Data Privacy & Transfer in Investigations

Last verified on Thursday 30th September 2021

Data Privacy & Transfer in Investigations: Luxembourg

Catherine Di Lorenzo, Thomas Berger and Paul Wagner

Allen & Overy LLP

SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?

Luxembourg

The EU General Data Protection Regulation (2016/679) (the GDPR) is directly applicable in this jurisdiction.

A number of provisions in the GDPR have particular relevance in the context of investigations. For example, processing of personal data must have a valid legal basis under GDPR. Establishing a legal basis in the context of an investigation is not always straightforward, particularly where investigations involve foreign authorities or courts and where the relevant data includes sensitive data. Restrictions on international transfers create additional complexity in the context of cross-border investigations, both in relation to transfers within an organisation (and with its advisers) and in relation to transfers to foreign authorities, courts and counterparties in litigation. All processing must comply with the data protection principles under the GDPR, including the principle that processing must be fair, lawful and transparent and the principle of data minimisation. It can be challenging to ensure compliance with these principles in the context of an investigation. 

Regarding cross-border investigations, Chapter VII of the GDPR sets out certain rules for the cooperation between European supervisory authorities and provides for a mechanism to ensure the consistent application of the GDPR throughout the European Union.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?

Luxembourg

Banking and insurance secrecy

Under the Luxembourg Act dated 5 April 1993 relating to the financial sector, as amended (known as the Banking Law), those subject to the supervision of the Luxembourg supervisory authority of the financial sector (the Commission de Surveillance du Secteur Financier, CSSF) pursuant to the Banking Law are prohibited from disclosing any information entrusted to them in the course of their professional duties to any third parties. This applies to credit institutions and other professionals in the financial sector (also known as PFS), as well as to members of their management, directors and their employees. Banking secrecy also applies to the Luxembourg branches of overseas banks.

All client data is protected by banking secrecy, irrespective of whether the client is an individual, a company, a government body or otherwise.

There are a number of exceptions to banking secrecy, including when:

  • the disclosure is authorised by law, for example, under the Banking Law (as well as any law that predates the Banking Law); or
  • the disclosure is made with the client’s consent or its specific instruction (in a note dated 1 March 2004 issued by the CSSF’s lawyers committee (the CODEJU), annexed to the CSSF's 2003 annual report, the CODEJU describes the conditions under which a client’s consent to a transfer of his or her client data may result in such transfer without violating banking secrecy as set out in the Banking Law; this concept has not yet been tested in court). Since 2018, the Banking Law expressly provides for the possibility to rely on the client’s consent in an outsourcing context, subject to certain conditions (see below).

In particular, information covered by banking secrecy may, under certain conditions, be disclosed to:

  • shareholders or partners whose status or capacity is a precondition for authorisation of the financial institution in question, insofar as this is necessary for the proper and prudent management of the institution, the risk assessment on a consolidated basis or the calculation of prudential ratios on a consolidated basis;
  • internal control bodies of companies forming part of the same group of companies as the credit institution or PFS, for information regarding specific business relations with clients, to the extent that this is needed for the global management of legal risks and risks to their reputation in connection with money laundering or the financing of terrorism (within the meaning of the law of 12 November 2004 on the fight against money laundering and terrorism financing);
  • companies forming part of the same financial conglomerate as the credit institution or PFS for information that these entities may exchange between them insofar as the information is necessary for the exercise of supplementary supervision of a financial conglomerate under the Banking Law;
  • the CSSF, foreign or European regulators responsible for prudential supervision of the financial sector;
  • any person established in Luxembourg, subject to the prudential supervision of the CSSF, the European Central Bank or the Commissariat aux Assurances (the CAA) and which is bound by a criminally sanctioned professional secrecy obligation, insofar as the information communicated to those professionals is provided under an agreement for the provision of services; or
  • service providers providing services to the credit institution/PFS in the context of an outsourcing arrangement provided that the client has accepted the outsourcing of services, the type of information to be transmitted in the framework of the outsourcing and the country of establishment of the service provider and provided that the service provider having access to confidential information is subject by law to professional secrecy or bound by a confidentiality agreement.

In accordance with articles 7 and following of the Law of 7 December 2015 on the insurance sector, those subject to the prudential supervision of the CAA or a foreign supervisory authority for the exercise of an activity covered by that law, including insurance and reinsurance undertakings and pension funds, are subject to insurance secrecy. The requirements on insurance secrecy largely mimic those on banking secrecy, including their exceptions (mutatis mutandis).

A breach of banking or insurance secrecy is subject to an imprisonment from eight days to six months and a fine of €500 to €5,000 and may lead to administrative sanctions.

The answers to the questions below are subject to the above developments regarding banking and insurance secrecy and an analysis of whether these secrecy requirements may affect each of the responses must be made.

General professional secrecy

Article 458 of the Luxembourg Criminal Code is the general basis for professional secrecy in Luxembourg. It provides that doctors, surgeons, health officers, pharmacists, midwives and all other persons who are custodians, by state or by profession, of the secrets entrusted to them, and who, except in cases where they are called upon to testify in court and where the law obliges them to make these secrets known, have revealed them, shall be punished by imprisonment from eight days to six months and a fine of between €500 and €5,000.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

3. What constitutes personal data for the purposes of data protection laws?

Luxembourg

The GDPR defines “personal data” as any data relating to a living individual who can be identified directly or indirectly from that data, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Data that is truly anonymised will not be “personal data" for the purposes of the GDPR, as it does not identify the individual. Data is not truly anonymised if a re-identification of the individuals to which the data relates by reasonably available means remains possible. Pseudonymised data – information no longer attributable to a specific data subject without the use of additional information, kept separately and subject to appropriate measures – remains personal data for the purposes of the GDPR.

The GDPR only applies to natural living persons. It does not cover legal persons or deceased natural persons.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?

Luxembourg

The GDPR applies to "processing", which is defined broadly and includes any activity in relation to personal data (whether or not by automated means). A number of examples are provided in the GDPR, including the collection, use, disclosure and destruction or erasure of personal data.

The direct obligations under the GDPR apply primarily to controllers. A controller is defined in the GDPR as a person who (either alone or jointly with others) determines the purposes for which and the manner in which any personal data are processed.

However, the GDPR also imposes certain direct obligations on processors. A processor is defined in the GDPR as a person who processes personal data on behalf of the controller.

As regards the territorial scope, the GDPR applies to processing of personal data, as defined above, in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

Further, the GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (i) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (ii) the monitoring of their behaviour as far as their behaviour takes place within the Union.

The GDPR also applies to the processing of personal data by a controller not established in the Union, but in a place where member state law applies by virtue of public international law.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

5. What are the principal requirements under data protection laws that are relevant in the context of investigations?

Luxembourg

When processing personal data (ie, information relating to an identified or identifiable natural person) in the context of investigations, organisations must comply with GDPR.

Under the GDPR, the role of the parties involved in the processing must be determined in accordance with a fact-based analysis. The organisation, on whose behalf the investigation is carried out, presumably qualifies as the controller, ie, the party that determines the purposes and means of the processing.

The party assisting with the investigation qualifies either as a controller or as a processor, notably depending on the level of influence that party exerts on the essential means of the processing, such as which and whose data shall be processed, for how long they shall be processed and who shall have access to them. Law firms and auditing firms typically qualify as independent controllers, particularly given the level of independence their role requires. A processor, on the other hand, processes personal data on behalf of the controller and does not pursue its own purposes when doing so.

Where more than one controller is involved in the processing, it must also be verified, in light of the available guidance and jurisprudence, whether these controllers qualify as joint controllers.

The relationship between a controller and a processor must be governed by a data processing agreement in accordance with article 28 GDPR. The relationship between joint controllers must be governed by a so-called joint-controllership agreement in accordance with article 26 GDPR.

The GDPR also requires that the processing has a lawful basis. In the case of an investigation, there are presumably two possible lawful bases available: the compliance with a legal obligation to which the controller is subject or the pursuance of a legitimate interest by the controller or a third party. The legitimate interest could, for instance, arise in the prevention of fraud, the establishment, exercise or defence of legal claims, or the compliance with a legal obligation to which a third party is subject. The consent of the data subject is rarely an appropriate lawful basis in the context of an investigation as it can be withdrawn at any time and as it risks falling short of the requirement to be freely given, especially in respect of employees.

Strict requirements apply where the investigation involves the processing of special categories of personal data, meaning personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. The processing of these categories of data is generally prohibited, unless one of the exemptions under article 9(2) GDPR applies. In the case of an investigation, the following exemptions are potentially relevant:

  • the data subject has given his or her explicit consent to the processing for one or more specified purposes;
  • the processing relates to personal data that are manifestly made public by the data subject;
  • the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
  • the processing is necessary for reasons of substantial public interest, on the basis of Union or member state law, where this is proportionate to the relevant aim and safeguards the rights and interests of data subjects.

Where the processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out a data protection impact assessment in accordance with article 35 GDPR. The guidance of the European Data Protection Board provides for factors to take into account when determining whether there is such high risk processing. The controller must notably carry out a data protection impact assessment if the investigation involves the monitoring of employees.

The controller must provide the data subjects with a privacy notice informing them about the processing of their personal data in accordance with article 13 or 14 GDPR, depending on whether the personal data are obtained directly from the data subject or not.

Aside from the right to information, data subjects enjoy certain other rights, such as the right of access and the right to object to the processing, which the controller must be able to comply with if their conditions are fulfilled.

Under Chapter V of the GDPR personal data may not be transferred to a country or territory outside the European Economic Area (EEA) unless the European Commission has decided that the third country or territory ensures an adequate level of protection or if the controller or processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Moreover, in accordance with the accountability principle, the controller must be able to demonstrate compliance with its obligations under the GDPR. Controllers and processors must notably maintain a record of processing activities.

Finally, the investigation must also respect the right to privacy at work. If the processing of personal data in the context of the investigation qualifies as monitoring of employees (eg, CCTV, use of access badges, monitoring the use of IT devices, recording of telephone conversations), the employer must comply with article L.261-1 of the Luxembourg Labour Code, which requires, among others, notifying the employee representatives or, if no employee representation has been put into place, the labour inspectorate (Inspection du Travail et des Mines) about the envisaged processing. In accordance with the secrecy of correspondence, it is in principle prohibited to open private communications of an employee, except under certain conditions, notably where there is a strong suspicion of concealment of improper use (eg, marking an email as “private” although its content is of a business nature).

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.

Luxembourg

The data protection requirements applicable to the different parties involved in the investigation depend on their role under the GDPR, ie whether they qualify as controller or processor.

Under the GDPR, the role of the parties involved in the processing must be assessed on a factual basis. It cannot be determined, for instance, based on contractual provisions. The organisation in the interest of which the investigation is carried out presumably qualifies as the controller (ie, the party that determines the purposes and means of the processing). This is, in principle, the case for the company carrying out an internal investigation.

The party assisting with the investigation qualifies either as a controller or as a processor, notably depending on the level of influence that party exerts on the essential means of the processing, such as which and whose data shall be processed, for how long they shall be processed and who shall have access to them. Law firms and auditing firms typically qualify as independent controllers, particularly given the level of independence their role requires. A processor, on the other hand, processes personal data on behalf of the controller and does not pursue its own purposes when doing so.

Where more than one controller is involved in the processing, it must also be verified, in light of the available guidance and jurisprudence, whether these controllers qualify as joint controllers.

The relationship between a controller and a processor must be governed by a data processing agreement in accordance with article 28 GDPR. The relationship between joint controllers must be governed by a so-called joint-controllership agreement in accordance with article 26 GDPR.

Most data protection requirements are directed towards controllers. The controller is notably responsible for determining the lawful basis for the processing and for ensuring compliance with the rights of the data subjects, such as by informing the data subjects about the processing of their personal data and by responding to their requests to exercise their rights. The controller must also carry out a data protection impact assessment where the processing is likely to result in a high risk to the rights and freedoms of natural persons, such as in the case of employee monitoring, and must ensure that the transfer of personal data to countries outside of the EEA does not undermine the level of data protection afforded in the European Union.

If the processing relates to the employees of the controller, the controller must verify whether the processing qualifies as employee monitoring. If it does, the controller must comply with article L.261-1 of the Luxembourg Labour Code, which requires, among others, notifying the employee representatives or, if no employee representation has been put into place, the labour inspectorate about the envisaged processing.

Certain data protection requirements are specifically directed towards processors. Under the GDPR, these requirements mostly stem from the mandatory terms that the data processing agreement with the controller needs to include in accordance with article 28 GDPR. The processor must not process the personal data otherwise than on the instructions of the controller. The processor must also assist the controller with responding to requests for exercising the data subjects’ rights and with the controller’s compliance with its obligations regarding the security of the processing, data protection impact assessments and prior consultations with the supervisory authorities. When engaging another processor, whether with the general or specific authorisation of the controller, the processor must impose on the other processor the same data protection obligations as set out in the data processing agreement with the controller.

In addition, the GDPR also imposes certain obligations that apply directly to controllers and processors. These include an obligation to: (i) implement appropriate technical and organisational measures to protect personal data; (ii) maintain a written record of processing activities carried out on behalf of each controller; (iii) designate a data protection officer where required; (iv) appoint a representative (when not established in the EU) in certain circumstances; and (v) notify the controller without undue delay on becoming aware of a personal data breach.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

RIGHTS OF INDIVIDUALS

7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?

Luxembourg

The consent of the data subject is one possible legal basis for processing of personal data under the GDPR. Data subject consent is therefore not mandatory for the processing of personal data, but consent must be obtained if no other legal basis is available.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

8. If not mandatory, should consent still be considered when planning and carrying out an investigation?

Luxembourg

Consent may be considered as an enabling action when planning an investigation. However, obtaining consent can be practically challenging, and proceeding with processing of personal data in reliance solely on this ground is rarely appropriate. One reason is that consent must be capable of being specific and informed. This is rarely the case as often such consent is generic and not specific to an investigation.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

9. Is consent given by employees likely to be valid in an investigation carried out by their employer?

Luxembourg

Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties. Consent included within an employment contract, or obtained generally by an employer from an employee, is unlikely to be valid for this reason.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?

Luxembourg

There is no prescribed form for the consent, but it should be freely given, specific, informed and unambiguous. In addition, to the extent relied upon as a basis for international transfers, consent must also be explicit. Consent can also be withdrawn at any time and must be as easy to withdraw as to give.

In the case of sensitive data, where consent is relied upon to provide a legal basis under article 9 GDPR, it must also be explicit. A controller may therefore wish to obtain consent by means of an additional formality to demonstrate “explicit” consent (eg, a wet ink signature or a tick box that expressly uses the word “consent”).

Consent can be obtained through a website or other electronic means.

Whether consent given in advance, such as through general terms and conditions or account opening information, is sufficient for the purposes of the GDPR depends, among other things, on the balance of power between the controller and data subject and the specificity of the wording. Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties. Consent included within an employment contract, or obtained generally by an employer from an employee, is unlikely to be valid for this reason.

Written requests for consent must be clearly distinguishable from other matters, be intelligible, be easily accessible and use clear and plain language. This means that consent should not be hidden among other terms and conditions. In any event, there is a risk that a generic consent provided through general terms and conditions is not specific and informed, and so not validly given by the data subject.

The controller should also consider the requirement for consent to the processing for sensitive data to be explicit.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

Luxembourg

Right of access

A data subject has a right to request information regarding whether their personal data is being processed, known as a data subject access request (DSAR). The information that can be requested includes a description of the data, the purpose for which it is being processed and to whom it may be disclosed. The controller must also provide a copy of the personal data to the data subject.

A controller is not required to provide personal data in response to a “manifestly unfounded or excessive” request from a data subject (article 12(5) GDPR) or where this would adversely affect the rights and freedoms of others (article 15(4) GDPR).

Right to rectification and erasure

Data subjects have the right to request rectification of any personal data relating to them that is inaccurate, and completion of any incomplete data, including by way of a supplementary statement. There is an obligation on a controller under the GDPR to ensure the personal data it keeps is accurate.

Data subjects have the right to obtain from the controller the erasure of their personal data without undue delay if one of the specified grounds applies. This includes where the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or where the data subject has withdrawn consent (and there is no other legal ground for the processing).

Right to object

In certain circumstances, such as when a controller is relying upon their legitimate interests (or those of a third party) or the processing is necessary for performing tasks in the public interest or in the exercise of official functions, data subjects have a right to object to the processing of personal data concerning them at any time. A controller must adhere to this objection unless it can demonstrate compelling legitimate grounds for the processing that override the interests of the data subject, or if the processing is necessary within legal proceedings.

A data subject also has a right to obtain a restriction of processing from the controller where it believes the relevant personal data is inaccurate, the processing is unlawful or the controller no longer needs the data for the purposes of the processing. If the latter is the case, the data subject can require the controller to limit the processing to that required in the context of legal proceedings.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER

12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?

Luxembourg

Additional provisions of the GDPR apply where the third party qualifies as a processor (ie, where the third party processes personal data on behalf of the controller without pursuing its own purposes).

The controller must use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing meets the requirements of the GDPR. A written contract to this effect must be entered into between the processor and controller (article 28 GDPR). This contract must include a description of the data processing activities and require the processor, among other things, to:

  • act only on the documented instructions of the controller (including with regard to international transfers of data to a third country);
  • ensure that persons who process the data have committed to confidentiality or are under a statutory duty of confidentiality;
  • implement appropriate security measures in accordance with the GDPR;
  • engage a sub-processor only with the prior authorisation of the controller;
  • assist the controller in carrying out its obligations to respond to requests by data subjects to exercise their rights under the GDPR; and
  • assist the controller in ensuring its compliance with its data security obligations.

Where a processor engages a sub-processor, the contract between them must reflect the same data protection obligations as set out in the contract between the controller and the processor.

These provisions of the GDPR apply to processors within the same corporate group in the same way as to other third-party processors.

Another aspect to consider is the location of the third party. In case it is located outside of the European Economic Area, this entails the applicability of the provisions regarding the international transfer of personal data.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?

Luxembourg

A transfer of personal data to a third-party law firm for the purposes of providing legal advice needs to be analysed in the same way as any other transfer of personal data, and so must be carried out in compliance with the GDPR and the principles relating to the processing of personal data.

This means that sharing personal data with law firms for the purpose of providing legal advice is in principle permitted; however, the controller must ensure that it complies with the general requirements of the GDPR. Particularly relevant here is the data minimisation principle, which requires that no more data is shared than is necessary in relation to the purpose pursued. The data subject must also receive prior information about such processing in accordance with article 13 or 14 GDPR, depending on whether the data is obtained directly from the data subject or not. Moreover, where the law firm resides in a country outside of the European Economic Area, the controller must ensure that the country concerned is covered by an adequacy decision of the European Commission or that the transfer is otherwise protected by appropriate safeguards, such as standard contractual clauses.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?

Luxembourg

While the qualification of a party as either controller or processor depends on the case-by-case analysis of the factual situation, a generally adopted position is that law firms act as independent controllers.

Consequently, the client and the law firm are independently responsible for complying with data protection laws.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

15. What is the position and status of legal process outsourcing firms under data protection laws?

Luxembourg

The qualification of a party as either controller or processor depends on a case-by-case analysis of the factual situation, in particular on whether the party factually (not only contractually) “determines the purposes and means of the processing of personal data” (article 4(7) GDPR).

In general, where the legal process outsourcing firm is regulated as a law firm or requires a similar level of independence, it qualifies in all likelihood as an independent controller.

However, if the legal process outsourcing firm does not process the personal data otherwise than on the instructions of the controller and, in particular, does not pursue its own purposes, such as compliance with a legal obligation, then the legal process outsourcing firm may qualify as a processor.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

Luxembourg

No.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

Luxembourg

The GDPR distinguishes between transfers to other jurisdictions within the EEA and transfers of data to jurisdictions outside the EEA.

Within the EEA

A transfer of personal data from this jurisdiction to a processor or controller in another EEA member state must comply with the same requirements as if the transfer was made within the jurisdiction.

Outside the EEA

Personal data subject to the GDPR cannot be transferred to a country or territory outside the EEA unless that third country or territory provides an adequate level of protection for personal data.

The European Commission has determined that certain non-EEA countries and recipients ensure an adequate level of protection for personal data and so a transfer can be made to such countries in compliance with the rules that provide restrictions on transfers outside the EEA.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the UK as providing adequate protection.

Alternatively, the controller as transferor could ensure an adequate level of protection through:

  • entering into standard contractual clauses (SCC) approved by the European Commission, supplemented, where appropriate, with additional measures to ensure that the level of data protection afforded in the European Union is not undermined; or
  • the adoption of binding corporate rules.

Controllers transferring personal data and looking to rely on standard contractual clauses approved by the European Commission (or another article 46 GDPR international transfer mechanism) must assess on a case-by-case basis whether additional safeguards are needed to remedy any identified deficiency and ensure adequate data protection.

In the absence of other possibilities, and subject to strict interpretation, personal data can be transferred outside of the EEA if one of the following derogations, among others, applies:

  • the data subject has consented to the transfer (as noted above, this consent should be explicit as well as freely given, specific, informed and unambiguous);
  • the transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion of a contract between the controller and a person other than the data subject, which is entered into in the data subject’s interests;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims; or
  • the transfer is necessary to protect the vital interests of the data subject.

Where none of the above derogations is available, a transfer to a third country may take place if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests of the controller (which are not overridden by the interests or rights and freedoms of the data subject), and the controller has assessed all the circumstances surrounding the transfer and has, on the basis of that assessment, provided suitable safeguards with regard to protection of personal data. This ground for processing may only be relied upon where no other legal basis is available. The controller shall inform the supervisory authority of the transfer and, in addition to providing the information referred to in articles 13 and 14 GDPR, shall inform the data subject of the transfer and on the compelling legitimate interests pursued. As such, this derogation is unlikely to be of practical application in the context of an investigation.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?

Luxembourg

Local counsel is not aware of any specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

Luxembourg

The transfer of personal data to regulators and enforcement authorities within the jurisdiction must comply with the GDPR in the same way as any other processing (see question 7). In particular, a legal basis must be established under article 6 GDPR.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

Luxembourg

The transfer of personal data to regulators or enforcement authorities in a country within the EEA is generally permissible. The controller must, however, ensure that it complies with the general requirements under GDPR. In particular, the controller must ensure that the transfer has a lawful basis. Such lawful basis is presumably given where the controller receives an order from the regulator or enforcement authority concerned to transfer the data. The controller must also inform the data subject about the transfer, unless there is a restriction from doing so in accordance with article 23 GDPR.

Transfers of personal data to regulators or enforcement authorities in a country outside the EEA are subject to additional restrictions. In accordance with article 48 GDPR:

[a]ny judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

This means that the controller may in practice only transfer personal data to a regulator or enforcement authority in a foreign country where such transfer is based on a request made through a mutual legal assistance treaty or where the controller ensures that the level of protection afforded in the European Union is not undermined by the transfer. The data transfer restrictions of the GDPR remain otherwise applicable.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

Luxembourg

The recipient of such a request may consider taking the following steps, among others:

  • Consider if there is a legal obligation to respond to the request and, if so, to what extent. This includes reviewing the legality of the request, where appropriate.
  • Consider also whether the recipient is subject to any banking secrecy, insurance secrecy or other professional secrecy obligation that could have an additional impact.
  • Seek further information in writing from the requesting regulator to evaluate the purpose of the request.
  • If possible, challenge the request if there are grounds to do so or negotiate the scope of the request: for example, to target the specific information required for the purposes of the regulatory investigation.
  • In accordance with the principles of data minimisation and anonymisation, limit the scope of any data disclosed and transferred to that necessary for the purpose.
  • Consider whether it is practicable to obtain data subject consent and/or give a further privacy notice.
  • Put in place a data processing agreement if data will be transferred to an affiliate or third party (acting as a processor).
  • Consider transfer via an MLAT: in some cases, it may be possible to ask the requesting court or regulator to seek the data via an MLAT or other international agreement.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

ENFORCEMENT AND SANCTIONS

22. What are the sanctions and penalties for non-compliance with data protection laws?

Luxembourg

The possible sanctions under the GDPR are defined in article 83 GDPR, and may be imposed in Luxembourg by the Luxembourg National Commission for Data Protection (CNPD) in accordance with the Law of 1 August 2018 organising the National Commission for Data Protection and implementing the GDPR.

There is a tiered approach to penalties for breaches of the GDPR. This permits data protection authorities to impose fines for some infringements of up to the higher of 4 per cent of annual worldwide turnover and €20 million (eg, for breach of the requirements relating to cross-border transfers or of the principles for processing, such as the conditions for consent). Other specified infringements attract a fine of up to the higher of 2 per cent of annual worldwide turnover and €10 million.

The GDPR contains a list of points to consider when imposing fines, such as the nature, gravity and duration of the infringement.

A data subject who suffers material or non-material damage as a result of a breach of the GDPR by a controller may bring a civil claim for compensation.

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner

RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

Luxembourg

EU General Data Protection Regulation (2016/679)

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

Law of 1 August 2018 organising the National Commission for Data Protection and the general data protection regime (Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et du régime général sur la protection des données)

http://data.legilux.public.lu/eli/etat/leg/loi/2018/08/01/a686/jo

Answer contributed by Catherine Di Lorenzo, Thomas Berger and Paul Wagner
