Image of Catherine Di Lorenzo

Catherine Di Lorenzo

Partner

Catherine specializes in data protection, technology and transactional IP. She is one of the leading Luxembourg lawyers for strategic data protection matters.

She advises clients across a wide range of business sectors (e-commerce, financial (including Fintech), insurance, asset managers, telecommunication, media and industrial sectors) with respect to their digital projects as well as with investigations by Luxembourg regulators. An important part of Catherine’s practice involves helping clients in relation to all areas of data privacy, including incidents such as personal data breaches, international data transfers, marketing and online advertising (i.e. ad tech) and data protection authority investigations. She advises clients on technological developments like the artificial intelligence, internet of things, big data and adtech. Catherine has also extensive experience in assisting clients with their technology transactions, such as digital transformation, IT outsourcing (especially in the heavily regulated financial and insurance sectors), the creation of interactive platforms or joint software development projects. Catherine advises on evolving cyber-related regulations, helps clients respond to incidents, and regularly provides client training on these topics.

Her practice covers both contentious and non-contentious matters, and she has defended clients in cross-border data investigations by data protection authorities, both before the authorities themselves and in court.

Expertise

Experience

Representative matters

  • A global technology company in relation to major GDPR and ePrivacy investigations, both during the investigation and the litigation phase. Catherine acted as strategic advisor to the client during the investigation phase as well as the litigation on front of Luxembourg administrative courts.
  • A global fintech company in relation to an investigation of its compliance with data subject rights. Catherine headed a team composed by members of different EU jurisdictions and involved theAdvanced Delivery Team in Belfast in Perth to ensure that the matter was handled in a timely and cost-efficient manner. 
  • An asset manager on the implementation of a robo-advisor tool for investors, including the drafting of the client-facing documents and the negotiation of agreements with third party software provider.
  • A Fintech company with a cybersecurity incident caused by a defective third-party software.
  • A major bank with the migration of its entire IT infrastructure to the cloud, which included negotiation with the cloud service providers, obtaining authorizations and liaising with the Luxembourg financial sector supervisory authority and drafting of intra-group service agreements. 
  • A European institution on the strategy for protecting its IP rights and the drafting of the contractual arrangements to be implemented in relation to the launch of an artificial intelligence-based, collaborative platform. 
  • A U.S. investment advisor and private credit firm with their data protection compliance in connection with the establishment of several Luxembourg funds, including advice on contractual arrangements with service providers and investors as well as on data transfers. 
  • A major Luxembourg news website with the compliance of their cookie consent framework, including drafting a cookie policy and privacy notice to inform the data subjects about the processing of their personal data through the website and handling of complaints from data subjects. 
  • A virtual asset service provider in the setting up of an e-money institution in Luxembourg to deploy its strategy in Europe and further develop into a proper digital asset services provider. The advice covers banking regulatory, IT outsourcing, cybersecurity and data protection advice. 
  • A global tech company on the compliance of its connected devices (including virtual voice assistants) with data protection and medical devices regulations. 
  • An international provider of IT services in relation to the Digital Operational Resilience Act. 
  • On the negotiation of the transitional service agreement for the migration of IT systems and data in relation to the sale of the Luxembourg affiliate of a German Bank.
  • The Luxembourg affiliate of a German bank in relation to the rules and limitations for transferring data in relation to the Panama Papers to German tax authorities.

Pro bono

  • Assisting Médecins Sans Frontières Luxembourg on their compliance program in relation to the General Data Protection Regulation, including the data mapping, drafting records of processing and providing training to staff.
  • Assisting Autisme Luxembourg in relation to the compliance of their website with data protection and ePrivacy requirements.
  • Assisting Stëmm vun der Strooss, an organization for homeless people in Luxembourg in relation to their compliance with the General Data Protection Regulation.

Published Work

  • Di Lorenzo, C., Ancenys, L.-A., Wolters-Ruckert, N., Wagner, P. (2023) “EU AI Act: Key changes in the recently leaked text”, A&O Tech Talk
  • Di Lorenzo, C., Aubry, B., Mausen, F., Noeltner, P. (2023) "Blockchain 2023 Practice Guide: Luxembourg Chapter", Chambers and Partners
  • Di Lorenzo, C., Berger, T., Wagner, P. (2021) “Data Privacy & Transfer in Investigations (Luxembourg Chapter)”, Global Investigations Review
  • Di Lorenzo, C., (co-author), (2020) “Arguments according to which it would not be mandatory for investment funds to appoint a data protection officer in the sole KYC/AML context”, Revue internationale de la propriété intellectuelle et du droit du numérique (LegiTech) - Pincode
  • Di Lorenzo, C., Wagner, P. (2019) “Cookie consent – how to get it (right)”, Revue internationale de la propriété intellectuelle et du droit du numérique (LegiTech) - Pincode
  • Di Lorenzo, C., (2017) “Employees' rights to use company IT vs employer's rights to monitor such use” in Connexion
  • Di Lorenzo, C., (2017) “Privacy by design and privacy by default – New legal requirements under EU data protection law” in Silicon Magazine
  • Di Lorenzo, C., (co-author), (2014) “ La sous-traitance informatique dans le secteur financier - cadre légal et implications pratiques” in Droit bancaire et financier au Luxembourg
  • Di Lorenzo, C., (co-author), (2013), “Probleme der strafrechtlichen Produkthaftung von Vorstandsmitgliedern einer Aktiengesellschaft für das Zustandekommen eines rechtswidrigen Beschlusses - Haftung für vorsätzliches positives Tun bei Zustimmung, Enthaltung und Gegenstimme” (Europäische Hochschulschriften, (Peter Lang GmbH, Internationaler Verlag der Wissenschaften)
  • Di Lorenzo, C., (2010) “VoIP: une activité réglementée ?” AGEFI
  • “IT outsourcing in Luxembourg: impact of outsourcing in practice” (four-part article, AGEFI, September 2009, October 2009, November 2009 and December 2009) 

Speaking Engagements

  • Speaker, Investigations Bootcamp for GCs, A&O Luxembourg GC Club, February 2024
  • Guest Speaker, Generative AI and the AI Act in Banking, LHoFT – Luxembourg House of Financial Technology, November 2023
  • Guest Speaker, British Chamber of Commerce Leadership Forum on AI, October 2023
  • Guest Speaker, Practical use cases of AI, Le Club des CIO/COO/CDO de TNP Luxembourg, October 2023
  • Guest Speaker, Embracing AI, Fujitsu Luxembourg, June 2023
  • Guest Speaker, An Overview of the International Privacy Landscape: A Comparative Perspective, Berkeley Center for Law & Technology, March 2023
  • Speaker, What’s next for banks: a spotlight on data privacy and governance, A&O panel series, 23/02/2021
  • Speaker, Diversity & Inclusion, A&O Luxembourg GC Club Webinar 30/09/2022
  • Guest Speaker, Remote working: first Inventory from a cross-practice perspective, A&O x AMCHAM Luxembourg webinar, 28/04/2021
  • Guest Speaker, The Internet of Things, A&O University of IP, 12/02/2021
  • Speaker, New EU legislative proposals on digital operational resilience (DORA), A&O webinar, 09/12/2021
  • Guest Speaker, Harnessing AI as it Gets Stronger, Faster, International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2021), 12/10/2021
  • Guest Speaker, Covid-19 outbreak and its impact on the Luxembourg Banking Sector, The Luxembourg Banker’s Association (ABBL), 08/04/2020
  • Guest speaker, Outsourcing - A comparative view of the banking and funds sectors, Ladies in Law Luxembourg Association (LILLA), 13/02/2020
  • Guest Speaker, Big Data – Les défis juridiques, Association des Professionnels de la Société de l'Information (APSI), 19/06/2014
  • Guest Speaker, IT Contracts - What is important and how to avoid pitfalls?, Paperjam Workshop, 17/06/2014
  • Guest Speaker, Recrutement via réseaux sociaux - Quelques aspects légaux, Personnel Officers Group (POG), 02/04/2014
  • Guest Speaker, Bring Your Own Device - Legal Challenges, British Chamber of Commerce for Luxembourg, 04/07/2013
  • Guest Speaker, Luxembourg solutions for the IT sector - 2 examples: cloud and eArchiving, World Hosting Days, 21/03/2013 

Leadership Positions And Professional Affiliations

  • Member of the editorial board, PinCode
  • APDL (Association pour la Protection des Données au Luxembourg)
  • APSI (Association des professionnels de la Société de l'Information)
  • FedISA Luxembourg
  • ITechLaw

Recognition

Catherine Di Lorenzo is a strong practitioner with an excellent track record, especially in IT/outsourcing/data protection.
Legal 500, 2023
Catherine Di Lorenzo ‘is fully committed to her clients and has a deep knowledge of data protection regulation,’ reports one client. She maintains a broad caseload, encompassing GDPR compliance and IT outsourcing, as well as IP litigation and drafting licensing agreements.
Chambers and Partners, 2022

Qualifications

Admissions

Admitted as avocat à la Cour, Luxembourg, 2010
Admitted to the Luxembourg bar under her professional home title, 2006
Admitted as Rechtsanwalt, Germany, 2006

Academic

Doctorate in law, University of Trier, 2013
Second German Law Degree, Oberlandesgericht Koblenz, 2005
First German Law Degree, University of Trier, 2003

Languages

English, French, German
Disclaimer
A&O Shearman was formed on May 1, 2024 by the combination of Shearman & Sterling LLP and Allen & Overy LLP and their respective affiliates (the legacy firms). Any matters referred to above may include matters undertaken by one or more of the legacy firms rather than A&O Shearman.