During the performance of its duties, the Grand-Ducal Police processes personal data, in accordance with the legal framework. The information below relates to data protection
"personal data": any information relating to an identified or identifiable natural person.
"identifiable natural person": a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Legal basis for the processing of personal data by the Police:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereafter referred to as the GDPR, which entered into force on 25 May 2018, is not the only legal text that applies to the processing of personal data by the Police.
The processing of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including protection against threats to public security and the prevention of such threats, are governed by the Law of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters, which transposes Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, hereafter referred to as the Law of 1 August 2018.
The Law of 1 August 2018 therefore covers the processing of personal data by the Police in relation to the performance of its duties.
The data controller:
the Grand-Ducal Police, represented by its Director General.
The Data Protection Officer:
to inform and advise the data controller or the processor and the employees who carry out processing of their obligations pursuant to the provisions in national and European law;
to monitor compliance with the national and European legal framework relating to personal data protection, including with regard to the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
to provide advice where requested as regards the data protection impact assessment and monitor its performance;
to cooperate with the supervisory authority;
to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.
The Data Protection Officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Principles relating to processing of personal data:
Personal data shall be:
processed lawfully, fairly and in a transparent manner in relation to the data subject;
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Security of personal data:
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Grand-Ducal Police personnel are of course bound by professional secrecy and more particularly by investigative secrecy, and each member of personnel has access only to the data necessary for them to perform their respective tasks.
Supervision of personal data processing:
The processing implemented by the Grand-Ducal Police is supervised and monitored by supervisory authorities set up pursuant to Article 51 of the GDPR and Articles 39 and 40 of the Law of 1 August 2018, and pursuant to Article 3 of the Law of 1 August 2018 establishing the National Commission for Data Protection and the general rules on data protection.
The supervisory authorities ensure that processing is carried out in accordance with the legal provisions governing it in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.
To this end, the supervisory authorities have direct access to the data processed. They may carry out checks in situ and obtain all information and documents relevant to their tasks.
They may also appoint one of their members to carry out specific supervisory tasks. The supervisory authorities carry out the necessary rectifications and erasures.
The tasks of the supervisory authorities are set out in greater detail in Article 57 of the GDPR, and in Article 42 of the Law of 1 August 2018.
Notification to the supervisory authority and communication to the data subject of a personal data breach:
In the case of a personal data breach, the data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority in accordance with Article 55 of the GDPR and Article 29 of the Law of 1 August 2018, unless the breach in question is unlikely to result in a risk to the rights and freedoms of natural persons.
When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay, unless such communication is unnecessary pursuant to Article 34(3) of the GDPR and Article 30(3) of the Law of 1 August 2018.
Subject to the conditions set out in the relevant articles, you have the following rights:
right of access (Article 15 of the GDPR; Article 13 of the Law of 1 August 2018): the right to obtain from the Police confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to said data and to other information such as the purposes and recipients of the processing, together with a copy of the personal data undergoing processing;
right to rectification (Article 16 of the GDPR; Article 15 of the Law of 1 August 2018): the right to obtain the rectification of inaccurate personal data concerning you and to have incomplete personal data completed;
right to erasure (Article 17 of the GDPR; Article 15 of the Law of 1 August 2018): the right to obtain the erasure of personal data concerning you if the retention thereof is no longer justified on legitimate grounds.
right to restriction of processing (Article 18 of the GDPR; Article 15 of the Law of 1 August 2018): the right to obtain the restriction of processing of personal data concerning you, subject to the conditions set out in the aforementioned article.
right to object (Article 21 of the GDPR): the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions, unless there are compelling legitimate grounds for the processing or for the establishment, exercise or defence of legal claims.
The Grand-Ducal Police hereby informs you that the GDPR does not apply to the personal data of deceased persons (recital 27 of the GDPR).
Exercising your rights:
Data subjects can contact the Data Protection Officer using the contact details given below, subject to compliance with the identity verification procedure, details of which are given below.
Identity verification procedure:
In accordance with Article 12(6) of the GDPR and Article 11(5) of the Law of 1 August 2018, the Grand-Ducal Police must have sufficient guarantees in order to be able to establish the identity of the person requesting information with certainty.
At this stage, the Grand-Ducal Police has selected four options to enable data subjects to exercise their right to access information, namely:
a letter accompanied by a copy of an identity document (identity card or passport). The reply will be sent solely to the official address declared by the person making the request;
an email accompanied by a copy of an identity document (identity card or passport). The reply will be sent solely to the official address declared by the person making the request;
an electronic request using a unique identifier (LuxTrust or similar), which is currently being set up and will be accessible via the www.police.lu website;
a verbal request made in person, during opening hours and preferably by appointment with the Data Protection Officer, on presentation of an identity card, at the Directorate-General of the Grand-Ducal Police:
Direction Générale de la Police, Cité Policière Grand-Duc Henri, Complexe A, rue de Trèves, L-2632 Luxembourg,
with the option of requesting that the response be sent to an address chosen by the person making the request.
If you are not satisfied with the response given to your request under GDPR, you have the right to lodge a complaint with the National Commission for Data Protection (Commission nationale pour la protection des données - CNPD), using the contact details below:
Commission nationale pour la protection des données (CNPD)
Service des réclamations
15, boulevard du Jazz