Data protection

The National Data Protection Commission (CNPD) will process your personal data in order to fulfil the tasks assigned to it by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

As a public authority processing personal data, the CNPD must comply with its obligations as controller.

Please find below the contact details of the CNPD:

National Data Protection Commission

15, Boulevard du Jazz 
L-4370 Belvaux

Tél. : (+352) 26 10 60 - 1

Fax. : (+352) 26 10 60 - 6099

E-mail: info@cnpd.lu

For any question regarding the processing of your personal data carried out by the CNPD, please contact the data protection officer (DPO) of the CNPD:

Commission nationale pour la protection des données

A l’att. du délégué à la protection des données

15, Boulevard du Jazz 
L-4370 Belvaux

  • By phone : (+352) 26 10 60 - 1

 

Personal data processing activities carried out by the CNPD are described below. For each processing activity, detailed information is available by clicking on “more information” in the section in question (including information regarding the exercise of your rights with the CNPD).

These “data protection notices” are also directly available on the relevant pages concerning the processing activities in question.

Retention periods mentioned within these notices correspond to the “duration of administrative usefulness” defined by the CNPD in line with the Act of 17 August 2018 on public archiving. According to the provisions of this law, documents of archival value ("valeur patrimoniale") must be kept for archiving purposes in the public interest.

1. Public awareness, trainings and information to the public

Management of the newsletter

The CNPD delivers a newsletter to the interested public in order to contact and inform them about events organised by the CNPD, publication of guidance documents, legal opinions and other information and news related to the CNPD’s activities. The interested public can subscribe online. The CNPD uses an email delivery service to facilitate communication to the public.

More information

1.    Purposes of the processing

The CNPD (15, Boulevard du Jazz, L-4370 Belvaux) delivers a newsletter to the interested public in order to contact and inform them about events organised by the CNPD, the publication of guidance documents, legal opinions and other information and news related to the CNPD’s activities.

The sending of the newsletter is currently suspended, as the CNPD stopped using the tool of the provider through which the subscription and transmission of its newsletter were carried out.

The CNPD (15, Boulevard du Jazz, L-4370 Belvaux) delivers a newsletter to the interested public in order to contact and inform them about events organised by the CNPD, publication of guidance documents, legal opinions and other information and news related to the CNPD’s activities.

The CNPD uses an email delivery service to facilitate communication to the public and to collect data on the delivery and consultation of its newsletter.

Subscription to the newsletter requires to provide an email address. In order to prevent any abusive use, a link is sent to the email address provided for the subscription. The user must click on this link to validate the subscription.

2.    Personal data processed

The following personal data are collected and accessible by the CNPD’s staff members in charge of managing the newsletter:

  • Email address provided for the subscription.
  • Date of subscription.
  • Subscription status (confirmed or not confirmed).
  • Language of the subscription (French by default).
  • Origin of the subscription (CNPD’s Website).

Following each newsletter delivery, a “campaign report” is generated with the following information for every subscriber:

  • Number of emails sent to the subscriber, received, not received (not delivered or email address does not exist), opened “without click”, not opened, read in the browser, date and time of the last clicked message, number of clicks on the “forward” button of the newsletter, number of messages treated as spam by the subscriber, number of clicks on the unsubscribe button, unsubscription confirmed.
  • The report also includes percentage information on every subscriber concerning the following elements: emails “delivered”, “opened”, “clicked”.

3.    Legal basis for the processing

The processing of personal data carried out by the CNPD in this context is based on the consent of the data subject [Article 6, paragraph 1, point a) of the General Data Protection Regulation]. The consent can be withdrawn at any time.

4.    Categories of recipients of the personal data

Within the CNPD, the personal data mentioned above can be consulted by the CNPD’s staff in charge of the newsletter/the technical maintenance of the newsletter.

The personal data processed can also be accessed by the provider of the email delivery service, Flexmail NV, located in Jaarbeurslaan 29, box 31, 3600 Genk, with company number 0835.786.642. Flexmail is acting as processor on behalf of the CNPD.

5.    Unsubscribe

To unsubscribe, the user can either click on the link included in every email sent with the newsletter or directly contact the DPO of the CNPD. The email address used for the subscription and the associated personal data are then deleted within 30 days.

6.    Rights of the data subject

You have the right to access your personal data and to obtain a copy of them (Article 15 of the General Data Protection Regulation), to obtain the rectification of inaccurate or incomplete personal data (Article 16 of the General Data Protection Regulation) and to obtain the restriction of the processing under the conditions laid down in Article 18 of the General Data Protection Regulation.

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

7.    Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

Information requests submitted through the contact forms or by phone

Data subjects can contact the CNPD in order to obtain information concerning the exercise of their rights and concerning the obligations of the controllers. The CNPD processes the personal data that are necessary to reply to such requests. These personal data are collected through a contact form which sets out the obligatory information or via phone when calling the CNPD.

More information

1.      Purposes of the processing and legal basis for the processing

Data subjects can contact the CNPD in order to obtain information concerning the exercise of their rights [Article 57, paragraph 1, point e) of the General Data Protection Regulation] and concerning the obligations of the data controllers.

In this respect, the processing of personal data collected through the contact form is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2.       Personal data processed

Two contact forms are available on the website of the CNPD: a form for requests by individuals and a form for requests by organisations.

Mandatory fields

The processing of your request (whether submitted on a personal basis or on behalf of your organisation) requires the collection of your personal data, i.e. your title, name, first name, as well as your e-mail address.

For requests submitted on a personal basis, you must additionally specify your country of residence, and, for requests submitted on behalf of your organisation, the country in which your organisation is established.

In both contact forms, you can indicate your request in the field entitled “message”. We recommend mentioning only information that are necessary for the processing of your request in this field. In particular, sensitive personal data (within the meaning of Article 9 of the General Data Protection Regulation – for instance data concerning health, or related to political opinions or religious beliefs) concerning you or another natural person should not be mentioned, if they are not indispensable to answer your request.

Non-mandatory fields

If you consider it necessary, additional information can be added in the non-mandatory fields of the forms, namely your phone number (to allow us to contact you more quickly in case of any additional questions) and, for requests submitted on behalf of an organisation, your sector, the name of your entity, and your role.

3.       Categories of recipients of the personal data

Requests submitted to the CNPD through the contact forms are sent to info@cnpd.lu, managed by the secretariat of the CNPD. The requests are transmitted to the relevant department within the CNPD in accordance with their subject matter.

Most requests will be transmitted to the department in charge of information requests. However, some requests may be transmitted to other departments within the CNPD, namely the communication and public relations department or the department in charge of handling  complaints.

Potential recipients

The data collected (if they constitute relevant information) may be transmitted to other supervisory authorities within the framework of the mutual assistance with these authorities (Article 61 of the General Data Protection Regulation).

4.       Storage duration

The personal data contained within information requests submitted through the contact forms are kept for a period of three years from the date of closure of the request file.

5.       Rights of the data subject

You have the right to access your personal data and to obtain a copy of them (Article 15 of the General Data Protection Regulation), to obtain the rectification of inaccurate or incomplete personal data (Article 16 of the General Data Protection Regulation), to object to the processing of your personal data under the conditions laid down in Article 21 of the General Data Protection Regulation, to obtain the erasure of your personal data under the conditions laid down in Article 17 of the General Data Protection Regulation, and to obtain the restriction of the processing under the conditions laid down in Article 18 of the General Data Protection Regulation. 

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6.       Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

DaPro LAB

The CNPD offers training sessions and knowledge exchange programs for data protection professionals. These sessions are called « DaPro Lab ». The CNPD processes personal data relating to the work of the persons interested in taking part.

More information

1.       Purposes and legal basis of processing

In order to promote understanding of the risks, rules, safeguards and rights relating to the processing of personal data, the CNPD offers sessions for data protection professionals to exchange knowledge and experience. These sessions are called "DaPro Lab".

A DaPro Lab session is open to interested parties who meet the conditions of access set out in the [DaPro Lab Charter] and specified for each session.

The processing of your personal data by the CNPD in this context is based on your consent [Article 6(1)(a) of the General Data Protection Regulation].

You may withdraw your consent to the processing of your personal data by sending an e-mail to communication@cnpd.lu.

Data relating to persons interested in participating are collected by the CNPD to enable it to organise the DaPro Lab and to carry out the awareness-raising tasks entrusted to it under Article 57(1)(b) and (d) of the General Data Protection Regulation.

2.       Categories of data processed

The following data relating to each person interested in taking part is collected and may be consulted by those responsible for organising the DaPro Lab within the CNPD:

    Full name ;

    Professional details ;

    Data relating to professional activity (sector of activity, employer, duties carried out).

3.       Categories of recipients of processed data

Those responsible for organising and running the DaPro Lab within the CNPD.

4.       Retention period

Personal data relating to persons who have applied to take part and who meet the conditions for access are kept for a period of 6 months from the date of the DaPro Lab.

Personal data relating to persons who have applied to take part but who do not meet the conditions for access will not be retained.

5.       Rights of data subjects

You may access data concerning you and obtain a copy (Article 15 of the General Data Protection Regulation), obtain rectification of inaccurate or incomplete data (Article 16 of the General Data Protection Regulation), obtain erasure of such data under the conditions set out in Article 17 of the General Data Protection Regulation and limit processing under the conditions set out in Article 18 of the same Regulation.

If you have any questions regarding the processing of your personal data by the CNPD, or if you wish to exercise your rights, you may contact the CNPD's DPO.

6.       Complaints

If you consider that the processing of your data by the CNPD constitutes a breach of the General Data Protection Regulation, you may lodge a complaint with the CNPD.

ALTO project – Pilot phase

The ALTO project helps to raise awareness among controllers and processors about the obligations stemming from the GDPR. The personal data provided by the participating entities are necessary to carry out the pilot phase of the ALTO project. 

More information

1.    Data Controller

The National Commission for Data Protection (CNPD) is responsible for processing the personal data sent to it by entities (SMEs, chambers and professional associations) wishing to take part in the pilot phase of the ALTO project.

Contact details for the CNPD are as follows:

Commission nationale pour la protection des données

15, Boulevard du Jazz

L-4370 Belvaux

Tél. : (+352) 26 10 60 -1

2.         Purposes and legal basis of processing

The ALTO project helps to raise awareness among data controllers and processors of their obligations under the GDPR. This project is part of a mission of public interest, which falls to the CNPD on the basis of Article 57(1)(d) of the GDPR.

The personal data collected from the participating entities is necessary to enable the CNPD and its partner, the LHC-NC3 (Luxembourg House of Cybersecurity, National Cybersecurity Competence Centre), to carry out the pilot phase of the ALTO project. This phase requires exchanges with these entities in order to develop a self-assessment and compliance assistance tool tailored to the needs of SMEs.

The processing of personal data carried out by the CNPD in this context is based on Article 6(1)(e) of the GDPR (processing necessary for the performance of a task carried out in the public interest).

3.       Categories of processed data

The personal data processed by the CNPD as part of the pilot phase of the ALTO project are as follows:

  • Surname, first name, job title and professional contact details of the contact persons for the participating entities;
  • Observations and comments communicated to the CNPD and LHC-N3 on behalf of the entity they represent.

4.       Categories of processed data recipients

The personal data processed as part of the pilot phase of the ALTO project is accessible to :

  • CNPD Commissioners and agents.
  • designated agents within the LHC-NC3.

5.       Retention period

The personal data will be kept until the end of the pilot phase of the ALTO project, the duration of which is estimated at one year from its launch (in March 2023).

6.       Rights of data subjects

You may access the data concerning you and obtain a copy (Article 15 of the General Data Protection Regulation), obtain the rectification of inaccurate or incomplete data (Article 16 of the General Data Protection Regulation), object to the processing of your data (Article 21 of the General Data Protection Regulation), obtain the erasure of such data under the conditions provided for in Article 17 of the GDPR and the restriction of processing under the conditions provided for in Article 18 of the same Regulation.

If you have any questions about the processing of your personal data by the CNPD, or if you wish to exercise your rights, you may contact the CNPD's DPO, whose contact details are given below (point 7).

7.         Contact details for the data protection officer

If you have any questions about the processing of your personal data by the CNPD as part of the Pilot phase of the ALTO Project, you can contact the CNPD's Data Protection Officer (DPO) by e-mail (dpo@cnpd.lu) or by post:

Commission nationale pour la protection des données

A l’att. du délégué à la protection des données

15, Boulevard du Jazz

L-4370 Belvaux

Tél. : (+352) 26 10 60 -1

8.       Complaint

If you consider that the processing of your data by the CNPD constitutes a breach of the General Data Protection Regulation, you may lodge a complaint with the CNPD.

Public consultation on the certification scheme « GDPR-CARPA »

The CNPD launched a public consultation on the certification scheme “GDPR-CARPA”. In order to facilitate the consultation, a form was available on the website of the CNPD. Personal data processed by the CNPD are mainly contact details submitted by the participants.

More information

1.      Purposes of the processing and legal basis for the processing

The CNPD has launched a public consultation on the certification scheme “GDPR-CARPA” concerning, on the one hand, the certification requirements (Article 42 of the General Data Protection Regulation), and on the other hand, the accreditation requirements of certification bodies (Article 43 of the General Data Protection Regulation).

In order to facilitate the consultation, a form is available on the website of the CNPD (cnpd.public.lu).

This consultation aims to help the CNPD accomplish the tasks conferred on it by Article 57, paragraph 1, points n) and p) of the General Data Protection Regulation.

In this respect, the processing of personal data transmitted through the consultation form is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2.       Categories of personal data processed

The identifying data and contact details of the contact person.

3.       Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

The form can be sent by e-mail to alain.herrmann@cnpd.lu.

4.       Storage duration

The personal data contained within the consultation form are kept for a period of one year from the date of closure of the public consultation.

5.       Rights of the data subject

You have the right to access your personal data and to obtain a copy of them (Article 15 of the General Data Protection Regulation), to obtain the rectification of inaccurate or incomplete personal data (Article 16 of the General Data Protection Regulation), to object to the processing of your personal data under the conditions laid down in Article 21 of the General Data Protection Regulation, to obtain the erasure of your personal data under the conditions laid down in Article 17 of the General Data Protection Regulation, and to obtain the restriction of the processing under the conditions laid down in Article 18 of the same regulation.

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6.       Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

2. Obligations of the controller, supervisory activities, European and international cooperation

Management of the DPO’s contact details

Controllers and processors must communicate the contact details of their Data Protection Officer (“DPO”) to the CNPD. A dedicated form is available on the website of the CNPD. Personal data collected by the CNPD are mainly professional contact details. 

More information

The CNPD is the controller of the personal data collected through the form « Declaration of the Data Protection Officer » available on its website (cnpd.public.lu).

1.       Purposes of the processing and legal basis for the processing

Pursuant to Article 37, paragraph 7 of the General Data Protection Regulation, the controller or the processor are required to publish the contact details of their Data Protection Officer (“DPO”) and to communicate them to the CNPD.

For the performance of its tasks, the CNPD processes these data relating to the DPO in order to be able to communicate with them, if needed.

In this respect, the processing is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

Information concerning the natural person filling out the declaration form on behalf of the controller or on behalf of the processor are collected in order to verify the authenticity of the declaration.

2.       Categories of personal data processed

The identifying data and contact details of the DPO and of the natural person filling out the declaration form on behalf of the controller or on behalf of the processor.

3.       Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

4.       Storage duration

The data are kept for a period of one year from the date when the controller or the processor, which has designated the DPO, informs the CNPD that a new DPO has been designated or that the person designated no longer acts as the DPO.

5.       Rights of the data subject

You have the right to access your personal data and to obtain a copy of them (Article 15 of the General Data Protection Regulation), to obtain the rectification of inaccurate or incomplete personal data (Article 16 of the General Data Protection Regulation), to object to the processing of your personal data under the conditions laid down in Article 21 of the General Data Protection Regulation, to obtain the erasure of your personal data under the conditions laid down in Article 17 of the General Data Protection Regulation, and to obtain the restriction of the processing under the conditions laid down in Article 18 of the General Data Protection Regulation. 

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6.       Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

Prior consultations (« data protection impact assessment »)

Depending on the risk that a type of processing may present to the rights and freedoms of data subjects, the controller can be under the obligation to carry out a data protection impact assessment and to consult the CNPD prior to the processing. In such a case, the CNPD collects mainly professional contact details.

More information

1.       Purposes of the processing and legal basis for the processing

The controller has to consult the CNPD where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation (Article 36 and Recital 94 of the General Data Protection Regulation).

In order to facilitate this consultation, a prior consultation form is available on the website of the CNPD (cnpd.public.lu).

The processing of personal data transmitted through the form is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2.       Categories of personal data processed

The identifying data and contact details of the contact person within the organisation.

The identifying data, role and signature of the reporting person.

3.       Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

Prior notification forms can be sent to aipd@cnpd.lu, managed by the department in charge of prior consultations. The public key PGP can be downloaded here to secure the transmission of the information by encrypting it.

Prior notification forms can also be sent by post. In this case, the form is received by the secretariat and forwarded to the department in charge of prior consultations.

4.       Storage duration

The personal data contained within the prior consultation form are kept for a period of ten year from the date of receipt of the consultation form.

5.       Rights of the data subject

You have the right to access your personal data and to obtain a copy of them (Article 15 of the General Data Protection Regulation), to obtain the rectification of inaccurate or incomplete personal data (Article 16 of the General Data Protection Regulation), to object to the processing of your personal data under the conditions laid down in Article 21 of the General Data Protection Regulation, to obtain the erasure of your personal data under the conditions laid down in Article 17 of the General Data Protection Regulation, and to obtain the restriction of the processing under the conditions laid down in Article 18 of the General Data Protection Regulation.

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6.       Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

Data breach notification

Unless a data breach is unlikely to result in a risk for data subjects, the controller must notify the data breach to the CNPD. In the context of such a notification, the CNPD collects mainly professional contact details. 

More information

1.      Purposes of the processing and legal basis for the processing

Data breaches which may result in a risk to the rights and freedoms of natural persons must be notified by the controller to the supervisory authority (Article 33 of the General Data Protection Regulation).

To that end, a data breach notification form is available on the website of the CNPD (cnpd.public.lu).

The processing of the data related to the notification is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2.       Categories of personal data processed

The identifying data, role and contact details of the reporting person and of the contact person within the organisation.

3.       Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

Data breach notifications can be sent to the address databreach@cnpd.lu, managed by the department in charge of the management of data breach notifications.

The public key PGP can be downloaded here to secure the transmission of the information by encrypting it.

4.       Storage duration

The personal data contained within the data breach notification form are kept for a period of ten years from the date of closure of the case.

5.       Rights of the data subject

You have the right to access your personal data and to obtain a copy of them (Article 15 of the General Data Protection Regulation), to obtain the rectification of inaccurate or incomplete personal data (Article 16 of the General Data Protection Regulation), to object to the processing of your personal data under the conditions laid down in Article 21 of the General Data Protection Regulation, to obtain the erasure of your personal data under the conditions laid down in Article 17 of the General Data Protection Regulation, and to obtain the restriction of the processing under the conditions laid down in Article 18 of the General Data Protection Regulation.

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6.       Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data ProtectionRegulation, you can lodge a complaint with the CNPD.

Prior consultations (« data protection impact assessment »)

Depending on the risk that a type of processing may present to the rights and freedoms of data subjects, the controller can be under the obligation to carry out a data protection impact assessment and to consult the CNPD prior to the processing. In such a case, the CNPD collects mainly professional contact details.

More information

1.       Purposes of the processing and legal basis for the processing

The controller has to consult the CNPD where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation (Article 36 and Recital 94 of the General Data Protection Regulation).

In order to facilitate this consultation, a prior consultation form is available on the website of the CNPD (cnpd.public.lu).

The processing of personal data transmitted through the form is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2.       Categories of personal data processed

The identifying data and contact details of the contact person within the organisation.

The identifying data, role and signature of the reporting person.

3.       Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

Prior notification forms can be sent to aipd@cnpd.lu, managed by the department in charge of prior consultations. The public key PGP can be downloaded here to secure the transmission of the information by encrypting it.

Prior notification forms can also be sent by post. In this case, the form is received by the secretariat and forwarded to the department in charge of prior consultations.

4.       Storage duration

The personal data contained within the prior consultation form are kept for a period of ten year from the date of receipt of the consultation form.

5.       Rights of the data subject

You have the right to access your personal data and to obtain a copy of them (Article 15 of the General Data Protection Regulation), to obtain the rectification of inaccurate or incomplete personal data (Article 16 of the General Data Protection Regulation), to object to the processing of your personal data under the conditions laid down in Article 21 of the General Data Protection Regulation, to obtain the erasure of your personal data under the conditions laid down in Article 17 of the General Data Protection Regulation, and to obtain the restriction of the processing under the conditions laid down in Article 18 of the General Data Protection Regulation.

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6.       Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

Data breach notification

Unless a data breach is unlikely to result in a risk for data subjects, the controller must notify the data breach to the CNPD. In the context of such a notification, the CNPD collects mainly professional contact details. 

More information

1.      Purposes of the processing and legal basis for the processing

Data breaches which may result in a risk to the rights and freedoms of natural persons must be notified by the controller to the supervisory authority (Article 33 of the General Data Protection Regulation).

To that end, a data breach notification form is available on the website of the CNPD (cnpd.public.lu).

The processing of the data related to the notification is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2.       Categories of personal data processed

The identifying data, role and contact details of the reporting person and of the contact person within the organisation.

3.       Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

Data breach notifications can be sent to the address databreach@cnpd.lu, managed by the department in charge of the management of data breach notifications.

The public key PGP can be downloaded here to secure the transmission of the information by encrypting it.

4.       Storage duration

The personal data contained within the data breach notification form are kept for a period of ten years from the date of closure of the case.

5.       Rights of the data subject

You have the right to access your personal data and to obtain a copy of them (Article 15 of the General Data Protection Regulation), to obtain the rectification of inaccurate or incomplete personal data (Article 16 of the General Data Protection Regulation), to object to the processing of your personal data under the conditions laid down in Article 21 of the General Data Protection Regulation, to obtain the erasure of your personal data under the conditions laid down in Article 17 of the General Data Protection Regulation, and to obtain the restriction of the processing under the conditions laid down in Article 18 of the General Data Protection Regulation.

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6.       Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data ProtectionRegulation, you can lodge a complaint with the CNPD.

Handling of complaints

Every data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. The CNPD collects personal data submitted by the complainant, namely contact details, the subject matter of the complaint as well as personal data contained in supporting documents. 

More information

1.      Purposes of the processing and legal basis for the processing

Every data subject can lodge a complaint with the CNPD if he/she considers that the processing of personal data relating to him/her infringes the General Data Protection Regulation, in particular, if the data subject resides or/and works in the Grand-Duchy of Luxembourg, or if the infringement is alleged to have been committed in the Grand-Duchy of Luxembourg.

In this context, the CNPD processes the personal data transmitted by the complainant.

The processing of such data, on the basis of Article 57, paragraph 1 point f) of the General Data Protection Regulation, is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2.       Categories of personal data processed

In order to facilitate the submission of complaints, a form is available on the website of the CNPD (cnpd.public.lu).

The handling of a complaint requires the collection of personal data related to the complainant, and where necessary, to other natural persons.

Identifying data and contact details

The form contains mandatory fields to collect identifying data and contact details of the complainant.

Additional information can be added in the non-mandatory fields of the form in order to facilitate the handling of the complaint, namely your email address, telephone/fax number, contact person/legal guardian (where applicable), reference number, customer reference, user name, email address used to sign up or other identifier with the data controller, relationship with the controller (employee, customer, etc.)

Subject matter of the complaint

The form contains checkboxes to specify the nature of the alleged infringement as well as the personal data impacted (these specifications are mandatory).

A detailed and chronological description of the matter is required; the form contains a mandatory field for this description. We recommended mentioning only information that are necessary for the processing of the complaint in this field. In particular, sensitive personal data (within the meaning of Article 9 of the General Data Protection Regulation – for instance data concerning health, or related to political opinions or religious beliefs) concerning the complainant or another natural person should not be mentioned if they are not indispensable for the handling of the complaint.

Supporting documents

The complainant can provide supporting documents and specify the nature of these documents in the dedicated fields of the form. We recommended providing only the documents, which are relevant for the handling of the complaint.

Follow-up of the complaint

Additional data may be required and requested by the CNPD during the handling of the complaint (from the person lodging the complaint and/or from the controller against which the complaint has been lodged).

3.       Categories of recipients of the personal data

Commissioners and staff of the CNPD.

Complaints lodged with the CNPD through the form available online are sent to plaintes@cnpd.lu, managed by the department in charge of handling complaints.

Complaints sent by post or fax are received by the secretariat of the CNPD and then forwarded to the department in charge of handling complaints.

Potential recipients

Data collected (if they constitute relevant information) may be transmitted to other supervisory authorities within the framework of the cooperation and the mutual assistance with these authorities (Articles 60 and 61 of the General Data Protection Regulation).

4.       Storage duration

The personal data contained within complaints submitted through the complaints form or sent by post or fax are kept for a period of ten years from the date of closure of the complaint file.

5.       Rights of the data subject

You have the right to access your personal data and to obtain a copy of them (Article 15 of the General Data Protection Regulation), to obtain the rectification of inaccurate or incomplete personal data (Article 16 of the General Data Protection Regulation), to object to the processing of your personal data under the conditions laid down in Article 21 of the General Data Protection Regulation, to obtain the erasure of your personal data under the conditions laid down in Article 17 of the General Data Protection Regulation, and to obtain the restriction of the processing under the conditions laid down in Article 18 of the General Data Protection Regulation.

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6.       Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

Investigations carried out by the CNPD

As a supervisory authority, the CNPD carries out investigations to verify the compliance with the applicable legislation. The CNPD collects personal data which are necessary to carry out its investigation. The categories of personal data collected depend on the subject matter of the investigation, the controller under investigation as well as on the specifics of the investigation.

More information

Activities of the restricted committee

The CNPD processes the personal data which are necessary to allow its restricted committee (formation restreinte) to adopt a decision on the outcome of an investigation. The processing of personal data is necessary in the context of the decision-making process of the restricted committee and for the assessment of the compliance with any corrective measures imposed.

More information

Internal Market Information System (IMI)

The CNPD cooperates with other supervisory authorities, including by sharing information. To this end, the CNPD uses an electronic tool (called IMI) provided by the European Commission to facilitate administrative cooperation. The CNPD processes personal data when using this tool.

Whistleblowing - Management of reports

The CNPD has put in place internal and external reporting channels pursuant to the Act of 16 May 2023 on the protection of whistleblowers. the CNPD processes the personal data transmitted by the whistleblower in the event of a report. However, personal data transmitted with the report that are clearly irrelevant for the handling of the report are immediately deleted.

3. Recruitments

Management of applications

The CNPD processes personal data included in the applications submitted to its human resources service in order to select suitable candidates for a vacancy to be filled. 

More information

1.         Data controller

The National Commission for Data Protection (CNPD) is responsible for processing the personal data communicated to it by applicants for a post to be filled within the CNPD.

The CNPD's contact details are as follows:

National Commission for Data Protection

15, Boulevard du Jazz

L-4370 Belvaux

Tel: (+352) 26 10 60 -1

2.         Purposes and legal basis of processing

In accordance with Article 28 of the Act of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, "the CNPD's staff cadre comprises civil servants in the various processing categories as provided for by the amended Act of 25 March 2015 laying down the salary regime and the conditions and procedures for the promotion of State civil servants. The staff framework may be supplemented, as required and within the limits of budgetary appropriations, by trainees, employees and salaried staff of the State."

The CNPD processes the personal data contained in the applications sent to it in order to enable it to select candidates for a vacant post with a view to possible recruitment.

3.       Categories of data processed

In addition to the identification data (surname and first name) and contact details provided by the applicant, the data processed by the CNPD for the purpose of managing applications are those contained in the documents provided with the application, namely:

    Cover letter ;

    Curriculum vitae ;

    Copy of diploma(s) and/or certificate(s) required for the course applied for;

    In the case of civil servants: the letter of successful completion of the general aptitude test (with attachments).

4.       Categories of recipients of processed data

Personal data contained in applications sent to rh@cnpd.lu are processed by the Human Resources Unit within the Administration Department of the CNPD.

Applications sent to the CNPD by post are received in the Administration Department by the CNPD secretariat and forwarded to the Human Resources Unit.

As regards applications for a civil servant post to be submitted via the MyGuichet.lu platform, for which the CTIE is responsible (and which acts as a subcontractor in this context), the personal data provided by the applicant is communicated to the Centre de gestion du personnel et de l'organisation de l'État (CGPO) and may also be accessible to persons designated by the CTIE in the context of a request for support or assistance from the person concerned.

Applications of interest for the post to be filled are forwarded to the Commissioners by the CNPD's human resources unit.

Depending on the post to be filled, candidates' curriculum vitae and covering letter may also be sent to a head of department consulted as part of the selection procedure.

5.       Retention period

Unsuccessful applications are destroyed by the CNPD after each recruitment process; the personal data they contain are deleted when they are destroyed.

As regards successful applications leading to recruitment, the staff member's personal file is compiled in accordance with Article 34 of the amended Act of 16 April 1979 laying down the general status of civil servants and the Grand Ducal Regulation of 13 April 1984 determining the documents contained in the personal file of civil servants.

6.       Rights of data subjects

You may access the data concerning you and obtain a copy (article 15 of the General Data Protection Regulation), obtain the rectification of inaccurate or incomplete data (article 16 of the General Data Protection Regulation), object to the processing of your data (article 21 of the General Data Protection Regulation), obtain the erasure of your data under the conditions set out in article 17 of the General Data Protection Regulation and the restriction of processing under the conditions set out in article 18 of the same Regulation.

For any request relating to the exercise of your rights, you may contact the CNPD's DPO, whose contact details are given below (point 7).

7.         Contact details for the Data Protection Officer

If you have any questions about the processing of your personal data by the CNPD in connection with the management of your application, you may contact the CNPD's Data Protection Officer (DPO) by e-mail (dpo@cnpd.lu) or by post:

National Commission for Data Protection

Attn: Data Protection Officer

15, Boulevard du Jazz

L-4370 Belvaux

Tel: (+352) 26 10 60 -1

8.       Complaints

If you consider that the processing of your data by the CNPD constitutes a breach of the General Data Protection Regulation, you may lodge a complaint with the CNPD.

4. CNPD’s website

Cookies

A cookie is a text file sent to your browser and saved on the hard drive of your device (computer, laptop, smartphone, for example) when you visit a website. For instance, cookies can be used to ensure the proper functioning of a website and to facilitate its use and improve its functionalities.

This website uses a “functional” cookie necessary to fill in the pages of the complaint form online:

Name

Content

Storage duration

JSESSIONID

Token

Duration of the session

Dernière mise à jour