Privacy Policy – CED LUX asbl

Introduction

CED LUX asbl is an independent, non-profit organisation dedicated to fostering inclusive societies through education, empathy, and meaningful exchange.

CED LUX asbl (“we”, “our”, “us”) is committed to protecting the personal data entrusted to us. We ensure that all personal data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Luxembourg data protection laws.

This Privacy Policy applies whenever you interact with our services, activities, events, publications, donor relations, website, or any other initiatives (non-exhaustive).

All terms used in this Policy have the meaning assigned to them under the GDPR unless otherwise specified.

Please read this Policy carefully to understand how we collect, use, store, and protect your personal data.

Article 1: Data Protection Principles

As the data controller, CED LUX asbl ensures that all personal data is processed in line with the core GDPR principles:

  • Lawfulness, fairness, and transparency – We process personal data only on a lawful basis and inform individuals about how their data is used.
  • Purpose limitation – Data is collected for specific, legitimate purposes and not further processed in ways incompatible with those purposes.
  • Data minimisation – We only collect data that is necessary for the intended purpose.
  • Accuracy – We take all reasonable steps to keep personal data accurate and up to date.
  • Storage limitation – Data is retained only as long as necessary for the purpose for which it was collected.
  • Integrity and confidentiality – We apply appropriate technical and organisational security measures.
  • Accountability – We can demonstrate compliance with all GDPR principles.

Article 2: Purposes, Legal Bases, and Categories of Data Processed

We collect personal data directly from you (forms, emails, registrations, conversations) or, where applicable, from third parties or public sources. The data collected depends on your interaction with us.

2.1 Purposes and Legal Bases

We process your personal data for the purposes below:

Purpose | Legal Basis (Art. 6 GDPR) | Categories of Data
Membership administration | Performance of a contract / pre-contractual measures | Name, address, email, membership start date
Cohort registration for programmes or activities | Performance of a contract / pre-contractual measures | Name, address, email, CV, communication data
Volunteer administration | Legitimate interest | Name, email, address, availability
Website contact form management | Legitimate interest | Name, email, message content
Donor and partner communication | Legitimate interest / legal obligation | Name, email, financial documentation if legally required

2.2 Processing of Minors’ Data

We do not process data of individuals under 16 years without written consent from a parent or legal guardian.

2.3 Special Categories of Data

In exceptional cases, we may process sensitive data (e.g., ethnic origin, political opinions, religious beliefs, health information) strictly within the scope of our legitimate non-profit activities and with appropriate safeguards.
For any other purpose, explicit consent will be obtained.
Consent may be withdrawn at any time without affecting prior lawful processing.

2.4 Cookies

Our website uses only strictly necessary cookies required for basic functionality.
We do not use analytical, tracking, or advertising cookies.

Article 3: Recipients of Personal Data

We may share personal data with:

  • Internal roles (board members, secretary, treasurer) on a strict need-to-know basis.
  • Project funders or auditors, only when necessary for monitoring, reporting, or compliance.
  • Service providers (e.g., IT hosting), bound by confidentiality and GDPR-compliant processing agreements.

We guarantee that:

  • We do not sell personal data.
  • We do not share data beyond what is necessary.
  • We do not use data for unspecified purposes.

International Transfers

We do not transfer personal data outside the EEA.
If exceptionally required, we will apply the safeguards of GDPR Chapter V (e.g., Standard Contractual Clauses).

Article 4: Data Retention

We retain personal data only as long as necessary:

  • Membership and volunteer data: up to 1 year after departure from the association.
  • Financial and legal documents: 10 years, in accordance with Luxembourg obligations.
  • Project-related documentation: retained based on donor requirements or legal obligations.

If you wish to request deletion, please contact us at the address below.

Article 5: Your Rights

You have the following rights under the GDPR:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Objection (Art. 21)
  • Withdrawal of consent at any time

To exercise any rights, please contact our Data Protection Officer:
📧 contact@cedlux.lu

Article 6: Complaints

If you have concerns about how we handle your data, please contact us first.
You also have the right to lodge a complaint with the Luxembourg Data Protection Authority (CNPD):
👉 https://cnpd.public.lu