Protection of personal data

The identification of positive cases and the tracing of people at high risk of infection is a key activity in the fight against the pandemic. It falls within the remit of the Health Directorate whose mission is to ensure public health protection both in terms of environmental health and monitoring and control of infectious diseases, including taking the necessary emergency measures to protect health.

In parallel, and in order to control the evolution of the pandemic, the Luxembourg Government set up a large scale testing programme from the very beginning of the pandemic. With the arrival of the first COVID-19 vaccines, this programme was complemented by an ambitious vaccination programme. Within the framework of these programmes a certain amount of personal data is collected and processed.

The gathering and processing of personal data are important aspects of the fight against the COVID-19 pandemic and of the vaccination. They serve the general public health interest and enable decision-makers to take informed action. Indeed, effectively tackling the pandemic and providing citizens with the best possible protection against the SARS-CoV-2 virus would not be possible without processing personal data, both in terms of monitoring the spread and evolution of the pandemic and in terms of vaccination of the population. It must be possible to collect these data so that they can be analysed, studied and evaluated in order to protect the population and define the best health policy. 

Large Scale Testing

In order to monitor the evolution of the pandemic, the Luxembourg government has started a new phase of the large-scale screening programme (Large Scale Testing, LST). Testing is the most effective way to help break the chains of infection by identifying positive cases and effectively tracing their contacts. In this context, the personal data of the residents and cross-border workers invited to participate, and of the participants in the testing, are collected and processed by the following four data controllers (i.e. the entities that determine the purposes and means of the processing of personal data):

  • The Luxembourg Health Directorate, as it defines the strategy, coordinates the programme and analyses the personal data of the participants in order to monitor the process and make epidemiological decisions as well as appropriate public health policy decisions
  • The Laboratoires Réunis, which are responsible for organising and taking samples and for carrying out tests, from making appointments to sending results
  • The General Inspectorate of Social Security as it identifies the categories of people to be invited to the testing programme
  • The National Health Laboratory, which will carry out the analyses as part of the serological tests

They process personal data in accordance with Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter the "Regulation"). The personal data processing is carried out in order to (i) be able to invite residents and cross-border workers making up representative samples of the population, (ii) allow participants to carry out the test, (iii) provide participants with the results, and (iv) monitor the evolution of COVID-19 infection in the population in order to control and maintain, through appropriate public health decisions, the infection rate at the lowest possible level.

The categories of personal data processed by the different stakeholders in the LST are as follows; they depend on the participation of individuals:

  • Personal identification data (e.g. name, address, telephone numbers, e-mail address)
  • Personal details (e.g. gender, date of birth)
  • Socio-demographic data to enable sampling (e.g. occupation, household)
  • Identification data issued by public services (e.g. national identification number)
  • Data regarding the organisation of the appointment (e.g. date, time, testing station)
  • Health data (e.g. information obtained during the test, information about COVID-19 infection)

The legal basis for this processing is to be found in:

  • The decision of the Government Council of 8 July 2020
  • The amended law of 17 July 2020 on measures to combat the COVID-19 pandemic
  • The law of 24 July 2020 authorising the State to participate in the financing of the second phase of the LST programme in the context of the COVID-19 pandemic

Personal data may be transferred by the various data controllers involved to the following categories of recipients:

  • The Government IT Centre (CTIE), in charge of sending out invitations and providing the appointment scheduling platform
  • LDL CONNECT SA, in charge of providing a hotline for all questions relating to the Large Scale Testing
  • The General Inspectorate of Social Security, which pseudonymises the data in order to make them available to public research bodies for the purpose of drawing projections to observe the evolution of the pandemic and to produce monitoring charts (for example: monitoring the positivity rate by municipality, by age group, or by professional sector)
  • The eSanté Agency, which is responsible for ensuring the technical transfer of test results to the Health Inspection Division of the Luxembourg Health Directorate
  • The Health Inspection Division of the Luxembourg Health Directorate, which receives test results in order to ensure not only the tracing but also the epidemiological monitoring of the pandemic
  • The National Health Laboratory which, as a reference laboratory, can receive the positive samples in order to do the genetic sequencing of the virus to determine the variant

Personal data will be kept by each stakeholder for a period not exceeding that necessary for the purposes pursued, in accordance with their respective legal obligations. For instance, the Luxembourg Health Directorate retains personal data on the basis of the requirements of the amended law of 17 July 2020 on measures to combat the COVID-19 pandemic.

Each individual whose data is processed has the right to request access to his or her personal data and to obtain a copy of it and, in the event that the personal data is incomplete or erroneous, to have it corrected. They also have the right to limit the processing of their personal data, the right to object to their use and the right to obtain their erasure, under the conditions and within the limits laid down by the General Data Protection Regulation.

It is possible to request to exercise the rights listed above by submitting a written request, signed and with proof of identity:

  • For processing relating to sampling, contact the General Inspectorate of Social Security: igss@igss.etat.lu — 26, rue Zithe, L-2763 Luxembourg
  • For processing relating to invitation management, appointment scheduling and pandemic monitoring, contact the Luxembourg Health Directorate: info_donnees@ms.etat.lu — 13a, rue de Bitbourg, L-1273 Luxembourg
  • For processing relating to PCR screening tests, contact the Laboratoires Réunis: dpo@labo.lu — 38, rue Hiehl, Z.A.C. Laangwiss, L-6131 Junglinster
  • For processing relating to serological tests, contact the Laboratoire national de santé (National Health Laboratory): dpo@lns.etat.lu — 1, rue Louis Rech, L-3555 Dudelange
  • It is also possible to lodge a complaint to the National Commission for Data Protection by post at the following address: 15, boulevard du Jazz, L - 4370 Belvaux or by completing the online form which is available on the CNPD website in the "Individuals" section -> Asserting your rights.

Contact Tracing

The identification of positive cases and the tracing of people (Contact Tracing) at high risk of infection is a key activity in the fight against the COVID-19 crisis. Its objective is to (i) identify positive cases, in order to put them in isolation; as well as (ii) identify their contacts at high risk of being infected, in order to ask them to put themselves in self-quarantine until they can be tested.

The tracing activities carried out by the Health Inspection Department of the Health Directorate involve the collection and processing of personal data, both from persons tested positive for COVID-19 as well as from persons at high risk of infection, in order to identify the contacts of a person tested positive for COVID-19 and to provide them with quarantine documents and a medical prescription to be tested.

The Health Directorate also uses the data collected to generate relevant statistics to assess, monitor and combat the pandemic, particularly by making public health decisions adapted to the spread and evolution of the pandemic.

These activities are governed by the amended law of 17 July 2020 introducing a series of measures to combat the Covid-19 pandemic.

The following personal data concerning you are collected and processed:

  • Personal identification data including contact data (surname, first name, postal address, email address, phone number and reference number)
  • Identification data issued by the public services (CNS social security number)
  • Date of contact with the person tested positive for COVID-19
  • For positive persons only: date of birth, date of first symptoms, date of test, and workplace/employer

Depending on your situation, your personal data may be accessed by the following parties:

  • The General Inspectorate of Social Security, which pseudonymizes the data in order to make them available to public research bodies in view of producing projections to monitor the evolution of the pandemic
  • The Ministry of Education, Children and Youth, which assists the Health Directorate in the tracing activities whenever a school or childcare centre is concerned and acts as a point-of-contact for the institution in order to facilitate the implementation of the Health Directorate's directives

These parties are obliged to comply with the legal obligations regarding data protection, including professional secrecy or applicable confidentiality obligations.

Your personal data is kept by the Health Inspection Department of the Health Directorate according to the retention periods laid down by the amended law of 17 July 2020 introducing a series of measures to combat the COVID-19 pandemic.

Within the limits and under the conditions laid out by the amended law of 17 July 2020 introducing a series of measures to combat the COVID-19 pandemic and by the general regulations on data protection, you have the right to request access to your personal data and to obtain a copy of them and, in the event that these personal data are incomplete or erroneous, to have them rectified. You also have the right to limit the processing of your personal data, the right to object to their use and the right to claim their erasure.

It is possible to request to exercise the rights listed above by submitting a written request, signed and with proof of identity to the Health Directorate (Direction de la santé): info_donnees@ms.etat.lu — 13a, rue de Bitbourg, L-1273 Luxembourg

It is also possible to lodge a complaint to the National Commission for Data Protection by post at the following address: 15, boulevard du Jazz, L - 4370 Belvaux or by completing the online form which is available on the CNPD website in the "Individuals" section -> Asserting your rights.

Vaccination

The vaccination campaign is based on the collection and processing of personal data.

Access to a safe and quality vaccine against COVID-19 is a crucial part of the national response to the pandemic.

Combined with the other elements of the overall policy to fight the virus, namely prevention, diagnosis and screening (testing), isolation of infected persons, tracing and quarantining of contacts, management of COVID-19 patients and awareness raising and information, vaccination will play a crucial role in saving lives, containing the pandemic, protecting the health and care system and contributing to the recovery of our economy.

In this framework, the personal data of the persons invited to be vaccinated and of the vaccinated persons are collected and processed by the following data controllers (i.e. the entities that determine the purposes and means of the processing of personal data):

  • The Health Directorate, as it is responsible for organising and managing the vaccination campaign, but also for monitoring vaccine safety and quality as well as vaccine uptake (proportion of people vaccinated with a certain dose of vaccine during a given period) and vaccination coverage (proportion of the population considered to be protected by vaccination, at the end of a given period) at the national level
  • The General Inspectorate of Social Security because the latter identifies, on the basis of the vaccination strategy, the people who will be invited to be vaccinated

They process personal data in accordance with Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter the "Regulation").

The processing of personal data from the vaccination campaign is carried out in order to (I) be able to invite people to be vaccinated, (II) enable those who wish to be vaccinated to be vaccinated, (III) monitor the safety of the vaccine(s) as well as its/their quality, in particular by monitoring its/their effectiveness, and (IV) monitor the adoption and coverage of the vaccine(s).

The legal basis for this processing is to be found in:

  • Amended law of 17 July 2020 introducing a series of measures to combat the COVID-19 pandemic
  • Law of 24 November 2015 amending the amended law of 21 November 1980 on the organisation of the Health Directorate and the amended law of 16 August 1968 on the creation of a Centre de logopédie et de services audiométrique et orthophonique
  • Law of 4 July 2000 on the responsibility of the State for vaccinations
  • Amended Grand-Ducal regulation of 15 December 1992 on the marketing of medicinal products

The categories of personal data processed by the data controllers involved in the vaccination campaign are as follows; they depend on people's participation in the vaccination campaign:

  • Identification data (surname, first names, date of birth, gender)
  • Contact details (telephone number and e-mail address)
  • National identification number
  • The vaccine allocation criteria as defined by the vaccination strategy
  • Data to determine the possible presence of contraindications, the presence of health problems or other risk factors, and the possible occurrence of adverse effects
  • The administration of the vaccine (decision, date, place of vaccination)
  • The characteristics of the vaccination (injection site, brand of vaccine product, batch number, administration number and expiry date)

Personal data may be transferred by the data controllers to the following recipients:

  • The Government IT Centre (CTIE), in charge of sending invitations, providing the appointment scheduling platform and managing the information system through which personal data related to vaccination are processed
  • The national allergology – immunology service of the CHL for urgent allergological advice after the visit to the vaccination centre of persons presenting a major allergic risk to the vaccine injection
  • When a pharmacovigilance file is opened, to the Centre Régional de Pharmacovigilance de Lorraine. It should be noted that the Centre Régional de Pharmacovigilance de Lorraine will have access by default to the files of pregnant women at the time of the administration of the vaccine in order to be able to follow them until the end of their pregnancy through the sending of two e-mails
  • The General Inspectorate of Social Security, which receives the data in order to make them available, in pseudonymised form, to various public research bodies for scientific research purposes

Personal data will be kept by each stakeholder for a period not exceeding that necessary for the purposes pursued, in accordance with their respective legal obligations. For instance, the Luxembourg Health Directorate retains personal data on the basis of the requirements of the amended law of 17 July 2020 introducing a series of measures to combat the COVID-19 pandemic.

Each individual whose data is processed has the right to request access to his or her personal data and to obtain a copy of it and, in the event that the personal data is incomplete or erroneous, to have it corrected. They also have the right to limit the processing of their personal data, the right to object to their use and the right to obtain their erasure, under the conditions and within the limits laid down by the General Data Protection Regulation.

It is possible to request to exercise the rights listed above by submitting a written request, with proof of identity:

  • For data processing relating to the organisation and management of the vaccination campaign as well as the monitoring of safety, quality and vaccination coverage, contact the Health Directorate: info_donnees@ms.etat.lu — 13a, rue de Bitbourg, L-1273 Luxembourg
  • For processing relating to the management of persons to be invited to be vaccinated, contact the Inspectorate General of Social Security: igss@igss.etat.lu — 26, rue Zithe, L-2763 Luxembourg

It is also possible to lodge a complaint to the National Commission for Data Protection by post at the following address: 15, boulevard du Jazz, L - 4370 Belvaux or by completing the online form which is available on the CNPD website in the "Individuals" section -> Asserting your rights.

FAQ

What are the purposes of the information system in place?

The information system in place has the following purposes:

  1. to detect, evaluate, monitor and combat the COVID-19 pandemic
  2. to acquire fundamental knowledge on the spread and evolution of the pandemic (statistical monitoring, studies, research)
  3. to guarantee citizens access to adequate means of protection and care
  4. to continuously monitor and evaluate the effectiveness and safety of the vaccines and the state of health of the people vaccinated
  5. to monitor and evaluate the large scale testing programme and the vaccination programme

It also intends to meet the communication obligations and requests for information from European or international health authorities to which Luxembourg must respond. 

Who is responsible for the processing of personal data?

Several entities are responsible for the processing of personal data:

1. The Health Directorate, which, as part of its missions, monitors the evolution of the current pandemic and defines the epidemiological strategy while coordinating the measures put in place.

The Health Directorate is also responsible for the organisation and management of the vaccination campaign, as well as its monitoring and evaluation. It is primarily responsible for the safety and quality of the vaccines.

Both programmes require the acquisition and processing of a certain amount of personal data.

2. The General Inspectorate of Social Security, which is also involved in the large scale testing and vaccination programmes, as it is responsible for identifying the categories of persons to be invited to these programmes.

At the level of the implementation of the large scale testing programme, the medical analysis laboratories in charge of the tests within the framework of this programme, as well as the National Health Laboratory are among the entities that are required to process personal data. While the former are responsible for organising samples, taking samples, carrying out the tests and sending the results, the latter carries out the same analyses in the context of serological tests. 

Which personal data is processed?

The data collected from infected persons and persons at high risk of being infected (surnames, first names, date of birth, address, telephone number, social security number, contact details of the treating physician, data which make it possible to determine whether a person is infected, i.e. test results, diagnosis or, for persons at high risk of being infected, the date of last contact, the existence and date of the onset of symptoms).

Data intended to identify categories of people to be invited for the large scale testing programme and the vaccination programme (socio-demographic data, employment data, testing history and, in the context of the vaccination programme, the date of the appointment for vaccination and the administration of the vaccine).

It should be noted that, as far as vulnerable persons are concerned, it is the treating physicians who, at the request of their patient who wishes to be vaccinated, transmit personal data to the Health Directorate. However, sensitive data relating to the pathology of the patient are only processed by the physicians and not transmitted to the Health Directorate, which is only informed that the patient is a vulnerable person because of his or her state of health.

The data collected in the framework of the vaccination programme (standard identification and contact information, but also information concerning the distribution of the vaccine, data to determine the presence of possible contraindications or health problems or other risk factors). Data is also collected on the decision to administer the vaccine, on the characteristics of the vaccination (vaccine product, injection site, batch number, administration number, expiry date) or on the vaccinator. 

How is the collected data stored?

In general, personally identifiable data is pseudonymised before it is anonymised. In some cases, the data collected is immediately anonymised without the need for pseudonymisation. This applies in particular to data collected in connection with the invitation of vulnerable persons to be vaccinated, which is anonymised no later than three weeks after the invitation to be vaccinated has been sent out.

Pseudonymisation is a method of processing personal data which consists of processing said data in such a way that it is not possible to attribute the elements collected to a specific natural person without having recourse to additional information. Unlike anonymisation, this procedure is reversible. It constitutes a security measure for the persons whose data have been collected, providing them with a certain degree of confidentiality while at the same time making it possible to process these data within the framework of a specific health policy. It respects the principle of proportionality which guides the processing of personal data.

In practice, such a process consists of replacing directly identifiable data (surname, first name, etc.) with indirectly identifiable data (classification number, etc.) in order to reduce their sensitivity.

The data is then anonymised. Anonymisation consists of changing the content or structure of personal data in order to make it very difficult or impossible to "re-identify" the persons concerned. As a general rule, the period of time after which the data are anonymised is longer than that for pseudonymisation. 
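The two steps described above, as an added Python sketch that is not code from the Health Directorate or any body named on this page. The field names, the keyed-hash classification number, the ten-year age bands and the reading that the three-year period starts at the six-month pseudonymisation deadline are assumptions; the six-month and three-year figures are those this page gives for pandemic data.

```python
import calendar
import hashlib
import hmac
import secrets
from collections import Counter
from datetime import date

# Fields treated as directly identifying (assumed field names, constructed schema).
DIRECT_IDENTIFIERS = ("surname", "first_name", "national_id", "phone")


class Pseudonymiser:
    """Swaps direct identifiers for a classification number; the key table is
    the 'additional information' needed to reverse the step."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # held apart from the data
        self._key_table = {}                        # number -> identifiers

    def classification_number(self, national_id):
        # Keyed hash: stable per person, not computable without the key.
        mac = hmac.new(self._key, national_id.encode(), hashlib.sha256)
        return "P-" + mac.hexdigest()[:16]

    def pseudonymise(self, record):
        number = self.classification_number(record["national_id"])
        self._key_table[number] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        kept = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        return {"classification_number": number, **kept}

    def reidentify(self, number):
        return self._key_table[number]  # KeyError once the entry is destroyed

    def destroy_link(self, number):
        self._key_table.pop(number, None)


def anonymise(pseudonymised, reference_date):
    """Drop the classification number and coarsen quasi-identifiers."""
    born = pseudonymised["date_of_birth"]
    had_birthday = (reference_date.month, reference_date.day) >= (born.month, born.day)
    age = reference_date.year - born.year - (0 if had_birthday else 1)
    low = age // 10 * 10
    return {
        "age_band": f"{low}-{low + 9}",
        "collected_month": pseudonymised["collected_on"].strftime("%Y-%m"),
        "test_result": pseudonymised["test_result"],
    }


def smallest_group(anonymised_rows):
    """Size of the rarest (age_band, collected_month) combination; a value of 1
    means one row is still unique and generalisation must go further."""
    groups = Counter((r["age_band"], r["collected_month"]) for r in anonymised_rows)
    return min(groups.values())


def add_months(d, months):
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def required_form(collected_on, today):
    """Form the record must be in on `today`. Assumption: the three years run
    from the six-month pseudonymisation deadline."""
    pseudonymise_by = add_months(collected_on, 6)
    anonymise_by = add_months(pseudonymise_by, 36)
    if today >= anonymise_by:
        return "anonymised"
    if today >= pseudonymise_by:
        return "pseudonymised"
    return "identified"


# Constructed sample records (not real people or real identifiers).
SAMPLE = [
    {"surname": "Muster", "first_name": "Anna", "national_id": "0000000000001",
     "phone": "000-0001", "date_of_birth": date(1985, 3, 2),
     "collected_on": date(2021, 1, 15), "test_result": "positive"},
    {"surname": "Muster", "first_name": "Anna", "national_id": "0000000000001",
     "phone": "000-0001", "date_of_birth": date(1985, 3, 2),
     "collected_on": date(2021, 9, 20), "test_result": "positive"},
    {"surname": "Exemple", "first_name": "Jean", "national_id": "0000000000002",
     "phone": "000-0002", "date_of_birth": date(1950, 11, 30),
     "collected_on": date(2021, 1, 18), "test_result": "negative"},
]

if __name__ == "__main__":
    p = Pseudonymiser()
    rows = [p.pseudonymise(r) for r in SAMPLE]
    # Same person, same number: a second positive test stays linkable.
    print(rows[0]["classification_number"] == rows[1]["classification_number"])
    print(p.reidentify(rows[2]["classification_number"])["surname"])
    anon = [anonymise(r, date(2024, 7, 15)) for r in rows]
    print(anon, smallest_group(anon))
    print(required_form(date(2021, 1, 15), date(2021, 8, 1)))
```

In the sample, every generalised row is still the only one in its group, which shows that removing names and the classification number does not by itself make re-identification "very difficult or impossible".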

How long is the retention period?

Several retention periods are foreseen in order to comply with the principle of proportionality and depending on the purpose of the processing operations carried out.

(i) concerning personal data collected and processed for the purpose of fighting the pandemic

These data are pseudonymised no later than six months after collection for a period of three years, after which they are anonymised.

These durations reflect the concern to monitor the impact of the epidemic on the basis of the knowledge recently acquired on the SARS-CoV-2 virus and in particular on the immunity of people who have been infected. Indeed, according to this knowledge, a person who has contracted COVID-19 generally has immunity for an average of six months. Moreover, in the event of reinfection, this usually occurs with seasonal coronaviruses within a relatively short period of time, usually less than 12 months.

From a public health perspective, it is essential to monitor reinfections in order to determine whether or not they are due to the presence of a new, more contagious variant of the virus, and to align health policy accordingly. It is therefore important to keep personal data related to a first infection in order to be able to identify a reinfection. However, the identification of a possible reinfection must take place as soon as possible in order to initiate the necessary steps for the implementation of adequate sanitary measures. It is therefore important to proceed as quickly as possible.

The retention of data in pseudonymised form for a period of three years coincides with the full duration of a pandemic, which often experiences several successive waves. This duration allows a complete follow-up.

(ii) concerning the data collected and processed in the framework of the vaccination programme

Personal data collected

  • of the vaccinator are anonymised no later than two years after collection.
  • of the person to be vaccinated are anonymised no later than 20 years after their collection, with the exception of certain data, i.e. identification data and contact details which are anonymised no later than two years after their collection as they are subject to change, or data which make it possible to determine the presence of possible contraindications, other risk factors which are anonymised after 10 years.
    The 20-year data retention period is justified in the light of pharmacovigilance, which consists of recording and evaluating the side effects or undesirable effects resulting from the administration of medicinal products, in this case vaccines. It is in the patient's interest that records are kept for a long period of time. Practice shows that it is not uncommon for side effects of medicines or vaccines to appear after several years or even after 10 years or more. It is therefore important to be able to link the administration of a specific medicine or vaccine to side effects. A long retention period of certain data allows such links to be made.
  • In the event of refutation of the indication of vaccination by the vaccinator, the personal data, in so far as they have been collected, shall be rendered anonymous at the latest at the end of a period of 2 years after their collection. In the event of withdrawal of the person's agreement to be vaccinated, the data shall be anonymised after 3 months. 

Who has access to the data of those infected or at high risk of infection?

Only physicians and health professionals as well as civil servants or employees appointed by the Minister of Health or any other person, designated by the Director of Health and therefore attached to the national authorities, have access to the data of infected persons or persons at high risk of being infected.

Moreover, these persons may only have access to health-related data to the extent strictly necessary for the performance of the legal or conventional tasks entrusted to them in the context of the fight against the pandemic. These persons are also subject to professional secrecy, and any violation of the latter is punishable under Article 458 of the Criminal Code.

It should be noted, however, that the data may be transferred by the various parties responsible for data processing. Among the recipients to whom data may be transferred are the following:

  • the Government IT Centre (CTIE) as an IT subcontractor of the Health Directorate
  • the eSanté Agency as responsible for the technical transfer of PCR and serological test results to the Health Inspectorate, which is a division of the Health Directorate
  • the General Inspectorate of Social Security, which pseudonymises the personal data collected and processed in the context of the pandemic in order to make them available to public research bodies, in accordance with their missions
  • the service provider in charge of the hotline, who can make testing and vaccination appointments at the request of people who do not have a means of accessing the dedicated online services

Can the data be processed for scientific, historical or statistical research purposes?

Yes, data may be processed for such purposes under the conditions laid down in the European General Data Protection Regulation and the law of 1st August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, subject to being pseudonymised, i.e. processed in such a way that the data cannot be attributed to a given natural person without additional information. 

Is it possible to object to the processing of data?

Infected persons or persons at high risk of being infected cannot oppose the processing of their data in the information system whose main purpose is to fight the pandemic as long as they cannot provide a negative test result. For public health reasons, it is imperative to keep the data of people whose test results clearly show an infection with the SARS-CoV-2 virus. 

What are the data protection rights of natural persons?

Any natural person whose data is processed has the right to request access to his or her personal data and to obtain a copy and, in the event that these personal data are incomplete or erroneous, to have them corrected. They also have the right to limit the processing of their personal data, the right to object to their use and the right to obtain their erasure, under the conditions and limits laid out by the amended law of 17 July 2020 on measures to combat the COVID-19 pandemic and by the European Union's General Data Protection Regulation (2016/679).

It is possible to request to exercise these rights by submitting a written request, with proof of identity:

  • for processing related to the monitoring of the pandemic and the organisation and management of the vaccination, to the Direction de la santé (Health Directorate) - info_donnees@ms.etat.lu - 13a, rue de Bitbourg, L-1273 Luxembourg
  • for processing relating to the identification of categories of persons to be invited to large scale testing and vaccination programmes, to the Inspection générale de la sécurité sociale (General Inspectorate of Social Security) - igss@igss.etat.lu - 26, rue Zithe, L-2763 Luxembourg
  • for processing relating to PCR tests carried out as part of the large scale testing programme, to the Laboratoires Réunis - dpo@labo.lu - 38, rue Hiehl, Z.A.C. Laangwiss, L-6131 Junglinster
  • for processing relating to serological tests, to the Laboratoire national de santé (National Health Laboratory) - dpo@lns.etat.lu - 1, rue Louis Rech, L-3555 Dudelange

It is also possible to lodge a complaint to the National Commission for Data Protection (Commission nationale pour la protection des données - CNPD) by post at the following address: 15, boulevard du Jazz, L - 4370 Belvaux or by completing the online form which is available on the CNPD website in the "Individuals -> Assert your rights" section. 
