Yes. Luxembourg’s National Commission for Data Protection (CNPD) is now a qualified entity authorized to bring class-action litigation on behalf of consumers whose GDPR rights have been violated. The authority gained this power after Luxembourg’s parliament passed legislation amending the Consumer Code on October 30, 2025, making Luxembourg one of the last EU member states to complete transposition of the EU Representative Actions Directive (RAD).
What Does It Mean for the CNPD to Be a “Qualified Entity”?
A qualified entity is an organization legally recognized to bring representative or collective actions on behalf of consumers without requiring each individual to file separately. Under Luxembourg’s amended Consumer Code, qualified entities now include established sectoral regulatory bodies such as the CNPD, approved consumer associations, and entities registered on recognized EU and EEA lists for consumer protection.
This means the CNPD can now file a single lawsuit representing a class of affected data subjects, pursue injunctive relief to stop ongoing GDPR violations, and seek remedies for consumers at scale, rather than processing thousands of individual complaints one by one.
Historically, Luxembourg had no formal procedure for mass actions, though courts had permitted informal “test case” mechanisms. The Madoff litigation was among the most notable examples of this workaround. The October 2025 legislation replaced that patchwork with a structured, statutory framework.
Why Does This Matter for GDPR Enforcement?
GDPR already permitted a limited form of collective action. Under Article 80, not-for-profit organizations could bring claims on behalf of data subjects who granted them a mandate to do so. What Luxembourg’s new law adds is a direct, regulatory path: the CNPD itself, as a supervisory authority, can now initiate representative actions without needing to be sponsored by a nonprofit or gather individual mandates first.
This significantly lowers the barrier to collective GDPR enforcement. Consider the scale involved: when the CNPD fined Amazon 746 million euros in July 2021, that case originated from a complaint filed by 10,000 individuals through the French privacy rights group La Quadrature du Net. Under the new framework, the CNPD could potentially bring a comparable action on its own initiative.
GDPR enforcement has accelerated sharply in recent years. EU data protection authorities issued more than 2.9 billion euros in fines between 2018 and 2024. With qualified entity status, the CNPD’s ability to drive that number higher just expanded considerably.
How Does Luxembourg’s Class-Action Procedure Work Under the New Law?
Under the amended Consumer Code, collective actions are filed before the District Court of Luxembourg sitting in commercial matters. The procedure can be written or oral. A filing must include individual cases presented in support of the action, a description of the consumers affected, and the specific measures being requested.
Actions may be brought by:
- Established sectoral regulators, including the CNPD, CSSF (financial sector), ILR, ALIA, ILNAS, and others
- Approved consumer associations representing members from one or more EU member states
- Qualified entities from other EU or EEA member states registered on recognized consumer protection lists
One notable limitation in the final version of the law: individual consumers cannot initiate collective actions on their own. Earlier drafts had included this option, but it was removed following a critical opinion from the Conseil d’Etat. The mechanism for out-of-court settlement was also revised, with the ad hoc mechanism replaced by Luxembourg’s general mediation framework.
What Types of GDPR Violations Could Trigger a Class Action?
Any systematic violation affecting a definable class of consumers is a candidate. Based on the CNPD’s recent enforcement history, the highest-risk areas include:
Consent and behavioral advertising. The Amazon case, upheld by Luxembourg’s Administrative Court in March 2025, centered on the processing of user data for targeted advertising without valid consent. The court confirmed the 746 million euro fine in full, ruling that commercial benefit cannot justify bypassing consent requirements under Article 6 GDPR.
Failure to honor data subject rights. Inadequate responses to access requests under Article 15, failures to honor deletion rights under Article 17, and blocked objection rights under Article 21 were all cited in the Amazon ruling.
Transparency violations. The court found Amazon’s disclosures to users about data processing were inadequate, unclear, and in some cases misleading. Transparency failures at scale are well-suited to representative action because the harm, while sometimes diffuse, is broadly shared.
Approximately 77% of organizations were actively working on AI governance as of 2025, according to IAPP research, suggesting widespread recognition that automated systems and data practices need closer attention. Class-action exposure gives companies operating in Luxembourg additional incentive to close compliance gaps before the CNPD acts rather than after.
Is Luxembourg a Significant GDPR Jurisdiction?
Disproportionately so, given its size. Luxembourg is home to the European headquarters of Amazon, a substantial portion of Meta’s European operations, and numerous financial services firms. Because GDPR enforcement jurisdiction follows the location of an organization’s EU establishment, the CNPD has served as lead supervisory authority for some of the largest data processors in the world.
The 746 million euro Amazon fine remains the largest fine imposed by any EU data protection authority against a single controller. Luxembourg’s new class-action framework means that future violations by companies established there could face not just regulatory fines from the CNPD, but representative litigation brought by that same authority on behalf of affected consumers.
What Should Companies Do in Response?
Companies with European operations established in Luxembourg should treat the CNPD’s new status as a prompt to conduct a compliance review with specific attention to consent mechanisms, the completeness of responses to data subject requests, and the transparency of privacy disclosures. The combination of regulatory fining power and representative litigation authority in a single body creates a concentration of enforcement risk that did not exist before October 2025.
Frequently Asked Questions
When did the CNPD become a qualified entity? The enabling legislation, amending Luxembourg’s Consumer Code to transpose the EU Representative Actions Directive, was passed by parliament on October 30, 2025.
Can individual consumers bring class actions in Luxembourg? No. The final version of the law removed that option. Only qualified entities, including regulators and approved associations, can initiate collective actions.
Does this affect companies outside Luxembourg? It can. If your organization’s EU establishment is in Luxembourg, the CNPD is likely your lead supervisory authority under GDPR. The new litigation powers extend to any violations affecting consumers that fall within the CNPD’s supervisory scope.
Is this the same as the EU Representative Actions Directive? Yes. Luxembourg’s October 2025 legislation transposes Directive 2020/1828 on representative actions for the protection of the collective interests of consumers. Luxembourg was among the last EU member states to complete this transposition.
What court hears these cases? The District Court of Luxembourg, sitting in commercial matters.
