Unternehmen
Zugriff auf die Datenbank
Durch Nutzung dieser Internetseite oder der hierüber abrufbaren Inhalte erklärt der Nutzer, vorliegende allgemeine Nutzungsbedingungen zur Kenntnis genommen zu haben und diesen vollumfänglich zuzustimmen.
Die CSSF behält sich das Recht vor, vorliegende allgemeine Nutzungsbedingungen jederzeit und ohne Vorankündigung zu ändern, sofern dies der CSSF aufgrund von Änderungen der abrufbaren Inhalte, aufgrund gesetzlicher Vorgaben oder aus sonstigen Gründen erforderlich erscheint. Es obliegt daher dem Nutzer, sich über die zum Zeitpunkt der Nutzung geltenden Nutzungsbedingungen zu informieren.
Sofern in den abrufbaren Inhalten nichts Abweichendes bestimmt ist, können diese konsultiert, heruntergeladen, gespeichert und ausgedruckt werden. Abgesehen von einer Vervollständigung eines Formulars in den darin vorgesehenen Feldern, ist eine Veränderung der abrufbaren Inhalte nicht gestattet. Die Verbreitung oder Vervielfältigung von abrufbaren Inhalten dieser Internetseite bedarf der vorherigen schriftlichen Zustimmung der CSSF.
Sofern diese Internetseite Inhalte von Dritten enthalten, so unterliegen diese dem Urheberrecht sowie den etwaigen Nutzungsbedingungen des jeweiligen Urhebers. Dies kann auch dann gelten, sofern vorliegende Internetseite nicht ausdrücklich auf Urheberrechte Dritter verweist.
Vorliegende Internetseite enthält Verweise in Form von Hyperlinks auf Internetseiten und Dokumente Dritter. Ein solcher Verweis stellt keine Zustimmung zu oder bedingungslose Übernahme der dort bereitgestellten Inhalte durch die CSSF dar. Die CSSF übernimmt keine Haftung in Bezug auf die Verfügbarkeit sowie den Inhalt von Internetseiten Dritter und der dort aufgeführten Dokumente. Das Herstellen einer Verbindung zu den Internetseiten oder Dokumenten Dritter erfolgt auf eigene Gefahr des Nutzers.
Die CSSF behält sich das Recht vor, diese Internetseite nach eigenem Ermessen jederzeit und ohne Vorankündigung abzuändern, weiterzuentwickeln oder den Zugang zu dieser zu unterbrechen. Die CSSF kann in diesem Zusammenhang die auf dieser Internetseite verfügbaren Informationen, Dienste und Anwendungen jederzeit vollständig oder teilweise löschen, hinzufügen, abändern, vervollständigen oder näher ausführen.
Diese Internetseite wurde mit größtmöglicher Sorgfalt erstellt. Die CSSF ist stets bemüht, den abrufbaren Inhalt dieser Internetseite zu verbessern, zu aktualisieren und zu erweitern. Dennoch kann die CSSF die Vollständigkeit, Aktualität, Richtigkeit der abrufbaren Inhalte und Dokumente sowie den störungsfreien Zugriff auf diese nicht gewährleisten. Die auf dieser Internetseite abrufbaren Inhalte stellen keine Rechtsberatung dar. Eine Haftung der CSSF oder deren Mitarbeiter für Schäden, welche direkt oder indirekt durch die Nutzung dieser Internetseite oder des hierüber abrufbaren Inhalts entstehen, ist daher ausgeschlossen.
Sämtliche Rechtsstreitigkeiten, welche aus oder im Zusammenhang mit der Nutzung der vorliegenden Internetseite entstehen, unterliegen ausschließlich dem Recht des Großherzogtums Luxemburg sowie der exklusiven Zuständigkeit der Gerichte des Großherzogtums Luxemburg.
The Commission de Surveillance du Secteur Financier (CSSF) is the supervisory authority of the Luxembourg financial sector. Its duties and its field of competence are provided for in Section 2 of the Law of 23 December 1998 establishing a financial sector supervisory commission (“Commission de surveillance du secteur financier”) (the “Organic Law”). The CSSF performs its duties of prudential supervision and supervision of the markets for the purposes of ensuring the safety and soundness of the financial sector, solely in the public interest. Within the limits of its remit, it ensures notably that the authorised persons and the issuers comply with the regulations applicable to them, including those aiming to ensure the protection of the financial consumers and the prevention of the use of the financial sector for the purposes of money laundering or terrorist financing. The CSSF represents Luxembourg in the area of European and international supervision.
In this context, the CSSF underlines its commitment to the protection of your personal data (“Personal Data” or “Data”) and ensures also compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the “GDPR”) as well as with the applicable Luxembourg legislation.
The Personal Data referred to in this policy (hereinafter, the “Policy”) are those of third parties outside the CSSF (which exclude the CSSF’s staff members, i.e. the members of the Executive Board of the CSSF, the Resolution Director, the agents treated as civil servants, the trainee agents, the professional staff treated as State employees (employés de l’Etat), the “salariés” treated as “salariés de l’Etat”, trainees and students and internal service providers) who are referred to individually as “Data Subject” (as defined below) or “You”, i.e.:
The persons who applied for a job or who submitted an unsolicited application are informed of the Processing (as defined below) of their Personal Data via a specific policy called Job Applicant Privacy Notice available under the section “Careers” of the CSSF website: https://careers.cssf.lu/en/home/.
This Policy informs you of the following:
The following concepts are used in this Policy:
The Commission de Surveillance du Secteur Financier (CSSF), a public law institution established at 283, route d’Arlon, L-1150 Luxembourg, acts as Controller of your Personal Data.
The CSSF designated an internal Data Protection Officer (“DPO”) whom You may contact in case of questions relating to the policies or practices of the CSSF with respect to the protection of Personal Data. You may contact the DPO via email or by post at the following address:
Commission de Surveillance du Secteur Financier
DPO / Pascal Pirih
283, route d’Arlon
L-1150 Luxembourg
The CSSF processes Personal Data of Data Subjects in the framework of:
And when:
It concerns, among others, Personal Data that You give the CSSF or that the CSSF receives by third parties (in any way whatsoever, including via digital desks) in the framework of the CSSF’s prudential supervision, supervision of the markets in financial instruments (including their operators), resolution, supervision regarding the fight against money laundering and terrorist financing, protection of financial consumers and public oversight of the audit profession.
The Personal Data processed by the CSSF for the purpose of its tasks carried out in the public interest and the exercise of the public authority conferred on it, will be stored as long as You, or the natural or legal person subject to the CSSF’s supervision for which You work or for which You perform or have performed a function, are subject to the supervision of the CSSF. The CSSF may continue to process your Personal Data beyond this period, e.g. in so far as they may become relevant again for the exercise of the CSSF’s supervisory mission or in the framework of possible liability claims.
The CSSF uses cookies on its website but they are not ‘intrusive’. This means that:
When You use the CSSF website notably to view the information the CSSF makes available, download documents or use online forms, a number of cookies are used by the CSSF and by third parties to allow the website to function and to collect useful information about visitors and to help to improve your user experience.
Manage cookiesThe cookies used on www.cssf.lu:
Category | Name | Description | Duration |
---|---|---|---|
Necessary cookies | cssf_cookies | Saves information regarding the user's consent to the use of cookies for each optional category. | 1 year |
Necessary cookies | ROUTEID | Technical cookie allowing load distribution. | Deleted when the browsing session ends |
Necessary cookies | TBMCookie* | Security: This cookies protects the website against automated attacks. | Deleted when the browsing session ends |
Necessary cookies | __utmvc | These first party cookies are set by a third party service to filter out malicious requests. | Deleted when the browsing session ends |
Necessary cookies | __utmvm* | These first party cookies are set by a third party service to filter out malicious requests. | 15 minutes |
Functional cookies | cssf_profile | This cookie adapts the website pages to the profile chosen by the visitor (professionals, markets, consumers). | 1 year |
Functional cookies | pll_language | This cookie saves the users’ language choice. | 1 year |
Performance cookies | _pk_id.# | Collects anonymous statistical data on the website consultations, such as the number of visits or the average time spent on the website. The data is processed in-house and is not shared with a third party. | 1 year |
Performance cookies | _pk_ses.# | Collects anonymous statistical data for the tracking of the pages consulted during the browsing session. The data is processed in-house and is not shared with a third party. | 30 minutes |
SoundCloud | This content from a third party provider has been blocked. By allowing this content to load, you agree with the terms of SoundCloud's cookie usage and privacy policy |
When You create an account on one of the digital desks made available by the CSSF, You are requested to provide your name, email address, password and optionally the name and address of the company.
This information is used in order to secure your access on the desk concerned.
Your account is kept as long as You use the desk and until You delete your access.
The CSSF does not use the information You provided in order to produce automated decisions likely to affect You.
The CSSF stores the requests in the form of emails for one year, after which they are erased.
When You submit an enquiry via the CSSF website, You are requested to provide your name, email address and optionally a company name and address.
This information is used to respond to your enquiry. The CSSF may email You after your enquiry in order to do a follow-up and ensure that You have received a satisfactory answer.
Your enquiry is stored and processed as an email hosted on the servers of the CSSF in Luxembourg.
The CSSF does not use the information You provided in order to produce automated decisions likely to affect You.
The CSSF stores the requests in the form of emails for one year, after which they are erased.
When You subscribe to the news on the CSSF website, You are requested to provide your email address.
In accordance with Article 6(1)(a) of the GDPR, your consent will be requested before using your email address to send You the following information depending on your selection among these elements: warnings, sanctions and administrative measures imposed by the CSSF, communiqués/press releases, laws and regulations, Newsletter, legal reporting, statistics, EU/international and other publications.
In order to achieve this objective, we use a subcontractor located in the European Union which provides sufficient guarantees as regards the implementation of appropriate technical and organisational measures so that the processing fulfils the requirements of the GDPR and guarantees the protection of your personal data.
Your email address is stored on servers in the European Union.
The CSSF does not use the information You provided to produce automated decisions likely to affect You.
The CSSF stores your email address as long as it produces and disseminates news. In case of withdrawal of your consent, the CSSF will immediately stop sending You the news and your email address will be erased from the CSSF’s and the subcontractor’s database.
When You report a breach of the financial sector regulation (whistleblowing), You are requested to provide your name, email address, report and optionally your address and up to five (5) supporting documents. Please note that alternatively, You may also send an email at the following email address: whistleblowing@cssf.lu.
The CSSF will use this information to determine if it is competent in relation to the reported facts, to analyse their substance and to contact You for further information. The Processing of your Personal Data is necessary to perform a task carried out in the public interest or in the institutional role of the CSSF. Additional information about the whistleblowing procedure is available at: Whistleblowing Questions/Answers.
The CSSF is committed to protecting the whistleblower’s identity within the limits of the applicable law. In other words, neither the identity of the employee having blown the whistle, nor the identity of third parties who may be involved, will be disclosed to the supervised entity concerned. The identity of the whistleblower or of third parties will only be disclosed in circumstances in which the disclosure becomes unavoidable in law (e.g. as a result of the CSSF’s duty to inform the State Prosecutor if the acts may constitute a crime or an offence, or in the context of criminal proceedings against the entity concerned in which case the whistleblower may, as the case may be, be called as a witness). When the CSSF receives a report for which it has no competence and in order to ensure the effectiveness of whistleblowing reports, the information is transmitted in an anonymised manner to the competent supervisory authority (e.g. the European Central Bank or other EU or non-EU financial sector supervisory authorities) subject to compliance with the rules relating to professional secrecy provided for in Article 16 of the Organic Law and the provisions of Chapter V of the GDPR regarding the transfers of Personal Data to third countries (cf. Section 5 below).
Your report will be stored on the internal servers of the CSSF in Luxembourg until the procedure is closed. Afterwards, your Personal Data will be erased.
When You file a complaint as an individual, You will be requested to provide your name, email address, complaint as well as some supporting documents, including a copy of your ID card or any document permitted by law to prove the identity of a natural person.
The CSSF will use this information to determine if it is competent to handle the complaint, to analyse its substance and to contact You for further information. The Processing of your Personal Data is necessary to perform a task carried out in the public interest or in the institutional role of the CSSF.
Your complaint will be stored on the internal servers of the CSSF in Luxembourg until the procedure is closed or for the following ten years. After that, your Personal Data will be erased.
Additional information on the handling of your complaints is available at:
CSSF Regulation N° 16-07 relating to out-of-court complaint resolution
The CSSF may also collect and use your Personal Data if they are provided by your employer or a company with which You are connected in any way, in the framework of a contractual relationship between the CSSF and your employer or said company.
The data consist of your name, your email address and other Personal Data and, in some cases, references to previous jobs and ID document.
The CSSF has a video surveillance system on its premises. Video surveillance means the activity of monitoring with video cameras in order to:
The CSSF stores its surveillance images for fourteen (14) days.
The CSSF maintains a register of the visits with your name, the name of your company and the person visited.
In the context of its mission carried out in the public interest and the exercise of its public powers, the CSSF cooperates in particular with the European Central Bank, the Banque centrale du Luxembourg, the supervisory and/or resolution authorities of the EU Member States, as well as with other national and EU institutions, authorities or bodies in charge of investor and depositor protection and the safeguarding of financial stability. Due to the CSSF’s reporting obligation in accordance with Article 23(2) of the Code of Criminal Procedure, your Personal Data may be transmitted to the State Prosecutor if the acts may constitute a crime or offence.
It is possible that the CSSF, in the context of its mission carried out in the public interest and the exercise of its public powers and within the limits of applicable standards, exchanges your Personal Data with an international organisation. In such a case, the CSSF ensures that the international organisation guarantees an appropriate level of protection (in accordance with Article 45 GDPR) or that it can use a derogation, such as applicable in case of a transfer necessary for important reasons of public interest (in accordance with Article 49 GDPR) or another instrument with appropriate guarantees fulfilling the provisions of Chapter V of the GDPR regarding the transfers of Personal Data to third countries or international organisations.
5.3.1. How and why does the CSSF process your Personal Data?
Given the international dimension of its prudential supervision of the financial sector and supervision of the markets in financial instruments, the CSSF may transfer your personal data to its counterparts located in the European Economic Area (EEA) and outside the EEA.
In the context of international cooperation with its foreign counterparts, the CSSF is committed to have in place the safeguards set out in the Administrative Arrangement for the transfer of personal data between EEA financial supervisory authorities and non-EEA financial supervisory authorities, without prejudice to the European Commission’s adequacy decisions with respect to certain countries1.
In particular, when the CSSF collects and processes Personal Data transferred under the Administrative Arrangement, it guarantees that:
5.3.2. What are your safeguards under the Administrative Arrangement?
As regards the Personal Data shared under the Administrative Arrangement, You can make a written request to the CSSF to receive information about the Processing of your Personal Data, to access the Personal Data and to correct any inaccurate or incomplete Personal Data, as well as make a written request to erase, restrict Processing or to object to the Processing of your Personal Data at the following address:
by mail:
Commission de Surveillance du Secteur Financier
DPO / Pascal Pirih
283, route d’Arlon
L-1150 Luxembourg
or
by email: dpo@cssf.lu
Nevertheless, due to the sensitive nature of the CSSF’s public interest mission and the professional secrecy to which it is bound, in some cases these safeguards might be restricted, in particular where they are likely to seriously impair the objectives of that Processing (Article 14(5)(b) of the GDPR), where obtaining or disclosing information is expressly provided for by law (Article 14(5)(c) of the GDPR) or where they affect the professional secrecy to which the CSSF is subject (Article 14(5)(d) of the GDPR and Article 16 of the Organic Law, the infringement of which is punishable under Article 458 of the Criminal Code).
In each case, the CSSF will assess whether the restriction imposed is appropriate. The restriction should be necessary and provided for by law, and will continue only for as long as the reason for the restriction continues to exist.
5.3.3. What redress is available to you
If you believe that your Personal Data have not been handled consistent with these safeguards, you can lodge a complaint with the transferring authority, the receiving authority or both authorities. To this end, you may contact the CSSF Data Protection Officer whose contact details are given below. In this case, the authorities concerned will use best efforts to settle the complaint or dispute amicably in a timely fashion.
Should the dispute remain unsolved, other methods may be used to resolve it, unless the request is manifestly unfounded or excessive. Such methods include participation in non-binding mediation, as well as in other non-binding dispute resolution proceedings initiated by the natural person or by the authority concerned.
If the dispute is not resolved through cooperation by the authorities, nor through non-binding mediation or other non-binding dispute resolution proceedings, and the transferring authority considers that the receiving authority has not acted in accordance with the safeguards set out in the Administrative Arrangement, the transferring authority will suspend the transfer of Personal Data under this Administrative Arrangement to the receiving authority until it is of the view that the issue raised has been satisfactorily addressed by the receiving authority, and will inform You thereof.
Contact
For any questions or requests for information about redress, You may contact the CSSF:
by mail:
Commission de Surveillance du Secteur Financier
DPO / Pascal Pirih
283, route d’Arlon
L-1150 Luxembourg
or
by email: dpo@cssf.lu
1 The list of third countries that are recognised as having equivalent safeguards is available at: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
Opinion 4/2019 of the European Data Protection Board
Administrative Arrangement
The CSSF is signatory to this Administrative Arrangement. Appendix A contains a list of all EEA authorities that have joined the Administrative Arrangement. The non-EEA authorities that have joined the Administrative Arrangement are listed in Appendix B.
The CSSF implements technical and organisational means in order to protect your Personal Data and prevent any destruction, loss, alteration or modification as well as any unauthorised access or disclosure, voluntary or involuntary. Moreover, the CSSF requests also its service providers which process Personal Data for the CSSF to always take the necessary security measures.
Without prejudice to the general obligation of professional secrecy laid down in Article 16 of the Organic Law and without prejudice to the limitations provided for by the GDPR, You can ask the CSSF what information it holds about You and You can ask the CSSF to correct the information if it is inaccurate. The exercise of the right of access shall not adversely affect the rights and freedoms of others.
When the Processing of your Personal Data is based on consent, You have the right to withdraw your consent at any time. Such withdrawal has no consequence on the validity of the Processing of your Personal Data before the withdrawal.
If your Personal Data are processed for consent purposes or in order to fulfil a contract, You may ask that a copy of the information be sent to You in a machine-readable format so that it can be transferred to another provider. That right shall not apply to Processing necessary for the performance of a mission carried out in the public interest or in the exercise of public authority vested in the CSSF.
Without prejudice to the limitations provided for by the GDPR, You have the right to ask the CSSF to stop using your information for a certain period of time (right to restriction), if You consider that it does not act lawfully.
In order to submit a request concerning your Personal Data by email or by mail, please use the contact details provided in Section 3 above. Your request must be accompanied by a copy of the recto of your ID card, passport or any other ID document.
If you have a complaint to make concerning the use of your information, please contact first the CSSF directly so that it can address your complaint. However, You can also contact the Commission nationale pour la protection des données (CNPD) which is the competent authority in Luxembourg for the protection of Personal Data via its website www.cnpd.lu or by writing to:
Commission nationale pour la protection des données (CNPD)
Service des plaintes
15, Boulevard du Jazz
L-4370 Esch-sur-Alzette
The CSSF regularly reviews and, if appropriate, updates this Policy, as its services and use of Personal Data evolves. If the CSSF wants to make use of your Personal Data in a way that has not been previously identified, You will be contacted to be given information about this and, if necessary, to be asked for your consent.
The CSSF will update the version number and date of this Policy each time it is changed.
The CSSF has a video surveillance system on its premises. Video surveillance means the activity of monitoring with video cameras in order to:
The CSSF stores its surveillance images for fourteen (14) days.
The CSSF maintains a register of the visits with your name, the name of your company and the person visited.
Without prejudice to the limitations provided by the GDPR, you can ask us what information we hold about you, and you can ask us to correct it if it is inaccurate. If we have asked for your consent to process your personal data, you may withdraw that consent at any time.
If we are processing your personal data for reasons of consent or to fulfil a contract, you can ask us to give you a copy of the information in a machine-readable format so that you can transfer it to another provider.
Without prejudice to the limitations provided by the GDPR, if we are processing your personal data for reasons of consent, you can request that your data be erased.
You have the right to ask us to stop using your information for a period of time if you believe we are not doing so lawfully.
Finally, in some circumstances you can ask us not to reach decisions affecting you using automated processing or profiling.
To submit a request regarding your personal data by email, post or telephone, please use the contact information provided above in the Who Are We section of this policy.
If you have a complaint about our use of your information, we would prefer that you first contact us directly, so that we can address your complaint. However, you can also contact the CNPD via their website at www.cnpd.lu or write to them at:
Commission nationale pour la protection des données
Service des plaintes
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
We will regularly review and, if appropriate, update this privacy policy, as our services and use of personal data evolves. If we want to make use of your personal data in a way that we have not previously identified, we will contact you to provide information about this and, if necessary, to ask for your consent.
We will update the version number and date of this page each time it is changed.