Privacy Notice – Clients

Homepage | Privacy Notice – Clients

The purpose of this privacy notice is to inform you about how your personal data is collected, processed and protected in the context of our consultancy services, in accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter the “GDPR”) and the Luxembourg law of 1 August 2018 on the organisation of the Commission nationale pour la protection des données and the general data protection framework.

This notice applies to any natural person whose data is collected by MGSI in the context of its consultancy services and/or its Data Protection Officer (DPO) services, whether the Client or its representatives, within the meaning of the general terms and conditions of service of MGSI.

Your data may be collected directly from you or transmitted to us by your employer or any entity that mandated you in the context of the contractual relationship.

  1. Identity of the data controller

MGSI S.à r.l., a limited liability company incorporated under Luxembourg law, registered with the Luxembourg Trade and Companies Register under number B192771, with its registered office at 52a Waistrooss, L-5495 Wintrange, Luxembourg, represented by Mélanie Gagnon, in her capacity as manager (hereinafter “MGSI”).

  1. Data processed

In the context of our contractual relationship, we may process the following categories of personal data:

  • Personal identification data: surname, first name, postal address, position, company, department;
  • Electronic identification data: telephone number, e-mail address;
  • Financial data: bank details, billing information;
  • Mission-related data: information communicated in the context of the performance of the Services (reports, correspondence, working documents).
  1. Purposes and legal bases for processing

We use your data for the following purposes:

  • Management of the contractual relationship and performance of the Services — legal basis: performance of a contract (Article 6.1.b GDPR). This processing is necessary for the performance of our respective contractual obligations, including the management and monitoring of the engagement, invoicing, traceability and proof of work, as well as the handling of complaints.
  • Sending our newsletter — legal basis: legitimate interest of MGSI (Article 6.1.f GDPR). The legitimate interest pursued is communication about our activities and client retention. You may object at any time (see section 8).
  • Archiving and evidence — legal basis: legitimate interest of MGSI (Article 6.1.f GDPR). The legitimate interest pursued is the retention of documentation necessary to demonstrate the performance of our engagements, the traceability of our recommendations and compliance with our professional obligations.
  1. Data retention periods

Your personal data relating to the performance of the Contract is retained for a period of ten (10) years from the end of the Contract, in accordance with applicable legal and professional retention obligations. After this period, your data is deleted or anonymised.

Your data used for sending our newsletter is retained for three (3) years from the end of the commercial relationship, unless you agree to receive it for a longer period.

  1. Data location

We store your personal data within the European Union.

  1. Sub-processing and recipients

We may share your personal data with:

  • our external collaborators (consultants, subcontractors) involved in the performance of the Services, bound by confidentiality obligations;
  • our partner law firm, when the engagement requires legal analysis or advice falling within the regulated legal profession;
  • our digital tools and platform providers (hosting, messaging, document management, collaboration), as sub-processors, to the extent necessary for the performance of the Services.

These recipients are bound by confidentiality and data protection obligations.

  1. Data security

MGSI implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures aim to protect your data against any unauthorised access, disclosure, alteration or accidental or unlawful destruction.

  1. Your rights

In accordance with Regulation (EU) 2016/679 (GDPR), you have the following rights:

  • Right of access: obtain confirmation that we process your data and obtain a copy thereof;
  • Right to rectification: request the correction of inaccurate or incomplete data;
  • Right to erasure: request the deletion of your data, subject to our legal retention obligations;
  • Right to restriction: request that we restrict certain processing in the cases provided for by the GDPR;
  • Right to data portability: receive your data in a structured, commonly used and machine-readable format;
  • Right to object: object at any time to processing based on legitimate interest, in particular to the receipt of our newsletter by clicking the unsubscribe link in each message;
  • Right to lodge a complaint: lodge a complaint with the Commission nationale pour la protection des données (CNPD), the Luxembourg supervisory authority.
  1. Contact

If you have any questions about this notice or your personal data, or if you wish to exercise your rights, you may contact us:

  • By e-mail: privacy@mgsi.lu
  • By post: MGSI S.à r.l., 52a Waistrooss, L-5495 Wintrange, Luxembourg