This information notice is issued by the National Youth Service (Service national de la jeunesse, “SNJ”) as coordinator of the BEE SECURE project and in its capacity as data controller. Its aim is to inform users about the collection and processing of their personal data.
The BEE SECURE Stopline is an online platform that allows anonymous reporting of three categories of content: (1) child sexual abuse material (CSAM), (2) discrimination, racism, revisionism or hate speech, and (3) terrorism. Reported content that may be unlawful is forwarded to the police or other competent authorities.
The processing of personal data is carried out as part of a task carried out in the public interest, entrusted to the SNJ under the amended Youth Law of 4 July 2008.
1. Contact details of the SNJ and its Data Protection Officer
The SNJ is the data controller. Its contact details are:
Service national de la jeunesse
48-50,rue Charles Martel
L-2134 Luxembourg
Tel.: +352 247-86465
Email: dpo@snj.lu
For any questions regarding the processing of your personal data, please contact the SNJ’s Data Protection Officer (DPO):
by post: 48-50, rue Charles Martel, L-2134 Luxembourg
by email: dpo@snj.lu
2. Categories of Data, Legal Basis and Purpose of Processing
Legal basis for processing
The SNJ processes personal data on the basis of Article 6(1)(e) of the GDPR for the performance of a task carried out in the public interest pursuant to the amended Youth Law of 4 July 2008.
According to Article 7 of that law, the SNJ is responsible for contributing to the implementation of youth policy and acting as a point of contact, information, advice and support for young people and youth workers. Article 7(2)(e) includes among its tasks the initiation and implementation of projects promoting information, active citizenship among young people, human rights and core values such as social justice, equal opportunities, tolerance and solidarity. Within this framework, the SNJ coordinates the BEE SECURE Stopline service.
The data processing operations described here are carried out in accordance with the applicable European and national legal framework on data protection, namely:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation — GDPR);
- The Law of 1 August 2018 on the organization of the National Data Protection Commission (CNPD) and the implementation of the GDPR.
Categories of personal data processed
The SNJ does not actively collect any personal data from users who report content via the Stopline platform.
However, personal data may be provided voluntarily by users through free-text fields or uploaded content, relating either to themselves or to others:
- Uploaded files (e.g. screenshots or documents related to the report), which may contain personal data;
- Free-text entries in the reporting form that may contain personal data.
Purposes of processing
The data is processed for the following purposes:
- To receive, analyse and process reports submitted by users;
- To assess the nature and severity of the reported content based on the information provided (text, files, URLs, category, etc.);
- To forward reports, where appropriate, to competent authorities or partner organizations (e.g. police, INTERPOL, or other hotlines);
- To ensure the security and proper functioning of the platform through the collection of technical data related to the user’s environment (browser, device, operating system, display language);
- To generate anonymized statistics on platform use for evaluation, improvement, and awareness-raising purposes.
3. Data Sources and Recipients
The data processed originates directly from users of the Stopline platform (e.g. uploaded files, free-text entries, selected report categories, provided URLs).
The platform is operated on behalf of the SNJ by the organization Kanner-Jugendtelefon (KJT). KJT is the main recipient of the data reported via the platform and is responsible for their initial analysis and processing. KJT acts under a mandate from the SNJ and processes data in accordance with the applicable legal and contractual obligations.
Where necessary and in compliance with the legal framework, KJT may forward data to:
- Competent national authorities (e.g. Grand-Ducal Police, Public Prosecutor’s Office);
- International partner organizations such as members of the INHOPE network.
Technical service providers responsible for hosting and maintaining the platform may also have access to the data, to the extent required for their duties and under appropriate safeguards. These include:
- Custom Coding S.à r.l. (responsible for website layout and maintenance);
- Conostix SA (server hosting).
4. Voluntary Nature of Data Provision and Consequences of Refusal
As part of its public interest mission, the BEE SECURE Stopline enables users to report potentially illegal content or activities on the internet. In order to properly assess, legally qualify, and process the report, a detailed description of the reported facts is required. These details may contain personal data.
While the provision of personal data is not legally mandatory, it is essential for effective report handling. Failure to provide sufficient information may prevent the report from being processed or analyzed by the BEE SECURE Stopline team.
5. Data Retention Period
The personal data collected will be retained for a period of three months.
After this administrative retention period has expired, the data will be fully deleted.
6. Data Transfers to Third Countries
Your data will be processed exclusively within the European Economic Area (EEA) and will not be transferred by the SNJ to a third country within the meaning of Chapter V of the GDPR.
However, where necessary, the national authorities responsible for criminal prosecution may forward data to international organizations such as INTERPOL.
7. Rights of the Data Subject
You have the right, on grounds relating to your particular situation and within the limits of the applicable legal provisions, to object to the processing of your data in accordance with Article 21 of the GDPR.
Furthermore, under Chapter III (Articles 12 to 22) of the GDPR, you have the following rights:
- To access your data and obtain a copy (Article 15);
- To rectify inaccurate or incomplete data (Article 16);
- To have your data erased under the conditions set out in Article 17;
- To restrict the processing of your data under certain conditions (Article 18), e.g. while the accuracy of the data is being verified.
There is no automated decision-making that produces legal effects concerning you or similarly significantly affects you.
