Privacy policy

Processing of personal data 

In the course of its activities, Hospilux S.A. is required to process certain personal data of its customers and partners; it protects such data to the best of its ability by processing it securely, in compliance with the laws and regulations in force, including Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "EU Regulation").

The purpose of this privacy policy is to inform data subjects about the main ways in which their personal data is processed.

Some definitions of terms used in the personal data protection policy

"Personal data" means any information which directly or indirectly identifies or renders identifiable a natural person;

"DPO" refers to Hospilux's Data Protection Officer.

"Data subject" means the natural person whose personal data are collected and otherwise processed by Hospilux S.A., or a processor;

"Processing" means any operation or set of operations performed upon personal data, by means of automated processes on an electronic medium or manually on paper, such as collecting, recording, organising, structuring, storing, adapting or modifying, retrieving, consulting, using, communicating by transmission or disseminating such data;

"Controller" means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing operation;

"Processor" means the natural or legal person, public authority, department or other body which processes personal data on behalf of the controller;

"Websites" means the websites of Hospilux S.A. whose URL addresses are: www.hospilux.lu and shop.hospilux.lu.

Hospilux S.A. is responsible for the processing operations set out in this policy; for more information about the company, please consult the legal information published at the bottom of the website.

1. What processing operations are carried out by Hospilux S.A.? On what legal grounds? What personal data is processed? 

You are a Hospilux S.A. customer.

Some processing operations are carried out through the use of the Hospilux S.A. website, while others are carried out directly by Hospilux S.A.

| Processing | Purpose | Legal basis | Data concerned | Retention period |
|---|---|---|---|---|
| E-commerce | Sale of products via the shop.hospilux.lu website | Performance of a contract | Identification data; Bank details | 10 years |
| Management of rentals of medical devices in shops not covered by the CNS | Rental of medical devices not covered by the National Health Fund | Performance of a contract | Identification data; Bank details; Health data | 2 years after the end of the contract |
| Management of rentals of medical devices in shops covered by the CNS | Dispensing of medical devices; Cooperation with health professionals and health institutions (CNS) | Legitimate interest; Performance of a contract | Identification data; Health data | 2 years |
| Claims management | Continuous quality improvement in line with ISO 9001 standard | Legitimate interest | Identification data | 2 years |

You are a professional customer, partner or supplier of Hospilux S.A.

Some processing operations are carried out via the Hospilux S.A. website, while others are carried out directly by Hospilux S.A.

| Processing | Purpose | Legal basis | Data concerned | Retention period |
|---|---|---|---|---|
| Managing commercial activities | Contract management; Customer accounting; Monitoring customer relations | Performance of a contract; Legal obligation | Identification data; Professional life; Transaction data; Bank details | 10 years |
| Order management | Editing/receiving purchase orders; Receive quotations, delivery notes and invoices | Performance of a contract | Identification data; Economic and financial information | 10 years |
| Supplier management | Maintaining a contact list of suppliers and service providers; Supplier contract management; Supplier accounting | Performance of a contract; Legal obligation | Identification data; Professional life | 10 years |

You are applying for a position at Hospilux S.A.

| Processing | Purpose | Legal basis | Data concerned | Retention period |
|---|---|---|---|---|
| Recruitment | Processing applications (CVs, covering letters, letters of recommendation); Organising interviews; Putting together the candidate file | Pre-contractual measures; Legitimate interest | Identification data; Professional life | 3 months |

You are a whistleblower

| Processing | Purpose | Legal basis | Data concerned | Retention period |
|---|---|---|---|---|
| Management of reports of violations of directly applicable national and European law | Receipt of reports of breaches of the law; Management of the follow-up to the notifications received | Legal obligation | Reported facts, elements collected during the verification of the reported facts, protocols of the verification operations, follow-up to the alert; Identification data; Professional life | The duration of storage depends on the follow-up action taken to the alert: destruction of data without delay if no follow-up action is taken on the alert; 5 years after completion of the alert if follow-up action is taken |

Processing carried out regardless of the status of the data subject

| Processing | Purpose | Legal basis | Data concerned | Retention period |
|---|---|---|---|---|
| Video surveillance | Ensuring the safety of people and property | Legitimate interest | Video images | 30 days before automatic deletion |
| Public Wifi | Provide wifi access to customers, partners and suppliers when they visit the site | Performance of a contract | Connection data | 24 hours before automatic deletion |
| Website management | Order management; Management of third-party contacts | Consent | Identification data; Professional life | 10 years (order management); 2 years (contact management) |

2. Who has access to the data collected and otherwise processed? 

Only authorised persons at Hospilux S.A. who are directly involved in the processing of the aforementioned personal data may access such data; the data may also be passed on to companies in the group to which Hospilux S.A. belongs, for internal administrative purposes.
To carry out certain processing operations, Hospilux S.A. uses subcontractors with whom a specific contract has been concluded, in accordance with the EU Regulation.

3. What rights do people affected by the processing of personal data have? How can they exercise these rights? 

Depending on the lawfulness of the processing in question, the data subject has the right to:

  • be informed of the existence and purposes of any processing of their personal data;
  • access their personal data and ask for them to be corrected or deleted, or for the processing of their data to be restricted;
  • object to the processing;
  • request the portability of personal data;
  • withdraw, at any time, the consent given to Hospilux S.A. if the processing is based on their consent;
  • promptly inform the Data Protection Officer of any loss or fraudulent removal (unlawful processing) of personal data;
  • lodge a complaint with the Commission Nationale pour la Protection des Données if the data subject believes, after contacting the DPO of Hospilux S.A., that his or her rights have not been respected.

Hospilux S.A.'s DPO is the contact person for any request to exercise the aforementioned rights; he can be contacted by e-mail at the following address: dpo@hospilux.lu.

4. Right of access to video surveillance images 

Given the length of time the images are kept, the request must be sent to the DPO no later than 5 calendar days after the images are taken; it must specify the place, date and precise time of the images to be viewed (time slot of no more than a quarter of an hour), and the visual characteristics of the person (such as gender, height, hair colour and length, clothing, etc.) to enable those responsible for the processing to identify him or her on the image slots.
If the request can be granted, those responsible for the processing make an appointment for the applicant to view the video; this must take place at Hospilux S.A., in the presence of the person responsible for the video surveillance processing.

5. How secure is the data? 

Hospilux S.A. takes all necessary precautions, including administrative, technical, organisational and physical measures, to protect personal data against loss, theft and fraudulent removal, as well as against unauthorised access, disclosure, alteration or destruction.
