Visitors privacy notice
Last revised: October 2023
1. An overview of data protection
The Luxembourg Institute of Science and Technology (hereafter “LIST”, “We”) is committed to ensure the highest standards of data protection in compliance with the applicable legislation, notably with reference to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter “GDPR”).
The present document aims at illustrating what personal data we collect about you, the reason why LIST uses your data and, as the case may be, share your data and the applicable retention periods. Additionally, the notice also provides you with information regarding your rights, how to exercise them and whom you can contact in case of any query.
2. Scope of the notice
The present notice is directed to all externals visiting LIST’s premises including but not limited to candidates, conference speakers, LIST’s external partners, auditors, customers, suppliers and service providers (hereafter the “Visitor”, “You”).
3. Identity of the data controller
The data controller is LIST, having its registered office at 5, Avenue des Hauts-Fourneaux L-4362 Esch-sur-Alzette, Luxembourg. LIST is in this case the sole responsible for collecting and processing your personal data in relation with your participation to LIST’s activities.
4. Categories of personal data we process
The categories of personal data that we collect about you include:
- Identification data: name, surname, ID card
- Professional information: company/organisation
- Badge related data: date of acquisition and return of your badge, badge number, location data and logs
- Your image: in case it is captured by the CCTV systems installed on LIST’s premises.
- Connection data to guest’s wifi: guest account, email and technical logs (time user, event).
5. Why and how your personal data is processed
LIST collects and uses your personal data for the following purposes:
| Purpose | Details |
|---|---|
Management of the visit | This includes in particular processing of your identification and professional data to issue personalised badges or access cards and to organize meetings on your request. |
Ensure safety of LIST buildings | This includes in particular processing of your identification and badge related data as well as your image in order to ensure safety of people in LIST buildings as well as safety and control of LIST buildings, including its assets. |
Contact visitors in case of emergency | LIST need to process your identification and badge related data in order to ensure compliance with health and safety standards in order to identify people in case of emergency and evacuation situations. |
Provide access to wifi network | This includes in particular processing of your temporary account details to connect to the wifi network (name, email, portal username) as well as data related to your use of the wifi network: your MAC Address, IP address, type of endpoint, premises, network equipment, port, traffic data and logs in order for LIST to be able to provide you access to its wifi network in a secure way. |
6. How we obtain your personal data
We obtain the personal data:
- directly from you;
- from publicly available sources (such as ResearchGate, LinkedIn, your company’s website);
- from other individuals related to you.
7. Legal basis for processing
Below you can find the list of legal basis on whose grounds LIST collects and processes your personal data:
| Purpose | Legal basis |
|---|---|
Management of the visit |
|
Ensure safety of LIST buildings | LIST has a legitimate interest to process your personal data in order to ensure the physical security of people and items on its premises. |
Contact visitors in case of emergency | In case of emergency (such as fire incidents) LIST will process your personal data based on the need to protect the vital interests of the people being inside its premises. |
Provide access to wifi network | LIST has a legitimate interest to process your personal data in order to provide you with access to its wifi network while ensuring security of its systems. |
8. Share of your personal data
LIST may share your personal data with:
- LIST’s internal departments on a need-to-know basis (such as IS Operations, Administrative Support Office, Human Resources),
- External service providers that perform services on LIST behalf, such as IT providers, security companies.
Some of the mentioned recipients of your personal data may be in countries outside the European Union or the European Economic Area (EU/EEA): - Microsoft Ireland Operations Limited: This processor is based in Ireland and is the provider of MS Tools (such as Outlook, MS Teams). Microsoft may transfer, store and process your personal data in the United States or any other country in which Microsoft or its contractors maintain facilities. Transfers outside the European Union and European Economic Area, are governed by Standard Contractual Clauses. For further details, please have a look at the following page: https://privacy.microsoft.com/en-gb/privacystatement.
9. Ensuring personal data security and integrity
In compliance with the applicable data protection legislation, LIST has put in place appropriate technical and organisational measures in order to prevent or act upon any unauthorised and unlawful processing or disclosure, accidental loss, modification or destruction of personal data. These measures are implemented based on the current state of art, an evaluation of the risks derived by the processing activity and the need to protect personal data. Such technical and organisation measures are regularly updated and/or adjusted to new technical developments or any organisational change that may affect LIST.
In particular, access on a need-to-know basis has been implemented to ensure only staff with appropriate need for the purpose has access to the personal data of Visitors. Additionally, we have data processing agreements in place with our processors.
10. Data retention periods
LIST will only retain your personal data for a period of time that is strictly necessary for the purposes for which we collect your data, without prejudice to LIST to keep them for a longer duration for legal and/or regulatory obligations applying to LIST or due to exceptional situations that would justify them being kept longer (judicial procedure, etc.).
In particular, LIST will retain:
| Purpose | Retention Period |
|---|---|
Management of the visit | LIST will retain your identification and professional data for a period of 3 months after the end of the month of your visit. |
Ensure safety of LIST buildings | LIST will retain: - your identification and badge related data including logs and reports for a period of 2 years after cancellation of the access; - your image for a period of 30 days after the moment it is captured by the CCTV systems on LIST premises. |
Contact visitors in case of emergency | LIST will retain your identification and badge related data for a period of 3 months after the end of the month of your visit. |
Provide access to wifi network | LIST will retain your personal data for a period of 5 years after you access the network. |
11. Your rights and how to exercise them
With regards to your personal data collected and processed by LIST, you may exercise at any time the following rights:
- Right to access: You have the right to receive confirmation about whether or not your personal data is being processed by LIST. If that is the case, you have the right to know what data is being collected and processed and to obtain of copy of it;
- Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you have the right to request to have it rectified;
- Right to erasure: Subject to certain conditions specified in art. 17 of the GDPR, you have the right to have your personal data deleted by LIST;
- Right to restriction of processing: Subject to certain conditions specified in art. 18 of the GDPR, you have the right to obtain restriction of the processing of your personal data performed by LIST;
- Right to data portability: Subject to certain conditions specified in art. 20 of the GDPR, you have the right to obtain a copy of the personal data you provided to LIST in in a structured, commonly used and machine-readable format and to request the transfer of these data to another data controller;
- Right to object: You have the right to object the processing of your personal data when the conditions set out in art. 21 of the GDPR apply;
- Right to withdraw consent: If LIST is processing your personal data based on your consent, you have the right to withdraw that consent at any time. The withdrawal of such consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD). More information on how to lodge a complaint are available on CNPD’s website: cnpd.public.lu.
- You may exercise any of these rights by contacting our Data Protection Officer (DPO) by filling our online form available at LIST’s website at: www.list.lu.
12. Changes to this notice
LIST may make changes to this privacy notice from time to time, to reflect our current privacy practices or to comply with changes in the applicable data protection legislation. LIST encourages you to regularly visit this page in order to remain informed on our data protection policies.
