Data & Privacy · Luxembourg
Data & Privacy - Luxembourg
Luxembourg has a comprehensive data-protection regime built on the directly-applicable EU GDPR, supplemented at national level by the Law of 1 August 2018, which created and organises the supervisory authority (CNPD) and sets national specifications. A companion Law of 1 August 2018 transposes the EU Law Enforcement Directive (2016/680) for criminal-matters and national-security processing. The CNPD is an active enforcer, with notable rulings including the (now-annulled and remanded) EUR 746 million Amazon fine.
Personal-data protection is governed by the directly-applicable EU GDPR (Regulation (EU) 2016/679), in force since 25 May 2018, applying across all sectors.
The Law of 1 August 2018 organises the CNPD and completes the GDPR at national level, repealing the previous Act of 2 August 2002. It was published in the Mémorial on 16 August 2018.
The Commission nationale pour la protection des données (CNPD) is the independent national supervisory authority responsible for monitoring and enforcing data-protection law in Luxembourg.
A separate Law of 1 August 2018 transposes EU Directive 2016/680 on personal-data processing by competent authorities in criminal matters and for national security.
In 2025 the CNPD issued 7 corrective measures including 6 fines (EUR 1,277 to EUR 175,000), focusing on records of processing activities and GDPR-compliant video surveillance.
On 12 March 2026 the Administrative Appeal Court annulled the CNPD's record EUR 746 million GDPR fine against Amazon, but upheld most of the CNPD's findings and sent the penalty back for re-analysis under updated CJEU case law.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice. English version →