DATA PRIVACY

General Privacy Notice

Version last updated on January 24th, 2022

LIH, 1A-B rue Thomas Edison L-1445 Strassen, Luxembourg (“we”) is committed to the protection of your personal data in accordance with data protection legislation, especially the General Data Protection Regulation EU 2016/679 (the “GDPR”).

This Data Protection Notice is directed to users or visitors of our website (the “Site”), and to individuals who contact us by any means or provide services to us (together “You”). It provides You with detailed information relating to the protection of your personal data by us.

1. Who is the controller of your personal data?

LIH, 1A-B rue Thomas Edison L-1445 Strassen is responsible as a data controller, for collecting and processing your personal data in relation to our activities. The purpose of this Data Protection Notice is to inform You about which personal data we collect, the reasons why we use and share such data, how long we keep it, what rights You have and how You can exercise them.

Where necessary, further information may be provided when You are in contact with us for a specific activity.

2. What personal data do we process?

We collect and use your personal data to the extent necessary in relation to our activities.

We may collect various types of personal data about You, including:

identification data (such as your name, contact details, address, telephone, email, country),
professional details (such as company/organisation name and job title),
electronic identification data (e.g. email address, IP address, web browser and operating system used electronic signature, remote connection data),
details of information request, claims or other information related to users interaction with LIH,
banking details (such as bank account number, IBAN).

The data collected on our Site stem exclusively from the voluntary registering of your personal data (for example by contacting us through our online contact forms, by subscribing to our newsletter, by applying to one of our job offers, or by registering to an event).

With the exception of the information indicated above and in the cookies settings (Manage consent, according to your preferences), we do not collect, via freely accessible pages on this Site, personal data other than those listed above and those voluntarily entered by You, using the online forms provided for that purpose, most notably to contact us.

If You wish to learn more about cookies, please click here.

3. What are the purposes of and the legal basis for our processing?

We collect and use your personal data for the following purposes:

for the provision of services or information requested by You,
for the management of our events (registration, list of attendees),
to receive job applications as detailed under the notice “Data Protection Notice for recruitment”,
to send You our newsletter,
to manage our business relationship with You,
to provide You with a safe and comfortable experience when visiting our Site,
to manage or improve our Site and services provided by us,

We collect your personal data on the following basis:

to perform a contract or for pre-contractual measures with You or an organisation You represent,
to comply with our legal and regulatory obligations,
for our legitimate interests, or
with your consent.

4. Who do we share your personal data with?

In order to fulfil the aforementioned purposes, we may communicate your personal data to:

service providers/vendors that perform services on our behalf,
law enforcement or other government and regulatory bodies or agencies, upon request and to the extent permitted by law
certain regulated professionals such as lawyers or auditors.

In particular, we would like to inform You that this Site uses cookies that are linked to a web analytics service called “Google Analytics”, therefore, if You accept such cookies, your data will be accessed and processed by Google LLC (USA). You can find additional information about the processing of your data in the context of LIH’s use of Google Analytics.

We may also receive requests from third parties with authority to access your personal data. We will only respond to such requests where we are permitted to do so in accordance with applicable laws and regulations.

We require all third parties to respect the security of your personal data and to process it in accordance with the law.

5. Where do we transfer your personal data?

We may use third party providers to deliver our services and this may involve transfers of your personal data to countries outside of the European Union/European Economic Area (EU/EEA). In case of international transfers originating from the EU/EEA to a country outside the EU/EEA, the transfer of your personal data may occur where the European Commission has decided that the country outside the EU/EEA ensures an adequate level of data protection.

For transfers to countries outside the EU/EEA for which the level of protection has not been recognised as adequate by the European Commission, we will either implement appropriate safeguards provided for by current data protection law (e.g. the entry into standard data protection clauses) or rely on a derogation applicable to specific situations (such as your explicit consent).
You can obtain more information regarding relevant safeguards we rely on by contacting our Data Protection Officer.

6. Security of your personal data.

The processing of your personal data is carried out through IT, electronic and manual tools, with logics strictly related to the aforementioned purposes and, in any event, in compliance with the appropriate technical and organisational measures required by law to ensure a level of security that is adequate to the risk, in order to avoid unauthorised loss or access to your data.

7. How long do we keep your personal data?

We will retain your personal data for: (i) as long as necessary to fulfil the purposes we collected it for, (ii) the period defined by our operational requirements (such as facilitating our relationship management with You) and (iii) for the time necessary for compliance with our legal obligations.

8. What are your rights regarding your personal data?

In accordance with applicable data protection law, you may exercise at any time the following rights in relation to your personal data:

right to access, which enables You (according to art. 15 of the GDPR) to obtain from us confirmation of whether personal data are being processed or not and, if so, obtain access to such data; we process a large quantity of information, and can thus request, in accordance with the GDPR, that before the information is provided, You specify the information or processing activities to which your request relates;
right to rectification, which enables You (according to art. 16 of the GDPR) to obtain from us the correction and/or integration of any of your personal data that are incorrect and/or incomplete;
and in certain limited cases (in which case we will analyse whether the conditions for the exercise of such rights are fulfilled):
right to erasure, which enables You, in specific cases provided for by art. 17 GDPR, to obtain from us the erasure of your personal data;
right to restriction of processing, which enables You, in the specific cases provided for by art. 18 of the GDPR, to restrict the processing of your personal data by us;
right to object, which enables You to object to the processing of your personal data when the conditions provided for by art. 21 of the GDPR are met;
right to data portability, which enables You, in specific cases provided for in art. 20 of the GDPR and only with regard to the data You have provided to us, to request receipt of your personal data in a structured and commonly machine-readable format.

If You have provided your consent to the processing of your personal data, You can withdraw such consent at any time.

To exercise any of these rights, You may contact our Data Protection Officer by email or by postal mail:

Luxembourg Institute of Health
Data Protection Officer
1A-B rue Thomas Edison 
L-1445 Strassen

You have the right to lodge a formal complaint with the Commission nationale pour la protection des données (CNPD). Full details may be accessed on the complaints section of CNPD’s website.

Changes to this Data Protection Notice

Changes may occur in the way we process personal data. In case these changes oblige us to update this Data Protection Notice, we will clearly communicate it to You, either via our Site or via other appropriate means. The latest applicable version will always be available on our Site.

Privacy Notice for Patients and Study Participants

Version last updated on July 16th 2024

The Luxembourg Institute of Health (LIH), 1A-B rue Thomas Edison L-1445 Strassen, Luxembourg (‘we’ or ‘us’) is a public health research institute. We aim to generate knowledge on disease mechanisms and contribute to the development of new diagnostics, preventive strategies, innovative therapies that have an impact on the healthcare of individuals.

We are committed to complying with laws and regulations that govern the conduct of health research. This includes the General Data Protection Regulation EU 2016/679 (the ‘GDPR’) and any other applicable EU or local legislation or regulation implementing GDPR (notably the Luxembourg law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of the GDPR), as well as their successor texts (together ‘data protection legislation’).

As a public research institute under the law of 3 December 2014 on the organisation of public research centres, we conduct research in the public interest and make sure that our research serves the interests of society as a whole. Some of our research activities may be conducted in collaboration with commercial organisations and funders. In any case, our research follows Luxembourg laws and regulations applicable to research.

This Data Protection Notice is addressed to patients and overall participants in our scientific research, studies or projects (‘you’). It provides you with detailed information relating to the processing of your personal data by us.

1. Who is the controller of your personal data?

LIH is responsible as a data controller, for collecting and processing your personal data in relation to your participation in our scientific research, studies or projects.

The purpose of this Data Protection Notice is to inform you about which personal data we collect, the reasons why we use and share such data, how long we keep it, what rights you have and how you can exercise them.

Although this notice describes the processing activities typically carried out under LIH’s sole responsibility, we would like to stress that, depending on the nature of the research activities, your personal data can also be processed by other research partners, either jointly with LIH or on behalf and under the instructions of LIH.

2. What categories of personal data do we process, for which purposes and under which legal bases?

We collect and use your personal data to the extent necessary to carry out our research activities and to ensure that such activities are performed in an efficient, secure and compliant manner.

In the context of the research activities carried out by LIH, we collect information about you (i) directly from you, or (ii) indirectly from your medical records or from databases (e.g. data concerning healthcare and held by social security authorities) and/or (iii) generated through the analysis of your biological samples, in accordance with applicable laws.

Please be informed that when you agree to participate in a specific research project carried out by LIH, we will (where required) provide you with an additional notice that explains, in detail, which categories of personal data will be processed and how will these be processed considering the research objectives pursued.

In the table below, you will find information about the categories of personal data that might be processed by LIH within each processing operation, as well as the lawful bases under which we process your data.

3. With whom do we share your personal data?

Depending on the nature and scope of our research activities, and as detailed under the notice to be provided (where applicable) under each project or study, your personal data may be shared with the following recipients:

our scientific teams in charge of a specific research study or project;
professionals intervening in a specific research study or project;
professionals in charge of data collection, quality controls, processing and statistical analysis of your personal data;
other researchers or research organisations (whether from the academic or private sector) for the purpose of achieving the research outcomes of our projects;
entities to whom we provide research activities in the frame of an applicable law (e.g. the Luxembourg’s National Health Observatory).

The personal data used in our research activities is coded or pseudonymised before we analyse it, share it and/or publish the research outcomes.

In some cases, the research entities mentioned above may process your personal data on behalf and under the instructions of LIH, therefore, acting as LIH’s Processors, as defined under the GDPR. All data processors engaged by LIH are contractually bound by data protection obligations (data processing agreement)

We may, depending on the nature and scientific objectives of the research project or study, communicate your personal data, as much as possible after pseudonymisation, to:

third-party service providers/vendors that perform services on our behalf to support our research studies or projects, namely, software providers or cloud storage providers.

In the event of audits, investigations or proceedings, we may communicate your personal data to:

law enforcement or other government and regulatory bodies or agencies, upon request and to the extent permitted by law
regulated professionals such as lawyers or auditors.

We require all third parties to respect the security of your personal data and to process it in accordance with applicable laws and regulations.

4. Where do we transfer your personal data?

Our activities may involve transfers of your personal data to countries outside of the European Union/European Economic Area (EU/EEA). In this case, the transfer of your personal data may occur where the European Commission has decided that the country outside the EU/EEA ensures an adequate level of data protection.

For transfers to countries outside the EU/EEA for which the level of protection has not been recognised as adequate by the European Commission, we will either implement appropriate safeguards foreseen in the data protection legislation (e.g. standard data protection clauses) or rely on a derogation applicable to specific situations (such as your explicit consent).

You can obtain more information regarding relevant safeguards we rely on by contacting us at dpo@lih.lu.

5. Security of your personal data

The processing of your personal data is carried out through IT, electronic and manual tools, strictly for the aforementioned purposes and, in any event, in compliance with the appropriate technical and organisational measures required by law, to ensure a level of security that is adequate to the risk, in order to avoid unauthorised loss or access to your data.

In order to protect your rights and the confidentiality of your personal data – especially when processing sensitive data (e.g. health data, genetic data…) for scientific research purposes – we must have suitable and specific safeguards in place to help protect your personal data. Our researchers are asked to implement:

– Anonymization or pseudonymisation (e.g. remove direct identifiers such as your name and replace this with a unique code or key) wherever feasible and at the earliest opportunity.

– Data partitioning (keep your identifiers separate from other study data)

– Access rights management to ensure that only a small number of authorized people will have access to your data.

6. How long do we keep your personal data?

We will retain your personal data as long as necessary to fulfil the purposes we collected it for and for the time necessary for compliance with our legal obligations. The time periods for which we retain your personal data depend on the type of data and the purposes for which we use it and are further specified under the notice provided (wherever applicable) to participants of a specific research project or study.

In accordance with the data minimisation principle, we ask our researchers to anonymise, pseudonymise or delete personal data collected as part of their research as soon as data is no longer needed. Thus, data which allows your identification (e.g. your name, surname, email, postal address…) will usually be kept for a minimum amount of time and in accordance with our research objectives. We will, however, retain l data which does not directly identify you (you’re your answers to questionnaires, age, gender, clinical data…) and documents related to our studies (e.g. consent forms) for a longer period, following the completion of our research, study or project, whenever there is a legitimate reason, a legal or regulatory requirement to do so.

We stress that we will provide you information, by appropriate means (e.g. participant information sheet), regarding how long your personal data will be kept for in specific research projects in which you participate.

7. What are your rights regarding your personal data?

In accordance with data protection legislation, you may exercise at any time individual rights in relation to your personal data:

right to access, which enables you (according to art. 15 of the GDPR) to obtain from us confirmation on whether personal data is being processed or not and, if so, obtain access to such data; we process a large quantity of information, and can thus request, in accordance with the GDPR, that before the information is provided, you specify the information or processing activities to which your request relates;
right to rectification, which enables you (according to art. 16 of the GDPR) to obtain from us the correction and/or integration of any of your personal data that are incorrect and/or incomplete;

and in certain limited cases (in which case we will analyse whether the conditions for the exercise of such rights are fulfilled):

right to erasure, which enables you, in specific cases provided for by art. 17 GDPR, to obtain from us the erasure of your personal data;
right to restriction of processing, which enables you, in the specific cases provided for by art. 18 of the GDPR, to restrict the processing of your personal data by us;
right to object, which enables you to object to the processing of your personal data when the conditions provided for by art. 21 of the GDPR are met;
right to data portability, which enables you, in specific cases provided for in art. 20 of the GDPR and with regard only to the data you have provided to us, to request receipt of your personal data in a structured and commonly machine-readable format.

Please note that the extent to which these rights apply to research will vary and that in some circumstances rights may be restricted. It should also be noted that we can only implement your rights during the period upon which we hold personal data about you. Once the data we hold about you has been irreversibly anonymised and becomes part of a research dataset, it will not be possible to access your personal data.

If you have provided your consent to the processing of your personal data, you can withdraw such consent at any time and this will not adversely affect your medical care.

To exercise any of these rights, you may contact our Data Protection Officer by email at dpo@lih.lu or by postal mail:

Luxembourg Institute of Health (LIH)
Data Protection Officer
1A-B rue Thomas Edison
L-1445 Strassen

You have the right to lodge a formal complaint with the Commission nationale pour la protection des données (CNPD). Full details may be accessed on the complaints section of CNPD’s website (https://cnpd.public.lu).

8. Changes to this data protection notice

Changes may occur in the way we process your personal data. In case these changes oblige us to update this Data Protection Notice, the latest applicable version will always be available on our website.

9. Glossary

Anonymisation means the irreversible process of rendering personal data anonymous in such a manner that the data subject is not or is no longer identifiable.

Consent means any freely given, specific, informed and unambiguous indication of the data subjects’ agreement to the processing of their personal data through a statement or a clear affirmative action.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data concerning health or health data means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (as defined by GDPR).

Processing means any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Sensitive personal data or special categories of data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Third party means natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Privacy Notice for Recruitment

Version last updated on January 3rd, 2023

Luxembourg Institute of Health (LIH), 1A-B rue Thomas Edison L-1445 Strassen, Luxembourg (“we”) is committed to the protection of your personal data in accordance with data protection legislation, especially the General Data Protection Regulation EU 2016/679 (the “GDPR”).

This Data Protection Notice for recruitment concerns candidates who apply for a job at LIH (“you”). It provides you with detailed information relating to the way we protect your personal data.

1. Who is the controller of your personal data?

LIH is responsible as a data controller, for collecting and processing personal data in relation to your application for a position at LIH and our recruitment process. The purpose of this Data Protection Notice for recruitment is to inform you about which personal data we collect, the reasons why we use and share such data, how long we keep it, what rights you have and how you can exercise them.

2. What personal data do we process?

We collect and use your personal data to the extent necessary in relation to our recruitment process.

We may collect various types of personal data that you decide to submit in relation to your application for a particular job position, including:

identification data (such as your name, date and place of birth, nationality, contact details, address, telephone, email, country, or other contact information),
job application data (CV, cover letter, previous work experience, education, additional qualification, or other information regarding your professional qualification and experience, additional skills and abilities, professional interest, details of your right to work in Luxembourg),
pre-employment checks (interview notes, records/results of pre-employment checks, information included on your CV/resume and/or any application forms),
image: we do not require from job applicants to include photos as part of their job application documentation. It is up to you if you would like to voluntarily submit your photo,
identification of the job and personal requirements (type of employment sought, desired salary, willingness to relocate, or other job preferences you decide to voluntary submit),
referees (reference letters, names and contact details for referees),
any other information that you decide to voluntarily share with us, such as hobbies, interests, professional plans, how you found about our job offer, what motivates you to apply for a job at LIH, marital status, salary level…

If you decide to attach reference letters to your job application, it is your responsibility to inform the concerned referees (before providing their personal data to us) that their personal data will be processed by LIH in accordance with this Data protection notice for recruitment. We will not contact directly your referees, unless you have informed us that we may proceed in such a manner.

We do not require from job applicants to include any special categories of data – racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (which allow or confirm your unique identification), data concerning health, data concerning sex life or sexual orientation) – nor any judicial data (e.g. criminal records) as part of the job application documentation. Please do not include such sensitive data in your job application.

We may collect information about you from publicly accessible sources (such as LinkedIn) where we collect your full name, email, work history, and other data included on your profile.

We may also receive information about you from recruitment agencies (such as your CV and motivation letter as well as any personal data you voluntarily include in your application) and from ADEM (Agence pour le développement de l’emploi) if you have an employment reintegration contract with ADEM and ADEM suggests you to apply for an LIH position. In this case, ADEM provides us only your contact details and we confirm if you applied or not.

You can choose what type of information to submit as part of your job application. Normally, the following categories of data would be strictly necessary, so we can consider your job application for a particular position: your identification data, your job application data, pre-employment checks and identification of the job and personal requirements.

In certain cases, an LIH job advertisement may specify additional categories of personal data required for a specific position. If so, provision of such information is also mandatory (please check the job advertisement again). The submission of any other information is entirely voluntary.

3. What are the purposes of and the legal basis for our processing?

We collect and use your personal data for the following purposes:

to assess your skills, qualifications and interests against our career opportunities,
to maintain our relationship during the recruitment process, including by calling you and inviting you to interviews, exchange of offers and terms of employment, etc.,
to verify the information you provide us, to run our internal compliance and conflict checks and to conduct reference/background checks (if required under applicable law or subject to your consent);
to communicate with you and, with your consent, inform you of other career opportunities,
for security and protection of our organization, IT networks and LIH information;
to improve our recruitment process, and
to defend ourselves in any legal or court proceedings.

We collect your personal data on the following basis:

pre-contractual measures necessary to establish a contractual relationship with you or take steps in this direction, at your request,
to comply with our legal and regulatory obligations related to recruitment campaigns,
for our legitimate interests, including: to ensure that our institute, IT networks and information are secure, to manage our recruitment process, (where applicable) to conduct tests about your personality, to keep records of the recruitment process and to protect our interest and rights in the event of investigated, suspected or actual violations of applicable law, or
with your consent (only when legally required or permitted).

4. Whom do we share your personal data with?

In order to fulfil the aforementioned purposes, your personal data may be shared internally for the purposes of the recruitment process with members of the LIH Human Resources department, interviewers involved in the recruitment process, and managers in the business area with a vacancy if access to the data is necessary for the performance of their roles. LIH Human Resources will have access to your personal data for the purposes listed above.Please note that in the course of the recruitment of candidates, personal data of these candidates (CVs) may be shared with non-LIH members of the selection committee (e.g: researchers from the University of Luxembourg, LIST, LISER, Hospitals in Luxembourg, private company involved in your project, researchers abroad…).

We may also communicate your personal data to:

service providers/vendors (such as recruitment agencies) that perform services on our behalf,
law enforcement or other government and regulatory bodies or agencies, upon request and to the extent permitted by law
certain regulated professionals such as lawyers or auditors.

We may also receive requests from third parties with authority to obtain disclosure of personal data. We will only respond to such requests where we are permitted to do so in accordance with applicable laws and regulations.

We require all third parties to respect the security of your personal data and to process it in accordance with the law.

5. Where do we transfer your personal data?

You can obtain more information regarding relevant safeguards we rely on by contacting us at dpo@lih.lu.

In case of recruitment of high-profile candidates, members of the selection committee may be located outside the EU/EEE (e.g. researchers in foreign universities) and the CVs of these candidates are sent to them in order to ensure that recognised experts in the field assess the application, given the magnitude and the impact of the research projects conducted by LIH. Such transfers are occasional and necessary for the implementation of pre-contractual measures taken following the application of such high-profile candidates (art. 49(1)(b) of the GDPR) and particularly necessary in order to complete the selection process and proceed to the contract with the candidates.

6. Security of your personal data.

7. How long do we keep your personal data?

If your job application is unsuccessful, we will retain your personal data for 2 (two) years after the end of the relevant recruitment process (to keep records of the recruitment process and to protect our interest and rights in the event of investigated, suspected or actual violations of applicable law and, where applicable, to contact you regarding future employment opportunities). At the end of that period, or once you oppose to your personal data being processed, your personal data will be deleted or destroyed.

We may process your personal data for the purposes of contacting you in case of future employment opportunities, in the event you gave us your consent to do so.

Note that in case you are selected for the job position you applied for, the above categories of personal data will continue being processed as part of your employment file with LIH (more information will be provided to you upon the start of your employment).

8. What are you rights regarding your personal data?

You may exercise at any time, the following rights in relation to your personal data processed by LIH for recruitment purposes:

right to access, which enables you (according to art. 15 of the GDPR) to obtain from us confirmation of whether personal data are being processed or not and, if so, obtain access to such data; we process a large quantity of information, and can thus request, in accordance with the GDPR, that before the information is provided, you specify the information or processing activities to which your request relates;
right to rectification, which enables you (according to art. 16 of the GDR) to obtain from us the correction and/or integration of any of your personal data that are incorrect and/or incomplete;

and in certain limited cases (in which case we will analyse whether the conditions for the exercise of such rights are fulfilled):

right to erasure, which enables you, in specific cases provided for by art. 17 GDPR, to obtain from us the erasure of your personal data;
right to restriction of processing, which enables you, in the specific cases provided for by art. 18 of the GDPR, to restrict the processing of your personal data by us;
right to object, which enables you to object to the processing of your personal data when the conditions provided for by art. 21 of the GDPR are met;
right to data portability, which enables you, in specific cases provided for in art. 20 of the GDPR and with regard only to the data you have provided to us, to request receipt of your personal data in a structured and commonly machine-readable format.

If you have provided your consent to the processing of your personal data, you can withdraw such consent at any time.

To exercise any of these rights, you may contact our Data Protection Officer by email or by postal mail:

Luxembourg Institute of Health (LIH)
Data Protection Officer 1A-B rue Thomas Edison L-1445 Strassen

You have the right to lodge a formal complaint with the Commission nationale pour la protection des données (CNPD). Full details may be accessed on the complaints section of CNPD’s website.

9. Changes to this data protection notice for recruitment.

Changes may occur in the way we process personal data. In case these changes oblige us to update this Data Protection Notice for recruitment, we will clearly communicate it to you, either via our site or via other appropriate means. The latest applicable version will always be available on our site.

Privacy Notice in connection with your Donation to the LIH

Version last updated on November 7^th 2022.

The Luxembourg Institute of Health (LIH) thanks you for your generous donation to its research activities. In the context of your donation, you have provided us with some of your personal data. We attach great importance to the protection of your data, which is why it is important for us to inform you about the use that LIH makes of it and about the rights you have.

1. Purposes and legal basis for the processing

The LIH, as the Data Controller for the management of your donation, processes your personal data for the following purposes

to collect your donation (execution of the donation contract),
to provide you with a thank you letter which also serves as tax certificate relating to the payment of your donation (compliance with our legal obligations),
in case of a donation made at the request of a third party (in particular the family of a person whose death motivated your donation), to transmit your contact details only when requested by the third party, so that they can thank you directly as is customary (legitimate interest pursued by the third party), and
to keep you regularly informed by mail of the progress of research projects carried out by our laboratories thanks to your financial support (legitimate interest pursued by the LIH).

2. Data processed

The data we collect for these different purposes are your last name, first name, title, postal address (street, postcode, city and country), electronic address (if you provided it to us), phone number (optional), company (optional), the amount and the reason of your donation and your bank details.

The above data is collected directly from you. No further data about you is processed by LIH.

3. Who has access to your data?

LIH processes the personal data of donors in a confidential manner and exclusively in Luxembourg.

Your data will not be shared with any third party except where necessary for the above purposes or as required by law (e.g. law enforcement agencies, competent government and regulatory bodies, or certain regulated professionals such as lawyers or auditors).

Your bank account details are only processed by our finance department for the management of your donation and are shared with our service provider for the online payment, WORLDLINE (SIX Payment Services Europe), for the purposes of the payment execution.

Your contact details (name, surname, email address, company) will be shared with our service provider for the management of our information newsletter, Sarbacane (Europe), in order to be able to distribute our newsletter to you.

When you have made a donation following a call for donations made by third parties (in particular family members, in memory of a deceased person), we may communicate your contact details in order to allow them to thank you, unless you object to it. Under no circumstances will we communicate the amount of your donation.

4. How long your data will be kept

The data collected in order to manage your donation will not be kept beyond the time necessary to achieve the above purposes and to comply with our legal obligations in tax and accounting matters (up to a maximum of 10 years from the end of the year following receipt of your donation).

The data collected in order to keep you regularly informed about our research projects via our newsletter are stored as long as you do not object to their processing.

5. Your rights

In accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), you have the right to access and rectify your personal data. In some cases (depending on the conditions set by law), you have the right to request the deletion of your data, the right to request the restriction of certain aspects of the processing of your data, the right to retrieve your data with a view to passing it on to a third party (right to portability), and finally, the right to object to the way your data is used. In particular you can at any time object to LIH passing on your details to the third party that prompted your donation as well as to being contacted again by LIH in order to hear about our research projects. If you wish to exercise your rights, you can contact the LIH Data Protection Officer at dpo@lih.lu. If you do not wish to receive electronic information about our research projects, you can either contact LIH’s Data Protection Officer or unsubscribe via the dedicated link available at the end of our newsletter.

Finally, you have the right to lodge a complaint with the National Commission for Data Protection (CNPD) regarding the processing of your personal data by LIH. Full details may be accessed on the complaints section of CNPD’s website (https://cnpd.public.lu).

If you have any queries regarding the processing of your personal data by the LIH, you can contact the LIH’s Data Protection Officer by e-mail at dpo@lih.lu or by post at the address:

LUXEMBOURG INSTITUTE OF HEALTH – Data Protection – 1A-B, rue Thomas Edison – L-1445 Strassen – LUXEMBOURG

Privacy Notice in connection with Events management

Version last updated on April 12th, 2023

The Luxembourg Institute of Health (LIH), 1A-B rue Thomas Edison L-1445 Strassen, Luxembourg (“we”) values your privacy. We collect and process personal data about guest speakers and other attendees (“you”) to events organized by us.

We are committed to compliance with the General Data Protection Regulation EU 2016/679 (GDPR) and any other applicable EU or local legislation or regulation implementing GDPR (notably the Luxembourg law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of the GDPR), as well as their successor texts (together “data protection legislation”).

This Data Protection Notice describes how we collect or otherwise process personal data as a data controller in relation to your participation and attendance at events organised by LIH (the “Event” or “Events”) the reasons why we use and share such data, how long we keep it, what rights you have and how you can exercise them.

1. Personal data processed, purposes and legal bases of processing

We collect and use your personal data to the extent necessary to organise and manage the Event as well as
to inform about and promote our activities. On the basis of the role under which you participate to our
Events, we process different categories of personal data, for different purposes and under different legal
bases. In the table below you will find the details regarding the processing of your personal data by LIH
depending on the category to which you belong:

2. Who do we share your personal data with?

Your personal data will be collected and processed primarily by our members of staff who have a legitimate need to process it for purposes set out above (our communication department and/or our scientific team(s) in charge of a specific event).

We will also communicate your personal data to certain:

third-party service providers/vendors to whom we outsource certain support services (e.g. translation, photocopying/printing, hosting and catering, streaming or filming of the Event),
certain regulated professionals such as lawyers or auditors.

Where necessary, your personal data will also be shared with law enforcement or other government and regulatory bodies or agencies, only upon request and to the extent permitted by law.

Please note that in order to be able to reimburse your expenses that occur in the course of your invitation as a Guest Speaker in the Event, your name, bank account number and amount of total expenses will be processed by members of our finance department. This data will be sent to our bank in order to proceed to the payment. Your expense declaration will be potentially accessible by our service provider for destruction of archives.

Photos taken or videos recorded during Events we organize may be published, in paper or electronic format, including on the internet (notably press releases, national and international newspapers and magazines, our website and social mediaaccounts). Where requested, we will share material including photos and videos of you taken during our Events with funding authorities (such as the Luxembourg National Research Fund) in the course of our reporting for specific projects and activities.

3. Where do we transfer your personal data?

Your personal data are processed by us within the European Union and no transfer of your personal data occurs outside of the European Union/European Economic Area (EU/EEA). If international transfers originating from the EU/EEA to a country outside the EU/EEA will occur in the future, we will update this Notice and ensure your personal data is adequately protected and we will implement appropriate safeguards in accordance with the GDPR. You can obtain more information regarding relevant safeguards we rely on by contacting the Data Protection Officer of LIH by email.

4. Security of your personal data

5. How long do we keep your personal data?

We retain your personal data until the end of the Event and for a period of time thereafter to inform you about our future events unless you object to the processing of your personal data in order to receive this information, to keep a record of your participation as a Guest Speaker or Attendee, to analyse data in relation to our events for LIH’s own operations, to comply with our legal obligations (up to a maximum of 10 years).

Photos and/or videos of you taken during our events will be kept as long as you do not object to their use and in any case for a maximum of 10 years from their collection, for statistical and historical purposes.

With regards to data related to your expenses as a Guest Speaker, we will keep them for a maximum of 10 years from the end of the financial year during which the expenses occurred, in order to comply with our accounting obligations.

6. What are your rights regarding your personal data?

In accordance with data protection legislation, you may exercise at any time individual rights in relation to your personal data:

right to of access, which enables you (according to art. 15 of the GDPR) to obtain from us confirmation of whether personal data is being processed or not and, if so, obtain access to such data. We process a large quantity of information, and can thus request, in accordance with GDPR, that before the information is provided, you specify the information or processing activities to which your request relates;
right to rectification, which enables you (according to art. 16 of the GDPR) to obtain from us the correction and/or integration of any of your personal data that are incorrect and/or incomplete; and

in certain limited cases (in which case we will analyse whether the conditions for the exercise of such rights are fulfilled):

right to erasure, which enables you, in specific cases provided for by art. 17 GDPR, to obtain from us the erasure of your personal data;
right to restriction of processing, which enables you, in the specific cases provided for by art. 18 of the GDPR, to restrict the processing of your personal data by us;
right to object, which enables you to object to the processing of your personal data when the conditions provided for in art. 21 of the GDPR are met. Please note that you have the right to object to the processing of your personal data that it is based on legitimate interest as per art. 6(1)(f) GDPR (see table above) at any time and free of charge by contacting LIH’s Data Protection Officer by email.
right to data portability, which enables you, in certain cases provided for in art. 20 of the GDPR and with regard only to the data you have provided to us, to request receipt of your personal data in a structured and commonly machine-readable format.

Please note that the extent to which these rights apply will vary and that in some circumstances rights may be restricted.

In case you do not wish your image to be captured or published, please inform us before the Event by contacting our Data Protection Officer or by approaching the photographer and/or one of our event organisers during the Event. It is also recommended not to pose in any photos taken and/or to avoid being in the photographer’s scope.

To exercise any of these rights, you may contact our Data Protection Officer by email or by postal mail:

Luxembourg Institute of Health (LIH)
Data Protection Officer
1A-B rue Thomas Edison
L-1445 Strassen

You have the right to lodge a formal complaint with the Commission nationale pour la protection des données (CNPD). Full details may be accessed on the complaints section of CNPD’s website.

7. Changes to this data protection notice

Changes may occur in the way we process your personal data. In case these changes oblige us to update this Data Protection Notice, we will clearly communicate it to you, via our website. The latest applicable version will always be available on our Website.

Data Protection Notice for Suppliers

Data Protection Notice for Customers, Suppliers, potential Suppliers and any Individuals providing Service to LIH

Version last updated on 31.03.2023

The Luxembourg Institute of Health (LIH), 1A rue Thomas Edison L-1445 Strassen, Luxembourg (“we”) is committed to the protection of your personal data in accordance with data protection legislation, especially the General Data Protection Regulation EU 2016/679 (the “GDPR”).

This Data Protection Notice is addressed to contact persons of suppliers, potential suppliers and customers of LIH (e.g. their representatives, employees or other collaborators) as well as to any individuals providing an ad hoc service to LIH (e.g. Guest Speakers to LIH’s lectures or seminars, consultants and other individuals working on their own account). It provides You with detailed information relating to the protection of your personal data by us.

1. Who is the controller of your personal data?

LIH is responsible as a data controller for collecting and processing your personal data in the context of our business relationship with your employer (our supplier or our customer, depending on the context) or of our collaboration with You.

The purpose of this Data Protection Notice is to inform You about which personal data we collect, the reasons why we use and share such data, how long we keep it, what rights You have and how You can exercise them.

2. Personal data processed, purposes and legal bases of processing

According to the nature of your relationship with LIH, we process different categories of personal data, for different purposes and under different legal bases. In the table below you will find the details regarding the processing of your personal data by LIH depending on the category to which you belong:

3. Who do we share your personal data with?

Your personal data will be collected and processed primarily by our members of staff who have a legitimate need to process it for purposes set out above (our finance and purchase department and potentially our scientific teams).

We will also communicate your personal data to:

law enforcement or other government and regulatory bodies or agencies, only upon request and to the extent permitted by law,
certain regulated professionals such as lawyers or auditors.

Please note that in order to be able to reimburse your expenses that occur in the course of your intervention as a Guest Speaker in an event organised by us, your name, bank account number and amount of total expenses will be sent to our bank in order to proceed to the payment. Your expense declaration will be accessible by our service provider for destruction of archives.

Furthermore, in order to send You our customer satisfaction surveys, your personal data (name, surname, title, company, country, email) will be shared with our service provider for the management of our customer mailing list, Sarbacane (Europe), in order to be able to distribute our survey to you.

We require all third parties to respect the security of your personal data and to process it in accordance with the law.

4. Where do we transfer your personal data?

We will not transfer your personal data to countries outside of the European Union/ European Economic Area (EU/EEA). If international transfers originating from the (EU/EEA) to a country outside the EU/EEA will occur in the future, we will update this Notice and ensure your personal data is adequately protected and we will implement appropriate safeguards in accordance with the GDPR. You can obtain more information regarding relevant safeguards we rely on by contacting our Data Protection Officer at dpo@lih.lu.

5. Security of your personal data

6. How long do we keep your personal data?

We will retain your personal data for up to 10 years after the end of our contractual relationship with our supplier/customer, your employer, or with You, where we collaborate directly with You, in order to comply with our accounting obligations.

Please note that our customer mailing list, in order to send You our customer satisfaction survey, is created on the basis of our active customers. This list will be therefore kept as long as our business relationship with our customer, your employer, is active and You do not object to the processing of your personal data in the course of the customer satisfaction surveys..

7. What are your rights regarding your personal data?

In accordance with applicable data protection law, You may exercise at any time the following rights in relation to your personal data:

right to access, which enables You (according to art. 15 of the GDPR) to obtain from us confirmation of whether personal data are being processed or not and, if so, obtain access to such data; we process a large quantity of information, and can thus request, in accordance with the GDPR, that before the information is provided, You specify the information or processing activities to which your request relates;
right to rectification, which enables You (according to art. 16 of the GDPR) to obtain from us the correction and/or integration of any of your personal data that are incorrect and/or incomplete;

and in certain limited cases (in which case we will analyse whether the conditions for the exercise of such rights are fulfilled):

right to erasure, which enables You, in specific cases provided for by art. 17 GDPR, to obtain from us the erasure of your personal data;
right to restriction of processing, which enables You, in the specific cases provided for by art. 18 of the GDPR, to restrict the processing of your personal data by us;
right to object, which enables You to object to the processing of your personal data when the conditions provided for by art. 21 of the GDPR are met. Please note that you have the right to object to the processing of your personal data that it is based on legitimate interest as per art. 6(1)(f) GDPR (see table above);
right to data portability, which enables You, in specific cases provided for in art. 20 of the GDPR and only with regard to the data You have provided to us, to request receipt of your personal data in a structured and commonly machine-readable format.

To exercise any of these rights, You may contact our Data Protection Officer by email or by postal mail at:

Luxembourg Institute of Health
Data Protection Officer
1A-B rue Thomas Edison
L-1445 Strassen

You have the right to lodge a formal complaint with the Commission nationale pour la protection des données (CNPD) concerning the processing of your personal data by LIH. Full details may be accessed on the complaints section of CNPD’s website (https://cnpd.public.lu).

8. Changes to this Data Protection Notice

Changes may occur in the way we process personal data. In case these changes oblige us to update this Data Protection Notice, we will clearly communicate it to You, via appropriate means. The latest applicable version will always be available on our Website.

Data Protection
Officer

Contact

Learn more

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-functional	1 year	The cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
pll_language	1 year	The pll _language cookie is used by Polylang to remember the language selected by the user when returning to the website, and also to get the language information when not available in another way.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
vOTSXIlGdxFUt	1 day	No description
xwNvEASRYf_	1 day	No description

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_ZM94YP9CD3	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_16961320_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
DEVICE_INFO	5 months 27 days	No description
ln_or	1 day	No description