Impact of the GDPR on HR Management in Luxembourg

Regulation (EU) 2016/679 (GDPR) applies in full to employee data and imposes strict requirements on Luxembourg employers: monitoring systems may not be put in place without prior notification of employee representatives, reporting obligations to social security and public authorities remain in force within a secure framework, and retention of HR records must comply with the principles of data minimisation and storage limitation.

Legal bases: GDPR Art. 6; Art. L.261-1; Art. L.621-3; Art. CSS-VI-426; Art. CSS-VI-442

Updated: June 2026

1. Regulation of Employee Monitoring

Lawfulness requirements

An employer may only implement an employee monitoring system if it is based on one of the legal grounds set out in Article 6(1)(a) to (f) of the GDPR — consent, performance of a contract, legal obligation, protection of vital interests, public interest task or legitimate interests (Art. L.261-1, para. 1). Reliance on legitimate interests requires a balancing test against the rights and freedoms of the employees concerned.

Mandatory prior notification

Before any system is deployed, the employer must notify the joint committee, the staff delegation or, failing that, the Labour and Mines Inspectorate (ITM). This notification must specify (Art. L.261-1, para. 2):

the purpose of the processing and how the system will operate;
the retention period for the collected data;
an express undertaking not to use the data for any purpose other than those declared.

Employees' right to challenge

Within 15 days of notification, employees or their delegation may request a compliance opinion from the National Commission for Data Protection (CNPD). This request has a suspensive effect: the system may not be deployed until the CNPD has issued its opinion (Art. L.261-1, para. 4).

Filing a complaint with the CNPD may not constitute either just cause or legitimate grounds for dismissal (Art. L.261-1, para. 5).

End of prior CNPD authorisation: since the GDPR became applicable in 2018, prior authorisation from the CNPD is no longer required to establish a data processing activity. However, the obligation to notify employees individually and collectively remains fully in force, and the employer must maintain an up-to-date and documented record of processing activities.

2. Reporting Obligations and Administrative Access

The GDPR does not exempt employers from their legal obligations to transmit data to public bodies. These data flows are strictly delimited and take place within a secure framework.

Social security declarations (Art. CSS-VI-426)

Every month, the employer must report to the Joint Social Security Centre (CCSS):

the contributory bases for each employee;
overtime hours worked;
periods of incapacity for work.

Direct access by authorities (Art. L.621-3)

The Minister with responsibility for employment and the ADEM may have direct, secure access — with strong authentication — to CCSS files (affiliations, declared salaries) and other administrative databases (register of foreign nationals, guaranteed minimum income recipients, etc.). This access is limited to verifying eligibility for benefits and monitoring job-seekers.

Powers of inspection (Art. CSS-VI-442)

Representatives of social security bodies and other supervisory authorities are empowered to request any document relating to the identity, activity and remuneration of employees. This right of access is separate from the employer's internal monitoring prerogatives and falls outside the prior-notification mechanism provided for by Art. L.261-1.

3. Retention and Management of HR Data

Minimisation and storage-limitation principles

The GDPR requires that data be collected only to the extent strictly necessary (minimisation) and retained only for as long as needed for the purposes that justified their collection (storage limitation). Employers must define and document retention periods for each category of personal data processed.

Practical retention periods for HR records

There is no general statutory retention period applicable to employees' personal files, except for accounting documents subject to the 10-year prescription period under the Commercial Code. As a best practice, records should be kept at least until the expiry of the time limits for challenging termination, which covers dismissal-related claims.

Specific retention periods apply depending on the type of document:

payslips and payroll documents: 10 years (accounting prescription);
disciplinary file: retention period should be limited to the relevance of the sanction;
unsuccessful candidate data: to be deleted within a reasonable period after the end of the recruitment process (generally 6 months), unless the candidate has explicitly consented to longer retention;
CCTV footage: very short retention period (typically 30 days maximum), unless an incident requires preservation for evidential purposes.

The absence of a retention-period register constitutes a documentary deficiency liable to be identified by the CNPD during an inspection. This register is separate from — but complementary to — the record of processing activities required under Art. 30 GDPR.

4. Data Protection Officer (DPO) and Impact Assessment

Designation of a DPO

Designation of a Data Protection Officer (DPO) is mandatory in three situations (Art. 37 GDPR):

the organisation is a public authority or body;
its core activities require large-scale, regular and systematic monitoring of individuals (e.g. online behavioural tracking, fleet geolocation);
its core activities involve large-scale processing of special categories of data (health data, biometric data, trade union data, etc.).

Outside these legally required situations, voluntary designation of a DPO is encouraged, particularly for mid-sized organisations processing significant volumes of employee data.

Data Protection Impact Assessment (DPIA)

A DPIA is mandatory when the intended processing is likely to result in a high risk to the rights and freedoms of individuals (Art. 35 GDPR). In an HR context, the processing activities concerned include in particular:

continuous monitoring systems (CCTV, keyloggers, computer-activity tracking);
biometric data processing (fingerprint or facial-recognition access control);
automated decisions with a significant impact on employees (scoring, algorithmic selection);
systematic geolocation of employees outside professional driving activities.

Where a DPIA reveals a residual high risk that the employer cannot mitigate by its own means, it must consult the CNPD before implementing the processing activity (Art. 36 GDPR).

The information in this guide is provided for informational purposes only and does not constitute legal advice. It may contain inaccuracies or may not reflect the latest legislative or case-law developments. For any specific situation, please consult a qualified legal professional.