How do we handle your personal data?
Studio créatif Lunivers S.à r.l.s
Duarrefstrooss, 2
9990 Weiswampach
Luxembourg
TVA: LU32261175
Ex2
2 Rue Kellermann,
59100 Roubaix,
France
Version 0.1 – Last updated: 06/01/2026
The protection of personal data in Europe is ensured by the General Data Protection Regulation (GDPR) of 27 April 2016, a European regulation relating to the protection of natural persons with regard to the processing of personal data and the free movement of such data, applicable since 25 May 2018.
Its objective is to ensure the protection of European citizens’ personal data, including employees, job applicants, insured persons, patients, clients, service providers, suppliers, and business partners (hereinafter referred to as “data subjects”).
Any organisation, regardless of its size, country of establishment or activity, may be concerned.
The GDPR applies to any public or private organisation that processes personal data, whether on its own behalf or not, where:
it is established within the territory of the European Union; or
its activities are directly targeted at European residents.
The GDPR also applies to processors that process personal data on behalf of other organisations.
Accordingly, when an organisation processes or collects data on behalf of or for another entity (company, public authority, association or administration), specific obligations apply in order to ensure the protection of the entrusted data.
In the course of its activities, VPF Consulting processes personal data.
This policy pursues a dual objective:
to explain the key principles to be respected in any personal data processing activity;
to provide clients with information relating to the processing of their data in the context of their relationship with VPF Consulting.
This Privacy Policy governs how VPF Consulting, acting as data controller, processes personal data collected (i) via the VPF Consulting website (the “VPF Consulting Website”) or through exchanges between VPF Consulting and any person who is not a client, and (ii) in the context of the performance of its professional activities.
VPF Consulting undertakes to provide adequate information, training and assistance to its employees, processors and agents to enable them to comply with their obligations regarding the protection of personal data processed in the course of their activities.
This policy supplements, but does not replace, data protection obligations already set out in service agreements and any other contractual documentation.
Personal data: any information relating to an identified or identifiable natural person.
A person may be identified:
directly (e.g. name, first name); or
indirectly (e.g. identification number, phone number, biometric data, or factors specific to physical, physiological, genetic, mental, economic, cultural or social identity, including voice or image).
Identification may be achieved:
from a single data point (e.g. social security number, DNA); or
from the combination of several data points.
Processing: any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, modification, retrieval, consultation, use, disclosure, alignment, restriction, erasure or destruction.
Personal data processing is not necessarily computerised; paper files are also concerned and must be protected under the same conditions.
Data controller: the natural or legal person, public authority or body which determines the purposes and means of processing.
Processor: the entity which processes personal data on behalf of the data controller.
Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they accept the processing of their personal data.
Personal data breach: a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Personal data processing is, in principle, not prohibited under EU law. However, sensitive data (including health data, trade union membership, racial or ethnic origin, sexual orientation) is prohibited unless specific exceptions apply, including:
explicit consent of the data subject;
employment, social security or social protection obligations;
protection of vital interests;
activities of non-profit organisations;
data made public by the data subject;
establishment, exercise or defence of legal claims;
substantial public interest;
preventive or occupational medicine;
public health;
archiving in the public interest.
Personal data is processed by VPF Consulting lawfully and fairly.
Processing is always based on one or more of the following legal bases:
Performance of a contract
Legal obligation
Protection of vital interests
Public interest mission
Legitimate interest, provided it does not override the rights of data subjects
Consent
VPF Consulting processes personal data honestly and transparently. Data is not further processed in a manner incompatible with its original purpose.
Clear and precise information is provided to clients, prospects and any person interacting with VPF Consulting.
Personal data is collected for specified, explicit and legitimate purposes only.
VPF Consulting only collects data that is adequate, relevant and limited to what is necessary.
All reasonable steps are taken to ensure inaccurate data is erased or rectified without delay.
Personal data is retained only for the period necessary for the relevant processing and is subsequently deleted or anonymised.
Appropriate technical and organisational measures are implemented to protect data against unauthorised processing, loss or damage.
VPF Consulting documents its processing activities and ensures compliance by its processors and recipients.
VPF Consulting is not legally required to appoint a DPO. However, the data controller performs this role.
Contact:
Data Protection Officer
Email: virginieparre@vpf.consulting
The DPO is responsible for:
monitoring compliance;
cooperating with the supervisory authority (CNPD).
Retention period: 10 years
Legal basis: Contract / consent (prospects)
Recipients: ACD, AED
Retention period: 10 years
Legal basis: Contract
Recipients: None
Legal basis: Legal obligation
Processor: L’Ex N’Co, Luxembourg
Legal basis: Contract / consent
Retention period: 10 years
Legal basis: Consent
Data subjects: Website visitors
Retention: See cookie policy
VPF Consulting has implemented appropriate technical and organisational measures to protect personal data from unauthorised access, unlawful processing, loss or destruction.
Data subjects may exercise their rights by contacting the DPO:
Right to information
Right of access and rectification
Right to object
Right to withdraw consent
Right to erasure
Right to data portability
Right to restriction
Right to lodge a complaint with the CNPD (www.cnpd.lu)
All persons acting on behalf of VPF Consulting, including processors and agents, must comply with this policy.
VPF Consulting remains responsible for any GDPR non-compliance.
Thanks!
