Data brokers under control: Luxembourg prepares for new digital regulations

In response to a parliamentary enquiry by MPs Ben Polidori and Franz Fayot, the Luxembourg government has confirmed that the activities of so-called "data brokers" - intermediaries in the trade and aggregation of personal data - are not yet regulated by specific legislation. The country has no mapping of such activities, and the general provisions of the General Data Protection Regulation (GDPR) currently apply.
All companies processing personal data - including data brokers - are required to comply with the principles of transparency, lawfulness and limitation of the purposes of data processing, as stipulated in the GDPR. These rules are supplemented by the provisions of the Act of 1 August 2018 on the National Data Protection Commission and the National Data Protection Regulation.
Compliance with the GDPR is overseen by the Commission for Data Protection (CNPD), which has powers of inspection and sanctions. Citizens can exercise their rights of access, rectification and deletion of data and, if necessary, file complaints with the CNPD when their rights are violated.
As part of European initiatives on digital sovereignty, Luxembourg is preparing to implement Regulation (EU) 2022/868 on "data governance". The relevant draft law No. 8395 is already in preparation. It envisages the creation of a special notification procedure for data exchange service providers, with the CNPD being designated as the competent authority to monitor compliance with the requirements of Chapter III of the regulation.
The CNPD will also be responsible for monitoring and handling complaints from individuals and legal entities regarding the actions of data sharing intermediaries.