Data protection

Processing operations carried out by the CNPD through the forms on its website (cnpd.public.lu)

The National Data Protection Commission (CNPD) will process your personal data in order to fulfil the tasks assigned to it by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

As a public authority processing personal data, the CNPD has to comply with its obligations as data controller.

Please find below the contact details of the CNPD:

National Data Protection Commission

15, Boulevard du Jazz
L-4370 Belvaux

Tél. : (+352) 26 10 60 -1

Fax. : (+352) 26 10 60 29

E-mail: info@cnpd.lu

For any question regarding the processing of your personal data carried out by the CNPD, please contact the data protection officer (DPO) of the CNPD:

By email: dpo@cnpd.lu
By post:

Commission nationale pour la protection des données

A l’att. du délégué à la protection des données

15, Boulevard du Jazz
L-4370 Belvaux

By phone : (+352) 26 10 60 – 1

Information concerning processing operations carried out by the CNPD through the forms on its website (cnpd.public.lu) are detailed below and are available on the relevant pages concerning the processing operations in question.

Retention periods mentioned below correspond to the “duration of administrative usefulness” defined by the CNPD in line with the Act of 17 August 2018 on public archiving. According to the provisions of this law, documents of archival value ("valeur patrimoniale") must be kept for archiving purposes in the public interest.

MANAGEMENT OF DPO’S CONTACT DETAILS

The CNPD is the controller of the personal data collected through the form « Declaration of the Data Protection Officer » available on its website (cnpd.public.lu).

1. Purposes of the processing and legal basis for the processing

Pursuant to Article 37, paragraph 7 of the General Data Protection Regulation, the controller or the processor are required to publish the contact details of their Data Protection Officer (“DPO”) and to communicate them to the CNPD.

For the performance of its tasks, the CNPD processes these data relating to the DPO in order to be able to communicate with them, if needed.

In this respect, the processing is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

Information concerning the natural person filling out the declaration form on behalf of the controller or on behalf of the processor are collected in order to verify the authenticity of the declaration.

2. Categories of personal data processed

The identifying data and contact details of the DPO and of the natural person filling out the declaration form on behalf of the controller or on behalf of the processor.

3. Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

4. Storage duration

The data are kept for a period of one year from the date when the controller or the processor, which has designated the DPO, informs the CNPD that a new DPO has been designated or that the person designated no longer acts as the DPO.

5. Rights of the data subject

You have the right to access your personal data and to obtain a copy of them (Article 15 of the General Data Protection Regulation), to obtain the rectification of inaccurate or incomplete personal data (Article 16 of the General Data Protection Regulation), to object to the processing of your personal data under the conditions laid down in Article 21 of the General Data Protection Regulation, to obtain the erasure of your personal data under the conditions laid down in Article 17 of the General Data Protection Regulation, and to obtain the restriction of the processing under the conditions laid down in Article 18 of the General Data Protection Regulation.

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6. Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

INFORMATION REQUESTS SUBMITTED THROUGH THE CONTACT FORMS

1. Purposes of the processing and legal basis for the processing

Data subjects can contact the CNPD in order to obtain information concerning the exercise of their rights [Article 57, paragraph 1, point e) of the General Data Protection Regulation] and concerning the obligations of the data controllers.

In this respect, the processing of personal data collected through the contact form is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2. Personal data processed

Two contact forms are available on the website of the CNPD: a form for requests by individuals and a form for requests by organisations.

Mandatory fields

The processing of your request (whether submitted on a personal basis or on behalf of your organisation) requires the collection of your personal data, i.e. your title, name, first name, as well as your e-mail address.

For requests submitted on a personal basis, you must additionally specify your country of residence, and, for requests submitted on behalf of your organisation, the country in which your organisation is established.

In both contact forms, you can indicate your request in the field entitled “message”. We recommend mentioning only information that are necessary for the processing of your request in this field. In particular, sensitive personal data (within the meaning of Article 9 of the General Data Protection Regulation – for instance data concerning health, or related to political opinions or religious beliefs) concerning you or another natural person should not be mentioned, if they are not indispensable to answer your request.

Non-mandatory fields

If you consider it necessary, additional information can be added in the non-mandatory fields of the forms, namely your phone number (to allow us to contact you more quickly in case of any additional questions) and, for requests submitted on behalf of an organisation, your sector, the name of your entity, and your role.

3. Categories of recipients of the personal data

Requests submitted to the CNPD through the contact forms are sent to info@cnpd.lu, managed by the secretariat of the CNPD. The requests are transmitted to the relevant department within the CNPD in accordance with their subject matter.

Most requests will be transmitted to the department in charge of information requests. However, some requests may be transmitted to other departments within the CNPD, namely the communication and public relations department or the department in charge of handling complaints.

Potential recipients

The data collected (if they constitute relevant information) may be transmitted to other supervisory authorities within the framework of the mutual assistance with these authorities (Article 61 of the General Data Protection Regulation).

4. Storage duration

The personal data contained within information requests submitted through the contact forms are kept for a period of three years from the date of closure of the request file.

5. Rights of the data subject

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6. Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

HANDLING OF COMPLAINTS

1. . Purposes of the processing and legal basis for the processing

Every data subject can lodge a complaint with the CNPD if he/she considers that the processing of personal data relating to him/her infringes the General Data Protection Regulation, in particular, if the data subject resides or/and works in the Grand-Duchy of Luxembourg, or if the infringement is alleged to have been committed in the Grand-Duchy of Luxembourg.

In this context, the CNPD processes the personal data transmitted by the complainant.

The processing of such data, on the basis of Article 57, paragraph 1 point f) of the General Data Protection Regulation, is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2. Categories of personal data processed

In order to facilitate the submission of complaints, a form is available on the website of the CNPD (cnpd.public.lu).

The handling of a complaint requires the collection of personal data related to the complainant, and where necessary, to other natural persons.

Identifying data and contact details

The form contains mandatory fields to collect identifying data and contact details of the complainant.

Additional information can be added in the non-mandatory fields of the form in order to facilitate the handling of the complaint, namely your email address, telephone/fax number, contact person/legal guardian (where applicable), reference number, customer reference, user name, email address used to sign up or other identifier with the data controller, relationship with the controller (employee, customer, etc.)

Subject matter of the complaint

The form contains checkboxes to specify the nature of the alleged infringement as well as the personal data impacted (these specifications are mandatory).

A detailed and chronological description of the matter is required; the form contains a mandatory field for this description. We recommended mentioning only information that are necessary for the processing of the complaint in this field. In particular, sensitive personal data (within the meaning of Article 9 of the General Data Protection Regulation – for instance data concerning health, or related to political opinions or religious beliefs) concerning the complainant or another natural person should not be mentioned if they are not indispensable for the handling of the complaint.

Supporting documents

The complainant can provide supporting documents and specify the nature of these documents in the dedicated fields of the form. We recommended providing only the documents, which are relevant for the handling of the complaint.

Follow-up of the complaint

Additional data may be required and requested by the CNPD during the handling of the complaint (from the person lodging the complaint and/or from the controller against which the complaint has been lodged).

3. Categories of recipients of the personal data

Commissioners and staff of the CNPD.

Complaints lodged with the CNPD through the form available online are sent to plaintes@cnpd.lu, managed by the department in charge of handling complaints.

Complaints sent by post or fax are received by the secretariat of the CNPD and then forwarded to the department in charge of handling complaints.

Potential recipients

Data collected (if they constitute relevant information) may be transmitted to other supervisory authorities within the framework of the cooperation and the mutual assistance with these authorities (Articles 60 and 61 of the General Data Protection Regulation).

4. Storage duration

The personal data contained within complaints submitted through the complaints form or sent by post or fax are kept for a period of ten years from the date of closure of the complaint file.

5. Rights of the data subject

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6. Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

DATA BREACH NOTIFICATION

1. Purposes of the processing and legal basis for the processing

Data breaches which may result in a risk to the rights and freedoms of natural persons must be notified by the controller to the supervisory authority (Article 33 of the General Data Protection Regulation).

To that end, a data breach notification form is available on the website of the CNPD (cnpd.public.lu).

The processing of the data related to the notification is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2. Categories of personal data processed

The identifying data, role and contact details of the reporting person and of the contact person within the organisation.

3. Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

Data breach notifications can be sent to the address databreach@cnpd.lu, managed by the department in charge of the management of data breach notifications.

The public key PGP can be downloaded here to secure the transmission of the information by encrypting it.

4. Storage duration

The personal data contained within the data breach notification form are kept for a period of ten years from the date of closure of the case.

5. Rights of the data subject

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6. Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data ProtectionRegulation, you can lodge a complaint with the CNPD.

PRIOR CONSULTATIONS

1. Purposes of the processing and legal basis for the processing

The controller has to consult the CNPD where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation (Article 36 and Recital 94 of the General Data Protection Regulation).

In order to facilitate this consultation, a prior consultation form is available on the website of the CNPD (cnpd.public.lu).

The processing of personal data transmitted through the form is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2. Categories of personal data processed

The identifying data and contact details of the contact person within the organisation.

The identifying data, role and signature of the reporting person.

3. Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

Prior notification forms can be sent to aipd@cnpd.lu, managed by the department in charge of prior consultations. The public key PGP can be downloaded here to secure the transmission of the information by encrypting it.

Prior notification forms can also be sent by post. In this case, the form is received by the secretariat and forwarded to the department in charge of prior consultations.

4. Storage duration

The personal data contained within the prior consultation form are kept for a period of ten year from the date of receipt of the consultation form.

5. Rights of the data subject

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6. Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

PUBLIC CONSULTATION ON THE CERTIFICATION SCHEME « GDPR CARPA »

1. Purposes of the processing and legal basis for the processing

The CNPD has launched a public consultation on the certification scheme “GDPR CARPA” concerning, on the one hand, the certification requirements (Article 42 of the General Data Protection Regulation), and on the other hand, the accreditation requirements of certification bodies (Article 43 of the General Data Protection Regulation).

In order to facilitate the consultation, a form is available on the website of the CNPD (cnpd.public.lu).

This consultation aims to help the CNPD accomplish the tasks conferred on it by Article 57, paragraph 1, points n) and p) of the General Data Protection Regulation.

In this respect, the processing of personal data transmitted through the consultation form is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2. Categories of personal data processed

The identifying data and contact details of the contact person.

3. Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

The form can be sent by e-mail to alain.herrmann@cnpd.lu.

4. Storage duration

The personal data contained within the consultation form are kept for a period of one year from the date of closure of the public consultation.

5. Rights of the data subject

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6. Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

Processing operations related to the management of the newsletter

Purposes of the processing

The CNPD (15, Boulevard du Jazz, L-4370 Belvaux) delivers a newsletter to the interested public in order to contact and inform them about events organised by the CNPD, the publication of guidance documents, legal opinions and other information and news related to the CNPD’s activities.

The sending of the newsletter is currently suspended, as the CNPD stopped using the tool of the provider through which the subscription and transmission of its newsletter were carried out.

Personal data processed

The CNPD keeps a contact list, obtained from the provider mentioned above, composed of the e-mail addresses of the subscribers. This contact list is to be used for future newsletters or to contact the interested public in order to inform them about events organised by the CNPD, or of the publication of guidance documents, legal opinions and other information and news related to the CNPD’s activities.

Legal basis for the processing

The processing of personal data carried out by the CNPD in this context is based on the consent of the data subject [Article 6, paragraph 1, point a) of the General Data Protection Regulation]. The consent can be withdrawn at any time.

Categories of recipients of the personal data

Within the CNPD, the contact list can be consulted by the CNPD’s staff in charge of the newsletter/the technical maintenance of the newsletter.

Unsubscribe

The subscribers can delete their e-mail address from the contact list by directly contacting the DPO of the CNPD.

Rights of the data subject

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

Information concerning other processing operations carried out by the CNPD

Information under Article 13 of the GDPR on the processing of personal data carried out by the CNPD through the Internal Market Information System (IMI)