection instrument in Luxembourg. It introduced expanded data-subject rights, accountability obligations, and far higher sanctions.
CNPD ↗Transposing the ePrivacy Directive 2002/58/EC, this Act set sector-specific rules on cookies (consent), direct marketing, traffic/location data, and breach notification by communications providers. It remains the basis for cookie and electronic-marketing rules in Luxembourg.
CNPD ↗Transposing the EU Data Protection Directive 95/46/EC, this Act (in force 1 December 2002) established the National Commission for Data Protection (CNPD) as an independent authority and set general processing rules. It was the country's first comprehensive privacy law in the modern sense.
EU Agency for Fundamental Rights (FRA) ↗Luxembourg's earliest data-protection statute governed the digital identification of natural and legal persons and the use of nominative data in automated processing. It marked the country's first legal recognition of data-protection concerns, later repealed by the 2002 Act.
CNPD ↗Luxembourg - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →