GDPR Compliance
How LEGTECH ensures full compliance with the EU General Data Protection Regulation (Regulation 2016/679).
LEGTECH is fully compliant with the European Union General Data Protection Regulation (EU) 2016/679, applicable since 25 May 2018.
1. Our Commitment
As a cybersecurity company operating in Luxembourg, data protection is at the core of everything we do. We don't just help our clients achieve compliance — we hold ourselves to the highest standards of data protection.
LEGTECH is committed to:
- Processing personal data lawfully, fairly, and transparently
- Collecting data only for specified, explicit, and legitimate purposes
- Minimizing data collection to what is strictly necessary
- Keeping data accurate and up to date
- Retaining data only as long as necessary
- Ensuring appropriate security of personal data
2. GDPR Principles We Follow
Our data processing activities adhere to all seven GDPR principles defined in Article 5:
Lawfulness, Fairness & Transparency
We process data based on clear legal grounds and inform you of how your data is used through this page and our Privacy Policy.
Purpose Limitation
Data is collected only for the specific purposes stated in our Privacy Policy and never repurposed without your consent.
Data Minimization
We collect only the minimum data necessary. Our contact form asks for name, email, subject, and message — nothing more.
Accuracy
We ensure personal data is accurate and provide you with mechanisms to request corrections at any time.
Storage Limitation
Data is retained only as long as necessary: 24 months for contacts, 12 months for logs, 36 months for consent records.
Integrity & Confidentiality
We implement TLS encryption, access controls, and regular security audits to protect all personal data.
Accountability
We maintain records of processing activities, conduct impact assessments, and have designated a Data Protection Officer.
3. Lawful Basis for Processing
Every processing activity at LEGTECH is grounded in one of the legal bases defined in GDPR Article 6(1):
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Contact form processing | Pre-contractual measures at your request | Art. 6(1)(b) |
| Cookie consent management | Your explicit consent | Art. 6(1)(a) |
| Website security logging | Legitimate interest in protecting our systems | Art. 6(1)(f) |
| Consent record keeping | Legal obligation to demonstrate compliance | Art. 6(1)(c) |
| Theme preference storage | Your explicit consent | Art. 6(1)(a) |
4. Data Protection Impact Assessments
In accordance with GDPR Article 35, we conduct Data Protection Impact Assessments (DPIAs) for any processing likely to result in a high risk to individuals' rights and freedoms.
Given that our website processes minimal personal data and does not engage in large-scale profiling, automated decision-making, or processing of special category data, a full DPIA has determined our current processing to be low risk.
We reassess this determination annually or whenever significant changes are made to our processing activities.
5. Data Breach Notification
We have established procedures to detect, investigate, and report personal data breaches in compliance with GDPR Articles 33 and 34:
- Detection — Continuous monitoring and intrusion detection systems
- Assessment — Immediate assessment of the nature, scope, and risk of any breach
- Authority notification — Report to the CNPD within 72 hours of becoming aware of a qualifying breach (Art. 33)
- Individual notification — Direct notification to affected individuals without undue delay when the breach is likely to result in a high risk (Art. 34)
- Documentation — Full documentation of every breach, its effects, and remedial actions taken
6. Data Protection Officer
LEGTECH has designated a Data Protection Officer (DPO) who can be contacted for any data protection inquiries:
Data Protection Officer
LEGTECH sàrl
29 Boulevard de la Grande-Duchesse Charlotte
L-1331 Luxembourg
Email: privacy@legtech.lu
The DPO is responsible for monitoring GDPR compliance, advising on data protection impact assessments, and serving as the contact point for the CNPD.
7. Sub-Processors
We maintain a limited and transparent list of sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Server hosting provider | Infrastructure hosting | Luxembourg / EU |
| Google Fonts | Web font delivery (no tracking) | EU CDN endpoints |
All sub-processors are bound by Data Processing Agreements (DPAs) ensuring GDPR-equivalent protections. No personal data is transferred outside the EEA.
8. Staff Training & Awareness
All LEGTECH staff members undergo regular data protection training covering:
- GDPR principles and obligations
- Identifying and reporting data breaches
- Handling data subject access requests
- Secure data handling practices
- Recognizing phishing and social engineering attacks
9. Records of Processing Activities
In accordance with GDPR Article 30, LEGTECH maintains a comprehensive Record of Processing Activities (ROPA) that documents:
- The purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- Data retention periods
- Technical and organizational security measures
This record is available to the CNPD upon request.
10. Exercising Your Rights
We take your rights seriously. Here's how to exercise them:
How to submit a request
- Send an email to privacy@legtech.lu with the subject line "GDPR Request"
- Specify which right you wish to exercise (access, erasure, rectification, etc.)
- Provide enough information for us to verify your identity
- We will acknowledge your request within 5 business days
- We will fulfill your request within 30 calendar days (extendable by 60 days for complex requests, with notification)
All requests are handled free of charge. If a request is manifestly unfounded or excessive, we reserve the right to charge a reasonable fee or refuse the request, with justification.
Supervisory Authority
If you are not satisfied with our response, you have the right to lodge a complaint with:
Commission Nationale pour la Protection des Données (CNPD)
15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg
Website: cnpd.public.lu