Data Protection Office

Privacy notice related to events management

Introduction

In accordance with transparency requirements as per Articles 12, 13 and 14 of the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter the “GDPR”), this Privacy Notice (hereafter “the Notice”) explains how the University of Luxembourg (hereafter “we”, “us”) collects, processes and protects personal data as data controller in relation with invited speakers and attendees (hereafter “you”) to events organised by us. Attendees can be our staff and students, V.I.P.s as well as general public.

For details on the processing of your personal data when you participate in virtual events organised by us via Webex and recording of the event takes place, please refer to the following dedicated Privacy Notice: Recording of virtual events – University of Luxembourg I Uni.lu.

Who are we?

The University of Luxembourg is a public higher education and research establishment, operating under the supervision of the Ministry for higher education.

The University of Luxembourg has its official address at:

MAISON DU SAVOIR
2, avenue de l’Université
L- 4365 ESCH-BELVAL
Phone number: Tel.: (+352) 46 66 44 1
Internet address: https://www.uni.lu/

The University has appointed a DPO: reachable during working hours.

Further information is provided on:

Why do we process your personal data?

We collect and further process your personal data in order to organise, manage and promote events we organise and to which you participate. We collect your personal data directly from you. In particular, depending on our relationship with you, we will process the following personal data for the purposes and under the legal basis described below:

a. when you are an invited speaker to our events

Organisation of events
  • Purpose

    Organisation of events (including registration to our events as speaker, creation of speaker badge where required, arrange and facilitate venue and access, communicate updates and possible changes regarding our events).

  • Categories of personal data

    Personal identification and contact data (first and last name, email and postal address, phone number).

    Professional data (organisation, position/title).

    Data related to dietary and/or mobility restrictions (disabilities, consumption of certain categories of dietary products and other related information you may provide).

  • For all the personal data processed

    Legitimate Interest (when there is no agreement in place).

    The processing is necessary for the purposes of the legitimate interests pursued by us (art. 6, para. 1 (f), GDPR) consisting in assuring the organisation of the event as well as your venue and participation as an invited speaker.

    Performance of a contract (when there is an agreement in place).

    The processing is necessary for the performance of the contract with the invited speaker (art. 6, para. 1 (b), GDPR).

    For the special category of personal data processed

    Explicit consent

    Dietary and mobility restrictions may reveal special category of data about you. We collect and process this data only if you provide your explicit consent (art. 9, para. 2 (a), GDPR).

Information about and promotion of our events
  • Purpose

    Information about and promotion of our events (including coverage of our events via photos/videos, dissemination of photos/videos captured mainly via press releases and publications on our website and social media accounts, publication of information concerning the academic/professional background of invited speakers and their participation in our events).

  • Categories of personal data

    Personal identification data (first and last name).

    Academic and professional background (studies, expertise, organisation, position/title).

    Photos and videos (visual and promotional material, image captured or recorded during our events).

  • For all the personal data processed

    Legitimate Interest

    The processing is necessary for the purposes of the legitimate interests pursued by us (art. 6, para. 1 (f), GDPR) consisting in informing about and promoting our events to the public in order to ensure transparency as public organisation and attract the interest of the higher education and research community as well as in informing about the identity of invited speakers to our events.

    Consent

    Your consent will be requested for the capture and dissemination of your image in photos and videos (art. 6, para. 1 (a), GDPR).

Reimbursement of expenses occurring for the venue of the invited speakers to our events
  • Purpose

    Reimbursement of expenses occurring for the venue of the invited speakers to our events (including reimbursement of expenses occurred to invited speakers for travel, accommodation and meals).

  • Categories of personal data

    Personal identification data (first and last name, email, address).

    Bank account details (IBAN, BIC, bank name, bank account holder).

    Data related to expenses occurred in the course of our event (amount, type and date of expense, receipts and proofs of payment).

  • For all the personal data processed

    Performance of a contract (when there is an agreement in place).

    The processing is necessary for the performance of the contract with the invited speaker, concluded following the acceptance by the invited speaker of our invitation to participate to our event according to the proposed terms (art. 6, para. 1 (b), GDPR.

Communication about other relevant events we organize
  • Purpose

    Communication about other relevant events we organize (including sending information and/or invitations for our future events that might be of interest to you).

  • Categories of personal data

    Personal identification data (first and last name, email).

  • For all the personal data processed

    Legitimate Interest

    The processing is necessary for the purposes of the legitimate interests pursued by us (art. 6, para. 1 (f), GDPR) consisting in informing about and promoting future events we organise.

b. When you are an attendee to our events

Organisation of events
  • Purpose

    Organisation of events (including registration to our events, creation of badge where required, arrange and facilitate venue and access, communicate updates and possible changes regarding our events).

  • Categories of personal data

    Personal identification and contact data (first and last name, email).

    Professional data (organisation, position/title).

    Data related to dietary and/or mobility restrictions (disability, consumption of certain categories of dietary products and other related information you may provide).

  • For all the personal data processed

    Legitimate Interest

    The processing is necessary for the purposes of the legitimate interests pursued by us (art. 6, para. 1 (f), GDPR) consisting in assuring the organisation of our events as well as the venue of the attendees.

    For the special category of personal data processed

    Explicit consent

    Dietary and mobility restrictions may reveal special category of data about you. We collect and process this data only if you provide your explicit consent (art. 9, para. 2 (a), GDPR).

Information about and promotion of our events
  • Purpose

    Information about and promotion of our events (including coverage of our events via photos/videos, dissemination of photos/videos captured mainly via press releases and publications on our website and social media accounts).

  • Categories of personal data

    Photos and/or videos (visual and promotional material, image captured or recorded during our events)

  • For all the personal data processed

    Legitimate Interest

    Depending on the circumstances under which photos/videos are taken, the legal basis of this processing activity is the legitimate interests pursued by us (art. 6, para. 1 (f), GDPR) consisting in informing about and promoting our events to the public in order to ensure transparency as public organisation and attract the interest of the higher education and research community.

    Consent

    In other cases, consent will be requested for taking and publishing photos/video (art. 6, para. 1 (a), GDPR).

Conduct satisfaction surveys
  • Purpose

    Conduct satisfaction surveys (send satisfaction surveys related to our events to attendees).

  • Categories of personal data

    Personal identification data (first and last name, email)

  • For all the personal data processed

    Legitimate interest

    The processing is necessary for the purposes of the legitimate interests pursued by us (art. 6, para. 1 (f), GDPR) consisting in receiving feedback from attendees to our events in order to improve their quality.

Communication about other relevant events we organise
  • Purpose

    Communication about other relevant events we organise (including sending information and/or invitations for our future events that might be of interest to you).

  • Categories of personal data

    Personal identification data (first and last name, email)

  • For all the personal data processed

    Legitimate Interest

    The processing is necessary for the purposes of the legitimate interests pursued by us (art. 6, paragraph 1, point f), of the GDPR) consisting in informing about and promoting future events we organise.

Who are the recipients of your personal data?

Your personal data collected in the course of your registration and participation to our events are shared with the following recipients:

Employees of the University of Luxembourg in charge of the organisation of the event, mainly our Communication department & Heath, Security & safety Office;

  • Our Finance and Accounting department, in order to be able to reimburse your expenses as an invited speaker to our events. In this case, only your name, bank account details and expenses occurred will be processed by our Finance and Accounting department. This data will be sent to our bank in order to proceed to the payment.
  • Our essential IT service providers, including cloud providers (e.g. Microsoft), in accordance with the contract we have in place with our providers;
  • Online platform used for the registration to our events (e.g. Eventbrite, Weezevent, Qualtrics, etc.);
  • Emergency services (e.g. police, Fire brigade, hospital, etc.) in case of an emergency during our events;
  • Third-party service providers to whom we outsource certain support services for our events (e.g. translation/photocopying/printing of promotional material, hosting and catering, filming of the event);
  • certain regulated professionals such as lawyers or auditors, only upon request and to the extend required and permitted by law.

Please note that we publish photos and/or videos captured during our events on various dissemination channels, such as our website and social media accounts, press releases, newspapers and magazines, etc.

When we share your personal data with third parties, we ensure to share only the minimum necessary. All our third-party service providers processing your personal data on our behalf are obliged to take all appropriate security measures in order to protect your personal data according to our policies. They are allowed to use your personal data only in accordance to our instructions and not for their own purposes.

Do we transfer your personal data outside of European Union?

Your personal data is mainly processed within the European Union. Only where we use a service provider located outside the European Union (EU) or European Economic Area (EAA) in the course of our events (e.g. platform for the registration to our events, cloud provider) your personal data will be transferred outside the EU/EEA. Such transfer of your personal data to third countries will only take place in accordance with GDPR requirements, using the following mechanisms:

  • transfer to a third country deemed to offer an adequate protection, according to a decision issued by the European Commission; or
  • signature of Standard Contractual clauses for Data Processors established in third countries.

How long do we store your personal data?

The retention period of the personal data provided by you in the course of our events depends on the type of the event. In particular:

• Personal data collected in the course of internal events are kept for a duration of 1 year from the completion of the event;
• Personal data collected in the course of external events are kept for a duration of 2 years from the completion of the event.

For exceptional events (e.g. inauguration images, anniversary ceremony, etc.), we will retain the images longer for archival purposes.

Please note that if you are an invited speaker to our events, data related to your expenses are kept for a duration of 10 years from the end of the financial year during which they occurred, in order to ensure compliance with the accounting obligations to which we are subject.

Security of your personal data

The University of Luxembourg will protect your personal data by using appropriate technical and organisational measures and will take all steps reasonably necessary to ensure that your personal data is treated securely in order to avoid unauthorised access to, alteration or loss of your data.

What are your rights with regard to the processing of your personal data?

According to GDPR, you benefit notably from the following rights: right to be informed, right to access to your personal data, right to rectification, right to erasure, right to restrict the scope of the processing, right to object, right to data portability, right to lodge a complaint.

The University provides further information on its website page: Your rights.

In practice, you can exercise your rights by contacting our DPO

By sending a request by post to:

Université du Luxembourg
À l’attention de: DPO – Exercise of Data Subject rights
Maison du Savoir
2, Avenue de l’Université
L-4365 ESCH BELVAL

Or

By sending a request via email to the DPO, at dpo@uni.lu

How can you lodge a complaint?

If you consider that the processing of your personal data by us infringes the GDPR, you will have the right – without prejudice to any other administrative or judicial remedy – to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

In Luxembourg, the competent authority is the Commission Nationale pour la Protection des Données (CNPD).

Contact of the CNPD:

Commission Nationale pour la Protection des Données
1, avenue du Rock’n’Roll

Service des réclamations
L-4361 Esch-sur-Alzette

Tel. : (+352) 26 10 60 -1

Or via electronic form (accessible through CNPD’s website):

Applicable law – Jurisdiction

The present Notice shall be governed and construed in accordance with the Luxembourgish law.
Any dispute concerning the existence, interpretation or performance of this Notice which cannot be settle amicably, shall fall within the jurisdiction of the Courts of Luxembourg City, without prejudice to the rights of the data subjects to bring the matters before the court where he or she has her place of residence as well as its right to lodge a complaint with the supervisory authority.

Last update of this Privacy Notice: on 25 September 2023.