Please ensure Javascript is enabled for purposes of website accessibility

Expertise

Services

We have the expertise to handle the most demanding transactions. Our commercial understanding and experience of working with leading financial institutions, professional advisers and regulatory bodies means we add real value to clients’ businesses.

Sectors

Our sector approach relies on smart collaboration between teams who have a deep understanding of related businesses and industry dynamics. The specific combination of our highly informed experts helps our clients to see around corners.

Services

We have the expertise to handle the most demanding transactions. Our commercial understanding and experience of working with leading financial institutions, professional advisers and regulatory bodies means we add real value to clients’ businesses.

View all Services

Legal

Corporate and Fiduciary

Consulting

Legal

View all Legal

Banking and Finance

Corporate

Dispute Resolution

Employment law

Intellectual Property

Investment Funds

Listing services

Local Legal Services

Private Wealth

Property law

Regulatory

Relocation Services

Restructuring and Insolvency

Tax

Employment law

Employment law overview

Intellectual Property

Intellectual Property overview

Listing services

Listing services overview

Restructuring and Insolvency

Restructuring and Insolvency overview

Business Services Team

Business Services Team overview

Executive Team

Executive Team overview

German Desk

German Desk overview

French desk

French desk overview

Corporate and Fiduciary

View all Corporate and Fiduciary

Accounting and Financial Reporting Services

Cayman Islands AML/CFT training

Corporate Services

Debt Capital Markets

Fund Services

Governance Services

Investor Services

Ogier Connect

Private Wealth Services

Real Estate Services

Regulatory and Compliance Services

Accounting and Financial Reporting Services

Accounting and Financial Reporting Services overview

Cayman Islands AML/CFT training

Cayman Islands AML/CFT training overview

Corporate Services

Corporate Services overview

Debt Capital Markets

Debt Capital Markets overview

Governance Services

Governance Services overview

Investor Services

Investor Services overview

Ogier Connect

Ogier Connect overview

Private Wealth Services

Private Wealth Services overview

Real Estate Services

Real Estate Services overview

Regulatory and Compliance Services

Regulatory and Compliance Services overview

Ogier Global

Ogier Global overview

Consulting

View all Consulting

Ogier Regulatory Consulting

Sustainable Investment Consulting

Sustainable Investment Consulting overview

Business Services Team

View all Business Services Team

Sectors

Our sector approach relies on smart collaboration between teams who have a deep understanding of related businesses and industry dynamics. The specific combination of our highly informed experts helps our clients to see around corners.

View all Sectors

Aviation and Marine

BVI Law in Europe and Asia

CAYLUX

Energy and Natural Resources

Family Office

Foreign direct investment (FDI)

Funds Hub

Private Equity

Real Estate

Regulatory, Investigations and Enforcement

Restructuring and Insolvency

Sports

Sustainable Investing and ESG

Technology and Web3

Trusts Advisory Group

Aviation and Marine

Aviation and Marine overview

BVI Law in Europe and Asia

BVI Law in Europe and Asia overview

Energy and Natural Resources

Energy and Natural Resources overview

Family Office

Family Office overview

Foreign direct investment (FDI)

Foreign direct investment (FDI) overview

Funds Hub

Funds Hub overview

Private Equity

Private Equity overview

Real Estate

Real Estate overview

Regulatory, Investigations and Enforcement

Regulatory, Investigations and Enforcement overview

Restructuring and Insolvency

Restructuring and Insolvency overview

Sustainable Investing and ESG

Sustainable Investing and ESG overview

Technology and Web3

Technology and Web3 overview

Trusts Advisory Group

Trusts Advisory Group overview

Locations

Ogier provides practical advice on BVI, Cayman Islands, Guernsey, Irish, Jersey and Luxembourg law through our global network of offices across the Asian, Caribbean and European timezones. Ogier is the only firm to advise on this unique combination of laws.

All locations

Beijing

British Virgin Islands

Cayman Islands

Dubai

Guernsey

Hong Kong

Ireland

Jersey

London

Luxembourg - Legal Services

Luxembourg - Corporate and Fund Services

Shanghai

Singapore

Tokyo

News and insights

Keep up to date with industry insights, analysis and reviews. Find out about the work of our expert teams and subscribe to receive our newsletters straight to your inbox.

Fresh thinking, sharper opinion.

All news and insights

Brochures

Cases

Deals

Events

Guides and factsheets

Insights

News

Newsletters

Podcasts

Videos

About us

We get straight to the point, managing complexity to get to the essentials. Our global network of offices covers every time zone. 

About us

Corporate social responsibility (CSR)

Diversity, equity and inclusion

Information security

Innovation

Sustainability

No Content Set
Exception:
Website.Models.ViewModels.Components.General.Banners.BannerComponentVm

Activities requiring Data Protection Impact Assessment under Luxembourg law

Insight

22 March 2019

Luxembourg - Legal Services

ON THIS PAGE
Headshot of Anne-Gaëlle Delabye

Anne-Gaëlle Delabye

Team: Bertrand Géradin

ON THIS PAGE

RELATED

Corporate

GDPR

Legal

Save as PDF

The Luxembourg National Data Protection Commission (Commission nationale pour la protection des données, CNPD) has published a list of processing operations which require a mandatory data protection impact assessment in accordance with article 35 of the General Data Protection Regulation (GDPR).

What is a data protection impact assessment (DPIA)?

A DPIA represents a meaningful analysis of the impact of data processing on the data subjects concerned (processing which is required to be respectful of the privacy of such data subjects, in consonance with the fundamental principles of the GDPR).

What does a list of processing operations contain?

The list put forward by the CNPD does not consist of a comprehensive list of processing operations outside of which a DPIA would not be necessary – it is limited to those operations for which a data controller will necessarily need to perform a DPIA. The requirement for a DPIA in relation to operations not featured on the list will have to be assessed in accordance with the criteria of article 35, GDPR and the Guidelines on Data Protection Impact Assessment (WP248), issued by the Article 29 Working Party.

Certain operations in respect of which a DPIA is mandatory:

  • (subject to a limited exemption for health professionals providing certain services) involving the processing of genetic data (article 4 (13), GDPR);
  • involving the processing of biometric data (article 4 (14), GDPR) for the purpose of identifying data subjects;
  • involving the combination, matching or comparison of personal data collected from processing operations with different purposes (from the same or different controllers) – that produce legal effects / have a significant impact on the data subject;
  • that consist of or include regular and systematic control of the activities of employees – that produce legal effects / have a significant impact on employees;
  • certain operations for historical research / scientific or statistical purposes; and
  • that consist of the systematic tracking of the geographic location of data subjects.

Certain of these operations also need to fulfil the criteria laid down in the guidelines issued by the European Data Protection Board.

The CNPD has also emphasised the obligations on the controller to: (i) perform the DPIA prior to any such processing being undertaken, and (ii) consult with the CNPD prior to processing which could result in a high risk to data subjects (in the absence of measures taken by the controller to mitigate the risk).

Non-compliance

Under the GDPR, non-compliance with GDPR requirements could lead to fines imposed of up to 20million (EUR) or 4% of a group's worldwide turnover, whichever is greater. However for DPIAs this is in a lower category of up to 10million (EUR) or 2% of a group's worldwide turnover, whichever is greater. It is therefore important to comply with the requirements of the new legislation.

Actions we can help you with in the coming weeks:

  1. help you to determine whether or not a DPIA should be undertaken;
     
  2. assist you in a review of processing activities that you may currently be undertaking or are contemplating undertaking, and help verify whether any of those might qualify for a mandatory DPIA;
     
  3. if areas of potential high risk are identified, recommend steps to mitigate that risk and consult with the CNPD.

Contact us

Our dedicated GDPR team would be happy to assist you on all aspects of DPIAs (including providing DPIA templates) and the GDPR in general, so please do speak to your usual contact at Ogier for assistance.

For additional information, please contact Ogier in Luxembourg.

 

Key contacts

About Ogier

Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.

Disclaimer

This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.

Regulatory information can be found under Legal Notice

No Content Set
Exception:
Website.Models.ViewModels.Blocks.SiteBlocks.CookiePolicySiteBlockVm