The following definitions should be understood as the definitions established by EU Regulation 2016/679 of 27th April 2016.
The General Data Protection Regulation (RGPD in French or GDPR in English) is the European regulation EU 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It has been entered into force since 25 May 2018.
1.2. Personal data
Personal data is any information relating to:
- A natural person identified by name, first name, email address;
- An identifiable natural person, i.e. a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.3. Processing of personal data
Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.4. Data Controller
Natural or legal person who determines the purposes and means of the processing of personal data.
1.5. Data Processor
Natural or legal person who processes personal data on behalf of PREVAL.
2. Processing of your personal data
Respecting your privacy is a priority for PREVAL, which is committed to complying with the provisions of the GDPR.
PREVAL is mindful of and attentive to your right to be informed about the way in which personal data and personally identifiable information are processed. Certain personal data may be collected when you visit our website or in connection with the provision of our services.
This policy explains how we collect and process your personal data as well as the measures we have taken to preserve their confidentiality and security. PREVAL is required to collect your personal data in the context of:
- Entering into a business relationship
- visiting our website
- an information request about our products via our contact form (marketing)
- contractual relationships.
These include the following personal data:
- Name and surname, email address, phone number
- Date of birth
- Home address
- Civil status, family status
- Profession, level of education, degrees
- Copy of identity card / passport
- Bank details
- Economic and financial information
- Products or services provided
Some data must be communicated, others are optional. In the first case, not providing us with certain data or requesting their deletion may result in the inability to provide you with the product or service concerned, or to maintain the expected level of quality.
3. Purposes, legal grounds and minimisation of the processing of your personal data
PREVAL processes your personal data for the following purposes:
- the management of the commercial relationship to provide you with the products and services contracted;
Legal grounds: processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject.
- for direct marketing purposes to inform you about our products as well as invitations to our events.
Legal grounds: the data subject has consented to the processing of his/her personal data for one or more specific purposes.
The personal data processed are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Your personal data will not be processed at a later stage in a manner incompatible with the purposes described above.
4. Retention period of your personal data
PREVAL stores your personal data for a period not exceeding the period required for the purposes for which the data are processed and in accordance with the legal and regulatory requirements.
PREVAL retains personal data relating to the management of the commercial relationship for the duration of the contract and after the end of the contract for a period of five years from the end of the relationship. An exception to the period of 5 years applies to the data included in PREVAL’s accounting and tax documents for which the retention period is increased to ten years in order to comply with legal obligations.
Personal data collected for direct marketing purposes will only be retained for the period during which you wish to receive our commercial communications. It will be deleted as soon as you inform us that you withdraw your consent.
5. Communication of your personal data
PREVAL might communicate your personal data to the other companies of the group depending on the type of services that you have requested and according to the internal organisation of the group in terms of management of the customer relationship.
As part of its legal obligations, PREVAL may also be required to communicate some of your personal data to the competent administrative or judicial authorities, and in particular to the Commission de Surveillance du Secteur Financier (CSSF).
PREVAL may also make all or part of the personal data processed accessible to its IT and other technological service providers, provided that GDPR agreements are concluded between PREVAL and those service providers and that PREVAL remains responsible for all acts or omissions of its service providers with respect to their access to personal data.
PREVAL might also use data processors to process your personal data.
These data processors are located geographically in the European Union and are governed by the same European personal data protection regulation. In that context, PREVAL will make sure to obtain sufficient guarantees from the data processors with regards to the implementation of technical and organizational measures to ensure that processing of your personal data is performed in accordance with the GDPR requirements and the instructions given by PREVAL and exclusively for the purposes described in this Policy, with the required discretion and security.
6. Right of access, rectification and opposition to your personal data
PREVAL makes a point of guaranteeing the control of your personal data, which is why you may at any time modify, add to or delete the personal data that you have provided us by simple request and on the conditions described below.
In accordance with the GDPR, you can exercise your right to:
- access your personal data and receive additional information on how the data is processed;
- rectify any personal data about you that is inaccurate or complete any incomplete personal data;
- request the deletion of your personal data when:
- the processing of your personal data is no longer necessary for the purposes described above;
- you have withdrawn your consent for processing those data (for example, in the case of direct marketing processing);
- the processing is no longer lawful or when the deletion is necessary to comply with a legal provision;
- when you oppose the processing.
- request the limitation of the processing of your personal data;
- oppose the processing of your personal data in certain cases, for example the processing of personal data for the purposes of commercial prospection;
- withdraw your consent to receive commercial communications;
- the portability of your personal data, that is to say to receive the personal data concerning you and to transmit them to another data controller.
To exercise your rights, you can contact PREVAL at the email address firstname.lastname@example.org or at the following postal address:
11 Boulevard Royal
In addition, you have the right to file a complaint with the Lead Supervisory Authority which is the National Commission for Data Protection in Luxembourg (Commission Nationale pour la Protection des Données – CNPD) using the contact details below:
Commission nationale pour la protection des données
1 Avenue du Rock’n’Roll
7. Security and confidentiality of your personal data
Access to your personal data is restricted to PREVAL employees who need to process them and who uphold strict confidentiality standards when processing such personal data.
PREVAL implements all appropriate technical and organisational measures to guarantee an appropriate level of security and the confidentiality of your personal data.
These measures are intended to ensure a maximum level of protection of your personal data against destruction, accidental or unlawful loss, alteration, unauthorized access or disclosure.
PREVAL reserves the right to modify the present policy in order to remain compliant with the privacy laws in force or to adapt it to its practices. We therefore invite you to consult it regularly to be aware of any changes. The new versions will be made available directly on our website, and the date will be updated in the last paragraph.
15 April 2019