LUXEMBOURG Law and Practice Contributed by: Andreas Heinzmann, Valerio Scollo and Angela Permunian, GSK Stockmann
on their platforms in relation to AML obligations if the activities are within the scope of the AML Law. In addition, gatekeeper liability may come into question if the fintech entity is involved in a transaction that falls under the scope of Directive (EU) 2018/822 on mandatory automatic exchange of information (DAC 6) as a reportable cross-border transaction.

2.10 Significant Enforcement Actions

The CSSF as the supervisory authority has broad powers to impose sanctions on entities subject to its supervision. For example, in the area of anti-money laundering and counter terrorist financing (AML/CFT) supervision, the CSSF has the authority to issue warnings, reprimands, administrative fines and professional disqualification, and these sanctions may be made public.

With regard to administrative fines, the CSSF has recently imposed a fine of EUR3 million on a Luxembourg bank due to non-compliance with the applicable AML/CFT legislation. The amount of the fine is proportional to the turnover of the bank.

In addition to imposing administrative fines, the CSSF may also report cases to the prosecutor’s office regarding investment firms which claim to be established in Luxembourg and offer investment services without authorisation.

Otherwise, fintech companies may be subject to enforcement actions by the CNDP for non-compliance with the applicable data-protection rules.

2.11 Implications of Additional, Non-Financial Services Regulations

Data Protection and Privacy

The GDPR together with the Luxembourg Law of 1 August 2018 regulate the processing of personal data, and such rules apply regardless of the industry sector or whether the relevant entity is a legacy player or a newly established start-up. In addition to the general rules governing the processing of personal data, the rules relating to privacy by design and privacy by default as well as automated decision-making and profiling may be relevant for fintech companies.

Cybersecurity

Management of risks relating to information and communication technologies (ICT) is an essential part of the necessary risk management by financial institutions. The CSSF has recently implemented the guidelines adopted by the EBA on ICT and security risk management, which need to be complied with by all entities authorised under the Financial Sector Law and the Payment Services Law.

In addition, specific requirements apply to entities considered operators of essential services in accordance with Directive (EU) 2016/1148, as transposed into national legislation by the Law of 28 May 2019. Certain entities of the financial sector, such as banks, may need to take specific measures to manage security risks in case their services are judged by the CSSF.

Following the adoption of DORA, all entities in scope must ensure that they can withstand ICT-related disruptions and threats. In particular, fintechs may need to adhere to strict standards to prevent and limit the impact of ICT-related incidents. DORA also provides an oversight framework on service providers (such as Big Techs)
508 CHAMBERS.COM