Luxembourgish data protection authority updates guidelines on international transfers of personal data
Through these updates, the CNPD aims to provide organisations with practical tools to navigate the complexities of cross-border data processing while reinforcing the core principles of European data protection law.
The Luxembourg National Commission for Data Protection (CNPD) has issued updated guidelines on international transfers of personal data, aiming to offer clearer instructions for companies handling cross-border data flows. The revision clarifies what constitutes a transfer of personal data to a third country outside the European Economic Area (EEA) and reaffirms that such transfers are governed by strict conditions set by the General Data Protection Regulation (GDPR), particularly under Chapter V.
According to the CNPD, personal data can only be transferred to countries that have been formally recognised by the European Commission as offering an adequate level of protection. Countries currently benefiting from this recognition include Andorra, Argentina, Canada (under PIPEDA), Japan, the United Kingdom, and the United States for companies certified under the EU-US Data Privacy Framework. In cases where an adequacy decision is absent, the CNPD stresses the need for appropriate safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), as outlined in Article 46 of the GDPR. The guidelines also explain the limited instances in which derogations under Article 49 GDPR can be used, such as obtaining explicit consent or demonstrating necessity for contractual performance.
The CNPD advises data exporters to adopt a structured approach when managing international transfers. Organisations should first verify whether an adequacy decision applies. If not, they must implement appropriate safeguards and confirm that individuals’ rights and legal remedies are protected in the destination country. If neither adequacy nor safeguards are possible, they may only rely on the narrowly interpreted derogations permitted by law.
Sector-specific considerations have also been integrated into the updated guidelines. Particular attention is given to special cases like journalism, academic research, criminal law, and financial services, where unique legal frameworks may govern data transfers. The CNPD stresses that all international transfers must remain compliant with recent European Court of Justice rulings, notably the Schrems II decision, which tightened the requirements for data transfers to countries without an adequacy decision.
