Privacy policy
Processing of personal data
In the course of its activities, Hospilux S.A. is required to process certain personal data of its employees, customers and partners; it ensures to the best of its ability the protection of such data by means of secure processing, in compliance with the laws and regulations in force, including Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "EU Regulation").
In accordance with Article 5 of the European Regulation, Hospilux S.A. respects the following fundamental principles:
Lawfulness
When processing personal data, Hospilux S.A. uses one of the following four legal bases:
- The consent of the data subject;
- Performance of a contract;
- Compliance with a legally established obligation;
- The pursuit of legitimate interests.
Where consent is the legal basis for processing, Hospilux S.A. guarantees that it is:
- Specific: processing is for a single purpose, and this purpose is precisely defined;
- Unambiguous: consent is a clear, voluntary act;
- Free: the person concerned must have the choice and must not suffer any negative consequences in the event of refusal;
- Informed: when consent is obtained, the person concerned is informed of the contact details of the data controller, the purpose of the processing, the personal data that will be collected and otherwise processed, and the right to withdraw consent at any time.
Fairness
Hospilux S.A. processes personal data in such a way as to ensure the greatest possible transparency towards the persons concerned; Hospilux S.A. does not process personal data without the knowledge of its employees, visitors, customers, suppliers or any other person who may have communicated personal data to it. In this way, Hospilux S.A. ensures that the information it processes is handled fairly, in accordance with the applicable legislation and the reasonable expectations of the persons concerned.
Transparency
Hospilux S.A. provides a certain amount of information to data subjects. This information is provided in clear, simple and easily accessible terms, regardless of the communication medium.
Whether it collects personal data directly from data subjects or from third parties, Hospilux S.A. provides data subjects with the information required by law.
Purpose limitation
Personal data processed by Hospilux S.A. is used for specific, explicit and legitimate purposes in relation to the processing activities carried out.
Data minimization
Personal data communicated to and processed by Hospilux S.A. is that which is strictly necessary for the performance of its activities: only information that is relevant, adequate and not excessive in relation to the purposes pursued in connection with the processing concerned is processed. Hospilux S.A. assesses this principle on a case-by-case basis, in order to ensure that the processing of personal data is proportionate.
Limits on data retention
The retention periods for personal data collected and processed by Hospilux S.A. are determined on a case-by-case basis, depending on the type of personal data, the purpose of the processing and legal requirements.
Once the retention period has been reached, personal data is securely deleted to prevent its recovery. Where data is stored on analog media (or other tools or applications), it is also destroyed in such a way as to preserve its confidentiality.
Within the scope of its activities, Hospilux S.A. guarantees the minimized collection of the personal data of data subjects in order to strictly meet its obligations.
Data accuracy
Hospilux S.A. takes great care to ensure the accuracy of the data collected and stored as part of its processing activities. Where necessary, it is updated. To this end, any data subject may submit a request for rectification of his or her personal data to the DPO; the request must be accompanied by proof of identity.
The purpose of this privacy policy is to inform data subjects about the main ways in which their personal data is processed.
Some definitions of terms used in the personal data protection policy
"Personal data" means any information which directly or indirectly identifies or renders identifiable a natural person;
"DPO" refers to Hospilux's Data Protection Officer.
"Data subject" means the natural person whose personal data are collected and otherwise processed by Hospilux S.A., or a processor;
"Processing" means any operation or set of operations performed upon personal data, by means of automated processes on an electronic medium or manually on paper, such as collecting, recording, organising, structuring, storing, adapting or modifying, retrieving, consulting, using, communicating by transmission or disseminating such data;
"Controller" means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing operation;
"Processor" means the natural or legal person, public authority, department or other body which processes personal data on behalf of the controller;
"Websites" means the websites of Hospilux SA whose URL addresses are: www.hospilux.lu and shop.hospilux.lu.
Hospilux S.A. is responsible for the processing operations set out in this policy; for more information about the company, please consult the legal information published at the bottom of the website.
1. What processing operations are carried out by Hospilux S.A.? On what legal grounds? What personal data is processed?
You are a Hospilux S.A. customer.
Some processing operations are carried out through the use of the Hospilux S.A. website, while others are carried out directly by Hospilux S.A.
| Processing | Purpose | Legal basis | Data concerned | Retention period |
|---|---|---|---|---|
| E-commerce | Sale of products via the shop.hospilux.lu website | Performance of a contract | Identification data; bank details | 10 years |
| Management of rentals of medical devices in shops not covered by the CNS | Rental of medical devices not covered by the National Health Fund | Performance of a contract | Identification data; bank details; health data | 2 years after the end of the contract |
| Management of rentals of medical devices in shops covered by the CNS | Dispensing of medical devices; cooperation with health professionals and health institutions (CNS) | Legitimate interest; performance of a contract | Identification data; health data | 2 years |
| Claims management | Continuous quality improvement in line with the ISO 9001 standard | Legitimate interest | Identification data | 2 years |
You are a professional customer, partner or supplier of Hospilux S.A.
Some processing operations are carried out via the Hospilux S.A. website, while others are carried out directly by Hospilux S.A.
| Processing | Purpose | Legal basis | Data concerned | Retention period |
|---|---|---|---|---|
| Managing commercial activities | Contract management; customer accounting; monitoring customer relations | Performance of a contract; legal obligation | Identification data; professional life; transaction data; bank details | 10 years |
| Order management | Issuing/receiving purchase orders; receiving quotations, delivery notes and invoices | Performance of a contract | Identification data; economic and financial information | 10 years |
| Supplier management | Maintaining a contact list of suppliers and service providers; supplier contract management; supplier accounting | Performance of a contract; legal obligation | Identification data; professional life | 10 years |
You are applying for a position at Hospilux S.A.
| Processing | Purpose | Legal basis | Data concerned | Retention period |
|---|---|---|---|---|
| Recruitment | Processing applications (CVs, covering letters, letters of recommendation); organising interviews; compiling the candidate file | Pre-contractual measures; legitimate interest | Identification data; professional life | 3 months |
You are a whistleblower
| Processing | Purpose | Legal basis | Data concerned | Retention period |
|---|---|---|---|---|
| Management of reports of violations of directly applicable national and European law | Receipt of reports of breaches of the law; management of the follow-up to the notifications received | Legal obligation | Reported facts, elements collected during the verification of the reported facts, protocols of the verification operations, follow-up to the alert; identification data; professional life | Depends on the follow-up action taken on the alert: data destroyed without delay if no follow-up action is taken; 5 years after completion of the alert if follow-up action is taken |
Processing carried out regardless of the status of the data subject
| Processing | Purpose | Legal basis | Data concerned | Retention period |
|---|---|---|---|---|
| Video surveillance | Ensuring the safety of people and property | Legitimate interest | Video images | 30 days before automatic deletion |
| Public Wi-Fi | Provide Wi-Fi access to customers, partners and suppliers when they visit the site | Performance of a contract | Connection data | 24 hours before automatic deletion |
| Website management | Order management; management of third-party contacts | Consent | Identification data; professional life | 10 years (order management); 2 years (contact management) |
2. Who has access to the data collected and otherwise processed?
Only authorised persons at Hospilux S.A. who are directly involved in the processing of the aforementioned personal data may access such data; the data may also be passed on to companies in the group to which Hospilux S.A. belongs, for internal administrative purposes.
To carry out certain processing operations, Hospilux S.A. uses subcontractors with whom a specific contract has been concluded, in accordance with the European Regulation.
3. What rights do people affected by the processing of personal data have? How can they exercise these rights?
Depending on the legal basis of the processing in question, the data subject has the following rights:
- be informed of the existence and purposes of any processing of their personal data;
- access their personal data and ask for them to be corrected or deleted, or for the processing of their data to be restricted;
- object to the processing;
- request the portability of personal data;
- withdraw, at any time, the consent given to Hospilux S.A. if the processing is based on their consent;
- promptly inform the Data Protection Officer of any loss or fraudulent removal (unlawful processing) of personal data;
- lodge a complaint with the Commission Nationale pour la Protection des Données if the data subject believes, after contacting the DPO of Hospilux S.A., that his or her rights have not been respected.
Hospilux S.A.'s DPO is the contact person for any request to exercise the aforementioned rights; he can be contacted by e-mail at the following address: dpo@hospilux.lu.
4. Right of access to video surveillance images
Given the length of time the images are kept, the request must be sent to the DPO no later than 5 calendar days after the images are taken; it must specify the place, date and precise time of the images to be viewed (a time slot of no more than a quarter of an hour) and the visual characteristics of the person (such as gender, height, hair colour and length, clothing, etc.) to enable those responsible for the processing to identify him or her in the images.
If the request can be granted, an appointment is made for the applicant to view the video; the viewing must take place at Hospilux S.A., in the presence of the person responsible for the video surveillance processing.
5. How secure is the data?
Hospilux S.A. takes all necessary precautions, including administrative, technical, organisational and physical measures, to protect Personal Data against loss, theft and fraudulent removal, as well as against unauthorised access, disclosure, alteration or destruction of Personal Data.
Hospilux S.A. takes the necessary measures to guarantee the confidentiality, integrity and availability of the data it processes, in particular to prevent their disclosure to unauthorized third parties. In order to comply with this security obligation, all employees are subject to a confidentiality obligation.
As part of its data security risk assessment, Hospilux S.A. takes into account the risks of destruction, loss or alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data, whether accidental or unlawful, which could result in physical or material damage or moral prejudice to the persons concerned. This risk assessment is carried out and reviewed on a regular basis.
Hospilux S.A. also applies security by default: access to personal data is restricted and its retention is limited unless a specific need justifies otherwise.
Hospilux S.A. acts to ensure the best possible security of personal data and its processing, in technical, human and organizational terms.
In particular, Hospilux S.A. is committed to:
- Employee awareness and training;
- Authentication and management of employee authorizations;
- Access traceability and incident management;
- Securing workstations;
- Protection of its internal IT network;
- Secure servers and websites;
- Backup and management of business continuity;
- Supervision of data maintenance and destruction;
- Protection of premises;
- Supervision of IT developments where necessary;
- Implementation of cryptographic methods;
- Regular assessment of the company's security level.
Hospilux S.A. ensures that the technical and organizational measures to protect personal data implemented by the subcontractors it selects comply with its security requirements.