Article 17 Supervisory Authority

Article 17(2) of the amended Act of 2 August 2002 provides for a specific supervisory authority responsible for supervising and overseeing certain data processing operations carried out either in performance of a provision of national law or in application of an international convention.

Processing supervised by the supervisory authority

  • processing operations of a general nature necessary for the prevention, tracking down and recording of criminal offences that are restricted to the Luxembourg police force, the Inspection Générale de la Police and the Customs and Excise authority in line with their respective legal and regulatory duties,

  • processing operations relating to State security, defence and public safety,

  • data processing operations in the area of criminal law carried out under international treaties or inter-governmental agreements or in the context of cooperation with Interpol,

  • creation and usage of systems for videosurveillance of security zones (any place determined by Grand-Ducal Regulation, accessible to the public and due to its nature, position, configuration or frequentation presenting an increased risk of penal offences).

Such processing shall be covered by a Grand-Ducal Regulation which determines the following aspects of the data processing:

  • the person or entity responsible,
  • the cause of legitimacy of the processing,
  • the purposes of the processing,
  • the categories of data subjects and the categories of data relating to them,
  • the origin of these data,
  • the categories of third parties to which these data may be disclosed,
  • the measures to be taken to ensure secure processing.

Tasks and powers

The supervisory authority is informed immediately of the implementation of the processing of data covered by Article 17 of the amended Act of 2 August 2002. The authority ensures that the processing is carried out in compliance with the corresponding statutory provisions.

In carrying out its tasks, the supervisory authority has direct access to the data being processed. It may:

  • conduct spot checks on processing being carried out, and obtain any information or documents it may require to fulfil its task;

  • instruct one of its members to carry out specific supervisory tasks.

The supervisory authority causes any necessary rectifications or deletions to be carried out.

The right of access to the data referred to in Article 17 of the amended Act of 2 August 2002 may only be exercised through the supervisory authority. This body:

  • carries out the necessary checks and investigations;

  • has the necessary rectifications made, and

  • informs the individual concerned that the processing in question does not contain any data contrary to the Conventions, legislation and its regulations.

Cooperation at the European level

At the European level, the supervisory authority is present in the three Joint Supervisory Authorities (JSAs): "Schengen", "Europol" and "Customs" (refer to subcategories below for more information).

Annual report

The supervisory authority draws up an annual report on the performance of its tasks.

The authority submits its report to the Minister who has responsibility for data protection (currently Mr. Xavier Bettel, Minister for Communications and Media).


  • Ms Marie-Jeanne KAPPWEILER (chair of the supervisory authority), First Advocate-General
  • Ms Tine A. LARSEN, chair of the CNPD
  • Mr Thierry LALLEMANG, commissioner of the CNPD
Last update