Catherine Di Lorenzo


Catherine specializes in data protection, technology and transactional IP. She is one of the leading Luxembourg lawyers for strategic data protection matters.

She advises clients across a wide range of business sectors (e-commerce, financial (including Fintech), insurance, asset managers, telecommunication, media and industrial sectors) with respect to their digital projects as well as with investigations by Luxembourg regulators. An important part of Catherine’s practice involves helping clients in relation to all areas of data privacy, including incidents such as personal data breaches, international data transfers, marketing and online advertising (i.e. ad tech) and data protection authority investigations. She advises clients on technological developments such as artificial intelligence, the internet of things, big data and adtech. Catherine also has extensive experience in assisting clients with their technology transactions, such as digital transformation, IT outsourcing (especially in the heavily regulated financial and insurance sectors), the creation of interactive platforms or joint software development projects. Catherine advises on evolving cyber-related regulations, helps clients respond to incidents, and regularly provides client training on these topics.

Her practice covers both contentious and non-contentious matters, and she has defended clients in cross-border data investigations by data protection authorities, both before the authorities themselves and in court.


Representative matters

A global technology company in relation to major GDPR and ePrivacy investigations, both during the investigation and the litigation phase. Catherine acted as strategic advisor to the client during the investigation phase as well as the litigation in front of the Luxembourg administrative courts.

A global fintech company in relation to an investigation of its compliance with data subject rights. Catherine headed a team composed of members from different EU jurisdictions and involved the Advanced Delivery Team in Belfast in Perth to ensure that the matter was handled in a timely and cost-efficient manner.

An asset manager on the implementation of a robo-advisor tool for investors, including the drafting of the client-facing documents and the negotiation of agreements with a third-party software provider.

A Fintech company with a cybersecurity incident caused by defective third-party software.

A major bank with the migration of its entire IT infrastructure to the cloud, which included negotiation with the cloud service providers, obtaining authorizations and liaising with the Luxembourg financial sector supervisory authority and drafting of intra-group service agreements. 

A European institution on the strategy for protecting its IP rights and the drafting of the contractual arrangements to be implemented in relation to the launch of an artificial intelligence-based, collaborative platform. 

A U.S. investment advisor and private credit firm with their data protection compliance in connection with the establishment of several Luxembourg funds, including advice on contractual arrangements with service providers and investors as well as on data transfers. 

A major Luxembourg news website with the compliance of their cookie consent framework, including drafting a cookie policy and privacy notice to inform the data subjects about the processing of their personal data through the website and handling of complaints from data subjects. 

A virtual asset service provider in the setting up of an e-money institution in Luxembourg to deploy its strategy in Europe and further develop into a proper digital asset services provider. The advice covers banking regulatory, IT outsourcing, cybersecurity and data protection advice. 

A global tech company on the compliance of its connected devices (including virtual voice assistants) with data protection and medical devices regulations. 

An international provider of IT services in relation to the Digital Operational Resilience Act. 

On the negotiation of the transitional service agreement for the migration of IT systems and data in relation to the sale of the Luxembourg affiliate of a German Bank.

The Luxembourg affiliate of a German bank in relation to the rules and limitations for transferring data in relation to the Panama Papers to German tax authorities.

Pro bono

Assisting Médecins Sans Frontières Luxembourg on their compliance program in relation to the General Data Protection Regulation, including the data mapping, drafting records of processing and providing training to staff.

Assisting Autisme Luxembourg in relation to the compliance of their website with data protection and ePrivacy requirements.

Assisting Stëmm vun der Strooss, an organisation for homeless people in Luxembourg, in relation to their compliance with the General Data Protection Regulation.

Published Work

  • Di Lorenzo, C., Ancenys, L.-A., Wolters-Ruckert, N., Wagner, P. (2023) “EU AI Act: Key changes in the recently leaked text”, A&O Tech Talk
  • Di Lorenzo, C., Aubry, B., Mausen, F., Noeltner, P. (2023) "Blockchain 2023 Practice Guide: Luxembourg Chapter", Chambers and Partners
  • Di Lorenzo, C., Berger, T., Wagner, P. (2021) “Data Privacy & Transfer in Investigations (Luxembourg Chapter)”, Global Investigations Review
  • Di Lorenzo, C., (co-author), (2020) “Arguments according to which it would not be mandatory for investment funds to appoint a data protection officer in the sole KYC/AML context”, Revue internationale de la propriété intellectuelle et du droit du numérique (LegiTech) - Pincode

Speaking Engagements

  • Speaker, Investigations Bootcamp for GCs, A&O Luxembourg GC Club, February 2024
  • Guest Speaker, Generative AI and the AI Act in Banking, LHoFT – Luxembourg House of Financial Technology, November 2023
  • Guest Speaker, British Chamber of Commerce Leadership Forum on AI, October 2023
  • Guest Speaker, Practical use cases of AI, Le Club des CIO/COO/CDO de TNP Luxembourg, October 2023

Leadership Positions And Professional Affiliations

  • Member of the editorial board, PinCode
  • APDL (Association pour la Protection des Données au Luxembourg)
  • APSI (Association des professionnels de la Société de l'Information)
  • FedISA Luxembourg

Catherine Di Lorenzo is a strong practitioner with an excellent track record, especially in IT/outsourcing/data protection.
Legal 500, 2023

Catherine Di Lorenzo ‘is fully committed to her clients and has a deep knowledge of data protection regulation,’ reports one client. She maintains a broad caseload, encompassing GDPR compliance and IT outsourcing, as well as IP litigation and drafting licensing agreements.
Chambers and Partners, 2022



Admitted as avocat à la Cour, Luxembourg, 2010
Admitted to the Luxembourg bar under her professional home title, 2006
Admitted as Rechtsanwalt, Germany, 2006


Doctorate in law, University of Trier, 2013
Second German Law Degree, Oberlandesgericht Koblenz, 2005
First German Law Degree, University of Trier, 2003


English, French, German
A&O Shearman was formed on May 1, 2024 by the combination of Shearman & Sterling LLP and Allen & Overy LLP and their respective affiliates (the legacy firms). Any matters referred to above may include matters undertaken by one or more of the legacy firms rather than A&O Shearman.