Privacy Policy

This privacy policy notice informs you about the data we collect from you when you use our website. In collecting this information we are acting as a data controller and we are legally required (Regulation EU 2016/679 (GDPR)) to provide you with information about us, about why and how we use your data, and about the rights you have over your data.

 
The processing of personal data is based on, as applicable, Article 6(1)(a), (b), (c), (e) or (f) of Regulation EU 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.

 
The CSSF, which acts as data controller, processes the personal data solely to achieve the specific purpose for which they are collected through the website. The personal data collected are not processed for commercial purposes. Personal data are only shared on a need-to-know basis with staff who are responsible for achieving the purpose of the collection. This data may be shared with people outside the CSSF when this appears necessary in order to achieve the purpose of the collection or in cases provided for by the law. Should a visitor to the website refuse to provide certain essential items of data, the CSSF reserves the right to refrain from dealing with the visitor's question or request.

 
The CSSF processes these personal data for the duration which is strictly necessary in order to attain the specific purposes in view of which the data are processed.

 

Who are we?

We are the Commission de Surveillance du Secteur Financier (CSSF), a public institution which supervises the professionals and products of the Luxembourg financial sector. Our address is 283, route d’Arlon L-1150 Luxembourg.

 

Data Protection Officer

The CSSF has appointed an internal data protection officer for you to contact if you have any questions or concerns about the CSSF’s personal data policies or practices. The CSSF’s data protection officer’s name and contact information are as follows:

 

DPO / Claude Lüscher
CSSF
283, route d’Arlon
L-1150 Luxembourg
dpo@cssf.lu
+352 26 25 1 2745
 

How we use your information

When you use our website
When you submit an enquiry via our website
When you sign up to receive our newsletters
When you report a breach of the financial sector regulation (Whistleblowing)
When you submit a complaint
When you appear as a reporting or contact person for a supervised entity in our online forms
Your rights as a data subject
Your right to complain
Updates to this privacy policy

 

 

When you use our website (Cookie policy)

We use cookies on the CSSF websites, but they are not 'intrusive'. This means that:


• we do not use cookies to gather personal data about you in any way;
• we do not use targeting or advertising cookies that build up a profile of you.

 

When you use our website to view the information we make available, download documents or use online forms, a number of cookies are used by us and by third parties to allow the website to function and to collect useful information about visitors and to help to improve your user experience.

 

These cookies are shown below.

  

| Cookie Name | Purpose | Further information |
|---|---|---|
| fe_typo_user | Preserves user's preferences across page requests. | Deleted at the end of the session |
| _pk_id.# | Collects anonymous statistics on the user's visits to the website, such as the number of visits, average time spent on the website. | Anonymous Data |
| _pk_ses.# | Used to track which pages have been visited during the session. | Anonymous Data |

 

 

When you submit an enquiry via our website

When you submit an enquiry via our website, we ask you to provide the CSSF with your name, email address and enquiry. Optionally, you may also provide your company name and/or address.

 

We use this information to respond to your query. We may also email you after your enquiry in order to follow up on your interest and ensure that we have answered it to your satisfaction. We will do this based on our legitimate interest in providing accurate information.

 

Your enquiry is stored and processed as an email which is hosted on our servers in Luxembourg.

 

We do not use the information you provide to make any automated decisions that might affect you.

 

We keep enquiry emails for one year, after which they are deleted.

 

 

When you sign up to receive our newsletters

When you sign up to receive our newsletters, we ask for your email address.

 

We will ask for your consent to use your email address to email you, according to your selection, the following type of information: Warnings, Communiqués/Press releases, Laws and regulations, Newsletter, Legal reporting, Statistics, EU/International and other information.

 

You can withdraw your consent at any time and we will stop sending you the information.

 

Your email address is stored on our servers in Luxembourg and is not shared with a third party.

 

We do not use the information you provide to make any automated decisions that might affect you.

 

We keep your email address for as long as we produce and distribute our newsletters. If you withdraw your consent, we will remove your email address from our database.
 

When you report a breach of the financial sector regulation (Whistleblowing)

When you report a breach of the financial sector regulation (Whistleblowing) via the online form, we will ask you for your name, email and report, and you may optionally provide us with your address and up to 5 supporting documents. Please note that alternatively, you may also send an email to whistleblowing@cssf.lu.

 

We will use this information to determine if we are competent in relation to the reported facts, to analyse their substance and to contact you for further information. Processing your data is necessary to perform a task carried out in the public interest or in our institutional role. You may find additional information on the whistleblowing procedure at:
Whistleblowing Questions/Answers

 

We are committed to protecting the whistleblower's identity within the limits of the applicable legislation. In other words, neither the identity of the employee having blown the whistle, nor the identity of third parties who may be involved, will be disclosed to the entity concerned. The identity of the whistleblower or of third parties will only be disclosed in circumstances in which the disclosure becomes unavoidable in law (e.g. as a result of the CSSF’s duty to inform the State prosecutor if the acts may constitute a crime or an offence, or in the context of criminal proceedings against the entity concerned in which case the whistleblower may, as the case may be, be called as a witness). Although it may perhaps not always be entirely excluded, despite all the precautions taken, that the employer discovers the whistleblower’s identity by cross-checking information, the CSSF will make every effort to protect it. When we receive a report for which the CSSF has no competence and in order to ensure the effectiveness of whistleblowing reports, we may transmit the information to the competent supervisory authority (e.g. the European Central Bank, or other EU or non-EU financial sector supervisory authorities).

 

Your report is stored on our internal servers until the procedure is closed. After that we will delete your personal data.

 

 

When you submit a complaint

When you file a complaint as an individual, we will ask you for your name, email, address, complaint as well as some supporting documents, including a copy of your ID card or any similar document proving your identity. You may optionally provide us with contact details of your representative.

 

We will use this information to determine if we are in charge of the complaint, to analyse its substance and to contact you for further information. Processing your data is necessary to perform a task carried out in the public interest or in our institutional role.

 

Your contact information may, as a result of the CSSF’s duty, be transmitted to the State prosecutor if the acts may constitute a crime or an offence, or in the context of criminal proceedings against the entity concerned in which case you may, as the case may be, be called as a witness.

 

Your complaint is stored on our internal servers in Luxembourg until the procedure is closed and for the following 10 years. After that, your personal data will be erased.

 

You may find additional information on how we handle your complaints at:
FAQ - Complaints 

CSSF Regulation N° 16-07 relating to out-of-court complaint resolution

 

 

When you appear as a reporting or contact person for a supervised entity in our online forms

When you appear as a reporting person or a contact person in our online forms, we will ask you for your name, email and optionally your telephone number.

 

We will use this information to contact you in the context of the procedure concerned. Processing your data is necessary to perform a task carried out in the public interest or in our institutional role.

 

All data is stored on our servers in Luxembourg for the duration of the procedure concerned and for as long as required by our obligations.

 

 

Your rights as a data subject

Without prejudice to the limitations provided by the GDPR, you can ask us what information we hold about you, and you can ask us to correct it if it is inaccurate. If we have asked for your consent to process your personal data, you may withdraw that consent at any time.

 

If we are processing your personal data for reasons of consent or to fulfil a contract, you can ask us to give you a copy of the information in a machine-readable format so that you can transfer it to another provider.

 

Without prejudice to the limitations provided by the GDPR, if we are processing your personal data for reasons of consent, you can request that your data be erased.

 

You have the right to ask us to stop using your information for a period of time if you believe we are not doing so lawfully.

 

Finally, in some circumstances you can ask us not to reach decisions affecting you using automated processing or profiling.

 
To submit a request regarding your personal data by email, post or telephone, please use the contact information provided above in the Who Are We section of this policy.
 

Your right to complain

If you have a complaint about our use of your information, we would prefer that you first contact us directly, so that we can address your complaint. However, you can also contact the CNPD via their website at www.cnpd.lu or write to them at:

Commission nationale pour la protection des données
Service des plaintes
1, avenue du Rock'n'Roll
L-4361 Esch-sur-Alzette

 

 

Updates to this privacy policy

We will regularly review and, if appropriate, update this privacy policy, as our services and use of personal data evolve. If we want to make use of your personal data in a way that we have not previously identified, we will contact you to provide information about this and, if necessary, to ask for your consent.

 

We will update the version number and date of this page each time it is changed.

 

 

 

Version 1.0 of 25 May 2018