• Accueil
  • Business Partners, Suppliers and Clients privacy notice

Business Partners, Suppliers and Clients privacy notice

Last revised: December 2024

1. An overview of data protection

The Luxembourg Institute of Science and Technology (hereafter “LIST”, “We”) is committed to ensure the highest standards of data protection in compliance with the applicable legislation, notably with reference to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter “GDPR”).

The present document aims at illustrating what personal data we collect about you, the reason why LIST uses your data and, as the case may be, share your data and the applicable retention periods. Additionally, the notice also provides you with information regarding your rights, how to exercise them and whom you can contact in case of any query.

2. Scope of the notice

The present notice is directed to all external business partners, clients and prospective clients, suppliers, subcontractors and service providers of LIST who enter into a business relationship with LIST and whose personal data are processed for the management of this relationship (hereinafter “You”). Please note that additional privacy notices as mentioned in the beginning of this document may apply, depending on the nature of your relationship with LIST, which shall apply in addition to the present Privacy Notice.

3. Identity of the data controller

The data controller is LIST, having its registered office at 5, Avenue des Hauts-Fourneaux L-4362 Esch-sur-Alzette, Luxembourg. Our contact details can be found under section 12.

4. Categories of personal data we collect

We collect personal data of:

  • individuals who enter on their own name in business with LIST or in their quality as authorised representatives of their company or organisation;
  • contact persons of our partners, clients, suppliers, subcontractors and service providers who are legal entities;
  • qualified contacts, who have been in contact with us and shown interest in LIST.

Partners, clients, suppliers and subcontractors should ensure their employees are aware that their data is being shared with us, as described in this Privacy Notice.

Please find here below a list of personal data that we may collect and process:

  • Contact details: name, surname, professional postal and e-mail addresses, professional telephone number;
  • Professional information: company/organisation, current role or title;
  • Financial information: VAT number, bank account number (IBAN and BIC), and in the framework of a procurement process LIST might require payment declaration statements for social security contributions and taxes and duties, balance sheets and profit and loss accounts covering the last three financial years insofar our client or supplier is a natural person;
  • Criminal record or equivalent: Extract of criminal records of the company's representatives might be requested in the framework of a procurement process;
  • Other data required in the framework of a procurement process: registration with the trade or professional register, proof of professional indemnity insurance (including public liability), references from public or private companies having purchased similar goods or services within the past three years as long as they contain personal data;
  • Contractual information: your contracts with LIST, date and place of signature, your signature, signatory’s name and email;
  • Meeting data: email address of the participants to the meeting, details of invitation to the meeting (date, time and place of meeting or link to virtual room), meeting data (text, video and audios) in case of recordings or transcripts, and metadata (date, time and duration of call, name/subject of meetings).
  • Technical data: device identification data and traffic data (MAC addresses, web logs, IP addresses) in case of virtual meetings; in case of electronic signatures: IP address, method of authentication used (e.g., email, SMS, access code), time stamps for each stage (when the document was viewed, signed, or declined), device information data.

5. How we collect your data

We collect your personal data:

  • directly from you;
  • from another employee of your company or organisation;
  • from third parties such as LIST’s research partners in the framework of a research project or for the preparation of a project proposal;
  • from the client, supplier or service provider for whom You work;
  • from your company’s/organisation’s website or social media platforms such as LinkedIn as well as other business platforms.

6. Why and how your personal data is processed

LIST collects and uses your personal data for the following purposes:

Purpose Details
To perform and execute agreements with You In this case LIST processes your name, surname, establishment and financial data (if you contract with us as a natural person), role/title and signature needed to execute, establish, renew or amend written agreements with You, to manage and execute payments and reimbursement requests, to issue invoices, and implement tasks in preparation of contracts. In case of electronic signatures, LIST may process your technical data and metadata to send you invitations for signature via LIST’s e-signature tool and in order to ensure the authenticity and legal validity of the electronically executed agreement.
To organize purchase processes through public procurement procedures

This includes evaluation and selection of offers and suppliers for LIST's needs; to perform the administration of procurement processes (open and negotiated), to publish and organise tenders and offers according to the applicable legislation.
To manage our relationship with You

This may include in particular processing of your contact details, your professional information, your previous contacts and relationship history with LIST as well as meeting and technical data in order to contact and communicate with You, to deliver relevant documents and invitations, to ensure internal coordination within LIST and to maintain or update our list of business contacts and database of suppliers/subcontractors. We may also use our suppliers’ data to establish your supplier profile and for the annual evaluation done in the framework of our ISO 17025 accreditation.

In some cases, we may need to record a meeting held virtually and share the footage with the people participating in the meeting or other partners or employees who couldn’t attend on a strictly need-to-know basis and to the extent necessary. Specific information will be given to you before the recording so that you can agree to the recording or not.

Depending on your relationship with LIST, we may use your contact details to invite you to our social events organised for the promotion of our activities and to complete a satisfaction survey.
To provide and improve our services
To manage and facilitate coordination of business partnership and service opportunities
To document LIST relationships with external organizations, persons, meetings and opportunities
To internally report about partnership development activities

7. Legal basis for processing

Please find here below a list of the purposes for which LIST collects and processes your personal data:

Purpose Legal basis
To perform and execute agreements with You In this case LIST will process your personal data for the performance of a contract or in order to take steps to entering into a contract with You.
To organize purchase processes through public procurement procedures

In this case LIST will process your personal data: a) to execute the public tender or contract (negotiated procedure) with You; and
b) to comply with our legal obligations under the Luxembourgish Law of the 8th of April 2018 on public procurement, according to which, LIST, as a public institution, must publish tenders for purchases in specific cases and follow the applicable rules and conditions.
To manage our relationship with You  
  • In accordance with the applicable legislation, LIST has the specific mission to perform activities for the needs and interests of public and private stakeholders. Therefore, LIST has a legitimate interest to ensure continuous contacts with businesses to meet its mission and grow its impact while ensuring internal coordination and definition of its strategy. Colleting and processing personal data from individuals that demonstrated having an interest in LIST’s activities is necessary for accomplishing this purpose. Your data will only be added to our Customer Relationship Management (CRM) tool after the occurrence of a first meeting with LIST. Please kindly note that you can object to the processing of your personal data for this purpose by sending an e-mail to crm@list.lu.
  • In case of recordings of virtual meetings, your data (image and voice) will be collected based on your consent provided at the beginning of the meeting. To withdraw your consent at any time, You can contact the organiser of the meeting or the LIST employee who invited You to the meeting.
  • LIST has a legitimate interest to maintain a data base with its suppliers/subcontractors including personal data of representatives or contacts of our suppliers/clients/ subcontractors who are legal entities, in order to communicate with You in a customary, personal manner and to keep our supplier/ client/subcontractor updated throughout our relationship.
 
To provide and improve our services
To manage and facilitate coordination of business partnership and service opportunities
To document LIST relationships with external organizations, persons, meetings and opportunities
To internally report about partnership development activities

8. Share of your personal data with third parties

LIST may share your personal data with:

  • LIST’s internal departments on a need-to-know basis, in order to ensure the proper management of your relationship with LIST (such as Innovation Line Management Office, IP and Technology Transfer Office, Business Partners, Legal, Communication, IT);
  • External service providers that perform services on LIST behalf, such as IT service providers;
  • Institutional or non-institutional partners, with whom LIST collaborates in the context of LIST’s research activities,

Some of the mentioned recipients of your personal data may be in countries outside the European Union or the European Economic Area (EU/EEA):

  • Microsoft Ireland Operations Limited: This processor is based in Ireland and is the provider of Microsoft Outlook, an email and calendar application as well as Microsoft Teams, a video-conferencing platform, both of which are available as part of Microsoft's Office 365 suite. Microsoft may transfer, store and process personal data in the United States of America or any other country in which Microsoft or its contractors maintain facilities. Transfers out of the European Union (EU) and European Economic Area (EEA), are governed by Standard Contractual Clauses. For further details, please have a look at the following webpage: https://learn.microsoft.com/en-us/microsoftteams/teams-privacy
  • Docusign Inc: This processor is based in the United States of America and is the provider of the electronic signature tool which We use in LIST for the execution of our contracts with third parties.  As a cloud-based platform, your personal data may be transferred data in the United States of America or other countries outside the EU/EEA where DocuSign has its sub-processors. Such transfers are made based on the European Commission's Standard Contractual Clauses. For further details, please have a look at the following webpage: https://www.docusign.com/privacy
  • SAP Belgium S.A./N.V. (Module: SAP ARIBA Contracts): This processor is based in Belgium and is the provider of our cloud-based contract management platform. SAP Belgium is part of a global group of companies and your personal data may be sub-processed by and transferred to the SAP Affiliates established outside the EU/EEA.  Such transfers are done based on article 49 of the GDPR (Derogation for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request). More information about SAP’s privacy policy can be found here: https://www.sap.com/about/trust-center/data-privacy.html

9. Ensuring personal data security and integrity

In compliance with the applicable data protection legislation, LIST has put in place appropriate technical and organisational measures in order to prevent or act upon any unauthorised and unlawful processing or disclosure, accidental loss, modification or destruction of personal data. These measures are implemented based on the current state of art, an evaluation of the risks derived by the processing activity and the need to protect personal data. Such technical and organisation measures are regularly updated and/or adjusted to new technical developments or any organisational change that may affect LIST.

10. Data retention periods

LIST will only retain your personal for a period of time that is strictly necessary for the purposes for which we collect your data, without prejudice to LIST to keep them for a longer duration for legal and/or regulatory obligations applying to LIST or due to exceptional situations that would justify them being kept longer (judicial procedure, etc.). Below are the details regarding the time we keep your personal data:

Purpose Retention period
To perform and execute agreements with You LIST will keep your personal data for a maximum period of thirty (30) years after the end of each agreement in accordance with Art. 2262 of the Luxembourgish Civil Code.
To organize purchase processes through public procurement In this case LIST will keep your personal data for a period of ten (10) years after the end of your contract with LIST, in accordance with Art. 14 and 16 of the Luxembourgish Commercial Code.
To manage our relationship with You  
  • LIST will only retain your personal data for a period of three (3) years from the creation of your account in our CRM tool. Upon expiration of this period, your account on our CMR tool shall be retained only on justified basis due to an ongoing relationship with you or to the existence of a business partnership or service opportunity. In such cases, LIST ensures to perform an annual review of the persistence of such justifications.
  • Data related to our clients’ or suppliers’ profiles are kept for three (3) years after the end of your business relationship with LIST.
  • Meeting data and technical data will be kept in accordance with our retention schedule.

 
To provide and improve our services
To manage and facilitate coordination of business partnership and service opportunities
To document LIST relationships with external organizations, persons, meetings and opportunities
To internally report about partnership development activities

11. Your rights and how to exercice them

With regards to your personal data collected and processed by LIST, you may exercise at any time the following rights:

  • Right to access: You have the right to receive confirmation about whether or not your personal data is being processed by LIST. If that is the case, you have the right to know what data is being collected and processed and to obtain of copy of it;
  • Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you have the right to request to have it rectified;
  • Right to erasure: Subject to certain conditions specified in art. 17 of the GDPR, you have the right to have your personal data deleted by LIST;
  • Right to restriction of processing: Subject to certain conditions specified in art. 18 of the GDPR, you have the right to obtain restriction of the processing of your personal data performed by LIST;
  • Right to data portability: Subject to certain conditions specified in art. 20 of the GDPR, you have the right to obtain a copy of the personal data you provided to LIST in in a structured, commonly used and machine-readable format and to request the transfer of these data to another data controller;
  • Right to object: You have the right to object the processing of your personal data when the conditions set out in art. 21 of the GDPR apply;
  • Right to withdraw consent: If LIST is processing your personal data based on your consent, you have the right to withdraw that consent at any time. The withdrawal of such consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  • Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD). More information on how to lodge a complaint are available on CNPD’s website: https://cnpd.public.lu.

You may exercise any of these rights by contacting our Data Protection Officer (DPO) by filling the online form.

Please kindly note that your rights are not absolute, and they may be withheld in accordance with applicable data protection laws. In such event, LIST will provide you with the reasons for not complying with your request. In such case, you may lodge a complaint with the CNPD and seek a judicial remedy against such decision.

12. Changes to this notice

LIST may make changes to this privacy notice from time to time, to reflect our current privacy practices or to comply with changes in the applicable data protection legislation. LIST encourages you to regularly visit this page in order to remain informed on how LIST collects and processes your personal data.

Partager cette page :