On 26 July 2018, during its last public session of the legislature, the Luxembourg Parliament adopted the Luxembourg bill implementing and complementing the EU General Data Protection Regulation or GDPR (Regulation No 2016/679) (click here for our comments on the initial version of the bill).
Since the GDPR is a European regulation, its provisions have been directly applicable in Luxembourg since 25 May 2018, the date of applicability of the GDPR.
However, the Member States were left a number of options when it came to implementing the GDPR. Luxembourg has made use of some of these options, in particular concerning, on the one hand the organisation of the Luxembourg data protection authority (CNPD), including its administrative sanctioning powers, and on the other hand, the introduction of more specific material provisions on processing of health data and processing of personal data for journalistic, research and monitoring in a working relationship purposes.
The adopted bill furthermore abolishes the Luxembourg Data Protection Act of 2 August 2002, as amended, and thus the various notification and authorisation requirements contained therein.
At the same session, the Luxembourg Parliament also adopted a Luxembourg law transposing the EU Directive 2016/680 on the processing of personal data by competent authorities in criminal matters.
Read more about the topic here.