Data Advocacy for Luxemburg

The law dated 2 August 2002 on the protection of persons with regard to the processing of personal data as amended from time to time (Law).

The law dated 30 May 2005 laying down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector as amended from time to time (Law of 30 May 2005).

Commission Nationale pour la Protection des Données (CNPD)

1, avenue du Rock’n’Roll

L-4361 Esch-sur-Alzette

T +352 26 10 60 1

F +352 26 10 60 29

The CNPD is in charge of monitoring and checking that processed data are processed in accordance with the provisions of the Law and the Law of 30 May 2005 and their implementing regulations.

The controller may designate a DPO. Such designation releases the controller from the obligation to carry out the notification process. It does not exempt the controller from applying for authorisation before carrying out processing for which authorisation is required.

The powers of the data protection officer are as follows:

  • investigative powers to ensure supervision of the controller’s compliance with the provisions of the Law and its implementing regulations, and
  • a right to be informed by the controller and the related right to inform the controller of the formalities to be carried out in order to comply with the provisions of the Law and its implementing regulations.

Any party that does not carry out the obligation to notify or supplies incomplete or inaccurate information is liable to a fine of between EUR 251 and EUR 125,000.

There is no legal obligation to notify data security breaches under the Law of 2002. The Data Controller could, however, always decide, depending on the importance of the breach, to inform the authority or the affected individual on a voluntary and purely informative basis, based on an internal management decision and not as a consequence of a legal requirement. The only existing obligation to provide notice of a breach of security is in the sector of electronic communications and networks. A specific form allowing a Data Controller to notify data security breaches is available on the website of the National Commission for Data Protection.

An organization that is involved in a data breach situation may be subject to closure or cancellation of the file, register or database, an administrative fine, penalty or sanction, or civil actions and/or class actions.

Opt-in regime: no direct marketing electronic mail can be legally sent without the express consent of the receiver, unless a pre-existing business or commercial relationship exists. (Consent is however not mandated for marketing to legal persons.)

Also, a specific opt out must be offered with each message. Disguised sender identities are prohibited, and a valid return address must be provided.

The term “Opt-Out Rule” means that the sending of e-marketing to the recipient is permitted on an opt-out basis if:

  • the recipient’s details were originally collected “in the context of a sale”.
  • the entity sending the marketing is the same legal entity that collected the recipient’s details initially.
  • the marketing relates to “similar” products and/or services for which the recipient’s details were originally obtained.
  • the recipient is given the opportunity free of charge to object to the e-marketing, both at the time their details were collected and in each subsequent communication.

Applicable Legislation:

Law of 14 August 2000 on e-commerce

Law of 30 May 2005 on electronic communications networks and services

First party e-marketing

(entity that collects the data will send the e-marketing itself)

B2C: Opt-in. Opt-out permitted where Opt-Out Rule applies.

B2B: Opt-out

Third party e-marketing

(entity that collects the data will share with third party partner for e-marketing)

B2C: Opt-in

B2B: Opt-out.