If you submit a report on the basis of the law of 16 May 2023 on the protection of persons who report breaches of law, CSL may, in its capacity as data controller, be required to process your personal data.

Any processing of personal data carried out under the law of 16 May 2023 transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, including the exchange or transmission of personal data to competent authorities, is carried out in accordance with Regulation (EU) 2016/679 and the law of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal matters as well as in matters of national security, hereinafter “General Data Protection Regulation” or “GDPR”.

Personal data that is clearly not relevant to the processing of a specific report will not be collected or, if collected accidentally, deleted without undue delay.

Purposes and legal basis of processing

CSL will process your data following your report of a breach, based on its legal obligations under the aforementioned law of 2023.

The processing of your data is necessary for the performance of a legal obligation incumbent on CSL (Article 6, paragraph 1, point (c) of the GDPR).

Processed data

The processed data will be all data that you have entrusted to us during your report and may concern:

  • your first and last name;
  • your email address;
  • your telephone number;
  • the reference number of your report;
  • a description of the perceived breach and the people involved; only relevant and necessary information should be given;
  • the record of your report with your signature.

Categories of recipients

Recipients

Only CSL staff members appointed as members of the “Alert” unit, as well as members of the IT department, members of the CSL management and/or the CSL President are authorised to access the data.

Possible external recipients

If a report requires the CSL to transmit the report to another authority, and if anonymisation is not possible without compromising the investigative and monitoring activities of that authority, only the personal data necessary for the investigation will be transmitted.

Retention period

Personal data which is clearly not relevant to the processing of a specific report shall not be collected or, if collected accidentally, shall be deleted without undue delay.

Personal data obtained as a result of a report deemed to be unfounded once the alert has been processed shall be deleted without delay.

Personal data obtained through a report is kept for two months following the closure of the internal investigation and beyond this date if the data must be kept in the context of legal proceedings or an official investigation. In this case, the data is kept until the end of these procedures.

Rights of data subjects

Right of access

Upon written request, CSL will provide you with a statement of your personal data processed as part of your report.

Your request should be made via the email address dataprotection@csl.lu, attaching a copy of your identity document which will be destroyed by CSL as soon as your request has been processed.

Right to rectification

You have the right to request that your inaccurate data be corrected.

Your request should be made via the email address dataprotection@csl.lu, attaching a copy of your identity document which will be destroyed by CSL as soon as your request has been processed.

Right to erasure

You have the right to request the erasure of your data if:

  • you consider that they are no longer necessary for the purpose(s) for which they were collected/processed;
  • the data processing is based solely on your consent and you withdraw your consent;
  • you exercise your right to object for a reason relevant to your particular situation and CSL does not have a compelling legitimate reason to do so;
  • you believe that your personal data is being processed illegally by CSL;
  • your data must be deleted in order to comply with a legal obligation to which CSL is subject.

Your request should be addressed to CSL via the email address dataprotection@csl.lu, attaching a copy of your identity document, which will be destroyed by CSL as soon as your request has been processed.

CSL may object to your request if:

  • the processing of your personal data is required by law;
  • your data is processed for scientific or historical research purposes or for statistical purposes, provided that erasure of the data may make impossible or seriously compromise the achievement of the purposes of the said processing;
  • CSL needs the data for the exercise or defence of its legal rights in court.

Right to limit processing

You have the right to request limitation of processing when:

  • you dispute the accuracy of your data, for the time required to verify your data;
  • in the event of unlawful processing, you yourself object to the erasure of your data, but request the limitation of their use;
  • CSL no longer needs your data but you require it for the establishment, exercise or defence of your legal rights;
  • you have objected to the processing on grounds relating to your particular situation, for the time necessary to verify whether the legitimate reasons pursued by CSL prevail over yours.

Your request must be addressed to CSL via the email address dataprotection@csl.lu, attaching a copy of your identity document, which will be destroyed by CSL as soon as your request has been processed.

Right to object to processing

You have the right to object to the processing of your data:

  • on grounds relating to your particular situation, unless CSL can demonstrate that it has compelling legitimate grounds for processing your data that prevail over your interests or if CSL needs it to establish, exercise or defend its legal rights;
  • when the processing is carried out for prospecting purposes by CSL.

Your request should be addressed to CSL via the email address dataprotection@csl.lu, attaching a copy of your identity document which will be destroyed by CSL as soon as your request has been processed.

When the processing of your data is based on your consent, you have the right to withdraw it at any time. CSL will then cease to use your data, which will be destroyed.

Your request should be addressed to CSL via the email address dataprotection@csl.lu, attaching a copy of your identity document which will be destroyed by CSL as soon as your request has been processed.

Right to complain

You have the right to lodge a complaint with the National Data Protection Commission (CNPD). See cnpd.public.lu.

If you have any questions about the processing of your personal data by CSL, you can contact CSL’s Data Protection Officer (DPO) by e-mail at the following address: dataprotection@csl.lu.