Nearly three months after the first LuxLeaks report was published for Luxembourg, companies are still leaving themselves vulnerable to data breaches, suggest two Allen & Overy Senior Associates.


Gilles Dall’Agnol, Senior Associate in Employment Law, has closely observed how companies reacted to the two reports, which revealed tax agreements with international companies made by Big Four firms in Luxembourg.

“I think that LuxLeaks, for all its negative consequences, has had the effect of increasing awareness about the topic of data security,” he said.

As a result of the scandal, he says he expects to see the role of information security officers strengthened, along with the introduction of specific policies and mechanisms, such as whistleblowing structures. Meanwhile, he says companies will be more reluctant to outsource data security responsibilities.

However, Catherine Di Lorenzo, Allen & Overy Senior Associate in IP/IT and data protection law, said that many companies are failing to address a key question when securing tangible evidence of a data breach: are they authorised to monitor or screen employees’ emails?

“With respect to such screening, probably the most important part you have to know is that screening qualifies as employee monitoring which is only permissible if certain data protection rules have been complied with,” Ms Di Lorenzo explained, adding: “The data protection steps cannot be retroactively applied, which means if you’ve a suspicion to do with an email in which client data might have been sent, as you did not comply with data protection rules, the employer cannot simply go and screen the employee’s account.”

A company carrying out monitoring while having failed to comply with these rules exposes itself and its managers to criminal liability. In addition, evidence collected in this way is likely to be considered inadmissible in court.

In other words, a dismissal based solely on evidence collected in this way is likely to be ruled abusive.

“If a company has not complied with the data protection rules, it should not even be carrying out a screening as this would itself qualify as a criminal offence. If the company does the screening anyway and finds something, it will most likely not be able to use it.

“It’s a disaster if you find yourself in such a situation,” Ms Di Lorenzo said, adding: “Compliance with data protection rules costs just one or two days’ work. But it is simply an element of corporate housekeeping everybody has neglected for a long time.”

Mr Dall’Agnol adds that in many such cases, companies have no choice but to file a criminal complaint, without carrying out screening or imposing employment law sanctions, and leave it to the prosecutor to find the evidence.


SurveilStar is employee monitoring and parental control software that can help monitor computer activities and protect data security. It can also block file uploads and sharing to prevent data leakage. Its features include:

  • View Real-time Screen Snapshot
  • Monitor Skype or Other Chat/IM Activity
  • Record Emails
  • Track web browsing history
  • Block access to any website
  • Remote PC Maintenance
  • Program Activity


If you would like to record and control all of your children’s or employees’ activities on a work PC, SurveilStar Monitoring would be your best choice.

A 30-day free trial version of this professional computer monitoring and tracking software is available. Feel free to download it and see what your employees and children have done on their PCs.