Data protection

Processing of personal data by the Police

During the performance of its duties, the Grand-Ducal Police processes personal data in accordance with the legal framework. The information below relates to data protection.

Definitions:

  • "personal data": any information relating to an identified or identifiable natural person.
  • "identifiable natural person": a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • "processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Legal basis for the processing of personal data by the Police:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereafter referred to as the GDPR, which entered into force on 25 May 2018, is not the only legal text that applies to the processing of personal data by the Police.

The processing of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including protection against threats to public security and the prevention of such threats, is governed by the Law of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters, which transposes Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, hereafter referred to as the Law of 1 August 2018.

The Law of 1 August 2018 therefore covers the processing of personal data by the Police in relation to the performance of its duties.

The data controller:

The Grand-Ducal Police, represented by its Director General.

secgen@police.etat.lu

The Data Protection Officer:

dpo@police.etat.lu

Tasks:

  • to inform and advise the data controller or the processor and the employees who carry out processing of their obligations pursuant to the provisions in national and European law;
  • to monitor compliance with the national and European legal framework relating to personal data protection, including with regard to the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance;
  • to cooperate with the supervisory authority;
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.

The Data Protection Officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Principles relating to processing of personal data:

Personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Security of personal data:

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Grand-Ducal Police personnel are of course bound by professional secrecy and more particularly by investigative secrecy, and each member of personnel has access only to the data necessary for them to perform their respective tasks.

Supervision of personal data processing:

The processing implemented by the Grand-Ducal Police is supervised and monitored by supervisory authorities set up pursuant to Article 51 of the GDPR and Articles 39 and 40 of the Law of 1 August 2018, and pursuant to Article 3 of the Law of 1 August 2018 establishing the National Commission for Data Protection and the general rules on data protection.

The supervisory authorities ensure that processing is carried out in accordance with the legal provisions governing it in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.

To this end, the supervisory authorities have direct access to the data processed. They may carry out checks in situ and obtain all information and documents relevant to their tasks.
They may also appoint one of their members to carry out specific supervisory tasks. The supervisory authorities carry out the necessary rectifications and erasures.

The tasks of the supervisory authorities are set out in greater detail in Article 57 of the GDPR, and in Article 42 of the Law of 1 August 2018.

Notification to the supervisory authority and communication to the data subject of a personal data breach:

In the case of a personal data breach, the data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority in accordance with Article 55 of the GDPR and Article 29 of the Law of 1 August 2018, unless the breach in question is unlikely to result in a risk to the rights and freedoms of natural persons.

When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay, unless such communication is unnecessary pursuant to Article 34(3) of the GDPR and Article 30(3) of the Law of 1 August 2018.

Your rights:

Subject to the conditions set out in the relevant articles, you have the following rights:

  • right of access (Article 15 of the GDPR; Article 13 of the Law of 1 August 2018): the right to obtain from the Police confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to said data and to other information such as the purposes and recipients of the processing, together with a copy of the personal data undergoing processing;
  • right to rectification (Article 16 of the GDPR; Article 15 of the Law of 1 August 2018): the right to obtain the rectification of inaccurate personal data concerning you and to have incomplete personal data completed;
  • right to erasure (Article 17 of the GDPR; Article 15 of the Law of 1 August 2018): the right to obtain the erasure of personal data concerning you if the retention thereof is no longer justified on legitimate grounds.
  • right to restriction of processing (Article 18 of the GDPR; Article 15 of the Law of 1 August 2018): the right to obtain the restriction of processing of personal data concerning you, subject to the conditions set out in the aforementioned article.
  • right to object (Article 21 of the GDPR): the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions, unless there are compelling legitimate grounds for the processing or for the establishment, exercise or defence of legal claims.

The Grand-Ducal Police hereby informs you that the GDPR does not apply to the personal data of deceased persons (recital 27 of the GDPR).

Exercising your rights:

Data subjects can contact the Data Protection Officer using the contact details given below, subject to compliance with the identity verification procedure, details of which are given below.

dpo@police.etat.lu

Identity verification procedure:

In accordance with Article 12(6) of the GDPR and Article 11(5) of the Law of 1 August 2018, the Grand-Ducal Police must have sufficient guarantees in order to be able to establish the identity of the person requesting information with certainty.

At this stage, the Grand-Ducal Police has selected four options to enable data subjects to exercise their right to access information, namely:

  • a letter accompanied by a copy of an identity document (identity card or passport). The reply will be sent solely to the official address declared by the person making the request;
  • an email accompanied by a copy of an identity document (identity card or passport). The reply will be sent solely to the official address declared by the person making the request;
  • an electronic request using a unique identifier (LuxTrust or similar), which is currently being set up and will be accessible via the www.police.lu website;
  • a verbal request made in person, during opening hours and preferably by appointment with the Data Protection Officer, on presentation of an identity card, at the Directorate-General of the Grand-Ducal Police (Direction Générale de la Police, Cité Policière Grand-Duc Henri, Complexe A, rue de Trèves, L-2632 Luxembourg), with the option of requesting that the response be sent to an address chosen by the person making the request.

If you are not satisfied with the response given to your request under GDPR, you have the right to lodge a complaint with the National Commission for Data Protection (Commission nationale pour la protection des données - CNPD), using the contact details below:

Commission nationale pour la protection des données (CNPD)
Service des réclamations
15, boulevard du Jazz
L-4370 Belvaux

Security measures to protect the processing of personal data

1) Legal framework:

The security measures that the controller must implement to protect the processing of personal data carried out under its responsibility are described in Article 28 of the Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters, and Article 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2) Performance of risk analysis:

The Grand-Ducal Police carried out a risk assessment, as required by the legal framework, and took the necessary measures to minimise the risks.

Risk analysis is a key element of information security and is carried out as part of the management of the entity's information security management system. Risk analysis makes it possible to:

  • identify information security risks;
  • assess and evaluate the identified risks;
  • identify and mitigate undesirable information security impacts;
  • define and plan the actions to be taken to manage the risks;
  • implement the planned actions;
  • accept the residual risk;
  • determine and apply a continuous improvement approach to information security.

As the risk analysis contains the detailed technical measures implemented, it cannot be made public, as knowledge of the techniques used to protect the processing of personal data is obviously the first piece of information that a malicious person would need in order to gain unauthorised access to the processing.

The risk analysis conducted by the Police Technology Directorate (PGD-DCRC-DTP), version 1.0 final of 28 October 2018, hereinafter referred to as the risk analysis v.1.0, constitutes the first formalised risk analysis of the entity's information security. It was carried out with the objective of taking stock of the entity's current information security situation. Each risk was carefully assessed using the information known and received from the agents involved in the different departments, the impact values of the criteria C (confidentiality), I (integrity) and D (availability), the likelihood (probability) of a threat and the qualification (probability) of a vulnerability.

2.1.) Methodology:

The Grand-Ducal Police has adopted the risk analysis approach recommended by ANSSI, i.e. a risk analysis method based on information as the central element of reflection (data-centric model). To carry out its risk analysis, the entity uses the MONARC risk analysis tool developed by CASES, hosted on the GovCloud platform implemented by the CTIE as part of an agreement with ANSSI to host the Monarc tool, and made available by ANSSI. The advantage of this choice is the immediate availability of all the elements needed to create the entity model on which the risk analysis is based, with the library objects (assets and risk scenarios) already pre-designed and structured according to the approach described above, thus allowing a rapid start and efficient completion of the analysis.

The risk analysis v.1.0 summarises the methodology and presents the results of the risk analysis carried out with MONARC in the entity's environment. MONARC is influenced by the international standard ISO/IEC 27005:2011.

References

[1] ISO/IEC 27005:2011, Information security risk management. ISO/IEC 27005 explains in detail how to carry out risk assessment and management in the context of information security.

2.2.) Description of the "Optimised Risk Analysis Method CASES" (MONARC):

MONARC is based on a library of risk models that provide objects consisting of risk scenarios for each asset or group of assets. This approach facilitates the management of the most common risks and provides greater objectivity and efficiency. As MONARC is fully iterative, the results can be refined and adapted to the maturity of each entity by increasing the granularity of the risk scenarios.

Setting the context

The aim of this first stage is to take stock of the context, issues and priorities specific to the entity wishing to analyse its risks.

This involves identifying the entity's key activities and critical processes, in order to focus the risk analysis on the most important elements. To do this, a kick-off meeting is organised with members of management and key people. The aim is to find out what sustains the business and what could destroy it, to identify key processes, internal and external threats, and organisational, technical and human vulnerabilities.

Context modelling

This phase involves modelling the object trees. The assets have been defined in the previous phase. They now need to be detailed and formalised in a diagram showing their interdependencies.

Impacts are defined at the level of primary assets (information or services). Secondary assets inherit the impact of the primary asset to which they are attached (object tree).

Impacts on secondary assets can be modified manually.

Risk assessment and management

Assessment involves quantifying the threats, vulnerabilities and impacts in order to calculate the risks.

To do this, you need high-quality information about the exact likelihood of a threat, the ease with which a vulnerability can be exploited, and the potential impact. Hence the importance of relying on metrics that have been validated by experts.

If the risk assessment identifies a risk that is higher than the acceptable level (risk acceptance grid), measures must be taken to deal with this risk in order to reduce the risk to an acceptable level.

Implementation and monitoring

Once the initial risk treatment has been carried out, we need to move on to a phase of continuous security management, with recurrent monitoring and control of security measures, so that we can make lasting improvements.

This fourth phase also allows security to be continuously optimised by increasing the granularity of the objects used and extending the scope of risk analysis.
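The four phases above (object tree, inherited and manually overridden impacts, quantification of threat likelihood and vulnerability, comparison against an acceptance grid) as a worked example in Python. This is an added illustration, not code from the Grand-Ducal Police or from the MONARC tool: the scales (impact 0-4 per C/I/A dimension, likelihood 0-4, vulnerability 0-5), the product formula, the acceptance thresholds and the sample assets and scenarios are all assumptions made for the example, since the page does not give MONARC's catalogue or formulas.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed scales for this example: impact 0-4 per dimension,
# threat likelihood 0-4, vulnerability qualification 0-5.
DIMENSIONS = ("C", "I", "A")


@dataclass
class Asset:
    """Node of the object tree. A primary asset carries an explicit impact;
    a secondary asset leaves `impact` as None and inherits from its parent,
    unless an analyst overrides it manually by setting an impact."""
    name: str
    impact: Optional[Dict[str, int]] = None
    parent: Optional[Asset] = None
    children: List[Asset] = field(default_factory=list)

    def attach(self, child: Asset) -> Asset:
        child.parent = self
        self.children.append(child)
        return child


def effective_impact(asset: Asset) -> Dict[str, int]:
    """Walk up the object tree to the nearest node with an explicit impact."""
    node = asset
    while node.impact is None:
        if node.parent is None:
            raise ValueError(f"asset {node.name!r} has no impact and no parent")
        node = node.parent
    return node.impact


@dataclass
class Scenario:
    asset: Asset
    threat: str
    affects: Tuple[str, ...]   # which of C/I/A the threat degrades
    threat_likelihood: int     # 0-4
    vulnerability: int         # 0-5


def risk_value(s: Scenario) -> int:
    """Assumed formula: worst affected impact x likelihood x vulnerability."""
    impact = effective_impact(s.asset)
    worst = max(impact[d] for d in s.affects)
    return worst * s.threat_likelihood * s.vulnerability


def classify(value: int, grid: Tuple[int, int]) -> str:
    """Acceptance grid: below `low` is accepted, up to `high` is tolerated,
    anything above `high` must be treated."""
    low, high = grid
    if value < low:
        return "low"
    if value <= high:
        return "medium"
    return "high"


def assess(scenarios: List[Scenario], grid: Tuple[int, int]):
    rows = []
    for s in scenarios:
        value = risk_value(s)
        rows.append((s.asset.name, s.threat, value, classify(value, grid)))
    return rows


def needs_treatment(scenarios: List[Scenario], grid: Tuple[int, int]):
    """Scenarios above the acceptable level, i.e. those requiring measures."""
    return [row for row in assess(scenarios, grid) if row[3] == "high"]


ACCEPTANCE_GRID = (10, 20)  # assumed thresholds (low below 10, high above 20)


def build_example() -> List[Scenario]:
    # Constructed sample object tree: one primary asset, two secondary assets.
    case_files = Asset("case file database", impact={"C": 4, "I": 3, "A": 2})
    db_server = case_files.attach(Asset("database server"))  # inherits impact
    backups = case_files.attach(
        Asset("backup tapes", impact={"C": 4, "I": 2, "A": 1}))  # manual override
    return [
        Scenario(db_server, "unauthorised logical access", ("C",), 2, 3),
        Scenario(db_server, "hardware failure", ("A",), 1, 1),
        Scenario(backups, "loss of storage media", ("C", "A"), 1, 2),
    ]


if __name__ == "__main__":
    for row in assess(build_example(), ACCEPTANCE_GRID):
        print(row)
```

The database server has no impact of its own, so `effective_impact` climbs to the case file database; the backup tapes keep their manually set values. Only the logical-access scenario (4 x 2 x 3 = 24) exceeds the grid and shows up in `needs_treatment`; re-running the assessment after measures are applied is what the monitoring phase amounts to in this model.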

3) Assessment of consultants:

3.1.) Strengths:

  • A commitment from the DCRC to carry out a risk analysis for the DTP department, to entrust it to DTP staff and to acquire in-house knowledge and skills in information security.
  • The assignment of a member of the DTP department to investigate and manage logical access.
  • The appointment of a DPO at entity level.

3.2.) Weaknesses:

  • The time taken to complete the risk analysis. The risk analysis should be seen as a snapshot of the entity's situation at a given point in time, and if too much time elapses between the start of the analysis and the result, there is a risk that the result will be affected by changes that have occurred in the meantime. Obviously, the length of time will also depend on the availability of the staff carrying out the risk analysis.

3.3.) Summary:

The consultants met with motivated people and appreciate management's determination to pursue efforts to improve information security within their field of application.

Schengen Information System (SIS)

Protection of individuals with regard to the processing of personal data in the Schengen Information System (SIS)

Presentation of the Schengen Information System

The Schengen Information System (SIS) was designed as a search system for persons and objects by the Convention implementing the Schengen Agreement of 19 June 1990. The SIS was implemented as a compensatory measure for the lifting of internal border controls, with the aim of ensuring a high level of security in the European Union's area of freedom, security and justice. Its legal framework is laid down in three regulations:

  • Regulation (EU) 2018/1860 on the use of the Schengen Information System for the return of illegally staying third-country nationals,
  • Regulation (EU) 2018/1861 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks,
  • Regulation (EU) 2018/1862 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters.

Thus, the system includes the following alerts: 

On persons: 

  • subject to a return decision, for the purpose of verifying that the obligation to return has been complied with and of supporting the enforcement of return decisions;
  • for a refusal of entry or stay;
  • wanted for arrest for surrender or extradition purposes;
  • who are missing;
  • sought for assistance with a judicial procedure;
  • for discreet checks, inquiry checks or specific checks;
  • who are wanted and unknown for the purposes of identification under national law.

On objects: 

  • for discreet checks, inquiry checks or specific checks;
  • for seizure or use as evidence in criminal proceedings.

The processing of personal data:

The processing of personal data by the national competent authorities is carried out in accordance with the Law of 1 August 2018 on the protection of individuals with regard to the processing of personal data by law enforcement authorities, which transposes Directive 2016/680 into national law, or, as the case may be, in accordance with European Regulation 2016/679 (the General Data Protection Regulation, GDPR).

Data controller

The Grand-Ducal Police, represented by its Director General.

Data protection officer

Purposes of processing

The purposes of the processing for which the personal data are intended are the following:

  • Prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security,
  • External border control,
  • Immigration control.

Recipients or categories of recipients

National competent authorities of the Schengen Member States that can access the SIS and are thus to be considered as recipients are listed in article 34 of Regulation 2018/1861 and articles 44 to 47 of Regulation 2018/1862.

In addition to these national competent authorities, SIS can also be accessed by Europol, Frontex and Eurojust in accordance with articles 35 and 36 of Regulation 2018/1861 and articles 48 to 50 of Regulation 2018/1862.

Storage period

Alerts on persons and on objects shall be kept only for the time required to achieve the purposes for which they were entered.

The above-mentioned regulations foresee several time limits for a periodic review of the need for the storage of personal data with the possibility to renew alerts.

Alerts on persons subject to a discreet, inquiry or specific check, as well as certain categories of missing persons, have in principle to be re-examined at the latest after one year.

Alerts on persons subject to a return decision, subject to a refusal of entry and stay, sought to assist with a judicial procedure as well as unknown wanted persons for the purpose of identification have in principle to be re-examined at the latest after three years.

Alerts on persons wanted for arrest for surrender or extradition purposes as well as certain categories of missing persons are in principle to be re-examined at the latest after five years.

Alerts on objects are in principle to be re-examined at the latest after ten years.

Data subjects’ rights

In order to ensure the protection of individuals with regard to the processing of personal data, the European legal instruments, in particular article 53 of Regulation (EU) 2018/1861 for alerts on persons subject to return decisions and for the purposes of refusal of entry or stay, and article 67 of Regulation (EU) 2018/1862 for the other categories of alerts, grant individuals the right of access to personal data relating to them, as well as the rights to obtain rectification of inaccurate data and deletion of unlawfully stored data, in accordance with articles 15, 16 and 17 of the GDPR and articles 13 and 15 of the previously mentioned Law of 1 August 2018.

In the Grand Duchy of Luxembourg, each data subject may exercise their rights of access, rectification and deletion directly with the Grand-Ducal Police.

In accordance with article 12(6) of the GDPR and article 11, paragraph 5 of the previously mentioned Law of 1 August 2018, the Grand-Ducal Police must have sufficient guarantees to establish with certainty the identity of the person requesting information, so as not to prejudice the rights of others. The following documents must therefore be enclosed with the request:

For a request from an individual:

  • either a written request via letter to the controller, accompanied by a copy of their ID document (identity card or passport), to the following address:
    Cité Policière Grand-Duc Henri
    Complexe A, rue de Trèves
    L-2957 Luxembourg
  • or an email accompanied by a copy of their ID document (identity card or passport) as well as a copy of a signed letter, to the following address: dpo@police.etat.lu

For a request from an individual on behalf of another individual:

  • a power of attorney signed by both parties,
  • a letter signed by the represented party,
  • a copy of an identity document of the represented party (identity card or passport),
  • a copy of an identity document of the representing party (identity card or passport).

For a request from an attorney:

  • a power of attorney signed by the client and the attorney,
  • a copy of an ID document of the client (identity card or passport),
  • a copy of an ID document of the attorney (identity card or passport),
  • a copy of an attorney card or equivalent.

A request where one of these documents is missing is considered incomplete and will not be processed.

It goes without saying that the transmission of a copy of an identity card or passport via the Internet may present a certain risk in the event of possible abuse by a third party (for example, interception).

Right to lodge a complaint or to seek judicial remedy

If the reply provided by the Grand-Ducal Police does not satisfy the requestor, the latter has the right to file a complaint with the national supervisory authority, namely the Commission nationale pour la protection des données, in accordance with article 77 of the GDPR or, as the case may be, article 44 of the previously mentioned Law of 1 August 2018. The national supervisory authority may be contacted at the following address:

Commission nationale pour la protection des données (CNPD)
Service des réclamations
15, Boulevard du Jazz
L-4370 Belvaux
Luxembourg.

Furthermore, the requestor also has the right to seek judicial remedy within three months after the receipt of the final reply at the Administrative Court of Luxembourg (Tribunal administratif) with the assistance of an attorney.

Lastly, it should be noted that if the data controller limits the exercise of the rights of a data subject in accordance with articles 14 or 15, paragraph 4 of the previously mentioned Law of 1 August 2018, or, as the case may be, article 53(3) of Regulation 2018/1961 and article 67(3) of Regulation 2018/1862, the data subject may exercise their rights indirectly via the Commission nationale pour la protection des données, as provided for in article 16 of the aforementioned law.

Passenger Information Unit

Legal notice on the processing of Passenger Name Record (PNR) data for the purpose of preventing and combating terrorism and serious crime

Legal basis for the processing of personal data by the Passenger Information Unit (PIU):

DIRECTIVE (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of Passenger Name Record (PNR) data for the prevention, investigation, detection and prosecution of terrorist offences and serious crime,

transposed into national law by:

Act of 1 August 2018 on the processing of passenger name record data.

Legal basis for data protection:

Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters.

The data controller:

The Grand-Ducal Police, represented by its Director General.

The data protection officer:

Contact details for the Data Protection Officer:

Purpose of processing

In the performance of its duties, the Grand-Ducal Police processes personal PNR data for the purpose of preventing, investigating, detecting and prosecuting terrorist offences and serious crime.

Your rights:

You have the following rights, subject to the conditions set out in the respective articles of the Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters:

  • Right of access (article 13): obtain confirmation as to whether or not personal data relating to you is being processed by the Police and, if so, access to such data and other information, such as the purposes or recipients of the processing, as well as a copy of your data being processed;
  • Right to rectification (article 15): have inaccurate personal data corrected or incomplete data completed;
  • Right to erasure of personal data (article 15): obtain the deletion of your personal data if their retention is no longer justified by a legitimate reason;
  • Right to restriction of processing (article 15): obtain a restriction on the processing of your personal data, subject to the conditions set out in article 15.

To exercise your rights, please contact the Data Protection Officer by e-mail: dpo@police.etat.lu

Right to lodge a complaint with the supervisory authority:

Under article 44 of the Law of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters, any data subject may lodge a complaint with the Commission nationale pour la protection des données against personal data processing operations if they consider that the processing of personal data concerning them infringes the provisions of the aforementioned law.

Likewise, the data subject has the right to lodge a complaint with the supervisory authority when they are not satisfied with the controller's response to their request for access, rectification, erasure or restriction.

Contact details for the supervisory authority:

Commission nationale pour la protection des données (CNPD)
Service des réclamations
15, boulevard du Jazz
L-4370 Belvaux

More information:
  • Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
  • Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters (Mémorial A No. 689 of 16 August 2018)
  • Act of 1 August 2018 on the processing of passenger name record data in the context of the prevention and repression of terrorism and serious crime and amending the Act of 5 July 2016 on the reorganisation of the State Intelligence Service (Mémorial A No. 690 of 16 August 2018)

Description of the processing of personal data carried out by the Grand-Ducal Police as part of the management of "Einsatzleitsystem" (ELS) interventions

The Grand-Ducal Police operates a database of personal data and general police information known as the "Einsatzleitsystem" (ELS).
