Last revised: June 2023
1. An overview of data protection
The Luxembourg Institute of Science and Technology (hereafter “LIST”, “We”) is committed to ensure the highest standards of data protection in compliance with the applicable legislation, notably with reference to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter “GDPR”).
The present document aims at illustrating what personal data we collect about you, the reason why LIST uses your data and, as the case may be, share your data and the applicable retention periods. Additionally, the notice also provides you with information regarding your rights, how to exercise them and whom you can contact in case of any query.
2. Scope of the notice
The present notice is directed to participants (hereafter the “Participant”) on LIST’s public events, including public lectures and conferences, demonstrations, competitions, tours of the LIST's facilities, and online events such as webinars (hereafter “Event”).
3. Identity of the data controller
The data controller is normally LIST, having its registered office at 5, Avenue des Hauts-Fourneaux L-4362 Esch-sur-Alzette, Luxembourg. LIST is in this case the sole responsible for collecting and processing your personal data in relation with your participation to LIST’s activities. However, joint controllers may exist for certain events.
4. Why and how your personal data is processed
LIST collects and uses personal data of Participants for the following purposes:
Purpose | Details |
To perform and execute agreements | In the case of sponsors, speakers, authors and remaining Participants purchasing registrations for Events, LIST processes personal data needed to perform and execute the required agreements. This includes: - to prepare and execute agreements;
- to deliver the Event;
- to process payments and refunds; and
- to manage invoices.
|
Event management | To properly organize and deploy Events, which includes: - managing Participants’ registration and participation to an Event (e.g. creation and management of user accounts in our event management platform, distribution of badges, managing of dietary requirements, provide updates and details regarding an event, distribution of satisfaction forms, managing complaints, feedback and queries regarding an Event);
- ensuring the broadcast of an Event, in case of an online webinar;
- receiving and evaluating papers submitted in the context of a call for papers related to an Event;
- ensuring the security of our premises and facilities, as well as to provide Participants access to the premisses of an Event;
- taking photographs and/or videos of an Event for dissemination in different media (LIST Intranet, LIST's social media accounts, conferences..) and promotion to the general public;
- publishing and sharing attendance lists as well as biographies and list of speakers, sponsor and authors;
- performing statistics and evaluation of Events.
|
Processing of contact details for inviting to future events | To process contact details to manage the subscription of Participants to a mailing list of LIST's future events. |
Processing of contact details for sending LIST newsletter | To process contact details to manage the subscription of Participants to LIST newsletter. |
5. How we obtain the personal data of Participants
Generally, we obtain the personal data directly from Participants, typically at the registration to an Event, when attending an Event, when communicate with us in relation to an Event, when completing our feedback forms or surveys or when submitting a scientific paper.
In some cases, we may obtain the personal data from third parties:
- a third party who may register the Participant for a LIST’s Event on his/her behalf,
- a third party who may submit the paper within the context of the call for papers and indicate the Participant as author,
- LIST’s IT providers as better explained below.
6. Categories of personal data we process
The categories of personal data that we collect about you may vary depending on the type of Event. Those include:
- Contact details: name, surname, address, postal code, city, country, email, phone number, title,
- Professional information: company/organisation, job title and department,
- Economic and financial information: if we need to process payments and refunds, bank account details, credit card details and payment information,
- Technical data: device identification data and traffic data (e.g. MAC addresses, web logs, etc.) and password in the case of user account creation on our event management platform,
- Your dietary requirements,
- Your image, audio and likeliness (as captured on a webinar, in photographs or recordings taken at the Event),
- Events You have attended in the past or for which you are registered to attend in the future,
- Records of communications sent to You or received from You,
- Any other requirement (such as accessibility requirements and emergency contacts).
7. Legal basis for processing
Below you can find the list of legal basis on whose grounds LIST collects and processes Participants’ personal data:
Purpose | Legal basis |
To perform and execute agreements | The processing of personal data is necessary for a contract with the Participant, in the case of sponsors, speakers, authors and remaining Participants purchasing registrations for Events. After the Event, in the case of financial transactions, LIST will need to process personal data to comply with legal obligations. |
Event management | LIST processes personal data for such purpose under LIST’s legitimate interest in properly organizing and deploying Events. The use made of the personal data benefits the individuals since it allows LIST to deliver the Event the Participant has registered for. In the case of dietary requirements, we process such personal data on the basis of your explicit consent provided when you voluntarily decide to communicate them to us. |
Processing of contact details for inviting Participants to future events | Consent provided during the Event registration. To withdraw consent, the Participant can click the unsubscribe link in the footer of any email received or contact LIST at communication@list.lu. |
Processing of contact details for sending Participants LIST newsletter | Consent provided during the Event registration. To withdraw consent, the Participant can click the unsubscribe link in the footer of any email received or contact LIST at communication@list.lu. |
8. Share of your personal data with third parties
LIST may share your personal data with:
- LIST’s internal departments on a need-to-know basis, in order to ensure the proper organization and management of the Event,
- The other Participants in the Event,
- The public in general in relation to dissemination of photographs and videos,
- External service providers that perform services on LIST behalf, such as catering companies, event organisation or communication agencies service providers and IT service providers,
- Institutional or non-institutional partners, with whom LIST collaborates in the context of the Events’ management and organization,
- The scientific committee that is in charge of evaluating and selecting the scientific papers,
- The Publisher that is responsible for the publication of the selected scientific papers.
Some of the mentioned recipients of your personal data may be in countries outside the European Union or the European Economic Area (EU/EEA):
- Ungerboeck Systems International GmbH: We use Ungerboeck, a company based in Germany, as our event management platform. Ungerboeck as our processor must ensure the compliance of its subcontractors providing contractual services outside the EU/EEA with EU data protection regulations. Particularly, this processor is authorized to involve Ungerboeck Systems International, Inc (United States) under the European Commission's Standard Contractual Clauses. Further information can be found at: ungerboeck.com/privacy-policy.
- The Rocket Science Group LLC d/b/a Mailchimp: Mailchimp is the online platform that we use to manage and send LIST newsletters. Mailchimp may transfer and process personal data to and in the United States and anywhere else in the world where Mailchimp, its affiliates or its sub-processors maintain data processing operations. As between LIST and Mailchimp, such processing is done in compliance with the standard contractual clauses. For more details, you can have a look at the following webpage: https://mailchimp.com/en-gb/legal/data-processing-addendum/?_gl=1*13ddyte*_up*MQ..*_ga*ODA1NzU0OTExLjE2Nzc2ODQ1MDk.*_ga_N5HD1RTH6E*MTY3NzY4NDUwOC4xLjAuMTY3NzY4NDUwOC4wLjAuMA..&gclid=EAIaIQobChMI5OPC-P-6_QIVD97tCh2uUAGiEAAYASAAEgJoDPD_BwE&gclsrc=aw.ds.
- LogMeln Ireland Unlimited Company: This processor based in Ireland is the provider of the GoToWebinar tool, a virtual event platform. International transfers to subprocessors based in countries which do not ensure an adequate level of data protection within the meaning of the GDPR, are performed under Standard Contractual Clauses. Further details are available in the following webpage: https://www.goto.com/company/legal/privacy/international#data-transfers.
- Microsoft Ireland Operations Limited: This processor is based in Ireland and is the provider of MS Teams, a videoconferencing application. Microsoft may transfer, store and process personal data in the United States or any other country in which Microsoft or its contractors maintain facilities. Transfers out of the European Union and European Economic Area, are governed by Standard Contractual Clauses. For further details, please have a look at the following page: https://learn.microsoft.com/en-us/microsoftteams/teams-privacy.
- Sli.do s. r. o.: This processor based in Slovakia, provides a cloud-based platform that enables real-time active engagement of participants at Events – Slido. In the absence of an adequacy decision, personal data may only be transferred to a third country outside the EEA where there are appropriate safeguards (e.g. pursuant to the standard contractual clauses). Further details are made available by the processor: https://www.slido.com/terms#service-providers.
- Worldline SA: We use Saferpay to process online payments, which is a service provided by the French company Worldline SA. The transaction data are entered in Saferpay and therefore it is not stored by LIST. The information that LIST has access to on Saferpay is the last 4 digits of the credit card, its validity date and the name of the cardholder. Please refer to this recipient privacy notice: https://www.six-payment-services.com/content/sps/global/en/services/legal/gdpr-closed-user-group-disclaimer.html#country=ch
- Mentimeter AB (publ): Mentimeter is a Swedish limited liability company that provides an audience engagement platform. Please refer to this recipient privacy notice: https://www.mentimeter.com/trust/legal/privacy-policy.
9. Ensuring personal data security and integrity
In compliance with the applicable data protection legislation, LIST has put in place appropriate technical and organisational measures in order to prevent or act upon any unauthorised and unlawful processing or disclosure, accidental loss, modification or destruction of personal data. These measures are implemented based on the current state of art, an evaluation of the risks derived by the processing activity and the need to protect personal data. Such technical and organisation measures are regularly updated and/or adjusted to new technical developments or any organisational change that may affect LIST.
In particular, access on a need-to-know basis has been implemented to ensure only staff with appropriate need for the purpose has access to the personal data of Participants in LIST Events. Additionally, we have data processing agreements in place with our processors.
10. Data retention periods
LIST will only retain your personal for a period of time that is strictly necessary for the purposes for which we collect your data, without prejudice to LIST to keep them for a longer duration for legal and/or regulatory obligations applying to LIST or due to exceptional situations that would justify them being kept longer (judicial procedure, etc.). Below are the details regarding the time we keep your personal data:
Purpose | Legal basis |
To perform and execute agreements | The personal data will be retained for 30 years (maximum) from the termination of the agreement in accordance with Art. 2262. Code Civil. |
Event management | In this case, we will keep the personal data in accordance with our retention schedule. |
Processing of contact details for inviting Participants to future events | Until you unsubscribe to the newsletter. |
Processing of contact details for sending Participants LIST Newsletters | Until you unsubscribe to the newsletter. |
11. Your rights and how to exercise them
With regards to your personal data collected and processed by LIST, you may exercise at any time the following rights:
- Right to access: You have the right to receive confirmation about whether or not your personal data is being processed by LIST. If that is the case, you have the right to know what data is being collected and processed and to obtain of copy of it;
- Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you have the right to request to have it rectified;
- Right to erasure: Subject to certain conditions specified in art. 17 of the GDPR, you have the right to have your personal data deleted by LIST;
- Right to restriction of processing: Subject to certain conditions specified in art. 18 of the GDPR, you have the right to obtain restriction of the processing of your personal data performed by LIST;
- Right to data portability: Subject to certain conditions specified in art. 20 of the GDPR, you have the right to obtain a copy of the personal data you provided to LIST in in a structured, commonly used and machine-readable format and to request the transfer of these data to another data controller;
- Right to object: You have the right to object the processing of your personal data when the conditions set out in art. 21 of the GDPR apply;
- Right to withdraw consent: If LIST is processing your personal data based on your consent, you have the right to withdraw that consent at any time. The withdrawal of such consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD). More information on how to lodge a complaint are available on CNPD’s website: https://cnpd.public.lu.
You may exercise any of these rights by contacting our Data Protection Officer (DPO) by filling the online form.
12. Changes to this notice
LIST may make changes to this privacy notice from time to time, to reflect our current privacy practices or to comply with changes in the applicable data protection legislation. LIST encourages you to regularly visit this page in order to remain informed on our data protection policies.