While General Data Protection Regulation (EU) 2016/679 (the “GDPR”) is directly applicable under domestic law, its entry into force in May of 2018 requires an implementing law in Luxembourg.

On 12 September 2017, Mr. Xavier BETTEL, Minister of Communications and the Media submitted Bill No. 7184 on the creation of the National Commission for Data Protection (Commission nationale pour la protection des données or “CNPD”) and the implementation of Regulation (EU) 2016/679 on the protection of natural persons with regard to personal data processing and the free movement of such data.

The first chapter of the bill affirms the National Commission for Data Protection’s independence, reinforces its powers and extends the scope of its competence. The CNPD itself will also be developed. In parallel with the reinforcement of its composition and the professional qualifications of its members, its missions and powers will be extended, particularly by increasing the ceiling of sanctions it can impose under the GDPR. The CNPD will thus be able to impose administrative sanctions of up to EUR 20 million, or in the case of a company, up to 4% of its annual worldwide turnover for the preceding year.

The second chapter of the bill aims at giving further detail to specific rules which Member States must apply under the GDPR. Specifics are thus given for the reconciliation of law with the protection of personal data and the right to freedom of expression and information, garantees and derrogations applicable to processing for scientific research, historic or statistical purposes as well as the processing of specific categories of personal data by health services.

To consult the bill in French and the status of its adoption, click here.