Privacy policy
Processing of personal data
In the course of its activities, Hospilux S.A. is required to process certain personal data of its customers and partners; it ensures to the best of its ability the protection of such data by means of secure processing thereof, in compliance with the laws and regulations in force, including Regulation (EU) 2016/679 of 27 April 2016 on the protection with regard to the processing of personal data and on the free movement of such data of natural persons (hereinafter the "EU Regulation").
The purpose of this privacy policy is to inform data subjects about the main ways in which their personal data is processed.
Some definitions of terms used in the personal data protection policy
"Personal data" means any information which directly or indirectly identifies or renders identifiable a natural person;
"DPO" refers to Hospilux's Data Protection Officer.
"Data subject" means the natural person whose personal data are collected and otherwise processed by Hospilux S.A., or a processor;
"Processing" means any operation or set of operations performed upon personal data, by means of automated processes on an electronic medium or manually on paper, such as collecting, recording, organising, structuring, storing, adapting or modifying, retrieving, consulting, using, communicating by transmission or disseminating such data;
"Controller" means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing operation;
"Processor" means the natural or legal person, public authority, department or other body which processes personal data on behalf of the controller;
"Websites" means the websites of Hospilux SA whose URL addresses are: www.hospilux.lu and shop.hospilux.lu.
Hospilux S.A. is responsible for the processing operations set out in this policy; for more information about the company, please consult the legal information published at the bottom of the website.
1. What processing operations are carried out by Hospilux S.A.? On what legal grounds? What personal data is processed?
You are a Hospilux S.A. customer.
Some processing operations are carried out through the use of the Hospilux S.A. website, while others are carried out directly by Hospilux S.A.
| Treatment | Purpose | Basis of legality | Data concerned | Shelf life |
|---|---|---|---|---|
| E-commerce | Sale of products via the shop.hospilux.lu website | Performance of a contract | Identification data Bank details |
10 years |
| Management of rentals of medical devices in shops not covered by the CNS | Rental of medical devices not covered by the National Health Fund | Performance of a contract | Identification data Bank details Health data |
2 years after the end of the contract |
| Management of rentals of medical devices in shops covered by the CNS | Dispensing of medical devices Cooperation with health professionals and health institutions (CNS) |
Legitimate interest Performance of a contract |
Identification data Health data |
2 years |
| Claims management | Continuous quality improvement in line with ISO 9001 standard | Legitimate interest | Identification data | 2 years |
You are a professional customer, partner or supplier of Hospilux S.A.
Some processing operations are carried out via the Hospilux S.A. website, while others are carried out directly by Hospilux S.A.
| Treatment | Purpose | Basis of legality | Data concerned | Shelf life |
|---|---|---|---|---|
| Managing commercial activities | Contract management Customer accounting Monitoring customer relations |
Performance of a contract Legal obligation |
Identification data Professional life Transaction data Bank details |
10 years |
| Order management | Editing/receiving purchase orders Receive quotations, delivery notes and invoices |
Performance of a contract | Identification data Economic and financial information |
10 years |
| Supplier management | Maintaining a contact list of suppliers and service providers Supplier contract management Supplier accounting |
Performance of a contract Legal obligation |
Identification data Professional life |
10 years |
You are applying for a position at Hospilux S.A.
| Treatment | Purpose | Basis of legality | Data concerned | Shelf life |
|---|---|---|---|---|
| Recruitment | Processing applications (CVs, covering letters, letters of recommendation) Organising interviews Putting together the candidate file |
Pre-contractual measures Legitimate interest |
Identification data Professional life |
3 months |
You are a whistleblower
| Processing | Purpose | Legal basis | Data concerned | Retention period |
|---|---|---|---|---|
| Management of reports of violations of directly applicable national and European law | Receipt of reports of breaches of the law Management of the follow-up to the notifications received |
Legal obligation | Reported facts, elements collected during the verification of the reported facts, protocols of the verification operations, follow-up to the alert. Identification data Professional life |
The duration of storage depends on the follow-up action taken to the alert: - Destruction of data without delay if no follow-up action is taken on the alert. - 5 years after completion of the alert if follow-up action is taken |
Processing carried out regardless of the status of the data subject
| Treatment | Purpose | Basis of legality | Data concerned | Shelf life |
|---|---|---|---|---|
| Video surveillance | Ensuring the safety of people and property | Legitimate interest | Video images | 30 days before automatic deletion |
| Public Wifi | Provide wifi access to customers, partners and suppliers when they visit the site | Performance of a contract | Connection data | 24 hours before automatic deletion |
| Website management | Order management Management of third-party contacts |
Consent | Identification data Professional life |
10 years (order management) 2 years (contact management) |
2. Who has access to the data collected and otherwise processed?
Only authorised persons at Hospilux S.A. who are directly involved in the processing of the aforementioned personal data may access such data ; they may also be passed on to companies in the group to which Hospilux S.A. belongs, for internal administrative purposes.
To carry out certain processing operations, Hospilux S.A. uses subcontractors with whom a specific contract has been concluded, in accordance with the European Regulation.
3. What rights do people affected by the processing of personal data have? How can they exercise these rights?
Depending on the lawfulness of the processing in question, the data subject has the following rights:
- be informed of the existence and purposes of any processing of their personal data;
- access their personal data and ask for them to be corrected or deleted, or for the processing of their data to be restricted;
- object to the processing ;
- request the portability of personal data;
- withdraw, at any time, the consent given to Hospilux S.A. if the processing is based on its consent;
- promptly inform the Data Protection Officer of any loss or fraudulent removal (unlawful processing) of personal data;
- lodge a complaint with the Commission Nationale pour la Protection des Données if the data subject believes, after contacting the DPO of Hospilux S.A., that his or her rights have not been respected.
Hospilux S.A.'s DPO is the contact person for any request to exercise the aforementioned rights; he can be contacted by e-mail at the following address: dpo@hospilux.lu.
4. Right of access to video surveillance images
Given the length of time the images are kept, the request must be sent to the DPO no later than 5 calendar days after the images are taken; it must specify the place, date and precise time of the images to be viewed (time slot of no more than a quarter of an hour), the visual characteristics of the person to enable those responsible for the processing to identify him or her on the image slots, such as gender, height, hair colour and length, clothing, etc.).
If the request can be granted, they make an appointment for the applicant to view the video; this must take place at Hospilux S.A., in the presence of the person responsible for the video surveillance processing.
5. How secure is the data?
Hospilux S.A. takes all necessary precautions, including administrative, technical, organisational and physical measures, to protect Personal Data against loss, theft and fraudulent subtraction, as well as against unauthorised access, disclosure, alteration or destruction of Personal Data.
