Intra-group sharing: CNIL accepts legitimate interest, CNPD treats it as a transfer

In Luxembourg in 2026, legitimate interest may ground intra-group administrative sharing, but the CNPD qualifies it as a transfer between controllers, requiring strong transparency and, outside the EEA, a Chapter V mechanism.

Anchored fact: in November 2024, the EDPB issued guidelines on GDPR Article 6(1)(f) (legitimate interest). Key 2026 divergence: CNIL considers legitimate interest relevant for “internal administrative purposes” within a group, while the CNPD treats intra‑group sharing as a transfer between distinct controllers, subject to transparency and, where applicable, Chapter V. Bottom line: intra‑group sharing cannot just tick “legitimate interest”.

The case

  • On 20 November 2024, the EDPB released for consultation its Guidelines 1/2024 on processing based on Article 6(1)(f) GDPR (legitimate interest), structuring the three‑step test and stressing strict necessity and balancing, notably for data re‑use and sharing. See EDPB, Guidelines 1/2024.
  • French position: CNIL explicitly illustrates that legitimate interest may ground processing “of customers or employees within a corporate group for internal administrative purposes.” Reference: CNIL’s “Legitimate interest” page (2026). CNIL.
  • Luxembourg position: the CNPD recalls that “entities within the same corporate group may be considered distinct controllers or processors and disclosures of data between those entities could be considered transfers of personal data.” In other words: intra‑group sharing is a disclosure to another controller and, outside the EEA, a transfer under Chapter V. CNPD — Notion of transfer to a third country.

This juxtaposition of the EDPB (demanding framework), CNIL (openness for internal administration) and the CNPD (transfer qualification between group entities) leaves groups established or active in Luxembourg with a narrow operational path to follow.

Legal reasoning

  • Legal basis at stake: Article 6(1)(f) GDPR, legitimate interest. It requires: 1) a legitimate interest of the controller or a third party, 2) strict necessity of the processing to achieve that interest, 3) a balancing test where data subjects’ interests or fundamental rights do not prevail. See GDPR Art. 6(1)(f) on EUR‑Lex and EDPB Guidelines 1/2024. EDPB 1/2024.
  • EDPB reading (2024): legitimate interest is neither residual nor a “catch‑all”; necessity must be demonstrated against a precise purpose (not group “convenience”). Re‑use and sharing must align with reasonable expectations and be clearly disclosed (Arts. 13‑14) with mitigating measures where needed (minimisation, pseudonymisation, opt‑out, etc.). EDPB 1/2024.
  • CNIL reading: among common Art. 6(1)(f) cases, CNIL cites operations “within a corporate group for internal administrative purposes,” e.g., centralising support functions. This openness is not a blank cheque: it requires a genuine balancing test, safeguards (need‑to‑know access, short retention, logging) and fair information. CNIL.
  • CNPD reading (transfer qualification): entities in a group are, in principle, distinct controllers; disclosures between them are communications to another controller. If the recipient is outside the EEA, Arts. 44‑49 apply (adequacy, SCCs/BCRs/DPF, as applicable). Practically: map flows, adapt notices (recipients/categories), and ensure a Chapter V tool outside the EEA. CNPD — Notion of transfer.

What this changes in practice

Basic HR centralisation

  • In France: “legitimate interest — internal administration” may work if necessity is demonstrated and safeguards are strong (need‑to‑know access, minimisation, limited retention). CNIL.
  • In Luxembourg: the same flow is sharing to another controller; you must reflect it in notices (recipients/categories), record it distinctly (Art. 30), document the three‑step test (EDPB 1/2024), and, if the hub is outside the EEA, apply a Chapter V tool (SCCs, BCRs, adequacy/DPF). CNPD; EDPB 1/2024.

Group CRM sharing for cross‑selling

  • Direct B2C marketing under legitimate interest is high‑risk; EDPB 1/2024 requires heightened vigilance and alignment with reasonable expectations. With profiling/targeting, consent (Art. 6(1)(a)) is often needed — at minimum, provide an effective right to object. EDPB 1/2024.

Anti‑fraud/compliance (KYC/AML) sharing

  • Possible under 6(1)(f) if strictly necessary and proportionate, with logging and segregation. Depending on locations, prepare SCCs/BCRs; being “in the same group” does not waive transfer mechanisms. CNPD — Notion of transfer.

Common pitfalls

  1. Equating “group = same controller”. Incorrect: group entities are distinct controllers/processors; sharing is a disclosure, potentially a Chapter V transfer. CNPD.
  2. Ticking “legitimate interest” without a documented test. EDPB 1/2024 requires demonstrating the interest, strict necessity and balancing, with concrete mitigations (pseudonymisation, access limits, effective opt‑out). EDPB.
  3. Failing to inform data subjects (Arts. 13‑14) about intra‑group recipients/categories and third countries. Naming “Group XYZ” alone can be too generic; specify categories and, outside the EEA, the mechanisms used. EDPB 1/2024.
  4. Re‑using customer data for cross‑selling “because it’s the same group”. CNIL accepts LI for internal administration; for marketing, LI is risky and consent is often required, with an effective right to object. CNIL.
  5. Overlooking Chapter V when a consolidation entity, service centre or intra‑group provider is outside the EEA. BCRs, SCCs or adequacy/DPF remain indispensable if the destination is a third country. CNPD.

Official sources

  • EDPB — Guidelines 1/2024 on processing based on Article 6(1)(f) GDPR: edpb.europa.eu
  • CNIL — Legal basis “Legitimate interest”: cnil.fr
  • CNPD (Luxembourg) — Notion of transfer to a third country: cnpd.public.lu
  • GDPR — Consolidated text (Arts. 6(1)(f), 13‑14, 30, 44‑49) on EUR‑Lex: eur-lex.europa.eu
  • Context on “controller/processor/joint controllership” — EDPB guidelines: cnpd.public.lu

Operational takeaway

In Luxembourg as of May 2026, intra‑group sharing based on legitimate interest remains possible for internal administrative purposes, but you must follow the EDPB grid (necessity/balancing), ensure full transparency, and — often overlooked — treat it as a transfer between distinct controllers with a Chapter V mechanism outside the EEA. A robust Art. 30 record, precise notices and a defendable 6(1)(f) test are the foundations for CNPD audits. To structure this, consider engaging a certified DPO mandate and framing your GDPR compliance in Luxembourg.

Luxgap regulatory expertise article.
