Data protection & privacy

Demonstrating commitment to protecting personal data builds trust, enhances reputation and boosts competitiveness. Adhering to high personal data protection standards increases data quality and operational efficiency, and sound data and vendor management and security measures reduce the risks of data breaches and fines. If breaches do occur, rapid remediation reduces the risk of reputational damage, sanctions or other negative consequences.

We have one of the biggest teams of advisory and litigation lawyers specialising in data protection and privacy law in Luxembourg.

Our clients

We offer advice on data protection and privacy to national and international clients in a wide range of sectors such as banking and finance, insurance, fintech, asset management and investment funds, online platforms, technology, media and telecommunications, e-commerce, retail, healthcare, the legal profession, consulting, food and beverage industry, automotive, real estate, mining and more.

Our services

Our team of dedicated experts advises on all aspects of data protection and privacy, including:

  • Fully-fledged GDPR compliance programmes and gap analysis, including assessment of the roles of related parties such as independent controllers, joint controllers and processors)
  • Surveillance tool implementation programmes (access badges, CCTV, geolocation, etc.)
  • Background check practices/vetting policies and employee monitoring
  • Data breach management and notifications (including for regulated entities)
  • Assistance for dealing with data subjects exercising their rights under the GDPR, in particular the right of access (responses to employees’ request to access information) and the right to be forgotten
  • Handling complaints and responses to the relevant supervisory authority, in particular the Luxembourg Data Protection Commission (CNPD)
  • Mandatory or voluntary appointment of a data protection officer (DPO)
  • Direct marketing (unsolicited marketing communications)
  • Form of consent for minors
  • Internal/external audit missions, forensics investigations, discovery procedures and requests from law enforcement agencies to receive information
  • Ongoing or regular assistance and training
  • Data protection and privacy aspects of M&A, financing and private equity transactions: due diligence reports, transaction documents review
  • Drafting, reviewing, negotiating and advising on any documentation related to these topics, such as:
    • record of processing activities
    • internal policies and procedures (including data retention policy and internal data breach notification procedure)
    • privacy notices and cookie policies
    • joint controllership arrangements
    • processors’ audit forms
    • data processing agreements (including in the context of international transfers)
    • data protection impact assessments (DPIAs)
    • standard contractual clauses for transfers (SCCs) and transfer impact assessments (TIAs)
    • filings (official appointment of DPO, representative in the EU, lead supervisory authority)

Our team also offers assistance for data protection and privacy-related dispute resolution and litigation.

What others say about us

The firm provides an excellent pragmatic approach combined with a high level of expertise.

Legal 500 2022

IP & IT Luxembourg

The main quality I appreciate is engagement. The team thinks through the problem or question and proactively comes back asking for more information, in order to understand the bigger picture. The second point is that feedback is explanatory, allowing me to understand the legal position/advice, as well as to act independently, having understood potential pitfalls.

Legal 500 2021

IP & IT Luxembourg

The firm is my first point of contact when I have Luxembourg IT questions. The lawyers are knowledgeable and responsive.

Legal 500 2020

IP & IT Luxembourg