Privacy Policy

This privacy policy notice informs you about the data we collect from you when you use our website. In collecting this information we are acting as a data controller and we are legally required (Regulation EU 2016/679 (GDPR)) to provide you with information about us, about why and how we use your data, and about the rights you have over your data.

 
The processing of personal data is based on, as applicable, Article 6(1)(a), (b), (c), (e) or (f) of Regulation EU 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.

 
The CSSF, which acts as data controller, processes the personal data solely to achieve the specific purpose for which they are collected through the website. The personal data collected are not processed for commercial purposes. Personal data are only shared on a need-to-know basis with staff who are responsible for achieving the purpose of the collection. This data may be shared with people outside the CSSF when this appears necessary in order to achieve the purpose of the collection or in cases provided for by the law. Should a visitor to the website refuse to provide certain essential items of data, the CSSF reserves the right to refrain from dealing with the visitor's question or request.

 
The CSSF processes these personal data for the duration which is strictly necessary in order to attain the specific purposes in view of which the data are processed.

 

Who are we?

We are the Commission de Surveillance du Secteur Financier (CSSF), a public institution which supervises the professionals and products of the Luxembourg financial sector. Our address is 283, route d’Arlon L-1150 Luxembourg.

 

Data Protection Officer

The CSSF has appointed an internal data protection officer for you to contact if you have any questions or concerns about the CSSF’s personal data policies or practices. The CSSF’s data protection officer’s name and contact information are as follows:

 

DPO / Pascal Pirih
CSSF
283, route d’Arlon
L-1150 Luxembourg
dpo@cssf.lu
+352 26 25 1 2283
 

How we use your information

When you use our website
When you submit an enquiry via our website
When you sign up to receive our newsletters
When you report a breach of the financial sector regulation (Whistleblowing)
When you submit a complaint
When you appear as a reporting or contact person for a supervised entity in our online forms

Data transfers outside the European Economic Area

When you physically come to the CSSF
Your rights as a data subject
Your right to complain
Updates to this privacy policy

 

 

When you use our website (Cookie policy)

We use cookies on the CSSF websites, but they are not 'intrusive'. This means that:


• we do not use cookies to gather personal data about you in any way;
• we do not use targeting or advertising cookies that build up a profile of you.

 

When you use our website to view the information we make available, download documents or use online forms, a number of cookies are used by us and by third parties to allow the website to function and to collect useful information about visitors and to help to improve your user experience.

 

These cookies are shown below.

  

| Cookie Name | Purpose | Further information |
| --- | --- | --- |
| fe_typo_user | Preserves user's preferences across page requests. | Deleted at the end of the session |
| _pk_id.# | Collects anonymous statistics on the user's visits to the website, such as the number of visits, average time spent on the website. | Anonymous Data |
| _pk_ses.# | Used to track which pages have been visited during the session. | Anonymous Data |

 

 

When you submit an enquiry via our website

When you submit an enquiry via our website, we ask you to provide the CSSF with your name, email address and enquiry; optionally, you may also provide your company name and/or address.

 

We use this information to respond to your query. We may also email you after your enquiry in order to follow up on your interest and ensure that we have answered it to your satisfaction. We will do this based on our legitimate interest in providing accurate information.

 

Your enquiry is stored and processed as an email which is hosted on our servers in Luxembourg.

 

We do not use the information you provide to make any automated decisions that might affect you.

 

We keep enquiry emails for one year, after which they are deleted.

 

 

When you sign up to receive our newsletters

When you sign up to receive our newsletters, we ask for your email address.

 

We will ask for your consent to use your email address to email you, according to your selection, the following type of information: Warnings, Communiqués/Press releases, Laws and regulations, Newsletter, Legal reporting, Sanctions imposed by the CSSF, Statistics, EU/International and other information.

 

You can withdraw your consent at any time and we will stop sending you the information.

 

Your email address is stored on our servers in Luxembourg and is not shared with a third party.

 

We do not use the information you provide to make any automated decisions that might affect you.

 

We keep your email address for as long as we produce and distribute our newsletters. If you withdraw your consent, we will remove your email address from our database.

 

When you report a breach of the financial sector regulation (Whistleblowing)

When you report a breach of the financial sector regulation (Whistleblowing) via the online form, we will ask you for your name, email and report, and you may optionally provide us with your address and up to 5 supporting documents. Please note that, alternatively, you may also send an email to whistleblowing@cssf.lu.

 

We will use this information to determine if we are competent in relation to the reported facts, to analyse their substance and to contact you for further information. Processing your data is necessary to perform a task carried out in the public interest or in our institutional role. You may find additional information on the whistleblowing procedure at:
Whistleblowing Questions/Answers

 

We are committed to protecting the whistleblower's identity within the limits of the applicable legislation. In other words, neither the identity of the employee having blown the whistle, nor the identity of third parties who may be involved, will be disclosed to the entity concerned. The identity of the whistleblower or of third parties will only be disclosed in circumstances in which the disclosure becomes unavoidable in law (e.g. as a result of the CSSF’s duty to inform the State prosecutor if the acts may constitute a crime or an offence, or in the context of criminal proceedings against the entity concerned in which case the whistleblower may, as the case may be, be called as a witness). Although it may perhaps not always be entirely excluded, despite all the precautions taken, that the employer discovers the whistleblower’s identity by cross-checking information, the CSSF will make every effort to protect it. When we receive a report for which the CSSF has no competence and in order to ensure the effectiveness of whistleblowing reports, we may transmit the information to the competent supervisory authority (e.g. the European Central Bank, or other EU or non-EU financial sector supervisory authorities).

 

Your report is stored on our internal servers until the procedure is closed. After that we will delete your personal data.

 

 

When you submit a complaint

When you file a complaint as an individual, we will ask you for your name, email, address, complaint as well as some supporting documents, including a copy of your ID card or any similar document proving your identity. You may optionally provide us with contact details of your representative.

 

We will use this information to determine if we are in charge of the complaint, to analyse its substance and to contact you for further information. Processing your data is necessary to perform a task carried out in the public interest or in our institutional role.

 

Your contact information may, as a result of the CSSF’s duty, be transmitted to the State prosecutor if the acts may constitute a crime or an offence, or in the context of criminal proceedings against the entity concerned in which case you may, as the case may be, be called as a witness.

 

Your complaint is stored on our internal servers in Luxembourg until the procedure is closed and for the following 10 years. After that, your personal data will be erased.

 

You may find additional information on how we handle your complaints at:
FAQ - Complaints 

CSSF Regulation N° 16-07 relating to out-of-court complaint resolution

 

 

When you appear as a reporting or contact person for a supervised entity in our online forms

When you appear as a reporting person or a contact person in our online forms, we will ask you for your name, email and optionally your telephone number.

 

We will use this information to contact you in the context of the procedure concerned. Processing your data is necessary to perform a task carried out in the public interest or in our institutional role.

 

All data is stored on our servers in Luxembourg for the duration of the procedure concerned and for as long as required by our obligations.

 

 

Data transfers outside the European Economic Area

How and why does the CSSF process your personal data

Given the international dimension of our prudential supervision of the financial sector and supervision of the markets in financial instruments, the CSSF may transfer your personal data to its counterparts located in the European Economic Area (EEA) and outside the EEA.

As a general principle, the CSSF only collects and processes personal data for the performance of the duties vested in it, pursuant to Article 2 of the Law of 23 December 1998 establishing a financial sector supervisory commission, as amended (the Law of 23 December 1998).

In the context of international cooperation with its foreign counterparts, the CSSF is committed to having in place the safeguards set out in the Administrative Arrangement for the transfer of personal data between EEA financial supervisory authorities and non-EEA financial supervisory authorities, without prejudice to the European Commission’s adequacy decisions with respect to certain countries[1].

In particular, when the CSSF collects and processes personal data transferred under the Administrative Arrangement, it guarantees that: 

  • it will only transfer personal data that are relevant, adequate and limited to what is necessary for the purposes for which they are transferred and further processed;
  • it will have in place appropriate technical and organisational measures to protect personal data that are transferred to it against any accidental or unlawful access, destruction, loss, alteration or unauthorised disclosure;
  • it will retain personal data for no longer than is appropriate and necessary for the purpose for which the data are processed;
  • it will not take any decision concerning a natural person based solely on automated processing of personal data, including profiling, without human involvement;
  • it will not divulge your personal data for other purposes, such as for commercial or marketing purposes.

What are your safeguards under the Administrative Arrangement?

As regards the personal data shared under the Administrative Arrangement, you can make a written request to the CSSF to receive information about the processing of your personal data, to access the personal data and to correct any inaccurate or incomplete personal data, as well as make a written request for the erasure, restriction of processing or to object to the processing of your personal data at the following address: 

  • by mail: Commission de Surveillance du Secteur Financier
                 DPO / Pascal Pirih
                 283, route d’Arlon 
                 L-1150 Luxembourg

or

Nevertheless, due to the sensitive nature of our public interest mission and the professional secrecy to which we are bound, in some cases these safeguards might be restricted, in particular where they are likely to severely compromise the purposes of the processing operations concerned (Article 14(5)(b) of the GDPR), where obtaining or disclosing information is expressly provided for by law (Article 14(5)(c) of the GDPR) or where they affect the professional secrecy to which the CSSF is subject (Article 14(5)(d) of the GDPR and Article 16 of the Law of 23 December 1998 the infringement of which is punishable under Article 458 of the Criminal Code).

In each case, the CSSF will assess whether the restriction imposed is appropriate. The restriction should be necessary and provided for by law, and will continue only for as long as the reason for the restriction continues to exist.


What redress is available to you?

If you believe that your personal data have not been handled consistently with these safeguards, you can lodge a complaint with the transferring authority, the receiving authority or both authorities. To this end, you may contact the CSSF Data Protection Officer whose contact details are given below. In this case, the authorities concerned will use best efforts to settle the complaint or dispute amicably in a timely fashion.

Should the dispute remain unsolved, other methods may be used to resolve it, unless the request is manifestly unfounded or excessive. Such methods include participation in non-binding mediation, as well as in other non-binding dispute resolution proceedings initiated by the natural person or by the authority concerned.

If the dispute is not resolved through cooperation by the authorities, nor through non-binding mediation or other non-binding dispute resolution proceedings, and the transferring authority considers that the receiving authority has not acted in accordance with the safeguards set out in the Administrative Arrangement, the transferring authority will suspend the transfer of personal data under this Administrative Arrangement to the receiving authority until it is of the view that the issue raised has been satisfactorily addressed by the receiving authority, and will inform you thereof.


Contact

For any questions or requests for information about redress, you may contact the CSSF:

  •  by mail: Commission de Surveillance du Secteur Financier
                  DPO / Pascal Pirih
                  283, route d’Arlon 
                  L-1150 Luxembourg

 or

[1] The list of third countries that are recognised as having equivalent safeguards is available at: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

 

Opinion 4/2019 of the European Data Protection Board

Administrative Arrangement

CSSF is a signatory to this administrative arrangement. Appendix A contains a list of all EEA (European Economic Area) authorities that have joined the administrative arrangement. The non-EEA authorities that have joined the administrative arrangement are listed in Appendix B.

 

When you physically come to the CSSF

The CSSF has a video surveillance system on its premises. Video surveillance means the activity of monitoring with video cameras in order to:

  • secure access to the buildings;
  • ensure the security of its staff;
  • detect and identify possible suspicious or dangerous behaviours likely to lead to accidents or incidents;
  • accurately locate the origin of an incident;
  • protect the CSSF’s property (buildings, installations, equipment, etc.);
  • organise and oversee a rapid evacuation of the staff in case of an incident;
  • be able to warn the rescue and fire services or the police force in time, as well as to facilitate their intervention.

The CSSF stores its surveillance images for fourteen (14) days.
The CSSF maintains a register of the visits with your name, the name of your company and the person visited.

 

 

Your rights as a data subject

Without prejudice to the limitations provided by the GDPR, you can ask us what information we hold about you, and you can ask us to correct it if it is inaccurate. If we have asked for your consent to process your personal data, you may withdraw that consent at any time.

 

If we are processing your personal data for reasons of consent or to fulfil a contract, you can ask us to give you a copy of the information in a machine-readable format so that you can transfer it to another provider.

 

Without prejudice to the limitations provided by the GDPR, if we are processing your personal data for reasons of consent, you can request that your data be erased.

 

You have the right to ask us to stop using your information for a period of time if you believe we are not doing so lawfully.

 

Finally, in some circumstances you can ask us not to reach decisions affecting you using automated processing or profiling.

 
To submit a request regarding your personal data by email, post or telephone, please use the contact information provided above in the Who Are We section of this policy.

 

Your right to complain

If you have a complaint about our use of your information, we would prefer that you first contact us directly, so that we can address your complaint. However, you can also contact the CNPD via their website at www.cnpd.lu or write to them at:

Commission nationale pour la protection des données
Service des plaintes
1, avenue du Rock'n'Roll
L-4361 Esch-sur-Alzette

 

 

Updates to this privacy policy

We will regularly review and, if appropriate, update this privacy policy, as our services and use of personal data evolve. If we want to make use of your personal data in a way that we have not previously identified, we will contact you to provide information about this and, if necessary, to ask for your consent.

 

We will update the version number and date of this page each time it is changed.

 

Version 1.2 of 2 September 2019