Terms of Service and Privacy Policy

Summary

    Terms of service

    By using this website and its content, the user is deemed to have acknowledged and agreed to all the terms and disclaimers of these general terms of service.

    The CSSF reserves the right to change these general terms of service, at any time and without notice, to update the contents due to developments in the legislation or for any other reason deemed necessary. The user shall be responsible for enquiring into the general terms of service of the website; only the updated version accessible online is deemed to be in force.

    The user is authorised to consult, download, save or print the information available on this website, unless otherwise specified. With the exception of filling out the fields of the forms, no other changes can be made, in any way whatsoever, to the information and data published therein. Reproduction or distribution of the information available on this website is only permitted upon prior written consent from the CSSF.

    This website may include contents that do not belong to the CSSF. These contents are subject to the copyrights and terms of service of their authors even if the relevant contents do not expressly refer to copyrights of third parties.

    External websites

    This website may include references in the form of links to external pages and documents. Such references by no means constitute a consent or an unconditional reproduction of these contents by the CSSF. The CSSF disclaims all liability for the content and accessibility of the documents and websites to which it refers. Access to external pages and documents is at the user’s own risk.

    Website changes and availability

    The CSSF reserves the right to change or develop this website, and to suspend the access without notice for any reason deemed necessary. The CSSF may, in particular, withdraw, add, amend, supplement or specify all or part of the information, services and applications available on this website.

    General liability limitations

    This website has been drawn up with the utmost care. The CSSF strives to ensure that the contents of the website are improved, updated and complete. However, the CSSF makes no warranty, either express or implied, as to the completeness, topicality or accuracy of the information and documents available for consultation on this website or as to the unfettered access to this website. The information included on this website is not legal advice. Moreover, the CSSF or its agents shall not be liable for any damage, direct or indirect, related to the use of this website or any content made available on this website.

    Applicable law and jurisdiction

    Any dispute relating to the use of this website shall be subject to the Luxembourg law and shall exclusively fall within the scope of the Luxembourg Courts.

    Privacy policy

    1. Recital

    The Commission de Surveillance du Secteur Financier (CSSF) is the supervisory authority of the Luxembourg financial sector. Its duties and its field of competence are provided for in Section 2 of the Law of 23 December 1998 establishing a financial sector supervisory commission (“Commission de surveillance du secteur financier”) (the “Organic Law”). The CSSF performs its duties of prudential supervision and supervision of the markets for the purposes of ensuring the safety and soundness of the financial sector, solely in the public interest. Within the limits of its remit, it ensures notably that the authorised persons and the issuers comply with the regulations applicable to them, including those aiming to ensure the protection of the financial consumers and the prevention of the use of the financial sector for the purposes of money laundering or terrorist financing. The CSSF represents Luxembourg in the area of European and international supervision.

    In this context, the CSSF underlines its commitment to the protection of your personal data (“Personal Data” or “Data”) and also ensures compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the “GDPR”) as well as with the applicable Luxembourg legislation.

    The Personal Data referred to in this policy (hereinafter, the “Policy”) are those of third parties outside the CSSF (which exclude the CSSF’s staff members, i.e. the members of the Executive Board of the CSSF, the Resolution Director, the agents treated as civil servants, the trainee agents, the professional staff treated as State employees (employés de l’Etat), the “salariés” treated as “salariés de l’Etat”, trainees and students and internal service providers) who are referred to individually as “Data Subject” (as defined below) or “You”, i.e.:

    • the natural persons directly supervised by the CSSF;
    • the natural persons working within the supervised entities (agents, employees, members of the management bodies, key function holders, shareholders, intermediaries and other participants, etc.);
    • the natural persons within the national, foreign and international authorities and bodies with which the CSSF cooperates;
    • any person providing one or several services for the CSSF under a service provision agreement aiming to fulfil tasks unrelated to the CSSF’s legal missions, including in particular removals, general maintenance of the premises (cleaning, repairs, etc.), concierge services, management of the CSSF’s restaurants;
    • any other person about whom the CSSF collected Personal Data for the purposes laid down in the recital.

    The persons who applied for a job or who submitted an unsolicited application are informed of the Processing (as defined below) of their Personal Data via a specific policy called Job Applicant Privacy Notice available under the section “Careers” of the CSSF website: https://careers.cssf.lu/en/home/.

    This Policy informs you of the following:

    • Who is the Controller? How to contact the CSSF?
    • Why does the CSSF process your Personal Data?
    • What is the purpose of the Processing?
    • How long are the Data stored?
    • With whom does the CSSF share these Data?
    • How are your Data protected?
    • Your rights as Data Subject.
    • Update to the Policy.

    2. Concepts

    The following concepts are used in this Policy:

    • Personal Data means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person – Article 4(1) GDPR.
    • Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction – Article 4(2) GDPR.
    • Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by EU or Member State law, the Controller or the specific criteria for its nomination may be provided for by EU or Member State law – Article 4(7) GDPR.

    3. Who is the Controller and how to contact the CSSF?

    The Commission de Surveillance du Secteur Financier (CSSF), a public law institution established at 283, route d’Arlon, L-1150 Luxembourg, acts as Controller of your Personal Data.

    The CSSF designated an internal Data Protection Officer (“DPO”) whom You may contact in case of questions relating to the policies or practices of the CSSF with respect to the protection of Personal Data. You may contact the DPO via email or by post at the following address:

    Commission de Surveillance du Secteur Financier

    DPO / Pascal Pirih
    283, route d’Arlon
    L-1150 Luxembourg

    dpo@cssf.lu

    4. Why does the CSSF process your Personal Data?

    The CSSF processes Personal Data of Data Subjects in the framework of:

    • the performance of the tasks carried out in the public interest or the exercise of the public powers conferred on the CSSF by the legislator;
    • the use of the CSSF website;
    • the use of the digital desks;
    • the submission of enquiries via the CSSF website;
    • the subscriptions to the news on the CSSF website;
    • the reporting of a breach of the financial sector regulation (whistleblowing);
    • the submission of a complaint;

    And when:

    • You carry out any work for the CSSF (outsourcing/service provision);
    • You physically come to the CSSF.

    4.1. The performance of the tasks carried out in the public interest or the exercise of the public authority conferred on the CSSF

    It concerns, among others, Personal Data that You give the CSSF or that the CSSF receives from third parties (in any way whatsoever, including via digital desks) in the framework of the CSSF’s prudential supervision, supervision of the markets in financial instruments (including their operators), resolution, supervision regarding the fight against money laundering and terrorist financing, protection of financial consumers and public oversight of the audit profession.

    The Personal Data processed by the CSSF for the purpose of its tasks carried out in the public interest and the exercise of the public authority conferred on it will be stored as long as You, or the natural or legal person subject to the CSSF’s supervision for which You work or for which You perform or have performed a function, are subject to the supervision of the CSSF. The CSSF may continue to process your Personal Data beyond this period, e.g. in so far as they may become relevant again for the exercise of the CSSF’s supervisory mission or in the framework of possible liability claims.

    4.2. Use of the CSSF website

    The CSSF uses cookies on its website but they are not ‘intrusive’. This means that:

    • they are not used to gather Personal Data about You in any way;
    • the CSSF does not use targeting or advertising cookies that build up a profile.

    When You use the CSSF website notably to view the information the CSSF makes available, download documents or use online forms, a number of cookies are used by the CSSF and by third parties to allow the website to function and to collect useful information about visitors and to help to improve your user experience.

    The cookies used on www.cssf.lu:

    4.3. Use of the digital desks

    When You create an account on one of the digital desks made available by the CSSF, You are requested to provide your name, email address, password and optionally the name and address of the company.

    This information is used in order to secure your access on the desk concerned.

    Your account is kept as long as You use the desk and until You delete your access.

    The CSSF does not use the information You provided in order to produce automated decisions likely to affect You.

    The CSSF stores the requests in the form of emails for one year, after which they are erased.

    4.4. Submission of enquiries via the CSSF website

    When You submit an enquiry via the CSSF website, You are requested to provide your name, email address and optionally a company name and address.

    This information is used to respond to your enquiry. The CSSF may email You after your enquiry in order to do a follow-up and ensure that You have received a satisfactory answer.

    Your enquiry is stored and processed as an email hosted on the servers of the CSSF in Luxembourg.

    The CSSF does not use the information You provided in order to produce automated decisions likely to affect You.

    The CSSF stores the requests in the form of emails for one year, after which they are erased.

    4.5. Subscriptions to the news on the CSSF website

    When You subscribe to the news on the CSSF website, You are requested to provide your email address.

    In accordance with Article 6(1)(a) of the GDPR, your consent will be requested before using your email address to send You the following information depending on your selection among these elements: warnings, sanctions and administrative measures imposed by the CSSF, communiqués/press releases, laws and regulations, Newsletter, legal reporting, statistics, EU/international and other publications.

    In order to achieve this objective, we use a subcontractor located in the European Union which provides sufficient guarantees as regards the implementation of appropriate technical and organisational measures so that the processing fulfils the requirements of the GDPR and guarantees the protection of your personal data.

    Your email address is stored on servers in the European Union.

    The CSSF does not use the information You provided to produce automated decisions likely to affect You.

    The CSSF stores your email address as long as it produces and disseminates news. In case of withdrawal of your consent, the CSSF will immediately stop sending You the news and your email address will be erased from the CSSF’s and the subcontractor’s database.

    4.6. Reporting of a breach of the financial sector regulation (whistleblowing)

    When you report a breach of financial sector regulations (whistleblowing) via the form provided for that purpose, or via any other means listed on the page Whistleblower protection, you are requested to provide at least your name (save for an anonymous report), an email address, as well as the subject of the report. You may complete this information with your personal contact data, and any other relevant supporting documentation within the limit imposed by the chosen communication channel.

    The CSSF will use this information to determine its competence in relation to the reported facts, to analyse their substance and to contact you for further information. The Processing of your Personal Data is necessary to perform the tasks carried out in the public interest or in the institutional role of the CSSF conferred on it notably by the Law of 23 December 1998 establishing a financial sector supervisory commission (“Commission de surveillance du secteur financier”) and by the different “sector-specific” laws applicable to the financial sector. Further information concerning the mission and competences of the CSSF is available on the dedicated page.

    The CSSF is committed to protecting the whistleblower’s identity within the limits of the applicable law. In other words, neither the identity of the whistleblower nor the identity of third parties who may be involved will be disclosed to the supervised persons concerned, except in circumstances in which the disclosure becomes unavoidable in law (e.g. as a result of the CSSF’s duty to inform the State Prosecutor if the acts may constitute a crime or an offence, or in the context of criminal proceedings against the entity concerned in which case the whistleblower may be called as a witness).

    When the CSSF receives a report for which it has no competence and in order to ensure the effectiveness of whistleblowing reports, the information is transmitted to the competent supervisory authority (e.g. the European Central Bank or other EU or non-EU financial sector supervisory authorities) in compliance with the rules relating to professional secrecy provided for in Article 16 of the Organic Law and the provisions of Chapter V of the GDPR regarding the transfers of Personal Data to third countries (cf. Section 5 below).

    Personal data obtained through a report that is deemed unjustified by the authorised agents, as it falls outside the CSSF’s remit, are deleted without delay.

    Personal data obtained by means of a report are stored on the CSSF’s internal servers in Luxembourg for three months following the closure of the investigation conducted by the CSSF in the discharge of its relevant tasks or proceedings with respect to the allegations made in the report until the end of the appeal period.

    More information about (i) the whistleblowing procedure and (ii) the confidentiality rules governing the procedure to report breaches of the financial sector regulations to the CSSF is available on the dedicated page.

    4.7. Submission of a complaint

    When You file a complaint as an individual, You will be requested to provide your name, email address, complaint as well as some supporting documents, including a copy of your ID card or any document permitted by law to prove the identity of a natural person.

    The CSSF will use this information to determine if it is competent to handle the complaint, to analyse its substance and to contact You for further information. The Processing of your Personal Data is necessary to perform a task carried out in the public interest or in the institutional role of the CSSF.

    Your complaint will be stored on the internal servers of the CSSF in Luxembourg until the procedure is closed or for the following ten years. After that, your Personal Data will be erased.

    Additional information on the handling of your complaints is available at:

    4.8. When You carry out work for the CSSF (outsourcing/service provision)

    The CSSF may also collect and use your Personal Data if they are provided by your employer or a company with which You are connected in any way, in the framework of a contractual relationship between the CSSF and your employer or said company.

    The data consist of your name, your email address and other Personal Data and, in some cases, references to previous jobs and an ID document.

    4.9. When You physically come to the CSSF

    The CSSF has a video surveillance system on its premises. Video surveillance means the activity of monitoring with video cameras in order to:

    • secure access to the buildings;
    • ensure the security of its staff;
    • detect and identify possible suspicious or dangerous behaviours likely to lead to accidents or incidents;
    • accurately locate the origin of an incident;
    • protect the CSSF’s property (buildings, installations, equipment, etc.);
    • organise and oversee a rapid evacuation of the staff in case of an incident;
    • be able to warn in time the rescue and fire services or the police force as well as to facilitate their intervention.

    The CSSF stores its surveillance images for fourteen (14) days.

    The CSSF maintains a register of the visits with your name, the name of your company and the person visited.

    5. With whom does the CSSF share these Data?

    5.1. Transfers of Personal Data inside the European Economic Area

    In the context of its mission carried out in the public interest and the exercise of its public powers, the CSSF cooperates in particular with the European Central Bank, the Banque centrale du Luxembourg, the supervisory and/or resolution authorities of the EU Member States, as well as with other national and EU institutions, authorities or bodies in charge of investor and depositor protection and the safeguarding of financial stability. Due to the CSSF’s reporting obligation in accordance with Article 23(2) of the Code of Criminal Procedure, your Personal Data may be transmitted to the State Prosecutor if the acts may constitute a crime or offence.

    5.2. Transfers of Personal Data to international organisations

    It is possible that the CSSF, in the context of its mission carried out in the public interest and the exercise of its public powers and within the limits of applicable standards, exchanges your Personal Data with an international organisation. In such a case, the CSSF ensures that the international organisation guarantees an appropriate level of protection (in accordance with Article 45 GDPR) or that it can use a derogation, such as applicable in case of a transfer necessary for important reasons of public interest (in accordance with Article 49 GDPR) or another instrument with appropriate guarantees fulfilling the provisions of Chapter V of the GDPR regarding the transfers of Personal Data to third countries or international organisations.

    5.3. Transfers of Personal Data outside the European Economic Area

    5.3.1. How and why does the CSSF process your Personal Data?

    Given the international dimension of its prudential supervision of the financial sector and supervision of the markets in financial instruments, the CSSF may transfer your personal data to its counterparts located in the European Economic Area (EEA) and outside the EEA.

    In the context of international cooperation with its foreign counterparts, the CSSF is committed to having in place the safeguards set out in the Administrative Arrangement for the transfer of personal data between EEA financial supervisory authorities and non-EEA financial supervisory authorities, without prejudice to the European Commission’s adequacy decisions with respect to certain countries¹.

    In particular, when the CSSF collects and processes Personal Data transferred under the Administrative Arrangement, it guarantees that:

    • it will only transfer Personal Data that are relevant, adequate and limited to what is necessary for the purposes for which they are transferred and further processed;
    • it will have in place appropriate technical and organisational measures to protect Personal Data that are transferred to it against any unauthorised or unlawful Processing, destruction, loss, alteration or unauthorised disclosure;
    • it will retain Personal Data for no longer than is appropriate and necessary for the purpose for which the data are processed;
    • it will not take any decision concerning a natural person based solely on automated Processing of Personal Data, including profiling, without human involvement;
    • it will not divulge your Personal Data for other purposes, such as for commercial or marketing purposes.

    5.3.2. What are your safeguards under the Administrative Arrangement?

    As regards the Personal Data shared under the Administrative Arrangement, You can make a written request to the CSSF to receive information about the Processing of your Personal Data, to access the Personal Data and to correct any inaccurate or incomplete Personal Data, as well as make a written request to erase, restrict Processing or to object to the Processing of your Personal Data at the following address:

    by mail:

    Commission de Surveillance du Secteur Financier

    DPO / Pascal Pirih
    283, route d’Arlon
    L-1150 Luxembourg

    or

    by email: dpo@cssf.lu

    Nevertheless, due to the sensitive nature of the CSSF’s public interest mission and the professional secrecy to which it is bound, in some cases these safeguards might be restricted, in particular where they are likely to seriously impair the objectives of that Processing (Article 14(5)(b) of the GDPR), where obtaining or disclosing information is expressly provided for by law (Article 14(5)(c) of the GDPR) or where they affect the professional secrecy to which the CSSF is subject (Article 14(5)(d) of the GDPR and Article 16 of the Organic Law, the infringement of which is punishable under Article 458 of the Criminal Code).

    In each case, the CSSF will assess whether the restriction imposed is appropriate. The restriction should be necessary and provided for by law, and will continue only for as long as the reason for the restriction continues to exist.

    5.3.3. What redress is available to you?

    If you believe that your Personal Data have not been handled consistently with these safeguards, you can lodge a complaint with the transferring authority, the receiving authority or both authorities. To this end, you may contact the CSSF Data Protection Officer whose contact details are given below. In this case, the authorities concerned will use best efforts to settle the complaint or dispute amicably in a timely fashion.

    Should the dispute remain unsolved, other methods may be used to resolve it, unless the request is manifestly unfounded or excessive. Such methods include participation in non-binding mediation, as well as in other non-binding dispute resolution proceedings initiated by the natural person or by the authority concerned.

    If the dispute is not resolved through cooperation by the authorities, nor through non-binding mediation or other non-binding dispute resolution proceedings, and the transferring authority considers that the receiving authority has not acted in accordance with the safeguards set out in the Administrative Arrangement, the transferring authority will suspend the transfer of Personal Data under this Administrative Arrangement to the receiving authority until it is of the view that the issue raised has been satisfactorily addressed by the receiving authority, and will inform You thereof.

    Contact

    For any questions or requests for information about redress, You may contact the CSSF:

    by mail:

    Commission de Surveillance du Secteur Financier

    DPO / Pascal Pirih
    283, route d’Arlon
    L-1150 Luxembourg

    or

    by email: dpo@cssf.lu

    ¹ The list of third countries that are recognised as having equivalent safeguards is available at: Data protection adequacy for non-EU countries (europa.eu)
    Opinion 4/2019 of the European Data Protection Board
    IOSCO Administrative Arrangement
    The CSSF is signatory to this Administrative Arrangement. Appendix A contains a list of all EEA authorities that have joined the Administrative Arrangement. The non-EEA authorities that have joined the Administrative Arrangement are listed in Appendix B.

    6. How are your Data protected?

    The CSSF implements technical and organisational means in order to protect your Personal Data and prevent any destruction, loss, alteration or modification as well as any unauthorised access or disclosure, voluntary or involuntary. Moreover, the CSSF also requests its service providers which process Personal Data for the CSSF to always take the necessary security measures.

    7. Your rights as Data Subject

    Without prejudice to the general obligation of professional secrecy laid down in Article 16 of the Organic Law and without prejudice to the limitations provided for by the GDPR, You can ask the CSSF what information it holds about You and You can ask the CSSF to correct the information if it is inaccurate. The exercise of the right of access shall not adversely affect the rights and freedoms of others.

    When the Processing of your Personal Data is based on consent, You have the right to withdraw your consent at any time. Such withdrawal has no consequence on the validity of the Processing of your Personal Data before the withdrawal.

    If your Personal Data are processed for consent purposes or in order to fulfil a contract, You may ask that a copy of the information be sent to You in a machine-readable format so that it can be transferred to another provider. That right shall not apply to Processing necessary for the performance of a mission carried out in the public interest or in the exercise of public authority vested in the CSSF.

    Without prejudice to the limitations provided for by the GDPR, You have the right to ask the CSSF to stop using your information for a certain period of time (right to restriction), if You consider that it does not act lawfully.

    To exercise your rights over your personal data, by email or mail, please use the contact details of the DPO referred to in Section 3 above. When there are reasonable doubts regarding your identity, you might be asked to provide a copy of a document as a means to authenticate your identity. It can be any document such as your ID card or passport. Our use of the information on your identification document is strictly limited: we will only use the data to verify your identity and will not store them longer than needed for this purpose.

    Where necessary (dispute, breach of the rules on the protection of personal data), you have the right to file a complaint with the National Commission for Data Protection (Commission nationale pour la protection des données, CNPD), which is the authority in Luxembourg that is competent for the protection of personal data, through its website www.cnpd.lu or by writing to:

    Commission nationale pour la protection des données (CNPD)
    Service des réclamations
    15, Boulevard du Jazz
    L-4370 Belvaux

    8. Update to the Policy

    The CSSF regularly reviews and, if appropriate, updates this Policy, as its services and use of Personal Data evolve. If the CSSF wants to make use of your Personal Data in a way that has not been previously identified, You will be contacted to be given information about this and, if necessary, to be asked for your consent.

    The CSSF will update the version number and date of this Policy each time it is changed.
