Allgemeine Nutzungsbedingungen und Datenschutzerklärung

Durch Nutzung dieser Internetseite oder der hierüber abrufbaren Inhalte erklärt der Nutzer, vorliegende allgemeine Nutzungsbedingungen zur Kenntnis genommen zu haben und diesen vollumfänglich zuzustimmen.

Die CSSF behält sich das Recht vor, vorliegende allgemeine Nutzungsbedingungen jederzeit und ohne Vorankündigung zu ändern, sofern dies der CSSF aufgrund von Änderungen der abrufbaren Inhalte, aufgrund gesetzlicher Vorgaben oder aus sonstigen Gründen erforderlich erscheint. Es obliegt daher dem Nutzer, sich über die zum Zeitpunkt der Nutzung geltenden Nutzungsbedingungen zu informieren.

Sofern in den abrufbaren Inhalten nichts Abweichendes bestimmt ist, können diese konsultiert, heruntergeladen, gespeichert und ausgedruckt werden. Abgesehen von einer Vervollständigung eines Formulars in den darin vorgesehenen Feldern, ist eine Veränderung der abrufbaren Inhalte nicht gestattet. Die Verbreitung oder Vervielfältigung von abrufbaren Inhalten dieser Internetseite bedarf der vorherigen schriftlichen Zustimmung der CSSF.

Sofern diese Internetseite Inhalte von Dritten enthalten, so unterliegen diese dem Urheberrecht sowie den etwaigen Nutzungsbedingungen des jeweiligen Urhebers. Dies kann auch dann gelten, sofern vorliegende Internetseite nicht ausdrücklich auf Urheberrechte Dritter verweist.

Vorliegende Internetseite enthält Verweise in Form von Hyperlinks auf Internetseiten und Dokumente Dritter. Ein solcher Verweis stellt keine Zustimmung zu oder bedingungslose Übernahme der dort bereitgestellten Inhalte durch die CSSF dar. Die CSSF übernimmt keine Haftung in Bezug auf die Verfügbarkeit sowie den Inhalt von Internetseiten Dritter und der dort aufgeführten Dokumente. Das Herstellen einer Verbindung zu den Internetseiten oder Dokumenten Dritter erfolgt auf eigene Gefahr des Nutzers.

Die CSSF behält sich das Recht vor, diese Internetseite nach eigenem Ermessen jederzeit und ohne Vorankündigung abzuändern, weiterzuentwickeln oder den Zugang zu dieser zu unterbrechen. Die CSSF kann in diesem Zusammenhang die auf dieser Internetseite verfügbaren Informationen, Dienste und Anwendungen jederzeit vollständig oder teilweise löschen, hinzufügen, abändern, vervollständigen oder näher ausführen.

Diese Internetseite wurde mit größtmöglicher Sorgfalt erstellt. Die CSSF ist stets bemüht, den abrufbaren Inhalt dieser Internetseite zu verbessern, zu aktualisieren und zu erweitern. Dennoch kann die CSSF die Vollständigkeit, Aktualität, Richtigkeit der abrufbaren Inhalte und Dokumente sowie den störungsfreien Zugriff auf diese nicht gewährleisten. Die auf dieser Internetseite abrufbaren Inhalte stellen keine Rechtsberatung dar. Eine Haftung der CSSF oder deren Mitarbeiter für Schäden, welche direkt oder indirekt durch die Nutzung dieser Internetseite oder des hierüber abrufbaren Inhalts entstehen, ist daher ausgeschlossen.

Sämtliche Rechtsstreitigkeiten, welche aus oder im Zusammenhang mit der Nutzung der vorliegenden Internetseite entstehen, unterliegen ausschließlich dem Recht des Großherzogtums Luxemburg sowie der exklusiven Zuständigkeit der Gerichte des Großherzogtums Luxemburg.

The Commission de Surveillance du Secteur Financier (CSSF) is the supervisory authority of the Luxembourg financial sector. Its duties and its field of competence are provided for in Section 2 of the Law of 23 December 1998 establishing a financial sector supervisory commission (“Commission de surveillance du secteur financier”) (the “Organic Law”). The CSSF performs its duties of prudential supervision and supervision of the markets for the purposes of ensuring the safety and soundness of the financial sector, solely in the public interest. Within the limits of its remit, it ensures notably that the authorised persons and the issuers comply with the regulations applicable to them, including those aiming to ensure the protection of the financial consumers and the prevention of the use of the financial sector for the purposes of money laundering or terrorist financing. The CSSF represents Luxembourg in the area of European and international supervision.

In this context, the CSSF underlines its commitment to the protection of your personal data (“Personal Data” or “Data”) and ensures also compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the “GDPR”) as well as with the applicable Luxembourg legislation.

The Personal Data referred to in this policy (hereinafter, the “Policy”) are those of third parties outside the CSSF (which exclude the CSSF’s staff members, i.e. the members of the Executive Board of the CSSF, the Resolution Director, the agents treated as civil servants, the trainee agents, the professional staff treated as State employees (employés de l’Etat), the “salariés” treated as “salariés de l’Etat”, trainees and students and internal service providers) who are referred to individually as “Data Subject” (as defined below) or “You”, i.e.:

• the natural persons directly supervised by the CSSF;
• the natural persons working within the supervised entities (agents, employees, members of the management bodies, key function holders, shareholders, intermediaries and other participants, etc.);
• the natural persons within the national, foreign and international authorities and bodies with which the CSSF cooperates;
• any person providing one or several services for the CSSF under a service provision agreement aiming to fulfil tasks unrelated to the CSSF’s legal missions, including in particular removals, general maintenance of the premises (cleaning, repairs, etc.), concierge services, management of the CSSF’s restaurants;
• any other person about whom the CSSF collected Personal Data for the purposes laid down in the recital.

The persons who applied for a job or who submitted an unsolicited application are informed of the Processing (as defined below) of their Personal Data via a specific policy called Job Applicant Privacy Notice available under the section “Careers” of the CSSF website: https://careers.cssf.lu/en/home/.

This Policy informs you of the following:

• Who is the Controller? How to contact the CSSF?
• Why does the CSSF process your Personal Data?
• What is the purpose of the Processing?
• How long are the Data stored?
• With whom does the CSSF share these Data?
• How are your Data protected?
• Your rights as Data Subject.
• Update to the Policy.

The following concepts are used in this Policy:

• Personal Data means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person – Article 4(1) GDPR.
• Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction – Article 4(2) GDPR.
• Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by EU or Member State law, the Controller or the specific criteria for its nomination may be provided for by EU or Member State law – Article 4(7) GDPR.

The Commission de Surveillance du Secteur Financier (CSSF), a public law institution established at 283, route d’Arlon, L-1150 Luxembourg, acts as Controller of your Personal Data.

The CSSF designated an internal Data Protection Officer (“DPO”) whom You may contact in case of questions relating to the policies or practices of the CSSF with respect to the protection of Personal Data. You may contact the DPO via email or by post at the following address:

Commission de Surveillance du Secteur Financier

DPO / Pascal Pirih

283, route d’Arlon

L-1150 Luxembourg

dpo@cssf.lu

The CSSF processes Personal Data of Data Subjects in the framework of:

• the performance of the tasks carried out in the public interest or the exercise of the public powers conferred on the CSSF by the legislator;
• the use of the CSSF website;
• the use of the digital desks;
• the submission of enquiries via the CSSF website;
• the subscriptions to the news on the CSSF website;
• the reporting of a breach of the financial sector regulation (whistleblowing);
• the submission of a complaint;

And when:

• You carry out any work for the CSSF (outsourcing/service provision);
• You physically come to the CSSF.

It concerns, among others, Personal Data that You give the CSSF or that the CSSF receives by third parties (in any way whatsoever, including via digital desks) in the framework of the CSSF’s prudential supervision, supervision of the markets in financial instruments (including their operators), resolution, supervision regarding the fight against money laundering and terrorist financing, protection of financial consumers and public oversight of the audit profession.

The Personal Data processed by the CSSF for the purpose of its tasks carried out in the public interest and the exercise of the public authority conferred on it, will be stored as long as You, or the natural or legal person subject to the CSSF’s supervision for which You work or for which You perform or have performed a function, are subject to the supervision of the CSSF. The CSSF may continue to process your Personal Data beyond this period, e.g. in so far as they may become relevant again for the exercise of the CSSF’s supervisory mission or in the framework of possible liability claims.

The CSSF uses cookies on its website but they are not ‘intrusive’. This means that:

• they are not used to gather Personal Data about You in any way;
• the CSSF does not use targeting or advertising cookies that build up a profile.

When You use the CSSF website notably to view the information the CSSF makes available, download documents or use online forms, a number of cookies are used by the CSSF and by third parties to allow the website to function and to collect useful information about visitors and to help to improve your user experience.

The cookies used on www.cssf.lu:

When You create an account on one of the digital desks made available by the CSSF, You are requested to provide your name, email address, password and optionally the name and address of the company.

This information is used in order to secure your access on the desk concerned.

Your account is kept as long as You use the desk and until You delete your access.

The CSSF does not use the information You provided in order to produce automated decisions likely to affect You.

The CSSF stores the requests in the form of emails for one year, after which they are erased.

When You submit an enquiry via the CSSF website, You are requested to provide your name, email address and optionally a company name and address.

This information is used to respond to your enquiry. The CSSF may email You after your enquiry in order to do a follow-up and ensure that You have received a satisfactory answer.

Your enquiry is stored and processed as an email hosted on the servers of the CSSF in Luxembourg.

The CSSF does not use the information You provided in order to produce automated decisions likely to affect You.

The CSSF stores the requests in the form of emails for one year, after which they are erased.

When You subscribe to the news on the CSSF website, You are requested to provide your email address.

In accordance with Article 6(1)(a) of the GDPR, your consent will be requested before using your email address to send You the following information depending on your selection among these elements: warnings, sanctions and administrative measures imposed by the CSSF, communiqués/press releases, laws and regulations, Newsletter, legal reporting, statistics, EU/international and other publications.

In order to achieve this objective, we use a subcontractor located in the European Union which provides sufficient guarantees as regards the implementation of appropriate technical and organisational measures so that the processing fulfils the requirements of the GDPR and guarantees the protection of your personal data.

Your email address is stored on servers in the European Union.

The CSSF does not use the information You provided to produce automated decisions likely to affect You.

The CSSF stores your email address as long as it produces and disseminates news. In case of withdrawal of your consent, the CSSF will immediately stop sending You the news and your email address will be erased from the CSSF’s and the subcontractor’s database.

When You report a breach of the financial sector regulation (whistleblowing), You are requested to provide your name, email address, report and optionally your address and up to five (5) supporting documents. Please note that alternatively, You may also send an email at the following email address: whistleblowing@cssf.lu.

The CSSF will use this information to determine if it is competent in relation to the reported facts, to analyse their substance and to contact You for further information. The Processing of your Personal Data is necessary to perform a task carried out in the public interest or in the institutional role of the CSSF. Additional information about the whistleblowing procedure is available at: Whistleblowing Questions/Answers.

The CSSF is committed to protecting the whistleblower’s identity within the limits of the applicable law. In other words, neither the identity of the employee having blown the whistle, nor the identity of third parties who may be involved, will be disclosed to the supervised entity concerned. The identity of the whistleblower or of third parties will only be disclosed in circumstances in which the disclosure becomes unavoidable in law (e.g. as a result of the CSSF’s duty to inform the State Prosecutor if the acts may constitute a crime or an offence, or in the context of criminal proceedings against the entity concerned in which case the whistleblower may, as the case may be, be called as a witness). When the CSSF receives a report for which it has no competence and in order to ensure the effectiveness of whistleblowing reports, the information is transmitted in an anonymised manner to the competent supervisory authority (e.g. the European Central Bank or other EU or non-EU financial sector supervisory authorities) subject to compliance with the rules relating to professional secrecy provided for in Article 16 of the Organic Law and the provisions of Chapter V of the GDPR regarding the transfers of Personal Data to third countries (cf. Section 5 below).

Your report will be stored on the internal servers of the CSSF in Luxembourg until the procedure is closed. Afterwards, your Personal Data will be erased.

When You file a complaint as an individual, You will be requested to provide your name, email address, complaint as well as some supporting documents, including a copy of your ID card or any document permitted by law to prove the identity of a natural person.

The CSSF will use this information to determine if it is competent to handle the complaint, to analyse its substance and to contact You for further information. The Processing of your Personal Data is necessary to perform a task carried out in the public interest or in the institutional role of the CSSF.

Your complaint will be stored on the internal servers of the CSSF in Luxembourg until the procedure is closed or for the following ten years. After that, your Personal Data will be erased.

Additional information on the handling of your complaints is available at:

FAQ – Complaints

CSSF Regulation N° 16-07 relating to out-of-court complaint resolution

Circular CSSF 17/671 as amended by Circular CSSF 18/698 (Specifications regarding CSSF Regulation N° 16-07 of 26 October 2016 relating to out-of-court complaint resolution)

The CSSF may also collect and use your Personal Data if they are provided by your employer or a company with which You are connected in any way, in the framework of a contractual relationship between the CSSF and your employer or said company.

The data consist of your name, your email address and other Personal Data and, in some cases, references to previous jobs and ID document.

The CSSF has a video surveillance system on its premises. Video surveillance means the activity of monitoring with video cameras in order to:

• secure access to the buildings;
• ensure the security of its staff;
• detect and identify possible suspicious or dangerous behaviours likely to lead to accidents or incidents;
• accurately locate the origin of an incident;
• protect the CSSF’s property (buildings, installations, equipment, etc.);
• organise and oversee a rapid evacuation of the staff in case of an incident;
• be able to warn in time the rescue and fire services or the police force as well as to facilitate their intervention.

The CSSF stores its surveillance images for fourteen (14) days.

The CSSF maintains a register of the visits with your name, the name of your company and the person visited.

In the context of its mission carried out in the public interest and the exercise of its public powers, the CSSF cooperates in particular with the European Central Bank, the Banque centrale du Luxembourg, the supervisory and/or resolution authorities of the EU Member States, as well as with other national and EU institutions, authorities or bodies in charge of investor and depositor protection and the safeguarding of financial stability. Due to the CSSF’s reporting obligation in accordance with Article 23(2) of the Code of Criminal Procedure, your Personal Data may be transmitted to the State Prosecutor if the acts may constitute a crime or offence.

It is possible that the CSSF, in the context of its mission carried out in the public interest and the exercise of its public powers and within the limits of applicable standards, exchanges your Personal Data with an international organisation. In such a case, the CSSF ensures that the international organisation guarantees an appropriate level of protection (in accordance with Article 45 GDPR) or that it can use a derogation, such as applicable in case of a transfer necessary for important reasons of public interest (in accordance with Article 49 GDPR) or another instrument with appropriate guarantees fulfilling the provisions of Chapter V of the GDPR regarding the transfers of Personal Data to third countries or international organisations.

5.3.1. How and why does the CSSF process your Personal Data?

Given the international dimension of its prudential supervision of the financial sector and supervision of the markets in financial instruments, the CSSF may transfer your personal data to its counterparts located in the European Economic Area (EEA) and outside the EEA.

In the context of international cooperation with its foreign counterparts, the CSSF is committed to have in place the safeguards set out in the Administrative Arrangement for the transfer of personal data between EEA financial supervisory authorities and non-EEA financial supervisory authorities, without prejudice to the European Commission’s adequacy decisions with respect to certain countries¹.

In particular, when the CSSF collects and processes Personal Data transferred under the Administrative Arrangement, it guarantees that:

• it will only transfer Personal Data that are relevant, adequate and limited to what is necessary for the purposes for which they are transferred and further processed;
• it will have in place appropriate technical and organisational measures to protect Personal Data that are transferred to it against any unauthorised or unlawful Processing, destruction, loss, alteration or unauthorised disclosure;
• it will retain Personal Data for no longer than is appropriate and necessary for the purpose for which the data are processed;
• it will not take any decision concerning a natural person based solely on automated Processing of Personal Data, including profiling, without human involvement;
• it will not divulge your Personal Data for other purposes, such as for commercial or marketing purposes.

5.3.2. What are your safeguards under the Administrative Arrangement?

As regards the Personal Data shared under the Administrative Arrangement, You can make a written request to the CSSF to receive information about the Processing of your Personal Data, to access the Personal Data and to correct any inaccurate or incomplete Personal Data, as well as make a written request to erase, restrict Processing or to object to the Processing of your Personal Data at the following address:

by mail:

Commission de Surveillance du Secteur Financier

DPO / Pascal Pirih

283, route d’Arlon

L-1150 Luxembourg

or

by email: dpo@cssf.lu

Nevertheless, due to the sensitive nature of the CSSF’s public interest mission and the professional secrecy to which it is bound, in some cases these safeguards might be restricted, in particular where they are likely to seriously impair the objectives of that Processing (Article 14(5)(b) of the GDPR), where obtaining or disclosing information is expressly provided for by law (Article 14(5)(c) of the GDPR) or where they affect the professional secrecy to which the CSSF is subject (Article 14(5)(d) of the GDPR and Article 16 of the Organic Law, the infringement of which is punishable under Article 458 of the Criminal Code).

In each case, the CSSF will assess whether the restriction imposed is appropriate. The restriction should be necessary and provided for by law, and will continue only for as long as the reason for the restriction continues to exist.

5.3.3. What redress is available to you

If you believe that your Personal Data have not been handled consistent with these safeguards, you can lodge a complaint with the transferring authority, the receiving authority or both authorities. To this end, you may contact the CSSF Data Protection Officer whose contact details are given below. In this case, the authorities concerned will use best efforts to settle the complaint or dispute amicably in a timely fashion.

Should the dispute remain unsolved, other methods may be used to resolve it, unless the request is manifestly unfounded or excessive. Such methods include participation in non-binding mediation, as well as in other non-binding dispute resolution proceedings initiated by the natural person or by the authority concerned.

If the dispute is not resolved through cooperation by the authorities, nor through non-binding mediation or other non-binding dispute resolution proceedings, and the transferring authority considers that the receiving authority has not acted in accordance with the safeguards set out in the Administrative Arrangement, the transferring authority will suspend the transfer of Personal Data under this Administrative Arrangement to the receiving authority until it is of the view that the issue raised has been satisfactorily addressed by the receiving authority, and will inform You thereof.

Contact

For any questions or requests for information about redress, You may contact the CSSF:

by mail:

Commission de Surveillance du Secteur Financier

DPO / Pascal Pirih

283, route d’Arlon

L-1150 Luxembourg

or

by email: dpo@cssf.lu

¹ _{The list of third countries that are recognised as having equivalent safeguards is available at: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
Opinion 4/2019 of the European Data Protection Board
Administrative Arrangement
The CSSF is signatory to this Administrative Arrangement. Appendix A contains a list of all EEA authorities that have joined the Administrative Arrangement. The non-EEA authorities that have joined the Administrative Arrangement are listed in Appendix B.}

The CSSF implements technical and organisational means in order to protect your Personal Data and prevent any destruction, loss, alteration or modification as well as any unauthorised access or disclosure, voluntary or involuntary. Moreover, the CSSF requests also its service providers which process Personal Data for the CSSF to always take the necessary security measures.

Without prejudice to the general obligation of professional secrecy laid down in Article 16 of the Organic Law and without prejudice to the limitations provided for by the GDPR, You can ask the CSSF what information it holds about You and You can ask the CSSF to correct the information if it is inaccurate. The exercise of the right of access shall not adversely affect the rights and freedoms of others.

When the Processing of your Personal Data is based on consent, You have the right to withdraw your consent at any time. Such withdrawal has no consequence on the validity of the Processing of your Personal Data before the withdrawal.

If your Personal Data are processed for consent purposes or in order to fulfil a contract, You may ask that a copy of the information be sent to You in a machine-readable format so that it can be transferred to another provider. That right shall not apply to Processing necessary for the performance of a mission carried out in the public interest or in the exercise of public authority vested in the CSSF.

Without prejudice to the limitations provided for by the GDPR, You have the right to ask the CSSF to stop using your information for a certain period of time (right to restriction), if You consider that it does not act lawfully.

In order to submit a request concerning your Personal Data by email or by mail, please use the contact details provided in Section 3 above. Your request must be accompanied by a copy of the recto of your ID card, passport or any other ID document.

If you have a complaint to make concerning the use of your information, please contact first the CSSF directly so that it can address your complaint. However, You can also contact the Commission nationale pour la protection des données (CNPD) which is the competent authority in Luxembourg for the protection of Personal Data via its website www.cnpd.lu or by writing to:

Commission nationale pour la protection des données (CNPD)

Service des plaintes

15, Boulevard du Jazz

L-4370 Esch-sur-Alzette

The CSSF regularly reviews and, if appropriate, updates this Policy, as its services and use of Personal Data evolves. If the CSSF wants to make use of your Personal Data in a way that has not been previously identified, You will be contacted to be given information about this and, if necessary, to be asked for your consent.

The CSSF will update the version number and date of this Policy each time it is changed.

The CSSF has a video surveillance system on its premises. Video surveillance means the activity of monitoring with video cameras in order to:

• secure access to the buildings;
• ensure the security of its staff;
• detect and identify possible suspicious or dangerous behaviours likely to lead to accidents or incidents;
• accurately locate the origin of an incident;
• protect the CSSF’s property (buildings, installations, equipment, etc.);
• organise and oversee a rapid evacuation of the staff in case of an incident;
• be able to warn in time the rescue and fire services or the police force as well as to facilitate their intervention.

The CSSF stores its surveillance images for fourteen (14) days.

The CSSF maintains a register of the visits with your name, the name of your company and the person visited.

Without prejudice to the limitations provided by the GDPR, you can ask us what information we hold about you, and you can ask us to correct it if it is inaccurate. If we have asked for your consent to process your personal data, you may withdraw that consent at any time.

If we are processing your personal data for reasons of consent or to fulfil a contract, you can ask us to give you a copy of the information in a machine-readable format so that you can transfer it to another provider.

Without prejudice to the limitations provided by the GDPR, if we are processing your personal data for reasons of consent, you can request that your data be erased.

You have the right to ask us to stop using your information for a period of time if you believe we are not doing so lawfully.

Finally, in some circumstances you can ask us not to reach decisions affecting you using automated processing or profiling.

To submit a request regarding your personal data by email, post or telephone, please use the contact information provided above in the Who Are We section of this policy.

If you have a complaint about our use of your information, we would prefer that you first contact us directly, so that we can address your complaint. However, you can also contact the CNPD via their website at www.cnpd.lu or write to them at:

Commission nationale pour la protection des données
Service des plaintes
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette

We will regularly review and, if appropriate, update this privacy policy, as our services and use of personal data evolves. If we want to make use of your personal data in a way that we have not previously identified, we will contact you to provide information about this and, if necessary, to ask for your consent.

We will update the version number and date of this page each time it is changed.