SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?
The EU General Data Protection Regulation (2016/679) (the GDPR) is directly applicable in Luxembourg. It is supplemented at national level by the Law of 1 August 2018 on the organisation of the National Data Protection Commission (the CNPD) and the general data protection framework, which designates the CNPD as the competent supervisory authority.
A number of provisions in the GDPR have particular relevance in the context of investigations. For example, processing of personal data must have a valid legal basis under GDPR. Establishing a legal basis in the context of an investigation is not always straightforward, particularly where investigations involve foreign authorities or courts and where the relevant data includes sensitive data. Restrictions on international transfers create additional complexity in the context of cross-border investigations, both in relation to transfers within an organisation (and with its advisers) and in relation to transfers to foreign authorities, courts and counterparties in litigation. All processing must comply with the data protection principles under the GDPR, including the principle that processing must be fair, lawful and transparent and the principle of data minimisation. It can be challenging to ensure compliance with these principles in the context of an investigation.
Regarding cross-border investigations, Chapter VII of the GDPR sets out rules for cooperation between European supervisory authorities and provides for a mechanism to ensure the consistent application of the GDPR throughout the European Union.
Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner
Allen & Overy LLP
2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?
Banking and insurance secrecy
Under the Luxembourg Act dated 5 April 1993 relating to the financial sector, as amended (known as the Banking Law), persons subject to the supervision of the Luxembourg supervisory authority for the financial sector (the Commission de Surveillance du Secteur Financier, CSSF) pursuant to the Banking Law are prohibited from disclosing to any third party information entrusted to them in the course of their professional duties. This applies to credit institutions and other professionals of the financial sector (also known as PFS), as well as to the members of their management bodies, their directors and their employees. Banking secrecy also applies to the Luxembourg branches of overseas banks.
All client data is protected by banking secrecy, irrespective of whether the client is an individual, a company, a government body or otherwise.
There are a number of exceptions to banking secrecy. Exceptions to banking secrecy include when:
- the disclosure is authorised by Luxembourg law, for example, under the Banking Law (as well as any law that predates the Banking Law); or
- the disclosure is made with the client's consent or on its specific instruction. In a note dated 1 March 2004 issued by the CSSF's legal committee (the CODEJU) and annexed to the CSSF's 2003 annual report, the CODEJU describes the conditions under which a client's consent to a transfer of his or her client data may allow that transfer without violating banking secrecy as set out in the Banking Law. This concept has not yet been tested in court. Since 2018, the Banking Law expressly provides for the possibility to rely on a client's consent in an outsourcing context, subject to certain conditions (see below).
In particular, information covered by banking secrecy may, under certain conditions, be disclosed to:
- shareholders or partners whose status or capacity is a precondition for authorisation of the financial institution in question, insofar as this is necessary for the proper and prudent management of the institution, the risk assessment on a consolidated basis or the calculation of prudential ratios on a consolidated basis;
- internal control bodies of companies forming part of the same group of companies as the credit institution or PFS, as regards information on specific business relations with clients, to the extent that this is needed for the global management of legal risks and reputational risks in connection with money laundering or the financing of terrorism (within the meaning of the law of 12 November 2004 on the fight against money laundering and terrorism financing);
- companies forming part of the same financial conglomerate as the credit institution or PFS for information that these entities may exchange between them insofar as the information is necessary for the exercise of supplementary supervision of a financial conglomerate under the Banking Law;
- the CSSF, foreign or European regulators responsible for prudential supervision of the financial sector;
- any person established in Luxembourg, subject to the prudential supervision of the CSSF, the European Central Bank or the Commissariat aux Assurances (the CAA) and which is bound by a criminally sanctioned professional secrecy obligation, insofar as the information communicated to those professionals is provided under an agreement for the provision of services; or
- service providers providing services to the credit institution/PFS in the context of an outsourcing arrangement provided that the client has accepted the outsourcing of services, the type of information to be transmitted in the framework of the outsourcing and the country of establishment of the service provider and provided that the service provider having access to confidential information is subject by law to professional secrecy or bound by a confidentiality agreement.
In accordance with articles 7 and following of the Law of 7 December 2015 on the insurance sector, those subject to the prudential supervision of the CAA or a foreign supervisory authority for the exercise of an activity covered by that law, including insurance and reinsurance undertakings and pension funds, are subject to insurance secrecy. The requirements on insurance secrecy largely mimic those on banking secrecy, including their exceptions (mutatis mutandis).
A breach of banking or insurance secrecy is punishable by imprisonment from eight days to six months and a fine of €500 to €5,000 for individuals, or a fine of €500 to €10,000 for legal persons, and may also lead to administrative sanctions.
The answers to the questions below are subject to the above developments regarding banking and insurance secrecy and an analysis of whether these secrecy requirements may affect each of the responses must be made.
General professional secrecy
Article 458 of the Luxembourg Criminal Code is the general basis for professional secrecy in Luxembourg. It provides that doctors, surgeons, health officers, pharmacists, midwives and all other persons who, by reason of their status or profession, are custodians of secrets entrusted to them, and who reveal those secrets other than where they are called upon to testify in court or where the law obliges them to disclose them, shall be punished by imprisonment from eight days to six months and a fine of between €500 and €5,000 for individuals, or a fine of €500 to €10,000 for legal persons.
Article 458 of the Luxembourg Criminal Code also covers communications with lawyers. Specific rules on attorney-client privilege are set out in article 35 of the law of 10 August 2011 on the legal profession.
3. What constitutes personal data for the purposes of data protection laws?
The GDPR defines “personal data” as any data relating to a living individual who can be identified directly or indirectly from that data, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Data that is truly anonymised is not "personal data" for the purposes of the GDPR, as it no longer identifies the individual. Data is not truly anonymised if re-identification of the individuals to whom the data relates remains possible by means reasonably likely to be used; a low-entropy identifier that has merely been hashed, for example, can often be recovered by trying candidate values. Pseudonymised data, meaning information that can no longer be attributed to a specific data subject without the use of additional information that is kept separately and subject to appropriate technical and organisational measures, remains personal data for the purposes of the GDPR.
The GDPR only applies to data relating to living natural persons. It does not cover data relating to legal persons or to deceased natural persons.
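The difference between pseudonymisation and anonymisation is easier to see in code. The following Python example is added here as an illustration; it is not part of the original answer or of the authors' materials. The records, the key and the candidate list are constructed for the example. The key plays the role of the "additional information" that must be kept separately: holding it allows the tokens to be linked back to a person, and the data therefore remains personal data. The unkeyed variant at the end shows why plain hashing of an e-mail address is not anonymisation either, since anyone with a list of candidate addresses can reverse it.

```python
import hashlib
import hmac

# Constructed sample records for the example (not from any real dataset):
# an investigation export in which the e-mail address is the direct identifier.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "amount": 1200, "country": "LU"},
    {"email": "bob@example.com", "amount": 80, "country": "DE"},
    {"email": "alice@example.com", "amount": 300, "country": "LU"},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed token for a direct identifier.

    The key is the 'additional information' that the GDPR requires to be kept
    separately. Without it a token cannot be linked back to the identifier.
    """
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key: bytes):
    """Return a copy of the records with the e-mail replaced by its HMAC token.

    The same person always receives the same token, so an investigator can
    still link one person's transactions without seeing who the person is.
    """
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_id"] = pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def reidentify(token: str, candidates, key: bytes):
    """Link a token back to an identifier.

    This only succeeds for whoever holds both the key and a candidate list,
    which is exactly why pseudonymised data remains personal data.
    """
    for candidate in candidates:
        if hmac.compare_digest(pseudonym(candidate, key), token):
            return candidate
    return None


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier: NOT a safe pseudonymisation for
    low-entropy values such as e-mail addresses."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def reverse_unkeyed(token: str, candidates):
    """Anyone holding a candidate list (a staff directory, a leaked address
    list) reverses an unkeyed hash simply by hashing every candidate."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    key = b"constructed-example-key-keep-separately"  # assumption: stored apart from the data
    for row in pseudonymise(SAMPLE_RECORDS, key):
        print(row)
```

In this model the investigation team works only on the tokenised records, while the key and the candidate list stay with the controller. Rotating the key for a new matter prevents tokens from being linked across investigations. The unkeyed hash needs no separate key at all, so a dictionary attack over plausible addresses is a "means reasonably likely to be used" and the hashed export is still personal data.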
4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?
The GDPR applies to any "processing" of personal data, which is defined broadly and includes any activity performed on personal data (whether or not by automated means). A number of examples are provided in the GDPR, including the collection, use, disclosure and destruction or erasure of personal data.
The direct obligations under the GDPR apply primarily to controllers. A controller is defined in the GDPR as a person who (either alone or jointly with others) determines the purposes for which and the manner in which any personal data are processed. However, the GDPR also imposes certain direct obligations on processors. A processor is defined in the GDPR as a person who processes personal data on behalf of the controller.
In the context of investigations, the organisation on whose behalf the investigation is carried out would presumably qualify as a controller. The party assisting with the investigation would qualify either as a controller or as a processor, notably depending on the level of influence it exerts on the essential means of the processing, such as which and whose data are processed, for how long they are processed and who has access to them. Law firms and auditing firms typically qualify as independent controllers, particularly given the level of independence their role requires.
As regards the territorial scope, the GDPR applies to processing of personal data, as defined above, in either of the following cases:
- the processing takes place in the context of the activities of an establishment of a controller or a processor in the Union or in a place where member state law applies by virtue of public international law, regardless of whether the processing itself takes place in the Union or not; or
- the processing concerns personal data of data subjects who are in the Union, where the processing activities are related to: (i) the offering of goods or services to such data subjects in the Union, irrespective of whether a payment by the data subject is required; or (ii) the monitoring of their behaviour, as far as their behaviour takes place within the Union, regardless of whether the controller or processor is established in the Union.
5. What are the principal requirements under data protection laws that are relevant in the context of investigations?
Organisations must comply with the GDPR when they process personal data (ie, information relating to an identified or identifiable natural person), whether in the context of investigations or not.
The GDPR imposes different obligations depending on whether a party acts as a controller or a processor. Where more than one controller is involved in the processing, it must also be verified whether these controllers qualify as joint controllers, ie, whether two or more parties jointly determine the purposes and means of a processing operation.
The relationship between a controller and a processor must be governed by a data processing agreement in accordance with article 28 GDPR. The relationship between joint controllers must be governed by a so-called joint-controllership agreement as per article 26 GDPR.
The GDPR requires all processing of personal data to have a lawful basis in accordance with article 6 GDPR.
In the case of an investigation, there are presumably two relevant lawful bases: compliance with a legal obligation to which the controller is subject or pursuance of a legitimate interest by the controller or a third party. The legitimate interest could, for instance, arise in the prevention of fraud, the establishment, exercise or defence of legal claims, or the compliance with a legal obligation to which a third party is subject. The consent of the data subject is rarely an appropriate lawful basis in the context of an investigation as it can be withdrawn at any time and it risks falling short of the requirement to be freely given, especially in respect of employees.
Strict requirements apply where the investigation involves the processing of special categories of personal data, meaning personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. The processing of these categories of data is generally prohibited, unless one of the exemptions under article 9(2) GDPR applies. In the case of an investigation, the following exemptions are potentially relevant:
- the data subject has given his or her explicit consent to the processing for one or more specified purposes;
- the processing relates to personal data that are manifestly made public by the data subject;
- the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
- the processing is necessary for reasons of substantial public interest, on the basis of Union or member state law, where this is proportionate to the relevant aim and safeguards the rights and interests of data subjects.
Where the processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out a data protection impact assessment in accordance with article 35 GDPR. The guidance of the European Data Protection Board provides for factors to take into account when determining whether there is such high-risk processing. The controller must notably carry out a data protection impact assessment if the investigation involves the monitoring of employees.
The controller must also provide the data subjects with a privacy notice informing them about the processing of their personal data in accordance with articles 13 and 14 GDPR.
Aside from the right to information, data subjects enjoy certain other rights, such as the right of access and the right to object to the processing (see question 11).
In accordance with the accountability principle, the controller must also be able to demonstrate compliance with its obligations under the GDPR. Controllers and processors must notably maintain a record of processing activities.
Furthermore, according to Chapter V of the GDPR, personal data may not be transferred to a country or territory outside the European Economic Area (EEA) unless the European Commission has decided that the third country or territory ensures an adequate level of protection or if the controller or processor has set in place appropriate safeguards as well as legal remedies and guarantees for the protection of data subject rights (see question 17).
Finally, the investigation must also respect the right to privacy at work. If the processing of personal data in the context of the investigation qualifies as monitoring of employees (eg, CCTV, use of access badges, monitoring the use of IT devices, recording of telephone conversations), the employer must comply with article L.261-1 of the Luxembourg Labour Code, which requires, among other things, notifying the employee representatives or, if no employee representation has been put in place, the labour inspectorate (Inspection du Travail et des Mines) of the envisaged processing. In accordance with the secrecy of correspondence, it is in principle prohibited to open an employee's private communications, except under certain conditions, notably where there is a strong suspicion that the private label is being used to conceal improper use (eg, an email marked as "private" although its content is of a business nature).
6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.
The data protection requirements applicable to the different parties involved in the investigation depend on their role under the GDPR, ie whether they qualify as controller or processor.
Under the GDPR, the role of the parties involved in the processing must be assessed on a factual basis and cannot be determined based on contractual provisions. The organisation in the interest of which the investigation is carried out presumably qualifies as the controller (ie, the party that determines the purposes and means of the processing). This is, in principle, the case for the company carrying out an internal investigation.
The party assisting with the investigation either qualifies as a controller or processor, notably depending on the level of influence that party exerts on the essential means of the processing, such as which and whose data shall be processed, for how long shall they be processed and who shall have access to them. Law firms and auditing firms typically qualify as independent controllers particularly given the level of independence their role requires. A processor, on the other hand, processes personal data on behalf of the controller and does not pursue own purposes when doing so.
Where more than one controller is involved in the processing, it must also be verified whether these controllers qualify as joint controllers (ie, they jointly determine purposes and means of a processing operation).
The relationship between a controller and a processor must be governed by a data processing agreement in accordance with article 28 GDPR. The relationship between joint controllers must be governed by a so-called joint-controllership agreement in accordance with article 26 GDPR.
Most data protection requirements are directed toward controllers.
- The controller is notably responsible for determining the lawful basis for the processing and ensuring compliance with the rights of the data subjects, such as informing the data subjects about the processing of their personal data and responding to their requests to exercise their rights.
- The controller must also carry out a data protection impact assessment where the processing is likely to result in a high risk to the rights and freedoms of natural persons, such as in the case of employee monitoring.
- The controller must ensure that any transfer of personal data to countries outside the EEA does not undermine the level of protection afforded under the GDPR.
- If the processing relates to the controller's employees, the controller must verify whether the processing qualifies as employee monitoring. If it does, the controller must comply with article L.261-1 of the Luxembourg Labour Code, which requires, among other things, notifying the employee representatives or, if no employee representation has been put in place, the labour inspectorate of the envisaged processing.
Certain data protection requirements are specifically directed toward processors. Under the GDPR, these requirements mostly stem from the mandatory terms that the data processing agreement with the controller needs to include in accordance with Article 28 GDPR. These notably include obligations to:
- not process the personal data otherwise than on the instructions of the controller;
- assist the controller with responding to requests for exercising the data subject’s rights and with the compliance of the controller’s obligations with regard to the security of the processing, data protection impact assessments and prior consultations with the supervisory authorities;
- notify the controller without undue delay on becoming aware of a personal data breach; and
- when engaging another processor (with the general or specific authorisation of the controller), impose on that other processor the same data protection obligations as those set out in the data processing agreement with the controller.
In addition, the GDPR also imposes certain obligations that apply both to controllers and processors. These include obligations to:
- implement appropriate technical and organisational measures to protect personal data;
- maintain a written record of processing activities (for a processor, a record of the categories of processing carried out on behalf of each controller);
- designate a data protection officer where required; and
- appoint a representative (when not established in the EU) in certain circumstances.