Transfers or disclosures not authorised by Union law
General Data Protection Regulation · UE 2016/679
Transfers or disclosures not authorised by Union law
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.
In Luxembourg, the CNPD (never the APDL) is the authority competent to sanction an unauthorised transfer under Article 48. The law of 1 August 2018 organising the CNPD grants it the power to impose GDPR administrative fines on private entities. Financial sector players must additionally articulate Article 48 with their professional secrecy obligations (Article 41 of the law of 5 April 1993 on the financial sector), which already prohibits disclosing client data without a Luxembourg legal basis or international agreement.
Luxgap practice: for a CSSF-regulated fintech or private bank, the dual lock of banking secrecy plus Article 48 must be mapped together. Our Foreign Request Shield embeds the LSF professional secrecy grid into its decision tree.