Privacy policy | LuxTrust S.A.

1. Introduction

LuxTrust is committed to ensuring that your privacy is respected when you visit our Web Site and is fully aware of the importance of this subject to you. That is why we make every effort to respect your privacy and your personal data (hereinafter, "Personal Data") when you use the LuxTrust web site (the "Web Site").

This Privacy Policy (hereinafter, "Policy") describes how we collect, use and protect information related to the Website and the services, products offered by LuxTrust (collectively "Services") and the LuxTrust Mobile application. This Policy applies to all visitors and users who access our Website and the LuxTrust Mobile application ("LuxTrust Mobile").

This Web Site is operated by LuxTrust S.A. located in Capellen, IVY Building, 13-15 Business park, L-8308, Grand Duchy of Luxembourg, registered in the Luxembourg Companies Register (Registre des sociétés du Luxembourg, RCS) under No. B112233.
LuxTrust S.A.acts as data controller (i.e. the entity that determines why and how Personal Data is processed) for the purposes of the applicable legislation and regulations on the protection of Personal Data, in particular Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter referred to as the “GDPR”). For the purposes of this Website Policy, LuxTrust S.A. is referred to as "LuxTrust", "we" and "us".

2. Which are the Personal Data collected by LuxTrust

The Personal Data processed is information about each person or potential user of our Services who browses this Web Site or uses LuxTrust Mobile.

In the context of browsing and interacting through our Web Site to order our Services, the Personal Data collected is information related to electronic certificates issued by LuxTrust:
a) identification data such as name, surname, date and place of birth, user’s number, professional title or position;
b) contact details such as email address, home address or civil residence, telephone number;
c) other relevant personal details, such as nationality and citizenship;
d) government identification numbers such as copies of identity cards, including photos and information contained in these documents, for the purposes of face-to-face and remote identification;
e) images/photos of the user, video and sound recording of remote identification video sessions;
f) types of Services received/supplied or products purchased/sold;
g) financial and banking information (in particular for payment and invoicing purposes);
h) recordings of incoming telephone conversations when the User or the Proxy User contacts LuxTrust’s customer service department (“CSD”).

As part of LuxTrust Mobile, the Personal Data collected are:
a) identifiers (user ID) for user authentication, such as screen name, identifier, account identifier, user identifier, customer number or other identifier at the user or account level that may be used to identify a user or a particular account;
b) geolocation data, which are optional, for improving the user’s experience and security;

3. Why LuxTrust collects Personal Data

We will process your Personal Data on the basis of one or more of the following elements:

processing is necessary to perform or enter into a contract with you (e.g., to deliver the Services to you or to enable you to use LuxTrust Mobile);
processing is necessary to comply with legal or regulatory obligations with which LuxTrust must comply, the terms of its accreditation, and requests or requirements of regulatory and enforcement authorities and to cooperate with such authorities;
processing is necessary to meet the purposes of the legitimate interests pursued by LuxTrust or a third party, including:
- responding to and managing requests you have made to us;
- to provide the products, Services or information requested;
- to send e-mails with marketing content;
- to improve the quality, security and experience when using our Services, Web Site, LuxTrust Mobile and to manage our customer relationships;
- to combat fraud related to the use of the Services;
- to implement any changes in the structure of LuxTrust;
- for billing and customer management purposes

4. Who are the recipients of Personal Data

You are informed that in strict compliance with the provisions of the GDPR, all or part of your Personal Data may be transmitted to the following recipients:
a) to some LuxTrust employees, subcontractors and suppliers of services that provide technical support to LuxTrust within the framework of the Services, the Web Site and LuxTrust Mobile (e.g. for Remote Identification); LuxTrust’s employees, sub-contractors or suppliers who may have access to the Personal Data shall be obliged to keep it confidential and secure and shall have access only to the Personal Data they require in order to perform their task or obligations, unless otherwise provided by laws or regulations;
b) to local authorities;
c) to companies that request it with the prior consent of the user;
d) to the public on the Internet and to the extent permitted by law, in connection with publications required for our Services, especially in connection with electronic certificates issued by us;
e) in the event of a change of control, if LuxTrust or its shareholders sell or assign all or part of LuxTrust or its assets to another company (e.g. in case of merger, acquisition or liquidation);
f) to public bodies, administrative or judicial authorities and supervisory bodies;

5. Are Personal Data being transferred?

You are informed that your Personal Data are hosted in the Grand Duchy of Luxembourg or in France. The majority of LuxTrust’s internal and external recipients, such as detailed in article 4 of this Policy, are located in the European Economic Area (“EEA”). However, in some rare cases, certain recipients (e.g. Registration Authorities) may be located in a country outside the European Economic Area (“EEA”). If there is a transfer to a country which does not ensure a level of protection equivalent to that in force in the EEA, LuxTrust shall ensure that appropriate safeguards have been implemented, such as standard contractual clauses and other legal safeguards in accordance with the GDPR.

You may contact LuxTrust to obtain a copy of such safeguards at the following e-mail address: dpo@luxtrust.lu.

6. What are your rights

In accordance with the GDPR, you have the right to obtain access to your Personal Data, have your Personal Data rectified or deleted, object to or restrict its processing in certain circumstances (for example, when the accuracy of the Personal Data is contested or there is an objection to its processing), as well as the right to receive the Personal Data in an interoperable format, or have it directly transmitted to another organisation, unless LuxTrust can invoke a compelling legitimate reason to keep the Personal Data. You also have the right to withdraw your consent insofar as the lawfulness of the processing is based on consent.

You must notify us of any changes to your Personal Data promptly.

You may exercise these rights by sending an email to LuxTrust at: dpo@luxtrust.lu.
If LuxTrust considers that the request is unclear, it may further discuss it with you to understand better the reason of the request. To prevent fraud, LuxTrust also reserves the right to carry out the necessary checks to verify your identity (e.g. by asking you to authenticate yourselves using a LuxTrust Device).

You have the right to file a complaint with your local data protection authority if you are concerned about the processing of your Personal Data.

The contact details of the data protection authority in Luxembourg, which is the National Data Protection Commission (or the Commission nationale pour la protection des données, “CNPD”) are the following:

Telephone number: (+352) 26 10 60 -1
Website: https://cnpd.public.lu/en.html
Online form: https://cnpd.public.lu/fr/particuliers/faire-valoir/formulaire-plainte.html (French) or https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html (English)
Address: 15, Boulevard du Jazz, L-4370 Belvaux.

7. For how long is your Personal Data stored

You are informed that, in strict compliance with the provisions of the GDPR, we retain and process the relevant Personal Data for a minimum period of 10 years after the date of initialization of the subscribed Services, in order to ensure retrospectively the possibility to verify the use of the subscribed Services.

Recordings of incoming telephone conversations from the User to the CSD are retained by a subcontractor of LuxTrust for a period of 6 months. LuxTrust has no access to these recordings, except if LuxTrust specifically requests it (e.g. exercise of access right by a User or Proxy User, for evidential purposes, fraud prevention etc.). In such cases, LuxTrust will obtain a copy of these recordings and may retain them for evidential purposes for a duration of 2 years. The retention period may also be extended in the event of legal proceedings. In this case, the data is kept until the end of the legal proceedings and then deleted according to the applicable legal prescription periods.

LuxTrust will comply with the applicable legislation and any directives issued by the authorities in this respect. Personal Data that is used to send you information regarding LuxTrust offers, news and events will be retained for a period of 3 years after the collection of the Personal Data or after the last contact received from the prospect. After this period, the Personal Data will be deleted or made anonymous.

8. Security measures

LuxTrust implements all appropriate technical and organisational measures to ensure a level of security of the Personal Data collected during the use of the Web Site and LuxTrust Mobile, appropriate to the processing carried out by LuxTrust and the associated risks against losses, misuse, unauthorised access, disclosure, unauthorised modifications or illegal destruction. It should be noted that internet connections are never completely secure or free of errors. You must therefore be cautious when selecting the information you send to LuxTrust by email. On the other hand, it is your responsibility to protect passwords, identifiers or other means that you use to access the Web Site and LuxTrust Mobile.

9. Cookies and login data

Cookies are used by the Website to make your use of the Website as easy as possible. More detailed information about the cookies we use is available in our Cookie Policy.

10. Use of Google Analytics

Purpose/ Information

This website uses Google Analytics, a web traffic analysis service provided by Google Inc. (Google). Web traffic analysis is the collection, collation and analysis of data about the behaviour of visitors to websites. A web traffic analysis service collects, among other things, data about the website from which the visitor arrives (referring site), the subpages visited, or how and for how long the subpage was visited. Google Analytics uses cookies, which are text files stored on your computer or smartphone, to help analyze how you use the Website. The information generated by the cookie about your use of the website is generally transmitted to and stored by Google on a server in the United States.

The use of the Google Analytics service does not allow us to identify you. This website uses a hash mechanism that anonymizes your IP address, which will be reduced in advance by Google in the Member States of the European Union or in other states that are party to the Convention on the European Economic Area before transmission. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA for deletion. Google will use this information on behalf of the website operator to evaluate your use of the website, to compile reports on website activity and to provide other services relating to the use of this website.

The IP address transmitted to your browser within the scope of Google Analytics will not be associated with any other data held by Google and other third parties. For more information, please click here: https://support.google.com/analytics/answer/6366371?hl=en

Cookies related to Google Analytics (see our Cookie Policy) are used to collect data anonymously about how our customers use our Website, such as the pages they visit, the interactions they have on those pages, and information about the type of device they use. The data collected through the placement of these cookies is strictly limited to the unique identifiers associated with each user. For more information, please visit the following link: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookies-user-id

We only combine this data with other personal data collected through other platforms in order to improve the performance of our services and to refine the products we offer. We may also use this information and combine it with profile data to help us understand which of our products, services and offers might be of interest to you. With this information, we can tailor our advertisements and certain aspects of our Website to each visitor based on your usage. When setting up Google Analytics, we have ensured that Google receives this data as a commissioned service provider and is therefore not permitted to use this data for its own purposes.

Recipient:

The use of Google Analytics is carried out in accordance with the requirements agreed between the Luxembourg data protection authority and Google.
Information about the third party provider: Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

For exceptional cases where personal data is transferred to the United States, Google has concluded standard contractual clauses in accordance with Article 46 of the GDPR. For more information on the transfer of personal data to a country outside the European Economic Area, please click here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en.

Opt-Out/Deletion:

You can disable and/or prevent the storage of cookies related to Google Analytics through an adjustment of the web browser used and thus block cookies permanently if you wish, but this will limit the functions you can perform. For more information, please see our Cookie Policy.

You can also prevent Google from collecting the data generated by the cookie about your use of the website (including your IP address) and from processing this data by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en. This browser extension informs Google Analytics via JavaScript that all data and information relating to the visit of the website cannot be transmitted to Google Analytics. The installation of this browser extension is considered as an objection to the data collection by Google.

Cookies lifetime: For more information on the lifetime of cookies, please see our Cookie Policy.

Retention period: 14 months

More information and Google's privacy policy can be found at https://policies.google.com/privacy and https://marketingplatform.google.com/about/analytics/terms/us/

Google Analytics is explained in detail at https://www.google.com/analytics/.

Use of Google Analytics for Firebase

We collect pseudonymised statistics data concerning the usage of the LuxTrust Mobile using Google Analytics for Firebase, a service provided by Google. General, non-personally identifiable statistics are collected based on identifiers for mobile devices (including Android Advertising ID), about how and by which user groups LuxTrust Mobile is used. Google Analytics for Firebase is used based on LuxTrust’s legitimate interest, as provided under Article 6(f) of the GDPR, in demand-oriented design, statistical evaluation and efficient marketing purposes of our LuxTrust Mobile. Please be informed that the deactivation of the collection of the non-personally identifiable statistics is not possible from the LuxTrust Mobile. If you need further information about Google Analytics for Firebase, please visit the following link: https://firebase.google.com/policies/analytics/.

11. External Links

For your convenience, this Web Site may provide links to sites that are not maintained by LuxTrust. These external links are provided for information purposes only. We do not systematically control the content of these sites. When you visit these web sites, we recommend that you carefully read the corresponding privacy policy. We cannot be held responsible for the privacy policies or the content of these websites, nor for the practices of their administrators, either in terms of their legality or the accuracy of the information contained therein, nor for any material damage that may result from their use.

12. Declaration of consent

By using this Web Site and LuxTrust Mobile, you declare that you have read and accept the terms of this Privacy Policy. By submitting information through this Site, you consent to the collection, use and disclosure of your Data in accordance with this Privacy Policy.

13. Changes to the Personal Data Protection Policy

We may occasionally update this Policy. We will notify you of any changes by updating the "Last Updated" date at the end of the Policy. Any changes or modifications will be effective immediately after the Policy is published on the Website, and you waive the right to receive specific notice of each change or modification.

You agree to be bound by such amendments and we recommend that you review this Policy regularly to stay informed of any updates.

14. How to Contact Us

If you have any further questions about this Privacy Policy, please contact our Privacy Officer at dpo@luxtrust.lu.

Last updated: June 2021

SUBSCRIBED SERVICES, DEVICES [SMARTCARDS, SIGNING STICKS, TOKENS, LuxTrust MOBILE] AND CERTIFICATES – V3

Introduction

LuxTrust is committed to ensuring your privacy and is fully aware of the importance of this subject.

This privacy policy (hereinafter “the Policy”) must be read alongside LuxTrust's general terms and conditions (hereinafter the “General Terms and Conditions”). All the words used in capital letters below shall have the same definition as attributed to them in the General Terms and Conditions.

This Policy describes how LuxTrust collects, uses and protects Personal Data related to the Certificates and the Subscribed Services to by the User, and, where applicable, the Proxy User, and which include a face-to-face or remote identification, the recording of electronic data, authentication, electronic signatures, electronic stamps and validation, as defined and explained the General Terms and Conditions.

LuxTrust S.A., located in Capellen, IVY Building, 13-15 Business park, L-8308, Grand Duchy of Luxembourg, registered in the Luxembourg Companies Register (Registre des sociétés du Luxembourg, RCS) under No. B112233, acts as data controller (i.e. the entity that determines why and how Personal Data is processed) for the purposes of the applicable legislation and regulations on the protection of Personal Data, in particular Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter referred to as the “GDPR”).

1. Which are the Personal Data collected by LuxTrust

The Personal Data collected and processed include information about the User and, where applicable, the Proxy User, which were provided to LuxTrust or the Registration Authority at the time of conclusion of the Agreement and generated by the use of the Subscribed Services and the execution of the Agreement.

These Personal Data include:

Information related to electronic Certificates:

a) identification data such as name, surname, , date and place of birth, User’s number and where applicable Proxy User’s number, professional title or position;
b) contact details such as email address, home address or civil residence, telephone number;
c) other relevant personal details, such as nationality and citizenship;
d) government identification numbers such as copies of identity cards, including photos and information contained in these documents, for the purposes of face-to-face and remote identification;
e) images/photos of the User or the Proxy User, video and sound recording of Remote Identification video sessions;
f) types of Services received/supplied or products purchased/sold;
g) financial and banking information (in particular for payment and invoicing purposes);
h) recordings of incoming telephone conversations when the User or the Proxy User contacts LuxTrust’s customer service department (“CSD”).

As part of LuxTrust Mobile, the Personal Data collected are:
a) identifiers (User ID) for User authentication, or if applicable for the Proxy User’s authentification, such as screen name, identifier, account identifier, user identifier, customer number or other identifier at the user or account level that may be used to identify a user or a particular account;
b) geolocation data, which are optional, for improving the User’s experience and security;

The communication of Personal Data necessary for the performance of the Agreement is mandatory for the User and any Proxy User.

2. Why LuxTrust collects Personal Data

Personal Data are processed by LuxTrust on the basis of one or more of the following elements:
a) the processing is necessary for the performance of the Agreement including the provision of the Subscribed Service, the issuance and use of the Certificate, as well as the establishment, update and publication of the Revocation Lists,
b) the processing is necessary for compliance with LuxTrust’s the legal obligations, the conditions of LuxTrust’s certification, as well as the requests or requirements of the regulatory and enforcement authorities and to cooperate with them;
c) the processing is necessary for the performance of the legitimate interests pursued by LuxTrust or by a third party, in particular:
(i)   for the purposes of invoicing,
(ii)   to improve quality, safety and User’s experience of the Services and to manage customer relations,
(iii)   in the fight against fraud related to the use of the Services,
(iv)   to implement changes in LuxTrust’s corporate structure or ownership,
(v) send emails with marketing content,
(vi)   to have a safety and security video surveillance during visits by the User or the Proxy User to the offices of LuxTrust
(vii)   to provide proof of a commercial transaction or any other commercial communication, in particular by implementing and managing Remote Identification video sessions using sound recordings.

Where, in accordance with the applicable law, the publication of a Certificate and/or its revocation in a publicly accessible directory subject to the consent of the User or, where applicable, the Proxy User, the publication may only take place after this consent has been given.

Use of Google Analytics for Firebase

LuxTrust collects pseudonymised statistics data concerning the usage of the LuxTrust Mobile using Google Analytics for Firebase, a service provided by Google. General, non-personally identifiable statistics are collected based on identifiers for mobile devices (including Android Advertising ID), about how and by which user groups LuxTrust Mobile is used. Google Analytics for Firebase is used based on LuxTrust’s legitimate interest, as provided under Article 6(f) of the GDPR, in demand-oriented design, statistical evaluation and efficient marketing purposes of our LuxTrust Mobile. The User and the Proxy User should be informed that the deactivation of the collection of the non-personally identifiable statistics is not possible from the LuxTrust Mobile. In case that the User and the Proxy User need further information about Google Analytics for Firebase, they can visit the following link: https://firebase.google.com/policies/analytics/.

3. What are the rights of users

In accordance with the GDPR, the User and the Proxy User have the right to obtain access to their Personal Data, have their Personal Data rectified or deleted, object to or restrict its processing in certain circumstances (for example, when the accuracy of the Personal Data is contested or there is an objection to its processing), as well as the right to receive the personal data in an interoperable format, or have it directly transmitted to another organisation, unless LuxTrust can invoke a compelling legitimate reason to keep the Personal Data. The User and Proxy User also have the right to withdraw their consent insofar as the lawfulness of the processing is based on consent.
Any modification of the Personal Data must be promptly notified by the User or Proxy User to LuxTrust or to the Registration Authorities.

The User and Proxy User may exercise these rights by sending an email to LuxTrust at: dpo@luxtrust.lu .

If LuxTrust considers that the request is unclear, it may further discuss it with the User or Proxy User to understand better the reason of the request. To prevent fraud, LuxTrust also reserves the right to carry out the necessary checks to verify the identity of the User or Proxy User (e.g. by asking them to authenticate themselves using their LuxTrust Device).

The User and Proxy User have the right to file a complaint with their local data protection authority if they are concerned about the processing of their Personal Data.

Telephone number: (+352) 26 10 60 -1
Website: https://cnpd.public.lu/fr.html
Online form: https://cnpd.public.lu/fr/particuliers/faire-valoir/formulaire-plainte.html (French) or https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html (English)
Address: 15, Boulevard du Jazz, L-4370 Belvaux.

4. Who are the recipients of Personal Data

In strict compliance with the provisions of the GDPR, all or part of the User’s or the Proxy User’s Personal Data may be transmitted:
a) to some LuxTrust employees, subcontractors and suppliers of services that provide technical support to LuxTrust within the framework of the Subscribed Services (e.g. for Remote Identification); LuxTrust’s employees, sub-contractors or suppliers who may have access to the Personal Data shall be obliged to keep it confidential and secure and shall have access only to the Personal Data they require in order to perform their task or obligations, unless otherwise provided by laws or regulations;
b) to authorities such as Registration Authorities, local authorities;
c) to companies that request it with the prior consent of the User or Proxy User;
d) to the public on the Internet and to the extent permitted by law, as part of the publications required for the Certificate;
e) in the event of a change of control, if LuxTrust or its shareholders sell or assign all or part of LuxTrust or its assets to another company (e.g. in case of merger, acquisition or liquidation);
f) to public bodies, administrative or judicial authorities and supervisory bodies;

5. Are Personal Data being transferred

The User and the Proxy User are informed that their Personal Data are hosted in the Grand Duchy of Luxembourg and in France. The majority of LuxTrust’s internal and external recipients, such as detailed in article 4 of this Policy, are located in the European Economic Area (“EEA”). However, in some rare cases, certain recipients (e.g. Registration Authorities) may be located in a country outside the EEA. If there is a transfer to a country which does not ensure a level of protection equivalent to that in force in the EEA, LuxTrust shall ensure that appropriate safeguards have been implemented, such as standard contractual clauses and other legal safeguards in accordance with the GDPR.

The User and the Proxy User may contact LuxTrust to obtain a copy of such safeguards at the following e-mail address: dpo@luxtrust.lu.

6. For how long is your Personal Data stored

The retention period of the Personal Data is variable and depends on the nature of the data, the pursued purposes and retention periods imposed by the applicable legal and regulatory provisions.

In strict compliance with the provisions of the GDPR, LuxTrust retains and processes relevant Personal Data after the end of the Agreement for a minimum period of 10 years after the date of the initialisation of the Subscribed Service, in order to retrospectively ensure the possibility of verifying the use of the Subscribed Services.

Recordings of incoming telephone conversations from the User or Proxy User to the CSD are retained by a subcontractor of LuxTrust for a period of 6 months. LuxTrust has no access to these recordings, except if LuxTrust specifically requests it (e.g. exercise of access right by a User or Proxy User, for evidential purposes, fraud prevention etc.). In such cases, LuxTrust will obtain a copy of these recordings and may retain them for evidential purposes for a duration of 2 years. The retention period may also be extended in the event of legal proceedings. In this case, the data is kept until the end of the legal proceedings and then deleted according to the applicable legal prescription periods.

LuxTrust will comply with the applicable legislation and any directives issued by the authorities in this regard.

7. Security measures

LuxTrust implements all appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the processing carried out by LuxTrust and the associated risks against losses, misuse, unauthorised access, disclosure, unauthorised modifications or illegal destruction. It should be noted that internet connections are never completely secure or free of errors. The User or Proxy User must therefore be cautious when selecting the information they send to LuxTrust by email. On the other hand, it is the responsibility of each User or Proxy User to protect passwords, identifiers or other means they use to access the Subscribed Services.

8. Contact LuxTrust

For any additional questions on the protection of Personal Data, please contact our Data Protection Officer at the following e-mail address: dpo@luxtrust.lu.

9. Changes to the Personal Data Protection Policy

LuxTrust may occasionally update this Policy. Changes will be indicated by a change to the “Last update” date at the end of the Policy. Any change or modification will take effect immediately after the Policy is published, and users waive the right to receive a specific notification of each change or modification.

LuxTrust recommends that Users and Proxy Users regularly consult this Policy in order to keep themselves informed of the updates.

Last updated: June 2021