Data protection

1. Processing operations carried out by the CNPD through the forms on its website (cnpd.public.lu)

The National Data Protection Commission (CNPD) will process your personal data in order to fulfil the tasks assigned to it by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

As a public authority processing personal data, the CNPD has to comply with its obligations as data controller.

Please find below the contact details of the CNPD:

National Data Protection Commission

15, Boulevard du Jazz
L-4370 Belvaux

Tél. : (+352) 26 10 60 -1

Fax. : (+352) 26 10 60 29

E-mail: info@cnpd.lu

For any question regarding the processing of your personal data carried out by the CNPD, please contact the data protection officer (DPO) of the CNPD:

By email: dpo@cnpd.lu
By post:

Commission nationale pour la protection des données

A l’att. du délégué à la protection des données

15, Boulevard du Jazz
L-4370 Belvaux

By phone : (+352) 26 10 60 – 1

Information concerning processing operations carried out by the CNPD through the forms on its website (cnpd.public.lu) are detailed below and are available on the relevant pages concerning the processing operations in question.

Retention periods mentioned below correspond to the “duration of administrative usefulness” defined by the CNPD in line with the Act of 17 August 2018 on public archiving. According to the provisions of this law, documents of archival value ("valeur patrimoniale") must be kept for archiving purposes in the public interest.

A. MANAGEMENT OF DPO’S CONTACT DETAILS

The CNPD is the controller of the personal data collected through the form « Declaration of the Data Protection Officer » available on its website (cnpd.public.lu).

1. Purposes of the processing and legal basis for the processing

Pursuant to Article 37, paragraph 7 of the General Data Protection Regulation, the controller or the processor are required to publish the contact details of their Data Protection Officer (“DPO”) and to communicate them to the CNPD.

For the performance of its tasks, the CNPD processes these data relating to the DPO in order to be able to communicate with them, if needed.

In this respect, the processing is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

Information concerning the natural person filling out the declaration form on behalf of the controller or on behalf of the processor are collected in order to verify the authenticity of the declaration.

2. Categories of personal data processed

The identifying data and contact details of the DPO and of the natural person filling out the declaration form on behalf of the controller or on behalf of the processor.

3. Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

4. Storage duration

The data are kept for a period of one year from the date when the controller or the processor, which has designated the DPO, informs the CNPD that a new DPO has been designated or that the person designated no longer acts as the DPO.

5. Rights of the data subject

You have the right to access your personal data and to obtain a copy of them (Article 15 of the General Data Protection Regulation), to obtain the rectification of inaccurate or incomplete personal data (Article 16 of the General Data Protection Regulation), to object to the processing of your personal data under the conditions laid down in Article 21 of the General Data Protection Regulation, to obtain the erasure of your personal data under the conditions laid down in Article 17 of the General Data Protection Regulation, and to obtain the restriction of the processing under the conditions laid down in Article 18 of the General Data Protection Regulation.

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6. Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

B. INFORMATION REQUESTS SUBMITTED THROUGH THE CONTACT FORMS

1. Purposes of the processing and legal basis for the processing

Data subjects can contact the CNPD in order to obtain information concerning the exercise of their rights [Article 57, paragraph 1, point e) of the General Data Protection Regulation] and concerning the obligations of the data controllers.

In this respect, the processing of personal data collected through the contact form is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2. Personal data processed

Two contact forms are available on the website of the CNPD: a form for requests by individuals and a form for requests by organisations.

Mandatory fields

The processing of your request (whether submitted on a personal basis or on behalf of your organisation) requires the collection of your personal data, i.e. your title, name, first name, as well as your e-mail address.

For requests submitted on a personal basis, you must additionally specify your country of residence, and, for requests submitted on behalf of your organisation, the country in which your organisation is established.

In both contact forms, you can indicate your request in the field entitled “message”. We recommend mentioning only information that are necessary for the processing of your request in this field. In particular, sensitive personal data (within the meaning of Article 9 of the General Data Protection Regulation – for instance data concerning health, or related to political opinions or religious beliefs) concerning you or another natural person should not be mentioned, if they are not indispensable to answer your request.

Non-mandatory fields

If you consider it necessary, additional information can be added in the non-mandatory fields of the forms, namely your phone number (to allow us to contact you more quickly in case of any additional questions) and, for requests submitted on behalf of an organisation, your sector, the name of your entity, and your role.

3. Categories of recipients of the personal data

Requests submitted to the CNPD through the contact forms are sent to info@cnpd.lu, managed by the secretariat of the CNPD. The requests are transmitted to the relevant department within the CNPD in accordance with their subject matter.

Most requests will be transmitted to the department in charge of information requests. However, some requests may be transmitted to other departments within the CNPD, namely the communication and public relations department or the department in charge of handling complaints.

Potential recipients

The data collected (if they constitute relevant information) may be transmitted to other supervisory authorities within the framework of the mutual assistance with these authorities (Article 61 of the General Data Protection Regulation).

4. Storage duration

The personal data contained within information requests submitted through the contact forms are kept for a period of three years from the date of closure of the request file.

5. Rights of the data subject

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6. Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

C. HANDLING OF COMPLAINTS

1. . Purposes of the processing and legal basis for the processing

Every data subject can lodge a complaint with the CNPD if he/she considers that the processing of personal data relating to him/her infringes the General Data Protection Regulation, in particular, if the data subject resides or/and works in the Grand-Duchy of Luxembourg, or if the infringement is alleged to have been committed in the Grand-Duchy of Luxembourg.

In this context, the CNPD processes the personal data transmitted by the complainant.

The processing of such data, on the basis of Article 57, paragraph 1 point f) of the General Data Protection Regulation, is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2. Categories of personal data processed

In order to facilitate the submission of complaints, a form is available on the website of the CNPD (cnpd.public.lu).

The handling of a complaint requires the collection of personal data related to the complainant, and where necessary, to other natural persons.

Identifying data and contact details

The form contains mandatory fields to collect identifying data and contact details of the complainant.

Additional information can be added in the non-mandatory fields of the form in order to facilitate the handling of the complaint, namely your email address, telephone/fax number, contact person/legal guardian (where applicable), reference number, customer reference, user name, email address used to sign up or other identifier with the data controller, relationship with the controller (employee, customer, etc.)

Subject matter of the complaint

The form contains checkboxes to specify the nature of the alleged infringement as well as the personal data impacted (these specifications are mandatory).

A detailed and chronological description of the matter is required; the form contains a mandatory field for this description. We recommended mentioning only information that are necessary for the processing of the complaint in this field. In particular, sensitive personal data (within the meaning of Article 9 of the General Data Protection Regulation – for instance data concerning health, or related to political opinions or religious beliefs) concerning the complainant or another natural person should not be mentioned if they are not indispensable for the handling of the complaint.

Supporting documents

The complainant can provide supporting documents and specify the nature of these documents in the dedicated fields of the form. We recommended providing only the documents, which are relevant for the handling of the complaint.

Follow-up of the complaint

Additional data may be required and requested by the CNPD during the handling of the complaint (from the person lodging the complaint and/or from the controller against which the complaint has been lodged).

3. Categories of recipients of the personal data

Commissioners and staff of the CNPD.

Complaints lodged with the CNPD through the form available online are sent to plaintes@cnpd.lu, managed by the department in charge of handling complaints.

Complaints sent by post or fax are received by the secretariat of the CNPD and then forwarded to the department in charge of handling complaints.

Potential recipients

Data collected (if they constitute relevant information) may be transmitted to other supervisory authorities within the framework of the cooperation and the mutual assistance with these authorities (Articles 60 and 61 of the General Data Protection Regulation).

4. Storage duration

The personal data contained within complaints submitted through the complaints form or sent by post or fax are kept for a period of ten years from the date of closure of the complaint file.

5. Rights of the data subject

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6. Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

D. DATA BREACH NOTIFICATION

1. Purposes of the processing and legal basis for the processing

Data breaches which may result in a risk to the rights and freedoms of natural persons must be notified by the controller to the supervisory authority (Article 33 of the General Data Protection Regulation).

To that end, a data breach notification form is available on the website of the CNPD (cnpd.public.lu).

The processing of the data related to the notification is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2. Categories of personal data processed

The identifying data, role and contact details of the reporting person and of the contact person within the organisation.

3. Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

Data breach notifications can be sent to the address databreach@cnpd.lu, managed by the department in charge of the management of data breach notifications.

The public key PGP can be downloaded here to secure the transmission of the information by encrypting it.

4. Storage duration

The personal data contained within the data breach notification form are kept for a period of ten years from the date of closure of the case.

5. Rights of the data subject

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6. Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data ProtectionRegulation, you can lodge a complaint with the CNPD.

E. PRIOR CONSULTATIONS

1. Purposes of the processing and legal basis for the processing

The controller has to consult the CNPD where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation (Article 36 and Recital 94 of the General Data Protection Regulation).

In order to facilitate this consultation, a prior consultation form is available on the website of the CNPD (cnpd.public.lu).

The processing of personal data transmitted through the form is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2. Categories of personal data processed

The identifying data and contact details of the contact person within the organisation.

The identifying data, role and signature of the reporting person.

3. Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

Prior notification forms can be sent to aipd@cnpd.lu, managed by the department in charge of prior consultations. The public key PGP can be downloaded here to secure the transmission of the information by encrypting it.

Prior notification forms can also be sent by post. In this case, the form is received by the secretariat and forwarded to the department in charge of prior consultations.

4. Storage duration

The personal data contained within the prior consultation form are kept for a period of ten year from the date of receipt of the consultation form.

5. Rights of the data subject

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6. Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

F. PUBLIC CONSULTATION ON THE CERTIFICATION SCHEME « GDPR CARPA »

1. Purposes of the processing and legal basis for the processing

The CNPD has launched a public consultation on the certification scheme “GDPR CARPA” concerning, on the one hand, the certification requirements (Article 42 of the General Data Protection Regulation), and on the other hand, the accreditation requirements of certification bodies (Article 43 of the General Data Protection Regulation).

In order to facilitate the consultation, a form is available on the website of the CNPD (cnpd.public.lu).

This consultation aims to help the CNPD accomplish the tasks conferred on it by Article 57, paragraph 1, points n) and p) of the General Data Protection Regulation.

In this respect, the processing of personal data transmitted through the consultation form is necessary for the performance of a task carried out in the public interest vested in the CNPD [Article 6, paragraph 1, point e) of the General Data Protection Regulation].

2. Categories of personal data processed

The identifying data and contact details of the contact person.

3. Categories of recipients of the personal data

Commissioners and staff of the CNPD. Data collected are not transferred to third parties.

The form can be sent by e-mail to alain.herrmann@cnpd.lu.

4. Storage duration

The personal data contained within the consultation form are kept for a period of one year from the date of closure of the public consultation.

5. Rights of the data subject

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

6. Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

2. Other data processing operations carried out by the CNPD

A. DAPRO LAB (CNPD’S OPEN DATA PROTECTION LABORATORY)

1. Purposes and legal basis of processing

In order to promote understanding of the risks, rules, safeguards and rights relating to the processing of personal data, the CNPD offers sessions for data protection professionals to exchange knowledge and experience. These sessions are called "DaPro Lab".

A DaPro Lab session is open to interested parties who meet the conditions of access set out in the [DaPro Lab Charter] and specified for each session.

The processing of your personal data by the CNPD in this context is based on your consent [Article 6(1)(a) of the General Data Protection Regulation].

You may withdraw your consent to the processing of your personal data by sending an e-mail to communication@cnpd.lu.

Data relating to persons interested in participating are collected by the CNPD to enable it to organise the DaPro Lab and to carry out the awareness-raising tasks entrusted to it under Article 57(1)(b) and (d) of the General Data Protection Regulation.

2. Categories of data processed

The following data relating to each person interested in taking part is collected and may be consulted by those responsible for organising the DaPro Lab within the CNPD:

Full name ;

Professional details ;

Data relating to professional activity (sector of activity, employer, duties carried out).

3. Categories of recipients of processed data

Those responsible for organising and running the DaPro Lab within the CNPD.

4. Retention period

Personal data relating to persons who have applied to take part and who meet the conditions for access are kept for a period of 6 months from the date of the DaPro Lab.

Personal data relating to persons who have applied to take part but who do not meet the conditions for access will not be retained.

5. Rights of data subjects

You may access data concerning you and obtain a copy (Article 15 of the General Data Protection Regulation), obtain rectification of inaccurate or incomplete data (Article 16 of the General Data Protection Regulation), obtain erasure of such data under the conditions set out in Article 17 of the General Data Protection Regulation and limit processing under the conditions set out in Article 18 of the same Regulation.

If you have any questions regarding the processing of your personal data by the CNPD, or if you wish to exercise your rights, you may contact the CNPD's DPO.

6. Complaints

If you consider that the processing of your data by the CNPD constitutes a breach of the General Data Protection Regulation, you may lodge a complaint with the CNPD.

B. Processing operations related to the management of the newsletter

Purposes of the processing

The CNPD (15, Boulevard du Jazz, L-4370 Belvaux) delivers a newsletter to the interested public in order to contact and inform them about events organised by the CNPD, the publication of guidance documents, legal opinions and other information and news related to the CNPD’s activities.

The sending of the newsletter is currently suspended, as the CNPD stopped using the tool of the provider through which the subscription and transmission of its newsletter were carried out.

Personal data processed

The CNPD keeps a contact list, obtained from the provider mentioned above, composed of the e-mail addresses of the subscribers. This contact list is to be used for future newsletters or to contact the interested public in order to inform them about events organised by the CNPD, or of the publication of guidance documents, legal opinions and other information and news related to the CNPD’s activities.

Legal basis for the processing

The processing of personal data carried out by the CNPD in this context is based on the consent of the data subject [Article 6, paragraph 1, point a) of the General Data Protection Regulation]. The consent can be withdrawn at any time.

Categories of recipients of the personal data

Within the CNPD, the contact list can be consulted by the CNPD’s staff in charge of the newsletter/the technical maintenance of the newsletter.

Unsubscribe

The subscribers can delete their e-mail address from the contact list by directly contacting the DPO of the CNPD.

Rights of the data subject

For any questions regarding the processing of your personal data carried out by the CNPD, and for any queries regarding the exercise of your rights, please contact the DPO of the CNPD.

Complaint

If you consider that the processing of your personal data by the CNPD infringes the General Data Protection Regulation, you can lodge a complaint with the CNPD.

C. PROCESSING OF PERSONAL DATA BY THE CNPD THROUGH IMI

Information under Article 13 of the GDPR on the processing of personal data carried out by the CNPD through the Internal Market Information System (IMI)

D. INFORMATION PURSUANT TO ARTICLE 13 OF THE GPDR CONCERNING THE PROCESSING OF PERSONAL DATA BY THE CNPD IN CONNECTION WITH THE MANAGEMENT OF APPLICATIONS

1. Data controller

The National Commission for Data Protection (CNPD) is responsible for processing the personal data communicated to it by applicants for a post to be filled within the CNPD.

The CNPD's contact details are as follows:

National Commission for Data Protection

15, Boulevard du Jazz

L-4370 Belvaux

Tel: (+352) 26 10 60 -1

2. Purposes and legal basis of processing

In accordance with Article 28 of the Act of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, "the CNPD's staff cadre comprises civil servants in the various processing categories as provided for by the amended Act of 25 March 2015 laying down the salary regime and the conditions and procedures for the promotion of State civil servants. The staff framework may be supplemented, as required and within the limits of budgetary appropriations, by trainees, employees and salaried staff of the State."

The CNPD processes the personal data contained in the applications sent to it in order to enable it to select candidates for a vacant post with a view to possible recruitment.

3. Categories of data processed

In addition to the identification data (surname and first name) and contact details provided by the applicant, the data processed by the CNPD for the purpose of managing applications are those contained in the documents provided with the application, namely:

Cover letter ;

Curriculum vitae ;

Copy of diploma(s) and/or certificate(s) required for the course applied for;

In the case of civil servants: the letter of successful completion of the general aptitude test (with attachments).

4. Categories of recipients of processed data

Personal data contained in applications sent to rh@cnpd.lu are processed by the Human Resources Unit within the Administration Department of the CNPD.

Applications sent to the CNPD by post are received in the Administration Department by the CNPD secretariat and forwarded to the Human Resources Unit.

As regards applications for a civil servant post to be submitted via the MyGuichet.lu platform, for which the CTIE is responsible (and which acts as a subcontractor in this context), the personal data provided by the applicant is communicated to the Centre de gestion du personnel et de l'organisation de l'État (CGPO) and may also be accessible to persons designated by the CTIE in the context of a request for support or assistance from the person concerned.

Applications of interest for the post to be filled are forwarded to the Commissioners by the CNPD's human resources unit.

Depending on the post to be filled, candidates' curriculum vitae and covering letter may also be sent to a head of department consulted as part of the selection procedure.

5. Retention period

Unsuccessful applications are destroyed by the CNPD after each recruitment process; the personal data they contain are deleted when they are destroyed.

As regards successful applications leading to recruitment, the staff member's personal file is compiled in accordance with Article 34 of the amended Act of 16 April 1979 laying down the general status of civil servants and the Grand Ducal Regulation of 13 April 1984 determining the documents contained in the personal file of civil servants.

6. Rights of data subjects

You may access the data concerning you and obtain a copy (article 15 of the General Data Protection Regulation), obtain the rectification of inaccurate or incomplete data (article 16 of the General Data Protection Regulation), object to the processing of your data (article 21 of the General Data Protection Regulation), obtain the erasure of your data under the conditions set out in article 17 of the General Data Protection Regulation and the restriction of processing under the conditions set out in article 18 of the same Regulation.

For any request relating to the exercise of your rights, you may contact the CNPD's DPO, whose contact details are given below (point 7).

7. Contact details for the Data Protection Officer

If you have any questions about the processing of your personal data by the CNPD in connection with the management of your application, you may contact the CNPD's Data Protection Officer (DPO) by e-mail (dpo@cnpd.lu) or by post:

National Commission for Data Protection

Attn: Data Protection Officer

15, Boulevard du Jazz

L-4370 Belvaux

Tel: (+352) 26 10 60 -1

8. Complaints

If you consider that the processing of your data by the CNPD constitutes a breach of the General Data Protection Regulation, you may lodge a complaint with the CNPD.

C. Information pursuant to Article 13 of the GDPR concerning the processing of personal data carried out by the CNPD in connection with the call for participation in the Pilot phase of the ALTO project

1. Data Controller

The National Commission for Data Protection (CNPD) is responsible for processing the personal data sent to it by entities (SMEs, chambers and professional associations) wishing to take part in the pilot phase of the ALTO project.

Contact details for the CNPD are as follows:

Commission nationale pour la protection des données

15, Boulevard du Jazz

L-4370 Belvaux

Tél. : (+352) 26 10 60 -1

2. Purposes and legal basis of processing

The ALTO project helps to raise awareness among data controllers and processors of their obligations under the GDPR. This project is part of a mission of public interest, which falls to the CNPD on the basis of Article 57(1)(d) of the GDPR.

The personal data collected from the participating entities is necessary to enable the CNPD and its partner, the LHC-NC3 (Luxembourg House of Cybersecurity, National Cybersecurity Competence Centre), to carry out the pilot phase of the ALTO project. This phase requires exchanges with these entities in order to develop a self-assessment and compliance assistance tool tailored to the needs of SMEs.

The processing of personal data carried out by the CNPD in this context is based on Article 6(1)(e) of the GDPR (processing necessary for the performance of a task carried out in the public interest).

3. Categories of processed data

The personal data processed by the CNPD as part of the pilot phase of the ALTO project are as follows:

Surname, first name, job title and professional contact details of the contact persons for the participating entities;
Observations and comments communicated to the CNPD and LHC-N3 on behalf of the entity they represent.

4. Categories of processed data recipients

The personal data processed as part of the pilot phase of the ALTO project is accessible to :

CNPD Commissioners and agents.
designated agents within the LHC-NC3.

5. Retention period

The personal data will be kept until the end of the pilot phase of the ALTO project, the duration of which is estimated at one year from its launch (in March 2023).

6. Rights of data subjects

You may access the data concerning you and obtain a copy (Article 15 of the General Data Protection Regulation), obtain the rectification of inaccurate or incomplete data (Article 16 of the General Data Protection Regulation), object to the processing of your data (Article 21 of the General Data Protection Regulation), obtain the erasure of such data under the conditions provided for in Article 17 of the GDPR and the restriction of processing under the conditions provided for in Article 18 of the same Regulation.

If you have any questions about the processing of your personal data by the CNPD, or if you wish to exercise your rights, you may contact the CNPD's DPO, whose contact details are given below (point 7).

7. Contact details for the data protection officer

If you have any questions about the processing of your personal data by the CNPD as part of the Pilot phase of the ALTO Project, you can contact the CNPD's Data Protection Officer (DPO) by e-mail (dpo@cnpd.lu) or by post:

Commission nationale pour la protection des données

A l’att. du délégué à la protection des données

15, Boulevard du Jazz

L-4370 Belvaux

Tél. : (+352) 26 10 60 -1

8. Complaint

If you consider that the processing of your data by the CNPD constitutes a breach of the General Data Protection Regulation, you may lodge a complaint with the CNPD.