Data protection and Luxembourg


At a time when the General Data Protection Regulation (“GDPR”) has been spoken and written about extensively in all European countries, including Luxembourg, and when many companies are panic-stricken and wondering how to achieve compliance when it comes into force, it seems necessary to de-dramatise the situation and to recall that the protection of data in Luxembourg is not a novelty.

The first regulation to this effect already dates from the late 1970s with the Law of 30 March 1979 organizing the digital identification of natural and legal persons.

The purpose of this Law was to create national registers collecting all relevant data such as surname, forename, sex, nationality, civil status, etc. for natural persons and denomination, headquarters, form, etc. for legal persons.

At the beginning of the 2000s, Luxembourg adopted the first real regulation of data protection - as it is understood today - via the Act of 2 August 2002 on the protection of individuals with regard to the processing of personal data (“Loi modifiée du 2 août 2002 relative à la protection des personnes à l’égard du traitement des données à caractère personnel”).

It goes without saying that this law was subsequently amended several times as well as supplemented by special laws such as the law of 30 May 2005 on data protection and electronic communications (“Loi modifiée du 30 mai 2005 relative à la protection des données et communications électroniques”).

Since 2007, the principle of data protection has been enshrined in Luxembourg’s Constitution, whose Article 11 now stipulates that "the State guarantees the protection of privacy, except for the exceptions laid down by law".

Data protection has always, in one way or another, played an important role in Luxembourg. The former label of “tax haven”, which critical minds will immediately think of, is only one aspect of this protection.

On the other hand, it is true – and the CNPD readily acknowledged it in its reports – that Luxembourg struggled a little to see "a true culture of personal data protection in companies, administrations and public bodies".

To give an order of magnitude, in 2015 the CNPD received only 724 advance notifications, 1,117 requests for authorization, 217 complaints and only 2 reports of data violations.

Thus, while the issue of data protection is not new, the adoption and implementation of the GDPR has at least renewed attention to this question and will probably, in the long run, enable this change of mentality.

For the few who may have managed to escape all the news on this topic, recall that the new regulation is based on the increased accountability of all actors by:

  • giving data subjects more control over their personal data (in particular by introducing new rights such as the right to portability, the right to be forgotten and the right to be informed in the event of data breaches),
  • giving greater responsibility and accountability to companies (through the creation of a DPO, supervision of the duration of data retention, subcontract traceability, implementation of new Data Loss Prevention tools, etc.) as well as to all data processing actors (i.e. Data Controller, Data Processor) while reducing their administrative burdens toward their national Data Protection Authority (DPA),
  • strengthening the role of the DPA such as the CNPD.

Though many companies worry about their ability to comply and the cost of doing so – since better protecting their clients’ data will require some time and internal changes – these regulatory compliance issues should be seen as a competitive advantage for business.

Succeeding in creating an ethical and trustworthy framework for data processing today takes on a fundamental value for everyone, without exception, in the chain of personal data (from Data Subjects to Data Processors).

On the one hand, it is a matter of guaranteeing citizens high standards of protection of the private sphere and allowing them the use of their personal data and, on the other hand, care must be taken not to slow down the development of the economic potential linked to technological development, such as the Big Data phenomenon, which can offer exceptional opportunities.

And this, Luxembourg, as a nation, has understood well.

Over the past few years, Luxembourg has experienced a major boost with the development of innovative technology companies, whether in the area of e-commerce, digital content, cloud computing, Big Data or electronic payments.

At present, Luxembourg offers a number of advantages for data centre operators (both private and public), with redundant, secure and high-speed fibre optic connections to the major Internet interconnection centres in Europe.

One thing is for sure: data protection is a constant concern and at the heart of all future reflections.

Luxembourg is indeed particularly known for its high concentration of data centres with the highest level of security. Luxembourg has seven data centres of the most demanding Tier IV standard, corresponding to 30% of the total number of Tier IV data centres in Europe and 12% of the total number of Tier IV data centres on the planet.

It is precisely for this reason, and for its know-how in handling sensitive data, that Luxembourg has been chosen by Estonia for the creation and implementation of the first e-embassy (data embassy) in the world. A choice that was finalised by an official agreement only a few days ago.

This virtual embassy aims to ensure the digital continuity of the country, the ability to activate systems when necessary and to draw on data from versions stored outside. The very secure server room – certified Tier IV, obviously – will contain important information from Estonian e-government, which will remain accessible even if the system on the national territory is out of service. The data embassy in Luxembourg must indeed store information on taxes, land, businesses, identity documents, pensions, legislation, census, etc.

Finally, with its "Digital Lëtzebuerg" initiative – a pool of experts from backgrounds as diverse as the private, public and academic sectors, working together toward the same objective since October 2014 – the Luxembourg government aims to go ever further in strengthening the country's position in the field of ICT and data protection.


Article provided by: Me Roy REDING and Me Cécile PORCHER, Luxembourg



What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.