The personal data communicated directly or indirectly by the user when using the application (hereinafter "app") shall be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and the law of 1 August 2018 on the organisation of the National Commission for Data Protection and on the implementation of the above-mentioned Regulation (EU) 2016/679.
The CTIE takes various technical and organisational security measures to ensure adequate confidentiality, integrity, availability and resilience of the services provided through the app and for which it is the subcontractor or data controller, and to protect users' rights and freedoms in accordance with industry standards.
The personal data will only be processed for the purpose of providing the user with the services offered by the app. By activating or using such services, the user agrees to the necessary data processing.
If they do not consent, the user will not be able to activate these services to use the app and their purpose will not be achieved.
Only the users themselves or authorised users may access the personal data, and only if they have a legitimate reason to do so.
The user has the right to access, rectification and erasure of data concerning them. They may exercise these rights by applying to the relevant data controller. Where applicable, these rights may be exercised through features on the MyGuichet.lu platform ("MyGuichet.lu") (authentic sources, erase function, etc.).
If they are unable to use these features because of a technical problem, users may refer to the Guichet.lu Helpdesk.
Where the CTIE is the data controller, the user may send their request by post to the following address: "Centre des technologies de l'information de l'État, 1, rue Mercier, B.P. 1111, L-1011 Luxembourg".
Users also have the right to restrict processing of their personal data, to object to its use, to withdraw their consent, and the right to data portability. These rights can be exercised by contacting the data controller directly.
Users can file claims relating to the protection of their personal data through the various communication channels available, and to the relevant data controller. Users can also file claims with the CTIE's data protection officer at the following email address: email@example.com. In addition, users may refer to the National Commission for Data Protection in relation to any dispute arising in this area.
Processing by the app in relation to procedures and authentic sources
The app allows users to undertake administrative procedures, view authentic sources and use them to pre-fill procedure-related forms or generate documents for their own use. When submitting their applications to the appropriate administration or establishment, users are asked to give their express consent for their personal data to be processed by the relevant administration or establishment as part of their application and/or request.
The data controller is the administration or establishment which implemented the procedure in question or granted access to a given authentic source on MyGuichet.lu. Their contact details are available either in the "Contact" section – which is clearly displayed for each procedure – or in the data header of an authentic source. The CTIE, which hosts the MyGuichet.lu platform, is the data controller's only subcontractor.
The purpose of each procedure is specified in its title, with further details provided in the relevant legal texts. Those legal texts can be found on the public page describing the procedure on the Guichet.lu website, in the "For more information" section, accessible via the link "More information on this procedure". This link is clearly displayed when the user begins a procedure, and can always be accessed via the status tracking features of an ongoing or completed procedure. Users may also track the progress of their procedures through the app, as the relevant administration or establishment will send messages to their MyGuichet.Lu account.
When the user submits their form or complete application file (form plus any annexes thereto and supporting documents) by electronic means, the information they provide is recorded and then forwarded directly to the competent administrative body or establishment. The computer system places an electronic time-stamp on the application file sent via MyGuichet.lu, evidencing the date and time that the file was forwarded to the competent administrative body or establishment. The file is stored on MyGuichet.lu. In principle, it is not possible to use MyGuichet.lu or the app in order to cancel or modify any application files already submitted to the competent administrative body or establishment. Any request to cancel or modify an application must be sent directly to the administration or establishment in question.
Where a signature is required, users must sign the electronic form using their authenticated electronic signature. In accordance with article 1322-1 of the Civil Code, an electronic signature for a procedure filed through the app identifies the person who has applied the signature, and certifies their acceptance of the contents of the signed document. Consequently, in the event of any dispute, electronically signed documents, as well as any data used as a time-stamp and to guarantee the correctness and completeness of the procedures carried out, shall be admissible before the courts and shall constitute evidence of the details contained therein and of the commitments they represent.
The scope of the collected data is determined by the legal or regulatory basis upon which the request or procedure is based, and by the data controller. This data is accessible only to the user and the data controller. Apart from the information provided by the user to the administrative body or establishment, the latter have no access to the data or to the documents stored on MyGuichet.lu or the app. However, the user accepts that a strictly limited number of people at the CTIE, or subcontractors bound by a non-disclosure agreement, may, on demand, temporarily access the data for a given application as part of the processing of a request for assistance filed by the user with the Guichet.lu Helpdesk.
As part of the processing of their application, the user accepts that, where necessary, the data they submit may be copied within the data controller's information system. The CTIE cannot know in advance to whom the data controllers may forward the data or how the data may be processed in the future, and such matters are beyond its purview. The CTIE merely provides a platform for initiating and tracking procedures between two clearly identified parties. Hence, where applicable, it is up to the user to directly approach the relevant data controllers to find out whom their data will be shared with or how it will be processed.
The length of time for which data will be kept varies depending on the type of procedure, and falls within the purview of the data controller. The criteria used to determine that length of time depend on the relevant legal basis. When users consult authentic sources, the data is never kept in MyGuichet.lu or in the app.
The legal foundations on which the procedures are based may contain specific provisions governing the exercise of users' rights.
The processing of certain applications submitted to the competent authority or establishment via the app and MyGuichet.lu may require personal data to be forwarded to the competent authorities of another EU or EEA Member State. Where applicable, such personal data may be forwarded through the Internal Market Information system (IMI), which was set up for the purposes of administrative cooperation, pursuant to the terms of EU Regulation 1024/2012. Such personal data is processed in accordance with Regulation (EC) No. 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. Further information can be found here.
Processing linked to saving of the app's password
Once the user has linked their MyGuichet.lu account to the app on their mobile phone or tablet, they can authenticate their identity using:
- a unique 6-character password chosen at time of linking the account with the device; or
- if they wish to activate these features, either at the time of linking or subsequently through the app settings, one of the biometric authentication systems (such as Touch ID or Face ID) offered by their mobile phone or tablet.
Thus, users are no longer required to sign with a two-step authentication using their LuxTrust product or electronic ID card every time, to access their MyGuichet.lu account and make use of the services it offers.
The length of time for which the password will be saved by the app is controlled entirely by the user. The password is related to the linking of the account with the device. If users wish to change their password, they must unlink and then link their account anew from the MyGuichet.lu site.
This password is never disclosed to anyone.
Processing linked to the creation of a document
Users may add or create a document (in PDF or any other format) in support of a current procedure, through the app. Documents can be added by selecting the documents that the app can access on the device used. They can be created by using the device's camera.
These documents may contain some of the user's personal data. This data depends on the document that is created or added.
The said documents are temporarily saved in a secure folder on the user's mobile phone or tablet that only the app can access.
The length of time for which this temporarily saved data will be kept is closely linked to the function of document submission for a given procedure.
Processing linked to online payment
The administrative fees for certain procedures can be paid using the payment system provided on Guichet.lu. Payment is made through a payment institution listed on the approved public register in Luxembourg, which guarantees the security of payment operations.
The payment details (credit card data or account number, transaction amount, etc.) do not go through the CTIE's site. At no time does the CTIE have access to this data. The CTIE is not involved in the payment procedure. As such, it may not be held responsible for malfunctions in the payment institution's application, or for any fraudulent use of users' payment details. For matters regarding payments, the user is subject to the institution's general terms and conditions.
Processing linked to the management of the app by the "Apple App Store" or "Google Play Store"
The "Apple App Store" and "Google Play Store" platforms are likely to process the personal data disclosed directly or indirectly by the user when downloading the app.
In this case, Apple and Google alone are responsible for processing the user's personal data.
As Apple and Google are also subject to Regulation (EU) 2016/679 and the law of 1 August 2018, it is up to the user to contact those organisations to exercise their rights, as set out above.