Data protection

Processing of personal data by the Police

In carrying out its duties, the Grand Ducal Police is required to process personal data, while ensuring compliance with the legal framework. You will find below information relating to the protection of your data.

Definitions :

« personal data » : any information relating to an identified or identifiable natural person (“data subject”).
« identifiable natural person » : a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
« processing » : any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Legal basis for the processing of personal data by the Police :

The Regulation (EU) 2016/679 Of the european parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereafter GDPR, which entered into force on 25^th May 2018, is not the only legal text that applies to the processing of personal data within the Police.

The processing of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security are done in accordance with the law of 1^st August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters, transposing into national law the Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA), hereafter “the law of 1^st August 2018”.

Thus, the law of 1^st August 2018 covers the processing of personal data carried out by the Police in connection with the performance of their duties.

The processing carried out by the Police is also governed by the following legal provisions :

· The amended law of 18^th July 2018 on the Grand Ducal Police ;

· The Code of Criminal Procedure ;

· The Criminal Code ;

· Other laws and regulations that assign specific missions to the Police.

Purposes of processing

The Grand Ducal Police processes personal data for the following purposes :

1. prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security ;

2. Carrying out background checks on persons as part of its criminal investigations or of general law policing missions or in the context of another legal Police mission;

3. Support to criminal investigations through operational criminal analysis at the request of the judicial authorities;

4. Support to the definition and implementation of internal security policy through strategic crime analysis;

5. Use of information for statistical research purposes ;

6. Identification of Police members in charge of a file.

The personal data may be processed for other purposes, in accordance with article 8 of the Law of 1st August 2018.

Recipients

In addition to the Grand Ducal Police, these include the judicial authorities, as provided for in the Code of Criminal Procedure, as well as any other authority authorised to receive communication of Police data in accordance with national laws, Grand Ducal regulations and European legal provisions in force.

Data controller :

The Grand Ducal Police, represented by its General Director.

secgen@police.etat.lu

Data protection officer:

dpo@police.etat.lu

Tasks :

To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to national and European regulations;
To monitor compliance with national and European legal provisions and with the policies of the controller in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits ;
To provide advice where requested as regards the data protection impact assessment and monitor its performance;
To cooperate with the supervisory authority;
To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.

The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Principles governing data processing activities:

Personal data must be :

processed lawfully and fairly;
collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes ;
adequate, relevant and not excessive in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date ;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
processed in a manner that ensures appropriate security of the personal data.

Storage period

The retention period of personal data in the Central Register («Fichier central ») is defined in article 43quinquies, paragraph 9 and following in the modified law of 18^th July 2018 on the Grand Ducal Police.

For other Police databases, the retention period is set by the data controller in the absence of a specific legal provision. This retention period needs however to comply with the provisions of article 43quater, paragraph 4 of the previously mentioned modified law of 18^th August 2018 which specifies that “(…) Data which is collected during general law policing missions or any other mission entrusted to the Police by law is deleted at the latest when the same data is deleted from the active section of the Central Register, except if a specific legal provision sets a longer retention period. Data relating to the mission of criminal investigations is deleted at the latest at the moment of transfer of the same data to the passive section of the Central Register, except if a specific legal provision sets a longer retention period.”

Security of personal data :

Personal data shall be processed in such a way as to guarantee appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by appropriate technical or organisational measures.

In this context, it should be noted that the Grand Ducal Police’s staff is subject to professional secrecy and in particular to the secrecy of the investigation, and furthermore, each staff member has access only to the data needed for the performance of his or her respective tasks.

Monitoring of the processing of personal data :

Data processing by the Grand Ducal Police is submitted to the monitoring by the supervisory authorities established by article 51 of the GDPR and articles 39 and 40 of the law of 1^st August 2018, respectively by article 3 of the law of 1^st August 2018 on the organisation of the National Data Protection Commission and the general data protection framework.

The supervisory authorities shall make sure on the one side that the data processing is carried out in accordance with the legal provisions governing them in order to protect the fundamental rights and freedoms of natural persons in relation to processing and on the other side, facilitate the free flow of personal data within the Union.

For this purpose, supervisory authorities may obtain access to all personal data that is being processed. They may carry out onsite visits and shall receive all the information and documents useful for performing their mission. They may also entrust one of their members with a specific monitoring mission. The supervisory authorities ensure also that the necessary corrections and deletions are done.

The supervisory authority’s missions are more precisely described in article 57 of the GDPR as well as in article 42 of the law of 1^st August 2018.

Notification of a personal data breach to the supervisory authority and/or the data subject :

A personal data breach is notified by the data controller, in accordance with article 55 of the GDPR and/or article 29 of the law of 1^st August 2018, without undue delay and, where feasible, not later than 72 hours after having become aware of it, to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller communicates the personal data breach to the data subject without undue delay, unless this communication is not necessary in accordance with article 34, paragraph 3 of the GDPR, respectively article 30, paragraph 3 of the law of 1^st August 2018.

Your data subject’s rights :

You have the following rights, which are subject to the conditions laid down in the respective articles:

access right (article 15 of the GDPR ; article 13 of the law of 1^st August 2018) : obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data as well as other information, such as the purposes of the processing or recipients of the data, along with a copy of the processed data for requests under the GPDR;
right to rectification (article 16 of the GDPR; article 15 of the law of 1^st August 2018): obtain the rectification of inaccurate personal data relating to you or the completion of incomplete data;
right to erasure (article 17 of the GDPR; article 15 of the law of 1^st August 2018): obtain the erasure of personal data concerning you without undue delay if the conditions of the respective articles are met;
right to restriction of processing (article 18 of the GDPR; article 15 of the law of 1^st August 2018): obtain the restriction of processing of your personal data, if the conditions of the previously mentioned articles are met;
right to object (article 21 of the GDPR): the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning them, which is based on point (e) or (f) of Article 6, paragraph 1 of the GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The Grand Ducal Police wishes to remind the data subjects that the GDPR does not apply to the processing of data of deceased (recital 27 of the GDPR) or of legal persons.

Exercising your data subject’s rights :

Currently, the Grand Ducal Police accepts three possible ways to file a request for exercising the above-mentioned rights :

by post ;
by email ;
in person at the General Directorate of the Grand Ducal Police, at the Cité policière Grand-Duc Henri, Complexe A, rue de Trèves, L-2632 Luxembourg, preferably after making an appointment with the Data Protection Officer.

The persons wishing to file a request may address it to the Data Protection Officer using the following contact details. These requests are subject to compliance with the identity verification procedure described below.

Postal address:

Grand Ducal Police

General Directorate

Data protection officer

B.P.1007

L-2957 Luxembourg

Email address: dpo@police.etat.lu

Identity verification procedure:

In accordance with article 12, paragraph 6 of the GDPR, and article 11, paragraph 5 of the law of 1^st August 2018, the Grand Ducal Police needs to have sufficient guarantees to be able to establish with certainty the identity of the data subject filing a request, so as not to infringe the rights of others. Thus, the following documents have therefore to be enclosed to the requests:

For a request from an individual:

- a copy of their identity document (identity card or passport).

Please note that for persons residing abroad, they need to also hand in a recent residence certificate since the final reply is sent by postal letter.

For a request from an individual on behalf of another individual :

- a copy of an identity document of the represented party (identity card or passport);

- a copy of an identity document of the representing party (identity card or passport);

- a power of attorney signed by both parties.

For a request from an attorney:

- a power of attorney signed by the client and the attorney;

- a copy of an identity document of the client (identity card or passport);

- a copy of an identity document of the representing party (identity document or passport).

The reply will be addressed to the official address at which the applicant is registered, but it may also be sent to another address upon explicit request from the applicant.

Right to lodge a complaint

In case the reply which is provided by the Grand Ducal Police does not satisfy the requestor, the latter has the right to file a complaint with the national supervisory authority, namely the « Commission nationale pour la protection des données », in accordance with article 77 of the GDPR, respectively in accordance with article 44 of the previously mentioned Law of 1st August 2018. The national supervisory authority may be contacted under the following contact details

Commission nationale pour la protection des données (CNPD)
Service des réclamations
15, boulevard du Jazz,
L-4370 Belvaux

Security measures to protect the processing of personal data

1) Legal framework:

The security measures that the controller must implement to protect the processing of personal data carried out under its responsibility are described in Article 28 of the Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters, and Article 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2) Performance of risk analysis:

The Grand-Ducal Police carried out a risk assessment, as required by the legal framework, and took the necessary measures to minimise the risks.

Risk analysis is a key element of information security and is carried out as part of the management of the entity's information security management system. Risk analysis enables:

identify information security risks;
assess and evaluate the identified risks;
identify and mitigate undesirable information security impacts;
define and plan the actions to be taken to manage the risks;
implement the planned actions;
accept the residual risk;
determine and apply a continuous improvement approach to information security.

As the risk analysis contains the detailed technical measures implemented, it cannot be made public, as knowledge of the techniques used to protect the processing of personal data is obviously the first piece of information that a malicious person would need in order to gain unauthorised access to the processing.

The risk analysis conducted by the Police Technology Directorate (PGD-DCRC-DTP), version 1.0. final of 28 October 2018, hereinafter referred to as the risk analysis v.1.0 constitutes the first formalised risk analysis of the entity's information security. It has been carried out with the objective of taking stock of the entity's current information security situation. Each risk was carefully assessed using the information known and received from the agents involved in the different departments and the impact values of criteria C (confidentiality), I (integrity) and D (availability), the likelihood (probability) of a threat and the qualification (probability) of a vulnerability.

2.1.) Methodology:

The Grand-Ducal Police has adopted the risk analysis approach recommended by ANSSI, i.e. a risk analysis method based on information as the central element of reflection (data-centric model). To carry out its risk analysis, the entity uses the MONARC risk analysis tool developed by CASES, hosted on the GovCloud platform implemented by the CTIE as part of an agreement with ANSSI to host the Monarc tool, and made available by ANSSI. The advantage of this choice is the immediate availability of all the elements needed to create the entity model on which the risk analysis is based, with the library objects (assets and risk scenarios) already pre-designed and structured according to the approach described above, thus allowing a rapid start and efficient completion of the analysis.

The risk analysis v.1.0 summarises the methodology and presents the results of the risk analysis carried out with MONARC in the entity's environment. MONARC is influenced by the international standard ISO/IEC 27005:2011.

References

[1] ISO/IEC 27005 :2011, Information security risk management. The ISO/IEC 27005 explains in detail how to carry out risk assessment and management in the context of information security.

2.2.) Description of the "Optimised Risk Analysis Method CASES" (MONARC):

MONARC is based on a library of risk models that provide objects consisting of risk scenarios for each asset or group of assets. This approach facilitates the management of the most common risks and provides greater objectivity and efficiency. As MONARC is fully iterative, the results can be refined and adapted to the maturity of each entity by increasing the granularity of the risk scenarios.

Setting the context

The aim of this first stage is to take stock of the context, issues and priorities specific to the entity wishing to analyse its risks.

This involves identifying the entity's key activities and critical processes, in order to focus the risk analysis on the most important elements. To do this, a kick-off meeting is organised with members of management and key people. The aim is to find out what sustains the business and what could destroy it, to identify key processes, internal and external threats, and organisational, technical and human vulnerabilities.

Context modelling

This phase involves modelling the object trees. The assets have been defined in the previous phase. They now need to be detailed and formalised in a diagram showing their interdependencies.

Impacts are defined at the level of primary assets (information or services). Secondary assets inherit the impact of the primary asset to which they are attached (object tree).

Impacts on secondary assets can be modified manually.

Risk assessment and management

Assessment involves quantifying the threats, vulnerabilities and impacts in order to calculate the risks.

To do this, you need high-quality information about the exact likelihood of a threat, the ease with which a vulnerability can be exploited, and the potential impact. Hence the importance of relying on metrics that have been validated by experts.

If the risk assessment identifies a risk that is higher than the acceptable level (risk acceptance grid), measures must be taken to deal with this risk in order to reduce the risk to an acceptable level.

Implementation and monitoring

Once the initial risk treatment has been carried out, we need to move on to a phase of continuous safety management, with recurrent monitoring and control of safety measures, so that we can make lasting improvements.

This fourth phase also allows security to be continuously optimised by increasing the granularity of the objects used and extending the scope of risk analysis.

3) Assessment of consultants:

3.1.) Strengths:

A commitment from the DCRC to carry out a risk analysis for the DTP department, to entrust it to DTP staff and to acquire in-house knowledge and skills in information security.
The assignment of a member of the DTP department to investigate and manage logical access.
The appointment of a DPO at entity level.

3.2.) Weaknesses:

The time taken to complete the risk analysis. The risk analysis should be seen as a snapshot of the entity's situation at a given point in time, and if too much time elapses between the start of the analysis and the result, there is a risk that the result will be affected by changes that have occurred in the meantime. Obviously, the length of time will also depend on the availability of the staff carrying out the risk analysis.

3.3.) Summary:

The consultants met with motivated people and appreciate management's determination to pursue efforts to improve information security within their field of application.

Schengen Information System (SIS)

Protection of individuals with regard to the processing of personal data in the Schengen Information System (SIS)

Presentation of the Schengen Information System

The Schengen Information System (SIS) was designed as a search system for persons and objects by the Convention implementing the Schengen Agreement of 19June 1990. The SIS was implemented as a compensatory measure to the lifting of internal border controls with the aim of ensuring a high level of security in the European Union’s area of freedom, security and justice is laid down in three regulations:

Regulation (UE) 2018/1860 on the use of the Schengen Information System for the return of illegally staying third-country nationals,
Regulation (UE) 2018/1861 on the establishment, operation and use of the Schengen Information System (SIS) border checks,
Regulation (UE) 2018/1862 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters.

Thus, the system includes the following alerts:

On persons:

subject to a return decision for the purpose of verifying that the obligation to return has been complied with and of supporting the enforcement of the return decisions
for a refusal of entry or stay;
wanted for arrest for surrender or extradition purposes;
who are missing;
sought for assistance with a judicial procedure;
for discreet checks, inquiry checks or specific checks;
who are wanted and unknown for the purposes of identification under national law.

On objects:

for discreet checks, inquiry checks or specific checks;
for seizure or use as evidence in criminal proceedings.

The processing of personal data:

The processing of personal data by the national competent authorities is done in accordance with the law of the 1^st of August 2018 on the protection of individuals with regard to the processing of personal data by law enforcement authorities, transposing the Directive 2016/680 into national law, respectively in accordance with the European Regulation 2016/679 (the General Data Protection Regulation, GDPR).

Data controller

The Grand Ducal Police, represented by its General Director.

secgen@police.etat.lu

Data protection officer

dpo@police.etat.lu

Purposes of processing

The purposes of the processing for which the personal data are intended are the following:

Prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security,
External border control,
Immigration control.

Recipients or categories of recipients

National competent authorities of the Schengen Member States that can access the SIS and are thus to be considered as recipients are listed in article 34 of Regulation 2018/1861 and articles 44 to 47 of Regulation 2018/1862.

In addition to these national competent authorities, SIS can also be accessed by Europol, Frontex and Eurojust in accordance with articles 35 and 36 of Regulation 2018/1861 and articles 48 to 50 of Regulation 2018/1862.

Storage period

Alerts on persons and on objects shall be kept only for the time required to achieve the purposes for which they were entered.

The above-mentioned regulations foresee several time limits for a periodic review of the need for the storage of personal data with the possibility to renew alerts.

Alerts on persons subject to a discrete, inquiry or specific check as well as certain categories of missing persons have in principle to be re-examined at the latest after one year.

Alerts on persons subject to a return decision, subject to a refusal of entry and stay, sought to assist with a judicial procedure as well as unknown wanted persons for the purpose of identification have in principle to be re-examined at the latest after three years.

Alerts on persons wanted for arrest for surrender or extradition purposes as well as certain categories of missing persons are in principle to be re-examined at the latest after five years.

Alerts on objects are in principle to be re-examined at the latest after ten years.

Data subjects’ rights

In order to ensure the protection of individuals with regard to the processing of personal data, the European legal instruments, in particular article 53 of Regulation (UE) 2018/1861 for the reporting of persons for return decisions and for the purposes of non-admission or prohibition of residence, and article 67 of Regulation (UE) 2018/1862 for other categories of alerts, grant individuals the right of access to personal data relating to them, as well as the rights to obtain rectification of inaccurate data and deletion of illegally stored data in accordance with articles 15, 16 and 17 of the GDPR and articles 13 and 15 of the previously mentioned Law of the 1^st August 2018. .

In the Grand Duchy of Luxembourg, each data subject may assert their right of access, to rectification and deletion directly to the Grand Ducal Police.

In accordance with article 12(6) of the GDPR and article 11, paragraph 5 of the previously mentioned Law of 1^st August 2018, the Grand-Ducal Police must have sufficient guarantees to establish with certainty the identity of the person requesting information, so as not to prejudice the rights of others. The following documents have therefore to be enclosed to the requests:

For a request from an individual:

either a written request via letter to the controller accompanied by a copy of their ID document (identity card or passport), to the following address:
Cité Policière Grand-Duc Henri
Complexe A, rue de Trèves
L-2957 Luxembourg
or an email accompanied by a copy of their ID document (identity card or passport) as well as a copy of a signed letter to the following address: dpo@police.etat.lu

For a request from an individual on behalf of another individual:

a power of attorney signed by both parties,
a letter signed by the represented party,
a copy of an identity document of the represented party (identity card or passport),
a copy of an identity document of the representing party (identity card or passport).

For a request from an attorney:

a power of attorney signed by the client and the attorney,
a copy of an ID document of the client (identity card or passport),
a copy of an ID document of the attorney (identity card or passport),
a copy of an attorney card or equivalent.

A request where one of these documents is missing is considered incomplete and will not be processed.

It goes without saying that the transmission of a copy of an identity card or passport via the Internet may present a certain risk in the event of possible abuse by a third party (for example, interception).

Right to lodge a complaint or to seek judicial remedy

In case the reply which is provided by the Grand Ducal Police does not satisfy the requestor, the latter has the right to file a complaint with the national supervisory authority, namely the « Commission nationale pour la protection des données », in accordance with article 77 of the GDPR, respectively in accordance with article 44 of the previously mentioned Law of 1^st August 2018. The national supervisory authority may be contacted under the following contact details:

Commission nationale pour la protection des données (CNPD)
Service des réclamations
15, Boulevard du Jazz
L-4370 Belvaux
Luxembourg.

Furthermore, the requestor also has the right to seek judicial remedy within three months after the receipt of the final reply at the Administrative Court of Luxembourg (Tribunal administratif) with the assistance of an attorney.

Lastly, it should be noted that if the data controller limits the exercise of the rights of a data subject in accordance with articles 14 or 15, paragraph 4 of the previously mentioned Law of 1^st August 2018, respectively article 53(3) of the Regulation 2018/1961 and article 67(3) of the Regulation 2018/1862, the data subject may exercise his right indirectly via the « Commission nationale pour la protection des données » as provided for in article 16 of the aforementioned law.

Documents :

Learn more :

Publications

Additional information

Schengen Information System What is the Schengen Information System?
Commission nationale pour la protection des données (CNPD) (Nouvelle fenêtre)
EUR-Lex - Access to European Union law - Règlement (UE) 2018/1860 du Parlement européen et du Conseil relatif à l’utilisation du système d’information Schengen aux fins du retour des ressortissants de pays tiers en séjour irrégulier
EUR-Lex - Access to European Union law - Règlement (UE) 2018/1861 du Parlement européen et du Conseil sur l’établissement, le fonctionnement et l’utilisation du système d'information Schengen (SIS) dans le domaine des vérifications aux frontières
EUR-Lex - Access to European Union law - Règlement (UE) 2018/1862 du Parlement européen et du Conseil sur l’établissement, le fonctionnement et l’utilisation du système d'information Schengen (SIS) dans le domaine de la coopération policière et de la coopération judiciaire en matière pénale
Loi du 1^er août 2018 portant organisation de la Commission nationale pour la protection des données et du régime général sur la protection des données (New window)
Loi du 1^er août 2018 relative à la protection des personnes physiques à l'égard du traitement des données à caractère personnel en matière pénale ainsi qu’en matière de sécurité nationale (New window)

Passenger Information Unit

Legal notice on the processing of Passenger Name Record (PNR) data for the purpose of preventing and combating terrorism and serious crime

Legal basis for the processing of personal data by the Passenger Information Unit (PIU):

DIRECTIVE (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of Passenger Name Record (PNR) data for the prevention, investigation, detection and prosecution of terrorist offences and serious crime,

transposed into national law by :

Act of 1 August 2018 on the processing of passenger name record data.

Legal basis for data protection:

Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters.

The data controller:

The Grand-Ducal Police, represented by its Director General.

secgen@police.etat.lu

The data protection officer:

Contact details for the Data Protection Officer:

Directorate General - Data Protection Officer
dpo@police.etat.lu

Purpose of processing

In the performance of its duties, the Grand-Ducal Police processes personal PNR data for the purpose of preventing, investigating, detecting and prosecuting terrorist offences and serious crime.

Your rights:

You have the following rights, subject to the conditions set out in the respective articles of the Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters:

Right of access (article 13): obtain confirmation as to whether or not personal data relating to you is being processed by the Police and, if so, access to such data and other information, such as the purposes or recipients of the processing, as well as a copy of your data being processed ;
Right to rectification (article 15): have inaccurate personal data corrected or incomplete data completed ;
Right to erasure of personal data (article 15): obtain the deletion of your personal data if their retention is no longer justified by a legitimate reason ;
Right to restriction of processing (article 15) : obtain a restriction on the processing of your personal data, subject to the conditions set out in Article 15.

To exercise your rights, please contact the Data Protection Officer by e-mail: dpo@police.etat.lu

Right to lodge a complaint with the supervisory authority:

D’après l’article 44 de la loi du 1er août 2018 relative à la protection des personnes physiques à l’égard du traitement des données à caractère personnel en matière pénale ainsi qu’en matière de sécurité nationale, toute personne concernée peut introduire auprès de la Commission nationale pour la protection des données une réclamation contre des opérations de traitement de données à caractère personnel si elle considère que le traitement des données à caractère personnel la concernant constitue une violation des dispositions de la loi précitée.

De même, la personne concernée a le droit d’introduire une réclamation auprès de l’autorité de contrôle lorsqu’elle n’est pas satisfaite de la réponse du responsable du traitement à sa demande d’accès/de rectification/d’effacement/de limitation-

Contact details for the supervisory authority:

Commission nationale pour la protection des données (CNPD)
Service des réclamations
15, boulevard du Jazz,
L-4370 Belvaux

More information:

Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters (Mémorial A n°689 du 16 août 2018)
Act of 1 August 2018 on the processing of passenger name record data in the context of the prevention and repression of terrorism and serious crime and amending the Act of 5 July 2016 on the reorganisation of the State Intelligence Service (Mémorial A n°690 du 16 août 2018)

Description of the processing of personal data carried out by the Grand-Ducal Police as part of the management of "Einsatzleitsystem" (ELS) interventions

The Grand Ducal Police operates a database of personal data and general police information known as the "Einsatzleitsystem" (ELS). You can consult the document < here >

Download "Fiche d'informations - vidéosurveillance de la Police grand-ducale"

FICHE D’INFORMATIONS – VIDEOSURVEILLANCE DE LA POLICE GRAND-DUCALE (PDF)