
Data Protection Law — GDPR and Beyond
CNPD compliance, data processing agreements, and integrated data law advice in Luxembourg
GDPR has been enforceable across the EU since 2018, and the CNPD — Luxembourg's data protection authority — has developed into an active supervisory body with a growing track record of investigations and enforcement decisions. For businesses that operate in Luxembourg or target Luxembourg-based users, GDPR compliance is not a one-time project: it is an ongoing operational discipline that requires legal advice calibrated to your specific processing activities.
Data protection in 2025 is no longer just GDPR. The EU AI Act imposes additional requirements on AI system operators in relation to training data, automated decision-making, and fundamental rights impact assessments. The Data Act has applied since September 2025 and reshapes data access and sharing obligations for connected product manufacturers and cloud service providers. The result is a layered regulatory environment in which GDPR, the AI Act, and the Data Act must be read together — and advice that addresses only one of them will be incomplete.
Jurisconsul advises across this landscape in an integrated way. Our data protection practice sits alongside our AI Act and Data Act practices, which means we advise on the interaction between frameworks rather than treating each in isolation.
GDPR Compliance Programmes
We advise businesses on building GDPR compliance programmes that are proportionate, documented, and sustainable. This covers lawful basis identification, privacy notice drafting, records of processing activities, data protection impact assessments (DPIAs), and the appointment and support of data protection officers where required. We design programmes that fit how your business actually processes data — not how a generic template assumes it does.
Data Processing Agreements
We draft and negotiate data processing agreements (DPAs), controller-to-controller agreements, and joint controller arrangements — covering the full range of commercial relationships in which personal data changes hands. We review DPAs received from third-party processors, identify clauses that create disproportionate risk or fall short of GDPR requirements, and negotiate amendments.
International Data Transfers
Transferring personal data outside the EU requires a valid legal mechanism — standard contractual clauses (SCCs), binding corporate rules (BCRs), adequacy decisions, or the relevant derogations. We advise on the mechanism appropriate to your transfer and on the transfer impact assessments that the CNPD and the EDPB expect to accompany SCCs for high-risk destinations.
CNPD Interactions and Regulatory Correspondence
We advise businesses that are subject to CNPD enquiries, investigations, or enforcement proceedings, and represent clients in correspondence with the authority. We also advise on proactive CNPD engagement — pre-consultation under Article 36 GDPR for high-risk processing, voluntary transparency reporting, and the management of data breach notifications.
Data Subject Rights
We advise on handling data subject access requests, erasure requests, restriction of processing requests, and objection rights — including the timetable, the exceptions that apply, and the documentation required to demonstrate compliance. For businesses that receive high volumes of requests, we design scalable handling workflows.
AI Act and GDPR Intersection
The AI Act builds on GDPR in several important respects — particularly for high-risk AI systems where a fundamental rights impact assessment is required, and for automated decision-making in consequential contexts. We advise on the interaction between the two frameworks and help businesses design AI governance arrangements that satisfy both.
