Notice on the protection of personal data

Last update 11.10.2024

In administrative buildings under the responsibility of the Government IT Centre (Centre des technologies de l'information de l'Etat – CTIE), which have a reception area and a security guard, visitors will be subject to an identity check. The processing consists in recording the visitors' personal details in a visitors' register, based on information in their identity document – i.e. their identity card or any other document that can be used to establish their identity. Visitors will be required to leave their ID at the reception desk. In exchange, they will be given a badge allowing them into the premises. In accordance with Articles 20.1 and 20.2 of the amended Grand Ducal regulation of 13 June 1979 on security directives in the civil service, we need your data to ensure the security of the administration premises, and to maintain a safe and efficient work environment. The following data is recorded in the visitors' register: surname, first name, license plate number (where applicable), and company/administration name (where applicable).

This data is kept for 5 years to ensure the security of the administration, and for subsequent analyses, if necessary.

The recipient of the data is the CTIE, which is also the Data Controller.

In accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, you have the right to access your data on duly justified grounds and, where appropriate, the right to request the rectification or erasure of your personal data, and the right to restrict its processing.

If you wish to exercise any of these rights, please contact the Guichet.lu Helpdesk:

using this online form; or
by phone (+352) 247-82 000, from Monday to Friday, from 8.00 to 18.00.

You may also file a claim with the National Commission for Data Protection (Commission nationale pour la protection des données), located at 15, boulevard du Jazz, L-4370 Belvaux.

This notice concerns the processing of personal data for the purpose of (i) managing public procurement procedures, which the Luxembourg government, as the awarding authority, has delegated to the Government IT Centre located at 560, rue de Neudorf, L-2220 Luxembourg (hereafter the 'CTIE'), and (ii) managing the performance of public procurement contracts.

For the purposes of managing public procurement procedures and the performance of public procurement contracts, and unless specified otherwise in the procurement documents, the CTIE shall be the Data Controller, within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation) (hereafter the 'GDPR').

This notice concerns the processing of personal data in connection with a public procurement contract, from the date of publication of the contract notice – or, where applicable, the pre-information notice – until the completion of the contract in question.

The processing of personal data is subject to the GDPR.

1. Whose personal data is processed and categories of data subject to processing

In managing public procurement procedures, the CTIE processes the personal data of economic operators that have expressed interest in the procurement procedure or requested clarification of the procedure, and that of candidates or tenderers. It also processes the personal data of the candidate's/tenderer's employees and subcontractors.

The categories of personal data that may be collected and processed are as follows:

identification data (surname, first name, sex, date and place of birth, country of residence, national identification number, passport number, ID document number, any other personal data shown in a passport, ID document or citizenship certificate, and home address);
work-related data (job, role, business address, business email address, and business telephone/fax number);
personal data contained in an extract from the criminal records;
personal data contained in certificates in connection with the payment of social security contributions and taxes;
data contained in CVs (including data on education and training);
other data submitted by the candidate or tenderer as part of the procurement procedure.

Please ensure that the documents you submit – especially CVs – do not contain any sensitive data, such as references to race or ethnicity, political opinions, religious or philosophical beliefs, trade-union membership, or health status.

As part of the process of managing the performance of public procurement contracts, the personal data that may be collected and processed is as follows:

the economic operator's financial data: banking details (BIC code and IBAN number) and VAT number;
work-related data of employees of the economic operator selected to perform the contract (job, role, business address, business e-mail address, business telephone/fax number);
surnames and first names of the workers involved in performing the contract on behalf of the successful tenderer;
workers' identification data, as specified in a declaration of honour recalling the information security obligations that must be complied with in order to log in to the CTIE network;
workers' personal data required for Identity and Access Management (IAM) purposes – e.g. the creation and management of user accounts and user permissions, including usernames and passwords – on IT systems managed by the CTIE;
log data on the activities of workers on IT systems managed by the CTIE, relating to communication devices and systems, that may qualify as personal data.

2. Purposes and legal basis of processing

Personal data will be collected and processed for the purpose of managing procurement procedures and managing the performance of procurement contracts.

In the context of the management of procurement procedures, the legal basis for the processing of personal data is Article 6(1)(c) of the GDPR, as required under (i) Article 9(b)(b) of the Grand Ducal regulation of 27 August 2013 (as amended) on the use of electronic means in public procurement procedures and procedures for the award of concession contracts, and under (ii) Article 80(1) of the Grand Ducal regulation of 8 April 2018 (as amended) on the implementation of the Law of 8 April 2018 on public procurement.

Where managing the performance of public procurement contracts is concerned, personal data is processed for the purpose of complying with the requirements provided for in public procurement legislation.

Workers' personal data is processed for the purpose of ensuring the security of information. Furthermore, activity logs are recorded so that, if need be, they can be made available to the legal authorities and/or used by the CTIE in its defence in legal, administrative or other proceedings. The legal basis for the administrative processing of the personal data of workers involved in the performance of public procurement contracts is the Data Controller's legitimate interest (see Article 6(1)(f) of the GDPR).

3. How long personal data is retained

The personal data submitted by the successful tenderer will be retained for the term of the public procurement contract, and thereafter for 10 more years as of 1 January of the year following that in which the contract was completed.

If an economic operator has expressed an interest in or requested clarification of a procurement procedure, or in the event of an unsuccessful request to participate in or tender for a public procurement contract, any personal data that is submitted to the CTIE will be retained for 5 years as of 1 January of the year following that in which the expression of interest, the request for clarification, or the request to participate or tender was submitted.

The personal data of the workers involved in performing the contract – which is collected during the performance of the contract for information security purposes – is retained for the entire term of the contractual relationship between the CTIE and the successful tenderer, and thereafter for 5 more years as of 1 January of the year following that in which the contract was completed.

The time frames mentioned above shall be without prejudice to any applicable legal provisions on the archiving of data, or to any procurement-related appeals, disputes, claims, reports, audits or investigations that may prolong these time frames.

4. Data recipients

The processed data may be shared with the following categories of recipients: the administrative authorities of the Luxembourg government; auditors appointed by the government; public-sector establishments; communal administrations; the Court of Auditors of the Grand Duchy of Luxembourg; the Chamber of Deputies of the Grand Duchy of Luxembourg; external legal advisors; service providers assisting the awarding authority with procurement procedures or the performance of procurement contracts; and where applicable, the European Commission, the European Court of Auditors, the European Anti-Fraud Office (OLAF), and the European Public Prosecutor's Office, in the case of public procurement contracts co-financed by the European Structural and Investment Funds (ESI Funds) or under the Recovery and Resilience Plan (RRP).

5. Your rights regarding the processing of your personal data

As provided for in Chapter III of the GDPR (Articles 14–25), you, as a 'data subject', enjoy a specific set of rights regarding the processing of your personal data. As such, you have the right to access your personal data, request its rectification or erasure, and restrict its processing.

Please bear in mind that a request to erase your personal data may result in changes to the terms and conditions governing your request to participate in a public procurement or your tender and, consequently, the refusal of the latter.

When the legal basis for the collection and processing of your personal data is the CTIE's legitimate interest in ensuring the security of information, you also have the right to object to the lawful processing of your personal data on grounds relating to your personal circumstances. Please bear in mind that if a worker involved in the performance of a procurement contract objects to the processing of their personal data, they will no longer be able to participate in the performance of the contract and will have to be replaced.

To exercise any of these rights, you can send an email to the CTIE's Data Protection Officer (dataprotection@ctie.etat.lu).

If you have reason to believe that the processing of your personal data fails to comply with the GDPR, you may also file a claim with the National Commission for Data Protection, which is located at 15, boulevard du Jazz, L-4370 Belvaux.

Please note that the CTIE is not responsible for the processing of personal data collected through the Portal for Public Procurement Contracts (Portail des marchés publics – French only) for the purposes of managing the portal itself and any services that data subjects may have signed up for through the portal, the terms and conditions of which are provided for in the Grand Ducal regulation of 27 August 2013 (as amended) on the use of electronic means in public procurement procedures (https://legilux.public.lu/eli/etat/leg/rgd/2013/08/27/n4/jo), and which can also be found at https://pmp.b2g.etat.lu/?page=Commun.ConditionsUtilisation&calledFrom=entreprise.

All buildings (entrances and surroundings) under the responsibility of the Government IT Centre – including the Guichet.lu reception desk – are monitored by CCTV. The processing of CCTV images consists of their being viewed by authorised personnel in real time, or in a timely manner, for the purpose of detecting intrusions or unauthorised access. The purpose of this processing is to ensure the security of the information entrusted to the CTIE, as provided for in Article 2(b) of the Law of 20 April 2009 (as amended) establishing the Government IT Centre.

A 30-day retention period has been established to enable the detection of any type of intrusion or unauthorised access, in particular those with the aim of committing repetitive or periodic malicious actions. This duration was set in light of the criticality of the information entrusted to the CTIE and in compliance with the recommendations on the subject issued by the competent authorities. The CCTV images will be destroyed once the retention period has expired, unless an incident or an infringement is found to have occurred, or the CTIE is required to share the images with the police or the competent judicial authorities, or the images are seized by the latter.

The recipient of the data is the CTIE, which is also the Data Controller.

In accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, you have the right to access your personal data on duly justified grounds.