Your questions

Protection of personal data

I bought products online from a company based in Luxembourg. This company transmits my purchase history to one of its subsidiaries in the United Kingdom for the purpose of its stock management. Is the Luxembourg company authorised to transfer my personal data to its UK subsidiary after the United Kingdom’s withdrawal?

In the absence of a Withdrawal Agreement, the European regulation will cease to apply in the United Kingdom after the United Kingdom’s withdrawal. This means that the United Kingdom will be considered a third country within the meaning of the General Data Protection Regulation.

In relation to the Luxembourg company, the rights to which the data subject is entitled under the General Data Protection Regulation, including the right to information, are maintained. Anyone who decides to process a data subject’s personal data is obliged to inform the data subject of:

  • their identity;
  • the purpose of collecting data and whether the provision of the data is mandatory or optional;
  • the recipients of the data;
  • the rights granted to the data subject under the General Data Protection Regulation;
  • any transfers of data to a country outside the European Union.

The controller must provide these elements in plain and clear language when personal data are collected or, at the latest, within one month following the data collection, if the data are not collected directly from the data subject.

The Luxembourg company must therefore inform the data subject of the transfer of his/her personal data to its UK subsidiary and of the legal basis on which the transfer is based.

Finally, subject to compliance with the general principles of the General Data Protection Regulation, including the right to information, the Luxembourg company, in order to transfer personal data to its UK subsidiary lawfully and in the absence of a formal adequacy decision by the European Commission, must base the transfers on one of the legal mechanisms provided for by the General Data Protection Regulation. For example, the Luxembourg company may use standard data protection clauses. These are model contracts for the transfer of personal data adopted by the European Commission. The use of such clauses offers an appropriate level of protection for the data subject’s personal data for such a transfer, as the UK subsidiary of the Luxembourg company running the website will have to respect the data protection obligations contained in these clauses.

I bought products online from a company established in the United Kingdom. Will I have the same rights as currently under the General Data Protection Regulation after the United Kingdom’s withdrawal?

In the absence of a Withdrawal Agreement, the current European regulation will cease to apply in the United Kingdom after the United Kingdom’s withdrawal. This means that the United Kingdom will be considered a third country within the meaning of the General Data Protection Regulation. The national legislation of the United Kingdom will, in principle, become applicable.

In addition, the UK data protection authority has clarified that the UK Government intends to adopt a law similar to the General Data Protection Regulation, in the event of a “no deal” Brexit.

The data subject will also be able to lodge a complaint with the National Commission for Data Protection (CNPD) in the event of a dispute with the controller, which the CNPD will then forward to its British counterparts.

If necessary, the CNPD could be competent in this case on the basis of an indirect application of the General Data Protection Regulation.

I am employed in Luxembourg and regularly travel to the UK for professional reasons. In this context, my Luxembourg employer systematically sends my personal data (name, first name, telephone number, etc.) to an entity based in the United Kingdom, which is responsible for managing my work-related journeys. Will my employer have the right to continue to transfer my data after the United Kingdom’s withdrawal?

In the absence of a Withdrawal Agreement, the European regulation will cease to apply in the United Kingdom after the United Kingdom’s withdrawal. This means that the United Kingdom will be considered a third country within the meaning of the General Data Protection Regulation.

The rights to which the data subject is entitled under the General Data Protection Regulation, including the right to information, continue to apply with respect to his/her Luxembourg employer. Anyone who decides to process a data subject’s personal data is obliged to inform the data subject of:

  • their identity;
  • the purpose of collecting data and whether the provision of the data is mandatory or optional;
  • the recipients of the data;
  • the rights granted to the data subject under the General Data Protection Regulation;
  • any transfers of data to a country outside the European Union.

The controller must provide these elements in plain and clear language when personal data are collected or, at the latest, within one month following the data collection, if the data are not collected directly from the data subject.

The Luxembourg employer must therefore inform the data subject of the transfer of his/her personal data to the entity established in the United Kingdom and of the legal basis on which the transfer is based.

As such, subject to compliance with the general principles of the General Data Protection Regulation, including the right to information, the Luxembourg employer, in order to transfer personal data to its UK entity lawfully and in the absence of a formal adequacy decision by the European Commission, must base the transfer on one of the legal mechanisms provided for by the General Data Protection Regulation. For example, the Luxembourg employer may use standard data protection clauses. These are model contracts for the transfer of personal data adopted by the European Commission. The use of such clauses offers an appropriate level of protection for the data subject’s personal data for such a transfer, as the UK entity in charge of managing the data subject’s business travel will have to respect the data protection obligations contained in these clauses.

However, should occasional business trips be carried out in the framework of a work contract, the transfer may take place on a different legal basis, i.e. on the basis of one of the derogations provided for by the applicable legislation in force (for example, if the data subject’s employer can justify that this transfer is necessary to fulfill the obligations of said work contract). This does not, however, exempt the employer from providing the data subject with the information referred to above.

I am a natural person holding shares in a Luxembourg investment fund. The financial institution which set up the investment fund is established in the UK and wishes to receive my personal data for statistical purposes. Is the Luxembourg investment fund authorised to transfer my personal data to the UK financial institution after the United Kingdom’s withdrawal?

In the absence of a Withdrawal Agreement, the European regulation will cease to apply in the United Kingdom after the United Kingdom’s withdrawal. This means that the United Kingdom will be considered a third country within the meaning of the General Data Protection Regulation after it leaves the EU.

In relation to the Luxembourg investment fund, the rights to which the data subject is entitled under the General Data Protection Regulation, including the right to information, are maintained. Anyone who decides to process a data subject’s personal data is obliged to inform the data subject of:

  • their identity;
  • the purpose of collecting data and whether the provision of the data is mandatory or optional;
  • the recipients of the data;
  • the rights granted to the data subject under the General Data Protection Regulation;
  • any transfers of data to a country outside the European Union.

The controller must provide these elements in plain and clear language when personal data are collected or, at the latest, within one month following the data collection, if the data are not collected directly from the data subject.

The Luxembourg investment fund must therefore inform the data subject of the transfer of his/her personal data to the financial institution established in the UK and of the legal basis on which the transfer is based.

Finally, subject to compliance with the general principles of the General Data Protection Regulation, including the right to information, the Luxembourg investment fund, in order to transfer personal data to the UK financial institution lawfully and in the absence of a formal adequacy decision by the European Commission, must base the transfers on one of the mechanisms provided for by the General Data Protection Regulation. For example, the Luxembourg investment fund may use standard data protection clauses. These are model contracts for the transfer of personal data adopted by the European Commission. The use of such clauses offers an appropriate level of protection for the data subject’s personal data for such a transfer, as the UK financial institution will have to respect the data protection obligations contained in these clauses.
