Data protection

The Surveillance authority for the accessibility of products and services (OSAPS) attaches great importance to respecting your privacy and protects your personal data by applying the European General Data Protection Regulation 2016/679 (GDPR).

OSAPS undertakes to protect, among other things, the (personal) data of all its stakeholders with the utmost care and to process it only in a fair and lawful manner. This privacy statement contains essential information about how OSAPS, as the data controller, collects and processes personal data, defines the purposes for which it does so, and explains your rights as a data subject.

Contact details of the data controller

OSAPS

11, rue Robert Stümper

L-2557 Luxembourg-Gasperich

Tel. (+352) 247-76555

Contact: info@osaps.etat.lu

Data Protection Officer (DPO)

If you have any questions about how OSAPS processes your personal data, you can contact the Data Protection Officer:

OSAPS

For the attention of the DPO (or Data Protection Officer)

11, rue Robert Stümper

L-2557 Luxembourg-Gasperich,

Your rights as a data subject

Right of access

  • You have the right to access your personal data.

Right to rectification

  • You have the right to have your personal data corrected if you find that your data is inaccurate or incomplete.

Right to erasure

  • You may request, in certain circumstances, that some of your personal data be erased.

Right to restriction

  • You may request, in certain circumstances, that access to your personal data be blocked.

Right to object

  • You may object to the processing of your personal data if you believe that the processing is unlawful and request its deletion.

To exercise your rights, you can send an email or letter to the Data Protection Officer (DPO).

Right to lodge a complaint with the National Data Protection Commission (CNPD)

  • You can contact the CNPD directly via the website www.cnpd.lu.

Security and confidentiality of your personal data

OSAPS has taken technical and organizational security measures to prevent the destruction, loss, falsification, alteration, unauthorized access, or disclosure of your personal data to third parties and any other unauthorized processing of such data. These measures include, among others, physical and operational security measures, access control, employee awareness, and confidentiality clauses.

Updating the privacy statement

We may modify or update this privacy statement from time to time to reflect changes in our practices regarding the processing of your personal data or changes in applicable laws. We will do so by posting the updated version on the OSAPS website. When we publish changes to the privacy statement, we will change the date and version number. Significant changes will be highlighted on our home page. Nevertheless, we encourage you to periodically review our Privacy Statement.

List of processing operations concerning persons outside OSAPS

Management of compliance statements.

Purpose

  • Contact details are collected to obtain additional information in cases where the information provided is not sufficient to determine whether OSAPS is competent to handle the non-compliance issue.

Legal basis

  • Consent of the person concerned.

Data subjects

  • Person submitting the request.

Data category

  • Identification data (surname, first name if applicable, contact details) and free text description of any non-compliance.

Retention period

  • 2 years.

Recipients

  • If OSAPS declares that it is not competent to handle the request, it may be forwarded directly to the competent authority and will be closed.

Handling of non-compliance with the service or product provider.

Purpose

  • The OSAPS requires the provider to bring the product or service into compliance.

Legal basis

  • Legal basis: Law of March 8, 2023, on accessibility requirements applicable to products and services.

Persons concerned

  • The service provider is a legal entity, but a contact person is identified to facilitate follow-up.

Data category

  • Identification data (last name, first name, contact details).

Retention period

  • Identification data (last name, first name, contact details).

Recipients

  • No recipients of the data.

Handling of administrative disputes and sanctions.

Purpose

  • To compel a service provider who refuses to bring their product or service into compliance.

Legal basis

  • Legal basis: Law of March 8, 2023, on accessibility requirements applicable to products and services.

Persons concerned

  • The service provider is a legal entity, but a contact person is identified to facilitate follow-up.

Data category

  • Identification data (last name, first name, contact details).

Retention period

  • Contact details are retained for 5 years.

Recipients

  • Lawyers and other legal bodies.

Last update