Privacy statement

Name and contact details of the controller according to Article 4 para. 7 of the GDPR

Company: Hospilux S.A.
Address: 1 rue des Chaux – L-5324 Contern
Tel.: (00352) 35 02 20 1
E-mail: hospilux@hospilux.lu 

Data processing:

Hospilux S.A.
1 rue des Chaux – L-5324 Contern
(00352) 35 02 20 1
hospilux@hospilux.lu

Data protection officer: dpo@hospilux.lu

 


Personal data security and protection
We place great importance on the confidentiality of any personal data that you provide us with in order to protect it against any unauthorised access, which is why we take the greatest care in processing it and adhere to the most advanced security standards to ensure maximum protection of your personal data.

As a private company, we are subject to the provisions of the European Union’s General Data Protection Regulation (GDPR) and the regulations of the National Commission for Data Protection (CNPD, the Luxembourg Data Protection Act). We have put technical and organisational measures in place to ensure that data protection provisions are complied with both by ourselves and by our external service providers.

Definitions
The legislator requires that personal data be processed lawfully, in good faith and in a manner that is transparent to the data subject (lawfulness, good faith processing and transparency). In order to ensure this, we have outlined various legal definitions that are also used in the present privacy statement:

  1. Personal data
    Personal data is any information relating to an identified or identifiable natural person (hereafter referred to as the Data Subject); an identifiable natural person is one who can be identified, either directly or indirectly, notably in relation to an identifying factor such as a name, an identification number, location data, a username or other login details, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
  2. Processing
    Processing refers to any operation or series of operations performed upon personal data or sets of personal data, by automatic or other means, including collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or linking, restriction, deletion and destruction.
  3. Restriction of processing
    ’Restriction of processing’ is the marking of stored personal data with a view to restricting its future processing.
  4. Profiling
    Profiling covers any form of automated processing of personal data that involves using personal data to evaluate certain personal aspects relating to an individual, notably for the purposes of analysing or predicting certain factors concerning the person’s professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  5. Pseudonymisation
    Pseudonymisation refers to the processing of personal data in such a way that it can no longer be attributed to a specific data subject without the need for additional information, provided that this additional information is stored separately and is subject to certain technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
  6. File
    A ‘file’ is any structured set of personal data that can be accessed based on specific criteria, whether the set in question be centralised, decentralised or distributed functionally or geographically.
  7. Controller
    The controller is the natural or legal person, public authority, service or other body that determines the purposes for and means by which the data is processed, either alone or jointly with others; where the purposes and means of such processing are determined by European Union law or by the law of a Member State, the controller may be appointed or the specific criteria applicable to said appointment may be outlined by European Union law or by the law of a Member State.
  8. Processor
    The processor is any natural or legal person, public authority, service or other body that processes personal data on behalf of the controller.
  9. Recipient
    The recipient is the natural or legal person, public authority, service or other body with which personal data is shared, by a third party or otherwise. Any public authorities with which personal data may be shared in the context of a particular enquiry in accordance with European Union law or the law of a Member State will not, however, be considered recipients of said data; the public authorities in question shall process such data in accordance with the applicable data protection rules depending on the purposes for which it is being processed.
  10. Third party
    A third party is a natural or legal person, public authority, service or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process the personal data in question.
  11. Consent
    The ’consent’ of the data subject means any freely given specific, informed and unequivocal indication of their wishes by which the data subject agrees, whether by means of a declaration or a clear positive action, to the processing of personal data concerning them.

Lawfulness of processing
The processing of personal data is only lawful if there is a legal basis for its processing. This legal basis for processing can stem notably from the following requirements of Article 6 para. 1 lit. a-f of the GDPR:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Information on the collection of personal data
(1) The following information relates to the collection of personal data when using our website. Personal data notably includes users’ names, addresses, e-mail addresses and behaviour.

(2) When you contact us from your e-mail address, we save the data you provide (your e-mail address and potentially your name and telephone number) in order to be able to respond to your queries. The data collected in this way will be deleted when there is no longer any need to retain it or when the processing of the data is restricted in the case of a legal retention obligation.

Collection of personal data when visiting our website
When using the website for information purposes only, i.e. without registering or providing information in any other way, we only collect the personal data that your browser sends to our server. If you want to visit our website, we collect the following data which is required for technical purposes relating to the displaying, stability and security of our website (legal basis: Art. 6 para 1 S. 1 lit. f of the GDPR):

  • IP address
  • Date and time of the request
  • Difference in time zone in relation to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Volume of data transmitted each time
  • Website from which the request originates
  • Browser
  • Operating system and size
  • Browser language and version.

Use of cookies
(1) In addition to the above-mentioned data, cookies are stored on your computer when you use our website. These cookies are small text files that are stored on your hard drive, depending on the browser you use, and used to obtain various information. Cookies can run small programs and transmit viruses to your computer. They are used to make the Internet offering more user-friendly and efficient.

(2) This website uses the following types of cookies, the scope and function of which are outlined below:

  • Temporary cookies (cf. point a.)
  • Persistent cookies (cf. point b.).
  1. Temporary cookies are automatically deleted when you close your browser and notably include session cookies. They store a session ID that allows different requests from your browser to be assigned to the same session. This, in turn, allows your computer to be recognised when you return to our website. Session cookies are deleted when you log out or close your browser.
  2. Persistent cookies are automatically deleted after a pre-determined period of time that can vary depending on the cookie. You can delete cookies at any time in your browser’s security settings.
  3. You can configure your browser settings as you wish and reject third-party cookies or even all cookies, for example. These third party cookies are installed by third parties, not by the website you are actually visiting. We would like to point out that deactivating cookies may prevent you from using the website to its full potential.
  4. We use cookies to identify you on future visits if you do not have an account with us and to avoid the need for you to log in every time you visit.

Other functions and offers on our website
(1) In addition to the purely informational use of our website, we offer various services that you can use should you so wish and that generally require you to enter additional personal data that we use to provide these services and that is subject to the aforementioned data processing principles.

(2) We do use external data processors to process data to some extent. These have been carefully selected and mandated by us, are bound by our instructions and are monitored on a regular basis.

(3) We may also transfer your personal data to third parties when it comes to participating in initiatives, competitions, contracts or other similar services in collaboration with our partners. You will receive further information about this when entering your personal data or beneath the description of the offering.

(4) Insofar as our service providers and partners are based in a country outside of the European Economic Area (EEA), we will inform you of the consequences of this circumstance in the description of the offering.

Use of our online shop or ‘Webshop’
(1) When placing an order via our online shop, it is vital to the conclusion of the contract that you provide the personal data we require in order to process your order. Information that is vital to the execution of contracts is indicated, while other details are optional. We process the data you provide when placing an order and may, for these purposes, pass on your payment data to our bank in accordance with Art. 6 para. 1 S. 1 lit. b of the  GDPR. You can also create an account that will enable us to save your data for future purchases. The data you provide when creating an account in the My Account section will be stored definitively. You can delete all other data, including your account, at any time via the customer area.

(2) Due to commercial and tax regulations, we are obliged to store your address, payment details and order data for a period of ten years. We do, however, restrict the processing of said data once a period of two years has passed, meaning that your data will then only be used to enable us to fulfil our legal obligations.

(3) To prevent unauthorised access to your personal data, and financial data in particular, by third parties, the ordering process is encrypted using TLS technology.

Minors
Our offering is aimed primarily at adults. Persons under the age of 18 should not provide us with personal data without the consent of their parents or guardians.

Rights of the data subject
(1) Revocation of consent
If consent has been given for the processing of personal data, you have the right to revoke this consent at any time. Such revocation does not affect the lawfulness of the processing that has taken place up to the prior to the point of revocation.

You may contact us at any time to exercise your right of revocation.

(2) Right of confirmation
You have the right to request confirmation from the controller regarding the processing of personal data. You may request such confirmation at any time from the controller whose contact details are provided above.

(3) Right to information
With regards to the processing of personal data, you may request information about the data, and the following details in particular, at any time:

  1. The purpose(s) for which the data is being processed;
  2. The categories of personal data that are being processed;
  3. The recipient or categories of recipient to whom the personal data in question has been or will be disclosed, notably including any recipients in third countries or international organisations;
  4. If possible, the expected duration for which the personal data will be stored, or, if not possible, the criteria by which this duration will be determined;
  5. The existence of a right to rectify or delete your personal data or a right to restrict or object to the processing thereof;
  6. The existence of a right to complain to a supervisory body;
  7. Where personal data is not collected from the data subject, all information regarding the origin of the data;
  8. The existence of a right to automated individual decision-making including profiling in accordance with Article 22 para. 1 and 4 of the GDPR and, at least in these cases, relevant information regarding the logic involved and the scope and intended effects of such processing on the data subject.

Where personal data is transferred to a third country or international organisation, you are entitled to be informed about the appropriate safeguards put in place in accordance with Article 46 of the GDPR in relation to said transfer. We will provide a copy of the personal data that is being processed in this manner. For any additional copies, we may charge an appropriate fee based on the cost of processing. If the request is submitted electronically, the information is to be provided in a standard electronic format unless otherwise stated. The right to receive a copy in accordance with paragraph 3 will not affect the rights or freedoms of other persons.

(4) Right of rectification
You have the right to request the immediate rectification of any of your personal data that is inaccurate. Taking into account the purposes of the processing, you have the right to have any incomplete personal data completed,  including by means of an additional declaration.

(5) Right to erasure (Right to be forgotten)
You have the right to have the controller delete your personal data as soon as possible and we are obliged to delete such  personal data as soon as possible where one of the following reasons applies:

  1. The personal data is no longer required for the purposes for which it was collected or otherwise processed;
  2. the data subject withdraws their consent for the data to be processed, in accordance with Article 6 para. 1(a) or Article 9 para. 2(a) of the GDPR, and there is no other legal basis on which to process the data;
  3. the data subject objects to the processing in accordance with Article 21 para. 1 and there is no compelling legitimate reason for processing the data in question, or the data subject objects to the processing in accordance with Article 21 para. 2 of the GDPR;
  4. the personal data has been unlawfully processed;
  5. the personal data must be erased in order to comply with a legal obligation pursuant to European Union law or the law of the Member State to which the controller is subject;
  6. the personal data has been collected for the purposes of offering information society services as referred to in Article 8 para. 1 of the GDPR.

If the controller has made the personal data public and is required to erase them pursuant to paragraph 1, the controller will, taking into account the technologies available and the associated costs of implementation, take reasonable measures, including of a technical nature, to inform the controllers who process said personal data that a data subject has requested the erasure by said controllers of any link to said personal data or any copy or reproduction of said personal data.

The right to erasure (Right to be forgotten) does not apply insofar as such processing is necessary:

  • to the exercising of the right to freedom of expression and information;
  • to fulfil a legal obligation that requires the processing provided for under European Union law or the law of the Member State to which the controller is subject, or to perform a task of public interest or relating to the exercising of the public authority vested in the controller;
  • for reasons of public interest in the field of public health, in accordance with Article 9 para. 2(h) and (i) and Article 9 para. 3 of the GDPR;
  • for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 para. 1 of the GDPR, insofar as the right referred to in paragraph 1 is likely to render impossible or seriously compromise the achievement of the purposes of such processing; or
  • for the establishment, exercising or defence of legal rights.


(6)  Right to restriction of processing
You have  the right to have the controller restrict the processing of data where any of the following apply:

  1. the accuracy of the personal data is contested by the data subject, for a period of time that will allow the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject objects to its deletion and demands instead that its use be restricted;
  3. the controller no longer needs the personal data for processing purposes but the data is still required in order for the data subject to establish, exercise or defend their legal rights;
  4. the data subject has objected to the processing under Article 21 para. 1 of the GDPR during the process of verifying whether the legitimate reasons upheld by the controller override those of the data subject.

Where processing has been restricted pursuant to the preceding  paragraph, such personal data may,  with the exception of storage,  only be processed with the data subject’s consent, or for the establishment, exercising or defence of legal rights, or for the purposes of protecting the rights of another natural or legal person, or for important reasons of public interest where the European Union or a Member State is concerned.

In order to exercise this right to restrict processing, the data subject may contact the controller, whose contact details are provided above, at any time.

(7) Right to data portability
You have the right to receive personal data relating to you that you have provided to us in a structured, common and machine-readable format, and you have the right to transmit that data to another data controller without any hindrance on the part of the controller with whom the personal data has been shared, where:

  1. the processing is based on consent in accordance with Article 6 para. 1(a) or Article 9 para. 2(a) or on a contract in accordance with Article 6 para. 1(b) of the GDPR; and
  2. the data is processed by means of automated processes.

Where you exercise your right to data portability in accordance with paragraph 1, you have the right to have your personal data transferred directly from one controller to another, where technically possible. The exercising of the right to data portability does not affect the right to erasure  (right to be forgotten). This right does not apply to any processing required for the performance of a task of public interest or relating to the exercising of the public authority vested in the controller.

(8) Right to object
You have the right to object, at any time and for reasons relating to your particular situation, to the processing of your personal data based on Article 6 para. 1(e) or (f) of the GDPR, including any profiling based on these provisions. The controller shall no longer process the personal data unless they can demonstrate any compelling legitimate reasons for doing so that override the interests, rights and freedoms of the data subject, or for the establishment, exercising or defence of legal rights.

Where personal data is processed for marketing purposes, you have the right to object to the processing of your personal data for such marketing purposes, including profiling, insofar as it is related to such marketing, at any time. If you object to the processing of your personal data for marketing purposes, it shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by means of automated processes using technical specifications.

Where personal data is processed for scientific or historical research purposes or for statistical purposes in accordance with Article 89 para. 1, you have the right to object, for reasons relating to your particular situation, to the processing of personal data concerning you, unless said processing is necessary for the performance of a task of public interest.

You may exercise your right to object at any time by contacting the controller.

(9) Automated individual decision including profiling
You have the right not to be subject to a decision based exclusively on automated processing, including profiling, that has any legal effects that concern you or significantly affect you in a similar way. This does not apply in the following cases:

  1. where the decision is necessary for the conclusion or execution of a contract between the data subject and a controller;
  2. where the decision is authorised by Union law or the law of the Member State to which the controller is subject and that also provides for appropriate measures to safeguard the rights and freedoms and the legitimate interests of the data subject;
  3. where the decision is based on the explicit consent of the data subject.

The controller shall put in place appropriate measures to safeguard the rights and freedoms and the legitimate interests of the data subject, at least the right of the data subject to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.

The data subject may exercise this right at any time by contacting the controller.

(10) Right to complain to a supervisory body
Without prejudice to any other administrative or judicial remedy, the data subject also has the right to lodge a complaint with a supervisory body, in particular in the Member State in which they are resident or work or in which the alleged breach took place, if the data subject believes that the processing of their personal data violates this regulation.

(11) Right to effective judicial remedy
Without prejudice to any other administrative or extra-judicial remedy including the right to complain to a supervisory body in accordance with Article 77 of the GDPR,  you have the right to an effective judicial remedy should you believe that your rights as granted by this regulation have been violated as a result of any non-compliant processing of your personal data.

Use of Google Analytics
(1) This  website uses Google Analytics, a website analysis service provided by Google Inc. (Google). Google Analytics uses cookies, which are text files installed on your computer to help analyse users’ usage of the website in question. The information that the cookie generates regarding your use of the website is generally sent to and stored by Google on servers located in the United States. If IP anonymisation is enabled on the website in question, Google will shorten your IP address in European Union Member States and other States that are part of the European Economic Area agreement. The full IP address will only be sent to a Google server in the United States in exceptional cases. Google will use this information for the purpose of evaluating how you use the website, compiling reports on website activity and providing other services relating to website activity and Internet usage on behalf of the operator.

(2) The IP address sent by your browser within the framework of Google Analytics will not be merged with other Google data.

(3) You can prevent cookies from being saved by adjusting the appropriate setting in your browser; we would, however, like to point out that disabling them may prevent you from using the website to its full potential. You can also prevent the data generated by the cookie  regarding your use of this website (including your IP address) from being shared with Google, as well as the processing of this data, by downloading and installing this module for your browser, available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

(4) This website uses Google Analytics with the anonymizeIp() extension, which allows your truncated IP addresses to be processed while eliminating any personal references. If the data collected contains any personal references, these are immediately eliminated and the personal data immediately deleted.

(5) We use Google Analytics to analyse and improve the use of our website on a regular basis. The statistics obtained in this way can help us to improve our offering and make it more relevant to you as a user. In exceptional cases, when personal data is transferred to the United States, Google has agreed to be bound by the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics stems from Art. 6  para. 1 S. 1 lit. f of the GDPR.

(6) Information about the data processor: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.

  • Conditions of use: http://www.google.com/analytics/terms/de.html,
  • Information regarding data protection: http://www.google.com/intl/de/analytics/learn/privacy.html,
  • Privacy statement: http://www.google.de/intl/de/policies/privacy.


(7) This website also uses Google Analytics for the cross-device analysis of visitor flows based on a user ID. You can disable this multi-device analysis of your usage in your customer account under My Data, then Personal Data.