Legal aspects

Regarding Police Lëtzebuerg information and communications platforms:

General terms and conditions of use of the site

Any person using information, documents, products, software and/or services (hereinafter collectively referred to as the 'Services') offered by this website shall be deemed to be aware of, and to have accepted, all the provisions of these general terms and conditions of use.

'Body' designates the public authority, ministry, administration or other public body which, either alone or jointly with others, are responsible for this site.

Obligations incumbent on the user

The site is accessed via the Internet. The user declares that they are aware of the risks involved and that they accept those risks. They must guard against the effects of computer hacking by adopting a suitable and secure computer configuration.

The State of the Grand Duchy of Luxembourg cannot accept any liability for any damage the user may suffer, directly or indirectly, in connection with browsing this site or using the services it offers, or from accessing any of the websites to which it links.

There is no charge for using the site.

Management of cookies

This site uses cookies, which are small text files used to analyse information related to the user's browsing activities (frequency of visits, duration of visits, pages visited, etc.).

They are stored by the site in a directory on the user's computer. A cookie contains the name of the server that created it, an identifier in the form of a unique number and an expiry date. The unique identifier allows the website to 'remember' the user's computer whenever they visit the website. Session cookies are deleted from the user's computer when the session is closed. However, persistent cookies remain on the user's computer for one month after the end of the session.

The user can decide whether or not to allow the website to store cookies on their computer. They can change their browser settings at any time to prevent cookies from being accepted and stored. The user can also delete all previously stored cookies at any time, using their browser (see Cookies Charter)

If the user opts to refuse cookies from this website, some features may not work as expected or may be disabled. Hence, it is recommended that users update their browser settings to accept cookies from the website.

Alterations to the site

The State of the Grand Duchy of Luxembourg reserves the freedom to update, alter or suspend the site, without prior notice, for maintenance or updating operations, or for any other reason deemed necessary.

In particular, the State of the Grand Duchy of Luxembourg may, at any time, withdraw, add to, supplement or clarify all or any part of the information and services contained in, or offered on, the site. The State of the Grand Duchy of Luxembourg cannot be held liable for any loss or damage whatsoever, whether direct or indirect, in connection with any such changes.

General limitations of liability

The State of the Grand Duchy of Luxembourg shall make its best effort to ensure optimal availability of the site. However, it cannot be held liable should the website become temporarily or totally unavailable.

The State of the Grand Duchy of Luxembourg shall make its best effort to ensure the security of the information system.

The State of the Grand Duchy of Luxembourg shall make its best effort to ensure optimal availability of the site.

The State of the Grand Duchy of Luxembourg shall make its best effort to ensure the security of the information system. However, it cannot be held liable should the information system be attacked or the website become temporarily or totally unavailable.

The State of the Grand Duchy of Luxembourg shall make its best effort to ensure the accuracy of the information provided by the site and published on the social networks. However, it cannot be held liable for any omissions in connection with the updating of information or forms, errors in the use of the system, coding errors, inaccuracies, gaps in the information provided, or any errors or inaccuracies. Indeed, while the aim is to disseminate accurate, up-to-date information from a range of sources, the State of the Grand Duchy of Luxembourg is not immune to the danger of hardware errors. None of the information published on this site should be considered as exhaustive or as constituting a commitment on the part of the State of the Grand Duchy of Luxembourg. Explanations in layman's terms and translations are provided solely for information purposes. Only legal texts published in the Mémorial (Official Journal of the Grand Duchy of Luxembourg) shall be deemed authoritative. The information appearing on this site is of a general nature. It is not tailored to personal or specific circumstances, and therefore cannot be regarded as constituting personal, professional or legal advice to the user. If the user needs personal or specific advice, they should always consult the competent departments within the different administrative bodies.

Limit of the site's liability

This site expressly excludes liability for any consequences, whether direct or indirect, arising from:

incompatibility between the service offered and the equipment, applications, procedures or infrastructures of the user or of any third party;

any security breaches caused by the user or a third party, and more generally any security breaches not directly attributable to the website;

any errors and/or fraudulent acts committed by the user or a third party;

any unavailability or malfunction of electronic communication systems or networks.

Links to related sites

For users' convenience, this site may contain links to other websites which they may find useful or of interest. The State of the Grand Duchy of Luxembourg and more specifically the Body do not systematically check the content of these sites. Consequently, they accept no liability for the content of those websites, either in terms of the legality of such content or the accuracy of the information found there.

Intellectual property

The site, all the elements contained therein (including the layout) and the information and services are protected by the legislation on intellectual property and copyright.

Unless otherwise stated, the State of the Grand Duchy of Luxembourg does not grant any licence or authorisation with regard to the intellectual property rights it holds in respect of this site, the elements contained therein, or the services it provides. Moreover, reproduction of the information or services, either wholly or in part and in whatever form or by whatever means, is not permitted without the prior written consent of the Body.

Unless otherwise stated, users are authorised to view, download and print the available documents and information, subject to the following conditions:

the documents may only be used for personal purposes, for information and in a strictly private context;

the documents and information may not be modified in any way whatsoever;

the documents and information may not be disseminated outside or beyond the site.

The rights implicitly or expressly granted above constitute an authorisation to use the site; under no circumstances do they constitute a transfer or assignment of property rights or other rights in relation to the site.

Changes to the general terms and conditions of use

These general terms and conditions of use may be modified or supplemented at any time, without prior notice, in line with changes made to the site or changes in the law, or for any other reason deemed necessary. It is the user's responsibility to familiarise themselves with the general terms and conditions of use of the site, of which only the most up-to-date version accessible online shall be deemed to be in force. It is possible that, in the interval between two visits to the site, the general terms and conditions of use have changed, and it is therefore the user's responsibility to read through the conditions each time before using the site.

Applicable law and courts of competent jurisdiction

All disputes concerning the use of this site and its services shall be governed by Luxembourg law, and the courts of the Grand Duchy of Luxembourg shall have exclusive jurisdiction to hear and settle such disputes.

Protection of personal data

General

The personal data communicated by the user are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The State of the Grand Duchy of Luxembourg does not collect any personal data other than the IP addresses in the web server logs for security purposes; user consent is not required before visiting the site.

The controller for these processing operations is the Body responsible for this website.

For information, the rules relating to the protection of natural persons with regard to the processing of personal data by the Grand-Ducal Police for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including protection against threats to public security and the prevention of such threats, are not set out in the aforementioned Regulation (EU) 2016/679, but in the Law of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters, which transposes Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

Users can lodge complaints relating to the protection of their personal data through the various communication channels available, and directly to the controller who, in this case, is the Body responsible for this website.

For more information, please consult our legal notice relating to the protection of personal data.

Online contact form on the site

The information about you collected through the website contact form must be processed by the relevant Body in order to manage your request.

By filling in the form, you agree to your personal data being processed in the context of your request. This information is stored by the administration for as long as necessary for the purposes of the processing.

As the retention period for personal data depends on the type of request, the Body will communicate the applicable retention period, or the criteria used to determine it, on request, on a case-by-case basis.

The recipient of your data is the Body responsible for processing your request. Please contact the Body you are filing your request/application with to find out who the recipients of the data in this form are.

In accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, you are entitled to access, rectify and, where applicable, request the erasure of your personal data. You are also entitled to withdraw your consent at any time.

Additionally, unless it is mandatory to process your data, you may object to such processing for legitimate reasons.

If you wish to exercise these rights and/or obtain a record of the information held about you, please contact the relevant Body using the contact details provided on the form. You also have the option of lodging a complaint with the National Commission for Data Protection (Commission nationale pour la protection des données - CNDP), whose headquarters are located at 15, boulevard du Jazz, L-4370 Belvaux.

Processing in connection with audience measurement

Certain data relating to the users' hardware and software, which is not capable of revealing their identity, is collected when they visit the public site. The sole purpose of collecting such data is to garner statistics on website traffic (type of browser, resolution, approximate location, etc.) in order to provide users with the best possible user experience.

Under no circumstances is the user's full IP address kept. Only one part of the IP address is kept in order to obtain overall statistics, and under no circumstances is it possible to identify the user.

This data is kept and hosted in Europe in a solution provided by a subcontractor – specifically, Adobe Systems Inc. – who, as such, is subject to the same legal obligations regarding the protection of personal data, should such data be harvested in the future.

The data is kept for no longer than is necessary to observe how audiences evolve as a function of browsers, resolution settings, and other available statistical data.

The controller for these processing operations is the Body responsible for this website.

Processing in connection with online surveys

Users' data are harvested, with their permission, for the sole purposes of conducting surveys for the State's administrative bodies. In addition, technical audience-measurement data are collected at the same time.

The data is kept for the duration of the survey, plus a few weeks for the results to be statistically analysed.

These surveys are conducted directly on websites of subcontractors such as surveygizmo.eu developed by Widgix Limited, based in the United States. The data are hosted in Europe. Those subcontractors are subject to the same legal obligations regarding the protection of personal data, because the surveys are carried out for or by users in the European Union.

The procedures for carrying out these surveys are such that none of the collected data permit personal identification of the user. Even by combining technical identifier data (IP address or information about the user's browser or device) and/or data harvested from multiple surveys, the subcontractor operating the platform would still be unable to personally identify the users.

The data controller and the data recipient is the Body responsible for the website, which commissioned the survey.

Protected logos and emblems

The logos and emblems of the Police grand-ducale (PGD) have been registered with the Benelux Office for Intellectual Property (BOIP). By this filing, all the distinctive signs of the PGD, including in particular the logos, emblems, insignia, slogans, posters, designs, denominations or any other element relating thereto, have been protected at the level of the BENELUX countries.

The distinctive signs are also protected by copyright laws, in particular the loi modifiée du 18 avril 2001 sur les droits d’auteurs, les droits voisins et les bases de données, as well as any provision relating to trademarks, designs and models, in particular the BENELUX Convention on intellectual property.

The determination of the emblem is covered by the règlement grand-ducal du 17 août 2018 portant 1° détermination de l’emblème, de l’uniforme et de la carte de service de la Police ; 2° modification du règlement grand-ducal du 15 février 1982 concernant les drapeaux et emblèmes militaires.

The logos and emblems belong exclusively to the Ministry of Internal Security, as well as to the PGD, and are protected by the provisions of Luxembourg criminal law against any fraudulent or non-fraudulent usurpation. Any use or reproduction in any form whatsoever therefore requires the prior agreement of these two parties.

If you have any requests or questions, please use the following email address: contact@police.etat.lu

Presence on social networks

Moderation policy

All users joining the website's community on social networks undertake to refrain from any form of discrimination based on race, colour, religion, gender, sexual orientation, age, ethnic origin, disability, marital or employment status.

Abusive, racist, sexist or offensive comments have no place on social networks. Any such comments will be deleted and reported.

Languages

On social networks, this site communicates mainly in French. Depending on the situation and target audiences, information may be posted in the other two national languages (German and Luxembourgish) and in English.

As far as possible, replies to all questions or comments will be in the language used by the user.

Cookies Charter

We explain to you how and why we use cookies on this website, quite openly.

This site may use client-side cookies. These are small text files that are used to analyse users' browsing patterns and habits (frequency and duration of visits, pages viewed, language preferences, etc.). They are stored by the site in a directory on the user's computer. Cookies generally contain the name of the server, an identifier in the form of a unique number, and an expiry date. The unique identifier allows the website to 'remember' the user's computer whenever they visit the website.

The user can decide whether or not to allow the website to store cookies on their computer. They can change their browser settings at any time to prevent cookies from being accepted and stored. Additionally, from their browser, the user can delete any cookies that have already been stored on their computer.

What are cookies and what are they used for?

Cookies are small text files that are sent through your browser by the websites you visit and saved on and/or read from the hard disk of your device (e.g. your PC, laptop or smartphone). Practically all websites use cookies to optimise performance, user experience and features.

Our cookies

We use cookies for web analytics purposes. Our cookies are set by Adobe Analytics. Adobe Analytics is a third-party product which is hosted in Europe and complies with European data protection regulations.

We use Adobe Analytics to track the number of visitors and to collect data on how they use our website (e.g. pages with the most views, visit duration, etc.).

We use this information to improve our website and to provide users with the best possible access to information.

We do not use advertising cookies.

How to disable cookies

You can disable cookies at any time.

You can delete cookies stored on your device and set your browser to refuse them using the preferences of your Internet browser.

Cookies-related browser settings can generally be found in the "Options", "Tools" or "Preferences" menu of the browser you use to access this website.

However, depending on the browser you use, the procedure for disabling cookies may be different.

For further information, see the links below:

Microsoft Internet Explorer

Note that even if you prevent your browser from storing cookies on your device, you will still be able to browse this website.

If you have any questions about the Cookies Charter, please contact us using the on-line form.

Data protection and processing:

Processing of personal data by the Police

During the performance of its duties, the Grand-Ducal Police processes personal data, in accordance with the legal framework. The information below relates to data protection

Definitions:

"personal data": any information relating to an identified or identifiable natural person.

"identifiable natural person": a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Legal basis for the processing of personal data by the Police:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereafter referred to as the GDPR, which entered into force on 25 May 2018, is not the only legal text that applies to the processing of personal data by the Police.

The processing of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including protection against threats to public security and the prevention of such threats, are governed by the Law of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters, which transposes Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, hereafter referred to as the Law of 1 August 2018.

The Law of 1 August 2018 therefore covers the processing of personal data by the Police in relation to the performance of its duties.

The data controller:

the Grand-Ducal Police, represented by its Director General.

secgen@police.etat.lu

The Data Protection Officer:

dpo@police.etat.lu

Tasks:

to inform and advise the data controller or the processor and the employees who carry out processing of their obligations pursuant to the provisions in national and European law;

to monitor compliance with the national and European legal framework relating to personal data protection, including with regard to the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

to provide advice where requested as regards the data protection impact assessment and monitor its performance;

to cooperate with the supervisory authority;

to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.

The Data Protection Officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Principles relating to processing of personal data:

Personal data shall be:

processed lawfully, fairly and in a transparent manner in relation to the data subject;

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

accurate and, where necessary, kept up to date;

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Security of personal data:

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Grand-Ducal Police personnel are of course bound by professional secrecy and more particularly by investigative secrecy, and each member of personnel has access only to the data necessary for them to perform their respective tasks.

Supervision of personal data processing:

The processing implemented by the Grand-Ducal Police is supervised and monitored by supervisory authorities set up pursuant to Article 51 of the GDPR and Articles 39 and 40 of the Law of 1 August 2018, and pursuant to Article 3 of the Law of 1 August 2018 establishing the National Commission for Data Protection and the general rules on data protection.

The supervisory authorities ensure that processing is carried out in accordance with the legal provisions governing it in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.

To this end, the supervisory authorities have direct access to the data processed. They may carry out checks in situ and obtain all information and documents relevant to their tasks.
They may also appoint one of their members to carry out specific supervisory tasks. The supervisory authorities carry out the necessary rectifications and erasures.

The tasks of the supervisory authorities are set out in greater detail in Article 57 of the GDPR, and in Article 42 of the Law of 1 August 2018.

Notification to the supervisory authority and communication to the data subject of a personal data breach:

In the case of a personal data breach, the data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority in accordance with Article 55 of the GDPR and Article 29 of the Law of 1 August 2018, unless the breach in question is unlikely to result in a risk to the rights and freedoms of natural persons.

When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay, unless such communication is unnecessary pursuant to Article 34(3) of the GDPR and Article 30(3) of the Law of 1 August 2018.

Your rights:

Subject to the conditions set out in the relevant articles, you have the following rights:

right of access (Article 15 of the GDPR; Article 13 of the Law of 1 August 2018): the right to obtain from the Police confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to said data and to other information such as the purposes and recipients of the processing, together with a copy of the personal data undergoing processing;

right to rectification (Article 16 of the GDPR; Article 15 of the Law of 1 August 2018): the right to obtain the rectification of inaccurate personal data concerning you and to have incomplete personal data completed;

right to erasure (Article 17 of the GDPR; Article 15 of the Law of 1 August 2018): the right to obtain the erasure of personal data concerning you if the retention thereof is no longer justified on legitimate grounds.

right to restriction of processing (Article 18 of the GDPR; Article 15 of the Law of 1 August 2018): the right to obtain the restriction of processing of personal data concerning you, subject to the conditions set out in the aforementioned article.

right to object (Article 21 of the GDPR): the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions, unless there are compelling legitimate grounds for the processing or for the establishment, exercise or defence of legal claims.

The Grand-Ducal Police hereby informs you that the GDPR does not apply to the personal data of deceased persons (recital 27 of the GDPR).

Exercising your rights:

Data subjects can contact the Data Protection Officer using the contact details given below, subject to compliance with the identity verification procedure, details of which are given below.

dpo@police.etat.lu

Identity verification procedure:

In accordance with Article 12(6) of the GDPR and Article 11(5) of the Law of 1 August 2018, the Grand-Ducal Police must have sufficient guarantees in order to be able to establish the identity of the person requesting information with certainty.

At this stage, the Grand-Ducal Police has selected four options to enable data subjects to exercise their right to access information, namely:

a letter accompanied by a copy of an identity document (identity card or passport). The reply will be sent solely to the official address declared by the person making the request;

an email accompanied by a copy of an identity document (identity card or passport). The reply will be sent solely to the official address declared by the person making the request;

an electronic request using a unique identifier (LuxTrust or similar), which is currently being set up and will be accessible via the www.police.lu website;

a verbal request made in person, during opening hours and preferably by appointment with the Data Protection Officer, on presentation of an identity card, at the Directorate-General of the Grand-Ducal Police:
Direction Générale de la Police, Cité Policière Grand-Duc Henri, Complexe A, rue de Trèves, L-2632 Luxembourg,

with the option of requesting that the response be sent to an address chosen by the person making the request.

If you are not satisfied with the response given to your request under GDPR, you have the right to lodge a complaint with the National Commission for Data Protection (Commission nationale pour la protection des données - CNPD), using the contact details below:

Commission nationale pour la protection des données (CNPD)

Service des réclamations
15, boulevard du Jazz

L-4370 Belvaux

Security measures protecting the processing of personal data

1) Legal framework:

The security measures that must be implemented by the controller to protect the processing of personal data carried out under their responsibility are set out in Article 28 of the Law of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters, as well as in Article 32 of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2) Risk analysis conducted:

As prescribed by the legal framework, the Grand-Ducal Police has conducted a risk analysis and taken the necessary steps to minimise risks.

Risk analysis is a key aspect of information security and is conducted as part of managing the entity's information security management system. The risk analysis makes it possible to:

identify information security risks;

assess and appraise the risks identified;

establish and limit adverse effects on information security;

define and plan the actions to be implemented to tackle the risks;

implement the actions planned;

accept the residual risk;

determine and apply an approach of continuous improvement to information security.

As the risk analysis contains details of the technical measures implemented, it cannot be published, as understanding the techniques used to protect the processing of personal data is obviously crucial information for a criminal looking to obtain illegal access to the processing.

The risk analysis conducted by the Police technologies department (Direction des technologies policières (PGD-DCRC-DTP)), version 1.0. final of 28 October 2018, hereinafter risk analysis v.1.0, is the entity's first formal information security risk analysis. It was conducted with a view to assessing the entity's current situation in terms of information security. Each risk has been carefully assessed against the information known and received from officers called upon from different departments, and the impact values of the C (confidentiality), I (integrity) and A (availability) criteria, the likelihood of a threat and the likelihood of a vulnerability.

2.1.) Methodology:

The Grand-Ducal Police have adopted the risk analysis approach recommended by the National cybersecurity agency of France (ANSSI), where information forms a central part of the approach (data-centric model). To carry out its risk analysis, the entity uses the MONARC risk analysis tool, developed by CASES, hosted on the GovCloud platform implemented upstream by the Government IT centre (CTIE) subject to an agreement with ANSSI for hosting the MONARC tool, with ANSSI making it available for use. The benefit is that all the elements required to create the entity's model as a basis for the risk analysis are immediately available with the predetermined library objects (assets and risk scenarios) structured in line with the aforementioned approach. As a result, the analysis may be started quickly and conducted efficiently.

Risk analysis v.1.0 summarises the method and sets out the results of the risk analysis carried out using MONARC at the entity's work environment. MONARC is implemented in compliance with the international standard ISO/IEC 27005:2011.

References

[1] ISO/IEC 27005:2011 - Information security risk management.

[2] http://www.iso.org/iso/en/catalogue_detail?csnumber=56742. The ISO/IEC 27005 standard provides a detailed explanation of how to conduct the risk assessment and risk treatment, in relation to information security

2.2.) Description of the "Méthode Optimisée d’Analyse des Risques CASES" (MONARC):

MONARC relies on a library of risk models providing objects made up from risk scenarios for assets or groups of assets. This approach helps to manage the most common risks and achieve objectivity and efficiency. As MONARC is entirely iterative, these results can be refined and tailored to the maturity of each entity by increasing the detail of the risk scenarios.

Context establishment

The first step is to take stock of the context, challenges and priorities of the entity wishing to analyse its risks.

In particular, this serves to identify the entity's key activities and critical processes in order to steer the risk analysis towards the most important elements. To do this, a kick-off meeting is arranged with members of the management team and key individuals. The goal is to understand what makes the entity "live" and what could destroy it, as well as identifying the key processes, internal and external threats, and organisational, technical and human vulnerabilities.

Context modelling

This phase includes the modelling of object trees. Assets were identified in the previous phase. They must now be detailed and formalised in a diagram showing their interdependencies.

Impacts are defined at the level of the primary assets (information or services). The secondary assets inherit the impact of the primary asset to which they are attached (object tree).

The impacts at secondary asset level can be modified manually.

Assessment and treatment of risks

The assessment consists of quantifying the threats, vulnerabilities and impacts to calculate risks.

This requires quality information on the exact likelihood of the threats, the ease of exploiting vulnerabilities and potential impacts, hence the need to rely on metrics validated by experts.

When the risk assessment identifies a risk exceeding the acceptable level (risk acceptance grid), risk treatment measures should be implemented to reduce the risk to an acceptable level.

Implementation and monitoring

When the first treatment of risks has been carried out, an ongoing security management phase must be entered with monitoring and recurring control of security measures, in order to improve these sustainably.

This fourth phase also enables continuous optimisation of security by increasing the detail of objects used and expanding the scope of the risk analysis.

3) Consultant assessment:

3.1.) Strengths:

The commitment by the management at the Central directorate for resources and competences (Direction centrale "ressources et compétences" - DCRC) to conducting a risk analysis for the Police technologies department (Direction des technologies policières - DTP), entrusting the handling of the analysis to DTP agents and acquiring internal knowledge and skills in information security.

Assigning a study brief and logical access management to a DTP agent.

Appointing a DPO at the entity.

3.2.) Weaknesses:

The time taken to carry out the risk analysis. The risk analysis should be considered a snapshot of the entity's situation at a given moment, so a long interval between the start and end of the analysis may compromise the results if changes have occurred in the meantime. Of course, the time it takes to run the risk analysis is also contingent on the availability of the people carrying it out.

3.3.) Summary:

The consultants met proactive partners and appreciate the management's determination to strive towards improving information security within their control.

Schengen Information System (SIS)

Protection of individuals with regard to the processing of personal data in the Schengen Information System (SIS)

Presentation of the Schengen Information System

The Schengen Information System (SIS) was implemented as a search system for persons and objects by the Convention implementing the Schengen Agreement of 19June 1990. The SIS was devised as a compensatory measure to the lifting of internal border controls with the aim of ensuring a high level of security in the European Union’s area of freedom, security and justice. The Council Decision 2007/533/JHA of 12 June 2007, as well as the European Regulation 1987/2006 of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System, laid the legal foundation for the second generation of the SIS (SIS II) and introducing several new functionalities. Thus, the system includes the following alerts:

On persons:

for a refusal of entry or stay;
wanted for arrest for surrender or extradition purposes;
who are missing;
sought for assistance with a judicial procedure;
for discreet checks or specific checks.

On objects:

for discreet checks or specific checks;
for seizure or use as evidence in criminal proceedings.

Monitoring the processing of personal data:

The processing of data by the Grand Ducal Police is done in accordance with the law of the 1^st of August 2018 on the protection of individuals with regard to the processing of personal data by law enforcement authorities, transposing the Directive 2016/680 into national law. The controller shall implement the appropriate technical and organisational measures to ensure and be able to demonstrate that the processing is carried out by the Grand-Ducal Police in accordance with the national and European legal framework. The controller shall ensure that in case of infringement of the data processing rules, the necessary corrections and cancellations are being made.

In order to assert their rights described hereafter, the individual must send a written request to the controller accompanied by a copy of his/her ID document, to the following address:

Direction générale – Data protection officer
Cité Policière Grand-Duc Henri
Complexe A, rue de Trèves
L-2957 Luxembourg

Data subjects’ rights

In order to ensure the protection of individuals with regard to the processing of personal data, the European legal instruments, in particular the SIS II Regulation in its Article 41 for the reporting of persons for the purposes of non-admission or prohibition of residence, and the SIS II Decision in its Article 58 for other categories of alerts, grant individuals the right of access to personal data relating to them, as well as the rights to obtain rectification of inaccurate data and deletion of illegally stored data.

In the Grand Duchy of Luxembourg, each data subject may assert his/her right of access, rectification and deletion directly to the Grand Ducal Police of Luxembourg. The SIS II Decision in Article 58 specifies that everyone has the right of access to his/her personal data entered in SIS II. To do this, the person concerned must send a written request, accompanied by a copy of his/her ID document, to the the Data protection officer of the Grand Ducal Police. According to the law of the 1^st of August 2018 on the protection of individuals with regard to the processing of personal data by law enforcement authorities transposing the Directive 2016/680, the data subject may also address a complaint to a supervisory authority in case of an unsatisfactory response from the controller that means from the Grand Ducal Police. The address of the competent authority (CNPD) is the following:

Commission nationale pour la protection des données
Service des réclamations
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette

Pour en savoir plus / Learn more :

Publications

SIS II - Système d’information Schengen II (FR) (Pdf - 812 Ko)
SIS II - Schengen Information System II (EN) (Pdf - 809 Ko)
SIS II - Schengen Informationssystem II (DE) (Pdf - 814 Ko)
SIS II - Sistema de Informação de Schengen II (PT) (Pdf - 768 Ko)

Informations complémentaires / Complementary information

Schengen Information System What is the Schengen Information System?
Autorité de contrôle spécifique (Article 17) (cnpd.public.lu)
EUR-Lex - Access to European Union law Règlement (CE) n o 1987/2006 du Parlement européen et du Conseil du 20 décembre 2006
EUR-Lex - Access to European Union law Décision 2007/533/JAI du Conseil du 12 juin 2007
Texte coordonné de la loi du 2 août 2002 relative à la protection des personnes à l'égard du traitement des données à caractère personnel modifiée par la loi du 31 juillet 2006, la loi du 22 décembre 2006, la loi du 27 juillet 2007.

Passenger Information Unit

Legal notice relating to the processing of passenger name record data for the prevention and prosecution of terrorism and serious crime

In the performance of its tasks, the Grand-Ducal Police processes personal name record (PNR) data for the purposes of the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

Definitions:

"personal data": any information relating to an identified or identifiable natural person.

"identifiable natural person": a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Legal basis for the processing of personal data by the Passenger Information Unit (PIU):

Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime,

transposed into national law by:

The Law of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters applies to the processing of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including protection against threats to public security and the prevention of such threats, by any competent public authority or any other body or entity that has been entrusted with the exercise of public authority and the prerogatives of public power to this end, hereafter referred to as the "competent authority".

The Law of 1 August 2018 on the processing of passenger name record data for the prevention and prosecution of terrorism and serious crime and amending the Law of 5 July 2016 on the reorganisation of the State intelligence service specifically governs the transfer, by air carriers, of passenger name record data, and the processing of these data for the purposes of the prevention, investigation, detection or prosecution of terrorist offences and serious crime.

The data controller:

the Grand-Ducal Police, represented by its Director General.

secgen@police.etat.lu

Contact details of the PIU:

Directorate General - International relations department - Passenger Information Unit

dri.uip@police.etat.lu

Contact details of the Data Protection Officer:

Directorate General - Data Protection Officer.

To exercise your rights, contact the Data Protection Officer by email at dpo@police.etat.lu

Tasks of the Data Protection Officer:

to inform and advise the data controller or the processor and the employees who carry out processing of their obligations pursuant to the provisions in national and European law;

to provide advice where requested as regards the data protection impact assessment and monitor its performance;

to cooperate with the supervisory authority;

to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.

Principles relating to processing of personal data:

Personal data shall be:

processed lawfully, fairly and in a transparent manner in relation to the data subject;

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

accurate and, where necessary, kept up to date;

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Security of personal data:

Notification to the supervisory authority and communication to the data subject of a personal data breach:

In the case of a personal data breach, the data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the breach in question to the supervisory authority, unless the breach in question is unlikely to result in a risk to the rights and freedoms of natural persons. When the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by the reasons for the delay.

When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay, unless such communication is unnecessary pursuant to Article 30 of the Law of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters.

Right to submit a complaint to the supervisory authority in the case of a personal data breach:

According to Article 44 of the Law of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters, any data subject may submit a complaint to the National Commission for Data Protection about personal data processing operations if they feel that the processing of the personal data relating to them constitutes a breach of the provisions of the aforementioned law.

The supervisory authority shall inform the data subject of the progress and outcome of the complaint, including the option of taking legal action pursuant to Article 45.

Contact details of the supervisory authority:

Commission nationale pour la protection des données (CNPD)

Service des réclamations
15, boulevard du Jazz

L-4370 Belvaux

Your rights:

Subject to the conditions set out in the relevant articles of the Law of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters, you have the following rights:

Right of access (Article 13): the right to obtain from the Police confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to said data and to other information such as the purposes and recipients of the processing, together with a copy of the personal data undergoing processing;

Right to rectification (Article 15): the right to obtain the rectification of inaccurate personal data concerning you and to have incomplete personal data completed;

Right to erasure of data (Article 15): the right to obtain the erasure of personal data concerning you if the retention thereof is no longer justified on legitimate grounds;

Right to restrict processing (Article 15): the right to obtain the restriction of processing of personal data concerning you, subject to the conditions set out in Article 15.

To exercise your rights, contact the Data Protection Officer by email at: dri.cj@police.etat.lu

For more information:

Règlement (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données
Directive (UE) 2016/681 du Parlement européen et du Conseil du 27 avril 2016 relative à l'utilisation des données des dossiers passagers (PNR) pour la prévention et la détection des infractions terroristes et des formes graves de criminalité, ainsi que pour les enquêtes et les poursuites en la matière
Loi du 1er août 2018 relative à la protection des personnes physiques à l’égard du traitement des données à caractère personnel en matière pénale ainsi qu’en matière de sécurité nationale (Mémorial A n°689 du 16 août 2018)
Loi du 1er août 2018 relative au traitement des données des dossiers passagers dans le cadre de la prévention et de la répression du terrorisme et de la criminalité grave et portant modification de la loi du 5 juillet 2016 portant réorganisation du Service de renseignement de l’Etat (Mémorial A n°690 du 16 août 2018)
Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et mise en œuvre du règlement (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE (règlement général sur la protection des données), portant modification du Code du travail et de la loi modifiée du 25 mars 2015 fixant le régime des traitements et les conditions et modalités d’avancement des fonctionnaires de l’Etat

Description of the personal data processing carried out by the Grand-Ducal Police for the management of Einsatzleitsystem (ELS) actions.

The Grand-Ducal Police uses a database of personal data and general police information known as the Einsatzleitsystem (ELS). See the document about the ELS >>>

Other topics:

Funds for Internal Security

Internal Security Fund

The "Internal Security Fund" (ISF) was set up for the period 2014-2020 as part of the general European "Solidarity and Management of Migration Flows" programme.

This fund will support the management of the external borders and visas, with €2.8 billion of funding being made available up to 2020. One and a half billion will go to national programmes, €791 million will support the management of migration flows at the EU's external borders, €154 million will be devoted to the Special Transit Scheme, and €264 million to EU actions, emergency aid and technical assistance.

The funds are being used to set up the infrastructure and systems necessary at border crossing points and for the surveillance of the borders. They are also funding the IT systems required for the European Border Surveillance System (EUROSUR) as well as measures to ensure effective management of migration flows, visa application processing and consular cooperation.

The total financial support package for police cooperation, preventing and combating crime, and crisis management was one billion euros for the 7 years. The main objectives of this package are crime prevention, combating cross-border, serious and organised crime (particularly terrorism), and strengthening cooperation between the enforcement authorities at national and European levels.

At national level, the management of this new fund was entrusted to the Grand-Ducal Police. It provided for a budget of approximately €7 million to be made available to Luxembourg as part of a scheme to co-fund its national multi-year internal security and external border security programme. This budget has been allocated as follows: approximately €5m for the management of the external borders and €2m for police cooperation, preventing and combating crime, and crisis management. Today, these amounts have increased considerably, especially for border management (from €5m to around €16m), and police cooperation (from €2m to €2.4m).

FE-ISF Contact

Claudia CARVAS

Tel.: (+352) 244 24 7771

Email: claudia.carvas@police.etat.lu

Cité Policière Grand-Duc Henri
Complexe A, rue de Trèves
L-2957 Luxembourg

Protection of individuals with regard to the processing of personal data in the Schengen Information System (SIS)

Pour en savoir plus / Learn more :

Internal Security Fund

Conditions générales d’utilisation de l’application mobile Police.lu