Terms & Conditions | Data Privacy

Data Privacy

Data Protection Notice for website users

Version last updated on 14 December 2018.

LIH, 1A-B rue Thomas Edison L-1445 Strassen, Luxembourg (“we”) is committed to the protection of your personal data in accordance with data protection legislation, especially the General Data Protection Regulation EU 2016/679 (the “GDPR”).

This Data Protection Notice is directed to users or visitors of our website (the “Site”), and to individuals who contact us by any means or provide services to us (together “you”). It provides you with detailed information relating to the protection of your personal data by us.

1. Who is the controller of your personal data?

LIH, 1A-B rue Thomas Edison L-1445 Strassen is responsible as a data controller, for collecting and processing your personal data in relation to our activities. The purpose of this Data Protection Notice is to inform you on which personal data we collect, the reasons why we use and share such data, how long we keep it, what rights you have and how you can exercise them.

Further information may be provided where necessary when you are in contact with us for a specific activity.

2. What personal data do we process?

We collect and use your personal data to the extent necessary in relation to our activities.

We may collect various types of personal data about you, including:

  • identification data (such as your name, contact details, address, telephone, email, country),

  • professional details (such as company/organisation name and job title),

  • electronic identification data (e.g. email address, IP address, web browser and operating system used electronic signature, remote connection data),

  • details of information request, claims or other information related to Users interaction with IBBL,

  • banking details (such as bank account number, IBAN.

The data collected on our Site stem exclusively from the voluntary registering of your personal data (for example by contacting us through our online contact forms, by subscribing to our newsletter, by applying to one of our job offers, or by registering to an event) or if you choose to provide unsolicited personal data (information we have not asked for) to us such as a CV.

We may also collect information about you even if you do not have a direct relationship with us. This may notably occur when your employer provides us with information about you, or when your contact details are provided by one of our clients.

With the exception of the information indicated above and in our “Cookies Policy”, we do not collect, via freely accessible pages on this Site, personal data other than those listed above and those voluntarily entered by you, using the online forms provided for that purpose, most notably to contact us.

3. What are the purposes of and the legal bases for our processing?

We collect and use your personal data for the following purposes:

  • for the provision of services or information requested by you,

  • for the management of our events (registration, list of attendees),

  • to send you our newsletter,

  • to manage our business relationship with you,

  • to provide you with a safe and comfortable experience when visiting our Site,

  • to manage or improve our Site and services provided by us,

We collect your personal data on the following basis:

  • to perform a contract or for pre-contractual measures with you or an organisation you represent,

  • to comply with our legal and regulatory obligations,

  • to perform a task carried out in the public interest,

  • for our legitimate interests, or - with your consent.

4. Who do we share your personal data with?

In order to fulfil the aforementioned purposes, we may communicate your personal data to:

  • service providers/vendors that perform services on our behalf,

  • law enforcement or other government and regulatory bodies or agencies, upon request and to the extent permitted by law

  • certain regulated professionals such as lawyers or auditors.

We may also receive requests from third parties with authority to obtain disclosure of personal data. We will only respond to such requests where we are permitted to do so in accordance with applicable laws and regulations.

We require all third parties to respect the security of your personal data and to process it in accordance with the law.

5. Where do we transfer your personal data?

We may use third party providers to deliver our services and this may involve transfers of your personal data to countries outside of the European Union/European Economic Area (EU/EEA). In case of international transfers originating from the EU/EEA to a country outside the EU/EEA, the transfer of your personal data may occur where the European Commission has decided that the country outside the EU/EEA ensures an adequate level of data protection.

For transfers to countries outside the EU/EEA for which the level of protection has not been recognised as adequate by the European Commission, we will either implement appropriate safeguards provided for by current data protection law (e.g. the entry into standard data protection clauses) or rely on a derogation applicable to specific situations (such as your explicit consent).

You can obtain more information regarding relevant safeguards we rely on by contacting us at 

6. Security of your personal data.

The processing of your personal data is carried out through IT, electronic and manual tools, with logics strictly related to the aforementioned purposes and, in any event, in compliance with the appropriate technical and organisational measures required by law to ensure a level of security that is adequate to the risk, in order to avoid unauthorised loss or access to your data.

7. How long do we keep your personal data?

We will retain your personal data as long as necessary to fulfil the purposes we collected it for, for the period defined by our operational requirements (such as facilitating our relationship management with you) and for the time necessary for compliance with our legal obligations.

8. What are you rights regarding your personal data?

In accordance with applicable data protection law, you may exercise at any time, in respect of us, the following rights in relation to your personal data:

  • right to access, which enables you to obtain from us confirmation of whether personal data is being processed or not and, if so, obtain access to such data; we process a large quantity of information, and can thus request, in accordance with GDPR, that before the information is provided, you specify the information or processing activities to which your request relates;

  • right to rectification, which enables you to obtain from us the correction and/or integration of any of your personal data that are incorrect and/or incomplete; and in certain limited cases (in which case we will analyse whether the conditions for the exercise of such rights are fulfilled, in line with GDPR):

  • right to erasure, which enables you, in specific cases provided for by art. 17 GDPR, to obtain from us the erasure of your personal data;

  • right to restriction of processing, which enables you, in the specific cases provided for by art. 18 of the GDPR, to restrict the processing of your personal data by us;

  • right to object, which enables you to object to the processing of your personal data when certain conditions are met;

  • right to data portability, which enables you, in certain cases and with regard only to the data you have provided to us, to request receipt of your personal data in a structured and commonly machine-readable format.

If you have provided your consent to the processing of your personal data, you can withdraw such consent at any time.

To exercise any of these rights, you may contact our Data Protection Officer by email  or by postal mail:

Luxembourg Institute of Health
Data Protection Officer
1A-B rue Thomas Edison 
L-1445 Strassen

You have the right to lodge a formal complaint with the Commission nationale pour la protection des données (CNPD). Full details may be accessed on the complaints section of CNPD’s website (https://cnpd.public.lu).

If you wish to learn more about cookies, please read our “Cookies Policy” available on our website https://www.lih.lu/

Changes to this Data Protection Notice

Changes may occur in the way we process personal data. In case these changes oblige us to update this Data Protection Notice, we will clearly communicate it to you, either viaour Site or via other appropriate means. The latest applicable version will always be available on our Site.


Top    


Data Protection Notice for patients and study participants

🇫🇷 Version française :  Déclaration de protection des données pour les patients et les participants à l’étude
🇩🇪 Deutsche Fassung:  Datenschutzhinweis für patienten und studienteilnehmer

Version last updated on 27 May 2019.

Luxembourg Institute of Health (LIH), 1A-B rue Thomas Edison L-1445 Strassen , Luxembourg (‘we’) is a public health research institute. We aim to generate knowledge on disease mechanisms and contribute to the development of news diagnostics, preventive strategies, innovative therapies and clinical applications that impact the healthcare of individuals.

We are committed to compliance with laws and regulations that govern the conduct of health research. This includes the General Data Protection Regulation EU 2016/679 (the ‘GDPR’) and any other applicable EU or local legislation or regulation implementing GDPR (notably the Luxembourg law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of the GDPR), as well as their successor texts (together ‘Data protection legislation’).

As a public research institute under the law of 3 December 2014 on the organisation of public research centers, we conduct research in the public interest and make sure our research serves the interests of society as a whole. Some of our research may be conducted in collaboration with commercial organisations and funders. In any case, our research follows Luxembourg laws and regulations applicable to research.

This Data Protection Notice is directed to patients and participants in our scientific research, studies or projects (‘you’). It provides you with detailed information relating to the protection of your personal data by us.

Further information may be provided when necessary when you are in contact with us for a specific research activity.

1. Who is the controller of your personal data?

Luxembourg Institute of Health (LIH), 1A-B rue Thomas Edison L-1445 Strassen is responsible as a data controller , for collecting and processing your personal data in relation to your participation in our scientific research, studies or projects. The purpose of this Data Protection Notice is to inform you on which personal data we collect, the reasons why we use and share such data, how long we keep it, what rights you have and how you can exercise them.

2. What personal data do we process?

We collect and use your personal data to the extent necessary to achieve the research objectives of our projects you are participating in.

We may notably collect the following types of personal data in relation to specific research projects:

  • identification data (first name, surname, reference code or pseudonym );

  • contact details;

  • personal characteristics (age, sex, weight, height…);

  • personal life (life and consumption habits, family status);

  • education and professional life;

  • data concerning health (physical or mental health, pathology, family history, healthcare, risk behaviour, death cause, etc);

  • genetic data ;

  • data revealing your racial or ethnic origin, or sex life or sexual orientation.

We collect information about you (i) directly from you, or (ii) indirectly from your medical records or from databases (e.g. data concerning healthcare provided to you and held by social security authorities) and/or biological samples collections constituted in accordance with applicable laws.

Where we need to collect other categories of data about you in a specific research, study or project, we will inform you of this by appropriate means.

3. What are the purposes of and the legal bases for our processing?

We collect and use your personal data for the following purposes:

  • the conduct of a specific study or research in the health sector to understand the complex mechanisms of infectious and inflammatory diseases processes in order to enable new ways to diagnose, prevent or cure human disease,

  • the execution of cancer research within certain prioritised areas based on strong intradepartmental scientific track records, and to provide research expertise covering the most common cancer types that represents a health problem in Luxembourg;

  • the performance of interdisciplinary research focusing on epidemiology and public health research across a wide range of areas including cardio-metabolic conditions, sports medicine, human biomonitoring, health economics and clinical investigations;

  • the provisions of research-support services to support our research units, academia and international pharmaceutical industry players, providing them with sample collection and storage services, high quality methodological and statistical services;

  • to improve our internal processes and achieve maximum efficiency in our internal organisation,

  • to manage disputes, complaints and litigation in which we are involved,

  • to defend ourselves in any legal or court proceedings arising in relation to our activities,

  • for security and protection of our organization, IT networks and information.

Data protection legislation requires from us to have a valid legal reason (‘legal basis’) to process and use personal data about you. In the context of research, we collect your personal data on the following legal bases:

  • to comply with our legal and regulatory obligations related to public health (article 6.1c GDPR), or

  • for the performance of a task carried out in the public interest (article 6.1e GDPR), or

  • for our legitimate interests (article 6.1f GDPR), or

  • with your consent (article 6.1a GDPR) when legally required or permitted.

Where we also collect and use sensitive personal data (health, genetic …) we only do so where:

  • ‘the processing is necessary for reasons of public interest in the area of public health’ (article 9.2i GDPR), or

  • ‘the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’ (article 9.2j GDPR), or

  • we have obtained your explicit consent (article 9.2a GDPR) when legally required or permitted.

Where we need to rely on a different legal basis, we will inform you of this by appropriate means.

4. Who do we share your personal data with?

Depending on the nature and scope of our research activities, your personal data may be shared with the following recipients :

  • our scientific team in charge of a specific research, study or project,

  • professionals intervening in a specific research, study or project,

  • professionals in charge of data collection, quality controls, processing and statistical analysis of your personal data under our responsibility,

  • other researchers or research organisations for the purpose of achieving the research outcomes of our project.

We may access or share your data in a way that we can identify you as a research, study or project participant. However most personal data used in our research is coded or pseudonymised before sharing or publishing the research outcomes.

When we are working with other organisations and information is shared with them, we will inform you by appropriate means.

We may communicate your personal data to:

  • third-party service providers/vendors that perform services on our behalf to support our research, study or project,

  • law enforcement or other government and regulatory bodies or agencies, upon request and to the extent permitted by law

  • certain regulated professionals such as lawyers or auditors.

We require all third parties to respect the security of your personal data and to process it in accordance with applicable laws and regulations.

5. Where do we transfer your personal data?

Our activities may involve transfers of your personal data to countries outside of the European Union/European Economic Area (EU/EEA). In this case, the transfer of your personal data may occur where the European Commission has decided that the country outside the EU/EEA ensures an adequate level of data protection.

For transfers to countries outside the EU/EEA for which the level of protection has not been recognised as adequate by the European Commission, we will either implement appropriate safeguards provided for by data protection legislation (e.g. the entry into standard data protection clauses) or rely on a derogation applicable to specific situations (such as your explicit consent).

You can obtain more information regarding relevant safeguards we rely on by contacting us at 

6. Security of your personal data

The processing of your personal data is carried out through IT, electronic and manual tools, with logics strictly related to the aforementioned purposes and, in any event, in compliance with the appropriate technical and organisational measures required by law to ensure a level of security that is adequate to the risk, in order to avoid unauthorised loss or access to your data.

In order to protect your rights and the confidentiality of your personal data, and especially when processing sensitive data (e.g. health, genetic…) for scientific research purposes, we must have suitable and specific safeguards in place to help protect your personal data. Our researchers are notably asked to implement anonymization or pseudonymisation (e.g. remove identifiers such as your name and replace this with a unique code or key) wherever feasible and at the earliest opportunity.

7. How long do we keep your personal data?

We will retain your personal data as long as necessary to fulfil the purposes we collected it for and for the time necessary for compliance with our legal obligations. The time periods for which we retain your personal data depends on the type of data and the purposes for which we use it.

In accordance with the data minimisation principle, we ask our researchers to anonymise, pseudonymise or delete personal data collected as part of their research at the earliest opportunity. Thus, data where you can be identified will usually be kept for a minimum amount of time and in accordance with our research objectives. We may, however, retain personal data and documents (e.g. consent forms) for a time period following the completion of our research, study or project, as this is sometimes a legal or regulatory requirement or a requirement of our funders.

Some of our research projects or public health expertise missions may require that we process data where you can be identified, as it is necessary for achieving the outcome of the research. For such projects, we store your personal data as part of the research for the duration of the project and for a defined period after the project has ended. This is usually defined by applicable laws and regulations.

We will inform you by appropriate means (e.g. participant information sheet) with regards to how long your personal data will be kept for in specific research projects.

8. What are your rights regarding your personal data?

In accordance with data protection legislation, you may exercise at any time individual rights in relation to your personal data:

  • right to access, which enables you to obtain from us confirmation of whether personal data is being processed or not and, if so, obtain access to such data; we process a large quantity of information, and can thus request, in accordance with GDPR, that before the information is provided, you specify the information or processing activities to which your request relates;

  • right to rectification, which enables you to obtain from us the correction and/or integration of any of your personal data that are incorrect and/or incomplete; and in certain limited cases (in which case we will analyse whether the conditions for the exercise of such rights are fulfilled, in line with GDPR):

  • right to erasure, which enables you, in specific cases provided for by art. 17 GDPR, to obtain from us the erasure of your personal data;

  • right to restriction of processing, which enables you, in the specific cases provided for by art. 18 of the GDPR, to restrict the processing of your personal data by us;

  • right to object, which enables you to object to the processing of your personal data when certain conditions are met;

  • right to data portability, which enables you, in certain cases and with regard only to the data you have provided to us, to request receipt of your personal data in a structured and commonly machine-readable format.

Please note that the extent to which these rights apply to research will vary and that in some circumstances rights may be restricted. It should also be noted that we can only implement your rights during the period upon which we hold personal data about you. Once the data we hold about you has been irreversibly anonymised and becomes part of a research data set it will not be possible to access your personal data.

If you have provided your consent to the processing of your personal data, you can withdraw such consent at any time and this will not adversely affect your medical care.

To exercise any of these rights, you may contact our Data Protection Officer by email  or by postal mail:

Luxembourg Institute of Health (LIH) 
Data Protection Officer 
1A-B rue Thomas Edison
L-1445 Strassen

You have the right to lodge a formal complaint with the Commission nationale pour la protection des données (CNPD). Full details may be accessed on the complaints section of CNPD’s website (https://cnpd.public.lu).

9. Changes to this data protection notice

Changes may occur in the way we process your personal data. In case these changes oblige us to update this Data Protection Notice, we will clearly communicate it to you, either via our website or via other appropriate means. The latest applicable version of this Data Protection Notice will always be available on our website.

10. Glossary

Anonymisation means the irreversible process of rendering personal data anonymous in such a manner that the data subject is not or is no longer identifiable;

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Data protection legislation means the General Data Protection Regulation EU 2016/679 (the ‘GDPR’) and any other applicable EU or local legislation or regulation implementing GDPR (notably the Luxembourg law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of the GDPR), as well as their successor texts;

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (as defined by GDPR);

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

Sensitive personal data or special categories of data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;

Third party means natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.



Top    

Data protection notice for recruitment

🇫🇷 Version française : Avis relatif à la protection des données en matière de recrutement
🇩🇪 Deutsche Fassung: Datenschutzhinweis für das bewerbungsverfahren

Version last updated on 31 July 2019.

Luxembourg Institute of Health (LIH), 1A-B rue Thomas Edison L-1445 Strassen, Luxembourg and the Integrated BioBank of Luxembourg (IBBL), 1 rue Louis Rech L-3555 Dudelange, Luxembourg (“we”) are committed to the protection of your personal data in accordance with data protection legislation, especially the General Data Protection Regulation EU 2016/679 (the “GDPR”).

This Data Protection Notice for recruitment is directed to candidates who apply for a job at LIH and IBBL (“you”). It provides you with detailed information relating to the way we protect your personal data.

1. Who is the controller of your personal data?

Luxembourg Institute of Health (LIH), 1A-B rue Thomas Edison L-1445 Strassen is responsible as a data controller, for collecting and processing your personal data in relation to your application for a position at LIH/IBBL and our recruitment process. The purpose of this Data Protection Notice for recruitment is to inform you on which personal data we collect, the reasons why we use and share such data, how long we keep it, what rights you have and how you can exercise them.


2. What personal data do we process?

We collect and use your personal data to the extent necessary in relation to our recruitment process and to ensure that your application can be considered by the relevant LIH or IBBL department(s).

We may collect various types of personal data that you decide to or are requested to submit in relation to your application for a particular job position, including:

  • identification data (such as your name, date and place of birth, nationality, contact details, address, telephone, email, country, or other contact information),

  • job application data (CV, cover letter, previous work experience, education, additional qualification, or other information regarding your professional qualification and experience, additional skills and abilities, professional interest, details of your right to work in Luxembourg, etc. you provide for our consideration in the recruitment process),

  • pre-employment checks: interview notes, records/results of pre-employment checks, information included on your CV/resume and/or any application forms,

  • image: we do not require from job applicants to include photos as part of their job application documentation. It is up to you if you would like to voluntarily submit such image or photo,

  • identification of the job and personal requirements (type of employment sought, desired salary, willingness to relocate, or other job preferences you decide to voluntary submit),

  • referees: reference letters, names and contact details for referees,

  • any other information that you decide to voluntarily share with us, such as hobbies, interests, professional plans, how you found about our job offer, what motivates you to apply for us, marital status, salary level.

If you decide to attach reference letters to your job application, it is your responsibility to obtain consent from referees and inform them of the purposes for which their personal data may be processed (based on this Data protection notice for recruitment) before providing their personal data to us. We will not contact directly your referees, unless you explicitly consent to such approach.

We do not require from job applicants to include any special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning sex life or sexual orientation) or any judicial data (e.g. criminal records) as part of the job application documentation. Please do not include such sensitive data in your job application.

We may also collect information about you from publicly accessible sources, such as LinkedIn, etc., where we collect your full name, email, work history, and other data included on your profile. You can choose what types of information to submit as part of your job application. Normally, the following categories of data would be strictly necessary, so we can consider your job application for the particular position: your identification data, your job application data, pre-employment checks and identification of the job and personal requirements.

In certain cases, a LIH or IBBL job advertisement may specify additional categories of personal data required for a specific position. If so, provision of such information would be also treated as mandatory (please check the job advertisement again).

Submitting of any other information would be dependent entirely on you and would be treated as voluntary.

Note, that in case of your selection for the job position you have applied for, the above categories of personal data will further form part of your employment file with LIH or IBBL (more information will be provided to you upon the start of your employment).


3. What are the purposes of and the legal basis for our processing?

We collect and use your personal data for the following purposes:

  • to assess your skills, qualifications and interests against our career opportunities, to maintain our relationship during the recruitment process, including by calling you and inviting you to interviews, exchange of offers and terms of employment, etc.,

  • to verify your information, to run our internal compliance and conflict checks and to conduct reference/background checks (if required under applicable law or subject to your consent);

  • to communicate with you and inform you of other career opportunities,

  • for security and protection of our organization, IT networks and LIH information;

  • to improve our recruitment process, and - to defend ourselves in any legal or court proceedings.

We collect your personal data on the following basis:

  • pre-contractual measures necessary to establish a contractual relationship with you or represent take steps in this direction, at your request,

  • to comply with our legal and regulatory obligations related to recruitment campaigns ,

  • for our legitimate interests, including to ensure that our institute, IT networks and information are secure, to manage our recruitment process, to keep records of the recruitment process and to protect our interest and rights in the event of investigated, suspected or actual violations of applicable law, or - with your consent (only when legally required or permitted).


4. Who do we share your personal data with?

In order to fulfil the aforementioned purposes, your personal data may be shared internally for the purposes of the recruitment process with members of the LIH Human Resources department, interviewers involved in the recruitment process, managers in the business area with a vacancy if access to the data is necessary for the performance of their roles. LIH Human Resources will have access to your personal data for the purposes listed above. We may communicate your personal data to:

  • service providers/vendors (such as recruitment agency) that perform services on our behalf,

  • law enforcement or other government and regulatory bodies or agencies, upon request and to the extent permitted by law - certain regulated professionals such as lawyers or auditors.

We may also receive requests from third parties with authority to obtain disclosure of personal data. We will only respond to such requests where we are permitted to do so in accordance with applicable laws and regulations.

We require all third parties to respect the security of your personal data and to process it in accordance with the law.


5. Where do we transfer your personal data?

We may use third party providers to deliver our services and this may involve transfers of your personal data to countries outside of the European Union/European Economic Area (EU/EEA). In case of international transfers originating from the EU/EEA to a country outside the EU/EEA, the transfer of your personal data may occur where the European Commission has decided that the country outside the EU/EEA ensures an adequate level of data protection.

For transfers to countries outside the EU/EEA for which the level of protection has not been recognised as adequate by the European Commission, we will either implement appropriate safeguards provided for by current data protection law (e.g. the entry into standard data protection clauses) or rely on a derogation applicable to specific situations (such as your explicit consent).

You can obtain more information regarding relevant safeguards we rely on by contacting us at .


6. Security of your personal data.

The processing of your personal data is carried out through IT, electronic and manual tools, with logics strictly related to the aforementioned purposes and, in any event, in compliance with the appropriate technical and organisational measures required by law to ensure a level of security that is adequate to the risk, in order to avoid unauthorised loss or access to your data.


7. How long do we keep your personal data?

If your job application is unsuccessful, we will retain your personal data 2 years maximum after the end of the relevant recruitment process (for consideration for future employment opportunities). At the end of that period, or once you oppose to your personal data being processed, your personal data will be deleted or destroyed.

Note that in case you are selected for the job position you applied for, the above categories of personal data will continue being processed as part of your employment file with LIH or IBBL (more information will be provided to you upon the start of your employment).


8. What are you rights regarding your personal data?

In accordance with applicable data protection law, you may exercise at any time, in respect of us, the following rights in relation to your personal data:

  • right to access, which enables you to obtain from us confirmation of whether personal data is being processed or not and, if so, obtain access to such data; we process a large quantity of information, and can thus request, in accordance with GDPR, that before the information is provided, you specify the information or processing activities to which your request relates;

  • right to rectification, which enables you to obtain from us the correction and/or integration of any of your personal data that are incorrect and/or incomplete; and in certain limited cases (in which case we will analyse whether the conditions for the exercise of such rights are fulfilled, in line with GDPR):

  • right to erasure, which enables you, in specific cases provided for by art. 17 GDPR, to obtain from us the erasure of your personal data;

  • right to restriction of processing, which enables you, in the specific cases provided for by art. 18 of the GDPR, to restrict the processing of your personal data by us;

  • right to object, which enables you to object to the processing of your personal data when certain conditions are met;

  • right to data portability, which enables you, in certain cases and with regard only to the data you have provided to us, to request receipt of your personal data in a structured and commonly machine-readable format.

To exercise any of these rights, you may contact our Data Protection Officer by email dpo@lih.lu or by postal mail:

Luxembourg Institute of Health (LIH)
Data Protection Officer 1A-B rue Thomas Edison L-1445 Strassen

You have the right to lodge a formal complaint with the Commission nationale pour la protection des données (CNPD). Full details may be accessed on the complaints section of CNPD’s website.


9. Changes to this data protection notice for recruitment.

Changes may occur in the way we process personal data. In case these changes oblige us to update this Data Protection Notice for recruitment, we will clearly communicate it to you, either via our Site or via other appropriate means. The latest applicable version will always be available on our Site.


Top