Search

Since the entry into force of the GDPR on 25 May 2018, new transfer mechanisms are available to controllers or processors, who intend to transfer personal data to a third country with no adequate level of protection. These are: approved

Data exporters can use a series of appropriate safeguards enabling transfers to countries not offering an adequate level of protection. One of these safeguards is the possibility for controllers to offer adequate protection through a contract, which is binding for

International data transfers Any transfer of personal data, which are undergoing processing or which will be processed after the transfer, to a

Derogations under Article 49 are exemptions from the general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced

Transfers from a Luxembourg public authority or body to another public authority or body in a third country (i.e. outside the European Economic Area) may take place: with a legally binding and enforceable instrument between public authorities or bodies

Binding Corporate Rules ("BCRs") help ensure an adequate level of protection for data exchanged within a group of companies located both inside and outside the European Economic Area, and are ideal for a multinational group of companies

EU data protection rules apply to the European Economic Area and personal data may therefore be transferred freely between these countries, provided that the processing complies with the general principles of the GDPR (e.g. lawfulness of processing,  compatibility

When a country outside the EEA is not recognised by the European Commission as offering an adequate level of protection, there are several options that can be used to transfer personal data to these countries. The CNPD recommends, as its

Transfers of personal data may take place between different countries in the context of international cooperation in the field of Police and Justice, in accordance with existing international agreements or treaties. Cross-national supervisory authorities (e.g. Europol, Eurojust) apply

The CNPD shall have investigative powers, corrective powers, authorisation and advisory powers. Investigative powers The CNPD shall have all of the following investigative powers: to order the controller and the processor, and, where applicable, the controller's or the

The CNPD is present in the three Joint Supervisory Authorities (JSAs): "Schengen", "Europol" and "Customs".

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you if the legal basis for processing is: the pursuit of the legitimate interests of the controller

Who processes my personal data? Why and how is it processed? Companies or administrations must give you these elements in clear and plain language at the same time as the collection of your data or, at the latest, within one

Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate

The National Data Protection Commission (CNPD) will process your personal data in order to fulfil the tasks assigned to it by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection