Terms and conditions of use
These terms and conditions of use apply to the prior authentication and identification services regarding restricted access to any website ("Website") you may visit via the access architecture of the Government IT Centre (Centre des technologies de l'information de l'État - CTIE). In addition to these terms and conditions of use, each Website has its own general terms and conditions of use.By accessing the Website, you are unconditionally agreeing to observe its terms and conditions of use. The Government IT Centre (CTIE) reserves the right to amend the terms and conditions of use at any time. Use of the Website will be governed by the latest version of the general terms and conditions of use as published on the Website at the time of such use, and by these terms and conditions of use as regards the prior authentication and identification services for restricted access. Moreover, use of the Services may be further subject to more specific guidelines or conditions. Those specific guidelines and conditions are in addition to, and are included by reference to, the terms and conditions of use. Failure to comply with any of the terms and conditions of use of the authentication and identification services, or with the general terms and conditions of use, will automatically terminate your authorisation to use the Website.
The Website is accessed by you via the internet communication networks. You state that you are aware of, and accept, the associated risks. You are strongly advised to guard against the effects of computer hacking by adopting a suitable and secure computer configuration. The CTIE accepts no liability for any loss or damage that you may suffer at the time of, or after, browsing the Website.The CTIE will use its best endeavours to ensure the maximum availability of authentication and identification services. However, it accepts no liability should the website become temporarily or wholly unavailable. The CTIE reserves the right to update, modify or suspend the authentication and identification services without prior notice for maintenance purposes, on account of physical or technical incidents or for any other reason deemed necessary. The unavailability or malfunctioning of the services shall not entitle the user to any compensation. The CTIE shall not be liable in any way for the consequences of any failure on the part of the user to meet a deadline by reason of any temporary unavailability or malfunctioning of the services. Nor shall it be liable for any direct or indirect loss or damage in connection with any updates or changes to the services.
General remarks
Any personal data that you submit through the Website (the "Data") are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.The data controller for the processing of personal data is the administrative body responsible for the Website. The CTIE is the data controller's subcontractor for hosting the Website, authenticating and identifying users, safeguarding the identity of users and keeping the event logs relating thereto.
Under the terms of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, you have the right to access, rectify and request the erasure of any information relating to you. You are also entitled to withdraw your consent at any time.
Additionally, unless the processing of your personal data is compulsory, you may, with legitimate reasons, oppose the processing of such data.
If you wish to exercise these rights and/or obtain a record of the information held about you, please contact the relevant administrative body using the contact details given on the Website.
Where the CTIE is the data controller, you may send your request by post to the following address: Centre des technologies de l'information de l'Etat, 1, rue Mercier B.P. 1111 L-1011 Luxembourg.
You are also entitled to file a claim with the National Commission for Data Protection (Commission nationale pour la protection des données), headquartered at 1, avenue du Rock'n'Roll, L-4361 Esch-sur-Alzette.
Processing pertaining to authentication and identification
When you register for the authentication mode by user name and password, the Website will ask you to provide certain Data such as your surname, first name and email address.If you have chosen strong authentication as a means of authentication, when you first sign in, you accept and agree that the Website may access your Data held in the National Registry of Natural Persons (Registre national des personnes physiques) to ascertain the legitimacy of the access and creation of the account. You also accept and agree that the authentication data contained in the electronic certificate issued by the LuxTrust certification authority may be used to establish your identity, and that said authentication data may be recorded in your profile. Your profile also contains information on the frequency of use of the authentication and identification service.
The Data will only be processed for the purpose of authenticating your identity in the Government IT systems. They will not be used for any other purposes. Unless and until the right to erasure is exercised, the Data will be retained in our systems so that we can continue to provide the service.
Processing related to event logs
By authenticating your identity, you accept and agree that the data in connection with your activity (user name, surname, first name, procedure or function used, date and time, settings) may be audited, i.e., recorded and stored, for the sole purpose of allowing said data to be made available to the respective data controllers (the CTIE or the relevant administrative bodies where applicable), or to the judicial authorities, for the specific purpose of resolving data-security incidents in the legitimate interest of ensuring security, and legally establishing, exercising or defending a right as part of a judicial, administrative or extrajudicial procedure.The identity of the data controller depends on the feature being audited, and only the data controller has access to those data.
The confidentiality of such Data is assured to the highest of standards, and such data may only be extracted if the data controllers or judicial authorities explicitly request such an extraction, providing valid reasons for their request.
In view of the wide variety and number of procedures and the relevant legal bases, and in view of the highly restrictive access and extraction rules in force, the data are kept for 5 years overall.
All disputes concerning the use of the Website shall be governed by Luxembourg law, and the courts of the Grand Duchy of Luxembourg shall have exclusive jurisdiction to hear and settle such disputes.Specific terms and conditions of use of the service eIDAS Luxembourg
In addition to the aforementioned usage conditions, the following specific conditions apply for the usage of the Luxembourg eIDAS authentication service in the context of cross-border authentication within the meaning of The Regulation (EU) No 910/2014 Of The European Parliament And Of The Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (the "eIDAS Regulation").PERSONAL DATA PROTECTION
General remarks
Your personal data is stored in accordance with the Article 9(3) of the Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (the "Regulation (EU) 2015/1501").Processing pertaining to identification
When you perform an authentication with the Luxembourg eIDAS authentication service, the service asks you to provide a set of data for the purposes of identification.These data are of two types:
- A minimum set of person identification data uniquely representing a natural or a legal person (the "minimum data set") in accordance with the Article 11 of the Regulation (EU) 2015/1501. Providing this information is mandatory in the context of eIDAS authentications.
- A set of additional person identification data. This information is requested by the Service Provider requesting the authentication. Providing this information is not mandatory. However, access may be refused by the Service Provider if this information is not provided.
By proceeding with the authentication, you accept and agree that the CTIE may access your Data held in the National Registry of Natural Persons (Registre national des personnes physiques) in order to retrieve your personal information.
The Data will only be processed for the purpose of cross-border authentication within the meaning of the eIDAS Regulation. It will not be used for any other purposes, and will not be kept on our systems any longer than is necessary to achieve that purpose.