CNPD (Luxembourg)

From GDPRhub
Commission Nationale pour la Protection des Données
Name: Commission Nationale pour la Protection des Données
Abbreviation : CNPD
Jurisdiction: Luxembourg
Head: Tine A. Larsen
Deputy: n/a
Adress: 15, Boulevard du Jazz

L-4370 Belvaux


Phone: +352 2610 60 1
Twitter: n/a
Procedural Law: n/a
Decision Database: n/a
Translated Decisions: Category:CNPD (Luxembourg)
Head Count: n/a
Budget: n/a

The Commission Nationale pour la Protection des Données (CNPD) is the national Data Protection Authority for Luxembourg, headquartered in Belvaux, municipality of Salem. The CNPD oversees the GDPR in Luxembourg and advises the national parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of the rights and freedoms of natural persons with regard to processing of their personal data.

Structure[edit | edit source]

The CNPD is an independent public institution, financially and administratively autonomous. Although the CNPD operates in the form of a public establishment under the supervision of the Minister whose responsibilities include data protection (currently the Minister for Communications and Media), it is nevertheless independent in the exercise of its functions.

The CNPD adopted its rules of procedure, including its internal procedures and working methods on 22 January 2020. The rules of procedure was adopted unanimously by the members of the college in plenary session. These internal rules of procedure are published in the Official Gazette of the Grand Duchy of Luxembourg.

The internal regulations determine:

  1. operating conditions for the CNPD;
  2. the organisation of the services of the CNPD;
  3. the procedures for convening the members of the college and holding collegiate meetings.

The CNPD is a collegiate body made up of four members, one of which is a president. Members are called Data Protection Commissioners and are authorised to use the title “Commissioner”, with this title having no impact on their rank or their remuneration.

Current Commissioners are: Ms Tine A. Larsen (Chair), Mr Thierry Lallemang (Commissioner), Mr Marc Lemmer (Commissioner) and Mr Alain Herrmann (Commissioner). Four deputy members are also appointed. The deputy members are called to replace members of the college when they are absent or unable to attend.

The CNPD meets regularly for deliberations. The college may validly sit and deliberate only if at least three members of the college are present, and decisions are adopted by majority vote. If the number of votes are equal, the president has the deciding vote. Abstentions are not permitted. The members of the college and the deputy members cannot sit, deliberate or adopt decisions in a matter in which they have a direct or indirect interest.

The CNPD's organizational chart can be found on this page.

Procedural Information[edit | edit source]

Applicable Procedural Law[edit | edit source]

The CNPD verifies if personal data is processed in accordance with the following provisions:

The CNPD is not competent to supervise the processing of personal data carried out by courts of the judicial order, including the public prosecutor (ministère public), or the administrative order acting in their judicial capacities.

Complaints Procedure under Art 77 GDPR[edit | edit source]

The GDPR was adopted pursuant to article 40 of the Act of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework. It determines the procedure for investigations before the CNPD.

In the course of the procedure of complaint, the CNPD first examines whether a complaint is justified, i.e. it checks whether the facts alleged by the claimant relating to the processing of personal data are likely or not to constitute a violation of the applicable data protection legislation. Where the CNPD considers that the challenged processing of data would indeed be contrary to applicable law, it will use its best endeavours to remedy the situation without making use of the binding measures entrusted within the framework of its powers conferred by law.

Ex Officio Procedures under Art 57 GDPR[edit | edit source]

The CNPD may launch Ex Officio procedures, for example following information seen in the media. They also launch own audit campaigns, for example the 2018 audit of controllers' appointment of a Data Protection Officer (which lead to several decisions, many which are found in the GDPRhub, for example Délibération n° 42FR/2021).

Appeals[edit | edit source]

A decision made by the CNPD can be challenged within 3 months. If it is, it will go to a general, administrative tribunal for review. A tribunal decision may also be challenged and the case will then move forward in the Luxembourg court system.

Practical Information[edit | edit source]

Filing with the DPA[edit | edit source]

Complaints can be filed online via this form: or sent by post to the following address:

Commission nationale pour la protection des données

Service des réclamations

15, Boulevard du Jazz

L-4370 Belvaux

Known Problems[edit | edit source]

Make sure to download your complaint as PDF after submission. You are left with no trace of what you submitted if you fail to download the complaint.

Filing an Appeal[edit | edit source]

You can help us by filling in this section!

Decision Database[edit | edit source]

Decision and Opinions can be found on the CNPD's website here : Decisions summarized on the GDPRhub are listed here.

Statistics[edit | edit source]

Key figures of 2021[edit | edit source]

These figures are from the DPA's 2021 annual report:

  • 618 written requests for information (compared to 655 in 2020) —The three main categories were the COVID-19 pandemic (contact tracing, body temperature measurement, teleworking, homeschooling, etc.), monitoring at the workplace and the rights of data subjects (right of access, right of erasure, etc.).
  • 33 opinions on draft laws or regulations (compared to 24 in 2020) — In addition to those relating to the fight against Covid-19, the opinions focused on video surveillance of public spaces for public safety purposes (VISUPOL), open data and re-use of public sector information, the control of the acquisition and possession of weapons, the European electronic communications code and the Central Database of the Police.
  • 512 complaints from individuals who considered that the law had not been respected or that their rights had been violated (compared to 485 in 2020) —Over one quarter (26%) of the complaints were based on non-compliance with the right of access by controllers, 24% were requests for erasure or rectification of data and 14% were related to the lawfulness of the processing.
  • 333 data breaches notified to the CNPD (compared to 379 in 2020) —The CNPD receives approximately 29 notifications of data breaches per month. The main cause remains human error in 62 % of cases. More than half of the incidents are detected within 5 days of their occurrence.
  • 18 on-site investigations (compared to 8 in 2020) — The CNPD carried out on-site investigations mainly on video surveillance.
  • 6 investigations as part of an audit on transparency — The CNPD continued its investigations as part of its thematic campaign “transparency in the online services sector” which was launched in 2020 among 6 companies in this area.

Funding[edit | edit source]

You can help us filling this section!

Personal[edit | edit source]

You can help us filling this section!

Caseload[edit | edit source]

You can help us filling this section!

Fines[edit | edit source]

You can help us filling this section!

Annual Reports[edit | edit source]

The CNPD has published annual reports since 2002, all of which can be found on their website here:

Annual reports are usually published in September/October.

EU/EEA/UK Data Protection Authorities
Austria · Belgium · Bulgaria · Croatia · Cyprus · Czech Republic · Denmark · Estonia · Finland (Åland) · France · Germany (Baden-Württemberg · Bavaria, private sector · Bavaria, public sector · Berlin · Brandenburg · Bremen · Hamburg · Hesse · Lower Saxony · Mecklenburg-Vorpommern · North Rhine-Westphalia · Rhineland-Palatinate · Saarland · Saxony · Saxony-Anhalt · Schleswig-Holstein · Thuringia ) · Greece · Hungary · Ireland · Italy · Latvia · Lithuania · Luxembourg · Malta · Netherlands · Poland · Portugal · Romania · Slovakia · Slovenia · Spain (Basque Country · Catalonia · AndalusiaSweden
Iceland · Liechtenstein · Norway · United Kingdom EDPS · EDPB