DATA PROTECTION POLICY OF THE CNSC COQUE

DATA PROTECTION POLICY OF THE CNSC COQUE

Webshop information notice

Video surveillance privacy notice

DATA PROTECTION POLICY OF THE CNSC COQUE

The Centre National Sportif et Culturel Coque (hereinafter the “CNSC”) is committed to protecting personal data and privacy of its employees, customers, website visitors and any person using its Services in general.
All operations on your personal data are performed in compliance with applicable regulations and in particular:
•    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation - GDPR).
•    Law of 1 August 2018 establishing the organisation of the National Commission for Data Protection.
•    Amended Law of 30 May 2005 on specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector and amending Articles 88-2 and 88-4 of the Code of Criminal Procedure.
This Data Protection Policy aims to inform you:
•    Of the nature of personal data processing activities we carry out concerning you;
•    Of the categories of personal data we collect about you;
•    Of the way your personal data is processed by the CNSC;
•    Of the terms and conditions for the use of your personal data and your rights in this regard, in compliance with applicable European and Luxembourg legislation applicable to the CNSC.

Table of Contents

  1. IDENTITY OF THE DATA CONTROLLER
  2. DATA PROTECTION OFFICER (DPO)
  3. DESCRIPTION OF PERSONAL DATA PROCESSING CONCERNING YOU
    • 3.1  Booking of spaces for companies, clubs, federations, educational establishments, institutional entities (municipalities, ministries, etc.) and groups
    • 3.2 Coque Kaart, subscriptions and associated services
    • 3.3 Contests and promotional activities
    • 3.4 Our communications: newsletter
    • 3.5 Job application and job offer
    • 3.6 Hotel room booking 
    • 3.7 Restaurant La Coquille booking
    • 3.8 Management of registrations for activities offered by CNSC: sports activities, Wellness Centre and activities for children
    • 3.9  Gift cards
    • 3.10 Chatbot use
    • 3.11 Reimbursements, cancellations and right of withdrawal
    • 3.12 Management of operations to read and/or write information in your electronic communications equipment based on your consent
  4. TRANSFER OF YOUR PERSONAL DATA OUTSIDE THE EUROPEAN UNION
  5. SECURITY OF YOUR PERSONAL DATA
  6. HOW TO EXERCISE YOUR RIGHTS REGARDING THE USE OF YOUR PERSONAL DATA
  7. MODIFICATION OF THIS POLICY
  8. REFERENCE LANGUAGE


1. IDENTITY OF THE DATA CONTROLLER

The data controller under the General Data Protection Regulation (GDPR) and other data protection regulations is the Centre National Sportif et Culturel Coque (CNSC).
Address: 2, rue Léon Hengen, L-1745 Luxembourg
Telephone: +352 43 60 60 1
Email: info@coque.lu

2.  DATA PROTECTION OFFICER (DPO)

For any questions concerning the processing of your personal data by the CNSC, you may contact the Data Protection Officer (DPO) designated with the National Commission for Data Protection:
By email: dpo@coque.lu
By mail:
C/o DPO of CNSC
Address: 2, rue Léon Hengen, L-1745 Luxembourg

3.  DESCRIPTION OF PERSONAL DATA PROCESSING CONCERNING YOU

As part of the operation of the website https://coque.lu/, the CNSC collects data about you. This personal data is processed in accordance with and within the limits of the purposes stated at the time of collection.

3.1  Booking of spaces for companies, clubs, federations, educational establishments, institutional entities (municipalities, ministries, etc.) and groups

a) Legal bases and purposes of personal data processing

The processing aims at managing your booking of a space, including the reservation, logistic organisation and provision of premises; the legal basis is the performance of the contract concluded between the CNSC and the company or person making the reservation.

b) Categories of personal data collected

To fulfil these purposes, the CNSC may collect from you the following data:
•    First and last name, company name, job title and professional contact details (address, email, telephone), information relating to the booking (date, time, space concerned), nature of the event organised, number of participants, qualification (for access to the pit), first and last name of authorised group supervisors (as part of access authorisations).
•    For school groups, educational establishments shall provide CNSC with a list of students by class in order to allow access to any latecomers.
•    Potential collection of health data: groups may, on their own initiative, transmit information relating to a specific dietary requirement or intolerances.

c) Retention periods for personal data

Data relating to bookings is retained for the duration necessary for the management of the contract, then archived for a period of five (5) years from the end of the service, in accordance with civil or commercial prescription rules. Billing data is retained as accounting documents for ten (10) years from the date of invoice issue.
Beyond this period, it is deleted or anonymised securely, unless otherwise required by law.

d) Recipients or persons with access to your personal data

Your personal data is accessible only to:
•    Authorised CNSC personnel responsible for managing space bookings,
•    Service providers involved in the management of events.
Outside of these recipients, your personal data is not shared with third parties. However, the CNSC may be required to transmit your personal data to authorised third parties in order to meet its legal obligations, particularly in case of judicial request.

3.2  Coque Kaart, subscriptions and associated services

a) ) Legal bases and purposes of personal data processing

The processing aims at creating and managing your Coque Kaart card, managing your subscription (including, where applicable, its extension or full or partial refund in accordance with the GTCSU in force), as well as managing associated services (access, benefits, usage tracking). The legal basis is the performance of the contract binding the CNSC to the user.

b) Categories of personal data collected

To enable the management of your subscription or the issuance and management of the Coque Kaart, the CNSC collects the following data:
•    First and last name, postal address, email address, telephone number, date of birth, photograph of the cardholder (mandatory for the issuance of the Coque Kaart), customer number and information relating to the subscription or associated services,
•    Potential collection of health data: medical certificate

c) Retention periods for personal data

The medical certificate, when collected for the purpose of processing a refund or extension, is destroyed immediately after the CNSC has verified that the conditions laid down in the GTCSU are met. Other data is retained for the entire validity period of the Coque Kaart, then archived for a maximum period of ten (10) years after your last contact with the CNSC, unless otherwise required by law. Beyond this period, it is deleted or anonymised securely.

d) Recipients or persons with access to your personal data

Your personal data is accessible only to:
•    Authorised CNSC personnel,
•    Technical service providers (subscription management, payment, printing, card encoding).
Outside of these recipients, your personal data is not shared with third parties. However, the CNSC may be required to transmit your personal data to authorised third parties in order to meet its legal obligations, particularly in case of judicial request.

3.3  Contests and promotional activities

a) Legal bases and purposes of personal data processing

The processing aims at organising, managing and monitoring contests and promotional activities periodically organised by the CNSC on the legal basis of your consent.

b) Categories of personal data collected

To fulfil these purposes, the CNSC may collect from you the following data: name, first name, email address, telephone number, age for children, postal address, and, where applicable, data necessary for the provision of prizes.

c) Retention periods for personal data

Data collected as part of a contest or promotional activity is retained for the duration necessary for their organisation and the provision of any prizes, then deleted within six (6) months, unless otherwise required by law or legal proceedings justifying longer retention.

d) Recipients or persons with access to your personal data

Your personal data is accessible only to:
•    Authorised CNSC personnel,
•    Service providers involved in the management of the contest or the sending of prizes (marketing agency, delivery service).
Outside of these recipients, your personal data is not shared with third parties. However, the CNSC may be required to transmit your personal data to authorised third parties in order to meet its legal obligations, particularly in case of judicial request.

3.4 Our communications: newsletter

a) Legal bases and purposes of personal data processing

The processing aims at: sending information, updates and offers concerning the CNSC, on the basis of your consent.

 b) Categories of personal data collected

To fulfil these purposes, the CNSC may collect from you the following data:
•    Newsletter: first name, last name and email address.
•    Cart reminders: email address.

c) Retention periods for personal data

Newsletter: your data is retained until withdrawal of your consent (unsubscribe) or, failing that, for a maximum period of three (3) years from your last active contact (e.g. newsletter opening), unless otherwise required by law.

d) Recipients or persons with access to your personal data

Your personal data is accessible only to:
•    Relevant CNSC personnel,
•    Its service provider Mailchimp which ensures the development and hosting of the newsletter management tool.
Outside of these recipients, your personal data is not shared with third parties. However, the CNSC may be required to transmit your personal data to authorised third parties in order to meet its legal obligations, particularly in case of judicial request.

3.5  Job application and job offer

a) Legal bases and purposes of personal data processing

The processing aims at managing your application. On the legal basis of the performance of pre-contractual measures taken at your request, and where applicable on the legitimate interest of the CNSC to develop a pool of candidates for future recruitment.

b) Categories of personal data collected

To fulfil these purposes, the CNSC may collect the following data:
•    Identity: name, first name, date of birth, nationality.
•    Contact information: email address, telephone number, postal address.
•    Personal life: marital status, number of children.
•    CV, cover letter, qualifications, professional experience, interview assessment and, where applicable, any other information provided as part of your application.

c) Retention periods for personal data

Data is retained:
•    Throughout the duration of the recruitment process,
•    Then, in case of negative outcome, archived for a maximum period of 2 years, unless you object, in order to contact you about potential opportunities.
Beyond this, it is deleted or anonymised securely.

d) Recipients or persons with access to your personal data

Your personal data is accessible only to:
•    Authorised CNSC personnel
•    HR service providers involved in our recruitment processes
Outside of these recipients, your personal data is not shared with third parties. However, the CNSC may be required to transmit your personal data to authorised third parties in order to meet its legal obligations, particularly in case of judicial request.

3.6  Hotel room booking

a) Legal bases and purposes of personal data processing

The processing aims at managing your hotel reservation and completing the accommodation form required by Luxembourg law. It is based on the legal basis of the performance of the contract relating to your reservation and the legal obligation to complete and transmit the accommodation form to the competent authorities.

b) Categories of personal data collected

To fulfil these purposes, the CNSC may collect from you the following data: name, first name, email address, postal address, telephone number, nationality, country of residence, bank card number.

c) Retention periods for personal data

Your data is retained for the duration necessary for the management of the reservation, then archived for a maximum period of 10 years in accordance with accounting and tax obligations, unless otherwise provided by the legislation applicable to Luxembourg.
Accommodation forms are retained for a period of six months after which they are automatically deleted.

d) Recipients or persons with access to your personal data

Your personal data is accessible only to:
•    Relevant CNSC personnel,
•    The Protel service provider (EU software),
•    The Booking.com reservation platform (EU Platform),
•    Accommodation forms: to competent authorities via MyGuichet.lu (CTIE).
Outside of these recipients, your personal data is not shared with third parties. However, the CNSC may be required to transmit your personal data to authorised third parties in order to meet its legal obligations, particularly in case of judicial request.

3.7  Restaurant La Coquille booking

a) Legal bases and purposes of personal data processing

The processing aims at managing your reservation to dine or lunch at Restaurant La Coquille. The legal basis of the processing is the performance of the contract. Data relating to dietary preferences or restrictions, when provided, is collected with your explicit consent and is used only to adapt the service.

b) Categories of personal data collected

To fulfil these purposes, the CNSC may collect from you the following data: name, first name, email address, telephone number and optionally your dietary preferences and restrictions.

c) Retention periods for personal data 

Data is retained for the duration necessary for the management of your reservation, then archived for a maximum period of 3 years, unless otherwise required by law. Dietary preferences or restrictions are deleted immediately after the service, unless explicit consent for longer retention is given.

d) Recipients or persons with access to your personal data

Your personal data is accessible only to:
•    Authorised CNSC personnel,
•    Its service provider Zenchef which manages online reservations and flow management.
Outside of these recipients, your personal data is not shared with third parties. However, the CNSC may be required to transmit your personal data to authorised third parties in order to meet its legal obligations, particularly in case of judicial request.

3.8  Management of registrations for activities offered by CNSC: sports activities, Wellness Centre and activities for children

a) Legal bases and purposes of personal data processing

We collect and use your data to:
•    Manage your registration for sports activities
•    Manage your Wellness Centre reservations,
•    Manage your registration for children’s activities (birthdays and camps)
These processing activities are primarily based on the legal basis of the performance of the contract binding you to us, as well as legal obligations.
The collection of your health data, or that of your minor child, is subject to your explicit consent.

b) ) Categories of personal data collected

To fulfil these purposes, the CNSC may collect from you the following data:
•    Your identity and contact information: name, first name, date of birth, contact details,
•    For sports camps: name and first name of the representative, email address and telephone number, discipline concerned, number of camp participants.
•    Data relating to your registration: activity, dates, number of participants,
•    Your billing data,
•    If necessary: fitness certificates, restrictions and dietary requirements
•    For children, contact details of the legal representative and specific information (with consent).

c) Retention periods for personal data

Your data is retained for a limited period:
•    Up to 5 years after the last activity for registration data,
•    10 years for billing data in accordance with accounting obligations,
•    Data relating to restrictions and dietary requirements are deleted 6 months after the event, other data is retained for up to 3 years for management or 10 years for billing.
Beyond these periods, your data is deleted or anonymised.

d) Recipients or persons with access to your personal data

Your personal data is accessible only to:
•    Authorised CNSC personnel,
•    Michel Consulting for the former webshop.
Outside of these recipients, your personal data is not shared with third parties. However, the CNSC may be required to transmit your personal data to authorised third parties in order to meet its legal obligations, particularly in case of judicial request.

3.9  Gift cards

a) Legal bases and purposes of personal data processing

The processing aims at purchasing and managing gift cards, on the legal basis of the performance of the contract concluded with the purchaser. The purchaser has a right of withdrawal of 14 days in accordance with applicable legislation.

b) Categories of personal data collected

To fulfil these purposes, the CNSC may collect from you the following data: name and first name of the offeror, name and first name, email address of the gift card recipient.

c) Retention periods for personal data

Personal data relating to the purchase and use of gift cards is retained for a period of 1 year after the expiry date of the card’s validity, i.e. 2 years maximum from the date of purchase, in order to be able to manage claims or disputes.
Data related to billing (purchaser) is retained for 10 years, in accordance with accounting obligations applicable to Luxembourg.

d) Recipients or persons with access to your personal data

Your personal data is accessible only to authorised CNSC personnel and E-connect (technical service provider of the webshop, EU Platform). Outside of these recipients, your personal data is not shared with third parties. However, the CNSC may be required to transmit your personal data to authorised third parties in order to meet its legal obligations, particularly in case of judicial request.

3.10   Chatbot use

a) Legal basis and purpose of personal data processing

The processing aims at providing informational assistance and support to visitors to the CNSC website. It is based on the legitimate interest of the data controller (Article 6.1.f GDPR).

b)  Categories of personal data collected

To fulfil these purposes, the CNSC collects from you the following data:
•    Customer ID and customer pseudonym
•    Email address of the visitor
•    Conversation history
•    Connection and browsing data: IP address, IP country location, conversation open/close time, conversation date.

c) Retention periods for personal data

Your personal data is retained for periods strictly necessary to pursue the purpose of the processing:
•    ID, customer pseudonym and conversation history: retention period of 30 days. In case of a request made to reception, the conversation history will be retained for the duration of processing of the request.
•    Email address of the visitor: retention until erasure request made by the visitor.
•    Connection and browsing data:
•    Technical logs: retention period of 180 days
•    Cookies: duration of the session.

d) Recipients or persons with access to your personal data

Your personal data is accessible only to:
•    Authorised CNSC personnel,
•    ChatLab, our processor responsible for the publishing and hosting of the Chatbot, as well as its further processors.

3.11 Reimbursements, cancellations and right of withdrawal

a) Legal bases and purposes of personal data processing

The processing aims at managing reimbursement and cancellation requests relating to CNSC services (subscriptions, activities, gift cards), in accordance with the GTCSU in force. The processing is based on the performance of the contract (Art. 6.1.b GDPR). In case of collection of a medical certificate, the processing is based on your explicit consent (Art. 9.2.a GDPR).

b) Categories of personal data processed

Name and first name, customer number, reference of the order or subscription concerned, reason for the request, bank details (IBAN) for the transfer of the refund, and where applicable, a medical certificate.

c) Retention periods for personal data

The medical certificate, when collected, is destroyed immediately after verification by the CNSC. Data relating to reimbursement is retained for 10 years in accordance with accounting obligations applicable to Luxembourg.

d) ) Recipients or persons with access to your personal data

Your personal data is accessible only to authorised CNSC personnel (Reception, accounting), the technical service provider in charge of the webshop and the payment service provider for processing the refund.
Outside of these recipients, your personal data is not shared with third parties. However, the CNSC may be required to transmit your personal data to authorised third parties in order to meet its legal obligations, particularly in case of judicial request.
Consult our Cookie Policy.


4.  TRANSFER OF YOUR PERSONAL DATA OUTSIDE THE EUROPEAN UNION

Personal data collected by the CNSC is primarily processed within the European Union. However, certain third-party services may involve the transfer of your data outside the EU, in particular:
•    Mailchimp (The Rocket Science Group, LLC, United States), used for newsletter management.
•    Booking.com B.V., Netherlands: possible transfers outside the EU with appropriate safeguards (Standard Contractual Clauses).
In these cases, the CNSC ensures that these transfers are carried out in accordance with the GDPR and European jurisprudence by implementing appropriate safeguards, in particular:

a)  Transfer to the United States of America – Data Privacy Framework for certain transfers to the United States of America: on 10 July 2023, the European Commission adopted a new adequacy decision concerning the United States.

By this decision, the Commission found that amendments made by the United States to their national legislation now make it possible to ensure an adequate level of protection of personal data transferred from the EU to organisations located in the United States when they comply with this new “data protection framework”. The list of these organisations is kept up to date and will shortly be made public by the US Department of Commerce.
Transfers of personal data from the European Union to organisations on this list can therefore take place freely, without a specific framework in the form of “Standard Contractual Clauses” or any other transfer instrument.
•    For our newsletter, we use the “Mailchimp” service provided by The Rocket Science Group, LLC (675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, United States). This data will be processed exclusively for the purposes of sending our newsletters. Information collected through this functionality is generally sent and stored on one of the servers located in the United States. The Rocket Science Group not being certified under the Data Privacy Framework, the transfer of personal data to this recipient is covered by the following Standard Contractual Clauses.
•    To measure the audience of our website, we use Google Analytics, a service provided by Google Inc 1600 Amphitheatre Parkway, Mountain View, CA 94043. Google Inc being certified under the Data Privacy Framework, this transfer does not require any specific framework in the form of “Standard Contractual Clauses” or any other transfer instrument.

b)   The integration of Standard Contractual Clauses (SCCs) validated by the European Commission in contracts with these service providers.

c)   The implementation of additional technical and organisational measures, such as data encryption before transmission, pseudonymisation where possible, as well as rigorous monitoring of data during transfer and storage.

5.  SECURITY OF YOUR PERSONAL DATA 

Given the evolution of technology, implementation costs, the nature of data to be protected and the risks to the rights and freedoms of individuals, the CNSC implements all appropriate technical and organisational measures to ensure the security of collected personal data.
Among these measures are:
•    The use of physical and technical security measures to ensure the availability, integrity and confidentiality of information systems and processed data,
•    Protection of data against any security breach resulting, accidentally or unlawfully, in destruction, loss, alteration, unauthorised disclosure of personal data or unauthorised access to such data (personal data breach).

 6.  HOW TO EXERCISE YOUR RIGHTS REGARDING THE USE OF YOUR PERSONAL DATA

Within the limits and conditions permitted by the GDPR, you have the right to request from the data controller access to personal data concerning you, rectification or erasure thereof, restriction of processing of your personal data, as well as data portability (Art. 20 GDPR).
You also have the right to object to the processing of your personal data, in particular the right to object to your data being used for commercial prospecting purposes.
If you believe, after contacting us, that your rights regarding your personal data are not being respected, you may lodge a complaint with the National Commission for Data Protection (CNPD) or the supervisory authority of your place of residence.
To exercise these rights or for any question on the processing of your data, you can contact us by justifying your identity and by contacting the CNSC, by electronic means: dpo@coque.lu

7.   MODIFICATION OF THIS POLICY

This policy may be updated at any time.

8.   REFERENCE LANGUAGE

In case of divergence in interpretation between the different language versions of this policy, only the original version in French shall prevail.

Last modified: April 2026