Effective Date: 10 February 2026
1. Who We Are
Luxembourg for Transparency (abbreviated “L4T” and hereinafter referred to as "we", "us", or "our") acts as the Data Controller for your personal data. We are a non-profit association (Association sans but lucratif) registered in Luxembourg.
Legal Form: Association sans but lucratif (ASBL)
Full Legal Name: Luxembourg For Transparency
RCS Number: F15280
Registered Office: 6a, rue de Mamer, L-8185 Kopstal, Luxembourg
Contact: compliance@l4t.lu
2. Personal Data We Collect
We process the following categories of data directly from you:
Identification Data: Name, address, email address, phone number, and date of birth.
Financial Data: Payment information for donations or membership fees. Note that we use secure third-party processors and do not store your full payment details.
Communication Data: Emails, messages, and forms you submit to us.
Participation Data: Details regarding your involvement in our events, volunteering, or governance roles.
Technical Data: IP address and cookies (please refer to our Cookie Policy).
3. Why We Process Your Data (Purpose & Legal Basis)
We only process data where we have a lawful basis under GDPR Article 6:
Membership Management: To register you as a member and administer your participation.
Legal & Accounting Compliance: To manage donations, issue tax receipts (if applicable), and maintain accounts required by Luxembourg law.
Communication: To respond to your inquiries.
Newsletters: To send you updates and invitations.
Mission-Related Research: In specific anti-corruption research contexts, we may process sensitive data (e.g., political affiliations) under the lawful basis of Substantial Public Interest (Art. 9(2)(g)), subject to strict safeguards.
4. Whistleblowing & Confidentiality
In accordance with the Luxembourg Law of 16 May 2023, L4T maintains strict protocols for the handling of whistleblowing data. Information identifying a source is stored separately and is accessible only to designated case handlers.
5. Data Sharing and International Transfers
Data Sharing
We do not sell or rent your data. We may share data with:
Service Providers: Third-party vendors (e.g., IT services, payment processors) acting as Data Processors under our instructions.
Authorities: Luxembourgish public authorities, if required by law.
International Transfers
We primarily store data within the EEA. However, essential services (e.g., Google Workspace) may involve transfers to the United States. These transfers are protected by:
The EU-US Data Privacy Framework (DPF) adequacy decision, or
Standard Contractual Clauses (SCCs) approved by the European Commission.
6. Data Retention
We retain personal data only as long as necessary:
Membership Data: Duration of membership + 3 years (to manage potential claims).
Financial/Accounting Data: 10 years (as required by Luxembourg tax/accounting law).
Communication Data: Up to 3 years from the last contact.
Whistleblowing Data: Unsubstantiated allegations are deleted immediately.
7. Your Rights
Under the GDPR, you have the right to:
Access your data (Art. 15).
Rectify inaccurate data (Art. 16).
Erase your data ("Right to be forgotten") (Art. 17).
Restrict processing (Art. 18).
Object to processing (Art. 21).
Data Portability (Art. 20).
8. Contact Us
While you can contact us to exercise these rights, you also have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD) at 15, Boulevard du Jazz, L-4370 Belvaux (cnpd.public.lu). If you have any questions about this Privacy Policy or our privacy practices, please contact us at compliance@l4t.lu or at the correspondence address of Luxembourg for Transparency ASBL, BPM 316030, Banzelt 4 A, L-6921 Roodt-sur-Syre, Luxembourg.