Through the law of 27 February 2018 implementing the EU regulation (UE) 2015/751 on interchange commissions for card based payments, which amends various laws relating to the financial sector (and was published in the Luxembourg official gazette on March 1st 2018), the Luxembourg parliament has now relaxed the rules on professional secrecy for banks, investment firms, other regulated professionals of the financial sector, payment institutions, electronic money institutions and insurance undertakings (together the « financial institutions ») to facilitate outsourcing arrangements.
Until now there was some uncertainty around the possibility to rely on a client’s consent for the transfer of client data to third parties, since the professional secrecy rules incumbent upon financial institutions were considered by courts to be public policy provisions, i.e. provisions to which contractual derogations are not allowed.
The new law provides that clients of financial institutions may consent to the transfer of their data by such financial institutions to an outsourcee.
Consent can be explicit or implied based on the information provisions agreed among parties.
Many financial institutions have agreed on general terms and conditions with their clients which provide that amendments may be made thereto by merely giving notice to the client and that they will become effective within a certain period of time failing an objection by the client. Such financial institutions can now rely on this implied consent provision to amend their general terms and conditions and provide for a right to outsource certain functions to a third party outsourcee who will have access to confidential client data.
It seems that the wording of the law even allows for other methods to obtain an implied consent from clients.
The consent needs to be informed in the sense that clients must be informed on (i) the type of data that will be accessible by or transferred to the outsourcee, and (ii) the country where the outsourcee is based.
The outsourcee must be bound by legal professional secrecy duties or by contractual confidentiality duties.
Data protection, governance and data integrity rules are not affected by the above changes.
Finally, the new law broadens also the possibilities to exchange client data among financial institutions.