Data protection

The Commissariat aux Assurances (CAA) collects and processes personal data, the protection of which is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. In accordance with this Regulation, we are providing you with the following information.

Legal basis for processing your personal data

The processing of your personal data is based on Article 6 (1), letters a), b), c) or e) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The data controller

The data controller is the CAA, a public institution with its registered office at 11, rue Robert Stumper, L-2557 Luxembourg (www.caa.lu)

The Data Protection Officer (DPO)

The CAA has appointed an internal Data Protection Officer whom you can contact if you have any questions about the CAA's personal data practices. You will find the DPO's contact details below:

Data Protection Officer:
Email: dpo@caa.lu
11, rue Robert Stumper 
L-2557 Luxembourg
+352 22 69 11 – 1

The recipient of your personal data

The recipient of your personal data is the CAA.

Use of your personal data

- RECRUITMENT 
- REQUEST FOR OUT-OF-COURT COMPLAINT RESOLUTION 
- ALERTING ABOUT A BREACH OF THE LEGISLATIVE AND REGULATORY FRAMEWORK APPLICABLE TO THE INSURANCE SECTOR (WHISTLEBLOWING)

1.  Recruitment  

• Consent and how long we store personal data 
  By submitting your application to the CAA, you consent to your personal data being processed as part of the recruitment process, and to it being stored for a period of 2 years after the last contact. You may withdraw your consent at any time, without this affecting the processing carried out on the basis of your consent prior to its withdrawal.

• Consequences of not providing personal data
  The provision of personal data is necessary for access to employment in the Luxembourg civil service, as an employee of the State or as a civil servant of the State. Failure to provide this data will result in the application not being considered.
• Your rights 
  In accordance with Regulation (EU) 2016/679, you have the right to access, rectify, delete and limit the processing of your data, as well as the right to object and the right to portability of your data.

2.  Request for out-of-court complaint resolution

• The recipient of your personal data
  In addition to the CAA, your personal data is normally transferred to the professional concerned by your request for out-of-court complaint resolution.
• How long your personal data is stored?
  Your personal data is stored for the duration of the processing of your request for out-of-court complaint resolution and for ten years after the closure of your file.
• Consequences of not providing personal data
  The provision of personal data is necessary for the handling of your request for out-of-court complaint resolution. Failure to provide such data means that the CAA cannot process your request.
• Your rights
  In accordance with Regulation (EU) 2016/679, you have the right to access, rectify and limit the processing of your data, as well as the right to object to the use of your data.

3.  Reporting a breach of the legislative and regulatory framework applicable to the insurance sector (Whistleblowing)

For the purposes of carrying out the tasks entrusted to it by the Law of 16 May 2023 on the protection of persons who report breaches of Union law (hereinafter the ‘Law of 16 May 2023’), the CAA may be required to process personal data relating to whistleblowers.

• Purposes of processing 
  In the context of the procedure relating to whistleblowing, the personal data obtained may be processed, subject to the applicable confidentiality obligations, in the context of the performance of the CAA's tasks or investigations, where this falls within its remit.
• Data processed 
  As the reporting person, you may provide your full name, postal address and e-mail address on the Whistleblowing form, bearing in mind that reports may also be made by telephone, orally or in person, during an interview, it being specified in the latter case that the above information will be recorded in written document either signed by you, if appropriate, or anonymously, it being specified in the latter case that your personal data will not be processed, except in the event of subsequent identification. It is advisable, when describing the potential breach, to mention only the elements of the breach that are relevant to you.
• Categories of recipients

  Recipients:

  Only members of the CAA staff specifically designated to process reports as part of the whistleblowing procedure have access to the processed data.

  Potential recipients:

  However, data may also be transmitted to other members of the CAA staff, who are also bound by confidentiality, for the purposes of effectively examining the report, on the basis of their respective remit in relation to the subject of the report. Anonymisation will therefore be preferred in this context, but if this is not possible, in particular because it would contravene the effective processing of the report, only the data strictly necessary for its successful processing will be transmitted.

  When the CAA receives a report for which it is not competent and in order to ensure its effectiveness, the alert may be transmitted to other competent authorities as defined by article 18 of the Law of 16 May 2023.

  By operation of law, personal data may also be transmitted (f.i. due to the CAA's duty to inform the Procureur d’Etat if the acts are likely to constitute a crime or an offence, or in the context of criminal proceedings against the entity concerned, in which case the whistleblower may, where appropriate, be called as a witness).
• How long personal data is kept

  Personal data that is clearly not relevant to the processing of a specific report is not collected or, if collected by accident, is deleted without undue delay.

  Personal data obtained by means of a report deemed to be unfounded, falling outside the scope of the CAA's remit by authorised agents, shall be deleted without delay.

  Personal data obtained through an report is kept for three months following the closure of the investigation carried out by the CAA in the exercise of its respective missions or of the proceedings concerning the facts alleged in the report until the end of the appeal period.

  In accordance with the law of 17 August 2018 on archiving, files with heritage value must be kept for archiving purposes in the public interest beyond these periods of administrative usefulness.
• Your rights

  You may exercise your right to access, rectify, delete or limit the processing of your personal data by contacting the CAA. If you have any questions about the processing of your personal data by the CAA, or if you wish to exercise your rights, you can contact the Data Protection Officer by post at CAA - Délégué à la protection des données - 11, rue Robert Stumper, L-2557 Luxembourg, Grand-Duchy of Luxembourg  or by e-mail to: dpo@caa.lu.

  You may also address any complaints to the National Data Protection Commission.
• Further information
  Further information on the whistleblowing procedure can be found under the ‘Whistleblowing’ tab. 

In the event of a complaint

You can send your complaints to the Commission nationale pour la protection des données at 15, boulevard du Jazz, L-4370 Esch/Alzette (www.cnpd.lu).

Cookies

Cookies are small text files that a website can place on your computer or mobile device when you visit a website. They are used to store information, for example when you visit a particular page, to help us provide you with a better website experience. We will not be able to identify who you are, but we will be able to identify where you are.

This information helps us to know which pages are most and least attractive to our visitors. They can help us improve navigation and design features to help you access information more easily.

You can take the following actions:

• Accept cookies: you will no longer see the warning when you access any of the pages on this website.
• Do nothing: you will continue to see the warning if you access any of the pages on this site. If you continue browsing, we will consider that you accept the use of cookies.
• Change your cookie settings: you can delete cookies from this website and change your browsing settings, but this will not prevent you from seeing the cookie warning when you access the site again.

The list below shows the cookies we use on our websites. It does not show the cookies used by third party websites to which we may establish links. We may change the list from time to time:

• tartecitron : a tag management solution that allows you to manage tags and centralise the collection of consent in a single tool.
• GA4 : enables anonymous information to be collected, for example, on the number of visits and visitors to the site, on how visitors arrived on the site and on the pages they consulted. Duration: 13 months.

Change cookie settings:

You can limit, block or delete cookies from this site by configuring your browser preferences. You can also activate the private browsing option, which stops your browser storing your browsing history, secret passwords, cookies and other information from the sites you visit.

In each browser, the cookie configuration is different; the Help" function will show you how to do this.