HR compliance in Luxembourg is not an annual audit. It is a set of overlapping obligations — data protection, labour law, social security, taxation — that must hold all year round, and each one leaves a trace an auditor may ask to see. This checklist walks through the points every HR team or DPO should have under control in 2026. It is meant to help you structure the work, not to serve as legal advice: always confirm edge cases with your DPO or adviser, since the details often turn on your sector, your headcount and the collective agreements you apply.
The Luxembourg HR compliance landscape
Three bodies of rules overlap the moment you employ staff in Luxembourg. The GDPR, applied and supervised locally by the CNPD (the national data protection authority). The Labour Code, which governs contracts, working time, collective agreements and wage indexation. And the social security and tax layer, run by the CCSS (Centre commun de la sécurité sociale) and the ACD (the direct tax administration), with the Bureau RTS handling income tax withheld at source.
Depending on the sector, you also deal with the ITM (labour inspectorate) for employment law and, for financial-sector entities, the CSSF's expectations around outsourcing and ICT. The hard part is not knowing each rule in isolation, but making them coexist in a system that stays auditable. That is exactly what Luxembourg-focused HR compliance software is meant to solve.
GDPR Article 30 records of processing for HR
As the data controller, the employer must maintain a record of processing activities (ROPA) under Article 30 of the GDPR. For HR, that record must cover every processing activity: recruitment, payroll, working time, health data (sick leave, occupational health) and performance evaluation. For each one, you document:
- The purpose and the legal basis of the processing.
- The categories of data and of data subjects.
- The recipients (internal, processors, official bodies).
- The retention periods per category.
- Any transfer outside the EU/EEA and the safeguard relied on (Article 30 requires this too, where it applies).
- The technical and organisational security measures.
The classic trap: a record written once, then forgotten in a spreadsheet. A useful record is a living one — it reflects the processing you actually run and updates when a process changes. When a new tool is added, a vendor changes or a retention period is revised, the record should move with it. We explored this in our article "Compliance is never a module": the record should live inside the system, not beside it, so that it is accurate the day an auditor asks for it rather than reconstructed the night before.
Legal basis, data-subject rights and the 72-hour breach rule
Each HR processing activity needs a clear legal basis. In practice, "performance of the contract" does not cover everything: some operations rest on a legal obligation, others on legitimate interest, and an employee's consent is rarely a solid basis given the subordination relationship. When the right basis is unclear, record your reasoning and validate it with your DPO.
On data-subject rights, the HR team must be able to answer access, rectification, erasure and portability requests within the GDPR timeframes. That means knowing, for a given employee, where their data lives and who has accessed it. Finally, when a personal-data breach occurs, notification to the authority, the CNPD, is due without undue delay and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned; where the risk is high, the affected employees must be informed as well. That is only realistic if detection and logging are already in place: you cannot document a breach in 72 hours if you have no trace of who accessed what.
"The right question is not 'are we compliant?' but 'if the CNPD asked for our record and our access logs tomorrow, could we produce them in minutes?'."
Luxapps compliance team
CCSS and payroll declarations
In Luxembourg, the employer declares hires and departures, as well as monthly payroll and social contributions, to the CCSS. These declarations are both administrative and sensitive: a delay or an error feeds straight into the employee's social rights. The discipline expected is timeliness and accuracy, month after month.
In parallel, income tax is withheld at source (RTS) and paid over through the ACD's Bureau RTS. The rate depends notably on the employee's tax class: Class 1 (single, no dependent children), Class 1a (single with a dependent child, widowed, or aged 65 and over) and Class 2 (married or registered partners, benefiting from income splitting). The 2026 brackets are unchanged from 2025. A payroll system built for Luxembourg embeds these classes and automates the declarations rather than trusting them to a spreadsheet.
Multi-CCT and automatic wage indexation
Many organisations apply several collective agreements (conventions collectives de travail, CCT) across different employee populations. Pay scales, seniority steps and bonuses can differ from one group to another — this is "multi-CCT". Compliance means applying the right rule to the right employee, without error or omission, and being able to prove it.
On top of that sits automatic wage indexation (the échelle mobile). An index tranche of +2.5% is triggered when the six-month moving average of the consumer price index exceeds, by 2.5%, the level at which the previous tranche was triggered: wages, salaries and pensions then rise by 2.5%. It is a public-policy (ordre public) rule of the Labour Code: it cannot be derogated from downward, whether by contract or by collective agreement. The most recent indexation took effect on 1 June 2026 (+2.5%). In practice, your payroll system must apply it automatically, on the right date, across all affected pay.
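The trigger mechanics above are easy to state and easy to get subtly wrong in a spreadsheet (window length, strict versus non-strict comparison, compounding of the next trigger level, effective date). The following is an added example, not Luxapps code, that models them end to end: a six-month moving average over a CPI series, detection of each tranche, compounding of the trigger level, and pay computed for a given month with only the tranches already effective. The CPI values and the base level are constructed for the example and are not STATEC figures; the assumed effective date (first day of the month after the crossing) and the one-tranche-per-month simplification are stated in the code.

```python
"""Model of Luxembourg's automatic wage indexation (échelle mobile).

Added example, not Luxapps code. The CPI series and the base level are
constructed for the example and are not official STATEC figures.
Assumed mechanics: a tranche is due when the six-month moving average of
the CPI exceeds the last trigger level by 2.5%; it applies from the first
day of the following month; the next trigger level is the old one x 1.025;
at most one tranche is triggered per month (simplification).
"""
from decimal import Decimal, ROUND_HALF_UP

TRANCHE = Decimal("0.025")   # one index tranche = +2.5% on all pay
WINDOW = 6                   # months in the moving average

# Constructed CPI series (month -> index), chronological order.
SAMPLE_CPI = [
    ("2025-01", Decimal("101.0")), ("2025-02", Decimal("101.4")),
    ("2025-03", Decimal("101.8")), ("2025-04", Decimal("102.2")),
    ("2025-05", Decimal("102.6")), ("2025-06", Decimal("103.0")),
    ("2025-07", Decimal("103.4")), ("2025-08", Decimal("103.8")),
    ("2025-09", Decimal("104.2")), ("2025-10", Decimal("104.6")),
    ("2025-11", Decimal("105.0")), ("2025-12", Decimal("105.4")),
]


def next_month(ym: str) -> str:
    """'2025-12' -> '2026-01'."""
    year, month = (int(p) for p in ym.split("-"))
    year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return f"{year:04d}-{month:02d}"


def detect_tranches(cpi, last_trigger_level, window=WINDOW):
    """Walk the CPI series and return every tranche it triggers.

    last_trigger_level is the moving-average level at which the previous
    tranche was triggered; the next trigger sits 2.5% above it.
    """
    level = Decimal(last_trigger_level)
    values = [v for _, v in cpi]
    tranches = []
    for i in range(window - 1, len(cpi)):
        avg = sum(values[i - window + 1:i + 1]) / window
        trigger = level * (1 + TRANCHE)
        if avg > trigger:                       # strictly above the threshold
            month = cpi[i][0]
            tranches.append({
                "crossed_in": month,
                "effective_from": next_month(month),
                "average": avg,
                "trigger_level": trigger,
            })
            level = trigger   # next step compounds from the trigger level, not the actual average
    return tranches


def indexed_pay(base_pay, pay_month, tranches):
    """Pay for pay_month: base x 1.025 for each tranche already effective."""
    n = sum(1 for t in tranches if t["effective_from"] <= pay_month)
    amount = Decimal(base_pay) * (1 + TRANCHE) ** n
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    found = detect_tranches(SAMPLE_CPI, "100")
    for t in found:
        print(f"tranche crossed in {t['crossed_in']} (avg {t['average']}), "
              f"effective {t['effective_from']}")
    for m in ("2025-08", "2025-09"):
        print(m, indexed_pay("3000.00", m, found))
```

Two details worth carrying into a real implementation: the comparison is against a compounded trigger level (100 → 102.5 → 105.0625), not against the last observed average, and the pay calculation filters tranches by effective date so that a tranche crossed in August is not applied to August pay.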
Data retention and access control
HR and payroll documents carry statutory retention periods. Rather than quote exact figures that vary with the document type, hold on to the principle: statutory retention periods apply, and the system should carry them — deleting or archiving at the right moment, without depending on an administrator's memory. Keeping data too long is as much a compliance risk as keeping it too briefly.
The second pillar is access control. "Who can see what?" must have an answer per role and per resource, enforced server-side rather than merely hidden in the interface. A native audit log completes the picture: every payslip viewed or contract amended is traced, including denied attempts, and the log itself must be append-only and writable by no one who is subject to it. That is what makes the 72-hour rule workable and a CNPD review low-stress. Our HR compliance platform treats retention and logging as rules of the system, not as a manual procedure.
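What "enforced server-side, per role and per resource, with an audit log" looks like in code, for this passage and for the "who has accessed what" question raised under data-subject rights and breach notification above. This is an added example, not Luxapps code: the roles, resource kinds, users and timestamps are constructed for the illustration. Every access goes through one function that decides, records the decision (allowed or denied) and only then returns the document; the log can then be queried per data subject, which is exactly what a breach investigation or an access request needs.

```python
"""Server-side access control with an audit trail for HR records.

Added example, not Luxapps code. Roles, resource types and sample data
are constructed for the illustration. Two properties are shown: a
default-deny authorisation decision taken per role and per resource on
the server, and a log of every access attempt that can answer
"who accessed this employee's data, and when?".
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# (role, resource kind, action) tuples that are permitted; anything else is denied.
PERMISSIONS = {
    ("payroll", "payslip", "read"), ("payroll", "payslip", "write"),
    ("hr_admin", "contract", "read"), ("hr_admin", "contract", "write"),
    ("hr_admin", "payslip", "read"),
    ("manager", "contract", "read"),    # scoped to direct reports in decide()
    ("employee", "payslip", "read"),    # scoped to the employee's own documents
    ("employee", "contract", "read"),
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    reports: frozenset = frozenset()    # employee ids a manager supervises


@dataclass(frozen=True)
class Resource:
    kind: str           # "payslip" or "contract"
    employee_id: str    # the data subject the document belongs to
    ref: str            # document identifier


@dataclass
class AuditLog:
    """Append-only in memory here; in production, a write-once store."""
    entries: list = field(default_factory=list)

    def record(self, user, resource, action, allowed, reason, at=None):
        self.entries.append({
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "user": user.user_id, "role": user.role, "action": action,
            "resource": f"{resource.kind}:{resource.ref}",
            "subject": resource.employee_id,
            "allowed": allowed, "reason": reason,
        })

    def accesses_to(self, employee_id, allowed_only=True):
        """Entries about one data subject; denied attempts included on request."""
        return [e for e in self.entries
                if e["subject"] == employee_id and (e["allowed"] or not allowed_only)]


def decide(user, resource, action):
    """Authorisation decision: (allowed, reason). Never trusts the client."""
    if (user.role, resource.kind, action) not in PERMISSIONS:
        return False, "no permission for role"
    if user.role == "employee" and resource.employee_id != user.user_id:
        return False, "not the data subject"
    if user.role == "manager" and resource.employee_id not in user.reports:
        return False, "not a direct report"
    return True, "ok"


def access(user, resource, action, log, at=None):
    """The only path to a document: decide, log the outcome, then return or raise."""
    allowed, reason = decide(user, resource, action)
    log.record(user, resource, action, allowed, reason, at)
    if not allowed:
        raise PermissionError(f"{user.user_id}: {action} {resource.kind}:{resource.ref} denied ({reason})")
    return resource.ref


def run_demo():
    """Constructed sequence of accesses to one employee's documents."""
    alice = User("alice", "employee")
    bob = User("bob", "employee")
    carol = User("carol", "manager", frozenset({"alice"}))
    dave = User("dave", "payroll")
    payslip = Resource("payslip", "alice", "PS-2026-03-alice")
    contract = Resource("contract", "alice", "CT-alice")
    log = AuditLog()
    attempts = [(alice, payslip), (bob, payslip), (carol, contract), (carol, payslip), (dave, payslip)]
    for i, (user, res) in enumerate(attempts):
        try:
            access(user, res, "read", log, at=datetime(2026, 3, 2, 9, i, tzinfo=timezone.utc))
        except PermissionError:
            pass
    return log


if __name__ == "__main__":
    for e in run_demo().accesses_to("alice", allowed_only=False):
        print(e["at"], e["user"], e["resource"], "ALLOWED" if e["allowed"] else f"DENIED ({e['reason']})")
```

Note that the denial for the manager reading a payslip comes from the permission table, while the denial for a colleague reading someone else's payslip comes from the scope check; both are logged with the reason, so a review can distinguish a misconfigured role from an attempted overreach.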
Your 2026 checklist
In summary, here are the points to verify before year-end:
- Up-to-date Article 30 record covering recruitment, payroll, time and health data — purposes, legal bases, retention, recipients, security.
- Documented legal bases for each processing activity, without defaulting to employee consent.
- A working rights-response process (access, rectification, erasure, portability).
- Breach detection and notification ready for the 72-hour rule to the CNPD.
- CCSS declarations and RTS withholding up to date, with the correct tax classes.
- Multi-CCT and indexation applied automatically, including the 1 June 2026 indexation.
- Automated retention periods and role-based access control with a native audit log.
None of these points is insurmountable on its own. The difficulty comes from their accumulation and from the evidence you must produce. A tool that embeds these obligations by design turns compliance from an annual chore into a permanent property of the system — a principle we detail in our article on the HRIS built for Luxembourg.
Want a platform where the record, retention, declarations and access control are built in by construction rather than bolted on afterwards? Explore our HR compliance software for Luxembourg, hosted in Luxembourg and never outside the EU.