Data Protection Policy

of the ASTF (GDPR)

1. Policy Objective

The Association pour la Santé au travail des secteurs Tertiaire et Financier (hereinafter “ASTF”) is committed to maintaining the trust of patients, employees, beneficiaries and supervisory authorities when processing personal data. The purpose of this policy is to provide information on the methods of processing personal data carried out by ASTF as data controller.

ASTF recognizes that data protection is paramount and undertakes to implement and maintain the measures required by law, applicable regulations and industry best practices. This policy is notably aligned with Regulation (EU) 2016/679 (GDPR) and relevant legislation.

Compliant data protection practices are a central element of the organization’s governance and accountability. This policy defines the minimum requirements applicable to the processing of personal data, establishes a governance framework to ensure compliance, specifies responsibilities and describes measures for managing and reporting data protection incidents.

2. Data Controller

The ASTF is responsible for the personal data processed in the context of activities relating to occupational medicine and business management.

Association pour la Santé au travail des secteurs Tertiaire et Financier (ASTF)
15–17 avenue Gaston Diderich, 1420 Belair, Luxembourg
Tél. : (+352) 22 80 90 1

3. Source of Collected Data

The ASTF collects personal data directly from the data subjects, that is to say mainly from patients during medical examinations and from employees in the context of business management activities.

4. Subcontractors

The ASTF takes all necessary measures to ensure the security and confidentiality of the personal data it processes. The ASTF’s IT department may have controlled access to data in order to correct IT malfunctions or to make corrective entries following a written request. Within the strict framework of its electronic archiving duties, an external service provider may access your data, subject to a processor agreement within the meaning of Article 28 GDPR and appropriate safeguards.

5. International Data Transfers

The ASTF does not carry out any transfers of personal data to countries that are not members of the European Union.

6. Data Protection Principles

  • Lawfulness and Fairness of Processing
    In accordance with Article 6 of the GDPR, all processing must rest on an appropriate legal basis. The ASTF will identify and document the legal basis for each processing purpose, will retain legitimate interest assessments where applicable, and will rely on consent only where it is appropriate, freely given and can be withdrawn without detriment.

Possible legal bases (Article 6 GDPR): consent; performance of a contract; compliance with a legal obligation; protection of vital interests; task carried out in the public interest or in the exercise of official authority; legitimate interests, subject to the fundamental rights and freedoms of data subjects.

  • Special Categories of Data
    Certain categories of data processed by the ASTF may fall under “special categories” (health data, etc.) within the meaning of Article 9 of the GDPR and will require specific measures. The processing of these categories is in principle prohibited, except for the derogations provided for in Article 9(2) GDPR, in particular when the processing is necessary for the purposes of occupational medicine (art. 9(2)(h) GDPR) or when another derogation applies (explicit consent, obligations under employment and social security law, substantial public interest, protection of vital interests, establishment, exercise or defence of legal claims, archiving or research purposes, etc.).
  • Transparency
    When data is collected directly, the ASTF will provide at the time of collection clear and transparent information specifying in particular: purposes, risks and security measures, identity and contact details of the controller, contact details of the DPO, categories of data processed, legal basis, possible recipients, transfers outside the EEA where applicable and the mechanisms relied on, retention period, rights of individuals, right to withdraw consent, possibility of lodging a complaint with the supervisory authority, whether provision of the data is required and the consequences of refusal, and the possible existence of automated decisions or profiling. The ASTF may dispense with this information when the data subject already has it (Article 13(4) GDPR).
  • Purpose Limitation
    Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. The purposes will be defined at the time of collection and will, if necessary, be subject to a data protection impact assessment (DPIA). Any new purpose will be subject to a compatibility assessment in accordance with Article 6(4) GDPR; if the purpose is not compatible, a new legal basis will be identified and, if required, new consent will be obtained.
  • Data Minimization
    Only data relevant and necessary for the intended purpose should be collected and retained. Processing operations will be subject to a proportionate minimization assessment. Unnecessary data must be anonymized or deleted. Retention periods will be aligned with the record of processing activities (RoPA).
  • Accuracy
    Data must be accurate and, where necessary, kept up to date. Every reasonable step will be taken to rectify or erase inaccurate data. Data subjects may request rectification, erasure or restriction of processing; the ASTF will respond within the timeframes provided for by the GDPR (one month, extendable by two additional months depending on complexity).

7. Storage Limitation

The ASTF will not retain data beyond the period necessary for the legitimate purposes for which it was collected. Retention periods are determined with regard to, in particular, the nature and sensitivity of the data, potential risks, the purposes pursued and legal obligations. Retention periods are detailed in the ROPA for each activity.

Regular reviews of stored data will be carried out by category; all documents must be reviewed at least annually, and for special category data at least half-yearly. Data will be destroyed securely (shredding, confidential disposal, secure electronic deletion, etc.).

7.1. Retention for Legal Purposes

The ASTF may issue a retention instruction (legal hold) preventing the deletion of data at the end of the retention period when the data are necessary for the establishment, exercise or defence of legal claims.

8. Integrity and Confidentiality

The ASTF implements appropriate technical and organizational measures to ensure the confidentiality, integrity and availability of data and systems. These measures must enable in particular the restoration of access to and availability of data in the event of an incident, regular assessment of their effectiveness and necessary improvements.

Data must never be left unprotected (physical documents in public places, unlocked screens, etc.) and transmissions must be carried out by secure means in accordance with internal procedures.

9. Accountability

The ASTF is responsible for compliance with the principles set out above and must ensure that its third-party service providers act in compliance with the GDPR.

9.1. Data Protection Officer (DPO)

The ASTF appoints a DPO, either in-house or under a service contract, whose other functions must not give rise to a conflict of interest. The DPO exercises their duties independently and reports directly to the highest management level of the ASTF. The DPO must be involved appropriately and in a timely manner in all issues relating to data protection.

DPO’s duties: to inform and advise entities and employees, to monitor compliance (including training and audits), to advise on DPIAs, to cooperate with the supervisory authority and to act as a contact point for it.

DPO — contact

Gianfranco Mei

Tél. : +352 22 51 51 1
Mobile : +352 621 877 322
KPMG Luxembourg
39, avenue JF Kennedy
L 1855 Luxembourg

10. Data Breach Management

A data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
Examples: loss or theft of media, unauthorized access, hardware or software failure, human error, natural disaster, cyber attacks (hacking, viruses, phishing), identity theft, sending information to the wrong recipient, etc.

In the event of an incident, the DPO is notably responsible for:

  • Notifying the CNPD without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33 GDPR); where notification is made after 72 hours, the reasons for the delay are documented;
  • Providing a copy of the notification to the competent body of ASTF for information and review;
  • Communicating the breach to the data subjects without undue delay when it is likely to result in a high risk to their rights and freedoms (Article 34 GDPR);
  • Documenting every breach, including its facts, effects and the remedial action taken, whether or not it was notified to the CNPD.

The ASTF establishes and maintains procedures for managing, investigating and reporting data protection incidents.

11. Rights of Data Subjects

The following rights are guaranteed:

  • Right of Access: to know whether personal data concerning them is being processed and to obtain a copy of the data and related information (purposes, categories, recipients, etc.).
  • Right to Erasure (Right to be Forgotten): request for erasure under the conditions provided for by the GDPR, subject to legal obligations or other legitimate grounds for retention.
  • Right to Restriction of Processing: possibility of obtaining restriction in certain situations (disputes over accuracy, retention required for legal proceedings, etc.).
  • Right to Object: possibility of objecting to certain processing, in particular processing for direct marketing purposes, which then ceases unconditionally. For processing based on legitimate interests or a public interest task, the ASTF will cease the processing unless it demonstrates compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or the processing is necessary for the establishment, exercise or defence of legal claims.
  • Right to Data Portability: possibility of obtaining and reusing personal data in a structured, commonly used and machine-readable format.
  • Exercise of Rights: ASTF will respond to requests to exercise rights within the legal timeframes (one month, extendable by two months depending on complexity and number of requests). A process for managing Subject Access Requests is in place.

The ASTF establishes and maintains procedures ensuring the monitoring of requests from data subjects.

Requests from data subjects may be addressed:

11.1 Automated Decision-Making and Profiling

The ASTF does not engage in decision-making based solely on automated processing producing legal effects or significantly affecting data subjects.

12. Record of Processing Activities (RoPA)

The ASTF maintains and updates a record of processing activities in accordance with Article 30 of the GDPR, referencing all processes involving personal data. It is the responsibility of all staff to ensure that records are kept up to date, whether in physical or electronic form. The record will be subject to a minimum annual review and will be updated following significant changes (migrations, new service providers, etc.).

13. Data Protection Training

The ASTF ensures that staff receive training appropriate to their data protection obligations. All employees are required to undergo annual training, which may be delivered in person or as e-learning.

14. Review of the Data Protection Policy

This policy is reviewed at least once a year.

– v. 10/03/2026 –