Last revised: November 2023
1. An overview of data protection
The Luxembourg Institute of Science and Technology (hereafter “LIST”, “We”) is committed to ensure the highest standards of data protection in compliance with the applicable legislation, notably with reference to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter “GDPR”).
The present document aims at illustrating what personal data we collect about you, the reason why LIST uses your data and, as the case may be, share your data and the applicable retention periods. Additionally, the notice also provides you with information regarding your rights, how to exercise them and whom you can contact in case of any query.
2. Scope of the notice
The present notice is directed to:
- users or visitors of www.reach.lu (hereafter the “Platform”),
- individuals who contact us by any means for any purposes,
- individuals who subscribed to our newsletter,
- individuals who take part in our event(s) either as speaker or as sponsor,
Hereafter together “you”.
3. Identity of the data controller
The data controller is LIST, having its registered office at 5, Avenue des Hauts-Fourneaux L-4362 Esch-sur-Alzette, Luxembourg.
The Principal Investigator in charge of the project is: Laurène Chochois, reach@list.lu, (+352) 275 888-1.
4. Categories of personal data we collect
The list of personal data we collect about You varies on your use of this Platform or on the services we provide you.
Please find here below a list of personal data we may collect and process. Those may at times include:
- Contact details: name, surname, country, email, phone number, title,
- Professional information: company/organisation, job title,
- Technical data: device identification data and traffic data (e.g. MAC addresses, web logs, etc.) and password in the case of user account creation on our event management platform,
- Your image, audio and likeliness (as captured on a webinar, in photographs or recordings taken at the Event),
- Records of communications sent to You or received from You.
5. Purpose and legal basis for processing
LIST collects and uses personal data of Participants for the following purposes:
Purpose | Detail |
---|---|
To reply to your questions and/or to exchange with you | To ensure a proper follow-up of any query received by individuals in Luxembourg about the relevant EU regulation. When contact via the contact form, the Helpdesk processes your data to reply to you and document the performance of the task. |
Event management | To properly organize and deploy Events, which includes:
|
Processing of contact details for inviting to future events | To process contact details to manage the subscription of Participants to a mailing list of future events. |
Processing of contact details for sending LIST newsletter | To process contact details to manage the subscription of Participants to LIST newsletter. |
To make reporting to the Ministry and/or funding authorities | As request by the Ministry, we prepare periodic reports including anonymous and statistical data, such number of participants to our events or of registered users to the newsletter. |
6. Legal basis for processing
Below you can find the list of legal basis on whose grounds LIST collects and processes Participants’ personal data:
Purpose | Legal basis |
---|---|
To reply to your questions and/or to exchange with you | The processing is based on your consent, that is requested in the contact form and can be withdrawn at all times by contacting reach@list.lu. |
Event management | LIST processes personal data for such purpose under LIST’s legitimate interest in properly organizing and deploying Events. In relation to speakers and sponsors, processing is necessary to perform a contract with the data subject. |
Processing of contact details for inviting to future events | Consent provided during the Event registration or via the Platform. To withdraw consent, the Participant can click the unsubscribe link in the footer of any email received or contact reach@list.lu |
Processing of contact details for sending LIST newsletter | Consent provided during the Event registration or via the Platform. To withdraw consent, the Participant can click the unsubscribe link in the footer of any email received or contact reach@list.lu |
7. Share of your personal data with third parties
Your personal data will not be shared with any external party, unless in case of any Event co-organized by LIST with another external partner. In this case, we will request your express consent for the transfer of your data via the registration form.
LIST may share your personal data with:
- The research team of LIST in charge of managing the Platform,
- The public in general in relation to dissemination of photographs and videos,
- External service providers that perform services on LIST behalf, such as catering companies, event organisation or communication agencies service providers and IT service providers,
- Institutional or non-institutional partners, with whom LIST collaborates in the context of the Events’ management and organization.
Some of the mentioned recipients of your personal data may be in countries outside the European Union or the European Economic Area (EU/EEA):
- The Rocket Science Group LLC d/b/a Mailchimp: Mailchimp is the online platform that we use to manage and send LIST newsletters. Mailchimp may transfer and process personal data to and in the United States and anywhere else in the world where Mailchimp, its affiliates or its sub-processors maintain data processing operations. As between LIST and Mailchimp, such processing is done in compliance with the standard contractual clauses. For more details, you can have a look at the following webpage: https://mailchimp.com/en-gb/legal/data-processing-addendum/?_gl=1*13ddyte*_up*MQ..*_ga*ODA1NzU0OTExLjE2Nzc2ODQ1MDk.*_ga_N5HD1RTH6E*MTY3NzY4NDUwOC4xLjAuMTY3NzY4NDUwOC4wLjAuMA..&gclid=EAIaIQobChMI5OPC-P-6_QIVD97tCh2uUAGiEAAYASAAEgJoDPD_BwE&gclsrc=aw.ds.
- LogMeln Ireland Unlimited Company: This processor based in Ireland is the provider of the GoToWebinar tool, a virtual event platform. International transfers to subprocessors based in countries which do not ensure an adequate level of data protection within the meaning of the GDPR, are performed under Standard Contractual Clauses. Further details are available in the following webpage: https://www.goto.com/company/legal/privacy/international#data-transfers.
- Microsoft Ireland Operations Limited: This processor is based in Ireland and is the provider of MS Teams, a videoconferencing application. Microsoft may transfer, store and process personal data in the United States or any other country in which Microsoft or its contractors maintain facilities. Transfers out of the European Union and European Economic Area, are governed by Standard Contractual Clauses. For further details, please have a look at the following page: https://learn.microsoft.com/en-us/microsoftteams/teams-privacy.
Please kindly note that if you contact us to submit a query which is not related to the CLP or REACH regulations, your request will be forwarded to the competent authorities.
8. Ensuring personal data security and integrity
In compliance with the applicable data protection legislation, LIST has put in place appropriate technical and organisational measures in order to prevent or act upon any unauthorised and unlawful processing or disclosure, accidental loss, modification or destruction of personal data. These measures are implemented based on the current state of art, an evaluation of the risks derived by the processing activity and the need to protect personal data. Such technical and organisation measures are regularly updated and/or adjusted to new technical developments or any organisational change that may affect LIST.
9. Data retention periods
LIST will only retain your personal for a period of time that is strictly necessary for the purposes for which we collect your data, without prejudice to LIST to keep them for a longer duration for legal and/or regulatory obligations applying to LIST or due to exceptional situations that would justify them being kept longer (judicial procedure, etc.). Below are the details regarding the time we keep your personal data:
Purpose | Legal basis |
---|---|
To reply to your questions and/or to exchange with you | 5 years after the end of contact took place. |
Event management | In this case, we will keep the personal data in accordance with our retention schedule. |
Processing of contact details for inviting to future events | Until you unsubscribe to the newsletter. |
Processing of contact details for sending LIST newsletter | Until you unsubscribe to the newsletter. |
10. Your rights and how to exercise them
With regards to your personal data collected and processed by LIST, you may exercise at any time the following rights:
- Right to access: You have the right to receive confirmation about whether or not your personal data is being processed by LIST. If that is the case, you have the right to know what data is being collected and processed and to obtain of copy of it;
- Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you have the right to request to have it rectified;
- Right to erasure: Subject to certain conditions specified in art. 17 of the GDPR, you have the right to have your personal data deleted by LIST;
- Right to restriction of processing: Subject to certain conditions specified in art. 18 of the GDPR, you have the right to obtain restriction of the processing of your personal data performed by LIST;
- Right to data portability: Subject to certain conditions specified in art. 20 of the GDPR, you have the right to obtain a copy of the personal data you provided to LIST in in a structured, commonly used and machine-readable format and to request the transfer of these data to another data controller;
- Right to object: You have the right to object the processing of your personal data when the conditions set out in art. 21 of the GDPR apply;
- Right to withdraw consent: If LIST is processing your personal data based on your consent, you have the right to withdraw that consent at any time. The withdrawal of such consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD). More information on how to lodge a complaint are available on CNPD’s website: cnpd.public.lu.
You may exercise any of these rights by contacting our Data Protection Officer (DPO) by filling the online form.
11. Link to other websites
Please be aware that this website may contain links to other website that are not governed by this privacy notice. We encourage users to review the privacy notice of each website before disclosing any personal data.
12. Changes to this notice
LIST may make changes to this privacy notice from time to time, to reflect our current privacy practices or to comply with changes in the applicable data protection legislation. LIST encourages you to regularly visit this page in order to remain informed on how LIST collects and processes personal data.