Privacy policy

This Privacy Policy is addressed to:

  • our prospective, current and former members of personnel (including trainees and temporary workers);
  • our shareholders who are natural persons and representatives of our shareholders which are legal entities;
  • our business contacts who are natural persons and representatives of our portfolio entities and target companies;
  • products or service suppliers and consultants who are natural persons (such as self-employed persons) and the representatives or contact persons of our suppliers or consultants who are legal entities;
  • our board members and any permanent representatives of board members which are legal entities;
  • the visitors of our premises; and
  • our website’s visitors and any third parties entering in contact with our company, such as journalists/analysts and individuals having signed up for our news alerts and/or our newsletter.

The policy does not apply to any information processed about legal entities.

You are receiving this Privacy Policy or you may have been directed to this Privacy Policy because LUXEMPART S.A. or another entity of the Luxempart group is “processing” information about you which constitutes “personal data”.

In this Privacy Policy:

personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; and

processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (“process” or “processed” are deriving from that definition).

Luxempart or another entity of the Luxempart group is responsible for the processing of your personal data as it decides why and how it is processed, thereby acting as the “controller”. In this Privacy Policy, “Luxempart”, “we” or “us” refers to LUXEMPART S.A. or the relevant entity of the Luxempart group.

Since 25 May 2018, Luxempart is subject to and complies with the revised data protection rules applicable in the European Union under the General Data Protection Regulation (the “GDPR”)[1].

In line with our commitment to protect your personal data, we want to inform you and explain in all transparency:

  • why and how Luxempart collects, uses and stores your personal data; and
  • what your rights and our obligations are in relation to such processing.

1. Who is responsible for the processing of your personal data?

Unless otherwise specified in this section, we are responsible, as controller, for the processing of your personal data.

For prospective, current and former members of personnel, the controller in relation to your personal data will be your potential, current or former employer (which may be another entity of the Luxempart group).

2. What type of personal data do we collect?

We collect or become aware of basic identification information about individuals with whom we interact, such as, for instance your name, title, position, company name, email and/or postal address and landline and/or mobile phone number.

This information may either be directly provided by you, communicated to us by the legal entity for which you work (e.g. if you are the contact person designated by your employer to manage the relationship with Luxempart), supplied to us by one of our service providers (e.g. financial institutions or recruiters) or obtained from publicly available sources (e.g. social media profiles).

2.1. Prospective, current and former members of personnel (including trainees and temporary workers)

For our prospective current and former members of personnel (including trainees and temporary workers), we may in addition also collect or become aware of the following information:

  • additional identification information (e.g. date and place of birth, nationality, ID card or passport numbers and copy of ID card/passport, travel cards, residence and work permits, personal address, contact person in case of emergency);
  • your family information (e.g. marital status, number of children, date of birth and household composition, as well as working status of the spouse);
  • your education and experience (e.g. employment and education history, other details included in the CVs (such as hobbies or other activities), professional qualifications, board membership and experience);
  • other information relating to your recruitment (e.g. information you provided during your interview, notes and comments regarding candidates made during the recruitment process, result of personality and competency assessment based on test, reports from headhunters or recruitment agencies, result of public search, personality tests);
  • your function (e.g. position information such as position title, role and responsibility in the position, reference number, supervisor and subordinates, employment dates such as dates of hiring/promotion/position change, work schedule, performance evaluations, language skills, periodic evaluation assessments, additional professional education and certification, results of surveys on wellbeing and resilience at work);
  • your remuneration data (such as salary level and amount, years of experience, bonus, stock options and performance units, loans, expenses information, insurance and other perks and benefits, pension entitlements, bank account details and seizure on wages);
  • your social security information (such as tax/social security status, insurance details, disabilities, attendance information including illness or leaves of absence);
  • your electronic identification data (e.g. login, passwords, IP address, badge number, logs relating to the usage of IT tools, online identifiers/cookies, Luxempart professional email address and unique code identifying each member of personnel’s account for expenses, sound and/or image recording such as CCTV or voice recordings, websites data with which the member of personnel registered using his/her professional email address);
  • information required to set up and maintain insider lists for Luxempart in accordance with the Market Abuse Regulation[2] and the Luxempart Dealing Code;
  • geolocation data (from corporate information and communication technology, including mobile phones, laptops and tablets in case of loss or theft);
  • your picture; and
  • more generally, information about the activities you are carrying out in your professional capacity at Luxempart, including professional communication data.

2.2. (Representatives of) shareholders

For our shareholders who are natural persons or representatives of  shareholders which are legal entities, we may in addition also collect or become aware of the following information:

  • additional identification information (e.g. place and date of birth, nationality, personal address, copy of ID card/passport);
  • information relating to your or your company’s shares (e.g. number, split of ownership (bear owner/usufruct), pledge on shares and type of rights);
  • your or your company’s financial information (bank account number for payment of dividends);
  • your family information (parents, spouse, children, brothers/sisters or other heirs, your act of donation) (for shareholders who are natural persons);
  • in the case of a legal entity, identification information regarding all of the representatives and beneficial owners of the legal entity;
  • information required to set up and maintain insider lists for Luxempart in accordance with the Market Abuse Regulation[3] and the Luxempart Dealing Code; and
  • contents of communications (if any).

2.3. (Representatives of) business contacts, portfolio entities and target companies

For our business contacts who are natural persons or representatives of portfolio entities and target companies, we may in addition also collect or become aware of the following information:

  • additional identification information (e.g. date and place of birth, nationality, personal address, copy of ID card/passport/utility bills);
  • in the case of a legal entity, identification information regarding all of the representatives and beneficial owners of the legal entity;
  • information required to set up and maintain insider lists for Luxempart in accordance with the Market Abuse Regulation[4] and the Luxempart Dealing Code; and
  • contents of communications (if any).

2.4. (Representatives of) services providers

For our products or service providers who are natural persons (such as self-employed persons) or the representatives or contact persons of our providers which are legal entities, we may in addition also collect the following information:

  • your electronic identification data where required for the purpose of the delivery of products or services to our company or of visits to our premises (e.g. login, access right, passwords, badge number, IP address, online identifiers/cookies, logs, access and connexion times, image recording or sound such as badge pictures, CCTV or voice recordings, information contained in the reports from the guards (after hours));
  • in the case of a legal entity, identification information regarding all of the representatives and beneficial owners of the legal entity;
  • for natural persons acting as suppliers or service providers, financial information (e.g. bank account details, credit card number, bills and invoices) and information relating to the contract (e.g. type of agreement, parties and duration); and
  • information required to set up and maintain insider lists for Luxempart in accordance with the Market Abuse Regulation and the Luxempart Dealing Code.

2.5. Board members

For board members who are individual persons and permanent representatives of board members which are legal entities, we may in addition also collect or become aware of the following information:

  • additional identification information (e.g. date and place of birth, nationality, personal address, copy of ID card/passport, utility bills and travel cards);
  • your family information (e.g. marital status, number of children, date of birth and household composition);
  • your education and experience (e.g. employment and education history, professional qualifications and experience);
  • your function (e.g. dates and duration of the mandate, presence/absence);
  • your remuneration data (such as the amount, expense claim information, insurance and bank account details);
  • your electronic identification data (e.g. login, passwords, sound and/or image recording such as CCTV or voice recordings);
  • information required to set up and maintain insider lists for Luxempart accordance with the Market Abuse Regulation and the Luxempart Dealing Code;
  • your picture; and
  • more generally, information about the activities you are carrying out in your professional capacity at Luxempart.

2.6. Visitors of our premises

For the visitors of our premises, we may in addition also collect or become aware of your electronic identification data where required for the purpose of managing the visits to our premises (e.g. login, access right, passwords, badge number, IP address, online identifiers/cookies, logs, access and connexion times, image recording or sound such as badge pictures, CCTV or voice recordings, information contained in the reports from the guards (after hours) and the other data (such as name, email address or phone number) provided when connecting on Luxempart’s WIFI network for external users.

2.7. Website’s visitors and any third parties entering in contact with our company such as analysts/journalists

For website’s visitors and any third parties entering in contact with our company such as analysts/journalists, we may in addition also collect the following information:

  • electronic identification data (http header fields, IP address, browser identification information, information on hardware and software, and location data if available);
  • information regarding your browser and device (e.g. internet service provider’s domain, browser’s type and version, operating system and platform, screen resolution, device manufacturer and model); and
  • data collected through cookies and code on the website (e.g. language preferences and analytics of the use of the website, such as the pages visited, in which order these pages were visited and the duration of the visit).

2.8. Sensitive data and other matters

To the extent authorised or required by law, we may also process sensitive data, such as trade union membership or health data. We will only do so as strictly required for the relevant purposes listed in Section 4 below or to comply with a legal obligation and, where required, subject to having obtained your prior consent. In such case, the data will be accessed and processed solely under the responsibility of a representative of the relevant entity of the Luxempart Group who is subject to an obligation of confidentiality.

If and whenever personal data is collected (e.g. in forms), we will indicate whether the provision of such data is mandatory (e.g. with an asterisk) and the consequences of a refusal to provide the requested data.

We may also collect your national registry number or social security number but will only process such data if and when legally required.

3. When do we collect personal data?

Personal data will be collected by us:

  • whenever individuals apply to become a member of personnel of an entity of the Luxempart Group;
  • whenever a member of personnel interacts with us, or other members of personnel, our IT equipment and other systems;
  • whenever we interact with former members of personnel;
  • whenever we interact with (the representatives of) our prospective investors, shareholders, consultants, and services providers;
  • whenever we interact with representatives of portfolio/target companies;
  • whenever we interact with board members; and
  • whenever individuals visit our website, visit our premises or contact us.

4. On which legal basis and for which purposes do we process personal data?

4.1. Legal basis for the processing

We are not allowed to process personal data if we do not have a valid legal ground. Therefore, we will only process personal data if:

  • we have obtained your prior consent;
  • the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;
  • the processing is necessary to comply with our legal or regulatory obligations;
  • the processing is necessary to protect your vital interests or those of another natural person; or
  • the processing is necessary for the legitimate interests of Luxempart and does not unduly affect your interests or fundamental rights and freedoms.

Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interest and your privacy. Examples of such ‘legitimate interests’ are:

  • to perform our investment activity;
  • to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by external suppliers);
  • to facilitate communications with (representatives of) our investors/shareholders (e.g. we may communicate professional contact details of one of our members of personnel to an investor/shareholder, indicating that this person is the contact person within Luxempart);
  • to prevent fraud, money laundering, terrorist financing or any other criminal activity as well as to protect the security of our IT systems, architecture and networks; and
  • to meet our sustainability objectives.

4.2. Purposes of the processing

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process personal data for one or more of the following purposes.

4.2.1. Prospective, current and former members of personnel (including trainees and temporary workers)

In relation to prospective, current and former members of the personnel (including trainees and temporary workers), we process personal data for:

  • recruitment activities;
  • personnel administration (including organisation of work, tasks, benefits, expenses and holiday and absence management, performing employment and background checks, creating and maintaining directories of the members of personnel, travel arrangements);
  • payroll management and benchmarking (such as administering remuneration and other contractual benefits, calculation of social security and professional income withholding tax, salaries and pay reviews and other awards such as stock options, stock grants and  bonuses, pensions and savings plans, benefits to families, business expenses, public transport and leasing for mobility purposes);
  • performance reviews (such as appraisals, evaluations, promotions, career and succession planning, staffing and talent and development management);
  • monitoring members of personnel’s activities in the workplace, including compliance with policies as well as health and safety rules in place;
  • managing any disciplinary action and handle internal complaints relating to violence, moral harassment and undesirable (sexual) conduct;
  • ensuring compliance and reporting (such as complying with our policies and legal requirements, income tax and insurance deductions, managing alleged cases of misconduct fraud; conducting audits, defending litigation);
  • ensuring business continuity;
  • managing investments and divestments involving our company;
  • internal and external communication purposes (including through the use of pictures of members of the personnel); and
  • any other purposes imposed by law and authorities.

4.2.2. (Representatives of) shareholders

In relation to our shareholders who are natural persons or representatives of shareholders which are legal entities, we process personal data to:

  • analyse the shareholding of our company;
  • communicate about and prepare for shareholders’ meetings (e.g. sending convening notices) and pay dividends to our shareholders, when applicable;
  • answer shareholders’ questions; and
  • convert dematerialised shares into nominative shares and vice versa.

4.2.3. (Representatives of) business contacts, portfolio entities and target companies

In relation to our business contacts who are natural persons or representatives of portfolio entities and target companies of Luxempart or any other group entity, we process personal data to:

  • source potential investment opportunities and to maintain relationships with our portfolio companies and their shareholders and to monitor such companies;
  • communicate about and prepare for events (e.g. sending invitations); and
  • answer questions.

4.2.4. (Representatives of) providers

In relation to our products or service providers who are natural persons (such as self-employed persons) or the representatives or contact persons of our providers who are legal entities, we process personal data to:

  • implement tasks in preparation of or under existing contracts;
  • monitor activities at our facilities, including compliance with applicable policies as well as health and safety rules in place;
  • manage our IT resources, including infrastructure management and business continuity; and
  • billing and invoicing.

4.2.5. Board members

In relation to board members, we process personal data for:

  • the organisation and preparation of board and board committee meetings (including presence and absence management, performing background checks, creating and maintaining directories, travel arrangements);
  • remuneration management and benchmarking (such as administering remuneration and other contractual benefits, business expenses);
  • ensuring compliance and reporting (such as complying with our policies and legal requirements, income tax and insurance deductions, managing alleged cases of misconduct fraud; conducting audits, defending litigation);
  • ensuring business continuity;
  • managing investments and divestments involving our company; and
  • any other purposes imposed by law and authorities.

4.2.6. Visitors of our premises

In relation to the visitors of our premises, we process personal data to:

  • manage our facilities (e.g. management of access and visits to the building);
  • manage access to our WIFI network; and
  • ensure security of the building (e.g. CCTV).

4.2.7. Website’s visitors and any third parties entering in contact with our company such as journalists/analysts

In relation to visitors of Luxempart’s website and any third parties entering in contact with our company such as journalists/analysts, we process personal data to:

  • manage and improve our website (e.g. diagnose server problems, optimize traffic, integrate and optimize web pages where appropriate);
  • measure the usage of our website (e.g. by drawing up statistics about the traffic or by gathering information regarding the users’ behaviour and the pages they visit);
  • periodically send our news alerts and/or our newsletter (depending on your subscription), using the email address which you have provided (if you choose to do so);
  • analyse the performance of email campaigns and improve the email delivery services to better communicate with our subscribers; and
  • monitor and prevent fraud, infringement and other potential misuse of our website.

4.2.8. Public relations

In relation to public relations (journalists/analysts), we process personal data to:

  • invite selected individuals for the presentation of our annual report (for analysts only);
  • answer questions;
  • register attendees to our shareholders’ meeting; and
  • organise events.

4.2.9. General

In addition to the above specific purposes, we process all collected personal data for the following general purposes:

  • storing contact details (e.g. business cards);
  • manage and administer the relationship between us and the data subjects;
  • manage our IT resources, including infrastructure management and business continuity;
  • preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation);
  • comply with any legal obligations imposed on us in relation to our activities;
  • comply with mandatory policies in force for Luxempart or any other group entity (e.g. FATCA-CRS policy, AML/CFT program, Dealing Code);
  • reply to an official request from a public or judicial authority with the necessary authorisation;
  • archiving and record-keeping;
  • manage investments and divestments involving our company; and
  • any other purpose linked to our investment activity.

5. How do we protect personal data?

We have implemented appropriate technical and organisational measures to provide a level of security and confidentiality to your personal data. These measures take into account:

  1. the state of the art of the technology;
  2. the costs of its implementation;
  3. the nature of the data; and
  4. and the risk of the processing.

The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.

Moreover, when handling your personal data, we:

  • only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes; and
  • ensure that your personal data remains up to date and accurate.

For the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date.

6. Who has access to personal data and with whom are they shared?

6.1. Transfers to third parties

We may transfer or give access to personal data to third parties outside Luxempart or the relevant entity of the Luxempart Group to complete the purposes listed in Section 4.2 above, to the extent they need it to carry out the instructions we have given to them. Such third parties may include:

  • third parties who process personal data, such as our payroll provider, our (IT) systems providers, website designers and hosting provider, payment services providers, financial institutions and clearing companies, provider of compliance services (e.g. for Market Abuse Regulation purpose) bank card companies, insurances companies and pensions funds, leasing companies, social security bodies, event organisers (e.g. for shareholders’ meetings), transcript and/or translation tools and other AI tools, education centres, email delivery service providers, database and storage/archiving service providers, consultants, travel agencies, taxi, rail and airline companies, security companies;
  • any third party to whom we assign or novate any of our rights or obligations under a relevant agreement;
  • our lawyers and external advisors; and
  • any national and/or international regulatory, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request.

With the exception of public authorities which are subject to their own rules, we will take all reasonable steps to ensure that the above third parties will be contractually obliged by us to protect the confidentiality and security of your personal data, in compliance with applicable law.

6.2. Transfers outside the European Economic Area

The personal data processed by Luxempart may also be transferred/processed in a country outside the European Economic Area (“EEA“), which covers the EU Member States, Iceland, Liechtenstein and Norway. Non-EEA countries may not offer the same level of personal data protection as EEA countries.

If your personal data is transferred outside the EEA, we will therefore put in place suitable safeguards to ensure such transfer is carried out in compliance with the applicable data protection rules. You may request additional information in this respect and obtain a copy of the relevant safeguard by exercising your rights as set out below.

7. How do we use cookies and other similar technologies such as analytics on our websites?

A cookie is a text file which may be placed on your device when visiting our website. It contains information that is collected from your device and sent back to the website on each subsequent visit so as to remember your actions and preferences over time.

Our cookie notice for this website is accessible via the following link https://www.luxempart.lu/cookie-notice/.

8. How long do we store your data?

We will only retain personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.

We only keep data related to candidates for recruitment purposes for a maximum period of 2 years.

For current members of personnel, the retention period is the time of your employment, and 10 years thereafter, unless overriding legal or regulatory schedules require a longer or shorter retention period.

For contracts, the retention period is the term of your (or your company’s) contract with us, plus the period of time until the legal claims under this contract become time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period.

Personal data collected and processed in the context of a dispute are deleted (i) as soon as an amicable settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time barred.

When the above retention periods expire, we will take all reasonable steps to ensure that your personal data will be removed from our systems, destroyed or permanently de-identified. However, if individuals wish to have their personal data removed from our databases, they can make a request as described in Section ‎9, which we will review as set out below.

9. What are your rights and how can you exercise them?

9.1. Your rights

You have a right of access to your personal data as processed by Luxempart under this policy. If you believe that any information we hold about you is incorrect or incomplete, you may also request the correction thereof. Luxempart will promptly correct any such information.

You also have the right to:

  • request the erasure of your personal data;
  • request the restriction of the processing of your personal data;
  • withdraw your consent where Luxempart obtained your consent to process personal data (without this withdrawal affecting the lawfulness of processing prior to the withdrawal);
  • object to the processing of your personal data (e.g. for direct marketing purposes); or
  • object to the processing of your personal data for other purposes in certain cases where Luxempart processes your personal data on another legal basis than your consent,

Luxempart will review such requests, withdrawal or objection and honour them as required under the applicable data protection rules.

In addition, you also have the right to data portability. This is the right to obtain the personal data you have provided to Luxempart in a structured, commonly used and machine-readable format and to request the transmission of such personal data to a third party, without hindrance from Luxempart and subject to your own confidentiality obligations.

9.2. Exercising your rights

If you have a question or want to exercise the above rights, you may send an email to dataprotection@luxempart.lu or a letter at Luxempart (société anonyme), 12 rue Léon Laval, L-3372 Leudelange.

In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above. In Luxembourg this is the Commission Nationale pour la Protection des Données.

10. Updates to this policy

This policy may be subject to amendments. Any future changes or additions to the processing of personal data as described in this policy affecting you will communicated to you through an appropriate channel, depending on how we normally communicate with you.

This policy was last reviewed/updated: April 2025

[1] Regulation 2016/679 of the EU Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”).

[2] Regulation 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (the “Market Abuse Regulation” or “MAR”)

[3] Regulation 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (the “Market Abuse Regulation” or “MAR”)

[4] Regulation 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (the “Market Abuse Regulation” or “MAR”)

close
close