Data protection policy

Introduction

The Caisse nationale de santé (CNS) places its insured persons at the heart of its concerns. Naturally, protecting your personal data is a priority for the CNS.

This notice provides you with the necessary information and explains how the CNS collects, uses, shares, stores and protects your personal data.
It also informs you of your rights and how to exercise them.

Who is responsible for the processing of the data?

The CNS, a public institution established and having its registered office at L-2144 Luxembourg, 4 rue Mercier, is responsible for the processing of your data.

As such, the CNS is responsible for the way in which it collects, uses, shares, stores and protects your personal data.

What categories of personal data are processed and for what purposes?

Depending on the type of purpose, the following personal data are collected and processed as part of our activities:

  • data relating to your civil status and identity, such as surname, first name, date of birth, gender, nationality, social security number, postal address, e-mail address, telephone number, identity document and/or other administrative identification documents;
  • electronic identification data in the event of access to a CNS application, for example: IP address, cookies and e-mail address;
    financial data, for example: RIB, IBAN, amounts relating to healthcare costs, fees received;
  • medical data, e.g. diagnosis codes, data relating to accidents at work or occupational illnesses;
  • data relating to the composition of your household, such as marriage or form of cohabitation, marital history, family members, etc;
    data relating to your affiliation, e.g. insurance career;
  • data relating to your occupation, such as occupation, place of work, employer, salary, history and incapacity for work (including certificates);
    judicial data such as guardianship and provisional administration;
  • images, photos and sounds, e.g. photos for prosthetic or dental quotes, images for infrastructure safety treatments;
    data relating to complaints; and any other personal data that you decide to communicate to CNS staff.

The aims are as follows:

  • management of services provided by the CNS (e.g. making appointments for interviews in CNS branches)
  • Health care and maternity insurance
    • issuing health insurance cards, health details and other forms and certificates ;
    • cover health care and preventive medicine;
    • payment of cash sickness and maternity benefits;
    • payment of funeral benefits;
    • drawing up the CNS's articles of association;
    • establishment of the overall budget for sickness and maternity insurance;
    • re-setting contribution rates, if necessary ;
    • negotiating agreements with professional associations of care providers and hospitals; and
      drawing up a budget for each hospital every 2 years.
  • Long-term care insurance
    • covering assistance and care required by the dependent person at home or in an inpatient facility;
    • payment of a cash benefit to replace benefits in kind for the dependent person at home;
    • payment of technical aids and home adaptations;
    • negotiating with professional associations of service providers working in the field of long-term care insurance; and
      drawing up the long-term care insurance budget and the annual statement of income and expenditure.
  • Accident insurance assocition          
    • payment of benefits in the event of an accident at work or occupational illness, on behalf of the accident insurance scheme.
    • management of CNS contractual relations;
    • management of claims and incidents;
    • preventing and dealing with offences and fraud
    • management of pre-litigation or litigation disputes;
    • compiling statistics to monitor and steer actions, implement health policies and carry out evaluations; contributing to research;
    • managing newsletters; and
    • managing relations with healthcare professionals (e.g. allocation of service provider codes, transfers abroad).

How do we collect, process and use your personal data?

In addition to the personal data that the CNS collects directly from you, the CNS may also collect personal data from other sources, including hospitals, pharmacies, medical analysis and clinical biology laboratories and certain healthcare professionals.

For each purpose described above, the collection and processing of your data is carried out in compliance with the applicable regulations relating to the protection of personal data including the GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR) and national laws implementing the GDPR where applicable.

In general, data is processed by the CNS for the implementation of its public interest mission or on the basis of a legal obligation to which the CNS is subject. In particular cases, data may also be collected for other purposes: the performance of a contract to which you are a party or the performance of pre-contractual measures taken at your request or with your consent.

Who has access to your personal data? Where is your data processed? Is your data transferred?

Personal data processed by the CNS is only accessible to its employees who need to know this information as part of their duties. In certain limited and detailed cases, it may be accessible to the CNS's authorised service providers and to authorities legally entitled to have such data communicated to them (for example, police or judicial authorities and other social security institutions). All such recipients are required to comply with the data protection legislation specifically applicable to them.

CNS will take all appropriate technical and organisational measures to protect the security of your personal data and, in particular, its confidentiality, integrity and availability. You should be aware that the CNS's Data Protection Officer deals with the protection of personal data on a full-time basis.

Unless there are duly justified exceptions, your data is processed within the European Union and is not transferred to third countries.

How long is your personal data kept?

CNS undertakes to keep the data collected for no longer than is necessary for the purposes for which the data is collected and processed. Such data may also be kept for the purpose of complying with limitation periods and/or any other legal provisions.

What are your rights?

Subject to certain formalities and conditions, you may exercise the following rights:

  • right of access: you have the right to ask us for information about the data processed by CNS and to obtain a copy.
  • right to rectification: you may request that data concerning you be amended or supplemented if it is inaccurate.
  • right to erasure: you have the right to request the erasure of your personal data.
  • right to object: you may object to the processing of your personal data for reasons relating to a specific situation.
  • right to portability: you may recover the data you have provided to CNS in a structured, commonly used and machine-readable format.
  • right to withdraw consent: where we use your personal data on the basis of your consent, you have the right to withdraw that consent at any time. Such withdrawal does not affect the lawfulness of the processing based on consent carried out prior to the withdrawal.

Please note that if you object to certain processing of your data or request that information about you be destroyed, the CNS may nevertheless retain and use your personal data to the extent necessary to comply with, for example, legal obligations or the defence of claims.

You also have the right to lodge a complaint with the Commission Nationale pour la Protection des Données - CNPD, located at 15, Boulevard du Jazz, L-4370 Belvaux - www.cnpd.public.lu.

How can you contact us?

To exercise your rights as described above and/or if you have any questions regarding the processing of your personal data, please contact our Data Protection Officer by writing to dataprotection.cns@secu.lu or to the following postal address


Caisse nationale de santé

Data Protection Officer
4, Rue Mercier
L-2144 Luxembourg

 

How do we update this information notice?

CNS may amend this information notice at any time, and we advise you to consult our site periodically to review the most recent applicable version.

Last update