These terms and conditions (hereinafter referred to as 'Ts&Cs') set out the rules for use of the mobile application GouvID.
GouvID is operated by the Luxembourg Government (hereinafter referred to as 'the Government'). It is published by the Government IT Centre (Centre des technologies de l'information de l'État – hereinafter referred to as 'CTIE'), located at 560, rue de Neudorf, L-2220 Luxembourg.
Article 1 : DEFINITIONS
The term 'user' refers to an adult or minor natural person (though minors must have obtained permission from their parents or the people holding parental authority) who downloads the GouvID app to their mobile phone (a personal or professional device to which they usually have access).
The term 'application' (or 'app') refers to the software application GouvID, which can be downloaded from the 'Apple Store' and 'Google Play Store' platforms for installation on compatible mobile phones.
The term 'QR code' refers to a 2D barcode designed to store data. QR codes can be decrypted by QR reader software from an image taken by a mobile phone or tablet with a camera or webcam.
The term 'facial recognition' refers to technology which automatically authenticates and identifies a person using the features of their face. Such technology may be used to unlock a phone or tablet which supports it, and to authorise sensitive transactions such as payments. One example is the 'Face ID' function, developed by Apple.
The term 'fingerprint recognition' refers to technology which authenticates a user by means of their fingerprint. Such technology may be used to unlock a phone or tablet which supports it, and to authorise sensitive transactions such as payments. One example is the 'Touch ID' function, developed by Apple.
The term 'Near-Field Communication' (hereinafter, 'NFC') refers to short-range wireless communication technology facilitating the exchange of information between two devices.
The terms 'contactless reader' or 'NFC reader' refer to a reader capable of using near-field communication to communicate with another device, such as a Luxembourg ID card.
The term 'Machine-Readable Zone' (hereinafter, 'MRZ') refers to an area on an official document which is reserved for a machine to read, identify and validate the document.
The term 'PIN code' (Personal Identification Number) refers to a personal identification code which can be used to secure access to a system, such as a SIM card, bank card or chip card.
The term 'electronic signature' refers to data in electronic format, which are attached or associated with other electronic data by means of software, which can be used in place of a physical signature.
The term 'authentication' refers to an electronic process which confirms the identity of a natural or legal person, or the authenticity of a signature.
Article 2 : PURPOSE OF THE APPLICATION
The purpose of the application is to allow the user to use their mobile phone as a contactless card reader for their Luxembourg ID card. The app can use the authentication and signing capabilities of the chip on the user's ID card when the user is using online third-party public services which recognise the app.
The free app allows users to:
- add certain data contained on their ID card to an electronic wallet (hereinafter, "'wallet'");
- authenticate their identity in order to use an online service;
- sign a document generated by an online service;
- change the initial PIN attached to the chip on their ID card after it is issued to them;
- change the current PIN attached to the chip on their ID card.
Information from the ID card can be loaded into an e-wallet by using a mobile phone to scan the MRZ on the back of the user's ID, or by manually entering the data.
An online service will be finalised or authenticated, and/or a document will be signed, after the app has scanned the QR Code displayed on the website that the user is browsing.
The Government may change, expand or update the purpose of the app at any time. If it is expanded, users will be notified.
Article 3 : HARDWARE NEEDED TO USE THE APPLICATION
To access and use the app, the user must have:
- a compatible multimedia tool – i.e. a mobile device with a camera, an NFC reader capable of reading ISO7816 tags and running iOS 13.0 or Android 5.0 or later versions;
- internet access;
- a customer account on the 'Apple App Store' or 'Google Play Store'.
Article 4 : AVAILABILITY OF THE APPLICATION
The Government shall make every effort to ensure security in accessing, viewing and using the content and services provided through the app.
In principle, the app is available 24/7, except for reasons of force majeure or the occurrence of an event beyond the Government's control, and during operations:
- to carry out technical maintenance;
- to implement updates;
- to make technical improvements or change the content and/or presentation;
- for safety reasons;
- for any other reason deemed necessary.
Such operations may be carried out at any time, without prior notice to the user.
In the event that the app is unavailable or does not work properly, users are not entitled to any indemnification.
Article 5 : FINANCIAL CONDITIONS
The app can be downloaded for free on 'Apple App Store' or 'Google Play Store'.
The user alone is responsible for the equipment and hardware necessary to access and use the app. The user shall also bear the telecommunications costs incurred by accessing and using the app.
Article 6 : INTELLECTUAL PROPERTY OF THE APPLICATION
The Government is the exclusive owner of all intellectual property rights pertaining to the structure and content of the app, unless expressly stated otherwise and unless otherwise stipulated by law or contract.
These Ts&Cs do not entail the transfer of any intellectual property right to the user, with respect to either the structure or the content of the app and its services.
Users expressly undertake to refrain from using the app in a way that may infringe the rights of the Government and, in particular, refrain from any such use as may constitute counterfeiting or parasitic use of information, or unfair competition.
All text, graphics, icons, photographs, illustrations and, more generally, all components of the application must not be represented, reproduced, exploited or extracted, either in full or in part, on any medium, without the express written consent of the Ministry for Digitalisation (Ministère de la Digitalisation). Unless otherwise stipulated by legislation and/or regulation, or with express written licence from the Ministry for Digitalisation, users shall refrain from modifying, adapting, merging, translating, reverse engineering, decompiling, deconstructing or creating derivative works based on all or some of the components of the application. Failure to comply will result in personal liability.
Article 7 : USER LICENCE
The Government grants the user a free usage licence for the app. However, users must refrain from using the app for business purposes. Failure to comply will result in personal liability.
The term 'business purposes' includes, in particular:
- any profit or commercial income resulting from the marketing of the app or any competitive use;
- using the app with a commercial company and/or a third party if such a use leads to the marketing of the app.
The licence is non-exclusive, non-transferable, and may be revoked at any time.
Article 8 : LIMITATION OF LIABILITY
LThe Government cannot fully guarantee the accuracy or completeness of all information contained in the app, whether provided by the Government itself or by any other person or organisation. As such, the Government may not be held liable.
Similarly, the Government may not be held liable if access to the app and/or its authentication or signing services is interrupted due to maintenance operations, updates or technical improvements, or for the purpose of making changes to the content and/or presentation.
In addition, the Government may temporarily or permanently suspend access to the app and to any connected services, without indemnification.
The Government accepts no liability for any direct or indirect damage occurring in connection with changes or modifications made to the app.
The user alone is responsible for updating the app to its latest version. The Government assumes no responsibility in this regard.
The Government may not be held liable if, for any reason, the app or its services become inaccessible.
The Government may not be held liable if, for any reason, internet connectivity is interrupted.
The Government may not be held liable for any omissions and/or errors the app may contain.
The Government may not be held liable for:
- damage of any sort, whether direct or indirect, resulting from the use of or inability to use the app or its services, and notably any operating, financial or commercial loss, or loss of programs and/or data in the app user's information system;
- damage of any sort, whether direct or indirect, resulting from the content and/or use or inability to use websites linked to the app or which the user would usually be able to access through the app.
The Government accepts no liability whatsoever for any misuse of the mobile phone, or for any incident relating to the use of that device while running the app. Under no circumstances may the Government be held liable for any damage whatsoever, caused to the user, their terminal, their computing or phone equipment and data stored thereon, or for the consequences of such damage for their personal, professional or commercial activities.
The user declares that they are fully aware of and accept the risks, limitations and problems of the internet network and the app's operating system, for which the Government may not be held liable. In particular, the user acknowledges that:
- they use the app at their own risk;
- the app is accessible ‘as is’, depending on its availability;
- they are responsible for protecting their own data and/or software stored on their mobile phone, and for taking all appropriate measures to protect them against any damage (loss of the phone, malfunction, virus, hacking, etc.);
- given the technical performances of the internet, processing time is required to respond to, view, request or transfer the information.
Users undertake not to use the app for fraudulent purposes.
Users acknowledge that they, and they alone, are responsible for any breach of their obligations under these Ts&Cs, and for the consequences of such a breach.
The personal data communicated directly or indirectly by the user when using the application (hereinafter, the 'app') shall be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and the law of 1 August 2018 on the organisation of the National Commission for Data Protection and on the implementation of the above-mentioned Regulation (EU) 2016/679.
None of the user's personal data are collected by the Government and/or CTIE through the app, other than those which are required for the processing described below.
Unless otherwise stipulated, the CTIE is the data controller.
The Government takes various technical and organisational security measures to ensure adequate confidentiality, integrity, availability and resilience of the services provided through the app and for which it is the subcontractor or data controller, and to protect users' rights and freedoms in accordance with industry standards.
The personal data will only be processed for the purpose of providing the user with the services offered by the app. By activating or using such services, the user agrees to the necessary data processing.
If they do not consent, the user will not be able to activate these services to use the app and their purpose will not be achieved.
The user has the right to access, rectification and erasure of data concerning them. They should contact the data controller in order to exercise these rights.
Users also have the right to restrict processing of their personal data, to object to its use, to withdraw their consent, and the right to data portability. These rights can be exercised by contacting the data controller directly.
Users can send their requests by post, to the following address: 'Centre des technologies de l'information de l'État, B.P. 1111 L-1011 Luxembourg'.
Users may address claims relating to the protection of their personal data to the data protection officer (DPO) at the CTIE, contactable by email on: firstname.lastname@example.org.
In addition, users may refer to the National Commission for Data Protection in relation to any dispute arising in this area.
Processing in connection with saving the PIN code
When the user activates biometrics on their mobile phone for an ID card, the PIN code for that card is saved in the app and protected by the phone's facial recognition or fingerprint recognition functions. This way, the user does not need to re-enter their PIN each time they use their ID card. They can access the PIN by means of the above biometric functions.
The user alone controls how long the app retains the PIN for.
The PIN is never disclosed to anyone.
Processing in connection with saving the ID card data to the e-wallet
When the ID card is saved to the app's wallet, some of the user's personal data are saved on the mobile phone, specifically:
- the information contained on the ID card: surname(s), first name(s), gender, nationality, date of birth, ID card number, the issue and expiry dates of the ID card, a photograph of the user and of their handwritten signature;
- the LuxTrust certificates (authentication and signature), if the ID card contains such certificates;
- the PIN attached to the chip on the ID card, if the user chooses to save it in the app.
By saving these data, the user can clearly identify and select the appropriate ID card before using it through the app.
The user alone controls how long these data are kept in the e-wallet.
These data are never disclosed to anyone.
Processing in connection with event logs and the helpdesk
The app saves technical event logs to the mobile phone. These logs may be analysed to gain insight into any technical problems that arise. The app will only send these technical event logs to the CTIE when the user takes action within the app, allowing such submission.
The purpose of sending these logs is to provide the CTIE with fuller information about a technical problem which exists. This will help the CTIE to find a solution. In addition, this data may be further processed by the CTIE for statistical purposes.
These technical event logs are constructed in such a way as to contain no personal data. The request sent by the user will include the logs and their identifying data. Thus, the full request may be described as containing personal data, though the log files themselves do not.
The request thus formulated is stored in the Grand Duchy of Luxembourg.
The personal data disclosed by the user shall be retained for as long as necessary for the processing of their request, plus one year to allow for subsequent re-examination of the case in order to improve the quality of service provided to users.
The technical event logs are created by the app and are regularly deleted. The event logs are kept in the app and are deleted when the user deletes the app.
Processing in connection with authentication and signing
The authentication and signing functions, which are referred to in the app as 'online transactions', are made available for use in the context of dealings with a third-party online public service which recognises the app. The online service transmits data in connection with an online transaction by means of a QR code which it creates and which the user then scans into the app. The data contained in the QR code are then sent to the service in signed, authenticated form. The online transaction allows the user to authenticate their identity before logging onto the online public service, or before signing a document.
The duration of the data processing is the length of time that the user spends interacting with the app when using the corresponding features, plus the time taken for the data to be sent from the app to the third-party online public service, via the CTIE's servers, which are located in the Grand Duchy of Luxembourg. The data from such a transmission are never retained by the CTIE.
The third-party online public service, for its part, is governed by its own Ts&Cs. The CTIE is not liable for use of such third-party services when using the GouvID app. Thus, the CTIE is not liable for any data processing in connection with such services. The CTIE acts as a processor in relation to processing in connection with authentication or signing through the app, and when the data are transmitted.
Consequently, it is the user's responsibility to review the specific Ts&Cs for each service they use and, where necessary, to contact the appropriate data controllers in order to exercise their right to access, rectification, portability and erasure of data concerning them, their right to limit the processing of such data, object to their processing, or withdraw their consent.
These data controllers are also subject to the aforementioned Regulation (EU) 2016/679, and to the Law of 1 August 2018.
Processing linked to the management of the app by the 'Apple App Store' or 'Google Play Store'
The 'Apple App Store' and 'Google Play Store' platforms are likely to process the personal data disclosed directly or indirectly by the user when downloading the app.
In this case, Apple and Google alone are responsible for processing the user's personal data.
As Apple and Google are also subject to Regulation (EU) 2016/679 and the law of 1 August 2018, it is up to the user to contact those organisations to exercise their rights, as set out above.
Article 10 : CHANGES TO THE GENERAL TERMS AND CONDITIONS OF USE
The Government reserves the right to modify, expand or supplement any or all of these Ts&Cs at any time, so that they reflect changes to services, or technical, jurisprudential or legal changes, or any new services that may be introduced. Users will be notified of such changes.
Nevertheless, the Government advises all users to apprise themselves of the Ts&Cs governing the use of the app. Only the latest version of these Ts&Cs accessible online is deemed to be in force at the time of use of the app by the user.
Article 11 : APPLICABLE LAW AND ATTRIBUTION OF JURISDICTION
These Ts&Cs are subject to Luxembourg law.
Any dispute or disagreement arising in connection with the app or interpretation of these Ts&Cs, and which has not been amicably settled, shall be subject to the jurisdiction of the Luxembourg courts.