Luxembourg: National Commission for Data Protection Publishes List of Operations Requiring Impact Data Assessment

On March 11, 2019, the National Commission for Data Protection (CNPD) published a list of activities for which a data protection impact assessment (DPIA) is mandatory.

According to the press release, the list of activities has been submitted to the European Data Protection Board (EDPB) for its opinion. The list is not exhaustive and is limited to activities that will always require the performance of a DPIA. For activities which are not mentioned in the list, data processors shall refer to Article 35(1) of the General Data Protection Regulation (GDPR) and WP248 of Article 29 Working Party.

Request a Free Trial

As a trusted source of regulatory intelligence for the global payments industry, we enable organisations to manage the growing volume and velocity of regulatory risk with confidence, empowering more informed and effective decision making, in an efficient and cost-effective way.

Take a Trial