Data Protection Policy

 

CMCM, established and having its registered office at 32-34 rue de Hollerich, L-1740 Luxembourg, processes personal data relating to natural persons in the course of its statutory activities. As a Data Controller, CMCM is committed to complying with applicable data protection rules and regulations.

This Personal Data Protection Policy describes how personal data is used and protected by CMCM. This policy is reviewed annually.

 

Scope

CMCM's Data Protection Policy sets out the principles and guidelines governing its obligations as a Data Controller (the person or entity determining the purposes and means of processing personal data) pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation – GDPR), which entered into force on 25 May 2018.

 

Data Collected

The data collected is limited to what is necessary for the purposes identified by CMCM, in particular the reimbursement of medical costs.

Personal data is collected in particular:

  • when joining CMCM;
  • when entering into a relationship with CMCM;
  • when updating your personal data;
  • when submitting invoices for reimbursement;
  • when a third party (Luxembourg hospital, foreign hospital, etc.) submits your file to us for reimbursement under a third-party payment arrangement or a prior authorisation procedure;
  • in the event of an accident or sudden illness while travelling abroad (CMCM-Assistance);
  • when submitting a job application to CMCM.

Various categories of personal data are collected in accordance with applicable legal provisions:

  • personal identification data (e.g. surname, first name, date and place of birth, address, telephone number, e-mail address, etc.);
  • national identification data (social security registration number);
  • reimbursement-related data (medical fee statements);
  • information relating to job applications (e.g. qualifications, professional experience, etc.).

Personal data relating to third parties (family members, employers, etc.) that you provide to CMCM is processed in the same manner as your own personal data, according to the corresponding services and purposes. It is your responsibility to inform the individuals concerned.

 

Lawfulness of processing

All personal data processing activities carried out by CMCM are based on one of the following lawful grounds:

  • compliance with legal, regulatory and statutory obligations;
  • performance of a contract, including pre-contractual measures, such as the reimbursement of medical and hospital expenses;
  • CMCM's legitimate interests, such as informing members about new services, conducting promotional activities, and organising events.

     

Transfer of data to third parties

CMCM transfers personal data to third parties (e.g. membership card providers, the CNS, printing service providers, hospitals, etc.) as part of its activities where authorised or required to do so by law, regulation or contract.

These third parties are themselves required to comply with applicable legal and contractual obligations relating to personal data protection, whether acting as Data Controllers or Data Processors.

 

Transfer of data outside the European Economic Area

CMCM does not transfer personal data outside the European Economic Area ("EEA"), except where a member provides a correspondence address in a country outside the EEA or where medical treatment or assistance requested by the member requires such a transfer.

 

Data retention period

CMCM retains personal data in accordance with its legal obligations and for no longer than is necessary to fulfil the purposes for which the data was collected.

 

Data security

CMCM is committed to protecting and securing your personal data in order to ensure its confidentiality and prevent its destruction, loss, alteration or unauthorised disclosure.

To this end, CMCM has implemented physical, technical, organisational and procedural security measures:

  • CMCM staff are made aware of personal data protection requirements through internal training, regular communications and the dissemination of best practices;
  • CMCM ensures that all necessary data protection measures are integrated from the design stage ("Privacy by Design"), whether in new applications or in existing applications where functionalities are added, replaced or modified;
  • CMCM applies the highest possible level of data protection by default ("Privacy by Default"). By default, only data that is genuinely necessary should be collected and stored. This principle applies to the quantity of personal data collected, the extent of processing, the retention period and data accessibility. Special categories of personal data (sensitive data) are subject to enhanced security measures;
  • when engaging data processors, CMCM requires them to provide equivalent data security safeguards;
  • CMCM's Information Security Policy ensures a level of protection for personal data that complies with applicable data protection regulations.

These measures are reviewed, updated and improved on a regular basis.

 

Data breach notification

In the event of a personal data breach, CMCM shall notify the National Commission for Data Protection (CNPD) as soon as possible and, where required, no later than 72 hours after becoming aware of the breach.

 

Where the breach concerns your personal data and is likely to result in a high risk to your rights and freedoms, CMCM will inform you without undue delay.

 

Your rights

Under the GDPR, you have the following rights regarding your personal data processed by CMCM:

  • the right to access your personal data and, where applicable, obtain a copy of such data;
  • the right to rectify inaccurate personal data;
  • the right to erasure ("right to be forgotten"), unless retention is required by law or another legitimate reason;
  • the right to restrict processing;
  • the right to data portability, meaning the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another Data Controller;
  • the right to object at any time to the processing of your personal data;
  • rights relating to automated decision-making.

If you wish to exercise any of the above rights, you may send your request by message, e-mail or post to:

 

CMCM
Data Protection Officer
32-34 rue de Hollerich
L-1740 Luxembourg
dataprotection@cmcm.lu

 

For reasons of confidentiality and data protection, CMCM must verify your identity before responding to your request. Accordingly, any request must be accompanied by a copy of a valid identity document.

 

CMCM will endeavour to respond to your request as promptly as possible and within one month of receipt. Depending on the complexity of the request or the number of requests received, this period may be extended by a further two months. You will be informed of any such extension and the reasons for it within one month of receipt of your request.

 

CMCM reserves the right to refuse requests that are manifestly unfounded or excessive (for example, repetitive requests). In the event of refusal, CMCM will provide the reasons for its decision and information regarding available remedies.

 

If you are not satisfied with the outcome of your request, you may lodge a complaint with the National Commission for Data Protection (CNPD). Further information is available at https://cnpd.public.lu.