Data protection to the rescue of the beneficial owner

(Translated by DeepL)

The RGPD also protects the banking data of legal entities when the beneficial owner objects to the transfer of the data to the Department of Justice (judgment no. 141/23-II-CIV of 6 December 2023 of the Luxembourg Superior Court of Justice).

A person holds bank accounts with the Luxembourg branch of a Swiss bank. He is also the beneficial owner of a company which has two bank accounts with this branch. Another company, of which the customer’s ex-wife and son are beneficial owners, also holds an account with this branch.

The Swiss bank is the subject of criminal proceedings in the United States for complicity in tax fraud. For this reason, it informed its client that it was obliged to provide the Department of Justice (DoJ) with information about his account and those of the two companies.

The client brought an action before the competent Luxembourg court seeking an injunction prohibiting the Swiss bank from transferring his account details and those of his companies to the DoJ pursuant to the GDPR. The court granted the request in full for the personal account, but only with regard to his capacity as beneficial owner for the company accounts. The banking data of legal entities would not benefit from any protection under the RGPD.

The customer challenged the decision before the Superior Court of Justice (Luxembourg’s highest court). In particular, he argued that the RGPD protects all information relating to company accounts. The bank retorts that the beneficial owner has no rights in relation to accounts opened by companies, since the RGPD only protects natural persons, not legal entities.

Before examining the issue of data protection for legal entities, the Court pointed out that Article 4(1) GDPR defines personal data as any information relating to an identified or identifiable natural person. That concept is to be interpreted broadly (see CJEU, C-582/14) and also includes pseudonymised data (see recital 26 RGPD).

In the present case, the Swiss bank intends to transmit to the DoJ data similar to those resulting from lists II.D.2 drawn up by the DoJ under the Swiss Banks Program. The bank admits that this is pseudonymised data which ultimately enables the person to be identified in the context of a request for mutual legal assistance. It is therefore personal data protected by the RGPD.

As regards the protection of the data of legal entities, the Court points out that they are not protected by the RGPD. That said, data relating to a legal person may constitute the personal data of a natural person. For such data to be considered personal data, it is sufficient for it to directly or indirectly identify the natural person.

In this case, the customer is the beneficial owner of the first company, which holds accounts with the bank. The information relating to these accounts is likely to identify the beneficial owner. It therefore constitutes the beneficial owner’s personal data. The same applies to data relating to the company whose son and ex-wife are beneficial owners. Identifying these two people as beneficial owners makes it possible to identify the customer.

The Court therefore prohibited the Swiss bank from transferring the bank data to the DoJ, including all data relating to the companies’ bank accounts. In contrast to the previous instance, the Court made no distinction between the personal account, those of the company of which the client is the beneficial owner and those of the company of which his son and ex-wife are the beneficial owners.

In a ruling handed down in 2018, the Federal Court also examined the issue of the transfer of pseudonymised bank data to the DoJ. It also held that the data contained in list II.D.2 constitutes pseudonymised data protected by the DPA (see Hirsch Célian/Jacot-Guillarmod Emilie. Les données bancaires pseudonymisées : du secret bancaire à la protection des données, RSDA 2020, p. 151-167).

The Luxembourg judgment seems to us to be important with regard to data protection for legal persons. Indeed, the DPA and the GDPR only protect the data of natural persons (unlike the aLPD, which also protected the data of legal persons). However, company data also concerns natural persons, in particular the beneficial owner. According to the judgment commented on here, the beneficial owner may therefore invoke the RGPD (or the LPD) in order to protect the data of the legal entity. The company’s data concerns him when he is identifiable.

Such protection of the data of legal entities is justified in this case. The purpose of transferring bank data to the DoJ is to identify the natural person, not just the companies holding the account. It was therefore in casu consistent with the purpose of data protection to apply the GDPR to block the transfer of information relating to bank accounts belonging to companies. That said, such protection cannot necessarily be applied across the board. Firstly, the beneficial owner is not always identifiable by the recipient of the data, depending on the data transmitted (registers of beneficial owners are no longer public, see Hirsch, cdbf.ch/1259/). The beneficial owner could not therefore invoke data protection. Secondly, a beneficial owner who invokes the DPA in favour of the company could commit an abuse of rights (Art. 2 para. 2 CC) if he does not ultimately seek to protect his data, even if the information relating to the company may constitute personal data.