A website that collects an email address, a name, an analytics cookie or an IP address processes personal data. And a website processing personal data in Luxembourg must be GDPR compliant — not in theory, not “when we have time”, but now.
Most SMEs discover the topic in one of two ways: a formal notice from a client or competitor, or a CNPD inspection. In both cases, the bill is rarely pleasant: possible fines, reputation damage, and the obligation to fix everything in a hurry.
This checklist covers the eight points addressing 95% of cases. None requires a complete rebuild — most can be fixed in a few hours with a competent provider, or a few weeks if you handle it yourself.
Why GDPR isn’t optional (even for a local SME)
GDPR applies as soon as you process personal data of a person located in the EU, regardless of company size, legal form or revenue. It also applies if you’re based outside the EU but address your site to a European audience.
In Luxembourg, the supervisory authority is the CNPD. It can act following a complaint, an alert from another European authority, or on its own initiative. Sanctions range from a simple warning to fines of up to 4% of worldwide revenue.
The idea that “no one will inspect a small local SME” is wrong. The CNPD handles hundreds of complaints per year, and a dissatisfied client or former employee is enough to open a file.
Cookies banner: what’s actually compliant
This is the most visible element — and where divergences are most frequent. A compliant cookies banner respects five strict rules:
- No non-essential cookie is set before consent. Including Google Analytics, Meta Pixel, Hotjar, or any marketing pixel.
- Refusal is as easy as acceptance. An “Accept all” button without an equivalent “Reject all” button isn’t compliant. Neither are “X” closures without explicit choice.
- Consent is granular. The user can accept analytics while refusing marketing, for example.
- Consent is traceable. You must be able to prove, for each visitor, what they accepted and when.
- Withdrawing consent is as easy as giving it. A “Manage my cookies” link in the footer accessible at all times.
Not compliant: “cookie walls” blocking access if refused, pre-checking, banners that auto-close after 5 seconds as implied acceptance.
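The five rules above as a small consent gate in plain JavaScript. This is an added example, not code from the original article or from Slash.lu: the category names, the storage key and the memoryStorage helper are assumptions, and in a real page you would pass window.localStorage and wrap the Google Analytics or Meta Pixel script loaders as the loader callbacks.

```javascript
// Added example (not from the article): a minimal consent gate for
// non-essential scripts. Storage and loaders are injected so the logic can
// run outside a browser; in a page, pass window.localStorage and wrap the
// real analytics/marketing script loaders as the loader callbacks.

const CATEGORIES = ["analytics", "marketing"]; // assumed category set
const STORAGE_KEY = "consent-v1";               // assumed key name

// localStorage-compatible in-memory store (assumed helper, for tests/demo).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function createConsentManager(storage, now = () => new Date()) {
  const pending = {}; // category -> loaders waiting for consent

  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  // Traceability: persist exactly what was chosen and when. Categories not
  // explicitly set to true are recorded as refused (no pre-checking).
  function store(choices) {
    const rec = {
      version: 1,
      timestamp: now().toISOString(),
      choices: Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true])),
    };
    storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    // Only now do gated loaders run, and only for consented categories.
    for (const c of CATEGORIES) {
      if (rec.choices[c] && pending[c]) {
        pending[c].forEach((fn) => fn());
        pending[c] = [];
      }
    }
    return rec;
  }

  return {
    save: (choices) => store(choices),                       // granular choice
    acceptAll: () => store(Object.fromEntries(CATEGORIES.map((c) => [c, true]))),
    rejectAll: () => store({}),                              // one call, same as accepting
    withdraw: () => { storage.removeItem(STORAGE_KEY); },    // as easy as giving consent
    hasDecided: () => read() !== null,
    isAllowed: (c) => { const r = read(); return !!(r && r.choices[c]); },
    getRecord: () => read(),
    // Register a non-essential loader. It runs immediately if consent for its
    // category is already on record, otherwise only after a later consent.
    gate: (c, loader) => {
      if (!CATEGORIES.includes(c)) throw new Error("unknown category: " + c);
      const r = read();
      if (r && r.choices[c]) { loader(); return true; }
      if (!pending[c]) pending[c] = [];
      pending[c].push(loader);
      return false;
    },
  };
}

// Demo when run directly with Node.
if (typeof require !== "undefined" && require.main === module) {
  const cm = createConsentManager(memoryStorage());
  cm.gate("analytics", () => console.log("analytics loaded"));
  console.log("decided before banner:", cm.hasDecided()); // false, nothing loaded yet
  cm.save({ analytics: true });                            // visitor accepts analytics only
  console.log(cm.getRecord());
}
```

Two practical points. The "Reject all" button simply calls rejectAll() and must sit next to "Accept all" with the same prominence; the record it writes is a positive proof of refusal, not an absence of data. Withdrawal removes the record and blocks further loads, but a script that already executed in the current page keeps running until the page is reloaded, so a real "Manage my cookies" flow reloads after withdraw() and the stored record (plus a visitor identifier) is what you copy server-side to prove, per visitor, what was accepted and when.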
Mandatory legal notice in Luxembourg
In Luxembourg, the mandatory legal notice for a professional site includes:
- Full identity of the publisher: company name, legal form, share capital for companies, RCS number.
- Registered office address (not a PO box).
- VAT number if applicable.
- Direct contact email (not just a form).
- Phone number for e-commerce or service sites.
- Name of the publication manager.
- Hosting provider: company name, address, phone number.
- Privacy policy separately linked, clear and accessible from every page.
The INNOVALUX case, a SARL-s launched properly, illustrates what we should see by default: complete legal notice, accessible privacy policy, visible direct contact. It takes an afternoon to set up and saves weeks of complications.
Forms: trap fields and consent
Any form collecting personal data must respect three principles: minimisation, transparency, informed consent.
Minimisation: ask only what’s strictly necessary for your purpose. Requesting date of birth for a simple contact form is disproportionate.
Transparency: near the form (not in a generic policy three clicks away), clearly explain what happens to the data, who accesses it, how long it’s kept, how the user can delete it.
Informed consent: a non-pre-checked checkbox for each distinct purpose. Receiving a reply to a quote request = legitimate purpose, no checkbox needed. Adding this person to a marketing newsletter = distinct purpose, separate clear checkbox.
Trap fields to avoid: pre-filled email “recovered” from another source without consent, automatic newsletter subscription on form validation, pre-checking all options by default.
AutoRachat Luxembourg handles high volume (+75% conversion after rebuild) with a compliant form: minimal, transparent, explicit consent for post-evaluation communications. Compliance never hurt conversion — on the contrary, clarity reassures.
If you collect client testimonials, the same principle applies: written consent for use of name, photo, profession.
Hosting and data localisation
GDPR requires that transfers of data outside the EU are framed. Three cases:
EU hosting (Luxembourg, France, Germany, Netherlands, etc.): no transfer problem. Simplest case.
Hosting with a US provider with European servers (major hyperscalers offer European regions): technically data is in the EU, but the parent company being US-based, questions of applicable law remain. Solution: sign a standard DPA with the provider, including European Standard Contractual Clauses.
Direct US or non-EU/EEA hosting: strict legal framework needed (SCCs, certifications, or Data Privacy Framework for the US).
You must also know who has technical access to your data — covered in “Reclaim your website when the agency stops responding”. If your current provider alone can access the user database, you’re in a fragile position, even with compliant hosting.
Sub-processors: Google Analytics, Mailchimp, Stripe and others
Each third-party service processing data on your behalf is a sub-processor under GDPR. You must:
- Sign a DPA with each. Google, Stripe, Mailchimp, Brevo, HubSpot, etc. all offer a downloadable standard DPA. Keep it on file.
- List these sub-processors in your privacy policy with their purpose and location.
- Verify regularly the list stays up to date. A service discreetly added by a developer without declaration isn’t compliant.
Sellect Luxembourg, B2B platform with 150+ partner agencies, manages about ten active sub-processors. The discipline lies in an internal registry kept month by month — not a forgotten Excel sheet, a real operational document reviewed quarterly.
For Google Analytics 4 specifically: “IP anonymisation” + signed DPA + declaration in cookies policy covers requirements for most SMEs.
Retention period and user rights
For each category of data collected, you must have defined a retention period. Some benchmarks:
- Contact / quote requests: 3 years after the last exchange if no conversion.
- Active client accounts: duration of relationship + 5 years (commercial prescription in Luxembourg).
- Newsletter: as long as the user doesn’t unsubscribe, with re-consent every 24-36 months recommended.
- Server logs / analytics: 13 months maximum recommended.
Beyond retention, users have rights exercisable at any time: access, rectification, erasure (“right to be forgotten”), portability, opposition.
You must respond to any request within one month maximum, and provide a clear request channel (often a dedicated email like gdpr@).
In case of CNPD inspection: what’s requested
A CNPD inspection rarely starts unannounced. You receive a letter requesting specific elements:
- Privacy policy in its current version
- Complete legal notice
- Register of processing activities
- Signed DPAs with major sub-processors
- Cookies banner screenshots in various configurations
- Evidence of handling of rights requests over the last 12 months
- Procedure in case of data breach
You generally have 30 days to respond. A complete, structured, good-faith response usually results in a warning and correction requests. Absence of response or evident bad faith escalates the fines.
For international transfers, the consolidated official GDPR text remains the reference.
Frequently asked questions
My site is hosted on a European AWS server: is that enough to be compliant?
For data localisation, yes. For overall compliance, no — you need to sign AWS’s standard DPA (downloadable from the AWS console), document this sub-processor in your privacy policy, and apply European Standard Contractual Clauses by default. The signed DPA remains mandatory.
Do I need a DPO (Data Protection Officer) for an SME website in Luxembourg?
No in the majority of cases. DPO designation is only mandatory for public authorities, large-scale processing with regular monitoring of individuals, or large-scale processing of sensitive data. A standard SME with a showcase site, contact form and newsletter doesn’t need a DPO.
How long can I keep prospect emails without renewing consent?
For B2C prospecting, the practical rule is 3 years after the last contact or interaction. Beyond that, either re-solicit explicit consent or delete the data. For B2B, you can rely on legitimate interest if the target matches your activity and you offer clear unsubscribe at each send.
What to do if I discover a data breach on my site?
Notification to the CNPD within 72 hours of discovery, via the online notification portal. Information to affected persons if the breach presents a high risk. Prepare a notification template and internal procedure in advance — at the moment a breach occurs, it’s not the right time to think about format. Document every step.
Going further
Understand who really owns your user data beyond your website — domain, hosting, third-party accounts, source code — in “Who owns your website and how to verify”.
What we do at Slash.lu
When a client arrives with a GDPR question, we start by auditing the eight points of this checklist. We identify what’s compliant, what isn’t, and the priority order to fix. Technical fixes (cookies banner, legal notice, declared sub-processors) take a few days. Operational fixes (processing register, breach procedure, rights management) take a few weeks to settle into daily practice.
GDPR compliance isn’t a big budget. It’s a discipline. No package before we’ve looked at your situation, because each SME has its own processing scope.
Let's talk about your situation. Book a call — no commitment, reply within 24h.
→ Explore our web design service for the details of our method.