Skip to main content

Privacy policy

The present privacy policy (the “Policy”) is intended to provide, in accordance with articles 12 and 13 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”), the individuals who contact TwentyTwo Group Holding either by email or mail, with information on how TwentyTwo Group Holding may process personal data about them at this occasion.

Information on the use, by TwentyTwo Group Holding, of cookies and other trackers on our website can be found in our cookies policy available here.

1. Definitions

For the purpose of the present Policy, the below terms shall have the following meaning:

  • data subject means an identified or identifiable natural person. A natural person is identifiable when he/she can be identified either directly or indirectly, for example, through the use of an identifier, such as a name or an identification number. 
  • data procession” or “processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • personal data” is any information relating to a data subject, whether it relates to his or her private, professional or public life. Personal data therefore covers a lot of information and can be anything from a name, a home address, a photo, an email address, bank details or a computer’s IP address.
  • special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

2. Data controller and contact details

In relation to the processing of the personal data collected from you when you contact us either by email or mail, TwentyTwo Group Holding shall qualify as data controller pursuant to the GDPR which means that in this context we determine the purposes and means of the processing of such personal data.

In accordance with article 13 1. a) of the GDPR, TwentyTwo Group Holding’s details are as follows:

TwentyTwo Group Holding
Société à responsabilité limitée
2, Place de Paris
L-2314 Luxembourg

References hereinafter to “we” or “us” are references to TwentyTwo Group Holding.

3. Purposes and legal bases of the data processing

We process personal data for the following purposes:

3.1 Performance of a contract or pre-contractual measures (art. 6 1. (b) GDPR)

Personal data made available to us for the preparation of a contract or its execution is processed for the following purposes:

  • providing our services;
  • establishing, executing and, if necessary, terminating our contract(s);
  • keeping our accounting records up-to-date, invoicing our services and cash collection.

 3.2 Compliance with a legal obligation to which we are subject (art. 6 1. (c) GDPR)

We may process the personal data provided to us for the purpose of ensuring compliance with our legal obligations.

3.3 Legitimate interest (art. 6 1. (f) GDPR)

We may process personal data, where required to protect our legitimate interests or those of third parties, provided that the interests or fundamental rights and freedoms of the data subject(s) concerned do not conflict with this. Legitimate interests may include our economic interests, our legal interests (including the establishment, exercise or defence of legal claims), and our interest in complying with and ensuring compliance or IT security.

3.4 Consent (art. 6 1. (a) GDPR)

We may use, with your consent, your personal data for the purpose(s) for which you have contacted us.

Please note that we do not require the disclosure of special categories of personal data in order to provide our services. Before contacting us, please check that any documents and/or information you provide to us do not contain special categories of personal data.

4. Categories of recipients of the personal data we process

Our employees are primarily entitled to receive knowledge of your personal data.

Personal data may be shared with the following third parties for the purposes set out below:

  • the affiliates of TwentyTwo Group Holding, if the reasons why you have contacted us involve an affiliate of TwentyTwo Group Holding;
  • service providers, auditors, advisors, external consultants or other persons acting on our behalf when we need to obtain advice or for the purpose of preparing and/or auditing our accounts;
  • public authorities, courts, institutions, administrations, governmental corporations, when necessary to address your request, when we are legally obliged to do so, or for the establishment, exercise or defence of legal claims;
  • IT and cloud services providers, who, among other things, store data, support the administration and maintenance of our systems as well as file archivists and shredders;
  • logistics service providers to deliver documents;
  • legal advisors in the context of asserting our claims.

5. Transfer to Third Countries

Personal data sent by email to TwentyTwo Group Holding is stored on a cloud-based server located in Europe. We take all necessary measures to ensure that your personal data is protected in accordance with applicable data protection laws and regulations, including the GDPR.

We may transfer personal data to countries outside the EU or the EEA only in the following cases:

  • if such countries are granted an adequacy decision by the European Commission;
  • if such countries have not been granted an adequacy decision by the European Commission:
  • if appropriate safeguards are provided in accordance with article 46 of the GDPR; or
  • for the performance of the contract we have with the data subject or the implementation of pre-contractual measures taken at the data subject’s request; or
  • if necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person; or
  • if necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims (including for example to comply with the laws applicable to us, a governmental or a court’s injunction made to us); or
  • with the data subject’s explicit consent.

6. Duration of storage of the personal data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements or for the establishment, exercise or defence of legal claims.

Personal data collected for the purpose of complying with our legal or regulatory obligations will be retained on the basis of their relevant statutory limitation periods. 

When personal data are processed on the basis of: 

  • the data subject’s consent, such processing will continue the until revocation of data subject’s consent; and
  • legitimate interests, such processing will continue the until the data subject validly objects to the processing of his/her personal data on this basis or until such legitimate interests cease.

7. Automated individual decision-making, including profiling

We do not use automated decision making, including profiling in relation to the personal data you may provide to us when contacting us.

8. Data Protection Rights

Under certain conditions, data subjects may exercise the following rights:

  • Right of access: data subjects are entitled to request confirmation from us as to whether we are processing personal data relating to them, in accordance with the conditions set out in article 15 of the GDPR. 
  • Right to rectification: under article 16 of the GDPR, data subjects are entitled to request that we rectify personal data relating to them if it is inaccurate or incorrect.  
  • Right to erasure: data subjects are entitled, under the conditions of article 17 of the GDPR, to request from us the deletion of personal data relating to them without delay. However, there is no right to erasure if, inter alia, the processing of personal data is necessary for (i) the exercise of the right of freedom of expression and information, (ii) the fulfilment of a legal obligation to which we are subject (e.g. statutory retention obligations) or (iii) the establishment, exercise or defence of legal claims. 
  • Right to restriction of processing: under the conditions of article 18 of the GDPR data subjects are entitled to request from us the limitation of the processing of their personal data. 
  • Right to data portability: data subjects are entitled, under the conditions of article 20 of the GDPR, to request from us the provision of the personal data relating to them that you have submitted to us in a structured, current and machine-readable format. 
  • Right to object: data subjects are entitled to object to the processing of their personal data under the conditions and within the limits of article 21 of the GDPR. Our interests may however prevent, in certain circumstances, the processing from being terminated despite any objection. 
  • Right to withdraw consent: In the circumstances where data subjects may have provided their consent to the processing and transfer of their personal data for a specific purpose they have the right to withdraw their consent for that specific processing at any time. To withdraw their consent, data subjects need to contact us. 
  • Right of appeal to a supervisory authority: data subjects have the right to make a complaint to the Commission Nationale pour la Protection des Données (“CNPD”) which is the Luxembourg supervisory authority for data protection issues. We would, however, appreciate the chance to discuss with you about your concerns before you reach out to the CNPD so please do not hesitate to contact us.

The details of the CNPD are the following:

Commission nationale pour la protection des données
15, Boulevard du Jazz
L-4370 Belvaux
Phone: (+352) 26 10 60 -1

For any question or further information on data subject’s rights, please contact us at:

In the exercise, by the data subjects, of their rights, we may need to request specific information from data subjects to help us confirm their identity and ensure their right to access their personal data (or to exercise any of their other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact the relevant data subjects to ask them further information in relation to their request to speed up our response.

9. Applicable law and jurisdiction

This Policy and any dispute or claim arising out of or in connection with it or its subject matter (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of the Grand Duchy of Luxembourg.

The courts of Luxembourg City shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Policy or its subject matter (including non-contractual disputes or claims).

10. Changes to this Policy

This Policy is effective from 30 May 2024 and we reserve the right to make changes to it from time to time and at our discretion, to the latter.