Annual report 2018 of the National Data Protection Commission (CNPD)

The CNPD presented its annual report with the key figures for the year 2018 at a press conference in Esch/Belval today.

2018: new data protection rules

The General Data Protection Regulation[1] or 'GDPR' has been applicable since 25 May 2018. This new regulation has established a harmonised legal framework within the European Union. It was supplemented at the national level by a new law on the CNPD and a law on police and national security[2].

The system of prior notifications and authorisations that controllers had to submit to the CNPD for certain data processing operations (which was valid before 25 May 2018), was abolished. This change is in line with the new philosophy of the GDPR, which aims to make organisations that process personal data more accountable.

This paradigm shift allows the National Data Protection Commission to strengthen its advisory and monitoring roles.

A record number of inquiries and complaints

The entry into application of the new rules was accompanied by an increased awareness among professionals and individuals about data protection challenges and issues and has led to a significant increase in inquiries.

Thus, the CNPD received 1,112 written requests for information in 2018, more than double the amount received in 2017 (528 requests). Many questions concerned the compliance with the new legislation, video surveillance and the rights of data subjects.

The number of complaints from individuals, who considered that the law had not been respected or that their rights had been violated increased greatly compared to the previous year, from 200 in 2017 to 450 in 2018.

Awareness raising and guidance

The CNPD implemented various measures to raise awareness and provide advice to citizens and controllers, in particular by:

  • distributing 12,000 copies of the new brochure on citizens' rights in various strategic locations in the Grand Duchy, as part of the 'Your data? Your rights!' campaign;
  • developing new guidelines on video surveillance, the right of personal portrayal (droit à l’image), data protection rules in the context of social elections and for associations;
  • organising the conference 'Four Decades of Data Protection' in the presence of Prime Minister Xavier Bettel and the European Commissioner for Justice, Consumer Protection and Equality Vera Jourova;
  • training more than 500 people in 12 sessions on 'Data Protection Basics';
  • participating in more than 86 conferences and training sessions (Chamber of Commerce, Chamber of Skilled Trades and Crafts, ABBL, University of Luxembourg, etc.);
  • publishing a number of forms (notification of data breaches, declaration of the Data Protection Officer, request for prior consultation) aimed at simplifying the obligations of data controllers;
  • contributing to the legislative process with 27 opinions (5 more than in 2017) on draft laws and regulations related to data protection.

Development of the investigation methodology: Audits and on-site investigations

The CNPD's strategy evolved in 2018 with the implementation of so-called 'proactive' investigations. These investigations are carried out in the form of thematic audits on the new obligations under the GDPR. 25 audit procedures were opened in 2018 to verify the compliance of data controllers with the rules concerning the designation and implementation of the Data Protection Officer role.

The CNPD also carried out controls based on incidents, complaints, information from the media or previous controls. In 2018, 12 on-site investigations were carried out in the areas of video surveillance, geolocalisation, advertising and marketing.

Main cause of data breaches: human error

Since 25 May 2018, private and public actors shall notify personal data breaches to the CNPD within 72 hours after having become aware of the breach, if the violation in question is likely to result in a high risk to the rights and freedoms of natural persons. 172 data breaches were notified to the CNPD in 2018. The main cause of these violations was human error.

Future prospects

After the entry into application of the GDPR, the CNPD is consolidating its new structures and procedures. In 2019, the CNPD will continue its efforts to support various stakeholders with the implementation of the data protection rules and to strengthen the monitoring of the controllers obligations in cooperation with the other European data protection authorities.


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[2] Act of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework and Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters

Press release by the National Data Protection Commission

Last update