1. Introduction
This Privacy Policy (the “Policy”) explains how AUTOGLAS LUXEMBOURG, IMPORT-EXPORT S.à.r.l., a company registered in Luxembourg with registration number B39730, located at 43, Rue de Luxembourg; L-8077 Bertrange, Luxembourg (hereinafter “we”, “our”, or “Autoglas”) collects, uses, stores, and otherwise processes personal data.
By “personal data” we mean any information relating to an identified or identifiable natural person.
The processing of your personal data is governed by different legal texts, including the following:
- EU Regulation 2016/679 of 27 April 2016 (the “GDPR”);
- The Luxembourg Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection framework (the “Luxembourg Data Protection Law”);
- The Luxembourg Law of 30 May 2005 on specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector;
- Any other applicable Luxembourg legislation implementing EU privacy directives (together the “Applicable Law”).
Please read this Policy carefully before sharing your personal data with us. We reserve the right to update this Policy to remain compliant with the Applicable Law or to reflect changes in our practices. The latest version is always available free of charge at www.autoglas.lu.
2. Data Controller
Autoglas is the data controller responsible for the personal data described in this Policy. As data controller, we determine the purposes and means of processing your personal data.
Contact details for data protection queries:
- By post: Autoglas Luxembourg, 43, Rue de Luxembourg; L-8077 Bertrange, Luxembourg
- By e-mail: info@autoglas.lu
- By telephone: +352 290 150
We may engage third-party processors to process personal data on our behalf. Where we do so, we ensure that appropriate data processing agreements are in place and that processors provide sufficient guarantees regarding technical and organisational security measures as required by Article 28 GDPR.
When we handle a job involving your insurer, we and the insurer each act as separate, independent controllers, each for our own purposes. We remain responsible for the processing described in this Policy.
3. Your Rights
Under the GDPR and the Luxembourg Law of 1 August 2018, you have the rights set out below. To exercise any of these rights, please submit a written, dated, and signed request:
- By post: Autoglas Luxembourg, 43, Rue de Luxembourg; L-8077 Bertrange, Luxembourg
- By e-mail: info@autoglas.lu
We will respond to your request as soon as possible and within one (1) month of receipt. In complex or high-volume cases, we may extend this period by a further two months, in which case we will inform you within one month of receiving your request. We may ask you to provide proof of identity; we will only request information reasonably necessary for this purpose.
3.1 Right of access (Article 15 GDPR)
You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data together with information about: the purposes of processing; the categories of data; the recipients or categories of recipients; the planned retention period; the existence of automated decision-making including profiling; and your rights to rectification, erasure, restriction, and to lodge a complaint.
3.2 Right to rectification (Article 16 GDPR)
If your personal data is inaccurate or incomplete, you have the right to have it corrected or completed without undue delay.
3.3 Right to erasure – “right to be forgotten” (Article 17 GDPR)
You may request the deletion of your personal data where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal basis for processing; you object to processing based on legitimate interests and no overriding grounds exist; you object to processing for direct marketing purposes; the data has been unlawfully processed; or deletion is required to comply with a legal obligation. We may be unable to delete data needed to initiate or defend legal proceedings or where retention is required by Luxembourg or EU law.
3.4 Right to data portability (Article 20 GDPR)
Where processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
3.5 Right to object (Article 21 GDPR)
You have the right to object at any time to processing based on our legitimate interests (Article 6(1)(f) GDPR), including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. You have an unconditional right to object to processing for direct marketing purposes at any time.
3.6 Right to restriction of processing (Article 18 GDPR)
You have the right to request that we restrict processing of your personal data where: you contest its accuracy and we need to verify it; the processing is unlawful and you prefer restriction to erasure; we no longer need the data but you require it for legal claims; or you have objected to processing and are awaiting the outcome of the balancing assessment.
3.7 Right to lodge a complaint
If you remain unsatisfied with our response, you have the right to lodge a complaint with the Luxembourg supervisory authority, the Commission Nationale pour la Protection des Données (the “CNPD”), at any time. Contact details are provided below:
Address: 15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg
Telephone: +352 26 10 60 1
E-mail: info@cnpd.lu
Website: www.cnpd.lu
You also have the right to seek an effective judicial remedy before the competent courts in Luxembourg.
4. Personal Data We Collect and Why
We process personal data only to the extent necessary for the purposes described below.
4.1 Categories of data and purposes
| Category | Data collected | Purpose |
|---|---|---|
| Identity | Name, first name, address, city | Necessary to arrange a mobile appointment, send contract-related documents, and invoice. |
| Identity | Licence plate / chassis number | Used to verify glass-damage insurance coverage and order the correct windscreen model. |
| Contact | E-mail address | Used to confirm appointments and, where a valid legal basis applies, to send commercial communications (see section 4.2(c)). |
| Contact | Telephone number | Used to contact you regarding your appointment and, where applicable, for service follow-up. |
| Preference | Language | Used to communicate with you in your preferred language. |
| Connection data | IP address | Used, where you have given prior consent to the relevant cookies (see section 7), to remember your preferences and compile website usage statistics. |
| Profiling | Main area of interest (via cookies) | Only collected where you have given prior consent to analytics or advertising cookies (see section 7). |
| Insurance | Policy number | Noted on the work order where the vehicle is insured against glass damage. |
We do not process special categories of personal data (Article 9 GDPR). We do not carry out automated individual decision-making that produces legal or similarly significant effects (Article 22 GDPR).
4.2 Legal bases for processing
We rely on the following legal bases under Article 6 GDPR:
(a) Performance of a contract (Article 6(1)(b) GDPR)
We process identity, contact, vehicle, and insurance data to the extent necessary to enter into and perform our service contract with you. This includes responding to enquiries, assessing insurance coverage, arranging appointments, executing the repair or replacement, invoicing, and maintaining customer records. If you do not provide required data, we may be unable to provide the requested service.
(b) Compliance with a legal obligation (Article 6(1)(c) GDPR)
We may process certain personal data to comply with Luxembourg legal obligations, including accounting and tax obligations under the Luxembourg Commercial Code (Code de commerce) and applicable legislation.
(c) Legitimate interests (Article 6(1)(f) GDPR)
We process certain data for the following legitimate interests, after having carried out a balancing assessment to ensure a fair balance with your rights and freedoms:
- To keep you informed about relevant news, products, and services where you have an existing relationship with us and have not objected (see section 3.5 for your right to object at any time).
- To compile anonymised or pseudonymised statistics, conduct market research, and analyse marketing campaign effectiveness.
- To track business activity (call volumes, website visits, sales) for internal management purposes.
- To establish, exercise, or defend legal claims, including debt collection.
- To improve our services, including through optional call recording (you are always informed at the start of a call).
(d) Consent (Article 6(1)(a) GDPR)
Where we rely on your consent as a legal basis (e.g. for certain marketing communications or non-essential cookies), we will obtain your prior, freely given, specific, informed, and unambiguous consent. You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
(e) Sending commercial electronic communications
We may send you commercial e-mails where one of the following applies:
- You have given us your prior, freely given, specific, informed, and unambiguous consent (opt-in); or
- You are an existing customer, the communication concerns similar products or services to those you have already purchased, and you have been given a clear and easy opportunity to opt out both at the time of data collection and in every subsequent communication (soft opt-in, in accordance with Applicable Law).
Every marketing e-mail includes a free and easy “Unsubscribe” link. You may also object at any time using the contact details in section 2.
4.3 How we share your data
We share your personal data only as described below and in accordance with Applicable Law:
(a) Within Autoglas
Your data may be accessed by internal departments where necessary for the performance of our contract or other legitimate purposes described above.
(b) Third-party service providers (processors)
We may share data with carefully selected third-party processors that assist us with: website development and maintenance; marketing, events, and customer communications; statistics and reporting; document printing and production; IT support, security, and business operations. All processors are bound by data processing agreements compliant with Article 28 GDPR and may only process data in accordance with our instructions.
(c) Business partners acting as independent controllers
When we act as an intermediary for a business partner (e.g. an insurance company), we may share data with that partner in accordance with their instructions. In such cases, the partner is another (independent) data controller for that processing.
4.4 Source of your data
We usually collect your personal data directly from you. In some cases, typically where your repair or replacement is covered by insurance, we also receive personal data about you from your insurer, including your identity and contact details, vehicle data and policy/claim information.
5. Retention Periods
We retain personal data only for as long as necessary for the purposes for which it was collected, subject to any applicable legal retention obligations under Luxembourg law. The following retention periods apply:
| Data / purpose | Retention period |
|---|---|
| Customer contract data (identity, contact, vehicle, insurance) | Duration of the contractual relationship + 10 years (Luxembourg statutory limitation period for contractual claims under the Luxembourg Code de Commerce). |
| Marketing communications (e-mail address) | Until you unsubscribe or object, whichever is earlier. |
| Website analytics / connection data (IP address) | Maximum 14 months from collection (in accordance with CNPD guidance on analytics cookies). |
| Accounting and invoicing records | 10 years from the end of the financial year (Luxembourg Commercial Code, Article 16, and applicable fiscal legislation). |
| Call recordings | Maximum 3 months unless required for a pending complaint or legal claim. |
After the applicable retention period, data is either deleted or anonymised. Where we retain data beyond the active processing period for archival or legal purposes, access is restricted to authorised personnel only.
6. Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. These measures include, but are not limited to:
- Encryption of data transmissions, including financial information (TLS/SSL with a certificate issued by a recognised certification authority).
- Anti-virus software, firewalls, and access controls.
- Role-based access management and confidentiality obligations for employees and suppliers.
- Regular security reviews and supplier due diligence.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNPD within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34 GDPR.
7. Cookies and Similar Technologies
Our website (www.autoglas.lu) uses cookies and similar tracking technologies. A cookie is a small text file stored on your device when you visit a website.
7.1 Types of cookies we use
| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Required for the website to function (e.g. session management, language preference). Cannot be disabled. | No – exempt under Luxembourg ePrivacy law |
| Functionality | Used to remember visitor information on the website (e.g. language, timezone, enhanced content). | Yes – prior consent required |
| Performance | Used to see how visitors use the website (e.g. analytics cookies). These cookies cannot be used to directly identify a visitor. Provider: Google Analytics (Google LLC, USA). For more information, see the Google Privacy Policy at policies.google.com/privacy. | Yes – prior consent required |
| Targeting | Used to identify visitors between different websites (e.g. content partners, banner networks). These cookies may be used to build a profile of visitor interests or show relevant advertisements on other websites. | Yes – prior consent required |
| Unclassified | Cookies that have not yet been assigned to a category or are in the process of categorisation. These cookies are treated as requiring prior consent until classified. The cookie list is updated regularly by our cookie management provider (CookieScript). | Yes – prior consent required |
7.2 Cookie consent
In accordance with the Luxembourg Law of 30 May 2005 on electronic communications in the information society, we will only place non-essential cookies after you have given your prior, freely given, specific, and informed consent via our cookie consent banner. You may accept all, reject all, or configure your preferences by category.
Our cookie consent banner is managed by CookieScript (UAB “Inovirtual”, Lithuania), which acts as a data processor on our behalf.
You may withdraw or modify your cookie consent at any time by clicking the “Cookie settings” link in the footer of our website, or by adjusting your browser settings. Note that disabling certain cookies may affect the availability of some website features.
Our website uses Google Analytics (provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to compile aggregated website usage statistics. Tracking is implemented via server-side tagging, which means data is collected using first-party cookies set on our domain before being forwarded to Google Analytics.
Google processes analytics data on our behalf to provide analytics services. Data may be transferred to the United States. Google LLC participates in the EU-U.S. Data Privacy Framework. For more information, please see Google’s Privacy Policy at https://policies.google.com/privacy.
8. What is our policy on data concerning minors?
Our website and services are not targeted to minors. If you learn that your minor child has provided us with their personal data without your consent, please contact us (see our contact details under section 2 above).
9. What happens in the event of a change to this Policy
Should we plan to use personal data for a new purpose or change our privacy policy in any other way, we will update this Policy and you will be notified through our website or by message. We recommend that you check this page regularly. The date of last amendment of this Policy is shown at the top of the document.
10. What to do in case of dispute?
In the event of a dispute arising between us, we are committed to prioritising dialogue and good faith in seeking an amicable resolution.
This policy was last reviewed on the 24 June 2026. Autoglas reserves the right to update this Policy at any time. The current version is always available at www.autoglas.lu.