Data Privacy & Transfer in Investigations

Last verified on Thursday 15th September 2022

Data Privacy & Transfer in Investigations: Luxembourg

SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?

Luxembourg

The EU General Data Protection Regulation (2016/679) (the GDPR) is directly applicable in Luxembourg.

A number of provisions in the GDPR have particular relevance in the context of investigations. For example, processing of personal data must have a valid legal basis under GDPR. Establishing a legal basis in the context of an investigation is not always straightforward, particularly where investigations involve foreign authorities or courts and where the relevant data includes sensitive data. Restrictions on international transfers create additional complexity in the context of cross-border investigations, both in relation to transfers within an organisation (and with its advisers) and in relation to transfers to foreign authorities, courts and counterparties in litigation. All processing must comply with the data protection principles under the GDPR, including the principle that processing must be fair, lawful and transparent and the principle of data minimisation. It can be challenging to ensure compliance with these principles in the context of an investigation. 

Regarding cross-border investigations, Chapter VII of the GDPR sets out certain rules for the cooperation between European supervisory authorities and provides for a mechanism to ensure the consistent application of the GDPR throughout the European Union.

Answer contributed by , and

2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?

Luxembourg

Banking and insurance secrecy

Under the Luxembourg Act dated 5 April 1993 relating to the financial sector, as amended (known as the Banking Law), those subject to the supervision of the Luxembourg supervisory authority of the financial sector (the Commission de Surveillance du Secteur Financier, CSSF) pursuant to the Banking Law are prohibited from disclosing any information entrusted to them in the course of their professional duties to any third parties. This applies to credit institutions and other professionals in the financial sector (also known as PFS), as well as to members of their management, their directors and their employees. Banking secrecy also applies to the Luxembourg branches of overseas banks.

All client data is protected by banking secrecy, irrespective of whether the client is an individual, a company, a government body or otherwise.

There are a number of exceptions to banking secrecy, including when:

  • the disclosure is authorised by Luxembourg law, for example, under the Banking Law (as well as any law that predates the Banking Law); or
  • the disclosure is made with the client’s consent or on its specific instruction. In a note dated 1 March 2004 issued by the CSSF’s lawyers committee (the CODEJU), annexed to the CSSF's 2003 annual report, the CODEJU describes the conditions under which a client’s consent to a transfer of his or her client data may allow such a transfer without violating banking secrecy as set out in the Banking Law. This concept has not yet been tested in court. Since 2018, the Banking Law has expressly provided for the possibility to rely on a client’s consent in an outsourcing context, subject to certain conditions (see below).

In particular, information covered by banking secrecy may, under certain conditions, be disclosed to:

  • shareholders or partners whose status or capacity is a precondition for authorisation of the financial institution in question, insofar as this is necessary for the proper and prudent management of the institution, the risk assessment on a consolidated basis or the calculation of prudential ratios on a consolidated basis;
  • internal control bodies of companies forming part of the same group of companies as the credit institution or PFS, which may have access to information regarding specific business relations with clients, to the extent that this is needed for the global management of legal risks and risks to their reputation in connection with money laundering or the financing of terrorism (within the meaning of the law of 12 November 2004 on the fight against money laundering and terrorism financing);
  • companies forming part of the same financial conglomerate as the credit institution or PFS for information that these entities may exchange between them insofar as the information is necessary for the exercise of supplementary supervision of a financial conglomerate under the Banking Law;
  • the CSSF, foreign or European regulators responsible for prudential supervision of the financial sector;
  • any person established in Luxembourg, subject to the prudential supervision of the CSSF, the European Central Bank or the Commissariat aux Assurances (the CAA) and which is bound by a criminally sanctioned professional secrecy obligation, insofar as the information communicated to those professionals is provided under an agreement for the provision of services; or
  • service providers providing services to the credit institution/PFS in the context of an outsourcing arrangement provided that the client has accepted the outsourcing of services, the type of information to be transmitted in the framework of the outsourcing and the country of establishment of the service provider and provided that the service provider having access to confidential information is subject by law to professional secrecy or bound by a confidentiality agreement.

In accordance with articles 7 and following of the Law of 7 December 2015 on the insurance sector, those subject to the prudential supervision of the CAA or a foreign supervisory authority for the exercise of an activity covered by that law, including insurance and reinsurance undertakings and pension funds, are subject to insurance secrecy. The requirements on insurance secrecy largely mimic those on banking secrecy, including their exceptions (mutatis mutandis).

A breach of banking or insurance secrecy is punishable by imprisonment of eight days to six months and a fine of €500 to €5,000 for individuals, or a fine of €500 to €10,000 for legal persons, and may also lead to administrative sanctions.

The answers to the questions below are subject to the above considerations regarding banking and insurance secrecy, and an analysis of whether these secrecy requirements affect each response must be made.

General professional secrecy

Article 458 of the Luxembourg Criminal Code is the general basis for professional secrecy in Luxembourg. It provides that doctors, surgeons, health officers, pharmacists, midwives and all other persons who, by status or by profession, are custodians of secrets entrusted to them, and who reveal those secrets (except where they are called upon to testify in court or where the law obliges them to disclose them), shall be punished by imprisonment of eight days to six months and a fine of €500 to €5,000 for individuals, or a fine of €500 to €10,000 for legal persons.

Article 458 of the Luxembourg Criminal Code also covers communications with lawyers. Specific rules on attorney-client privilege are set out under article 35 of the law of 10 August 2011 on the legal profession.

3. What constitutes personal data for the purposes of data protection laws?

Luxembourg

The GDPR defines “personal data” as any data relating to a living individual who can be identified directly or indirectly from that data, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Data that is truly anonymised will not be “personal data” for the purposes of the GDPR, as it does not identify the individual. Data is not truly anonymised if a re-identification of the individuals to which the data relates remains possible by means reasonably likely to be used. Pseudonymised data – information no longer attributable to a specific data subject without the use of additional information, kept separately and subject to appropriate measures – remains personal data for the purposes of the GDPR.

The GDPR only applies to data relating to natural living persons. It does not cover data relating to legal persons or deceased natural persons.

4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?

Luxembourg

The GDPR applies to any "processing" of personal data, which is defined broadly and includes any activity performed on personal data (whether or not by automated means). A number of examples are provided in the GDPR, including the collection, use, disclosure and destruction or erasure of personal data.

The direct obligations under the GDPR apply primarily to controllers. A controller is defined in the GDPR as a person who (either alone or jointly with others) determines the purposes for which and the manner in which any personal data are processed. However, the GDPR also imposes certain direct obligations on processors. A processor is defined in the GDPR as a person who processes personal data on behalf of the controller.

In the context of investigations, the organisation on whose behalf the investigation is carried out would presumably qualify as a controller. The party assisting with the investigation would qualify either as a controller or as a processor, depending notably on the level of influence it exerts over the essential means of the processing, such as which and whose data are processed, for how long they are processed and who has access to them. Law firms and auditing firms typically qualify as independent controllers, particularly given the level of independence their role requires.

As regards the territorial scope, the GDPR applies to processing of personal data, as defined above, in either of the following cases:

  • the processing takes place in the context of the activities of an establishment of a controller or a processor in the Union or in a place where member state law applies by virtue of public international law, regardless of whether the processing itself takes place in the Union or not; or
  • the processing concerns personal data of data subjects who are in the Union where the processing activities are related to: (i) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (ii) the monitoring of their behaviour as far as their behaviour takes place within the Union, regardless of whether the controller or processor is established in the Union or not.

5. What are the principal requirements under data protection laws that are relevant in the context of investigations?

Luxembourg

Organisations must comply with the GDPR when they process personal data (ie, information relating to an identified or identifiable natural person), whether in the context of investigations or not.

The GDPR imposes different obligations depending on the role of the parties as a controller or a processor. Where more than one controller is involved in the processing, it must also be verified whether these controllers qualify as joint controllers, ie when two or more parties jointly determine purposes and means of a processing operation.

The relationship between a controller and a processor must be governed by a data processing agreement in accordance with article 28 GDPR. The relationship between joint controllers must be governed by a so-called joint-controllership agreement as per article 26 GDPR.

The GDPR requires all processing of personal data to have a lawful basis in accordance with article 6 GDPR.  

In the case of an investigation, there are presumably two relevant lawful bases: compliance with a legal obligation to which the controller is subject or pursuance of a legitimate interest by the controller or a third party. The legitimate interest could, for instance, arise in the prevention of fraud, the establishment, exercise or defence of legal claims, or the compliance with a legal obligation to which a third party is subject. The consent of the data subject is rarely an appropriate lawful basis in the context of an investigation as it can be withdrawn at any time and it risks falling short of the requirement to be freely given, especially in respect of employees.

Strict requirements apply where the investigation involves the processing of special categories of personal data, meaning personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. The processing of these categories of data is generally prohibited, unless one of the exemptions under article 9(2) GDPR applies. In the case of an investigation, the following exemptions are potentially relevant:

  • the data subject has given his or her explicit consent to the processing for one or more specified purposes;
  • the processing relates to personal data that are manifestly made public by the data subject;
  • the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
  • the processing is necessary for reasons of substantial public interest, on the basis of Union or member state law, where this is proportionate to the relevant aim and safeguards the rights and interests of data subjects.

Where the processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out a data protection impact assessment in accordance with article 35 GDPR. The guidance of the European Data Protection Board provides for factors to take into account when determining whether there is such high-risk processing. The controller must notably carry out a data protection impact assessment if the investigation involves the monitoring of employees.

The controller must also provide the data subjects with a privacy notice informing them about the processing of their personal data in accordance with articles 13 and 14 GDPR.

Aside from the right to information, data subjects enjoy certain other rights, such as the right of access and the right to object to the processing (see question 11).  

In accordance with the accountability principle, the controller must also be able to demonstrate compliance with its obligations under the GDPR. Controllers and processors must notably maintain a record of processing activities.

Furthermore, according to Chapter V of the GDPR, personal data may not be transferred to a country or territory outside the European Economic Area (EEA) unless the European Commission has decided that the third country or territory ensures an adequate level of protection or if the controller or processor has set in place appropriate safeguards as well as legal remedies and guarantees for the protection of data subject rights (see question 17).

Finally, the investigation must also respect the right to privacy at work. If the processing of personal data in the context of the investigation qualifies as monitoring of employees (eg, CCTV, use of access badges, monitoring the use of IT devices, recording of telephone conversations), the employer must comply with article L.261-1 of the Luxembourg Labour Code, which requires, among other things, notifying the employee representatives or, if no employee representation has been put into place, the labour inspectorate (Inspection du Travail et des Mines) about the envisaged processing. In accordance with the secrecy of correspondence, it is in principle prohibited to open an employee's private communications, except under certain conditions, notably where there is a strong suspicion of concealment of improper use (eg, marking an email as “private” although its content is of a business nature).

6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.

Luxembourg

The data protection requirements applicable to the different parties involved in the investigation depend on their role under the GDPR, ie whether they qualify as controller or processor.

Under the GDPR, the role of the parties involved in the processing must be assessed on a factual basis and cannot be determined based on contractual provisions. The organisation in the interest of which the investigation is carried out presumably qualifies as the controller (ie, the party that determines the purposes and means of the processing). This is, in principle, the case for the company carrying out an internal investigation.

The party assisting with the investigation qualifies either as a controller or as a processor, depending notably on the level of influence that party exerts over the essential means of the processing, such as which and whose data are processed, for how long they are processed and who has access to them. Law firms and auditing firms typically qualify as independent controllers, particularly given the level of independence their role requires. A processor, on the other hand, processes personal data on behalf of the controller and does not pursue its own purposes when doing so.

Where more than one controller is involved in the processing, it must also be verified whether these controllers qualify as joint controllers (ie, they jointly determine purposes and means of a processing operation).

The relationship between a controller and a processor must be governed by a data processing agreement in accordance with article 28 GDPR. The relationship between joint controllers must be governed by a so-called joint-controllership agreement in accordance with article 26 GDPR.

Most data protection requirements are directed toward controllers.

  • The controller is notably responsible for determining the lawful basis for the processing and ensuring compliance with the rights of the data subjects, such as informing the data subjects about the processing of their personal data and responding to their requests to exercise their rights.
  • The controller must also carry out a data protection impact assessment where the processing is likely to result in a high risk to the rights and freedoms of natural persons, such as in the case of employee monitoring.
  • The controller must ensure that the transfer of personal data to countries outside the EEA does not undermine the level of data protection afforded under the GDPR.
  • If the processing relates to the employees of the controller, the controller must verify whether the processing qualifies as employee monitoring. If it does, the controller must comply with article L.261-1 of the Luxembourg Labour Code, which requires, among other things, notifying the employee representatives or, if no employee representation has been put into place, the labour inspectorate about the envisaged processing.

Certain data protection requirements are specifically directed toward processors. Under the GDPR, these requirements mostly stem from the mandatory terms that the data processing agreement with the controller needs to include in accordance with Article 28 GDPR. These notably include obligations to:

  • not process the personal data otherwise than on the instructions of the controller;
  • assist the controller with responding to requests for exercising the data subject’s rights and with the compliance of the controller’s obligations with regard to the security of the processing, data protection impact assessments and prior consultations with the supervisory authorities;
  • notify the controller without undue delay on becoming aware of a personal data breach; and
  • impose, when engaging another processor (whether with the general or specific authorisation of the controller), the same data protection obligations as set out in the data processing agreement with the controller.

In addition, the GDPR also imposes certain obligations that apply both to controllers and processors. These include obligations to:

  • implement appropriate technical and organisational measures to protect personal data;
  • maintain a written record of processing activities (for a processor, of the processing carried out on behalf of each controller);
  • designate a data protection officer where required; and
  • appoint a representative (when not established in the EU) in certain circumstances.

RIGHTS OF INDIVIDUALS

7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?

Luxembourg

The consent of the data subject is one of several legal bases for processing of personal data under the GDPR. Data subject consent is therefore not mandatory for the processing of personal data, but consent must be obtained if no other legal basis is available.

8. If not mandatory, should consent still be considered when planning and carrying out an investigation?

Luxembourg

Consent may be considered as an enabling action when planning an investigation. However, obtaining valid consent can be practically challenging, and processing of personal data in reliance solely on this ground is rarely appropriate.

One reason is that consent must be specific and informed. In other words, the data subject should agree to processing of his or her data only for explicit purposes that he or she is made aware of in advance of giving consent. In practice, this is rarely the case, as consent given by data subjects is often generic and not specific to the investigation.

In addition, a data subject must be able to withdraw consent easily and at any time. This is a right that cannot be contracted out of and could be difficult to manage in the context of the investigation.  

9. Is consent given by employees likely to be valid in an investigation carried out by their employer?

Luxembourg

Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties. According to the European Data Protection Board guidelines, consent included within an employment contract, or obtained generally by an employer from an employee, is unlikely to be valid for this reason.

10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?

Luxembourg

The GDPR requires consent to be a statement or a clear affirmative act, freely given, specific and informed. Consent can also be withdrawn at any time and must be as easy to withdraw as to give.

In addition, if relied upon as a basis for processing sensitive data under article 9 GDPR or for international transfers to third countries, consent must also be “explicit”. As per the European Data Protection Board’s guidelines, the “explicit” nature of consent refers to the way it is expressed, ie that it should be given as an explicit statement, by the means of a written and a signed statement or an oral statement. A controller may therefore wish to obtain consent by means of an additional formality to demonstrate “explicit” consent (eg, a wet ink signature or a tick box that expressly uses the word “consent”).

Consent can be obtained through a website or other electronic means. Whether consent given in advance, such as through general terms and conditions or account opening information, is sufficient for the purposes of the GDPR depends, among other things, on the balance of power between the controller and data subject and the specificity of the wording. Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties. Consent included within an employment contract, or obtained generally by an employer from an employee, is unlikely to be valid for this reason.

Written requests for consent must be clearly distinguishable from other matters, be intelligible, be easily accessible and use clear and plain language. This means that consent should not be hidden among other terms and conditions. Hence, there is a risk that generic consent provided through general terms and conditions is not specific and informed, and so not validly given by the data subject.

The controller should also consider the requirement for consent to the processing for sensitive data to be explicit (ie be given as an explicit statement).

11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

Luxembourg

Right of access

A data subject has a right to request information regarding whether their personal data is being processed, known as a data subject access request (DSAR). The information that can be requested includes a description of the data, the purpose for which it is being processed and to whom it may be disclosed. The controller must also provide a copy of the personal data to the data subject.

A controller is not required to provide personal data in response to a “manifestly unfounded or excessive” request from a data subject (article 12(5) GDPR) or where this would adversely affect the rights and freedoms of others (article 15(4) GDPR).

Right of erasure

Data subjects have the right to obtain from the controller the erasure of their personal data without undue delay if one of the specified grounds applies. This includes where the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or where the data subject has withdrawn consent (and there is no other legal ground for the processing).

Right to object

In certain circumstances, such as when a controller is relying upon their legitimate interests (or those of a third party) or the processing is necessary for performing tasks in the public interest or in the exercise of official functions, data subjects have a right to object to the processing of personal data concerning them at any time. A controller must adhere to this objection unless it can demonstrate compelling legitimate grounds for the processing that override the interests of the data subject, or if the processing is necessary within legal proceedings.

A data subject also has the right to obtain a restriction of processing from the controller where he or she believes the relevant personal data is inaccurate, the processing is unlawful or the controller no longer needs the data for the purposes of the processing. In the latter case, the data subject can require the controller to limit the processing to what is required in the context of legal proceedings.

EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER

12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?

Luxembourg

Additional requirements of the GDPR apply where the third party qualifies as a processor (ie, where the third party processes personal data on behalf of the controller without pursuing its own purposes).

The controller must use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing meets the requirements of the GDPR. A written contract to this effect must be entered into between the processor and controller (article 28 GDPR). This contract must include a description of the data processing activities and require the processor, among other things, to:

  • act only on the documented instructions of the controller (including with regard to international transfers of data to a third country);
  • ensure that persons who process the data have committed to confidentiality or are under a statutory duty of confidentiality;
  • implement appropriate security measures in accordance with the GDPR;
  • engage a sub-processor only with the prior authorisation of the controller;
  • assist the controller in carrying out its obligations to respond to requests by data subjects to exercise their rights under the GDPR; and
  • assist the controller in ensuring its compliance with its data security obligations.

Where a processor engages a sub-processor, the contract between them must reflect the same data protection obligations as set out in the contract between the controller and the processor.

These provisions of the GDPR apply to processors within the same corporate group in the same way as to other third-party processors.

Another aspect to consider is the location of the third party. In case it is located outside of the European Economic Area, the provisions regarding international transfer of personal data will apply.

13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?

Luxembourg

A transfer of personal data to a third-party law firm for the purposes of providing legal advice needs to be analysed in the same way as any other transfer of personal data, and so it must be carried out in compliance with the GDPR.

This means that sharing personal data with law firms for the purpose of providing legal advice is in principle permitted; however, the controller must ensure that it complies with the general requirements of the GDPR.

Particularly relevant here is the data minimisation principle, which requires that no more data is shared than is necessary in relation to the purpose pursued. The data subject must also receive prior information about such processing in accordance with articles 13 and 14 GDPR. Moreover, where the law firm is located in a country outside of the European Economic Area, the controller must ensure that the country concerned is covered by an adequacy decision of the European Commission or that the transfer is otherwise protected by appropriate safeguards, such as standard contractual clauses combined, where appropriate, with supplementary technical and organisational measures that ensure the Union level of data protection is maintained.

14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?

Luxembourg

While the qualification of a party as either controller or processor depends on the case-by-case analysis of the factual situation, a generally adopted position is that law firms act as independent controllers.

Consequently, the client and the law firm are independently responsible for complying with data protection laws.

15. What is the position and status of legal process outsourcing firms under data protection laws?

Luxembourg

The qualification of a party as either controller or processor depends on the case-by-case analysis of the factual situation, in particular whether the party factually (not only contractually) “determines the purposes and means of the processing of personal data” (article 4(7) GDPR).

In general, where the legal process outsourcing firm is regulated as a law firm or requires a similar level of independence, it qualifies in all likelihood as an independent controller.

However, if the legal process outsourcing firm processes personal data only on the instructions of the controller and, in particular, does not pursue its own purposes, such as compliance with a legal obligation, then it will likely qualify as a processor.


16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

Luxembourg

No, there are no additional requirements that regulate the disclosure of data to third parties in Luxembourg.


17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

Luxembourg

The GDPR distinguishes between transfers to other jurisdictions within the EEA and transfers of data to jurisdictions outside the EEA.

Within the EEA

A transfer of personal data from this jurisdiction to a processor or controller in another EEA member state must comply with the same requirements as if the transfer were made within the jurisdiction.

Outside the EEA

Personal data subject to the GDPR cannot be transferred to a country or territory outside the EEA unless that third country or territory provides an adequate level of data protection.

The European Commission has determined that certain non-EEA countries and recipients ensure an adequate level of protection for personal data, and so a transfer can be made to them without the data transferor being subject to additional requirements.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the UK and Uruguay as providing adequate protection.

In the absence of an adequacy decision, the controller as transferor could provide appropriate safeguards by entering into standard contractual clauses (SCC) approved by the European Commission or adopting binding corporate rules.

However, in the C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems decision, the European Court of Justice clarified that the SCCs approved by the European Commission are solely intended to provide contractual guarantees that apply uniformly in all third countries, and that they may not provide strong enough safeguards where they can be overridden by the legislation of the third country concerned. In that case, the data exporter should combine the SCCs with additional technical and organisational measures, such as encryption and pseudonymisation of personal data, to ensure that the level of protection afforded under the GDPR is not undermined.

In the absence of other possibilities, and subject to strict interpretation, personal data may exceptionally be transferred outside of the EEA if one of the following derogations, among others, applies:

  • the data subject has consented to the transfer (as noted above, this consent should be explicit as well as freely given, specific, informed and unambiguous and the data subject must have been made aware of the possible risks);
  • the transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion of a contract between the controller and a person other than the data subject, which is entered into in the data subject’s interests;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims; or
  • the transfer is necessary to protect the vital interests of the data subject.

Where none of the above derogations is available, a transfer to a third country may take place if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests of the controller (which are not overridden by the interests or rights and freedoms of the data subject), and the controller has assessed all the circumstances surrounding the transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. This ground for processing may only be relied upon where no other legal basis is available. The controller shall inform the supervisory authority of the transfer and, in addition to providing the information referred to in Articles 13 and 14 GDPR, shall inform the data subject of the transfer and on the compelling legitimate interests pursued. This derogation is unlikely to be of practical application in the context of an investigation.


18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?

Luxembourg

Local counsel is not aware of any specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations.


TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

Luxembourg

The transfer of personal data to regulators and enforcement authorities within the jurisdiction must comply with the GDPR in the same way as any other processing (see question 7). In particular, a legal basis must be established under article 6 GDPR.


20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

Luxembourg

Within the EEA

The transfer of personal data to regulators or enforcement authorities in a country within the EEA is generally permissible under the GDPR.

The controller must, however, ensure that it complies with the general requirements under the GDPR. In particular, the controller must ensure that the transfer has a lawful basis. Such a lawful basis presumably exists where the controller receives an order from the regulator or enforcement authority concerned to transfer the data. The controller must also inform the data subject about the transfer, unless it is restricted from doing so in accordance with article 23 GDPR.

Outside the EEA

The transfer of personal data to regulators or enforcement authorities in a country outside the EEA is subject to additional restrictions beyond the general requirements listed above. Whether in the context of investigations or not, personal data cannot be transferred to countries outside the EEA that have not been recognised by the European Commission as providing an adequate level of data protection unless an exemption applies or appropriate safeguards are put in place. Article 49 of the GDPR provides for derogations from the requirement for an adequacy decision or for implementing safeguards in certain circumstances, including where the transfer is necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims.

Under article 48 GDPR, a decision of a third-country administrative authority, court or tribunal does not in itself justify a transfer of personal data, unless the decision is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or Luxembourg.

This means that the controller may in practice only transfer personal data to a regulator or enforcement authority in a foreign country where such transfer is based on a request made through a mutual legal assistance treaty or where the controller ensures that the level of protection afforded in the European Union is not undermined by the transfer. The data transfer restrictions of the GDPR remain otherwise applicable.


21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

Luxembourg

The recipient of such a request may consider taking the following steps, among others:

  • Consider if there is a legal obligation to respond to the request and, if so, to what extent. This includes reviewing the legality of the request, where appropriate.
  • Consider also whether the recipient is subject to banking secrecy, insurance secrecy or any other professional secrecy obligation that could have an additional impact.
  • Seek further information in writing from the requesting regulator to evaluate the purpose of the request.
  • If possible, challenge the request if there are grounds to do so or negotiate the scope of the request: for example, to target the specific information required for the purposes of the regulatory investigation.
  • In accordance with the principles of data minimisation and anonymisation, limit the scope of any data disclosed and transferred to that necessary for the purpose.
  • Consider whether it is practicable to obtain data subject consent and/or give a further privacy notice.
  • Put in place a data processing agreement if data will be transferred to an affiliate or third party (acting as a processor).
  • Consider transfer via an MLAT: in some cases, it may be possible to ask the requesting court or regulator to request the data through an MLAT or other international agreement instead.


ENFORCEMENT AND SANCTIONS

22. What are the sanctions and penalties for non-compliance with data protection laws?

Luxembourg

The possible sanctions under the GDPR are defined in article 83 GDPR, and may be imposed by the Luxembourg National Commission for Data Protection (CNPD) in the Luxembourg jurisdiction according to the Law of 1 August 2018 organising the National Commission for Data Protection and the implementation of the GDPR.

There is a tiered approach to penalties for breaches of the GDPR. This permits data protection authorities to impose fines for some infringements of up to the higher of 4 per cent of annual worldwide turnover and €20 million (eg, for breaches of the requirements relating to cross-border transfers or of the principles for processing, such as the conditions for consent). Other specified infringements attract a fine of up to the higher of 2 per cent of annual worldwide turnover and €10 million.

The GDPR contains a list of points to consider when imposing fines, such as the nature, gravity and duration of the infringement.

A data subject who suffers material or non-material damage as a result of a breach of the GDPR by a controller may bring a civil claim for compensation.


RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

Luxembourg

EU General Data Protection Regulation (2016/679)

Law of 1 August 2018 organising the National Commission for Data Protection and the general data protection regime (Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et du régime général sur la protection des données)
