Data protection

What are the duties of the Social Security Centre (Centre commun de la sécurité sociale - CCSS) and what personal data does it process within the scope of its duties?

The main duties of the Social Security Centre (hereafter the CCSS) are organising the digitalisation and affiliation of insured persons in accordance with the provisions of the Social Security Law Code.

As such, within the scope of its legal duties, the CCSS processes all personal data (Pdf, 511 Kb) required to determine pension insurance records, replacement income and contribution bases, in particular. The CCSS therefore processes the data required for the affiliation of insured persons and for the determination, collection, forced recovery, recording and distribution of contributions for health insurance, accident insurance, pension insurance, care dependency and the Employers' Mutual Insurance Scheme.

The CCSS is also responsible for creating and operating a social security data bank according to the specific needs of the social security institutions and administrations. As such, the CCSS is authorised to exchange your personal data with other social security administrations and institutions. You can view a list of potential recipients and the legal bases permitting the transfer of data here (Pdf, 289 Kb).

All these recipients are required to comply with the data protection legislation specifically applicable to them.

The new European rules set out in the General Data Protection Regulation aim to make institutions more responsible for how they process personal data.

What personal data are processed when I visit the CCSS website?

To learn more about how the CCSS uses your personal data when you visit our website, please refer to the website's terms of use.

Is there a designated Data Protection Officer for the CCSS?

The legislation requires each institution to designate at least one Data Protection Officer (DPO).

The role of the DPO is to independently ensure that data protection legislation is applied within the institution.

Is there a record of processing activities?

The CCSS is also obliged to maintain a record of all processing activities (collection, use and/or storage) performed by the institution on your personal data.

This record must be publicly accessible and contain information about the purpose and conditions of the processing activities.

What are your rights when we process your personal data?

The table showing the categories of personal data processed by the CCSS provides information about the data concerning you that we process within the scope of our various legal duties.

You have the right to access these data and have them rectified if they are inaccurate or incomplete.

Understanding your right of access

Understanding your right to rectification

You can also object to the processing of your data if you feel that such processing is unfair or unlawful, and request that they be deleted.

Please note, however, that most of the personal data processed by the CCSS is done so by law and so the right to object is very limited.

These rights are set out in Articles 13 to 19 of the current data protection regulation No 45/2001.

If you wish to exercise your rights, you can post a written request to

CCSS Data Protection Officer
4, rue Mercier
L-2975 Luxembourg.

All requests must contain a detailed and appropriate description of the data you wish to access, together with a copy of an identity document, such as an identity card or passport, to confirm your identity.

The way we use the information in your identity document is strictly limited: the data will only be used to check your identity, and will not be stored for longer than necessary for this purpose.