Skip to content
World Watch/Luxembourg/Data & Privacy

Data & Privacy · Luxembourg

Data protection & GDPR compliance in Luxembourg (2026)

Comprehensive lawEU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR), implemented nationally by the Law of 1 August 2018 organising the Commission nationale pour la protection des données (CNPD) and the general data-protection framework; supervised by the CNPD.Country index 90 · A+

Luxembourg shaded by its data & privacy status

Data protection in Luxembourg: comprehensive law, under EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR), implemented nationally by the Law of 1 August 2018 organising the Commission nationale pour la protection des données (CNPD) and the general data-protection framework; supervised by the CNPD..

Luxembourg has a comprehensive data-protection regime built on the directly-applicable EU GDPR, supplemented at national level by the Law of 1 August 2018, which created and organises the supervisory authority (CNPD) and sets national specifications. A companion Law of 1 August 2018 transposes the EU Law Enforcement Directive (2016/680) for criminal-matters and national-security processing. The CNPD is an active enforcer, with notable rulings including the (now-annulled and remanded) EUR 746 million Amazon fine.

GDPR & data protection in Luxembourg

In Luxembourg, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the National Commission for Data Protection (CNPD).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the National Commission for Data Protection (CNPD)
Applies to
any organisation processing the personal data of people in Luxembourg, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Luxembourg supplements it with a national data-protection act and its own supervisory authority.

GDPR in Luxembourg: FAQ

Does the GDPR apply in Luxembourg?

Yes. As an EU/EEA member, Luxembourg applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the National Commission for Data Protection (CNPD).

Who enforces data protection law in Luxembourg?

The National Commission for Data Protection (CNPD).

What are the GDPR fines in Luxembourg?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Luxembourg?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Luxembourg?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Comprehensive GDPR-based regime

Personal-data protection is governed by the directly-applicable EU GDPR (Regulation (EU) 2016/679), in force since 25 May 2018, applying across all sectors.

National implementing law (2018)

The Law of 1 August 2018 organises the CNPD and completes the GDPR at national level, repealing the previous Act of 2 August 2002. It was published in the Mémorial on 16 August 2018.

Supervisory authority: CNPD

The Commission nationale pour la protection des données (CNPD) is the independent national supervisory authority responsible for monitoring and enforcing data-protection law in Luxembourg.

Law-enforcement / national-security data

A separate Law of 1 August 2018 transposes EU Directive 2016/680 on personal-data processing by competent authorities in criminal matters and for national security.

Active enforcement

In 2025 the CNPD issued 7 corrective measures including 6 fines (EUR 1,277 to EUR 175,000), focusing on records of processing activities and GDPR-compliant video surveillance.

Landmark Amazon fine remanded

On 12 March 2026 the Administrative Appeal Court annulled the CNPD's record EUR 746 million GDPR fine against Amazon, but upheld most of the CNPD's findings and sent the penalty back for re-analysis under updated CJEU case law.

Timeline - major decisions & events

Apr 1, 2026guidanceofficial
CNPD marks 10 years of the GDPR as cornerstone of Luxembourg data protection

Luxembourg's data protection authority published a reflection on a decade of the GDPR, reaffirming its role enforcing the regulation and supporting compliance. It signals continuity of the GDPR-based framework as the country's core privacy regime.

CNPD
Mar 13, 2026decisionofficial
Administrative Court annuls Amazon's €746M GDPR fine, refers case back to CNPD

Luxembourg's Administrative Court overturned the record €746 million fine, finding the CNPD had not analysed Amazon's intent/negligence nor whether a fine was proportionate, while upholding that Amazon's 'legitimate interests' basis and information practices breached the GDPR. The case was sent back to the regulator for reassessment.

CNPD
Jan 6, 2025enforcement
CNPD fines a major credit institution for late data-subject access responses

The CNPD sanctioned a major bank for failing to meet GDPR deadlines for handling access requests; an initial €493,560 penalty was reduced to €175,000. It underscored the authority's focus on enforcing data-subject rights timelines.

INPLP
Jul 16, 2021enforcement
CNPD imposes record €746 million GDPR fine on Amazon

The CNPD fined Amazon Europe Core S.à r.l. €746 million for processing personal data for targeted advertising without valid consent, the largest GDPR fine ever at the time, stemming from a 2018 complaint by La Quadrature du Net. It established Luxembourg's regulator as a major enforcer for the EU-headquartered tech sector.

ICLG
Aug 1, 2018lawofficial
Law of 1 August 2018 establishes the modern CNPD and GDPR framework

This law reorganised the CNPD and laid down the national rules complementing the GDPR, repealing the 2002 Act. It is the foundation of Luxembourg's current data-protection regime, granting the CNPD investigative and fining powers (up to €20M or 4% of global turnover).

CNPD / Official Gazette
May 25, 2018lawofficial
GDPR becomes directly applicable in Luxembourg

EU Regulation 2016/679 (GDPR) took direct effect across the EU, replacing the 2002 Act as the principal data-protection instrument in Luxembourg. It introduced expanded data-subject rights, accountability obligations, and far higher sanctions.

CNPD
May 30, 2005lawofficial
Law of 30 May 2005 on privacy in the electronic communications sector

Transposing the ePrivacy Directive 2002/58/EC, this Act set sector-specific rules on cookies (consent), direct marketing, traffic/location data, and breach notification by communications providers. It remains the basis for cookie and electronic-marketing rules in Luxembourg.

CNPD
Aug 2, 2002lawofficial
Law of 2 August 2002 creates the CNPD and Luxembourg's first modern data-protection regime

Transposing the EU Data Protection Directive 95/46/EC, this Act (in force 1 December 2002) established the National Commission for Data Protection (CNPD) as an independent authority and set general processing rules. It was the country's first comprehensive privacy law in the modern sense.

EU Agency for Fundamental Rights (FRA)
Mar 31, 1979lawofficial
Law of 31 March 1979 regulating computerised use of personal data

Luxembourg's earliest data-protection statute governed the digital identification of natural and legal persons and the use of nominative data in automated processing. It marked the country's first legal recognition of data-protection concerns, later repealed by the 2002 Act.

CNPD

Luxembourg - other topics

Data & Privacy in other countries

Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →