• Individual
  • Professional
  • ACL Sport
  • Municipalities
Suggestions
  • Individual
  • Professional
  • ACL Sport
  • Municipalities
page

Privacy Policy of the Automobile Club of Luxembourg (ACL)

 

  1. Identity of the data controller

This privacy policy is provided to you by the Automobile Club du Luxembourg (ACL), a non-profit association registered with the Luxembourg Trade and Companies Register under number F630, in its capacity as data controller for the personal data collected. The ACL has its registered office at 54, route de Longwy, L-8080 Bertrange, Luxembourg.

Data Protection Officer (DPO): The ACL has appointed an external data protection officer, Luxgap Sàrl (2, Rue de l’École, L-8376 Kahler Garnich, Luxembourg), who can be contacted at dpo@acl.lu.

The DPO is responsible for monitoring compliance with applicable personal data regulations and acts as a point of contact for any questions relating to data processing carried out by the ACL.

  1. Personal data collected (online and offline)

The ACL ensures that it only collects personal data that is strictly necessary for the purposes described below. This data may be collected online (when using our website acl.lu, the ACL mobile app, via forms or emails) or offline (when signing up or making requests in branch, by phone via our Contact Center, at events or on-site services, etc.). The categories of data collected include:

  • Identification data: surname, first name, date of birth, gender, nationality, ACL membership number if applicable,
  • Contact details: postal address, email address, telephone number (landline and/or mobile),
  • Member account data: login details (e.g., membership number or email address), preferences, and member profile settings on the MyACL customer portal.
  • Vehicle information: for members who are motorists, cyclists, or motorcyclists, ACL may record data such as the make, model, registration number, chassis number (VIN), or other technical characteristics of the vehicle. This information may be necessary to provide you with certain services (e.g., roadside assistance, technical diagnostics, insurance, or vehicle-related benefits).
  • Location data: As part of our 24/7 roadside assistance service, we may collect your exact geographical location (e.g., GPS location transmitted by the eCall mobile app or coordinates provided by telephone) in order to dispatch assistance to your location.
  • Billing and financial data: information necessary for the payment of membership fees and services (e.g., membership and renewal history, invoices, chosen payment method, bank details such as IBAN account number or credit card information). Note: ACL does not store your payment card details beyond the transaction, as these may be processed directly by secure payment providers.
  • Content of requests and communications: when you fill out an online form (request for a personalized itinerary, registration for an event, contact, newsletter subscription, etc.) or contact the ACL (by email, mail, or via the Contact Center), we collect the information you provide us at that time. For example, this may include desired destinations and travel constraints provided for mobility/travel advice, the nature of the breakdown reported during a roadside assistance call, your questions submitted to the advice service, or the details of a claim. This information may be stored in our systems in order to follow up on your request. Please note: Telephone calls to our contact center may be recorded for quality and training purposes, or to retain proof of instructions given (which is useful for responding to subsequent requests or clarifying inaccuracies).
  • Data relating to sports and leisure services: if you participate in ACL Sport activities (competitions, races, rallies, etc.), karting sessions, or training courses at the Maison du Cycliste/Motard, we may process information such as your sports license number, age category, competition results, karting lap times, or any other data necessary for the organization and monitoring of these events (e.g., medical certificate of no contraindication for sports practice, if required).
  • Travel and insurance data: as part of our mobility/travel advisory services or when booking trips through the ACL, you may be asked to provide additional information such as the first and last names of travelers, dates of birth (e.g., to ensure appropriate travel insurance coverage), travel preferences, special needs (accommodation, mobility), or even copies of identity documents (passport) depending on the requirements of third-party providers (travel agencies, airlines, hotels, etc.). Similarly, if you take out insurance through ACL, the data necessary for the management of these contracts and any claims will be collected.
  • Health data (special data): in exceptional cases, ACL may need to process certain sensitive data about you, but only if you provide it yourself and if it is essential for the provision of a service. This may be the case, for example, if, in the context of a request for assistance abroad or reimbursement of medical expenses, you send us medical certificates or health documents that we may need to forward to an insurance company in order for you to receive compensation. Similarly, participation in certain events ( , sports competitions, organized trips, etc.) may require limited medical information (e.g., allergies, special conditions) to ensure your safety. This health data is collected and used only with your explicit consent and only for the specific purpose for which you have provided it.
  • Browsing data and cookies: when you visit our website and use the mobile application, we may collect data relating to your device and your browsing. This includes, for example, the device’s IP address, the unique identifier of the terminal, the type and version of the browser, the language, the pages viewed, the date and time of connection, as well as information collected by cookies and trackers (see Cookie Policy below). This browsing data is generally used for anonymous statistical purposes or to improve your online experience.

Accuracy of data: You agree to provide accurate, complete, and up-to-date information and to update it in the event of any changes. The ACL may, at reasonable intervals, invite you to verify and update your data (e.g., confirmation of your contact details or your registered vehicle fleet).

Data relating to minors: ACL’s services are primarily intended for adults. However, certain services may concern minors (e.g., YoungACL membership for young drivers, bicycle courses for children via the Maison du Cycliste, karting sessions for accompanied minors, etc.).

Sensitive data: With the exception of the limited cases mentioned above (health data provided for assistance or sports purposes), the ACL does not wish to collect any special categories of personal data about you (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data or data relating to sex life/sexual orientation). You are therefore asked not to provide such information unless it is strictly necessary. However, if you voluntarily provide sensitive data (e.g., by attaching a document containing this type of information), we will assume—unless you indicate otherwise—that you consent to this information being processed in accordance with your specific request. This data will be subject to enhanced protection and deleted as soon as possible after the relevant purpose has been fulfilled.

  1. Purposes of processing and legal bases

The ACL processes your personal data only for specific, explicit, and legitimate purposes, and will not use it in a manner incompatible with these initial purposes. For each processing operation, the ACL ensures that it has a valid legal basis within the meaning of the General Data Protection Regulation (GDPR). The main purposes and applicable legal bases are as follows:

  • Provision of requested services (performance of a contract) – The main reason we process your data is to provide you with the services you request from as part of your membership or one-off requests. This includes managing your membership (registration, renewal, benefits), providing assistance and mobility services (e.g., roadside assistance, repatriation, technical diagnosis, vehicle rental via Clubmobil, provision of rental bicycles or motorcycles, etc.), the organization of personalized trips or itineraries, the sending of the member magazine and other benefits related to membership status, mobility/travel advice, or participation in events, leisure and sports activities (ACL Sport competitions, Maison du Cycliste/Motard training courses, karting, etc.). Your data is therefore necessary to perform the contract concluded with you or to take pre-contractual measures at your request. For example, when you call for roadside assistance, the processing of your location and vehicle identification data is essential for us to fulfill our obligation to provide assistance under your membership contract. Similarly, your payment data is used to bill you for the membership fee or paid services you have ordered. Without this information, we would not be able to register you, provide you with assistance, bill you correctly, or provide the expected service.
  • Administrative and accounting management and compliance with legal obligations – Certain processing is carried out because we are required to do so by law. For example, we retain billing data (e.g., invoices, payment details, accounting documents) for the legal periods in force in order to meet our tax and accounting obligations. Issuing invoices and keeping accounts involves processing your identity and billing data on the basis of our legal obligation (e.g., Article 16 of the Luxembourg Commercial Code requiring the retention of documents for 10 years from the end of the financial year). Similarly, ACL may process or communicate certain data in order to comply with other legal or regulatory obligations: responding to a request from the police or judicial authorities, managing safety recalls or mandatory campaigns concerning your vehicle, complying with insurance law (e.g., transmission of relevant data to the insurer in the context of legal assistance or travel insurance provided), or meeting the requirements of the Motor Sports Federation in terms of licenses and official classification. In all these cases, the legal basis for processing is compliance with a legal obligation to which the ACL is subject (Article 6(1)(c) GDPR).
  • Communication to members and information about ACL services (legitimate interest or performance of the contract) – As a mobility club, the ACL is committed to keeping its members informed about available services, events, and benefits that may be of interest to them. As part of your membership, you will receive communications about the Club and your benefits (e.g., invitations to the general meeting, new services offered to members, changes to the terms and conditions, the “ACL Infos” newsletter on mobility news, Autotouring magazine, etc.). These communications may be considered an integral part of your membership contract (member information and support) or justified by the ACL’s legitimate interest in promoting the mobility and safety of its members. The ACL ensures that these communications remain proportionate and in line with your expectations as a member. You can also object to these communications at any time if you consider them to be unwanted (see section “Individual rights”).
  • Prospecting and promotion to non-members (consent or legitimate interest) – The ACL may also contact people who are not yet members (e.g., prospects who have requested a brochure, website users who have agreed to receive the newsletter, non-member participants in a public event, etc.) in order to present its services, events, or promotional offers to them. In accordance with regulations, these commercial prospecting emails or text messages are only sent with your prior consent (e.g., by checking a box to subscribe to ACL communications on a form) or, in certain limited cases, on the basis of the ACL’s legitimate interest in promoting its mobility and tourism services. The latter case applies only if you have already expressed an interest in our services (e.g., request for information, participation in a mobility initiative) and the subject of the communication is directly related to them. In all cases, each marketing message includes a simple unsubscribe link allowing you to withdraw your consent or opt out of receiving further solicitations.
  • Service improvement and statistics (legitimate interest) – ACL constantly strives to improve its services and better understand the needs of its members and customers. To do this, we may analyze certain data: number of support calls and response times, benefit usage rates, satisfaction survey results, website traffic, etc. These analyses are carried out using aggregated or anonymized data as much as possible, without seeking to profile individual members. For example, the ACL compiles overall statistics based on all the services provided in order to tailor its offerings to members’ requests. Similarly, we may record telephone calls to the assistance center and store these recordings temporarily to evaluate the quality of our service and train our staff. The legal basis for this processing is the ACL’s legitimate interest in ensuring a high level of service quality, innovating, and remaining competitive, as long as your rights and freedoms do not override this interest. If you have any questions or objections regarding these analyses, you may of course object to them (see “Individual rights”).
  • Safety of persons and property, fraud prevention (legitimate interest) – Your data may be processed for the purpose of ensuring the safety of ACL services and facilities, as well as preventing possible abuse. For example, when accessing the karting tracks or workshops at the Maison du Motard, you may be asked to present your membership card or ID to verify your right of access. The ACL may also implement fraud control and prevention measures (e.g., to prevent misuse of assistance services or identity theft). Some of these activities may involve data processing (access logging, video surveillance of ACL local s with on-site signage, etc.) based on our legitimate interest in protecting our members, staff, and resources.
  • Other legal bases and specific purposes – In specific cases, the ACL may process your data on the basis of your explicit consent (e.g., processing health data for emergency medical assistance, use of certain analytical or advertising cookies – see cookie policy, publication of testimonials with your consent). Consent, when required, is collected in a clear manner and can be withdrawn at any time (without retroactive effect). Finally, we may process data to protect your vital interests or those of another person (legal basis of Article 6(d) GDPR), but only in life-threatening or safety-threatening emergencies (e.g., communicating vital medical information to first responders if you are unconscious in an accident).

In any case, the ACL undertakes not to further process your data in a manner incompatible with the purposes for which it was originally collected or for which you have given your consent. If we wish to use your data for a new purpose not covered by this policy, we will inform you in advance and obtain your consent if necessary.

  1. Data retention period

Your personal data is retained by the ACL for a period not exceeding that necessary for the purposes for which it is processed, subject to legal retention obligations. In general:

  • Member management data: Information related to your membership (identity and contact details, membership history, and service usage history) is retained for the duration of your active membership. When your membership ends (unsubscription, non-renewal), we archive your data for the time necessary to complete all termination formalities and settle any outstanding services. Beyond that, this data may be stored in an intermediate database for 10 years after the end of membership in order to protect the legitimate interests of the ACL (e.g., keeping a record of services rendered, facilitating re-membership) and for possible claims or disputes (contractual limitation period). After this period, the data is either deleted or truly anonymized.
  • Billing, accounting, and insurance data: All documentary data relating to financial transactions (membership invoices, invoices for services such as car rental, assistance reimbursement documents, receipts, etc.) are kept for 10 years from the end of the financial year in question, in accordance with Luxembourg commercial and tax law requirements. Similarly, if an insurance claim has been processed, we keep the files and supporting documents for the corresponding legal period (often 10 years, or longer if a dispute is ongoing).
  • Contact Center data (calls, requests): Telephone call recordings, where they exist, are kept for a limited period (usually 6 months), unless there is a specific incident that justifies longer retention (e.g., if a call concerns a dispute or accident under investigation). Tickets and requests sent via our forms or by email are kept for the time necessary to process them, then deleted.
  • Data related to assistance and mobility services: Roadside assistance reports (breakdowns, towing, etc.) and associated data (location of breakdown, vehicle repaired, etc.) are kept for an average of 10 years after the assistance file is closed. This allows us to analyze the quality of our interventions and to have a history in case of subsequent disputes. Vehicle technical diagnostic reports are kept for as long as necessary to provide you with follow-up service (e.g., comparison of history during a subsequent diagnosis) and in accordance with technical recommendations (usually a few years), unless you request otherwise.
  • Data relating to sporting activities and events: Information about your participation in ACL Sport competitions (results, rankings, penalties) or events/leisure activities (registrations for tourist rallies, workshops, etc.) may be kept for historical archiving purposes for as long as it is relevant for sporting or statistical purposes. For example, competition results may be published and remain accessible on the website or in our archives beyond the year of the competition, in the legitimate interest of preserving the club’s sporting history. If you wish to have your personal data deleted from a published result, you can request this and it will be assessed on a case-by-case basis (taking into account the public interest in sporting results).
  • Prospecting data and newsletters: If you are not a member and have provided us with your contact details to receive newsletters or offers, we will retain this data until you unsubscribe or for a period of 3 years after the last contact from you. If during this period you no longer show any interest (no interaction, no response to requests), your data will be deleted or archived anonymously. For members, contact details are kept for the duration of membership for the purpose of sending communications related to club services, unless you object.
  • Application data: If you apply for a position at ACL (via our website or otherwise), your data (resume, cover letter, etc.) will be kept for the duration of the recruitment process. If the application is unsuccessful, unless you consent to us keeping it for longer, we will destroy your data no later than three months after the end of the recruitment process. If you are hired, your data will be included in your personnel file and retained in accordance with applicable HR rules (outside the scope of this policy).

At the end of the periods mentioned above, personal data is either deleted from our systems or irreversibly anonymized so that it can be used for purely statistical purposes. In certain cases, specific legal obligations may require us to retain data for longer than the periods indicated (e.g., retention of a document related to a dispute until the end of the legal proceedings, which may exceed the limitation period under common law). In any event, the ACL undertakes to limit the retention period of your data and to carry out regular erasures or anonymizations in accordance with the regulations.

  1. Data recipients (sharing and disclosure)

Within ACL: Access to your personal data is strictly limited to ACL staff and departments who need to know it in order to carry out their duties. For example, the accounting/billing, roadside assistance, ACL Sport, communications/marketing, travel advice, and IT departments may receive some of your data, each for their own purposes. ACL ensures that these individuals are subject to confidentiality obligations and trained in data protection. Internal access to your information is restricted according to authorization rules so that each employee only sees the data necessary for their role.

Within the ACL group and affiliated entities: ACL works with trusted subsidiaries and partners to offer certain services. For example, ACL Services S.A. is an affiliated entity that may be involved in the management of the professional call center or other business services. Similarly, ACL may call on sister companies or partners in the context of organized trips, events (e.g., co-organizing a rally with another automobile club), or for the granting of certain negotiated member benefits. In such cases, data may be shared between ACL and the affiliated entity concerned, always in accordance with the intended purpose and confidentiality requirements. When these entities act as subcontractors on behalf of the ACL, a contract in accordance with Article 28 of the GDPR is in place to regulate the processing. When they act as joint controllers (e.g., joint organization of an event), you will be informed and the responsibilities of each party will be determined in a transparent manner.

External service providers (subcontractors): The ACL uses several external service providers to assist it in providing its services. These subcontractors, acting on our instructions, may have access to some of your personal data to the extent necessary for their mission. These include:

  • IT and hosting providers: for example, the host of the website and our databases, the publisher of our membership management software, IT maintenance providers, or the cloud solutions we use. These providers may process your data (storage, backup, etc.) for the sole purpose of ensuring the proper functioning and security of our systems.
  • Secure payment provider: when making online payments (membership, Clubmobil reservations, etc.), your banking data may be processed directly by a certified payment provider (e.g., a service such as PayPal, Stripe, or another bank) acting as the recipient of your transaction data. This provider guarantees the security of transactions and only communicates non-sensitive information (payment confirmation, whether provided or not) to the ACL.
  • Printers and mailers: for the postal delivery of the member magazine (Autotouring) or letters to members, the ACL may use a printing or postal delivery service provider. The latter only receives the necessary data (e.g., list of recipients’ names and addresses) and must treat it confidentially and delete it after delivery.
  • Marketing and communication service providers: these may be companies that manage the sending of electronic newsletters, satisfaction surveys, or promotional campaigns on our behalf. For example, if the ACL uses an external emailing platform to distribute its newsletter, your email address and possibly your name are uploaded to this secure platform. These service providers are not allowed to use your data for any other purpose.
  • Audience analysis providers and online tools: as detailed in the Cookies section, we use tools such as Google Analytics or Hotjar to understand how the site is used, as well as Intercom to offer an online chat feature. These services may involve the transmission of certain data (mainly technical or pseudonymous) to these providers. For example, Google Analytics collects information via cookies and generates statistical reports on website traffic for the ACL; Hotjar anonymously analyzes browsing behavior (mouse movements, clicks) to improve usability; Intercom processes the data you enter in the chat and technical information to enable live messaging. These companies act as subcontractors or separate controllers, as the case may be, and their own privacy policies apply in addition (see Cookie Policy). The ACL contractually ensures that these service providers guarantee a level of data protection in accordance with the GDPR, in particular when transfers outside the EU are involved (see section on transfers).
  • Other specialized subcontractors: these may include, for example, an event agency helping to organize a member event, a service provider providing contact center services outside office hours, a debt collection company in the event of non-payment, or any external expert linked to a particular service (e.g., an independent instructor running a course at the Maison du Cycliste, in which case they may have access to the list of participants). In all cases, these recipients only use your data for the purpose of the service entrusted to them and may not under any circumstances use it for their own purposes.

Partners and third parties related to the services requested: Depending on the services you use, ACL may also share certain data with third-party partners who then act as independent data controllers (or joint controllers), as they provide part of the service directly to you. This includes:

  • Roadside assistance partners: ACL is a member of the European ARC Europe network and collaborates with many other local automobile clubs and breakdown services around the world. This means that if you break down abroad, your relevant data (identity, membership number, location, vehicle, nature of the breakdown) will be sent to the partner club or local service provider to carry out the repair on site, including outside the EU if necessary (see international transfers). Similarly, in Luxembourg, the ACL uses approved breakdown services: they receive the information they need to locate you and assist you (vehicle, breakdown, contact details). All these parties are bound by a contract with the ACL that includes confidentiality clauses.
  • Garage owners, dealers, and technical specialists: following a repair or diagnosis, you may be offered the option of taking your vehicle to a partner garage. With your consent, ACL may provide this garage with basic information about the case (detected breakdown, vehicle type, etc.) to prepare for the repair. As part of the Diagnostic Center, if more extensive repairs are necessary, a technical report on your vehicle may be provided to a third-party repairer of your choice.
  • Insurance companies and brokers: several ACL services include an insurance component (e.g., repatriation or travel medical insurance, organized trip cancellation insurance, personal liability insurance offered to members in certain cases, or driver legal protection). When you make a claim under these guarantees, the ACL must provide the insurers concerned with the information required to open and manage the claim file. For example, in the event of a claim for reimbursement of medical expenses incurred abroad and advanced by the ACL, the supporting documents (invoices, medical certificates, etc.) will be sent to the insurance company covering this risk so that the ACL can be reimbursed. These recipients then process your data under their own responsibility (as insurers) and inform you of their terms and conditions where applicable.
  • Travel organizers, hotels, carriers: if you book a trip, accommodation, or ticket through our mobility/travel advisory services, we often act as an intermediary with other service providers (tour operators, partner travel agencies, airlines or rail companies, hotels, etc.). Your necessary data (travelers’ names, passport details where applicable, preferences) is then passed on to these third-party providers to make the booking on your behalf. They will only receive the essential data and are themselves bound by professional secrecy (particularly in the case of approved travel agencies) and compliance with the GDPR if they are subject to it.
  • Sports authorities and federations: within the framework of ACL Sport, if you participate in official competitions, ACL may be required to communicate certain data concerning you to the relevant national or international sports authorities ( .g., license registration with the FIA federation via ACL, transmission of race results for national rankings, etc.). These organizations will then process your data in accordance with their own regulations (you will be informed of this when you obtain your sports license).
  • Commercial partners offering member benefits: the ACL negotiates discounts and benefits for its members with partners (hotels, shops, leisure parks, etc.). In general, these benefits are granted upon presentation of the membership card directly to the partner, without any exchange of personal data from the ACL. However, if a benefit requires verification from us (e.g., a partner campaign requiring confirmation that a promo code corresponds to an active ACL member), we may confirm limited information to the partner (e.g., membership validity, without other personal details). This is only done if necessary and with security measures in place (often via an automated system rather than a manual exchange of personal data).

Apart from these cases, ACL never sells or rents your personal data to third parties for marketing or other purposes. Any transfer not listed here would only be made with your explicit consent or under a legal/administrative obligation. For example, the ACL may be required to disclose certain information to the police or a judicial authority upon legal request (e.g., as part of an investigation following a serious accident). In such a case, we would ensure that only the data specifically requested by the authority is provided, in accordance with the law.

Finally, the ACL may disclose data to its external advisors (lawyers, accountants, auditors) if this is necessary for the defense of its rights (e.g., management of a dispute with a member or supplier) or for audit obligations. These recipients are also bound by professional confidentiality.

  1. Data transfers outside the European Union

In general, the ACL prefers to store and process your personal data within the European Union, where the GDPR applies. However, certain processing operations may involve the transfer of data to countries outside the European Economic Area (EEA), particularly in the following situations:

  • Assistance abroad: If you request assistance outside the EU (e.g., breakdown while traveling in Russia, the United States, or elsewhere in the world), ACL will need to transmit your relevant data to the local service provider or partner automobile club involved, even if it is established in a country not covered by an adequacy decision of the European Commission. This transfer is necessary for the performance of the assistance contract you have with us (Article 49(1)(b) GDPR) and will be limited to the information that is essential (identity, location, problem encountered). Similarly, in the event of a medical emergency abroad, we may disclose vital data to local emergency services (Article 49(1)(f) – protection of vital interests).
  • Travel reservations outside the EU: When ACL helps you book tourist services in third countries (hotel, transportation, excursions outside the EU), your required data (personal details, contact information, passport number if requested, etc.) will be transmitted to the service providers or authorities in those countries, in accordance with your request. For example, if you book a hotel in Switzerland or the United States through our services, we will need to pass on your name and booking details to that hotel (this transfer is necessary to fulfill your booking). These providers are required to use this information solely for the purpose of providing the requested service.
  • IT tools and services: Some of our IT subcontractors or online tools may store or access data outside the EU. This is the case for Google or Hotjar (which may transfer data to the United States), Intercom (whose servers may be outside the EU), or other cloud service providers (e.g., Microsoft/Azure, Amazon AWS) that may have global infrastructures. The ACL ensures that, in such cases, appropriate safeguards are in place: either the country of destination has been granted an adequacy decision by the European Commission, guaranteeing an equivalent level of protection (e.g., Switzerland, Canada, or the new EU-US Data Privacy Framework, if applicable), or we have entered into Standard Contractual Clauses adopted by the European Commission with the recipient, accompanied by additional measures if necessary. These contractual mechanisms oblige the recipient to protect your data in accordance with European standards. In addition, where possible, we ask for your informed consent for such transfers. For example, by accepting analytical or interaction (chat) cookies on our site, you consent to certain associated data being processed by our suppliers located in third countries, such as the United States, despite the potential risks to your data (government access, etc.). You can, of course, refuse these cookies if you prefer to avoid such transfers (see Cookie Policy below).

In any event, data transfers outside the EU remain limited to the needs of the services you use or the obligations mentioned. ACL documents and supervises each transfer in accordance with Chapter V of the GDPR. If you would like to know more about the transfer of your data to a given country (in particular to obtain a copy of the safeguards implemented, such as standard contractual clauses), you can contact our DPO (see section 1).

  1. Your rights as a data subject

In accordance with data protection regulations, you have rights relating to the personal data we process about you. These rights may be exercised, within the limits provided for by law, under the conditions described below:

  • Right of access: You have the right to obtain confirmation that we hold personal data about you, and to receive a copy of it along with information related to its processing (purposes, categories of data, recipients, retention periods, etc.). Upon your request, the ACL will also provi you with a copy of the data being processed, in an understandable form, unless otherwise required (e.g., not affecting the rights of others).
  • Right to rectification: You may request the correction or updating of inaccurate or incomplete data concerning you. The ACL will ensure that any incorrect information is corrected as soon as possible once your identity has been verified (e.g., correction of your name, address, contact details, or update of your vehicle model). In addition, in your online customer area, you have the option of directly modifying and updating some of your basic personal data.
  • Right to erasure (right to be forgotten): In certain cases, you can have your personal data deleted, for example if it is no longer necessary for the purposes for which it was collected, if you withdraw your consent (for processing based solely on consent), or if you object to processing and there is no compelling legitimate reason to retain it. However, this right is not absolute—the ACL may have to retain certain data despite your request, in particular to comply with a legal obligation (e.g., not deleting an invoice before the tax deadline has expired), or for the establishment, exercise, or defense of legal claims. In this case, we will inform you of the reasons for this partial or total refusal.
  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data based on the ACL’s legitimate interest. If you exercise this right, we will cease the processing in question, unless we can demonstrate that there are legitimate and compelling reasons to continue (e.g., overriding legitimate interest or necessity for the defense of legal rights). Important: You may object without reason to the processing of your data for commercial prospecting or direct marketing purposes. In other words, whether you are a member or not, if you no longer wish to receive our newsletters, magazines, or commercial invitations, simply let us know and we will stop sending them (there is an unsubscribe link in every newsletter email to make this easy). The ACL will respect your choice as soon as possible.
  • Right to restriction of processing: This right allows you to request the temporary suspension of data processing in certain situations, for example while the accuracy of data you dispute is being verified, or in the event of unlawful use of your data but where you do not wish it to be erased (just frozen). When the restriction is granted, we may retain the data but no longer process it (except for storage) without your consent, with the exception of certain legitimate processing (defense of rights, etc.). If the restriction is subsequently lifted, you will be informed in advance.
  • Right to portability: For data that you have provided to us directly and that is processed automatically on the basis of your consent or a contract, you may request to receive it in a structured, commonly used, and machine-readable format so that you can transmit it to another data controller.  Where technically possible, you may also ask us to transfer it directly to that third party. However, this right does not apply to most of the ACL’s processing operations (as they are often based on legitimate interest or legal obligation), but could apply, for example, to your online account data or information provided for registration for an online event.

Exercising your rights: The rights listed above may be exercised free of charge (except in the case of manifestly unfounded or excessive requests) by contacting us at the following address: by mail to Automobile Club du Luxembourg – GDPR Manager, 54 route de Longwy, L-8080 Bertrange, Luxembourg, or by email to dpo@acl.lu. For security and confidentiality reasons, we may ask you to prove your identity (e.g., by providing a copy of your ID) in order to prevent your data from being disclosed to an unauthorized person. We will endeavor to respond to your requests as soon as possible and in any event within the one-month period provided for by the GDPR (which may be extended by two months if necessary due to the complexity or number of requests – in which case you will be informed of the extension).

  1. Data security

The Automobile Club du Luxembourg implements appropriate technical and organizational security measures to ensure a level of security appropriate to the risk presented by the processing of your data. Specifically, the ACL takes the following precautions:

  • Logical and IT security: use of firewalls and intrusion detection systems to protect the ACL network, website communication via an encrypted HTTPS/TLS protocol, robust password policies and secure storage (user and member passwords stored in hashed form), anti-virus software, and regular software updates. Sensitive data (e.g., payment information, medical documents) benefit from additional protection measures (field encryption, restricted access).
  • Access control and confidentiality: strict limitation of access to personal data to only those who need it, via individualized user rights and access traceability. ACL staff and our service providers are subject to confidentiality agreements and contractual data protection obligations. Internal training is provided to raise employee awareness of good security and data protection practices.
  • Physical security: protection of ACL premises and data centers hosting servers (building access control systems, video surveillance of certain sensitive areas, anti-intrusion and fire protection devices). Paper archives containing personal data are stored in secure cabinets or rooms.
  • Testing and maintenance: ACL ensures that its information systems are regularly tested, analyzed, and updated to prevent security breaches. Security audits and intrusion tests may be carried out periodically by specialized entities.
  • Incident management: despite all the precautions taken, no system is foolproof. The ACL has therefore implemented an internal procedure for managing incidents/breaches involving personal data. In the event of a proven breach of your data that could pose a high risk to your rights and freedoms (e.g., leakage of sensitive data), we undertake to inform you as soon as possible and to notify the competent data protection authority (CNPD) within 72 hours, as required by the GDPR. We will provide you with the necessary information on the nature of the data concerned and the measures taken to mitigate the effects.

The ACL would like to emphasize that the security of your data is an ongoing priority. However, everyone also has a role to play: it is your responsibility to keep your login details confidential (e.g., your MyACL account password) and to remain vigilant, particularly in the face of phishing attempts or other scams aimed at obtaining your information. The ACL will never ask you for your password by email or phone. If you have any doubts about the authenticity of a communication supposedly from the ACL, please do not hesitate to contact us directly.

  1. Policy on cookies and trackers

When you visit our website acl.lu or use the ACL mobile app, cookies and similar technologies may be stored on your device (computer, smartphone, etc.). A cookie is a small text file stored in your browser that allows your device to be recognized during subsequent visits. Cookies perform various functions: some are necessary for the website to function, others facilitate navigation by remembering your preferences, and others are used to analyze website traffic or offer you personalized content. A cookie itself does not contain any directly identifiable information, but it can associate your browsing with a unique identifier linked to other information stored on the server.

Your choice: When you first visit our site, a cookie banner is displayed to inform you about the use of cookies and ask for your preferences. You can accept all cookies, refuse them (except for strictly necessary cookies), or configure them in detail. You can change your choice at any time by using the Cookie Management module at the bottom of the page or by configuring your browser (see “How to refuse cookies” below). Please note that if you accept cookies by continuing to browse the site (implicit consent), we will consider that you consent to the use of cookies as long as you do not change your settings. If you refuse non-essential cookies, the site will remain accessible but some optional features may be degraded.

Cookies we use: Our site uses several types of cookies:

  • Strictly necessary cookies (technical cookies): These cookies are essential for browsing the site and enjoying its basic features. Without them, certain services (e.g., access to the secure member area, the contents of the shopping cart on the e-shop) would not function properly. For example, they are used to store your language preference from one page to another, to keep your session open during your visit (session cookie), or to balance the load on our servers. These cookies do not use personal data for marketing purposes and do not require your prior consent (their use is based on the legitimate interest of providing the service you request).
  • Functional and personalization cookies: These are cookies that are not essential but improve your experience. For example, a cookie may remember certain choices you make on the site (font size, display preferences) so that they are offered to you by default on your next visits. In the context of the ACL website, this type of cookie is fairly limited (mainly language, which is already covered by necessary cookies).
  • Audience analysis cookies: These cookies (analytics) collect information about how visitors use our site (number of visits, most viewed pages, browsing paths, error rates, etc.). The ACL uses Google Analytics, a service provided by Google, Inc. Google Analytics places cookies on your browser and collects information (such as your IP address, which is anonymized, the type of device, the pages visited, and the duration of your visit) in order to provide us with statistical reports on website traffic. This data helps us understand how the site is used and improve its content. Analytics cookies will only be placed with your consent. If you refuse them, your visit will not be included in our statistics. You can also choose to install the Google Analytics opt-out module available for your browser to block any collection by this tool, regardless of the site you visit.
  • User experience measurement cookies: In addition to Google Analytics, we use Hotjar, a tool for analyzing browsing behavior. Hotjar installs cookies that tell us how you interact with the site (mouse movements, clicks, scrolling). This allows us to improve the ergonomics of the pages based on the behaviors observed. Hotjar stores your IP address anonymously and does not provide us with any personal data about you, only aggregated information about interactions. Hotjar cookies are treated as analytical cookies and are subject to consent. Hotjar also offers an opt-out option on their site, which we respect if you activate it.
  • Chat and support cookies: We use an online chat service via the Intercom platform to allow you to chat live with our support teams from the website. When chat is enabled, Intercom may place cookies to remember yo r from page to page, keep a conversation history, and detect if you are a known user (e.g., if you are logged into the member area, Intercom may link your chat session to your account in order to better assist you). These cookies are related to the functionality of the site (customer support) and are only activated when you use the chat feature. Conversation data is processed in accordance with Intercom’s privacy policy.
  • Social media cookies: Our site may include social media modules (share buttons, links to our Facebook, Twitter, LinkedIn, YouTube pages, etc.). If you interact with these modules, cookies may be placed by the corresponding social media platforms, even outside our site. For example, the Facebook “Like” plugin or sharing via AddThis (a third-party sharing tool) may collect information about your browsing and associate it with your user profile on these platforms. These third-party cookies are subject to their own privacy policies, ACL has no direct control over them and does not receive any personally identifiable information from these cookies (except for any aggregated statistics provided by the platform). We invite you to consult the policies of Facebook, Twitter, Google/YouTube, LinkedIn, etc. to find out how your data is used via these cookies. You can refuse these cookies by not clicking on the share buttons or by logging out of your social media accounts when browsing our site.

Your consent: On your first visit, as long as you have not accepted or configured cookies, no non-essential cookies will be stored on your device. If you choose “Accept all,” you consent to all of the cookies described above. If you choose to refuse analytical and personalization cookies, only basic technical cookies will function. You can change this choice at any time via the “Cookie management” page (link at the bottom of the page). Please note that withdrawing your consent only has an effect for the future: cookies that have already been installed will remain until they expire unless you manually delete them from your browser.

How to refuse or delete cookies: There are several ways to control cookies:

  • Browser settings: Most browsers (Chrome, Firefox, Safari, Edge, etc.) allow you to manage cookies on a case-by-case basis or globally. You can configure your browser to systematically refuse cookies (or only third-party cookies), or to warn you before saving a new one. You can also delete all or part of the cookies already stored. As each browser has its own settings, we invite you to consult the corresponding help section (usually under “Privacy” or “Cookies” in the settings). Please note that blocking all cookies may disrupt the functioning of certain websites, including ours—for example, if you block session cookies, you will not be able to log in to the member area. ACL cannot be held responsible by for the consequences of refusing or deleting cookies that are necessary for your user experience.
  • Online tools: In addition to browser settings, you can use online services to manage your choices regarding targeted advertising and audience measurement cookies. For example, the YourOnlineChoices website (www.youronlinechoices.com/fr) offered by the EDAA brings together many advertising networks and allows you to refuse their cookies at once if you wish. Similarly, Google offers an “Opt-out” extension for Analytics. These tools have their limitations (they also rely on cookies to remember your refusal…), but can be useful.
  • Configuration via our website: As indicated, we provide a cookie management module on our website, allowing you to review your initial preferences. By clicking on “Cookie management” at the bottom of the page, you can view the list of cookies used and adjust your consent (enable/disable certain categories). This is based on an integrated technical solution that complies with the GDPR.

For more detailed information on the cookies we use and their characteristics (lifespan, specific purpose, origin), please visit our dedicated page or contact our DPO.

  1. Management of member profiles and the MyACL customer area

The ACL provides its members with a secure online customer area, called MyACL, accessible via our website or mobile app. This personal area allows you, as a member, to more easily manage your information and take advantage of our digital services. Here are a few points regarding the processing of your data in this area:

  • Account creation and access: When you join, a MyACL account is created and linked to your member profile. You receive or choose login credentials (e.g., your email address or member number and a password). These credentials are personal and confidential. It is your responsibility not to disclose them and to choose a sufficiently strong password. The ACL does not have access to your password in plain text (it is stored in encrypted form) and will never ask you for it through any channel. If you forget your password, a secure reset procedure is available.
  • Data displayed in your profile: Once logged in, you can view and modify certain information in your profile: your contact details (address, email, phone number), your communication preferences (newsletter subscription, language choice, etc.), information about your registered vehicles, your membership plan and its expiration date, your online order history (e.g., highway vignettes, e-shop products), and your service history (e.g., list of breakdown services you have used, diagnostic appointments made, etc.). This data comes from our member database and is updated in real time. The customer area is an interface that allows you to check the accuracy of your information and keep it up to date.
  • Modifying your data: Via MyACL, you can directly modify certain personal data concerning you. For example, you can correct your phone number, change your mailing address if you move, add or remove a vehicle from your list of covered vehicles, etc. The changes you validate are immediately recorded in our internal systems, without the need to contact us separately. For other types of more sensitive data (e.g., change of name following marriage, change of date of birth, etc.), or in case of difficulty, you may be asked to contact our services to provide proof before updating, in order to avoid any errors or fraud.
  • Online services: The MyACL space also allows you to access various online services without re-entering your information: route requests, service reservations (e.g., booking a karting session or a diagnostic), online payment of your membership fee, downloading useful documents (terms and conditions, insurance certificates, etc.). Each use of a service via MyACL generates data processing as described in this policy, exactly as if you had done so through another channel, with the difference that the digital channel facilitates processing. For example, if you order a highway sticker via your account, we will process your identity, address, and vehicle data to complete the order, just as we would have done by mail or at the counter. All interactions via the portal are tracked and secured.
  • Customer area security: MyACL is protected by enhanced security measures: encrypted connection (HTTPS), mechanisms to prevent unauthorized access (lockout after several failed login attempts, anti-bot captcha), connection logging to detect any suspicious activity, etc. However, it is essential that you contribute to this security by using a unique and complex password and by logging out after use, especially if you are using a public computer. If you suspect that an unauthorized third party has accessed your account, please notify us immediately so that we can take action (blocking the account, resetting the password, etc.).
  • Profiling: The member area itself does not perform profiling in the sense that no automated decisions about you are made solely on the basis of your profile data. Your account information is used primarily to present it to you and to facilitate your actions. The ACL may, at most, use certain profile data to better target its communications (e.g., not offering you motorcycle deals if you have only registered cars, or inviting you to an event close to where you live), but this segmentation remains manual or basic and has no significant legal effect on you. In particular, we do not automatically score our members or refuse service automatically. Any important decision (e.g., suspension of your membership for abuse) would involve human intervention and an individual review of your situation.
  • Closing your profile: If you cease to be a member or if you expressly request it, your MyACL account may be deactivated or deleted. In practice, when a membership ends, the account is first deactivated (you no longer have access, but the data remains stored for the post-membership retention period indicated above). The data is then archived or deleted as planned. If you request the deletion of your account while you are still a member, please note that we will still need to keep the information necessary to administer your membership offline. Furthermore, deleting the account will prevent the use of online services, but will not terminate the membership itself.

In summary, the MyACL member area is a tool provided for your convenience, and its use is optional. If you prefer not to use it, you can still interact with the ACL through traditional channels (phone, counter, mail) to obtain the same services. As the data in the customer area is taken from the central member database, not using the MyACL area does not prevent the ACL from processing your data in the normal course of membership. However, the customer area gives you more control and transparency over your own data. We encourage you to use it and to regularly check the accuracy of your information.

  1. Specific processing related to certain ACL services

In order to give you a complete picture, we detail below the specific processing features of certain key ACL services. These elements supplement the general information already provided:

 

  • Contact Center (call center): The ACL operates a contact center to respond to requests from its members and customers 24 hours a day. When you call our numbers (general or specific), Call Center staff may access your member file (if you provide your membership number or other identifying information) in order to process your request in a personalized manner. As mentioned, an audio recording of the call may be made for quality purposes. Contact Center agents also enter a report of your call into our system to ensure follow-up or traceability. This data includes the date/time of the call, the reason (request for information, complaint, assistance, etc.), and the response or action taken. If your call concerns a specific service (e.g., filing a complaint), the data may be forwarded to the relevant internal department (in this case, our quality department), which will contact you. Please note that ACL also offers call center services on behalf of business customers (B2B) via ACL Services S.A. In this case, the data processed belongs to the customer in question, with ACL acting as a subcontractor. This does not concern your member data, unless you work for a company that is a customer of the Call Center. In addition, the Contact Center may book additional services for you (taxi, hotel, replacement vehicle) if your l plan provides for this: in this case, your identity data may be communicated to the third-party providers providing these services (see section on recipients).

 

  • Roadside Assistance (24/7 mobility assistance): This flagship ACL service involves the processing of data in emergency situations. When you call the Contact Center for assistance (via 26 000 or via the eCall mobile app), we collect your real-time location data (breakdown address, GPS coordinates) as well as details about your broken-down vehicle (make, model, registration number) and the nature of the breakdown or accident. This information is forwarded to our internal patrol officers or partner breakdown services to enable a rapid response. Geolocation can be done either through the information you provide verbally or, if you use the app, by automatically sending your GPS position to the ACL teams. Location data is used solely to organize on-site assistance and is not stored beyond the processing of the incident (unless mentioned in the assistance report, e.g., “breakdown repaired at such-and-such location”). Calls to the roadside assistance service or contact center may be recorded as mentioned above, and the ACL may contact you afterwards to follow up on your satisfaction. Finally, please note that for the safety of our teams, ACL breakdown mechanics are equipped with geolocation systems in their vans, but this is for internal personnel management purposes and does not involve the processing of your data.

 

  • ACL Sport (sporting events and competitions): Through its sports commission, ACL organizes and supervises various motorsport activities (rallies, slaloms, karting, etc.) and represents the FIA at the national level. If you take part in these activities, we process specific data: event registrations (contact details, sometimes a copy of your driver’s license to verify eligibility, category of vehicle entered), issuance of sports licenses (information sent to the national/international federation, including a medical certificate of fitness if required for the type of license), management of rankings and penalties (points obtained, times achieved, ranking in the competition). This data is used to ensure fairness in sport and to monitor performance. Competition results (containing your name, race number, nationality, ranking, etc.) may be published on our website, social media, or in the specialist press as part of the promotion of motorsport. This is generally expected in the sporting context (legitimate interest in transparency of results) – however, if you are a non-licensed participant who does not wish to appear publicly, please let us know. ACL Sport may also keep a record of your participation and titles won, in particular to contribute to national statistics and the club’s history. In addition, in certain competitions, geolocation systems for race cars may be used for safety purposes (rallying) – this data is not used outside the context of the event. Finally, ACL Sport complies with current sports regulations: for ex , in the event of disciplinary proceedings or anti-doping controls, the necessary data will be processed and transmitted to the competent authorities in accordance with federal and legal obligations.

 

  • Maison du Cycliste & Maison du Motard: These ACL initiatives aim to promote soft mobility and safety for two-wheeled vehicles. The Maison du Cycliste offers bicycle training (learning to ride or getting back in the saddle, technical workshops) and community events around cycling, while the Maison du Motard offers motorcycle training (advanced skills, safety) and brings together the motorcycling community. If you participate in these activities, we collect your registration data: identity, contact details, level of experience, and possibly practical information (e.g., height to provide a suitable bike, type of motorcycle owned to tailor the training, etc.). This data is used to manage the logistics of the session (forming groups of similar levels, preparing equipment). You may also be asked to fill out a brief health questionnaire or mention any physical limitations so that the training can be adapted (e.g., indicate if you have heart problems for intense outings—purely voluntary). This information remains confidential and is intended solely for qualified instructors. After the training, we may keep a record of your participation and evaluate your feedback (satisfaction questionnaire) to improve our offerings. With your consent, we may also contact you about new sessions or invite you to join the community (e.g., via a dedicated cycling or motorcycling newsletter). Finally, during public events (e.g., supervised rides, mechanical workshops), photos/videos may be taken. The ACL ensures that image rights are respected: we avoid close-ups of individuals without permission. If a published photo depicts you and you wish to have it removed, you can request this.
  • Promotion of mobility (projects and municipalities): The ACL is actively involved in promoting sustainable and innovative mobility in Luxembourg. This involves pilot projects (e.g., testing electric vehicles, carpooling solutions, etc.), studies and surveys on travel habits, public or private conferences, or partnerships with municipalities to improve local traffic. In this context, the ACL may collect and process data from the public or participating volunteers. For example, we may launch an online survey of residents of a municipality on their modes of transport: the responses, possibly coupled with socio-demographic information (age group, postal code), are analyzed in aggregate form to formulate recommendations. Individual data from this type of study is anonymized as soon as possible. If you participate in a pilot project (e.g., electric bike loan for X weeks), we will collect your contact details for project management, usage monitoring (e.g., mileage readings, weekly feedback), and possibly geolocation data (if the project includes GPS tracking of the route for analysis of typical journeys, always with your consent). These projects are voluntary and with a specific framework (information form and specific consent). The results are generally published in statistical form and no personal data is disclosed publicly without authorization. Finally, in the context of actions with municipalities, the ACL may process data provided by the municipality (e.g., local accident data, road map) – in principle, this data does not contain any personal data, or if it does, it is anonymized.

 

  • Clubmobil (vehicle rental): The ACL offers a car rental service (“Clubmobil”) for its members and the general public, with vehicles available at preferential rates. When you make a vehicle reservation through Clubmobil, we collect the data necessary to manage the rental agreement: details of the main driver and additional drivers (last name, first name, date of birth, address, telephone number, email address), a copy of a valid driver’s license, as well as payment and security deposit information (e.g., credit card imprint). This data is essential for drawing up the rental agreement in the proper form (checking that you meet the conditions, minimum age, valid license, etc.) and for complying with the law (keeping a register of vehicle renters). During the rental period, we may record information about the use of the vehicle: mileage, dates and times of pick-up and return, condition of the vehicle (condition reports), incidents, or any fines. If the vehicle is equipped with a telematics or GPS system (e.g., to locate the car in case of non-return), this is used only when necessary and not to track your movements in real time. After the rental, your data is kept for the legal period (rental contracts = accounting documents) and to manage any disputes (damage discovered after the fact, fines received late – in the latter case, we will forward your contact details to the authorities upon request, in accordance with the highway code).

 

  • Communication (newsletter, magazine, events): The ACL communicates regularly with its members and subscribers through various channels. For the electronic newsletter (monthly or thematic newsletter), we use your email address and, where applicable, your preferred language. We track the effectiveness of these mailings in aggregate form (open rates, clicks on links) and, if you are a member, we may link this information to your member profile in order to tailor our content. Important: this tracking of responses to newsletters is used solely to improve the overall quality of the content (topics that most interest readers, optimal formatting, etc.) and not to profile you individually for advertising purposes. For example, if we find that a large proportion of members never click on “motorcycle” articles, we may decide to highlight them differently, but we will not target or exclude individual recipients on this basis. You can unsubscribe from the newsletter at any time via the link provided or by contacting us at in accordance with the section on the right to object. For the “Autotouring” magazine (or other current title), sent by post, we use your name and address. Printing and shipping are entrusted to a service provider as indicated above, under our control. If you no longer wish to receive the paper magazine, please let us know (some members choose to view it online only). Finally, when we organize promotional or social events (e.g., an open house, a mobility roadshow, etc.), we may use your contact information to invite you if you match the target audience (e.g., residents of a region for a local event, electric vehicle owners for an e-mobility event, etc.). These targeted mailings are based on objective criteria from your profile data, and you can of course refuse to receive this type of invitation. At events, we may ask you to register in advance (processing of your identification data) and, if necessary, to sign a liability waiver (this is the case, for example, for vehicle test drives). These documents are kept for the duration of the event and then archived as evidence in the event of an incident (statute of limitations).

 

  • Mobility/travel advice: This service includes the assistance provided by the ACL to help you plan your trips: route advice, tourist information, hotel reservations, travel insurance, etc. When you request a customized itinerary, you can do so via a web form or at an agency. We then collect your travel details (departure point, destination, desired stops) and your preferences (highways yes/no, desired visits, etc.), in addition to your contact details so we can send you the results. This travel information is not strictly “personal,” but we treat it with the same confidentiality. If you visit an agency for travel advice, the agent will be able to consult your past travel history with ACL (if available) to better guide you. With regard to travel insurance (cancellation, assistance, etc.), if you purchase these products through us, the necessary data (personal details, travel dates, insured amounts, persons to be covered) is shared with our partner insurer as explained above. We keep a copy of the insurance policy and your related declarations for the duration of the insurance and beyond if a claim occurs. Finally, if you take part in an ACL organized trip (e.g., group excursion), in addition to the data already mentioned for any reservation, you may be asked for specific information related to the trip: dietary habits or restrictions (for meal planning), passport number and expiration date (for group formalities), name of a person to contact in case of emergency during the trip. This data is collected in your interest, with your consent, and transmitted only to the relevant service providers (tour guide, hotel for menus, etc.). It is deleted after the end of the trip, unless it reappears on the contractual documents (the list of travelers may be archived with the trip file).

 

  • Diagnostic Center (vehicle technical diagnostics): ACL has a vehicle diagnostic center where members can have their vehicles tested and checked (battery, brakes, etc.) without waiting for the official technical inspection. If you use this service, we will record your appointment (date, time, type of diagnostics requested), along with your contact details for confirmation. During the diagnosis, technicians collect technical data on the vehicle using electronic tools (measured values, error codes, component status). A diagnostic report is drawn up, which may contain the chassis number (VIN) and registration number of the vehicle tested, as these details often appear on reports for identification purposes. This report is given to you and the ACL keeps a copy. Although this technical information relates to a vehicle, it is treated as personal data because it is linked to you (the owner/user). The ACL uses this data solely to: advise you on maintenance/repairs to be carried out, perform overall statistical analyses (e.g., “X% of vehicles tested have such and such a fault” – anonymously), and, if you wish, remind you of future checks (e.g., a reminder can be scheduled to check your battery again in 6 months). This data is not shared with third parties unless you request it (e.g., to send the report to your mechanic) or in exceptional safety cases (critical defect affecting road safety – in which case, with your consent, we may inform a competent authority).
  • Karting (ACL Karting in Mondercange): The ACL manages a karting track open to the public and members, with leisure sessions and friendly competitions. When you book a karting slot or participate in a race, we collect your identification data (last name, first name, date of birth to verify the minimum age or classify by age category, e.g., junior/adult) and your contact details (phone/email) for booking management purposes. You may be asked to sign a liability waiver before taking to the track, especially if you are a new participant, to certify that you are fit to drive and to inform you of the safety rules. If you are a minor, parental authorization is required and therefore the parent/guardian must provide and sign their contact details. During the activity, a timer records your lap times; at the end, a ranking for the session is established. These results (with your first name or pseudonym if provided) may be displayed on site and sometimes published on a screen or internal website to attract participants (ranking of the day, track record, etc.). If you participate in a karting championship or tournament organized by the ACL, you will be provided with specific rules regarding the use of your data (publication of rankings, podium photos, etc., similar to what is described for ACL Sport). Reservation data is kept for commercial and statistical purposes (attendance rates, number of laps completed), as well as to be able to contact you if necessary (e.g., lost property, or Covid health alert if applicable). The track regulations also require responsible behavior; in the event of an incident (accident, non-compliance with the rules), a report may be drawn up with your information for internal management and insurance purposes.
  • Accounting & billing: This is not a “service” for you per se, but an essential part of our processing. Whether for membership, participation in a trip, or any paid service, ACL generates accounting entries and invoices. This involves processing your data for billing purposes: issuing the invoice in your name (or in the name of your company if it is a B2B contract), mentioning your address, your membership number if applicable, details of the service and the amount due. We also record payments received (date, method, transaction reference). If you choose to pay by direct debit (SEPA), we process your IBAN and SEPA mandate to automatically collect the annual membership fee: this data is secured and transmitted to our banking partner on the due dates. For online card payments, as mentioned, we do not store card numbers ourselves; however, we do keep the transaction confirmation and the last 4 digits for reference purposes. The ACL may also, at your request, save certain payment methods for future use (e.g., linking your member account to a SEPA mandate or a credit card token) – this is done with your consent and the data is stored by the payment provider in tokenized form. All accounting transactions are kept for 10 years (see storage). Please note that for the management of unpaid bills or debt collection, if you do not pay an amount due despite reminders, the ACL reserves the right to transfer your file to a debt collection agency or a lawyer, which involves providing them with your contact details and the nature of the debt. Fortunately, this remains rare and proportionate (legitimate interest + obligation to perform the contract).

In summary, each of the specific ACL services mentioned above falls within the general purposes described in section 3. We wanted to provide these details in order to be transparent about what each service actually involves in terms of data. If you would like more details about a particular service, you can consult the specific terms and conditions for that service (available on our website or on request) or contact the manager of the service concerned directly. The ACL strives to clearly document its processing activities in each area of activity.

In addition, the ACL has recently begun deploying artificial intelligence (AI) solutions as part of its member retention analyses, commonly known as churn analysis. The aim of this approach is to anticipate the risks of non-renewal of membership by identifying, on the basis of objective and measurable data, the factors likely to influence member satisfaction or loyalty. The algorithmic models use various indicators such as the frequency and nature of service use (assistance, events, travel, training), interactions with ACL communication channels, renewal times, and changes in usage profiles over time. These analyses enable us to tailor our communication activities, optimize our service offerings, and improve the overall quality of our relationship with members.

 

The processing of data in this context is based on the legitimate interest of the ACL (Article 6(1)(f) of Regulation (EU) 2016/679 – GDPR), which is to ensure the ongoing satisfaction of its members, enhance the relevance of its services, and guarantee the sustainability of its associative model. This processing is governed by the fundamental principles of the GDPR, in particular purpose limitation, data minimization, accuracy of the information processed, and transparency towards data subjects (Article 5 of the GDPR). The data used comes exclusively from the ACL’s internal management systems and is not resold or exploited for commercial purposes by third parties.

In order to ensure exemplary compliance and ethical use of artificial intelligence, the ACL applies strict governance measures: control and traceability of access, detailed documentation of algorithmic logic, regular supervision of model performance, and continuous evaluation of their relevance to the objectives pursued. Furthermore, no automated decisions are made based solely on the results generated by AI: the analyses produced are used solely as a decision-making tool, enabling the ACL to focus its efforts on better understanding the expectations of its members.

  1. Changes to the privacy policy

This privacy policy may be amended to reflect changes in our processing practices or to comply with legal/regulatory changes. In the event of a substantial update (e.g., new purpose, new significant recipients, etc.), the ACL will inform you through the usual channels (e.g., announcement on the website, info in the newsletter, or direct email) and/or the next time you log in to the member area. We encourage you to check this page regularly to review the latest version in effect.

Note: Only the French version of this document is authoritative. The translation is provided for information purposes only.

Last update: October 6, 2025