WEBSHOP INFORMATION NOTICE
The National Sports and Cultural Centre Coque (hereinafter the “CNSC” or “we”) places particular importance on the protection of your personal data and the respect of your privacy. This notice aims to inform you clearly and transparently about the processing of personal data implemented in the context of the use of the webshop (shop.coque.lu), as well as the rights you have.
This notice supplements the CNSC Data Protection Policy.
Table of Contents
- Identity of the Data Controller
- Data Protection Officer (DPO)
- Description of Personal Data Processing Concerning You
- Transfer of Your Personal Data Outside the European Union
- Security of Your Personal Data
- How to Exercise Your Rights Regarding the Use of Your Personal Data
- General Terms and Conditions of Sale and Use
- Modification of This Notice
- Language of Reference
1. Identity of the Data Controller
The data controller under the General Data Protection Regulation (GDPR) and other personal data protection regulations is the National Sports and Cultural Centre Coque (CNSC).
Address: 2, rue Léon Hengen, L-1745 Luxembourg
Telephone: +352 43 60 60 1
Email: info@coque.lu
2. Data Protection Officer (DPO)
For any questions concerning the processing of your personal data carried out by the CNSC in the context of the webshop, you can contact the Data Protection Officer (DPO) designated with the National Commission for Data Protection:
By email: dpo@coque.lu
By post:
Care of the DPO of CNSC
Address: 2, rue Léon Hengen, L-1745 Luxembourg
3. Description of Personal Data Processing Concerning You
General clarifications (all webshop processing). Unless otherwise indicated, data is collected directly from you when creating your account, placing an order, or using webshop features. Some information may also be generated by the system (for example: customer identifier, timestamps, technical logs).
When data collection is necessary for contract performance (account creation, order processing, billing), the failure to provide information marked as necessary may prevent account creation or order completion. Non-essential fields are optional. The CNSC confirms that it does not carry out, via the webshop, any decision based exclusively on automated processing that produces legal effects concerning you or significantly affects you within the meaning of Article 22 of the GDPR.
In the context of webshop operation, the CNSC processes data concerning you. This personal data is processed in accordance with and within the limits of the purposes specified at the time of collection.
3.1 Creation and Management of Webshop User Account
a) Legal Bases and Purposes of Personal Data Processing
The processing aims to create and manage your user account on the webshop, as well as access to the services offered by the CNSC online, and the management of third-party profiles associated with this account. Profiles of children under 16 years of age are created and managed by the account holder (legal representative), as part of the child’s registration for CNSC activities.
Main account: the processing is based on the legal basis of performance of a contract.
Profiles (children under 16 years of age): the processing is based on the legal basis of performance of a contract.
b) Categories of Personal Data Processed
To meet these purposes, the CNSC may process the following data:
Main account: name, first name, email address, phone number, date of birth, postal address, communication language, unique customer number, history of registrations and reservations associated with your account.
Profiles (children under 16 years of age): name, first name, date of birth of the child.
Name, first name, and date of birth are not modifiable in self-service from your personal area. For any correction of your family name or date of birth, please contact the CNSC reception with a valid identity document. For any correction of your first name, please send your request to the DPO at dpo@coque.lu.
c) Personal Data Retention Periods
Your personal data is retained for as long as you use your account, then for a period of five (5) years minimum from your last contact with the CNSC. No deletion occurs as long as any funds or services remain associated with your account. Beyond this period and in the absence of funds or services, your data is deleted or anonymized securely, except where there is a legal obligation to retain it for longer.
d) Recipients or Persons Accessing Your Personal Data
Your personal data is accessible only to:
• Authorized CNSC personnel responsible for account and associated service management;
• The technical service provider responsible for the development and maintenance of the webshop;
• The platform hosting provider.
Outside of these recipients, your personal data is not communicated to third parties. However, the CNSC may be required to transmit your personal data to authorized third parties in order to satisfy its legal obligations, particularly in case of judicial request.
3.2 Order Management
a) Legal Bases and Purposes of Personal Data Processing
The processing aims to manage your purchases and registrations on the webshop: sports subscriptions, group and individual classes, event tickets, Coque Kaart reloading, including payment and billing.
Order and registration management: the processing is based on the legal basis of performance of a contract.
b) Categories of Personal Data Processed
To meet these purposes, the CNSC may process the following data: name and first name, customer number, billing address, order history, details of purchases and registrations (products, classes, amounts, dates), payment method, billing data.
Your banking data is never stored on the webshop; it is processed exclusively by the payment service provider.
c) Personal Data Retention Periods
Data relating to orders is retained for the duration necessary for contract management. Accounting documents (invoices) are retained for ten (10) years from the date of issue, in accordance with Luxembourg legal obligations (Article 16 of the Commercial Code).
d) Recipients or Persons Accessing Your Personal Data
Your personal data is accessible only to:
• Authorized CNSC personnel (Reception, Sports Office, accounting);
• The technical service provider responsible for the webshop;
• The payment service provider, for secure processing of your transactions.
Outside of these recipients, your personal data is not communicated to third parties. However, the CNSC may be required to transmit your personal data to authorized third parties in order to satisfy its legal obligations, particularly in case of judicial request.
3.3 Refunds and Cancellations
a) Legal Bases and Purposes of Personal Data Processing
The processing aims to manage cancellation and refund requests related to orders placed on the webshop, in accordance with the General Terms and Conditions of Sale and Use (GTCSU). Two processes coexist: cancellation within the deadline, carried out directly by the customer from their personal area (automatic refund to the original payment method), and cancellation outside the deadline or exceptional case, submitted by email to info@coque.lu and subject to internal approval. If necessary, supporting documents (medical certificate) may be required.
In case of incapacity or illness, an extension of subscription may also be granted according to the same procedures (request by email, medical certificate required, internal approval). The medical certificate is destroyed immediately after verification.
• Cancellation and refund: the processing is based on the legal basis of performance of a contract.
• Collection of health data (medical certificate): the processing is based on your explicit consent, in accordance with Article 9.2.a of the GDPR.
b) Categories of Personal Data Processed
To meet these purposes, the CNSC may process the following data: name and first name, customer number, reference of the order in question, reason for cancellation or refund, refund amount, refund method (the refund is made by the original payment method; in the absence of a Coque Kaart, a bank account statement (RIB) may be requested to proceed with the transfer).
Potential collection of health data: a medical certificate may be requested in case of illness or injury justifying a refund or extension of subscription, in accordance with the GTCSU (Article 10.3).
c) Personal Data Retention Periods
The medical certificate, when collected, is destroyed immediately after verification by the CNSC that the conditions set by the GTCSU are met. Data relating to refunds and cancellations is retained as accounting documents for ten (10) years.
d) Recipients or Persons Accessing Your Personal Data
Your personal data is accessible only to:
• Authorized CNSC personnel (Reception, Sports Office, accounting);
• The technical service provider responsible for the webshop;
• The payment service provider, for processing the refund.
Outside of these recipients, your personal data is not communicated to third parties. However, the CNSC may be required to transmit your personal data to authorized third parties in order to satisfy its legal obligations, particularly in case of judicial request.
The refund and cancellation conditions applicable in the context of the webshop are detailed in the General Terms and Conditions of Sale and Use (GTCSU).
3.4 Coque Kaart, Subscriptions and Associated Services
a) Legal Bases and Purposes of Personal Data Processing
The processing aims to manage your Coque Kaart via the webshop (association with account, online reloading, balance check), the management of your subscription (subscription, renewal, expiry monitoring) and associated services. The legal basis is the performance of the contract binding the CNSC to the user.
b) Categories of Personal Data Processed
To meet these purposes, the CNSC may process the following data: name and first name, postal address, email address, telephone, date of birth, customer number, Coque Kaart number and balance, reload history, subscription type and duration, information relating to subscription management.
c) Personal Data Retention Periods
Data is retained for the entire validity period of the card or subscription, then archived for a period of ten (10) years from your last contact with the CNSC. No deletion occurs as long as any funds or services remain associated with your card or subscription, except where there is a legal obligation to retain it for longer.
d) Recipients or Persons Accessing Your Personal Data
Your personal data is accessible only to:
• Authorized CNSC personnel;
• The technical service provider responsible for the webshop.
Outside of these recipients, your personal data is not communicated to third parties. However, the CNSC may be required to transmit your personal data to authorized third parties in order to satisfy its legal obligations, particularly in case of judicial request.
3.5 Gift Cards
a) Legal Bases and Purposes of Personal Data Processing
The processing aims to enable the purchase and management of gift cards via the webshop, based on the legal basis of performance of the contract concluded with the purchaser. Gift cards are valid for 1 year from the date of purchase. A 14-day withdrawal right applies to unused gift cards (Article 13.2 of the GTCSU).
b) Categories of Personal Data Processed
To meet these purposes, the CNSC may process the following data: name and first name of the giver, name, first name and email address of the gift card recipient, amount and code of the card.
c) Personal Data Retention Periods
Personal data relating to the purchase and use of gift cards is retained for a period of 1 year after the date of expiry of the card’s validity, or 2 years maximum from the date of purchase, in order to manage complaints or disputes. Data relating to billing (purchaser) is retained for 10 years, in accordance with the accounting obligations applicable in Luxembourg.
d) Recipients or Persons Accessing Your Personal Data
Your personal data is accessible only to authorized CNSC personnel and the technical service provider responsible for the webshop.
Outside of these recipients, your personal data is not communicated to third parties. However, the CNSC may be required to transmit your personal data to authorized third parties in order to satisfy its legal obligations, particularly in case of judicial request.
3.6 Waiting Lists
a) Legal Bases and Purposes of Personal Data Processing
The processing aims to manage waiting lists for full classes. When a class is full, you can voluntarily register on a waiting list from the webshop. As soon as a place becomes available, an email is sent to all registered users; the place is allocated to the first to register. The legal basis for processing is the legitimate interest of the CNSC (Article 6.1.f of the GDPR) to organize the allocation of available places fairly and to inform registered persons. You can withdraw from the waiting list at any time from your personal area and, if applicable, exercise your right to object (Article 21 of the GDPR) by contacting dpo@coque.lu.
b) Categories of Personal Data Processed
To meet this purpose, the CNSC may process the following data: name, first name, email address, class in question, rank on the waiting list.
c) Personal Data Retention Periods
Your registration on the waiting list is retained until the date of the class in question. You can withdraw from the waiting list at any time from your personal area.
d) Recipients or Persons Accessing Your Personal Data
Your personal data is accessible only to:
• Authorized CNSC personnel;
• The technical service provider responsible for the webshop.
Outside of these recipients, your personal data is not communicated to third parties. However, the CNSC may be required to transmit your personal data to authorized third parties in order to satisfy its legal obligations, particularly in case of judicial request.
3.7 Service Emails
a) Legal Bases and Purposes of Personal Data Processing
The webshop sends emails necessary for the management of your orders and your account (service emails). These emails are not promotional in nature. Emails strictly necessary for contract performance cannot be disabled.
• Under performance of contract (Article 6.1.b of the GDPR):
Account Creation Confirmation, Order Confirmation (online), Order Confirmation (cash desk), Order Cancellation (customer), Order Cancellation (Reception), Product Cancelled Notification, Order Refund, Product Refund, Refund Refusal, Gift Card, Coque Kaart Reload, Available Place Notification (waiting list).
• Under legitimate interest of the CNSC (Article 6.1.f of the GDPR):
Subscription Expiry Reminder, Password Reset, Account Lock, Password Change Notification.
• Emails related to orders and account: the processing is based on the legal basis of performance of a contract.
• Subscription expiry reminder: the processing is based on the legitimate interest of the CNSC to inform you of the due date of your subscription. You can object to receiving these reminders (Article 21 of the GDPR) by contacting dpo@coque.lu.
b) Categories of Personal Data Processed
Each email contains only the data strictly necessary for its purpose: name, first name, email address, and details of the transaction or action in question.
c) Personal Data Retention Periods
Data inserted in emails is extracted in real time from the webshop database. Information relating to your orders, your account, and your subscription is retained according to the retention periods specified in the corresponding sections. Copies of sent emails may, if applicable, be retained in CNSC mailboxes for a maximum period of two (2) years, necessary for operational follow-up and proof of exchanges, in accordance with internal archiving rules and CNSC data protection policy.
d) Recipients or Persons Accessing Your Personal Data
Your personal data is accessible only to:
• Authorized CNSC personnel;
• The technical service provider responsible for the webshop and email sending.
Outside of these recipients, your personal data is not communicated to third parties. However, the CNSC may be required to transmit your personal data to authorized third parties in order to satisfy its legal obligations, particularly in case of judicial request.
3.8 Authentication and Access Security
a) Legal Bases and Purposes of Personal Data Processing
The processing aims to secure access to your account (authentication, prevention of intrusions, lock after unsuccessful attempts, password reset). The legal basis is the legitimate interest of the CNSC in guaranteeing the security of its customers and its IT infrastructure.
b) Categories of Personal Data Processed
To meet these purposes, the CNSC may process the following data: email address, password (hashed), reset tokens, IP address, timestamp of connection attempts (successes and failures), number of consecutive attempts.
c) Personal Data Retention Periods
Connection logs and security data are retained for a period of 6 to 12 months. Reset tokens are invalidated immediately after their first use and no later than the expiration of their validity period (30 minutes).
d) Recipients or Persons Accessing Your Personal Data
Your personal data is accessible only to:
• Authorized CNSC personnel;
• The technical service provider responsible for the webshop and hosting.
Outside of these recipients, your personal data is not communicated to third parties. However, the CNSC may be required to transmit your personal data to authorized third parties in order to satisfy its legal obligations, particularly in case of judicial request.
3.9 Logging
a) Legal Bases and Purposes of Personal Data Processing
The processing aims to log actions carried out on the webshop for the purposes of security, traceability, anomaly detection, and regulatory compliance. The legal basis is the legitimate interest of the CNSC to ensure the security and integrity of its platform.
b) Categories of Personal Data Processed
Logs may contain, depending on the type of event: user identifier or technical account, timestamp (UTC), IP address, nature of action, result of action (success/failure), and if applicable, old and new values of modified data. The categories of logged events include in particular:
• Customers: login and login failures, account creation and deletion, order creation, modification and cancellation, payments (technical traces without banking data), payment failures and chargebacks, refunds and withdrawals, modification of contact details and password, password reset, consultation of order history and invoice downloads, cookie consent (CMP), modification of marketing preferences, data export (DSR), cart abandonment.
• Internal users (admin and back-office): back-office login, access to databases and customer data, consultation and modification of customer records, creation, modification and deletion of products, change of order status and price, management of permissions and internal accounts, export of customer data, processing of data subject rights, consultation of logs.
• System and technical accounts: application logs, web server logs (HTTP) and API logs, deployments and system changes, security incidents and anomalies, unauthorized access attempts, network security events, incoming and outgoing webhooks, log integrity.
c) Personal Data Retention Periods
Logs are retained for a period of 6 to 12 months, except for logs relating to transactions (10 years, in accordance with accounting obligations) and security incidents (until the closure of the incident and corrective actions).
d) Recipients or Persons Accessing Your Personal Data
Your personal data contained in the logs is accessible only to:
• Authorized CNSC personnel with restricted access to logs;
• The technical service provider responsible for the webshop and hosting.
Outside of these recipients, your personal data is not communicated to third parties. However, the CNSC may be required to transmit your personal data to authorized third parties in order to satisfy its legal obligations, particularly in case of judicial request.
4. Transfer of Your Personal Data Outside the European Union
Personal data collected in the context of the webshop is primarily processed within the European Union. If a transfer outside the European Union were to take place (for example via a payment or hosting provider), the CNSC will ensure that appropriate safeguards are put in place in accordance with the GDPR, in particular through the integration of standard contractual clauses (SCCs) adopted by the European Commission and the implementation, if necessary, of additional technical measures (data encryption, pseudonymization).
5. Security of Your Personal Data
Taking into account the evolution of technologies, implementation costs, the nature of the data to be protected as well as the risks to the rights and freedoms of individuals, the CNSC implements all appropriate technical and organizational measures to ensure the security of collected personal data.
These measures include:
• Encryption of data in transit (TLS) and at rest;
• Password hashing and application of a strong password policy;
• Progressive account lock after unsuccessful login attempts;
• Automatic logout after a period of inactivity;
• Logging of access and critical actions;
• Restriction of access to authorized personnel according to different profiles;
• Protection of data against any security breach resulting, accidentally or unlawfully, in the destruction, loss, alteration, unauthorized disclosure or unauthorized access to such data (personal data breach).
6. How to Exercise Your Rights Regarding the Use of Your Personal Data
Within the limits and conditions permitted by the GDPR, you have the right to request from the data controller access to personal data concerning you, the correction or deletion thereof, the limitation of processing of your personal data, and the portability of your data. An export of your data in PDF format is available from your personal area on the webshop. Deletion of your account is carried out upon request sent to the DPO.
When processing is based on your explicit consent (for example, submission of a medical certificate), you can withdraw your consent at any time (Article 7.3 of the GDPR), without affecting the lawfulness of processing carried out before this withdrawal. When processing is based on the legitimate interest of the CNSC, you can exercise your right to object (Article 21 of the GDPR) by explaining your particular situation.
The CNSC will respond to your request within a period of one (1) month from its receipt, a period that may be extended by two (2) months in case of complexity or a large number of requests, in accordance with the GDPR. To prevent fraudulent requests, proof of identity may be requested if there is reasonable doubt as to the identity of the requester.
You also have a right to object to the processing of your personal data, in particular a right to object to receiving subscription expiry reminders. You can also withdraw from a waiting list at any time from your personal area.
Child profiles associated with your account are automatically disabled when the child reaches the age of 16 plus one month. Profile data is retained in accordance with applicable retention periods.
If you believe, after contacting us, that your rights regarding your personal data are not respected, you can lodge a complaint with the National Commission for Data Protection (CNPD) (15, boulevard du Jazz, L-4370 Belvaux, Luxembourg) or with the supervisory authority of your place of residence.
To exercise these rights or for any question about the processing of your data, you can contact the DPO of the CNSC, by electronic means: dpo@coque.lu
7. General Terms and Conditions of Sale and Use
The use of the webshop is subject to the General Terms and Conditions of Sale and Use (GTCSU) of the CNSC, accepted by the user at each purchase.
The GTCSU can be consulted on the CNSC website.
8. Modification of This Notice
This notice may be updated at any time, in particular in case of evolution of the webshop or applicable regulations. The version published online is the version in force.
9. Language of Reference
In case of divergence of interpretation between the different language versions of this notice, only the original French-language version shall prevail.
Last modified: April 2026