Luxembourg Sees Surge in GDPR Complaints
Luxembourg’s data protection authority, the Commission nationale pour la protection des données (CNPD), recorded a significant increase in complaints during 2025. The authority received 846 new complaints, representing a 40% rise compared with 2024. Over the year, it handled 1,909 complaint files in total.
The complaints show that individuals are paying closer attention to how organizations collect, use, retain, and share personal data. The right of access was the most common concern, accounting for 25% of complaints. This right allows people to ask an organization whether it processes their personal data and, where applicable, obtain a copy of that information.
Requests for erasure accounted for 22% of complaints, while 21% concerned the lawfulness of processing. Under the GDPR, organizations must have a valid legal basis before processing personal data, such as consent, contractual necessity, a legal obligation, or legitimate interests. They must also provide clear information to individuals and respect requests to exercise their data protection rights.
The CNPD also reported that human error remained the leading cause of personal data breaches in 2025. Nearly half of notified breaches, or 49%, resulted from mistakes, including incorrect handling of data and accidental disclosure. Cyberattacks and disclosures to unauthorized recipients were also reported, showing the continued need for practical staff training, access controls, and effective incident-response procedures.
Artificial intelligence and data governance were further priorities for the CNPD during the year. As EU rules on AI and data use become applicable, the authority continued discussions with regulators and organizations developing new technologies. Its work included supporting GDPR compliance, approving Luxembourg’s first sector-specific GDPR code of conduct, and continuing work on certification tools.