Policy of confidentiality

POLICY OF CONFIDENTIALITY OF THE MINISTRY OF HIGHER EDUCATION AND RESEARCH

(hereinafter "Policy")
Last updated and applicable since 30 July 2018.

1. Preamble

For the Ministry of Higher Education and Research, including its various departments (e.g. the Centre de documentation et d'information sur l'enseignement supérieur (hereinafter " CEDIES ")) and having its main offices at 18-20, Montée de la Pétrusse, L-2327 Luxembourg (hereinafter " MESR"), the protection of your privacy is a primary concern.

This Policy governs the processing, including the collection, use, storage, disclosure and protection of your personal data, i.e. any information relating to an identified or identifiable natural person (hereinafter " Personal Data ") by MESR. Please note, however, that this Policy is not exhaustive, while the nature of the activities and contexts in which your Personal Data is processed by the MERS means that it is difficult to provide you with an exhaustive description of all processing activities carried out by or on behalf of the MERS.

2. Data controller and data protection officer

The MESR is the controller of your Personal Data.
We have appointed a Data Protection Officer to inform and advise MEST on how to protect your privacy. Please find below the contact details of our Data Protection Officer:
Email: dataprotection@mesr.etat.lu

3. Collection and use of Personal Data

3.1. Personal Data collected

Depending on the services rendered and the information provided by individuals, the MESR collects and processes, in particular, the following categories of Personal Data:

  • identification data (surname, first name, physical address, telephone number, mobile phone, fax, title, National Register of Natural Persons number, identity card, passport, etc.);
  • Personal characteristics (date of birth, date of birth, date of birth, etc.)
  • personal characteristics (date and place of birth, age, marital status, sex, nationality, household situation, physical characteristics, data associated with behaviour, life habits, consumption habits, type of accommodation, hobbies, etc.);
  • information on your residence permit (residence permits, work permits, immigration, information on the housing situation in the country of study, etc.);
  • images;
  • economic and financial information (income, financial situation, tax situation, bank account, etc.);
  • data on professional and educational background, including (inter alia) training and work experience (CV, covering letter(s), letter(s) of recommendation, work certificates, academic and professional qualifications, etc.);
  • authentication information and electronic identification data (email address, social network account, internal login, electronic certificate, logs, IP address, so-called "security" data such as passwords, etc.);
  • for persons falling under the provisions of Article 7, paragraph 11 of the Act of 24 July 2014 concerning state financial aid for higher education, health data;

3.2. Sources from which the Personal Data is derived

In addition to the Personal Data that MESR collects directly from you, MESR may also collect Personal Data from other sources, including but not limited to the following sources:

  • from higher education and research institutions ;
  • from the State Treasury of the Grand Duchy of Luxembourg ;
  • the Centre des technologies de l'information de l'Etat (hereinafter " CTIE ") (in particular the Service du Registre National des Personnes Physiques (RNPP register));
  • the other Ministries
  • other Ministries of the State of the Grand Duchy of Luxembourg as well as foreign ;
  • public authorities or bodies such as the Centre commun de la sécurité sociale;
  • and financial institutions;
  • .
  • Foreign authorities competent for academic and professional recognition (including notably ENIC-NARIC Networks or Innovative Medicines Initiative (IMI).

3.3. Legal basis for the MESR to collect and process your Personal Data

The lawfulness of the processing of your Personal Data is given in that it is:

  • Necessary for the performance of a contract to which you are a party or for the performance of pre-contractual measures taken at the request of the same;
  • necessary for compliance with a legal obligation to which the MESR is subject, such as in particular:
    • the Law of 28 October 2016 on the recognition of professional qualifications;
    • the amended Act of 21 May 1999 concerning the function of candidate in post-primary teaching careers;
    • the amended Law of 24 July 2014 concerning state financial aid for higher education;
    • the Law of 27 June 2018 concerning the organisation of the University of Luxembourg;
    • the Law of 3 December 2014 concerning the organisation of public research centres;
    • and
    • the Law of 31 May 1999 creating a national fund for research in the public sector;
    • the Grand-Ducal Regulation of 23 February 2010 on the organisation of studies and the promotion of students in training courses leading to a higher technician's certificate;
    • the Grand-Ducal Regulation of 23 February 2010 on the organisation of studies and the promotion of students in training courses leading to a higher technician's certificate;
    • the Grand-Ducal Regulation of 23 February 2010 on the organisation of studies and the promotion of students in training courses leading to a higher technician's certificate
    • the Grand-Ducal Regulation of 24 July 2000 concerning the application work ;
    • the amended Grand-Ducal Regulation of 27 August 2014 concerning state financial aid for higher education ;
    • the Grand-Ducal Decree on the constitution of ministries.
  • necessary for the execution of a mission of public interest or relating to the exercise of public authority vested in the MESR (e.g. with regard to the granting of State-guaranteed loans, the organisation of the Student Fair, etc.) ;
  • necessary for reasons of important public interest ;
  • necessary for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes ; or
  • legitimate where you have, where applicable, given your consent to the processing of your Personal Data.

3.4. Conditions applicable to your consent

Please note that you have the right to withdraw your consent relating to the processing of your Personal Data at any time. Withdrawal of your consent does not, however, affect the lawfulness of the processing based on your consent prior to such withdrawal.

In the event that you have not yet reached the age of 16, the MESSR, in accordance with the applicable data protection legislation, may only process your Personal Data on the basis of your consent if one of your holders of parental responsibility has also given their consent or authorised such processing of your Personal Data. The MEST will endeavour in such a case to reasonably verify that one of your parental responsibility holders has also given consent or authorised the processing of your Personal Data.

3.5. Consequences of refusing to provide your Personal Data

Please note that we may not be able to provide you with all of the services offered by MESR or grant you the benefits of, for example, financial assistance for higher education if you do not provide us with all the Personal Data requested.

Le MESR traite vos Données personnelles à des fins diverses et notamment pour les finalités suivantes :

  • pour assurer la gestion administrative des candidats ainsi que la gestion des jurys d’examen (p.ex. en ce qui concerne le travail de candidature) ;
  • pour assurer la gestion des élèves inscrits dans une formation dans un établissement luxembourgeois ou étranger (p.ex. en ce qui concerne la gestion centralisée des étudiants inscrits dans un diplôme du Brevet de Technicien Supérieur) ;
  • pour la gestion, l’octroi et le suivi des aides financières pour études supérieures (bourses et prêts) ;
  • pour établir et maintenir à jour le registre des titres de l'enseignement supérieur et pour gérer la reconnaissance des qualifications professionnelles, ainsi que les homologations des diplômes dans la branche du droit (notamment pour étudier les demandes des candidats, établir des arrêtés);
  • pour assurer la réception des demandes d’information et de renseignements des étudiants et les transmettre aux cités universitaires concernées et à l’organisme en charge de la gestion des logements pour étudiants, assurer le suivi de la bonne application des conventions ;
  • pour assurer la gestion et le suivi de l’augmentation des aides financières, d’accord des délais pour le remboursement des prêts et de dispense partielle ou totale du remboursement, pour assurer la vérification des dossiers d’appel à garantie soumis par les banques (p.ex. en ce qui concerne le suivi, la gestion et la préparation des travaux de la commission consultative) ;
  • pour élaborer des statistiques ;
  • pour assurer la gestion des candidatures, attribuer des lauréat(e)s, verser des bourses privées et d’en assurer le suivi;
  • pour solliciter des exposants, enregistrer des demandes des exposants et transmettre des données aux acteurs concernés ou participants (p.ex. en ce qui concerne l’organisation de la Foire de l’Etudiant et autres expositions ou événements) ;
  • pour assurer la gestion financière de certaines activités du MESR, assurer la gestion des paiements et réaliser des rapports ;
  • pour gérer des ressources et des accès informatiques, pour attribuer et gérer des droits d’accès aux ressources informatiques, échanger avec le CTIE et pour établir un inventaire du matériel informatique fourni ;
  • pour assurer la gestion des demandes de support (y compris IT), mener des investigations nécessaires pour la résolution d’erreurs ou d’incidents par l’utilisation des logs, assurer un suivi du développement d’applications et de leur maintenance avec un support externe et établir une extraction de données des applications ;
  • en général : en vertu des lois applicables, pour répondre à des demandes d’autres autorités publiques et gouvernementales ; pour protéger le MESR et ses opérations ou celles de ses partenaires ; pour protéger les droits du MESR ou ceux des partenaires du MESR, de vous, ou autrui et pour préparer et exercer les voies de recours qui sont de droit ;
  • pour tester, apprécier ou évaluer de quelconque autre manière l'efficacité de nos mesures techniques et organisationnelles assurant la sécurité du traitement de vos Données personnelles ou pour mettre en œuvre pareilles mesures ;
  • pour éviter toute violation de données ou tout contournement de nos mesures de sécurité ou pour atténuer leurs possibles effets négatifs ;
  • pour assurer tout autre traitement qui soit conforme et utile à la réalisation des objectifs ou à l’accomplissement des missions assignés au MESR.

3.6. How we use your Personal Information

MESR processes your Personal Data for a variety of purposes, including the following:

  • to ensure the administrative management of candidates as well as the management of examination boards (e.g. with regard to application work); and
  • to ensure the management of students enrolled in a training course in a Luxembourg or foreign institution (e.g. with regard to the centralised management of students enrolled in a Brevet de Technicien Supérieur diploma); and
  • to establish and maintain the register of higher education qualifications and to manage the recognition of professional qualifications, as well as the homologation of diplomas in the branch of law (in particular to study candidates' applications, to establish decrees);
  • to ensure the reception of applications for the recognition of professional qualifications
  • to ensure the reception of requests for information and enquiries from students and to transmit them to the university halls of residence concerned and to the body in charge of managing student accommodation, to ensure the follow-up of the correct application of the agreements;
  • to ensure the management of the student accommodation
  • to ensure the management and monitoring of the increase in financial aid, of the granting of deadlines for the repayment of loans and of partial or total exemption from repayment, to ensure the verification of the files for the call for guarantees submitted by the banks (e.g. with regard to the monitoring, management and preparation of the work of the consultative commission);
  • for soliciting applications for private scholarships
  • to solicit exhibitors, register exhibitor requests and transmit data to the relevant actors or participants (e.g. with regard to the organisation of the Student Fair and other exhibitions or events); and
  • to provide financial management of certain MEST activities, manage payments and produce reports;
  • to manage resources
  • to manage IT resources and accesses, to assign and manage access rights to IT resources, to exchange with the CTIE and to establish an inventory of the IT equipment provided;
  • to ensure the management of support requests (including IT), to carry out investigations necessary for the resolution of errors or incidents through the use of logs, to monitor the development of applications and their maintenance with external support and to establish a data extraction of applications;
  • in general: under applicable laws, to respond to requests from other public and governmental authorities; to protect MEST and its operations or those of its partners; to protect the rights of MEST or those of MEST's partners, you, or others and to prepare and exercise remedies that are available at law;
  • to test, assess or otherwise evaluate the effectiveness of our technical and organisational measures ensuring the security of the processing of your Personal Data or to implement such measures;
  • to prevent any breach of the law; and
  • to prevent any data breach or circumvention of our security measures or to mitigate their possible negative effects;
  • to carry out any other processing that is consistent with and useful for the achievement of the objectives or missions assigned to MESR.

3.7. Use of cookies and similar technology

MESR may use cookies. cookies are text files that are stored on your device by a website you visit. They are widely used to make websites work or to make them work more efficiently as well as to provide any additional information to the site owners.

Cookies are usually stored on the hard drive of your device. We use the information collected using cookies to analyse trends, to administer our services and to evaluate their effectiveness. The information collected using cookies allows us to determine which parts of our site are most visited or what difficulties, if any, our visitors encounter while accessing or using the site. With this knowledge, we can provide you with a more personalised experience when using the services provided by MESR and we can improve the quality of your experience by recognising and providing more of the features and information that are most popular and by resolving access problems. We may also use cookies or other technology (particularly those known as web bugs or clear gifs), which are typically stored in emails, to help us confirm receipt of our emails from you as well as your response.

We may use third party service providers, in particular to assist us in providing our services or to better understand the use of our site. Our third party service providers may deposit cookies on your device's hard drive, the information collected using these cookies will educate us and our service providers on various aspects, such as how visitors navigate our site. Our third party service providers may analyse this data, including any Personal Data, and may provide us with reports to enable us to better understand your interests in the MESR and to better serve your interests. The data, including any Personal Data, collected by our third party service providers may be linked and combined with any other data, including any Personal Data, that MESR processes that relates to you.

4. Keeping your Personal Data up to date

MESR ensures that the Personal Data collected is accurate and kept up to date. Please note, however, that you are responsible for keeping your Personal Data up to date and for informing MEST if there are any changes to it.

5. Vos droits liés à la protection des données

5.1. General

To exercise your data protection rights described in this section, you may contact the MESR by sending an email to dataprotection@mesr.etat.lu. Please indicate clearly in your request which Personal Data you wish to access, rectify or delete, or which processing of Personal Data you wish to limit.

5.2. Your rights of access, rectification, restriction of processing and erasure of your Personal Data & your right to data portability

You have, within the limits of applicable data protection laws, the possibility to exercise your right of access to your Personal Data processed by MESR and to request rectification or erasure of your Personal Data or to request restriction of its processing.

You have, within the limits of applicable data protection laws, the right to (i) receive the Personal Data you have provided to MESR in a structured, commonly used and machine-readable format and (ii) to transmit such Personal Data to another data controller. Where technically feasible, the MEST will transmit your Personal Data directly to another controller of your choice, at your request.

5.3. Your right to object

In accordance with current data protection legislation, you have the right to object at any time, for reasons relating to your particular situation, to the processing of your Personal Data by the MESR, unless :

  • i. there are compelling legitimate grounds for the processing which override your interests and rights and freedoms; or
  • ii.  that the processing is necessary for the establishment, exercise or defence of legal claims.

Where Personal Data is processed for statistical purposes, you have the right to object, on grounds relating to your particular situation, to the processing of your Personal Data, unless the processing is necessary for the performance of a task in the public interest.

5.4. Automated individual decision making

The MESR does not a priori make automated individual decisions.

Please note, however, that should the MESSR decide to use such automated individual decision-making, the MESSR will ensure - in view of the risks that such automated individual decision-making could entail for your rights and freedoms - that appropriate measures to protect your legitimate interests are put in place, in particular by giving you  the opportunity to express your point of view in written form by sending an email to dataprotection@mesr.etat.lu.

6. Disclosure of Personal Data

MESR may disclose your Personal Data in particular to the following categories of recipients :

  • to Ministries of the State of the Grand Duchy of Luxembourg as well as foreign ;
  • to other public bodies or other public authorities (including, in particular, the Administration des Contributions Directes, the Centre Commun de la Sécurité Sociale, the Trésorerie de l'Etat du Grand-Duché de Luxembourg, the Administration de l'Enregistrement et des Domaines and the Fonds National de Solidarité);
  • and
  • to service providers;
  • to national and foreign law enforcement bodies, supervisory authorities, regulatory agencies, or any other governmental representative;
  • to research and statistical bodies (e.g. the Institut national de la statistique et des études économiques du Grand-Duché de Luxembourg (STATEC)) ;
  • to foreign authorities competent for academic and professional recognition, including ENIC-NARIC Networks or Innovative Medicines Initiative (IMI).

7. International transfers of your Personal Data

In principle, your Personal Data is processed in the Grand Duchy of Luxembourg.

The MESR may, however, transfer your Personal Data outside the European Economic Area or to international organisations (" third countries ") in accordance with applicable data protection legislation. The MESR may therefore transfer your Personal Data to third countries if one of the following conditions is met (depending on the context) :

  • an adequate level of protection is ensured (i.e. if the European Commission has - by means of an adequacy decision - certified to the third country concerned an adequate level of protection substantially equivalent to that guaranteed in the European Union) ;
  • appropriate safeguards are in place (e.g. a legally binding and enforceable instrument between public authorities or bodies has been adopted or provisions providing for enforceable and effective rights for data subjects have been incorporated into administrative arrangements between the public authorities or bodies in question) ;
  • the transfer or set of transfers of your Personal Data to a relevant third country is lawful where at least one of the conditions set out in Article 49 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (" GPDR ") is met namely in particular if:
    • the transfer is necessary on important public interest grounds ; or
    • the transfer is necessary for the establishment, exercise or defence of legal claims.

Please note that in cases where the transfer or set of transfers of Personal Data to a third country or international organisation is made pursuant to Article 49 of the GDPR, the absence of an adequacy decision or appropriate safeguards entails the risk that your Personal Data may be subject to rights and regulations that do not guarantee an adequate level of protection of your rights and freedoms as is normally the case in the European Union and that as a result such a transfer may lead to negative consequences for the protection of your privacy.

8. External websites

MESR websites, including in particular those relating to the Student Fair and CEDIES, may provide references or links to other websites or online services, or facilitate access to other websites or online services ("External Websites"). We do not control these External Websites or any of their contents and we cannot in any way be held responsible for External Websites to which the MESR refers or provides a link, either directly or indirectly. In particular, MEST shall in no event be liable for the content of External Websites, for any information posted on them, for their policies, data protection standards, promotions, products, practices, services or actions or any other damages, losses, failures or problems caused by or related to External Websites.

Please note that the inclusion of any link or reference within the MEST website does not imply endorsement of any External Website by MEST and it remains that these External Websites have separate and independent data protection policies. We therefore encourage you to review the policies, rules, terms, data protection practices, and regulations of each website you visit.

We seek to protect the integrity of our website and appreciate any feedback on External Websites to which the MESR website links.

9. Retention of your Personal Data

Without prejudice to the right to further process your Personal Data for purposes that are not incompatible with the original purpose, and subject to the legal and regulatory obligations to which the MESR is subject, the MESR shall retain your Personal Data in an identifiable form for no longer than is necessary for the purposes for which it is to be used.

If the retention of your Personal Data is no longer necessary, including for compliance with documentation and archiving obligations, we will securely erase your Personal Data.

10. Questions or complaints

If you have any questions or concerns about this Policy or if you are seeking further information relating to the processing activities of your Personal Data carried out by the MERS, you may contact the MERS (see point 2.).

If you are not satisfied with our response or action, you may contact and lodge a complaint with the Commission Nationale pour la Protection des Données (the Luxembourg supervisory authority) having its seat at 15, Boulevard du Jazz, L-4370 Belvaux (Luxembourg).

11. Availability and modification of the Policy

The Policy is and will remain available to you on the MESR website.

MSEMR reserves the right to revise, change, modify, update, supplement, add or delete portions of the Policy at any time in its sole discretion. In the event that we make such changes to the Policy, MEST will make the amended version of the Policy available to you on the MEST website and it will be your responsibility to review the amended Policy.

 

Last update