3.1. Contractual clauses

Data exporters can use a series of appropriate safeguards enabling transfers to countries not offering an adequate level of protection. One of these safeguards is the possibility for controllers to offer adequate protection through a contract, which is binding for those who send the data and those who receive them, and which contains sufficient safeguards to protect the personal data.

3.1.1.       Standard data protection clauses

To help controllers, the European Commission has adopted standard contractual clauses (or “model contracts”) that are considered to offer sufficient safeguards in light of the applicable data protection rules.

The following standard data protection clauses may be used without an authorisation from the CNPD:

The controller or processor should always be able to present its standard data protection clauses when requested so by the CNPD (for example, in case of a control or audit).

More information:


3.1.2.       “Ad hoc” clauses

If controllers or processors do not use for the European Commission's standard contractual clauses, they can draft their own contractual clauses (“ad hoc” clauses) offering sufficient data protection safeguards. These clauses must be submitted to the CNPD in accordance with Article 46 (3) (a) of the GDPR. These clauses will subsequently have to be approved by the European Data Protection Board in accordance with Article 46 (4) of the GDPR through the consistency mechanism.

In accordance with Regulation n°7/2020 of 3 April 2020 of the National Data Protection Commission laying down the amount and payment terms of the fees within the framework of its powers of authorisation and consultation, each controller or processor established on the territory of Luxembourg, who submits contractual clauses to the CNPD for authorisation pursuant to Article 46 paragraph (3) letter a) of the GDPR, must pay a fee of 1.500 € to the CNPD.

More information:

Dernière mise à jour