Protection of personal data


The National Health Fund (CNS) places its insured persons at the heart of its concerns. Therefore, the protection of your personal data is a priority for the CNS.

This notice provides you with the necessary information and explains how the CNS collects, uses, shares, stores and protects your personal data.

It also tells you about your rights and how to exercise them.

Who is responsible for the processing?

The CNS, a public institution established and having its registered office at L-2144 Luxembourg, 4 rue Mercier, is the data controller.

As such, the CNS is responsible for the way it collects, uses, shares, stores and protects your personal data.

What categories of personal data are processed and for what purposes?

Depending on the type of purpose pursued, the following personal data are collected and processed in the context of our activities:

  • data relating to your marital status and your identity, such as surname, first name, date of birth, gender, nationality, social security number, postal address, email address, telephone number, identity document and/or other identifying administrative documents;
  • electronic identification data in case of access to a CNS application, for example: IP address, cookies and email address;
  • financial data, for example: RIB, IBAN, amounts relating to health costs, fees received;
  • medical data, for example: diagnosis codes, data concerning accidents at work or occupational diseases;
  • data relating to the composition of your household, such as marriage or form of cohabitation, marital history, family members;
  • data relating to your membership, for example, insurance career;
  • data relating to your profession, e.g. profession, place of work, employer, salary, history and incapacity for work (including certificates);
  • judicial data such as guardianship and provisional administration;
  • images, photos and sounds, for example: photo of prosthesis or dental quote, images for processing relating to the safety of infrastructures;
  • data relating to claims and complaints; and
  • any other personal data that you decide to communicate to CNS staff.

The following purposes are pursued:

  • handling of services provided by the CNS (e.g. making appointments for meetings at CNS agencies)
  • Health-maternity insurance
    • issuance of health insurance cards, health details and other forms and certificates;
    • coverage of health care and preventive medicine measures;
    • payment of cash benefits for sickness and maternity;
    • payment of funeral allowances;
    • establishment of the statutes of the CNS;
    • establishment of the overall health and maternity insurance budget;
    • resetting of the contribution rate, if necessary;
    • contractual negotiations with professional groups of healthcare providers and hospitals;
    • and establishment, every 2 years, of the budget for each hospital establishment.
  • Long-term care insurance
    • support for the aid and care required by the dependent person at home or in a stationary establishment;
    • payment of a cash benefit to replace benefits in kind for the dependent person at home;
    • support for technical aids and accommodation adaptations;
    • negotiation with professional associations of service providers working within the framework of long-term care insurance;
    • and preparation of the long-term care insurance budget and the annual statement of income and expenditure.
  • Accident insurance
    • payment of benefits in the event of an accident at work or occupational disease, on behalf of the accident insurance.
  • management of CNS contractual relations;
  • complaint and incident management;
  • prevention and treatment of offenses and fraud;
  • management of pre-litigation or litigation disputes;
  • production of statistics to monitor and steer actions, implement health policies and carry out evaluations;
  • contribution to research;
  • newsletter management;
  • and management of the relationship with healthcare professionals (e.g. allocation of the service provider code, transfer abroad)

How do we collect, process and use your personal data?

In addition to the personal data that the CNS collects directly from you, the CNS may also collect personal data from other sources, including: hospitals, pharmacies, medical analysis and clinical biology laboratories and certain health professionals.

For each purpose described above, the collection and processing of your data is carried out in accordance with the applicable regulations relating to the protection of personal data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR) and national laws implementing the GDPR where applicable.

In general, the data is processed by the CNS for the implementation of its public interest mission or on the basis of a legal obligation to which the CNS is subject. In specific cases, other bases apply to the collection of data: the execution of a contract to which you are a party, the execution of pre-contractual measures taken at your request, or your consent.

Who has access to your personal data? Where is your data processed? Is your data transferred?

The personal data processed by the CNS is only accessible to its agents who need to know this information as part of their duties. In certain limited and detailed cases, they may be accessible to authorized service providers of the CNS and to the authorities legally entitled to have such data communicated to them (for example, police or judicial authorities and other social security institutions). All such recipients are required to comply with the data protection legislation specifically applicable to them.

The CNS ensures that it takes all the appropriate technical and organizational measures to protect the security of your personal data, in particular its confidentiality, integrity and availability. Please note that the CNS data protection officer is responsible full-time for the protection of personal data.

Except in duly justified exceptions, your data is processed within the European Union and is not transferred to third countries.

How long will your personal data be kept?

The CNS undertakes that the data collected will be kept for a period that does not exceed the period necessary for the purposes for which this data is collected and processed. This data may also be kept for the purpose of complying with limitation periods and/or any other legal provisions.

What are your rights?

Subject to certain formalities and conditions, you have the possibility to exercise the following rights:

  • right of access: you have the right to ask us for information concerning the data processed by the CNS and to obtain a copy.
  • right to rectification: you can request that the data concerning you be modified or completed if they are inaccurate.
  • right to erasure: you have the right to request the erasure of your personal data.
  • right of opposition: you can oppose, for reasons relating to a particular situation, the processing of your personal data.
  • right to portability: you can retrieve the data you have provided to the CNS, in a structured, commonly used and machine-readable format.
  • right to withdraw consent: where we use your personal data on the basis of your consent, you have the right to withdraw that consent at any time. This withdrawal does not affect the lawfulness of the processing based on the consent given before the withdrawal.

Please note that if you object to certain processing of your data or request that the information concerning you be destroyed, the CNS may nevertheless retain and use your personal data insofar as this is necessary, for example, in order to comply with legal obligations or for the defense of claims.

You also have the right to file a complaint with the National Commission for Data Protection – CNPD, located at 15, Boulevard du Jazz, L-4370 Belvaux –

How to contact us?

To exercise your rights as described above and/or to ask questions about the processing of your personal data, please contact our Data Protection Officer by writing to or to the following postal address

National Health Fund
Data Protection Officer
4, Rue Mercier
L-2144 Luxembourg

How do we update this information notice?

The CNS may modify this information notice at any time, and we advise you to consult our site periodically to review the most recent applicable version.

Last update