Privacy Policy

Privacy Notice

Last updated: 15 April 2025

In order to carry out its activities effectively, the Luxembourg Capital Markets Association (LuxCMA), a non-profit association (association sans but lucratif) governed by the Luxembourg law of 7 August 2023, collects, uses and processes personal data in compliance with applicable data protection legislation, including the General Data Protection Regulation EU 2016/679 (“GDPR”) and the Luxembourg law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of the GDPR.

In this context, LuxCMA is committed to ensuring transparency and upholding the highest standards of data protection for its members, partners, and visitors to our platforms.

This Privacy Notice applies to the data we collect, store, and process in connection with our website, communications, events, and association-related activities.

Luxembourg Capital Markets Association (LuxCMA)

6, rue Jean Monnet

L-2180 Luxembourg

📞 +352 26 68 30 04

📧 info@luxcma.lu

🌐 www.luxcma.com


LuxCMA acts as the controller of personal data collected via its website, events, newsletters, and other communication channels.

LuxCMA collects and processes personal data obtained directly from individuals - such as members, event participants, business partners, or employees - through interactions like event registration, email communication, and networking (e.g., business cards), as well as via publicly available sources, including websites, business registers, and professional networks like LinkedIn.

We may collect and currently process the following categories of personal data:

  • Identification and Contact Information: name, title, organisation, role, email, phone, postal address
  • Professional data: employer, function, areas of expertise
  • Website usage data: IP address, browser, device, cookies, pages visited
  • Media content: photos, audio, or video recordings from events or initiatives (e.g., podcasts)
  • Consent data: newsletter or cookie preferences
  • Activity-based data: participation in events, working groups, surveys

While the public areas of LuxCMA’s website can be accessed anonymously and no personal data is collected from casual visitors, aggregated metrics - like page visits - may be used internally for statistical purposes without allowing personal identification. Data may be collected via forms, newsletter subscriptions, event participation, surveys, working group engagement, direct email, or interactions via social media platforms such as LinkedIn, YouTube, and Spotify. Provision of certain data, particularly identification and contact details, may be required to establish or maintain a business relationship with LuxCMA. Although the submission of data is voluntary, withholding information may limit the association’s ability to deliver its services or grant event access. The data is used primarily to manage memberships and related services, convene members to meetings, support engagement in working groups and events, share updates and newsletters, provide access to digital platforms, ensure site functionality and security, and comply with legal or regulatory obligations - all in line with our contractual commitments and legitimate interests.

We collect and process personal data for the following purposes:

| Purpose | Legal basis |
|---|---|
| Membership administration and communications | Contractual necessity (Art. 6(1)(b) GDPR) |
| Participation in events and working groups | Legitimate interest (Art. 6(1)(f) GDPR) |
| Newsletter distribution and promotional content | Consent (Art. 6(1)(a) GDPR) |
| Website functionality and analytics | Consent (Art. 6(1)(a) GDPR) / Legitimate interest (Art. 6(1)(f) GDPR) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |

LuxCMA is committed to ensuring the security and confidentiality of your personal data. We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, or alteration. This includes the use of SSL encryption on our website, as well as the implementation of data processing agreements with trusted service providers to ensure compliance with applicable data protection standards.

Personal data is stored securely and retained only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable legal or regulatory obligations. In particular, data processed in the context of legal obligations will be retained in accordance with statutory limitation periods under Luxembourg law, including those set out in the Code civil and Code de commerce, which range from three to thirty years.

In cases where LuxCMA processes data based on its legitimate interests - such as maintaining a central contact database - data subjects retain the right to object to such processing at any time (see section Your rights as a data subject below).

Once data is no longer necessary and no longer subject to legal retention requirements, it will be securely deleted or destroyed.

To support its operations and ensure the effective delivery of its services, LuxCMA uses a number of third-party tools and platforms, including LinkedIn (for social media outreach), YouTube and Spotify (for hosting videos and podcasts), Odoo (for website hosting, newsletter management, and security), Deepgrey (for web domains and email hosting), and Google Analytics and Tag Manager (for website analytics). Personal data may be shared with or accessed by these service providers, but only to the extent necessary for them to perform specific tasks on behalf of LuxCMA. Such third parties act as data processors and are selected following appropriate due diligence to ensure their compliance with applicable data protection regulations, including the GDPR.

LuxCMA may also engage other service providers, such as IT and HR companies, to perform operational tasks. In the context of events, basic participant details - such as name and organisation - may be shared with event sponsors or speakers for logistical and engagement purposes. In some instances, data may also be disclosed to public authorities in response to legal obligations or regulatory requests.

Within the Association, personal data may be accessed by LuxCMA staff members, Board and Executive Board members, chairpersons of working groups, as well as, from time to time, event organisers, hosts and caterers involved in LuxCMA activities.

While LuxCMA endeavours to keep all data processing within the European Union, certain situations - such as cooperation with external service providers or international events - may require the transfer of data to third countries. In such cases, LuxCMA ensures appropriate safeguards are in place, including reliance on the European Commission’s Standard Contractual Clauses (SCCs), to maintain the protection of personal data during international transfers.

In accordance with the GDPR, you have a number of rights regarding the processing of your personal data. You may exercise these rights at any time by contacting LuxCMA using the contact details provided at the beginning of this policy.

You have the right to request access to your personal data, including information about its origin, the recipients of the data, and the purposes for which it is being processed. You also have the right to request the rectification or deletion of your data, as well as to restrict its processing under certain conditions. If you have previously consented to the processing of your personal data, you may withdraw your consent at any time. This withdrawal will apply to future processing and will not affect the lawfulness of any processing conducted prior to the withdrawal.

Additionally, you may object to the processing of your data in specific circumstances, particularly with regard to direct marketing. You also have the right to receive your data in a structured, commonly used and machine-readable format (data portability), and to lodge a complaint with a supervisory authority - such as the Commission Nationale pour la Protection des Données (CNPD) in Luxembourg (www.cnpd.lu) - if you believe your rights have been infringed.

Your key rights under the GDPR include:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure or ‘right to be forgotten’ (Articles 17 and 19)
  • Right to restriction of processing (Articles 18 and 19)
  • Right to data portability (Article 20)
  • Right to object, including to processing for direct marketing purposes (Articles 21 and 22)
  • Right to withdraw consent (Article 7(3))
  • Right to lodge a complaint with a supervisory authority (Article 77)

Please note that LuxCMA will review and respond to such requests within the scope of its technical and organisational capabilities and in compliance with applicable legal obligations. Requests may be declined where they would conflict with legal requirements or compromise legitimate interests of the Association.

To enhance your browsing experience and evaluate engagement with our online content, LuxCMA uses cookies and third-party analytics tools, including Google Analytics and embedded content such as YouTube videos. These technologies help us understand how visitors interact with our website, optimise its performance, and ensure secure and user-friendly navigation.

You may manage your cookie preferences at any time through your browser settings or by using the cookie consent banner available on our website. Please note that disabling cookies may limit certain functionalities of the site.

Website hosting

The content of our website is hosted by Odoo SA, located at 5 rue du Laid Burniat, 1348 Louvain-la-Neuve, Belgium. Odoo is a suite of open-source business applications that includes tools for CRM, eCommerce, accounting, inventory, project management, and more.

For more details on how Odoo handles data, please consult their Privacy Policy.

The use of Odoo services is based on Article 6(1)(f) GDPR – LuxCMA has a legitimate interest in ensuring the reliable, secure, and optimised delivery of its website. Where required by law, processing may also be based on Article 6(1)(a) GDPR and §25(1) TTDSG (concerning user consent for cookie storage and access to device information). Consent may be revoked at any time.

Use of cookies

Our website uses what are commonly known as "cookies" – small data files stored on your device that help ensure the website operates effectively and efficiently. Cookies may be:

  • Session cookies, which are temporary and deleted once you close your browser, or
  • Persistent cookies, which remain stored on your device until manually removed or automatically deleted by your browser.

Cookies may be issued by LuxCMA directly (first-party cookies) or by external service providers (third-party cookies) to enable features such as video display or analytics. These cookies serve different purposes, including:

  • Ensuring essential website functionality (e.g. navigation, login)
  • Improving user experience and interface performance
  • Analysing site traffic and user interactions
  • Supporting our outreach and event registration processes

Cookies that are strictly necessary for website operation are processed on the basis of Article 6(1)(f) GDPR. Where required, cookies are subject to user consent under Article 6(1)(a) GDPR.

You have the ability to control and customise your cookie settings directly via your browser, allowing you to:

  • Accept or reject cookies altogether
  • Receive notifications when cookies are being placed
  • Automatically delete cookies when your browser closes

If you choose to disable cookies, please be aware that certain functionalities of the website may be affected.

For a full overview of the specific cookies and tools used on this website, please refer to the relevant section within this Privacy Policy.

Consent Management with Odoo

This website utilises Odoo’s Consent Management system to collect and store user preferences related to cookies and similar technologies, in compliance with applicable data protection regulations.

Each time you visit our website, Odoo may collect the following data for consent-tracking purposes:

  • Your consent status and any updates or revocations
  • Your IP address
  • Information about your browser and device
  • The date and time of your visit

To associate this information with your preferences, Odoo stores a consent cookie in your browser. This information is retained until you request its deletion, remove the cookie manually, or the purpose for data retention is no longer applicable, subject to any legal retention obligations.

The use of Odoo's consent tool is based on Article 6(1)(c) GDPR, as required by law to manage user consent in a compliant manner.

When you subscribe to our newsletter, we collect and securely store your email address and relevant preferences. This information is used solely for the purpose of delivering regular updates on LuxCMA activities, events, publications, and other relevant news.

To manage and distribute our newsletters, we use the Odoo platform, a suite of open-source business applications provided by Odoo S.A., located at 5 rue du Laid Burniat, 1348 Louvain-la-Neuve, Belgium. Your subscription data (e.g., email address) is stored on Odoo’s servers located within the European Union (France or Belgium).

Verification and Consent

To ensure your consent and avoid misuse, you must confirm that you are the rightful owner of the email address provided and agree to receive our communications. No additional data is collected unless provided voluntarily.

The processing of your data is based on your explicit consent in accordance with Art. 6(1)(a) GDPR. You may withdraw your consent at any time by using the unsubscribe link included in every newsletter. This does not affect the lawfulness of any processing carried out prior to withdrawal.

Performance Tracking and Analytics

Newsletters sent through Odoo include tracking features that allow us to analyse subscriber behaviour. This includes metrics such as open rates, click-throughs, and interaction with links within the email. These insights help us improve the relevance and performance of our communications.

If you do not wish to be subject to this tracking, we recommend unsubscribing from the newsletter.

Data Retention and Blacklisting

Your data will be retained for as long as your subscription is active. Once you unsubscribe, your data will be removed from our active mailing list. In certain cases, your email address may be added to a suppression or "blacklist" to prevent accidental re-subscription or further contact. This blacklist is not used for any purpose other than preventing unwanted emails and is based on our legitimate interest (Art. 6(1)(f) GDPR) in complying with email communication regulations. You may object to this storage if your rights and interests override our legitimate interest.

For further information, please refer to the Odoo Privacy Policy.

Our website integrates a range of third-party tools and platforms to enhance functionality, support our communication strategy, and improve user experience. These services may process data outside the European Union. We recommend reviewing the individual privacy policies of these providers for more information on how your data is handled.

Tools and Services Used

  • LinkedIn – for social sharing and outreach
  • YouTube and Spotify – for embedding videos and hosting podcasts
  • Google Analytics and Google Tag Manager – for web traffic and user behaviour analysis
  • Google Fonts and Google Maps – for consistent visual presentation and geolocation services

Below, we provide more detailed information on the usage and legal basis for each tool:

YouTube (Enhanced Privacy Mode)

We embed YouTube videos on our website using YouTube’s privacy-enhanced mode. This feature ensures that YouTube does not store personal information about users unless a video is played. Nevertheless, data may still be shared with YouTube’s partners regardless of user interaction.

Once a video is played, YouTube may collect data such as IP addresses and website usage and associate it with your YouTube account if logged in. YouTube may also place cookies or use similar recognition technologies to gather further information.

Legal basis: Art. 6(1)(f) GDPR – legitimate interest in presenting multimedia content attractively. If consent is required, processing will be based on Art. 6(1)(a) GDPR.

For further details, refer to YouTube’s Privacy Policy.

Spotify

We embed Spotify audio content on our website to enhance your experience with our podcast series and audio features. Please note that by interacting with these embedded players, data may be shared with Spotify, even if you are not logged in.

Once playback begins, Spotify may collect personal data such as IP addresses, device information, and usage behaviour. If you are logged into a Spotify account, this data may be linked to your user profile. Spotify may also use cookies or similar technologies for analytics and personalization.

Legal basis: Art. 6(1)(f) GDPR – legitimate interest in presenting multimedia content in an engaging way. Where necessary, processing will be based on Art. 6(1)(a) GDPR (user consent).

For more information, please consult Spotify’s Privacy Policy.

Google Fonts

Google Fonts are used to ensure uniform and visually consistent presentation of text on our site. When accessing our pages, your browser may load fonts directly from Google servers, which may record your IP address.

Legal basis: Art. 6(1)(f) GDPR – legitimate interest in a standardised web display. Consent-based processing (Art. 6(1)(a) GDPR) may apply if tracking or storage technologies are involved.

Further information is available at the Google Fonts FAQ and Google Privacy Policy.

Google Maps

We use Google Maps to display interactive maps and assist users in locating our offices or event venues. This service may collect IP addresses and location-related data and may also load Google Fonts for proper display.

Legal basis: Art. 6(1)(f) GDPR – legitimate interest in providing location information. Consent-based processing applies where cookies or device recognition is involved.

Data transfers to the U.S. are based on the European Commission’s Standard Contractual Clauses (SCC).

More details can be found in Google’s Privacy Policy.

LinkedIn

Our website may include LinkedIn plug-ins or links. When you visit a page containing such elements, your browser connects to LinkedIn servers, and data including your IP address may be transferred. If you interact with the plugin while logged into your LinkedIn account, your activity may be linked to your user profile.

Legal basis: Use is based on your consent (Art. 6(1)(a) GDPR), which can be withdrawn at any time. In the absence of consent, processing is based on our legitimate interest in promoting visibility.

Data transfers outside the EU are covered by LinkedIn’s SCCs.

See also LinkedIn’s Privacy Policy.

Google Tag Manager

Google Tag Manager is used to manage scripts and tracking tags on our website. While the tool itself does not process personal data or use cookies, it may trigger scripts that do.

Legal basis: Art. 6(1)(f) GDPR – legitimate interest in streamlining tag management. Where applicable, consent under Art. 6(1)(a) GDPR may apply.

Google Analytics

We use Google Analytics to gain insights into user interactions, page performance, and behaviour on our website. Data collected includes visited pages, session duration, browser type, device data, and general location.

Google may use cookies or device fingerprinting for analytics purposes. Data is generally transferred to and stored on servers in the United States.

Legal basis: Art. 6(1)(a) GDPR – based on user consent, which can be withdrawn at any time.

Google Analytics data transfers are secured by Standard Contractual Clauses (SCC).

You can prevent data collection by installing the Google Opt-Out Browser Add-on.

Further information can be found in Google’s Privacy Policy.

This Privacy Notice is an internal document of LuxCMA and may be updated from time to time at the discretion of the Association. The most current version is always available on the LuxCMA website at www.luxcma.com.

For any questions or further information regarding this Privacy Notice, please contact us at info@luxcma.lu.