What is the Sandkëscht programme?
The CNPD regulatory sandbox is a collaborative environment coordinated by the National Data Protection Commission to enable organizations to test projects or applications while meeting GDPR requirements.
What is the purpose of the regulatory sandbox?
Its main objective is to enable organisations to innovate and tackle new technologies while ensuring that their projects or applications comply with data protection principles without compromising the privacy of individuals.
Who can access the Sandkëscht program?
Any establishment registered in Luxembourg. And whatever its size, sector of activity or status.
What are the steps to access the CNPD regulatory sandbox?
Organizations must submit their application to the CNPD by completing the Expression of Interest form.
Does the CNPD provide IT infrastructure or data?
No, the CNPD does not intend to provide a computer architecture or technical tests. The project leader assumes full responsibility for his/her information system and other architectural elements throughout the experimentation
What are the concrete benefits of participating in the CNPD initiative?
Direct collaboration with the data protection authority, through an open discussion, makes it possible to address data protection issues. Proactive and iterative cooperation helps detect and correct potential privacy breaches or security breaches prior to deployment into production, reducing the risk of non-compliance for more secure, responsible and privacy-friendly innovation.
How long does the participation in the Sandkëscht programme take?
The duration of use may vary depending on the complexity of the project or application and the requirements of the CNPD, but is generally limited to a reasonable period (from 9 to 18 months) to perform adequate testing.
What are the consequences in case of non-compliance with the rules of the CNPD regulatory sandbox?
Projects may be temporarily or permanently suspended depending on the results of the experiment. In addition, organizations may be denied access to the sandbox in the future and may be subject to additional investigations or sanctions for serious GDPR violations.
How is the confidentiality of projects monitored in the sandbox treated?
The information exchanged between the CNPD and the participating organisation within the framework of the "Regulatory Sandbox" will be treated confidentially. Communications on the Sandkëscht programme will be discussed with relevant stakeholders. If the participation is to remain confidential, only the general outlines can be shared in a high level manner with respect to the confidentiality requirements concluded with the participating organisation.
