OFFICIAL NEWSPAPER 
OF THE GRAND DUCHY OF LUXEMBOURG 
MEMORIAL A 
No. 689 of August 16, 2018 
Law of 1st August 2018 on the protection of individuals with regard to the processing of
personal data in criminal matters as well as in matters of national security, and amending:
1° the amended law of 7 March 1980 on the organization of the judiciary;
2° the amended law of 29 May 1998 approving the Convention on the basis of Article
K.3 of the Treaty on European Union establishing a European Police Office (Europol
Convention), signed in Brussels on July 26, 1995;
3° the law of 20 December 2002 approving - the Agreement drawn up on the basis of Article
K.3 of the Treaty on European Union, on the use of data processing in the field of customs,
signed in Brussels on July 26, 1995; - the Agreement relating to provisional application between certain
Member States of the European Union of the Convention drawn up on the basis of Article K.3 of the Treaty
on European Union, on the use of IT in the customs field, signed at
Brussels, July 26, 1995;
4° the amended law of June 15, 2004 relating to the classification of documents and
security clearances;
5° the amended law of June 16, 2004 on the reorganization of the socio-educational center of the State;
6° the amended law of 25 August 2006 relating to genetic fingerprint identification procedures
in criminal matters and amending the Code of Criminal Investigation;
7° the law of 24 June 2008 on the control of travelers in accommodation
establishments;
8° the amended law of 29 March 2013 relating to the organization of the criminal record;
9° the amended law of 19 December 2014 facilitating the cross-border exchange of information
concerning road safety offenses;
10° the amended law of July 25, 2015 establishing the automated control and sanction
system;
11° the law of 5 July 2016 on the reorganization of the State Intelligence Service;
12° the law of 23 July 2016 establishing a specific statute for certain personal
data processed by the State Intelligence Service;
13° the law of 22 February 2018 on the exchange of personal data and information
in police matters;
14° the law of 18 July 2018 on the Grand Ducal Police; and
15° the law of July 18, 2018 on the General Inspectorate of the Police.
We Henri, Grand Duke of Luxembourg, Duke of Nassau, 
Our Council of State having been heard;
With the consent of the Chamber of Deputies;
Considering the decision of the Chamber of Deputies of July 26, 2018 and that of the Council of State of July 27, 2018
stating that there is no need for a second vote;
Have ordered and order:
Chapter 1 - General Provisions
Art. 1. Purpose and scope
(1) This law applies to the processing of personal data carried out for the purposes of
the prevention and detection of criminal offenses, the investigation and prosecution thereof or the execution
of criminal sanctions, including protection against threats to public security and the prevention
of such threats, by any competent public authority or any other body or entity entrusted,
for these same purposes, with the exercise of public authority and the prerogatives of public power,
hereinafter referred to as "competent authority".
(2) This law also applies to the processing of personal data carried out:
a) by the Grand Ducal Police in the performance of missions for purposes other than those referred to in paragraph
1 and provided for by special laws,
b) by the State Intelligence Service in the execution of its missions provided for in Article 3 of the law
of 5 July 2016 on the reorganization of the State Intelligence Service,
c) by the National Security Authority in the performance of its missions provided for in Article 20 of the amended law
of June 15, 2004 relating to the classification of documents and security clearances,
d) by the Luxembourg Army in the performance of its missions provided for in Article 2 of the amended law of
July 23, 1952 concerning the military organization,
e) by the Financial Intelligence Unit in the performance of its missions provided for in Articles 74-1 to
74-6 of the amended law of March 7, 1980 on judicial organization, and
f) by the Luxembourg authorities in the context of activities falling within the scope of Title
V, Chapter 2, of the Treaty on European Union on the common foreign and security policy.
(3) This law applies to the processing of personal data, automated in whole or in
part, as well as to the non-automated processing of personal data contained in or intended to
appear in a file.
Art. 2. Definitions 
(1) For the purposes of this law, the following terms are understood to mean: 
1° "personal data": any information relating to an identified or identifiable natural
person, hereinafter referred to as "data subject"; an "identifiable natural person" is deemed to be
a natural person who can be identified, directly or indirectly, in particular
by reference to an identifier, such as a name, an identification number, location data,
an online identifier, or to one or more elements specific to their physical,
physiological, genetic, psychological, economic, cultural or social identity;
2° "processing": any operation or set of operations, whether or not carried out with the aid of
automated processes, applied to personal data or sets of
personal data, such as collection, recording, organization, structuring,
preservation, adaptation or modification, extraction, consultation, use, communication
by transmission, dissemination or any other form of making available, bringing together or
interconnection, limitation, erasure or destruction;
3° "limitation of processing": the marking of stored personal data in order to limit
their future processing;
4° "profiling": any form of automated processing of personal data consisting of using
these personal data to evaluate certain personal aspects relating to a natural
person, in particular to analyze or predict elements relating to that person's work performance,
economic situation, health, personal preferences, interests, reliability, behavior,
location or movements;
5° "pseudonymization": the processing of personal data in such a way that they
can no longer be attributed to a specific data subject without resorting to additional
information, provided that this additional information is kept separately and
subject to technical and organizational measures to ensure that the personal
data are not attributed to an identified or identifiable natural person;
6° "file": any structured set of personal data accessible according to determined
criteria, whether this set is centralized, decentralized or distributed on a functional or
geographic basis;
7 ° “competent authority”: 
a) any public authority competent for the prevention and detection of criminal offenses,
the investigation and prosecution thereof or the execution of criminal sanctions, including protection
against threats to public security and the prevention of such threats, as well as
civil servants and agents of administrations and public services to whom special laws have allocated
certain administrative or judicial police powers, under the conditions and within the limits set
by these laws, or
b) any other body or entity to which the law of a Member State confers the exercise of public authority
and the prerogatives of public power for the purposes of the prevention and detection of criminal
offenses, the investigation and prosecution thereof or the execution of criminal sanctions, including
protection against threats to public security and the prevention of such threats;
8 ° "controller": the competent authority which, alone or jointly with others, determines 
the purposes and means of the processing of personal data; when the purposes and 
means of this processing are determined by European Union or Luxembourg law, 
the controller or the specific criteria applicable to his appointment may be provided for 
by European Union or Luxembourg law; 
9° "processor": the natural or legal person, public authority, service or other body
that processes personal data on behalf of the controller;
10° "recipient": the natural or legal person, public authority, department or any other body
that receives communication of personal data, whether or not it is a third party. However,
public authorities that are likely to receive communication of personal data
within the framework of a specific fact-finding mission in accordance with the law are not
considered recipients; the processing of these data by the public authorities in
question complies with the applicable data protection rules according to the
purposes of the processing;
11° "personal data breach": a breach of security resulting, in an accidental or unlawful
manner, in the destruction, loss, alteration or unauthorized disclosure of personal
data transmitted, stored or otherwise processed, or in unauthorized access to
such data;
12° "genetic data": personal data relating to the hereditary or acquired genetic
characteristics of a natural person that give unique information about the
physiology or state of health of that natural person and which result, in particular, from an analysis
of a biological sample of the natural person in question;
13° "biometric data": personal data resulting from specific technical
processing, relating to the physical, physiological or behavioral characteristics of a
natural person, which allow or confirm their unique identification, such as facial images
or fingerprint data;
14° "data concerning health": personal data relating to the physical or
mental health of a natural person, including the provision of health care, which reveal information
on that person's state of health;
15 ° “supervisory authority”: 
a) the supervisory authority established by the law of 1st August 2018 on the organization of the National
Commission for Data Protection and the general data protection regime, hereinafter
designated as the "National Commission for Data Protection", and
b) the judicial supervisory authority established by Article 40;
16° "international organization": an international organization and the bodies governed by public
international law under it, or any other body that is created by an agreement between two or more countries,
or under such an agreement, including the International Criminal Police Organization (ICPO - Interpol).
(2) For the purposes of this law, when the concepts used are not defined in paragraph
1, the definitions of Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of individuals with regard to the processing of personal data
and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation), hereinafter referred to as "Regulation (EU) No 2016/679", are applicable.
Chapter 2 - Principles 
Art. 3. Principles relating to the processing of personal data 
(1) The personal data covered by this law are: 
a) processed lawfully and fairly; 
b) collected for specific, explicit and legitimate purposes and are not processed in a manner 
incompatible with these purposes; 
c) adequate, relevant and not excessive in relation to the purposes for which they are processed; 
d) accurate and, if necessary, kept up to date; all reasonable steps must be taken to ensure that
personal data that are inaccurate, having regard to the purposes for which they are
processed, are erased or rectified without delay;
e) kept in a form allowing the identification of the data subjects for a period
not exceeding that necessary with regard to the purposes for which they are processed;
f) processed in such a way as to ensure appropriate security of personal data, including
protection against unauthorized or unlawful processing and against accidental loss, destruction or
damage, using appropriate technical or organizational measures.
(2) Processing carried out, by the same or by another controller, for one of the purposes
set out in Article 1, other than those for which the data were collected, is permitted if
it is necessary and proportionate for this purpose, subject to compliance with the provisions of
this chapter and of chapters IV and V.
(3) These processing operations, by the same or by another controller, may include archiving
in the public interest, for scientific, statistical or historical purposes, for one of the purposes stated
in Article 1.
(4) The controller is responsible for compliance with paragraphs 1, 2 and 3 and is able
to demonstrate that these provisions are respected.
Art. 4. Retention and review periods 
(1) The controller sets appropriate deadlines for the erasure of personal data
or for the regular verification of the need to keep personal data.
The deadlines are to be set having regard to the purpose of the processing.
(2) The controller establishes procedural rules to ensure compliance with these deadlines,
which determine the persons intervening in the name and on behalf of the controller in this
procedure, including the data protection officer, as well as the deadlines within which these
persons must perform their respective tasks. The procedural rules are made available
to the data subject in accordance with Article 11 and to the competent supervisory authority at its
request.
Art. 5. Distinction between different categories of data subjects 
The controller establishes, where appropriate and as far as possible, a clear distinction 
between the personal data of different categories of data subjects, such as: 
a) persons in respect of whom there are substantial grounds for believing that they have committed or are
on the point of committing a criminal offense;
b) persons convicted of a criminal offense; 
c) victims of a criminal offense or persons about whom certain facts give reason to believe 
that they could be victims of a criminal offense, and 
d) third parties to a criminal offense, such as persons who may be called upon to testify during investigations 
in connection with criminal offenses or subsequent criminal proceedings, persons who may 
provide information about criminal offenses, or contacts or associates of any of the 
persons referred to in letters a) and b). 
Art. 6. Distinction between personal data and verification of the quality of personal
data
(1) Personal data based on facts are, as far as possible, distinguished
from those based on personal assessments.
(2) The competent authorities shall take all reasonable measures to ensure that personal
data that are inaccurate, incomplete or out of date are not transmitted or made
available. To this end, each competent authority verifies, as far as possible, the quality of
personal data before they are transmitted or made available. As far as possible,
during any transmission of personal data, the necessary information is added
allowing the receiving competent authority to judge the accuracy, completeness and reliability, as well as
the level of updating, of the personal data in question.
(3) If it turns out that inaccurate personal data have been transmitted or that personal
data have been transmitted illegally, the recipient is informed without delay. In this
case, the personal data are rectified or erased or their processing is restricted in accordance with
Article 16.
Art. 7. Lawfulness of processing 
(1) The processing is only lawful if and to the extent that it is necessary for the performance of the tasks of
the competent authority defined in Article 2, paragraph 1, item 7°, for the purposes set out in Article
1 and when this mission is carried out in application of legislative provisions governing the
competent authority referred to.
(2) The processing ensures the proportionality of the retention period of personal data, 
taking into account the purpose of the file and the nature or seriousness of the offenses and facts concerned. 
Art. 8. Specific conditions applicable to processing 
(1) Personal data collected by the competent authorities for the purposes stated
in Article 1 cannot be processed for purposes other than those set out therein, unless such processing
is authorized by European Union law or by a provision of Luxembourg law. In that case,
the processing of this data is carried out in accordance with the provisions of Regulation (EU) No 2016/679 or
of the law of 1st August 2018 on the organization of the National Commission for Data Protection
and the general data protection regime.
(2) When competent authorities are responsible for carrying out tasks other than those set out in
Article 1, Regulation (EU) No 2016/679 or, where applicable, the law of 1st August 2018 on the organization of
the National Commission for Data Protection and the general data protection regime
apply to the processing of data carried out for such purposes, including for archival purposes in the
public interest, for scientific or historical research, or for statistical purposes.
(3) When European Union law or a provision of Luxembourg law applicable to the competent
authority which transmits the data makes their processing subject to specific conditions, the
competent authority transmitting the data informs the recipient of these personal data of these
conditions and of the obligation to respect them.
(4) The competent authority transmitting the data does not apply to recipients in other Member
States or to the services, bodies and agencies established under Chapters 4 and 5 of Title V of the Treaty
on the Functioning of the European Union conditions under paragraph 3 different from those
applicable to transfers of similar data to other competent authorities established in the territory
of the Grand Duchy of Luxembourg.
Art. 9. Processing of special categories of personal data 
The processing of personal data which reveals racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union membership, and the processing of
genetic data, biometric data for the purpose of uniquely identifying a natural person,
health-related data or data relating to the sexual life or sexual orientation
of a natural person are authorized only in case of absolute necessity, subject to appropriate
guarantees for the rights and freedoms of the data subject, and only:
a) when authorized by European Union law or in application of this law or another
provision of Luxembourg law;
b) to protect the vital interests of the data subject or of another natural person, or
c) when the processing relates to data clearly made public by the data subject.
Art. 10. Automated individual decision-making 
(1) Any decision based exclusively on automated processing, including profiling, which produces
adverse legal effects for the data subject or significantly affects them, is prohibited,
unless it is authorized by a national legal provision or by the law of the European Union and
the controller provides appropriate guarantees for the rights and freedoms of the data
subject, and at least the right to obtain human intervention from the controller.
(2) The decisions referred to in paragraph 1 are not based on the special categories of personal
data referred to in Article 9, unless appropriate measures to safeguard the
rights and freedoms and legitimate interests of the data subject are in place.
(3) Any profiling which results in discrimination against natural persons on the basis of 
special categories of personal data referred to in Article 9 is prohibited. 
Chapter 3 - Rights of the data subject 
Art. 11. Communication and modalities for exercising the rights of the data subject 
(1) The controller shall take reasonable steps to provide any information referred to in
Article 12 and make any communication relating to processing under Article 10, Articles 13
to 17 and Article 30 to the data subject in a concise, understandable and easily accessible manner,
in clear and simple terms. The information is provided by any appropriate means, including by
electronic means. In general, the controller provides information in the same form
as the request.
(2) The controller facilitates the exercise of the rights conferred on the data subject by article 
10 and Articles 13 to 17. 
(3) The controller shall inform the data subject in writing as soon as possible of the 
follow-up given to his request. 
(4) No payment is required for providing the information referred to in Article 12 or for carrying out any
communication or taking any action under Article 10, Articles 13 to 17 and Article 30. When
the requests of a data subject are manifestly unfounded or excessive, in particular because
of their repetitive nature, the controller can:
a) either require the payment of a reasonable fee which takes into account the administrative costs incurred to
provide the information, communicate or take the measures requested, or
b) refuse to act on the request.
It is the responsibility of the controller to demonstrate the manifestly unfounded or excessive nature of
the request.
(5) When the controller has reasonable doubts as to the identity of the natural person
submitting the request referred to in Articles 13 or 15, it may request that the information
necessary to confirm the identity of the data subject be provided to it.
Art. 12. Information to be made available to or provided to the data subject 
(1) The controller makes available to the data subject at least the following
information:
a) the identity and contact details of the controller; 
b) the contact details of the data protection officer; 
c) the purposes of the processing for which the personal data are intended; 
d) the right to lodge a complaint with one of the two supervisory authorities referred to in Articles 39 and 
40 and the contact details of the said authority; 
e) the existence of the right to request from the controller access to personal data, 
their rectification or erasure, and limitation of the processing of personal data 
relating to a data subject. 
(2) In addition to the information referred to in paragraph 1, the controller provides the data
subject, in specific cases, with the following additional information in order to enable them to exercise
their rights:
a) the legal basis for the processing; 
b) the retention period for personal data or, where this is not possible, the criteria 
used to determine this duration; 
c) where applicable, the categories of recipients of personal data, including in 
third countries or within international organizations; 
d) if necessary, additional information, in particular where the personal data 
are collected without the knowledge of the data subject. 
(3) The controller may delay or limit the provision of the information to the data
subject pursuant to paragraph 2, or not provide this information, where and for as long
as a measure of this nature constitutes a necessary and proportionate measure in a democratic
society, having regard to the purpose of the processing concerned, and taking due account of the fundamental
rights and legitimate interests of the natural person concerned, in order to:
a) avoid interfering with official or judicial inquiries, research or proceedings;
b) avoid prejudicing the prevention or detection of criminal offenses, the investigation or prosecution
thereof or the execution of criminal sanctions;
c) protect public safety;
d) protect national security and national defense; or
e) protect the rights and freedoms of others.
Art. 13. Right of access by the data subject 
Subject to Article 14, the data subject has the right to obtain from the controller
confirmation as to whether or not personal data concerning them are processed and, when they
are, access to said data as well as the following information:
a) the purposes of the processing as well as its legal basis;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been
communicated, in particular recipients who are established in third countries or international
organizations;
d) where possible, the planned retention period for personal data or, 
where this is not possible, the criteria used to determine this duration; 
e) the existence of the right to request from the controller the rectification or erasure of personal
data, or the limitation of the processing of personal data relating to the
data subject;
f) the right to lodge a complaint with one of the two competent supervisory authorities referred to in
Articles 39 and 40 and the contact details of the said authority;
g) the communication of personal data being processed, as well as any information 
available as to their source. 
Art. 14. Limitations of the right of access 
(1) The controller may limit, in whole or in part, the data subject's right of access,
where and for as long as such partial or complete limitation constitutes a necessary and
proportionate measure in a democratic society, having regard to the purpose of the processing concerned,
and taking due account of the fundamental rights and legitimate interests of the natural person
concerned, in order to:
a) avoid interfering with official or judicial inquiries, research or proceedings;
b) avoid prejudicing the prevention or detection of criminal offenses, the investigation or prosecution
thereof or the execution of criminal sanctions;
c) protect public safety;
d) protect national security and national defense; or
e) protect the rights and freedoms of others.
(2) In the cases referred to in paragraph 1, the controller shall inform the data subject in
writing, as soon as possible, of any refusal or limitation of access, as well as the reasons for the refusal
or limitation. This information may be withheld when its communication is likely to
compromise one of the objectives set out in paragraph 1. The controller informs the data
subject of the possibilities to lodge a complaint with the competent supervisory authority or
to lodge a judicial appeal.
(3) The controller shall record the factual or legal grounds on which the decision is based. 
This information is made available to the competent supervisory authority. 
Art. 15. Right to rectification or erasure of personal data and limitation of
processing
(1) The controller rectifies as soon as possible personal data
of the data subject that are inaccurate. Taking into account the purposes of the processing, incomplete
personal data of the data subject are completed, including by an additional
declaration provided by the data subject for this purpose.
(2) The controller shall erase the personal data of the data subject as soon as
possible when the processing of such data constitutes a violation of the provisions provided for
by Articles 3, 7 or 9, or when the personal data must be erased in order to comply with
a legal obligation to which the controller is subject.
(3) Instead of erasing, the controller limits processing when:
a) the accuracy of the personal data is contested by the data subject and it cannot
be determined whether the data are correct or not, or
b) personal data must be kept for evidentiary purposes.
When processing is limited under the first subparagraph, letter a), of this paragraph, the
controller informs the data subject before lifting the limitation of processing.
(4) The controller shall inform the data subject in writing of any refusal to rectify or erase
personal data or to limit the processing, as well as the reasons for the refusal. The
controller may limit, in whole or in part, the provision of this information, where such a limitation
constitutes a necessary and proportionate measure in a democratic society, having regard to the purpose of
the processing concerned, and taking due account of the fundamental rights and legitimate interests of the
natural person concerned, in order to:
a) avoid interfering with official or judicial inquiries, research or proceedings;
b) avoid prejudicing the prevention or detection of criminal offenses, the investigation or prosecution
thereof or the execution of criminal sanctions;
c) protect public safety;
d) protect national security and national defense; or
e) protect the rights and freedoms of others.
The controller informs the data subject of the possibilities to lodge a complaint
with a supervisory authority or to appeal to the courts.
(5) The controller communicates the rectification of inaccurate personal data 
to the competent authority from which the inaccurate personal data originated. 
(6) When personal data have been rectified or erased or the processing has been limited
under paragraphs 1, 2 and 3, the controller sends a notification to the recipients so
that they rectify or erase the personal data or limit the processing of the personal
data under their responsibility.
Art. 16. Exercise of the rights of the data subject and verification by the supervisory authority 
(1) In the cases referred to in Article 12, paragraph 3, Article 14, paragraph 1, and Article 15, paragraph
4, the rights of the data subject can be exercised through the competent supervisory
authority.
(2) The controller shall inform the data subject of the possibility of exercising their
rights through the competent supervisory authority pursuant to paragraph 1.
(3) When the right referred to in paragraph 1 is exercised, the competent supervisory authority shall at least
inform the data subject that it has carried out all the necessary verifications or an examination. The
supervisory authority also informs the data subject of their right to appeal to a court.
Art. 17. Rights of data subjects during judicial inquiries and criminal proceedings 
When the personal data relate to facts which are the subject of a preliminary
investigation or a preparatory investigation, which have been referred to a trial court, which are
the subject of a citation, or when the competent authority on the basis of the amended law of 10 August 1992 on
youth protection is seized of these facts, the rights referred to in Articles 12, 13 and 15 are exercised
in accordance with the provisions of the Code of Criminal Procedure or other applicable legal provisions.
Chapter 4 - Controller and processor 
Section 1 - General Obligations
Art. 18. Obligations of the controller
(1) The controller, taking into account the nature, scope, context and purposes of the
processing as well as the risks, varying in probability and severity, for the rights and freedoms
of natural persons, implements the appropriate technical and organizational measures to
ensure and be able to demonstrate that the processing is carried out in accordance with this law. These
measures are reviewed and updated, if necessary.
(2) When proportionate to the processing activities, the measures referred to in paragraph
1 include the implementation of appropriate data protection policies by the
controller.
Art. 19. Data protection by design and data protection by default 
(1) Taking into account the state of knowledge, the costs of implementation and the nature, scope,
context and purposes of the processing as well as the risks, of varying probability and severity,
that the processing presents for the rights and freedoms of natural persons, the controller
implements, both when determining the means of processing and during the processing itself,
appropriate technical and organizational measures, such as pseudonymization, which are
intended to implement the principles of data protection, for example data minimization,
effectively and to provide the processing with the necessary guarantees, in order to meet the
requirements of this law and to protect the rights of the data subjects.
(2) The controller implements the appropriate technical and organizational measures
to ensure that, by default, only the personal data that are necessary for
each specific purpose of the processing are processed. This obligation applies to the amount of
personal data collected, to the extent of their processing, their retention period and their
accessibility. In particular, these measures ensure that, by default, personal data
are not made accessible to an unspecified number of natural persons without the intervention of
the person concerned.
Art. 20. Joint controllers 
(1) When two or more controllers jointly determine the purposes and means
of processing, they are joint controllers. Joint controllers
transparently define, by agreement between them, their respective obligations to ensure compliance with the
law, in particular with regard to the exercise of the rights of the data subject, and their respective
obligations as regards the communication of the information referred to in Articles 11 and 12.
The single point of contact for data subjects, so that they can exercise their
rights, is designated in the agreement.
(2) Notwithstanding the terms of the agreement referred to in paragraph 1, the data subject may exercise
the rights conferred on them by this law with regard to and against each of the controllers.
Art. 21. Processor
(1) When processing is to be carried out on its behalf, the controller uses only
processors who provide sufficient guarantees regarding the implementation of appropriate
technical and organizational measures so that the processing meets the requirements of
this law and guarantees the protection of the rights of the data subject.
(2) The processor does not engage another processor without the prior written authorization, specific or
general, of the controller. In the case of a general written authorization, the processor
informs the controller of any planned changes regarding the addition or replacement
of other processors, thus giving the controller the possibility to raise objections to
these changes.
(3) The processing by a processor is governed by a contract or other legal act under the law of
the European Union, Luxembourg law or the law of another Member State, which binds the processor
with regard to the controller and which defines the object and duration of the processing, the nature and the purpose
of the processing, the type of personal data and the categories of data subjects and
the obligations and rights of the controller. This contract or other legal act provides,
in particular, that the processor:
a) acts only on instructions from the controller;
b) ensures that the persons authorized to process personal data undertake to respect
confidentiality or are subject to an appropriate legal obligation of confidentiality;
c) helps the controller, by any appropriate means, to ensure compliance with the provisions relating to
the rights of the data subject;
d) depending on the choice of the controller, deletes all personal data or
returns them to the controller at the end of the provision of data processing services,
and destroys the existing copies, unless a legal provision requires the retention of the
personal data;
e) makes available to the controller all the information necessary to provide
proof of compliance with this article;
f) complies with the conditions referred to in paragraphs 2 and 3 for engaging another processor.
(4) The contract or other legal act referred to in paragraph 3 shall be in written form, including
electronic form.
(5) If, in violation of this law, a processor determines the purposes and means of the processing, it
is considered a controller with regard to this processing.
Art. 22. Processing carried out under the authority of the controller or processor 
The processor, and any person acting under the authority of the controller or under that of the
processor, who has access to personal data, only processes them on the instructions of the
controller, unless required to do so by a legal provision.
Art. 23. Record of processing activities 
(1) Controllers keep a register of all categories of processing activities
carried out under their responsibility. This register contains all of the following information:
a) the name and contact details of the controller and, where applicable, of the joint controller
and of the data protection officer;
b) the purposes of the processing;
c) the categories of recipients to whom the personal data have been or will be
communicated, including recipients in third countries or international organizations;
d) a description of the categories of data subjects and the categories of personal
data;
e) where appropriate, recourse to profiling;
f) where applicable, the categories of transfers of personal data to a third country or to an
international organization;
g) an indication of the legal basis of the processing operation, including transfers, for which the
personal data are intended;
h) as far as possible, the deadlines for the erasure of the different categories of personal
data;
i) where possible, a general description of the technical and organizational security measures
referred to in Article 28, paragraph 1.
(2) Each processor shall keep a register of all categories of processing activities carried out on
behalf of the controller, including:
a) the name and contact details of the processor or processors, of each controller on behalf of
which the processor acts and, where applicable, of the data protection officer;
b) the categories of processing carried out on behalf of each controller;
c) where applicable, transfers of personal data to a third country or to an international
organization, when expressly instructed to do so by the controller, including
the identification of this third country or this international organization;
d) where possible, a general description of the technical and organizational security measures
referred to in Article 28, paragraph 1.
(3) The records referred to in paragraphs 1 and 2 shall be in written form, including
electronic form. The controller and the processor make these records available to
the supervisory authority, on request.
Art. 24. Logging 
(1) Logs are established for at least the following processing operations in automated
processing systems: the collection, modification, consultation, communication, including
transfers, interconnection and erasure. Logs of consultation and communication operations
make it possible to establish the reason, the date and time of these and the identification of the person who consulted
or communicated the personal data, as well as the identity of the recipients of these personal
data.
(2) The logs are used only for the purpose of verifying the lawfulness of the processing, self-checking,
guaranteeing the integrity and security of personal data and for the purposes of criminal
proceedings.
(3) The controller and the processor shall make the logs available to the supervisory
authority on request.
Art. 25. Cooperation with the competent supervisory authority 
The controller and the processor cooperate with the competent supervisory authority, at the
request of the latter, in the performance of its missions.
Art. 26. Data protection impact assessment 
(1) When a type of processing, in particular through the use of new technologies, and taking into account
the nature, scope, context and purposes of the processing, is likely to give rise to a high risk
for the rights and freedoms of natural persons, the controller carries out, prior to the
processing, an analysis of the impact of the planned processing operations on the protection of
personal data.
(2) The analysis referred to in paragraph 1 contains at least a general description of the planned
processing operations, an assessment of the risks to the rights and freedoms of the data subjects, the
measures envisaged to deal with these risks, and the guarantees, security measures and mechanisms aimed at
ensuring the protection of personal data and providing proof of compliance with the law, taking
into account the rights and legitimate interests of data subjects and other affected persons.
Art. 27. Prior consultation of the competent supervisory authority 
(1) The controller or processor consults the competent supervisory authority prior
to the processing of personal data which will be part of a new file to be created:
a) where a data protection impact assessment, as provided for in Article 26,
indicates that the processing would present a high risk if the controller did not take
measures to mitigate the risk, or
b) when the type of processing, in particular due to the use of new mechanisms,
technologies or procedures, presents high risks to the freedoms and rights of the individuals
concerned.
(2) The competent supervisory authority is consulted in the context of the preparation of a draft law or a
draft grand-ducal regulation relating to processing.
(3) The supervisory authority may establish a list of processing operations to be subject to
prior consultation pursuant to paragraph 1.
(4) The controller provides the supervisory authority with the impact assessment relating to the protection of
data under Article 26 and, upon request, any other information to enable the supervisory
authority to assess the compliance of the processing and, in particular, the risks for the protection of the
personal data of the data subject and the related guarantees.
(5) Where the competent supervisory authority is of the opinion that the planned processing referred to in paragraph 1 would constitute a violation of this law, in particular when the controller has not
sufficiently identified or mitigated the risk, the competent supervisory authority shall provide, within a maximum of six weeks from receipt of the consultation request, a written notice to the
controller, and where applicable to the processor, and it may make use of the powers referred to in
Article 14 of the Law of 1 August 2018 on the organization of the National Commission for Data
Protection and the general data protection regime or Article 43 of this law, depending on
the competent supervisory authority. This period may be extended by one month, depending on the complexity of the planned processing. The supervisory authority informs the controller and, where applicable, the
processor of any extension within one month of receipt of the consultation request,
as well as of the reasons for the delay.
Section 2 - Data security 
Art. 28. Security of processing 
(1) Taking into account the state of knowledge, the costs of implementation and the nature, scope,
context and purposes of the processing as well as the risks, of varying probability and severity, for the rights and freedoms of natural persons, the controller and the processor
implement the appropriate technical and organizational measures to guarantee a level of security
adapted to the risk, in particular with regard to the processing relating to the specific categories of
personal data referred to in Article 9.
(2) With regard to automated processing, the controller or the processor shall
implement, following a risk assessment, measures to:
a) prevent any unauthorized person from accessing the facilities used for processing (control
of access to facilities);
b) prevent data carriers from being read, copied, modified or deleted in an unauthorized
manner (control of data carriers);
c) prevent the unauthorized entry of personal data into the file, as well as the
unauthorized inspection, modification or deletion of stored personal data
(conservation control);
d) prevent automated processing systems from being used by unauthorized
persons using data transmission facilities (user control);
e) ensure that persons authorized to use an automated processing system can access
only the personal data to which their authorization relates (control of access to
data);
f) ensure that it can be verified and ascertained to which bodies personal data have
been or may be transmitted or made available by data transmission facilities
(transmission control);
g) ensure that it can be verified and ascertained a posteriori which personal data have been
introduced into automated processing systems, and when and by whom they
have been introduced (control of the introduction);
h) prevent, during the transmission of personal data as well as the transport of
data carriers, the data from being read, copied, modified or deleted in an unauthorized
manner (transport control);
i) ensure that installed systems can be restored in the event of an interruption (restore);
j) ensure that system functions operate, that operating errors are reported
(reliability) and that the stored personal data cannot be corrupted by a
system malfunction (integrity).
Art. 29. Notification to the supervisory authority of a personal data breach 
(1) In the event of a personal data breach, the controller shall notify the breach
in question to the competent supervisory authority as soon as possible and, if possible, within
72 hours at the latest after becoming aware of it, unless the violation
in question is unlikely to create risks for the rights and freedoms of a natural person. When the
notification to the supervisory authority does not take place within 72 hours, it is accompanied by the reasons for the delay.
(2) The processor notifies the controller of any personal data breach
as soon as possible after becoming aware of it.
(3) The notification referred to in paragraphs 1 and 2 must at least:
a) describe the nature of the personal data breach including, where possible, the categories and
approximate number of persons affected by the violation and the categories and the approximate number
of records of personal data concerned;
b) communicate the name and contact details of the data protection officer or of another point of
contact from which further information can be obtained;
c) describe the likely consequences of the personal data breach, and
d) describe the measures taken or that the controller proposes to take to remedy the
personal data breach, including, where applicable, measures to mitigate its
possible negative consequences.
(4) If and to the extent that it is not possible to provide all the information at the same time, the
information may be communicated in stages without further undue delay.
(5) The controller shall document any personal data breach referred to in
paragraph 1, stating the facts regarding the personal data breach, its effects and
the measures taken to remedy the situation, so that the documentation thus constituted enables the supervisory authority to verify compliance with this article.
(6) When the personal data breach relates to personal data which
have been transmitted by or to the controller of another Member State, the information
referred to in paragraph 3 shall be communicated to the controller of that Member State as soon
as possible.
Art. 30. Communication to the data subject of a personal data breach 
(1) When a personal data breach is likely to create a high risk for 
the rights and freedoms of a natural person, the controller communicates the violation to 
the person concerned as soon as possible. 
(2) The communication to the person referred to in paragraph 1 describes, in clear and
simple terms, the nature of the personal data breach and contains at least the information and
the measures referred to in Article 29, paragraph 3, letters b), c) and d).
(3) The communication to the person referred to in paragraph 1 is not necessary if one or
the other of the following conditions is met:
a) the controller has implemented the appropriate technical and organizational protection
measures and these have been applied to the personal data affected by the said
violation, in particular measures that make personal data incomprehensible
for anyone who is not authorized to access it, such as encryption;
b) the controller has taken subsequent measures which ensure that the high risk for
the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to
materialize;
c) it would require disproportionate effort. In this case, a public communication
or a similar measure is made instead, allowing data subjects to be informed in an equally
effective manner.
(4) If the controller has not already communicated to the data subject the breach of 
personal data concerning him, the supervisory authority may, after examining whether this 
violation is likely to generate a high risk, require the controller to proceed to 
such communication or decide that one or other of the conditions referred to in paragraph 3 is fulfilled. 
(5) The communication to the person referred to in paragraph 1 may be delayed, limited or omitted,
subject to the conditions and for the reasons referred to in Article 12 (3). 
Section 3 - Data protection officer 
Art. 31. Appointment of the data protection officer 
(1) The controller appoints a data protection officer. 
(2) The data protection officer is appointed on the basis of his professional qualities and,
in particular, his specialized knowledge of the law and practices relating to data
protection, and his ability to perform the tasks referred to in Article 33.
(3) A single data protection officer may be appointed for several competent authorities, 
given their organizational structure and size. 
(4) The controller publishes the contact details of the data protection officer and
communicates them to the supervisory authority.
Art. 32. Function of the data protection officer 
(1) The controller ensures that the data protection officer is involved, in an
appropriate and timely manner, in all matters relating to the protection of personal
data.
(2) The controller helps the data protection officer to perform the tasks
referred to in Article 33 by providing the resources necessary to carry out these tasks as well as access
to personal data and processing operations, and by allowing him to maintain his specialized
knowledge.
Art. 33. Tasks of the data protection officer 
The controller entrusts the data protection officer with at least the following tasks:
a) inform and advise the controller and the employees who carry out the processing on the
obligations incumbent on them by virtue of this law and other provisions of European Union
law or Luxembourg data protection law;
b) monitor compliance with this law, other provisions of European Union law or
Luxembourg law on data protection and the internal rules of the controller
in terms of the protection of personal data, including with regard to the
allocation of responsibilities, awareness and training of personnel involved in processing
operations, and related audits;
c) provide advice, upon request, on the impact assessment relating to the protection of
data and verify the execution thereof in accordance with Article 26;
d) cooperate with the competent supervisory authority;
e) act as a point of contact for the data subject and the supervisory authority on matters
relating to processing, including the prior consultation referred to in Article 27, and carry out consultations,
if applicable, on any other subject related to its missions.
Chapter 5 - Transfers of personal data 
to third countries or international organizations 
Art. 34. General principles applicable to transfers of personal data 
(1) A transfer, by competent authorities, of personal data which are being processed or are intended
to be processed after their transfer to a third country or to an international organization,
including onward transfers to another third country or to another international organization, takes place, subject to compliance with the other provisions of this law, only when the conditions defined in
this chapter are complied with, namely:
a) the transfer is necessary for the purposes stated in Article 1;
b) the personal data are transferred to a controller in a third country or
to an international organization that is a competent authority for the purposes referred to in Article 1;
c) in the event of the transmission or provision of personal data from another
Member State, the latter has previously authorized this transfer in accordance with its national law;
d) the European Commission has adopted an adequacy decision pursuant to Article 35 or, in
the absence of such a decision, appropriate guarantees have been provided or exist in application of
Article 36 or, in the absence of an Article 35 adequacy decision and appropriate safeguards
in accordance with Article 36, derogations for special situations apply by virtue of
Article 37;
e) in the event of a subsequent transfer to another third country or to another international organization, the
competent authority that carried out the initial transfer or another competent authority in the same Member State authorizes the onward transfer, after due consideration of all relevant factors,
including the gravity of the criminal offense, the purpose for which the personal data were
initially transferred and the level of protection of personal data in the third
country or within the international organization to which the personal data
are subsequently transferred.
(2) Transfers without prior authorization from another Member State under paragraph 1,
letter c), are only authorized when the transfer of personal data is necessary
for the purpose of preventing a serious and immediate threat to the public security of a Member State or
of a third country or to the essential interests of a Member State and if the prior authorization cannot
be obtained in good time. The authority responsible for granting prior authorization is informed
without delay.
(3) All the provisions of this chapter are applied in such a way that the level of protection of
natural persons ensured by this law is not compromised.
Art. 35. Transfers on the basis of an adequacy decision 
(1) A transfer of personal data to a third country or to an international organization may
take place when the European Commission, pursuant to Article 36 of Directive (EU) 2016/680 of the
European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to
the processing of personal data by the competent authorities for the purposes of prevention and
detection of criminal offenses, investigation and prosecution in the matter or execution of criminal
sanctions, and the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, hereinafter designated as "Directive (EU) No 2016/680", has found by decision that the third country,
a territory or one or more specified sectors in that third country, or the international organization in
question ensures an adequate level of protection. Such a transfer does not require specific authorization.
(2) A decision adopted under Article 36 (5) of Directive (EU) No 2016/680 is
without prejudice to transfers of personal data to the third country, the territory or one or
several specified sectors in this third country, or to the international organization in question, carried out
in application of Articles 36 and 37.
Art. 36. Transfers with appropriate guarantees 
(1) In the absence of a decision under Article 35, a transfer of personal data to a 
third country or to an international organization may take place when: 
a) appropriate safeguards with regard to the protection of personal data are 
provided in a legally binding instrument, or 
b) the controller has assessed all the circumstances of the transfer and considers that there are 
appropriate guarantees with regard to the protection of personal data. 
(2) The controller informs the competent supervisory authority of the categories of transfers
under paragraph 1, letter b).
(3) Where a transfer is made on the basis of paragraph 1, letter b), this transfer is documented and
the documentation is made available to the competent supervisory authority, on request, and includes the
date and time of the transfer, information on the receiving competent authority, the justification for the transfer
and the personal data transferred.
Art. 37. Exemptions for special situations 
(1) In the absence of an adequacy decision under Article 35 or appropriate safeguards under 
Article 36, a transfer or category of transfers of personal data to a third country 
or to an international organization can only take place if the transfer is necessary: 
(a) to protect the vital interests of the data subject or of another person; 
b) to safeguard the legitimate interests of the data subject; 
c) to prevent a serious and immediate threat to the public security of a Member State or of a third
country;
d) in individual cases, for the purposes set forth in Article 1, or
e) in a particular case, for the establishment, exercise or defense of legal claims relating to
the purposes set out in Article 1.
(2) Personal data are not transferred if the competent authority transferring the
data considers that the fundamental rights and freedoms of the data subject outweigh the public
interest in the context of the transfer referred to in paragraph 1, letters d) and e).
(3) Where a transfer is made on the basis of paragraph 1, letter b), this transfer is documented and
the documentation is made available to the supervisory authority, on request, and indicates the date and time
of the transfer, provides information on the receiving competent authority, and indicates the justification for the transfer and the personal data transferred.
Art. 38. Transfers of personal data to recipients established in third countries 
(1) Notwithstanding Article 34, paragraph 1, letter b), and without prejudice to any international agreement referred to in paragraph 2, the competent authorities within the meaning of Article 2 (7) (a) may, in certain
special cases, transfer personal data directly to recipients established in
third countries, only when the other provisions of this law are respected and all
the following conditions are met:
a) the transfer is strictly necessary for the performance of the mission of the competent authority transferring the data as provided for by the law of the European Union or for the purposes stated in Article 1;
b) the competent authority transferring the data establishes that there are no fundamental freedoms
or rights of the data subject which prevail over the public interest requiring the transfer in the
case in question;
c) the competent authority which transfers the data considers that the transfer to an authority which is competent for the purposes referred to in Article 1 in the third country is ineffective or inappropriate, particularly because the transfer cannot be done in a timely manner;
d) the authority which is competent for the purposes referred to in Article 1 in the third country is informed as soon as possible, unless this is ineffective or inappropriate, and
e) the competent authority transferring the data informs the recipient of the specified purpose or
purposes for which the personal data should only be processed
by the latter, provided that such processing is necessary.
(2) By international agreement referred to in paragraph 1 is meant any bilateral or multilateral international agreement in force between the Grand Duchy of Luxembourg and third countries in the field of judicial
cooperation in criminal matters and police cooperation.
(3) The transferring competent authority shall inform the supervisory authority of transfers under
this article.
(4) Where a transfer is made on the basis of paragraph 1, this transfer is documented.
Chapter 6 - Independent supervisory authorities 
Section 1 - Administrative Control Authority
Art. 39. Competence of the National Commission for Data Protection
The supervisory body established by Article 3 of the Law of 1 August 2018 on the organization of the National Commission for Data Protection and the general data protection regime is competent
to control and verify compliance with the provisions of this law.
Section 2 - Judicial review authority 
Art. 40. Creation, competence and composition of the judicial supervisory authority 
(1) A supervisory authority for the protection of judicial data, hereinafter referred to as
“Judicial supervisory authority”, is created.
(2) By way of derogation from Article 39, personal data processing operations carried out
by the courts of the judicial order, including the public prosecutor, and of the administrative order in the exercise
of their judicial role, either for the purposes referred to in Article 1 of this law or for
those referred to in Regulation (EU) No. 2016/679, are subject to control by the judicial supervisory authority.
(3) The judicial supervisory authority is composed of six full members and their deputies as follows: 
1) the President of the Superior Court of Justice or his delegate; 
2) a representative of the other courts of the judiciary; 
3) the President of the Administrative Court or his delegate; 
4) the State Attorney General or his delegate; 
5) a representative of the Public Prosecutor's Office of the district of Luxembourg or of the district of Diekirch, and
6) a representative of the National Commission for Data Protection.
An official or employee of the judicial administration assumes the role of secretary of the judicial
supervisory authority. One or more other officials or employees of the judicial administration may
be appointed as members of the secretariat of the judicial supervisory authority, including one as
deputy secretary.
(4) The full members and their substitutes as well as the officials and employees providing the secretariat
of the judicial supervisory authority are appointed by order of the minister responsible for justice,
on the proposal of:
1) the President of the Superior Court of Justice for the substitute members referred to in paragraph 3, subparagraph 1st, points 1) and 2), and for the officials and employees referred to in paragraph 3, subparagraph 2;
2) the State Prosecutor General for the full and alternate members referred to in paragraph 3, points 4)
and 5), and
3) the President of the National Commission for Data Protection for the member referred to in
paragraph 3, point 6).
(5) Only persons with at least three years' seniority within, respectively, the magistracy of the judicial
order, the administrative courts or the National Commission for Data Protection may be appointed as
full or substitute members. The term of office of full members
and their alternates is six years and renewable once. The terms of office also end in the event of
resignation as a member of the judicial supervisory authority or as a member of the magistracy of
the judicial order, of the administrative courts or of the National Commission for Data
Protection, or in the event of retirement. A member can only be removed from his mandate if he
has committed a serious fault or if he no longer fulfills the conditions necessary for the performance of his duties. In the event of a vacancy of a full or substitute mandate, a replacement is provided by the appointment of a new member, appointed in accordance with paragraph 4, who completes the term of office of the member he replaces.
(6) During their term of office, the full members of the judicial supervisory authority each
receive a non-pensionable monthly premium of fifty index points. This premium is thirty
points for alternate members of the judicial supervisory authority and twenty points for members
of its secretariat.
In the event of the appointment of a delegate within the meaning of paragraphs 3 and 4, the holder having carried out the delegation will receive the premium referred to in paragraph 1st for the duration of the delegation.
Art. 41. Functioning of the judicial control authority 
(1) The presidency of the judicial control authority is ensured by the President of the Superior Court of 
Justice or its delegate and its vice-presidency is ensured by the President of the Administrative Court or his 
delegate. 
(2) The judicial supervisory authority may validly deliberate only when at least three of its full
or substitute members, including at least one full member, are present. A full member who is prevented
from participating in a meeting informs his or her substitute.
The judicial supervisory authority may engage experts, who may attend the meetings at its request
in an advisory capacity.
(3) The judicial supervisory authority shall meet, when convened by its chairman, whenever
the matters falling within its remit so require. The meetings of the judicial supervisory authority are chaired
by its chairman or, in his absence, by its vice-chairman, otherwise in accordance with the provisions of
its internal regulations referred to in paragraph 10.
Except in cases of urgency, the notice of meeting, containing the agenda and mentioning the place, day and time of the meeting, is sent by post or electronically at least eight calendar days before the
date fixed for the meeting to the addresses indicated by the full members.
(4) The chairman opens and closes the meeting and directs the discussions. When the chairman finds that the judicial supervisory authority does not have the quorum needed to deliberate validly, he closes the meeting. In this case he convenes
the judicial supervisory authority again, within eight calendar days, with the same
agenda. The judicial supervisory authority then sits and deliberates validly whatever the number and status
of the members present.
(5) The chairman and the other members of the judicial supervisory authority each have one vote. They
vote by show of hands. Decisions are taken by a majority of the votes cast, abstentions excluded. In the event of a tie, the vote of the chairman of the meeting is decisive.
(6) The secretary shall draw up minutes after each meeting indicating the names of the members present or 
excused, the agenda of the meeting as well as the decisions taken and, if applicable, the reasons for them. 
The minutes are signed by the president and the secretary and communicated to the members of the
judicial supervisory authority.
(7) The judicial supervisory authority acts in complete independence in the exercise of the missions and powers
with which it is invested in accordance with this law. In the exercise of their missions and their powers,
the members of the judicial control authority remain free from any external influence, whether 
direct or indirect, and do not seek or accept instructions from anyone. 
(8) The members of the judicial control authority shall refrain from any act incompatible with their 
functions and, during their term of office, do not exercise any incompatible professional activity, 
paid or not. 
(9) The members of the judicial control authority are subject to professional secrecy within the meaning of Article 458 of the Penal Code concerning any confidential information of which they became aware in the exercise 
of their missions or their powers, including after the end of their mandates. 
(10) The judicial supervisory authority adopts internal regulations determining the procedures and
working arrangements that are necessary and not provided for in this law. These regulations are published in the Official Journal of the Grand Duchy of Luxembourg.
Art. 42. Missions of the judicial control authority 
(1) Within the limits of its powers provided for in Article 40, paragraph 2, and when the processing of
personal data by the authorities referred to therein falls within the scope of
this law, the judicial supervisory authority:
a) supervises the application of the provisions of this law and ensures that they are observed;
b) promotes public awareness and understanding of the risks, rules, safeguards and
rights relating to processing;
c) advises the Chamber of Deputies, the Government and other institutions and bodies on
legislative and administrative measures relating to the protection of the rights and freedoms of natural
persons with regard to processing;
d) encourages awareness among the controllers and processors
falling within its competence of the obligations incumbent on them by virtue of this law;
e) provides, upon request, to any data subject, information on the exercise of their rights arising
from this law and, where appropriate, cooperates to this end with the National Commission for Data
Protection and foreign supervisory authorities;
f) deals with complaints lodged by a data subject or by a body, organization
or association in accordance with Article 47, investigates the subject-matter of the complaint, to the extent
necessary, and informs the complainant of the progress and outcome of the investigation within a
reasonable time, especially if further investigation or coordination with another supervisory
authority is necessary;
g) verifies the lawfulness of the processing under Article 16 and informs the data subject within a
reasonable time of the result of the verification, in accordance with paragraph 3 of the same article, or of the reasons
that prevented it from being carried out;
h) cooperates with other supervisory authorities, including by sharing information, and provides them with
mutual assistance in this context with a view to ensuring the consistent application of this law and
compliance with it;
i) conducts inquiries into the application of this law, including on the basis of information received from
another supervisory authority or other public authority;
j) monitors relevant developments, insofar as they have an impact on the protection of
personal data, in particular in the field of information and communication
technologies;
k) provides advice on the processing operations referred to in Article 27.
The judicial supervisory authority facilitates the submission of the complaints referred to in paragraph 1st, letter f), by
measures such as providing a complaint form which can also be completed
electronically, without excluding other means of communication.
The accomplishment of the tasks of the judicial supervisory authority is free of charge for the person concerned
and for the data protection officers responsible for data processing within the
scope of this law.
When a request is manifestly unfounded or excessive, in particular because of its
repetitive nature, the judicial supervisory authority may demand payment of a reasonable fee based on its
administrative costs or refuse to follow up on the request. It is the responsibility of the judicial supervisory authority to
demonstrate the manifestly unfounded or excessive nature of the request.
(2) When the processing of personal data carried out by the authorities referred to in Article 40,
paragraph 2, falls within the scope of Regulation (EU) No 2016/679, the tasks of the
judicial supervisory authority are those referred to in Article 57 of that regulation.
Art. 43. Powers of the judicial supervisory authority 
(1) When the processing of personal data carried out by the authorities referred to in Article 40, 
paragraph 2, falls within the scope of this law, the judicial control authority has the 
following corrective powers: 
a) notify a controller or processor that the planned processing operations
are liable to violate the provisions of this law;
b) order the controller or processor to bring the processing operations into
compliance with the provisions adopted by virtue of this law, where applicable in a specified manner
and within a specified period, in particular by ordering the rectification or erasure of
personal data or the limitation of processing in application of Article 15;
c) temporarily or permanently restrict processing, including by prohibiting it.
The judicial supervisory authority shall obtain from the controller or processor access to all
personal data that are processed and all other information necessary for the exercise
of its missions.
The judicial supervisory authority advises the controller in accordance with the procedure for
prior consultation referred to in Article 27 and issues, on its own initiative or on request, opinions for
the Chamber of Deputies and the Government or other institutions and bodies, as well as the public,
on any question relating to the protection of personal data falling within its competence.
The judicial supervisory authority has the power to bring violations of the provisions of this law to the
attention of the judicial authorities in order to ensure compliance with the provisions of this law.
(2) When the processing of personal data carried out by the authorities referred to in Article 40,
paragraph 2, falls within the scope of Regulation (EU) No 2016/679, the powers of the
judicial supervisory authority are those referred to in Article 58 of that regulation.
Chapter 7 - Remedies, Liability and Sanctions 
Art. 44. Right to lodge a complaint with a supervisory authority 
(1) Any person concerned may lodge a complaint with the National Commission for Data
Protection against personal data processing operations if he or she
considers that the processing of personal data concerning him or her constitutes a violation of the
provisions of this law.
(2) Notwithstanding paragraph 1, complaints against personal data processing operations
carried out by the courts of the judicial order, including the public prosecutor, and
of the administrative order in the exercise of their judicial functions are treated as a procedural
incident before the court which is competent to rule on the dispute in which the person concerned
is a party, in accordance with the procedural provisions applicable to the dispute concerned.
(3) For all complaints against personal data processing operations
carried out by the courts of the judicial order, including the public prosecutor, and of the administrative order
in the exercise of their judicial functions which cannot be dealt with in accordance with paragraph
2, the person concerned can apply to the judicial supervisory authority.
(4) If the complaint is not lodged with the competent supervisory authority, the supervisory authority
with which the complaint was lodged transmits it as soon as possible to the competent supervisory
authority. The data subject is informed of this transmission.
(5) The data subject is informed by the competent supervisory authority of the progress and 
the outcome of the complaint, including the possibility of a judicial remedy under Article 45. 
Art. 45. Right to a judicial appeal against a decision of the supervisory authority 
(1) Against decisions taken by the judicial supervisory authority pursuant to Article 44 (3),
when the processing of personal data referred to in the complaint falls within the scope
of this law, a judicial appeal may be brought by the person concerned before the council
chamber of the court of appeal.
The relevant request is entered in a register kept for this purpose at the registry of the council chamber of the court of appeal. Under penalty of inadmissibility, the request must be lodged with the registry of the council chamber of the court of appeal within one month, which runs from the date of notification of the decision in question by
the judicial supervisory authority to the person concerned, or, when the judicial supervisory authority has not
ruled on the complaint of the person concerned, from the expiration of a period of three months from the
day of the referral to the judicial supervisory authority by the person concerned. The clerk notifies the person
concerned and the controller at least eight days before the day and time of the hearing.
The controller or his representative and the data subject and, where applicable, his
representative alone have the right to attend the hearing and provide such briefs and make such requisitions,
verbal or written, as they deem appropriate. The hearing in the council chamber is not public.
The notifications and warnings referred to in this paragraph shall be made in the forms provided for
law enforcement notifications. Neither the time limit for appeal nor the referral to the council chamber of the court of appeal pursuant to this paragraph has suspensive effect.
(2) Against decisions taken by the National Commission for Data Protection on the basis of
Article 44, paragraph 1, and against decisions taken by the judicial supervisory authority on the basis of
Article 44 (3), when the processing of personal data referred to in the complaint
falls within the scope of Regulation (EU) 2016/679, the data subject may bring an
appeal before the administrative court, which rules as judge on the merits.
Art. 46. Representation of data subjects 
(1) Without prejudice to the legal provisions relating to the representation of the parties before the courts
of the judicial and administrative orders, the person concerned has the right to mandate a legal
person fulfilling the conditions set out in paragraph 2 to exercise on his or her behalf the rights referred
to in Articles 44 and 45.
(2) In order to be able to validly represent the person concerned, and under penalty of inadmissibility of the
complaint or appeal, the legal person referred to in paragraph 1 must fulfill the following conditions:
a) be validly constituted as an association or foundation in accordance with the provisions of the amended
law of April 21, 1928 on non-profit associations and foundations;
b) in the case of a non-profit association, have been recognized as being of public utility in accordance with article 26-2 of the law referred to in letter a);
c) the protection of the rights and freedoms of the data subject in the context of the protection of personal
data must appear in the statutes of the association or foundation as the object or one of the
objects for which the association or foundation was created;
d) have legal personality at the time of the lodging of the complaint or the legal action
on behalf of the data subject;
e) have been authorized in writing and prior to the exercise of the rights of the person referred to in Articles
44 and 45.
(3) A mandate issued in application of this article whose object is the defense of the general interest
is null and void.
Art. 47. Sanctions 
(1) Violations of Articles 3 to 15, 18 to 30, and 34 to 38 of this law are punishable by an administrative
fine of 500 to 250,000 euros, which is imposed by decision of the supervisory authority. An
appeal against this decision may be brought before the Administrative Court, which rules as judge on the merits.
(2) The competent supervisory authority may, by decision, impose a fine of 100 euros per
day of delay in order to compel the controller to comply with the orders issued
by the National Commission for Data Protection in application of Article 14, points 1°, 3° and 4°
of the Law of 1st August 2018 on the organization of the National Commission for Data Protection and
the general data protection regime, or issued by the judicial supervisory authority in application
of Article 43, letters b) and c).
The penalty runs from the date fixed in the decision pronouncing the penalty payment. This date cannot be
prior to the date of notification of the decision. An appeal against this decision may be brought before the
Administrative court, which rules as judge on the merits.
(3) In addition, the violation of articles 9, 10 and 29 of this law with fraudulent intent or
intention to harm is punishable by imprisonment from eight days to one year and a fine of 251 to 125,000
euros or only one of these penalties. The court seised orders the cessation of processing contrary
to the provisions of the aforementioned articles under penalty of a fine, the maximum of which is set by the said court.
(4) The National Commission for Data Protection and the State Prosecutor cooperate for the
administrative or penal repression of violations or infringements of the provisions of this law and
of those of the Law of 1st August 2018 on the organization of the National Commission for Data
Protection and the general data protection regime. To this end, the National Commission for
Data Protection, the State Prosecutor and the Grand Ducal Police can exchange any information
they deem useful or necessary.
(5) If there are indications that can justify the opening by the National Commission for Data Protection
of an administrative procedure likely to result in the imposition of an administrative penalty for one or
several facts constituting a violation of paragraph 8 or of Articles 48 and 49 of the Law of 1st August 2018
on the organization of the National Commission for Data Protection and the general data protection
regime, it informs the State Prosecutor, who decides, within two months of receiving
this information, whether he exercises public action. In this case, he informs the National Commission for
Data Protection.
If the State Prosecutor decides to prosecute, the National Commission for Data Protection does
not proceed. In the event of a negative decision or in the absence of a response from the State Prosecutor after the two-month deadline, the National Commission for Data Protection proceeds in accordance with the Law of
1st August 2018 on the organization of the National Commission for Data Protection and the general
data protection regime.
When during the procedure the National Commission for Data Protection ascertains the existence
of indications that the suspected persons are likely to have contravened the provisions of paragraph
8 or Articles 48 and 49 of the Law of 1st August 2018 on the organization of the National Commission for
Data Protection and the general data protection regime, it relinquishes the case and
forwards it to the State Prosecutor, who proceeds in accordance with the Code of Criminal Procedure.
If the State Prosecutor considers during his investigation and before he summons to appear that the conditions
for criminal proceedings are not met but that administrative sanctions are liable to
apply, he forwards the file to the National Commission for Data Protection, which proceeds
in accordance with the Law of 1st August 2018 on the organization of the National Commission for Data
Protection and the general data protection regime.
(6) When the State Prosecutor is seized on the basis of a complaint of facts likely to constitute a
violation of paragraph 8 or of Articles 48 and 49 of the Law of 1st August 2018 on the organization of the
National Commission for Data Protection and the general data protection regime and
he decides to take public action, he informs the National Commission for Data Protection.
In this case, the National Commission for Data Protection does not proceed. If the State Prosecutor
decides not to prosecute, the National Commission for Data Protection proceeds in accordance
with the Law of 1st August 2018 on the organization of the National Commission for Data Protection and
the general data protection regime.
If the State Prosecutor considers during his investigation and before he summons to appear that the conditions
for criminal proceedings are not met but that administrative sanctions are liable to
apply, he forwards the file to the National Commission for Data Protection, which proceeds
in accordance with the Law of 1st August 2018 on the organization of the National Commission for Data
Protection and the general data protection regime.
(7) The provisions of paragraphs 4 to 6 also apply to the judicial supervisory authority when it 
exercises the missions and has the powers provided for by Regulation (EU) 2016/679. 
(8) Anyone who knowingly prevents or hinders in any way the accomplishment of the 
tasks incumbent on the judicial control authority is punishable by imprisonment from eight days to one year and a fine of 251 to 125,000 euros or one of these penalties only. 
(9) The provisions of Articles 51 to 53 of the Law of 1st August 2018 on the organization of the National
Commission for Data Protection and the general data protection regime are applicable
to the judicial supervisory authority when it acts within the framework of its powers relating to Regulation
(EU) No 2016/679 or provided for by this law. The recovery of the fines or periodic penalty payments
imposed is entrusted to the Administration of Registration and Domains. It is carried out as in
registration matters.
Chapter 8 - Final provisions 
Section 1st - Amending provisions
Art. 48. Law of 7 March 1980 on judicial organization as amended 
Article 75-8 of the amended law of 7 March 1980 on the organization of the judiciary is replaced as follows: 
" Art. 75-8. 
The right of everyone to have access to personal data concerning them which are
processed by Eurojust, as provided for by article 19 of the aforementioned Council decision of 28 February 2002,
is exercised in accordance with the terms of the right of access in Luxembourg as provided for in Articles 13,
14 and 16 of the Law of 1st August 2018 on the protection of individuals with regard to the processing
of personal data in criminal matters as well as in matters of national security.
" 
Art. 49. Amended law of 29 May 1998 approving the Convention on the basis of article 
K.3 of the Treaty on European Union establishing a European Police Office (Convention 
Europol), signed in Brussels on July 26, 1995 
Article 3 of the amended law of 29 May 1998 approving the Convention on the basis of article 
K.3 of the Treaty on European Union establishing a European Police Office (Europol Convention), 
signed at Brussels on 26 July 1995 is replaced as follows: 
" Art. 3. 
The supervisory authority provided for in Article 2, paragraph 1st, point 15), a) of the Law of 1st August 2018 on the protection of individuals with regard to the processing of personal data
in criminal matters as well as in matters of national security is designated as the national supervisory
authority provided for in Article 23 of the Convention, with the task of monitoring compliance
with regard to the protection of personal data in the context of the operation of the Europol
information system.
" 
Art. 50. Law of 20 December 2002 approving - the Convention drawn up on the basis of article 
K.3 of the Treaty on European Union, on the use of data processing in the field of customs, 
signed in Brussels on July 26, 1995; - of the Agreement relating to provisional application between certain 
Member States of the European Union of the Convention drawn up on the basis of Article K.3 of the Treaty on the European Union, on the use of IT in the customs field, signed at 
Brussels, July 26, 1995 
Article 2 of the law of 20 December 2002 approving - of the Convention established on the basis of article 
K.3 of the Treaty on European Union, on the use of data processing in the field of customs, signed at 
Brussels, July 26, 1995; - the Agreement relating to the provisional application between certain Member States of the European Union of the Convention established on the basis of Article K.3 of the Treaty on European Union, on the use of IT in the customs field, signed in Brussels on July 26, 1995 is replaced 
as follows:
" Art. 2. 
The supervisory authority provided for in Article 2, paragraph 1st, point 15), a) of the Law of 1st August 2018 on the protection of individuals with regard to the processing of personal data
in criminal matters as well as in matters of national security is designated as the national supervisory
authority provided for in Article 17 of the Convention, with the task of monitoring compliance
with regard to the protection of personal data in the context of the operation of the customs
information system.
" 
Art. 51. Law of June 15, 2004, relating to the classification of documents and the authorizations of 
security 
In article 23 of the amended law of June 15, 2004 relating to the classification of documents and 
security, paragraph 1st is replaced as follows:
" The processing by the National Safety Authority of information collected as part of its
mission is implemented in accordance with the Law of 1st August 2018 on the
protection of individuals with regard to the processing of personal data in
criminal matters as well as in matters of national security. "
Art. 52. Amended law of June 16, 2004 on the reorganization of the socio-educational center of the State 
The amended law of June 16, 2004 on the reorganization of the socio-educational center of the State is amended as follows: 
1° In Article 11bis, paragraph 4, subparagraph 2, the first sentence is replaced as follows:
" The State Prosecutor General is considered, with regard to the processing of personal
data, as data controller within the meaning of Article 4 (7) of Regulation (EU) No
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such
data, and repealing Directive 95/46/EC (General Data Protection Regulation),
hereinafter referred to as "Regulation (EU) No 2016/279". "
2° In Article 11bis, paragraph 4, subparagraph 3, the first sentence is replaced as follows:
" The director of the center is considered, with regard to the processing of personal
data as part of the accommodation and supervision of the resident, as data
controller within the meaning of Article 4 (7) of Regulation (EU) No 2016/679. "
Art. 53. Amended law of 25 August 2006 on identification procedures by genetic
fingerprinting in criminal matters and amending the Code of Criminal Procedure
The amended law of 25 August 2006 relating to identification procedures by genetic fingerprinting
and amending the Code of Criminal Investigation is amended as follows:
1° In Article 1st, the second sentence is replaced as follows:
" The processing of these data is subject to the requirements of Article 9 of the Law of 1st August 2018
on the protection of individuals with regard to the processing of personal
data in criminal matters as well as in matters of national security. "
2° In Article 13, paragraph 2 is replaced as follows:
" (2) An established DNA profile is to be considered as personal data, within the meaning of the Law of
1st August 2018 on the protection of individuals with regard to the processing of personal
data in criminal matters as well as in matters of national security, from the
moment when the alphanumeric code of the DNA analysis has been associated with information relating to the natural
person concerned making it possible to identify that person. "
Art. 54. Law of 24 June 2008 on the control of travelers in accommodation
establishments
In article 3 of the law of 24 June 2008 on the control of travelers in accommodation
establishments, the first sentence is replaced as follows:
" The landlord is obliged to communicate to the Grand-Ducal Police the accommodation sheet concerning the
persons accommodated for the purposes of the prevention and detection of criminal offenses, of investigations
and prosecutions in the matter or of the execution of criminal sanctions, including protection against
threats to public safety and the prevention of such threats. "
Art. 55. Amended law of 29 March 2013 relating to the organization of the criminal record 
In article 8 of the amended law of 29 March 2013 on the organization of the criminal record, the second
sentence of point 2 is replaced as follows:
" On a quarterly basis, the SRE sends a list of its requests for issuance and the reasons for
these requests to the judicial supervisory authority provided for in Article 40 of the Law of 1st August 2018 on
the protection of individuals with regard to the processing of personal data in
criminal matters as well as in matters of national security; "
Art. 56. Amended law of 19 December 2014 facilitating the cross-border exchange of information 
concerning road safety offenses 
Article 6 of the amended law of 19 December 2014 facilitating the cross-border exchange of information concerning road safety offenses is replaced as follows: 
" Art. 6. 
(1) The processing of personal data within the framework of this law is carried out for the
purposes of prevention, research and observation of criminal or administrative offenses falling within
its scope and is carried out in accordance with Articles 24 to 32 of Decision 2008/615/JHA
and the aforementioned provisions are not contrary to the Law of 1st August 2018 on the protection of
natural persons with regard to the processing of personal data in criminal matters
as well as in matters of national security.
(2) Any data subject has the right to obtain information on the personal data
transmitted under this law, including the date of the request and the competent
authority of the Member State of the offense, in accordance with Articles 11 to 17 of the Law of 1st August
2018 on the protection of individuals with regard to the processing of personal
data in criminal matters as well as in matters of national security.
" 
Art. 57. Amended law of July 25, 2015 establishing the automated control and sanction system
Article 10 of the amended law of July 25, 2015 establishing the automated control and sanction
system is replaced as follows:
"Art. 10.
The Center carries out the processing of personal data necessary for
the performance of its tasks, which is performed in accordance with the Law of 1st August
2018 on the protection of individuals with regard to the processing of personal data
in criminal matters as well as in matters of national security."
Art. 58. Law of 5 July 2016 on the reorganization of the State Intelligence Service 
The law of 5 July 2016 on the reorganization of the State Intelligence Service is amended as follows: 
1 ° in Article 9, paragraph 4, the last sentence is replaced as follows: 
"Subject to the conditions specified in paragraph 1, the SRE can directly exchange personal
data with foreign intelligence services, including through
common transmission facilities, in accordance with Articles 34 and 38 of the Law of 1st
August 2018 on the protection of individuals with regard to the processing of personal data
in criminal matters as well as in matters of national security."
2 ° In Article 10, paragraph 1 is replaced as follows:
"(1) The SRE carries out the processing of personal data necessary for
the fulfillment of its legal missions, which is carried out in accordance with the provisions of the Law
of 1st August 2018 on the protection of individuals with regard to the processing of personal data
in criminal matters as well as in matters of national security."
3 ° In Article 10, paragraph 2, subparagraph 3 is replaced as follows:
"On a quarterly basis, the SRE sends a list of its requests for issuance and the reasons for
these requests to the judicial authority provided for in Article 40 of the Law of 1st August 2018 on
the protection of individuals with regard to the processing of personal data
in criminal matters as well as in matters of national security."
4 ° In Article 10, paragraph 3, subparagraph 1 is replaced as follows:
"The Director is responsible for the processing of the data referred to in paragraphs 1 and 2. He designates
a data protection officer who is competent under his authority for the compliant application
of the Law of 1st August 2018 on the protection of individuals with regard to the processing of
personal data in criminal matters as well as in matters of national security and the
implementation of security measures for the processing carried out by the SRE."
Art. 59. Law of 23 July 2016 establishing a specific statute for certain personal data
processed by the State Intelligence Service
The law of 23 July 2016 establishing a specific statute for certain personal data
processed by the State Intelligence Service is amended as follows:
1 ° in Article 3, paragraph 11 is replaced as follows: 
"(11) During the exercise of the expert's mission, the director of the State Intelligence Service
is in charge of data processing within the meaning of Article 2, paragraph 8) of the Law of 1st August 2018
on the protection of individuals with regard to the processing of personal data
in criminal matters as well as in matters of national security, and the National Archives
are considered as a subcontractor of the State Intelligence Service within the meaning of Article 2,
point 9), of the same law."
2 ° in Article 3, paragraph 15, the first is replaced as follows:
"The final report may not contain any personal data or any element likely to
allow the identification of a person without the express consent of the person concerned,
in accordance with Article 6 (1) (a) of Regulation (EU) No 2016/679."
3 ° in Article 4, paragraph 2, point 1 is replaced as follows:
"1. the historical databases identified within the meaning of Article 3 (6), point 2,
are transferred definitively to the National Archives as provided for in article 7 of the amended law
of June 25, 2004 on the reorganization of State cultural institutes and subject to the
provisions of Regulation (EU) 2016/679. The National Archives become responsible for the
processing of this data from the date of final transfer;"
4 ° in Article 5, paragraphs 1 and 2 are replaced as follows:
"(1) Access by a data subject to data concerning them during the performance of the experts'
mission is carried out in accordance with the provisions of articles 13, 14 and 16 of the Law of 1st
August 2018 on the protection of individuals with regard to the processing of personal data
in criminal matters as well as in matters of national security.
(2) Personal data observed during the experts' mission and concerning
persons who have already submitted an access request are communicated to the person
concerned in accordance with the provisions of paragraph 1."
5 ° in Article 5, paragraph 5 is replaced as follows: 
"(5) In the exercise of their mission, the experts have full access to the historical
databases of the State Intelligence Service as well as access to personal data,
and process these data in accordance with the principle of legitimacy within the meaning of Article 5, paragraph 1, letter b) of Regulation (EU) No 2016/679."
Art. 60. Law of 22 February 2018 on the exchange of personal data and 
police information 
The law of 22 February 2018 on the exchange of personal data and police
information is amended as follows:
1 ° In Article 1, item 3), the words "Articles 18 and 19 of the Law of 2 August 2002 on
data protection with regard to the processing of personal data" are replaced by
the words "Chapter V of the Law of 1st August 2018 on the protection of individuals with
regard to the processing of personal data in criminal matters as well as in matters of national
security".
2 ° in Article 25, paragraph 2 is replaced as follows: 
"(2) The transmission of data and information shall take place in a form enabling the National
Commission for Data Protection to check whether all the conditions required by law were
fulfilled at the time of transmission. Transmission documentation is retained for
two years."
3 ° In Article 26, paragraph 1 is replaced as follows:
"(1) The data and information transmitted to the administration of the State concerned form part of the
processing of personal data for which the administration or its representative is the
controller within the meaning of Article 4 (7) of Regulation (EU) No 2016/679 of the
European Parliament and of the Council of April 27, 2016 on the protection of natural persons
with regard to the processing of personal data and the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation). The National
Commission for Data Protection is responsible for verifying the application of the provisions
of that Regulation and of the Law of 1st August 2018 on the protection of individuals
with regard to the processing of personal data in criminal matters as well as in matters of
national security."
4 ° Article 28 is replaced as follows:
"The National Commission for Data Protection controls and monitors compliance with the
access conditions provided for by this law. The report to be sent to the Minister responsible for
data protection, pursuant to Article 10 of the Law of 1st August 2018 on the
organization of the National Commission for Data Protection and the general regime on
data protection, contains a specific part relating to the performance of its mission of
control exercised under this law."
Art. 61. Law of 18 July 2018 on the Grand Ducal Police 
In article 43 of the Law of 18 July 2018 on the Grand Ducal Police, paragraph 6 is replaced as follows: 
"The supervisory authority provided for in Article 2, paragraph 1, item 15), letter a) of the Law of 1st August 2018
on the protection of individuals with regard to the processing of personal data
in criminal matters as well as in matters of national security controls and monitors compliance
with the access conditions provided for in this article. The report to be sent to the Minister responsible
for data protection, pursuant to Article 10 of the Law of 1st August 2018
on the organization of the National Commission for Data Protection and the general regime
on data protection, contains a specific part relating to the performance of its mission of
control exercised under this article."
Art. 62. Law of 18 July 2018 on the General Police Inspectorate 
Article 15 of the law of July 18, 2018 on the General Inspectorate of the Police is amended as follows: 
1 ° Paragraph 3 is replaced as follows: 
"(3) Within the framework of the missions set out in Articles 4, 7 and 9, the IGP has access to the data tracing
access to the processing of personal data for which the controller is
the Director General of Police."
2 ° Paragraph 6 is replaced as follows: 
"(6) The supervisory authority provided for in Article 2, paragraph 1, item 15), letter a) of the Law of 1st
August 2018 on the protection of individuals with regard to the processing of personal data
in criminal matters as well as in matters of national security controls and monitors
compliance with the access conditions provided for in this article. The report to be sent to the Minister
responsible for data protection, pursuant to Article 10 of the Law of 1st August
2018 on the organization of the National Commission for Data Protection and the general
regime on data protection, contains a specific part relating to the execution of its
control mission carried out under this article."
Section 2 - Transitional provisions, compliance and citation title 
Art. 63. Transitional provisions and compliance 
(1) Exceptionally, and when this requires disproportionate effort, automated personal data
processing systems installed before May 6, 2016 are brought into compliance with article
24 no later than May 6, 2023.
(2) Notwithstanding paragraph 1, and in exceptional circumstances, a given automated
personal data processing system referred to in paragraph 1 can be brought into line
with Article 24 by a deadline to be determined by a decision of the Government in Council and falling
after May 6, 2023 when, failing this, serious difficulties would arise for the operation of the
automated processing system in question. The deadline cannot be set beyond May 6, 2026.
Art. 64. Title of citation 
The reference to this law is as follows: "Law of 1st August 2018 on the protection
of natural persons with regard to the processing of personal data in criminal matters as well as
in matters of national security."
We mandate and order that this law be inserted in the Official Journal of the Grand Duchy of Luxembourg
to be executed and observed by all concerned.
The Minister of Justice, 
Felix Braz 
Doc. parl. 7168, sess. ord. 2016-2017 and 2017-2018; Dir. (EU) 2016/680.
Cabasson, 1st August 2018. Henri