Privacy Notice
1. An overview of data protection
The Luxembourg Institute of Science and Technology (hereafter “LIST”, “We”) is committed to ensure the highest standards of data protection in compliance with the applicable legislation, notably with reference to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter “GDPR”). This notice explains which personal data we collect about you, why we do so and, if applicable, with whom your data are shared. Moreover, we also illustrate how long your personal information are kept and which are your legal rights under the GDPR.
2. Scope of the notice
This notice applies to user or visitors of this website (hereafter, the “website”) and to any individual that contact us by any means and for any purpose.
3. Identity of the data controller
The data controller is LIST, having its registered office at 5, Avenue des Hauts-Fourneaux L-4362 Esch-sur-Alzette, Luxembourg.
We are responsible for collecting and processing your personal data in relation to your use and browsing of the FIT platform.
Our contact details are set out in Section 9 (“Your rights and how to exercise them”) below.
4. Categories of personal data we collect
As a general principle, we collect personal data about you in the course of your browsing and use of the FIT platform or when you contact us. The specific categories of data we collect and/or obtain may vary depending on the use of the website or on the relationship with you.
Please find here below a list of personal data we may collect and process. Those may at times include:
- Contact details (such as name, surname, e-mail address),
- Professional information (such as company/organisation, current role),
- Technical data (such as IP address, your browser type and language, access logs including access times, websites use and monitoring thereof).
We may collect additional data about you based on your voluntary submission; that is, for example, the case when you create a user account on the FIT platform to access to the resources made available on the website, when you decide to provide more context about your organisation or to contribute to the knowledge database therein presented.
5. Purpose and legal basis for processing
We collect and process your personal data for one of the following reasons:
- To communicate with you,
- To process your contributions on the platform,
- To provide and improve the services made available on the website,
- To ensure and improve the functioning and the security of our website and network,
- To manage complaints, feedback and queries,
- To comply with applicable laws and regulatory obligations,
- To establish and/or defend our legal rights.
To comply with the applicable laws, we always need a legal basis to process your personal data.
In relation to this website, this includes:
- Your consent, when you create a user account on the platform in order to access and contribute to the resources made available,
- LIST’s legitimate interest, which consists of (i) the execution of the research project; (ii) the protection of our activity, of our information systems security, of our employees, partners and supplier; (iii) the improvement or further development of our services; (vi) the establishment and/or defence of our legal rights.
6. Share of your personal data with third parties
In order to fulfil the purposes mentioned in Section 5 (“Purposes and legal basis for processing”), LIST may transfer your personal data to:
- External service providers that perform services on LIST behalf,
- Institutional or non-institutional partners, with whom LIST collaborates in the context of its core activities.
In case of disclosure of your personal data to the aforementioned subjects, LIST shall take appropriate steps to ensure that third parties will apply adequate protection to this data as required by the applicable data protection legislation.
Some of the mentioned recipients of your personal data may be located in countries outside the European Union or the European Economic Area (EU/EEA). This is notably the case for SendGrid, the provider we use for e-mail management, and IBM Public Cloud, which provides us with the cloud storage solutions we are using to host this platform. In such cases, transfers to a county outside EU/EEA may take place when the European Commission has decided that the third country ensures an adequate level of protection. In the absence of such adequacy decision, LIST will only proceed to such transfer after having implemented appropriate safeguards to protect your personal data (such as the use of standard data protection clauses adopted by the European Commission) or where a derogation established by art. 49 of the GDPR exists (such as your explicit and informed consent).
Further information about the mentioned transfers and the safeguard measures applied by LIST can be obtained by contacting us at dpo@list.lu
7. Ensuring personal data security and integrity
In compliance with the applicable data protection legislation, LIST has put in place appropriate technical and organisational measures in order to prevent or act upon any unauthorised and unlawful processing or disclosure, accidental loss, modification or destruction of personal data. These measures are implemented based on the current state of art, an evaluation of the risks derived by the processing activity and the need to protect personal data. Such technical and organisation measures are regularly updated and/or adjusted to new technical developments or any organisational change that may affect LIST.
8. Data retention periods
Your personal data are retained by LIST until you decide to unsubscribe from the platform.
9. Your rights and how to exercise them
With regards to your personal data collected and processed by LIST, you may exercise at any time the following rights:
- Right to access: You have the right to receive confirmation about whether or not your personal data is being processed by LIST. If that is the case, you have the right to know what data is being collected and processed and to obtain of copy of it;
- Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you have the right to request to have it rectified;
- Right to erasure: Subject to certain conditions specified in art. 17 of the GDPR, you have the right to have your personal data deleted by LIST;
- Right to restriction of processing: Subject to certain conditions specified in art. 18 of the GDPR, you have the right to restrict the processing of your personal data by LIST;
- Right to data portability: Subject to certain conditions specified in art. 20 of the GDPR, you have the right to obtain a copy of the personal data you provided to LIST in in a structured, commonly used and machine-readable format and to request the transfer of these data to another data controller;
- Right to object: You have the right to object the processing of your personal data when the conditions set out in art. 21 of the GDPR apply;
- Right to withdraw consent: If LIST is processing your personal data based on your consent, you have the right to withdraw that consent at any time. The withdrawal of such consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD). More information on how to lodge a complaint are available on CNPD’s website: https://cnpd.public.lu
You may exercise any of these rights by contacting our Data Protection Officer (DPO):
- by e-mail at the following address: dpo@list.lu,
- or by post at:
Luxembourg Institute of Science and Technology
Attn. Data Protection Officer
5, Avenue des Hauts-Fourneaux
L-4362 Esch-sur-Alzette, Luxembourg.
Please kindly note that your rights are not absolute and they may be withheld in accordance with applicable data protection laws. In such event, LIST will provide you with the reasons for not complying with your request. You may lodge a complaint with the CNPD and seek a judicial remedy against such decision.
10. Link to other websites
Please be aware that this website may contain links to other website that are not governed by this privacy notice. We encourage you to review the privacy notice of each website before disclosing any personal data.
Last revised: February 2023