“Data Subjects”: means natural persons whose personal data is being processed by LAFO.
“Personal Data”: means any information allowing the direct or indirect identification of an individual.
“Technical and Organizational Security Measures”: means measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of Personal Data over a network, and against all other unlawful forms of processing.
2. Collection of Personal Data
a. When does LAFO collect your Personal Data?
LAFO collects and stores Personal Data relating to Data Subjects having interactions with LAFO in accordance with Data Protection Legislation. Data Subjects may include, but are not limited to, the following categories of individuals:
representatives, employees, contact persons and any other related individuals of LAFO suppliers, third party providers and subcontractors; and
employees, shareholders, investors, directors, board members, signatories, contact persons, representatives, beneficial owners and any other related individuals of prospective clients.
b. Types of Personal Data.
Personal Data collected and stored by LAFO may include, but are not limited to, the following types of data:
identification data (such as name, family name, date and place of birth, gender);
contact information (such as phone and fax numbers, home and professional address, email address, country of (tax) residence);
other relevant personal details (nationality, citizenship) and about your employment, education, family or personal circumstances, and interests, where relevant;
government identification numbers (social security numbers, tax number, copy of ID card);
types of activities organized by LAFO and to which the Data Subjects participate;
financial and banking information (notably linked to bank account number); and
any other Personal Data reasonably related to the conduct of LAFO’s activities.
Most of the Personal Data we process is information that is knowingly provided to us by Data Subjects. However, please note that in some instances, we may process Personal Data received from a third party with the Data Subjects’ knowledge.
c. Purpose of the processing of Personal Data.
Personal Data shall mainly be processed for the following purposes:
the performance of any contractual obligations towards the Data Subjects, including but not limited to organising and participating to activities of LAFO.
In this respect, we may share your personal data with or transfer it to your agents, advisers, banks and intermediaries; third parties whom we engage to assist in delivering any services to you, including our professional advisers where it is necessary for us to obtain their advice or assistance, including lawyers, accountants, auditors, IT or public relations advisers; and our data storage providers
for compliance with legal obligations, including but not limited to, compliance with applicable law.
for the purposes of the legitimate interests pursued by us or by a third party that are necessary, for instance, for LAFO to carry out its daily activities, payment verification, to implement changes in our corporate structure or ownership, to create statistics and tests, accounting, audits, tax returns, for trainings and events organised by LAFO, as well as for direct marketing purposes relating to LAFO activities and in accordance with applicable law applicable to the sending of communications for prospective Data Subjects.
LAFO makes sure that only the Personal Data that are necessary to achieve the above-listed purposes are processed.
d. Update of Personal Data.
LAFO will endeavor to keep the Personal Data in our possession or control accurate. Individuals providing Personal Data are therefore responsible for promptly informing LAFO of any change to their Personal Data.
3. Disclosure of Personal Data
Personal Data will not be shared with third parties, except as provided below.
a. Disclosure of Personal Data.
We may disclose Personal Data to the following categories of recipients:
affiliated members of LAFO;
public authorities and administrations;
LAFO may disclose Personal Data in the following circumstances:
on Data Subject’s instruction;
in the event of a legal request and/or investigation when, in our opinion, such disclosure is necessary to prevent crime or fraud, or to comply with any statute, law, rule or regulation of any governmental authority or any order of any court of competent jurisdiction;
if we outsource some or all of the operations of our business to third party, as we may do from time to time;
when we believe release is appropriate or necessary to conduct LAFO’s business, comply with the law, enforce or apply our policies and other agreements, or protect the rights, property or safety of LAFO, our employees if any, or others.
In such circumstances, LAFO ensures that Personal Data is kept secure from unauthorized access and disclosure.
b. Transfer of Personal Data.
Data Subjects are informed that certain data recipients may be located outside the territory of the European Union in countries that do not offer a level of protection equivalent to the one granted in the European Union (“Third Countries”).
Data transfers to third parties located in Third Countries will be, depending on the nature of the transfer:
covered by appropriate safeguards such as standard contractual clauses approved by the European Commission, in which case the Data Subject may obtain a copy of such safeguards by contacting us; or
otherwise authorised under the Data Protection Legislation, as the case may be, as such transfer is consented to by the Data Subject or is necessary for the performance or execution of a contract concluded in the Data Subject’s interest or for the establishment, exercise or defense of legal claims or for the performance of a contract between the Data Subject and us.
4. Data Subjects’ rights in relation to the processing of their Personal Data
a. Rights granted to Data Subjects.
In accordance with applicable law, Data Subjects are granted the following rights with regards to the processing of their Personal Data:
the right to request access to their Personal Data stored by LAFO;
the right to update or correct any of their Personal Data, if the Personal Data is incorrect or incomplete;
the right to oppose to the processing of their Personal Data, on grounds related to their particular situation;
the right to request from LAFO the erasure of their Personal Data, to the extent such Personal Data (i) are no longer necessary in relation to the initial purpose(s) for which they were collected, (ii) consent, where applicable, has been withdrawn and there is no other means of legitimating the processing of Personal Data, (iii) the Data Subject objects to the processing of the Personal Data, (iv) the Personal Data is unlawfully processed;
the right to request the restriction of the processing of Personal Data, if such Personal Data is found to be inaccurate or unlawful, is no longer needed for the purposes of the processing, or should a court decision on a complaint lodged by a Data Subject be pending;
the right to data portability;
in the event of a dispute between the Data Subject and LAFO regarding the processing of Personal Data which failed to be resolved by the parties in an amicable manner, the right to lodge a complaint with the Luxembourg Data Protection Authority (the Commission Nationale pour la Protection des Données - CNPD). Data Subjects not residing in Luxembourg can contact their local Data Protection Authority.
LAFO will respond to individual complaints and questions relating to privacy and will investigate and attempt to resolve all complaints. LAFO will only be able to answer favorably to any of the above requests related to the right to oppose, right of erasure and right of restriction provided that it does not interfere with or contradict a legal obligations of LAFO (e.g a legal obligation to keep the related Personal Data) or due to any other impediment that would justify that LAFO would not be able to grant such requests.
LAFO undertakes to handle each request by a Data Subject free of charge and within a reasonable timeframe.
b. How to exercise such rights.
5. Data retention
LAFO undertakes not to use the Personal Data for purposes other than those for which it has been collected and that such information shall not be stored for a period longer than necessary for the realization of such purposes.
Retention periods shall, in any case, be compliant with any applicable law and proportionate to the purposes of the processing.
6. Technical and Organizational Security Measures
Ensuring that Personal Data is appropriately protected from data breaches is a high priority for LAFO.
LAFO implements adequate Technical and Organizational Security Measures, such as, depending on the equipment, password protection, encryption, physical locks, etc., to ensure a level of security appropriate to the risks represented by the processing and the nature of the Personal Data to be protected.
In such case, notification will be given by email, or any other methods allowed by the Data Protection Legislation.
Luxembourg Association of Family Offices
Attn. Nelly Kasongo
412F, route d’Esch,