External Stakeholders
Last updateOctober 2022

Table of Contents

Introduction. 2

Scope. 2

Update. 2

Categories of personal data processed. 2

Purposes of processing. 3

Legal basis for processing. 4

Recipients of personal data. 4

Storage duration. 4

Security of personal data. 5

Data subjects’ rights. 5


LuxGap (hereinafter “LuxGap”, “firm”, “we”, “us” or “our”) attaches great importance to the protection of personal data and undertakes to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (“GDPR”) as well as any other applicable laws and regulations.


This Privacy Notice (“Notice”) explains how LuxGap collects, uses, shares and otherwise processes your personal data in connection with your relationship with us as a supplier, partner, visitor, client or acting for a client or being generally interested in our services, in accordance with applicable data protection laws and regulations.


This Notice will be reviewed on a periodic basis. Any changes to this Notice shall be approved by LuxGap.

Categories of personal data processed

The term “personal data” means any information that relates to you and allows us to identify you, either directly or in combination with other information that we may hold.

We may collect personal information from you in the course of our business, including through your use of our website, when you contact or request information from us, when you engage our services or as a result of your relationship with one or more of our consultants or clients or when you visit our premises.

Depending on the purposes pursued, we may collect the following information:

Data category  Type
Personal identification information Contact detailsName Email Phone number Reason, date and time of visit/meeting, including online meetings Publicly available information (such as LinkedIn profile etc.)
Professional dataJob title Department and name of organisation
Financial informationPayment related information
Communication informationInformation transmitted as part of the provision of services

Purposes of processing

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose.

We process your personal data for the following purposes:

  1. To establish, administer and implement a business relationship.
  2. To provide our services to you and manage our relationship with you, including communicating with you in relation to your services and products.
  3. To strengthen the existing business relationship or to develop a new business relationship, including through commercial prospecting.
  4. To ensure physical security of the people, items and confidential information located in or accessible from our premises.

We will only use your personal data for the purposes for which we collected it and which we informed you about, unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Legal basis for processing  

The above-mentioned processing activities are based on the following legal bases:

  1. Performance of a contract or precontractual measures.
  2. Performance of a contract.
  3. Legitimate interest or consent.
  4. Legitimate interest.

Recipients of personal data 

We may use or disclose personal data if we are required by law to do so or if we reasonably believe that use or disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.

To achieve the purposes mentioned above, the data is transmitted to the following recipients:

  • Internal employees who have permissions.
  • Network and technology systems providers.
  • IT service provider.
  • Administrative authorities, courts, tribunals, government agencies, law enforcement agencies and notaries.
  • Insurance companies by reason of the conclusion of an insurance contract over the benefits or occurrence of the insured event (e.g., liability insurance).
  • Service providers acting as subcontractors and on instruction from LuxGap.

Any relationship with a subcontractor is managed in accordance with the provisions of Article 28 of the GDPR. LuxGap only uses subcontractors that provide sufficient guarantees and abide by the same obligations.

Some of the above-mentioned recipients may be based in third countries. Where this is the case, transfers will be undertaken in line with Chapter V of the GDPR and applicable data protection laws and regulations. Where a third-party service providers process personal data outside the EEA in the course of providing services to us, our written agreement with them will include appropriate measures, usually in the form of standard contractual clauses.

Personal data retention period

Your personal data is stored by LuxGap only for as long as is necessary for the purpose for which we obtained them. The retention period will depend upon several factors, such as the duration of the contract concluded with you, or legal requirements imposed to LuxGap.

Whenever we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time by contacting us as indicated below or by clicking the unsubscribe link in the email communication we send you. Please, note that the withdrawal of your consent does not affect the lawfulness of the personal data processing based on consent prior to its withdrawal.

Upon expiry of the applicable retention period, we will securely destroy your personal data in accordance with applicable laws and regulations.

Security of personal data

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk so that the processing complies with the GDPR and applicable date protection laws.

These measures must provide for a level of security considered appropriate considering the technical standards and the type of personal data processed but also:

  • the state of the art and implementation costs.
  • the nature, scope, context, and purposes of processing; and
  • the likelihood and severity of the risk to the rights and freedoms of natural persons.

Security requirements are continually evolving, and effective security requires frequent assessment and regular improvement of outdated security measures. We are committed to continuously evaluate, strengthen, and improve the measures we implement.

Data subjects’ rights

As a natural person, you have several rights regarding your personal data that we can exercise in certain circumstances, including:

  • the right of access: You can request access to the data concerning you at any time as well as a copy of the data.
  • the right to rectification: You can request at any time that inaccurate or incomplete data be rectified.
  • the right to request the erasure of data: You can request that your data be deleted when, for example, the data is no longer necessary for the purposes for which it was collected or processed.
  • the right to restriction of processing: You can request that LuxGap restrict the processing of data if, for example, you question the accuracy of the data concerning you or if you object to the processing of data concerning you.
  • the right to data portability: You have the right to have your data transferred to another data controller in a structured, commonly used and machine-readable format, if the processing is carried out by automated means or if it is based on prior consent.
  • the right to object to data processing: You can object to the processing of your data and can withdraw your consent if the processing is based on consent, for example if the data is used for commercial prospecting purposes.

If you wish to exercise your rights, please contact us at dpo@luxgap.com

Your request will be responded to within 1 month at the latest, starting from the moment of your identity confirmation. We may extend the time limit by a further 2 months if the request is complex or if we have received a high number of requests.

You will in general not have to pay a fee to exercise any of your individual rights mentioned in this Privacy Notice. However, we may charge a reasonable fee if your request to exercise your individual rights is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

If you are not satisfied with our response, you also have the right to lodge a complaint at any time with the National Commission for Data Protection (CNPD): https://cnpd.public.lu/