Introduction
This Data Privacy Policy is an additional part of our Data Protection Policy, designed specifically for web-based applications, in particular for the following features of our website:
- Membership form
- Contact us form
- Cookies and tracking web items for security purposes
Definitions
According to Article 4 of the European Data Protection Regulation, the following terms are in use:
“GDPR”: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Personal Data”: Information of any type regardless of the type of medium, including sound and image, relating to an identified or identifiable natural person (data subject).
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
What we collect
To provide its services, LFMA needs to collect and process certain information about you. The data we collect depends on the context of your interactions with LFMA and the choices you make, including the services which are provided to you.
It is to be noted that you have choices about the data we collect. When you are asked to provide personal data, you may decline. If you choose not to provide data that is necessary to provide the service, we may not be able to deliver the service.
Categories of Data Processed
The data we collect and process can include the following, but is not limited to:
- Identification data: we collect data about you such as your first and last name and other similar contact data, date of birth, gender as title, country, nationality and preferred language;
- Business contact information: we collect data about you such as job function, job title, department, organisation name (company), location, email address, postal address, phone number, mobile phone, fax;
- Financial information: we collect your financial information, such as financial account information, if needed to take payment or fulfil related purposes like annual fee for memberships.
Further to the categories of data mentioned above, LFMA guarantees that we neither request nor collect special categories of data (i.e., personal information specifying criminal offences/convictions, medical or health conditions, biometric or genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual).
Ways of collecting Data
Information that we automatically collect when you use our Website: when you use our Website, we automatically collect, through Cookies, the following information:
- Navigation and click-stream data;
- HTTP protocol elements;
A cookie is “a text file that a Web browser stores on a user’s machine. Websites activate cookies for authentication, storing website information/preferences, other browsing information and anything else that can help the Web browser while accessing Web servers. HTTP cookies are known by many different names, including browser cookies, Web cookies or HTTP cookies.”
- Session: it expires when the browser is closed
- Permanent: it persists even when the browser is closed. Such cookies nevertheless have an expiration date by law (e.g. cookies that remember passwords and logins so that they need not be re-entered every time).
- Third-party: cookie attributes usually correspond to the domain of the website they are on. This is not the case for third-party cookies: as the name suggests, they are installed by third-party websites, such as advertisers. They gather data about your browsing habits and allow those third parties to track you across multiple websites. Other websites using third-party cookies: Facebook, Flickr, Google Analytics, Google Maps, Google Plus, SoundCloud, Tumblr, Twitter and YouTube.
Considering these definitions, LFMA shall use only the following: Facebook, Instagram, XING, LinkedIn, Google Analytics, Google Maps, Google Plus, SoundCloud, Flickr, Twitter and YouTube.
Personal data that we collect when you apply for membership with LFMA: we may collect and process your data when you conduct business with us. "Personal data" means information relating to an identified or identifiable natural person that LFMA receives on behalf of the client himself/herself/itself. Examples of categories of such personal data can be found in the previous section.
Purposes for collection, use and processing of member’s data
For processing to be lawful under the General Data Protection Regulation (the “GDPR”), a lawful basis needs to be identified before processing personal data.
We use or may use your personal data for the following purposes (or as otherwise described at the point of collection) in line with the lawful basis under the GDPR:
- To provide you with the service you have requested;
  - Processing is necessary for the performance of a contract with the data subject.
- To provide you with information, access to resources or other services that you have requested from us on behalf of your organization;
  - Processing is necessary for the performance of a contract with the data subject.
- To send you client service-related communications (marketing);
  - Processing is necessary for the purposes of the legitimate interests pursued by the controller.
- To manage the infrastructure and business operations of LFMA and to comply with internal policies and procedures;
  - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
- To comply with any applicable rules, laws and regulations, codes of practice or guidelines or to assist in law enforcement and investigations by relevant authorities.
  - Processing is necessary for compliance with a legal obligation.
We may contact you by mail, telephone, fax, video conference, email or other electronic messaging service to notify you about special events, new features or other information that may be of interest to you in accordance with your interaction with LFMA. Where required by applicable law, your prior consent will be obtained before sending you direct marketing and you may object or opt out of receiving marketing messages from LFMA.
LFMA does not in any way sell, lease or rent your information to third parties.
Disclosure of your Personal Data
Service providers: LFMA may disclose/transfer your data to third parties that we refer to as service providers, solely to the extent necessary to enable such service providers to provide services to LFMA and to assist us in providing services to you. LFMA’s policy is to maintain contracts with all third parties to whom we disclose/transfer personal information that restrict their access, use and disclosure of personal data. Service providers must, in fact, abide by our data privacy and security requirements and are not allowed to use personal data they receive from us for any other purpose.
Safety, security and compliance with law: we will access, transfer, disclose and preserve personal data to comply with applicable law or respond to subpoenas, court orders or other valid legal process, for reasons relating to national security, to defend against legal claims, to protect the rights and safety of LFMA, LFMA’s clients, employees or others. This may involve the sharing of your data with law enforcement, government agencies, courts and other organizations.
Consent: we may share your data in other ways and for new purposes if you have asked us to do so and have consented to such sharing.
Access to personal Data
LFMA seeks to ensure that you are able to exercise your rights at any time. LFMA will address any request within the limits of its technical and organizational means.
These include:
- Right to access your personal information: should you want to review the data we hold, collect and process about you, please let us know by contacting us using the contact information provided in the section “HOW TO CONTACT US” of this policy.
- Right to rectification: should the data we hold, collect and process about you be inaccurate or incomplete, you have the right to update such data at any time by contacting us using the contact information provided in the section “HOW TO CONTACT US” of this policy.
- Right to erasure: if at any time you decide you do not want us to retain any personal data we collected from you, you may request that we delete your data by contacting us using the contact information provided in the section “HOW TO CONTACT US” of this policy. We will take reasonable measures to comply with your request in accordance with applicable laws.
- Right to restriction of processing: should you wish to exercise this right, please contact us using the contact information provided in the section “HOW TO CONTACT US” of this policy. You may obtain restriction of processing only where this is in accordance with applicable laws.
- Right to object: should you wish to exercise this right, please contact us using the contact information provided in the section “HOW TO CONTACT US” of this policy. We will consider your objection and we will comply with it unless we have a compelling legitimate ground as permitted by applicable law.
- Right to data portability: you may have the right to have your personal data transmitted directly from us to another controller only when you have asked us to do so and have consented to such sharing, and when technically feasible. Should you wish to exercise this right, please contact us using the contact information provided in the section “HOW TO CONTACT US” of this policy.
- Right to lodge a complaint with the supervisory authority: you have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (the “CNPD”), where you believe that your data is being processed in a way that does not comply with the GDPR.
How we protect your Data
LFMA acknowledges your trust and is committed to protecting the data you provide to us. We maintain appropriate organisational, physical and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of personal data) to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of personal data.
Confidentiality
Considering the appropriate security measures, the processing of personal data constitutes a legitimate interest of the data controller concerned.
LFMA guarantees that the processing of personal data shall be operated with confidentiality, integrity and respect for the rights and freedoms of a natural person.
Notification of personal Data Breach
LFMA will notify its client of any personal data breach by Arendt, its processors, or any other third-parties acting on Arendt’s behalf without undue delay, only where the personal data breach is likely to result in a high risk to the rights and freedoms of the client.
Retention period of personal Data
LFMA will only retain your personal data:
- For as long as it is necessary for the purpose or purposes for which it was intended;
- For as long as your membership is active;
- For as long as required or permitted by law.
Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy from time to time to reflect changes in the law and in our data collection and use practices, and to ensure it is accurate, complete and up-to-date*. You are advised to check this Privacy Policy from time to time.
*Last update on 12/07/2018
How to contact Us
If you have any questions or concerns about our use of your information or regarding our Privacy Policy, you may contact us by sending an email to secretariat@lfma.lu or by writing to us at:
LFMA
Boîte postale 776
L - 2017 Luxembourg