Protecting your data is our priority

Auchan is committed to maintaining the confidentiality of your personal data. We are constantly improving our systems to ensure the protection of the data you provide us when using our services. Feel free to read our privacy policy to learn more about how we personnalise your experience with Auchan.

Protection of the customer data

We are committed to maintaining the confidentiality of your information in accordance with our customer privacy policy

Protection of the applicant data

We also maintain the confidentiality of your personal data when you apply for us in accordance with our privacy policy for applicants

Your personal data belong to you.

We process your personal information in conformity with regulations in effect applicable to the processing of personal information and, in particular, in conformity with the European Regulation relative to the protection of natural persons.


The new legislation on data protection

Since the first European directive of 1995 the technology progressed and continues to evolve more and more quickly. Many changes have taken place since and with this the need to adapt a legal framework in order to ensure optimal protection of people with regard to the processing of their personal data and with this their right to respect for their private life. It therefore appeared necessary for the European legislator to lay down, on the one hand, a strong protection framework for citizens while taking account of new technological developments, and, on the other hand, a harmonization of the rules in force in the different States members of the European Union.

It is with this in mind that the European Commission in 2012 initiated a reform of the existing legal framework, with the aim of adapting the rules. This reform led two texts on data protection which contains:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (repealing Directive 95 / 46 / EC), which provides for the general regime for the protection of personal data. It provides for an implementation period of two years and will come into force definitively from May 25, 2018.
  • Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of preventing and detecting infringements criminal proceedings, investigations and prosecutions in the matter or execution of criminal sanctions, and the free movement of such data (repealing Council Framework Decision 2008/977 / JHA).

Personal data

There are 3 types of personal data:

  • clear data: data allowing the immediate identification of a person.
  • pseudonymized data: possibility of identifying a person through a more or less significant search effort
  • anonymized data: total impossibility of establishing a link with a natural person

There is a particular category of data: sensitive data. These are the data relating to:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical convictions;
  • union membership;
  • health data;
  • sex life;
  • genetic data;
  • judicial data;
  • biometric data.

The processing of personal data

Processing is defined as any operation or any set of operations carried out or not using automated processes and applied to personal data or sets of data, such as collection, recording, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, reconciliation or interconnection, limitation, l ‘erasure or destruction.

The actors around personal data

  • The data subject: is designated by the term “data subject” any person who can be identified, directly or indirectly, by means of an identifier (for example, a name, an identification number or location data) or one or more specific elements specific to their physical, physiological, genetic, psychic, economic, cultural or social identity. In other words, a data subject is an end user whose personal data may be collected.
  • The third party: is a natural or legal person, public authority, service or body other than the data subject, the controller, the processor and the persons who, placed under the direct authority of the data controller or processor, are authorized to process personal data.
  • The supervisory authority: independent public authority responsible for monitoring the application of this Regulation, in order to protect the fundamental freedoms and rights of natural persons with regard to processing and to facilitate the free flow of data personal information within the European Union.
    In Luxembourg, it is the Commission Nationale pour la Protection des données (CNPD).
  • The data controller: the natural or legal person, the public authority, the service or another body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of this processing are determined by Union law or the law of a Member State, the controller may be designated or the specific criteria applicable to his designation may be provided for by law ‘Union or by the law of a Member State.
  • The processor: the natural or legal person, public authority, service or other body which processes personal data on behalf of the controller.
  • The data protection officer (DPO): The mission of the data protection officer within a company or organization is to ensure that it adequately protects personal data personnel of individuals, in accordance with the legislation in force.

What are your rights?

Anyone affected by data processing has a number of rights. These rights are greatly increased with the GDPR. This data protection legislation gives you rights to control the use of your own personal data:

1. The right to information

Who processes my personal data, why and how?

Companies or administrations must give you these elements in simple and clear language at the very moment of the collection of your data or, at the latest, within one month of the collection.

This right is limited in certain cases, for example for public security or the prosecution of criminal offenses.

In the event of a security breach resulting in a personal data breach liable to create a high risk for your rights and freedoms, the controller must inform you as soon as possible so that you can take the necessary precautions.

2. The right to contest a decision made on the basis of automated processes.

Your bank refuses you a consumer loan because the “system does not want”, what can you do?

Ask for explanations and if necessary contest this decision which was taken without human intervention. In fact, you have the right to be informed about the logic behind the decisions that are made on the basis of automated processes. The organization concerned must give you the opportunity to present your point of view and to challenge the decision, if necessary.

3. The right of access

You buy a product on the Internet and want to know what information has been kept by the online merchant?

Contact the controller directly, he must communicate all of your data to you.

4. The right of rectification

Have you noticed that any data concerning you is inaccurate, incomplete or just out of date?

Request the rectification of your personal data! Contact the controller to correct inaccurate information about you. This right prevents an organization from processing or disseminating false information about you.

5. The right to be forgotten

The conservation of certain data concerning you is no longer justified?

If the data controller no longer has any legitimate reason (for example legal obligations with regard to accounting) which justifies the retention of your data, this data must be deleted.

The right to be forgotten also allows you to demand the immediate withdrawal of personal data collected or published on a social network when you were a minor and not fully aware of the risks inherent in the processing.

6. The right to dereference

You are consulting a search engine (Google, Bing, Yahoo, etc.) and, when entering the combination of your first and last name, you find a search result that is incorrect or irrelevant?

Contact the search engine (check on its site, there is often a dedicated form) and ask for the dereference of the search result. It is necessary that you explain to the search engine why this result is no longer relevant or incorrect.

7. The right to data portability

Do you want to recover your data when you change operator online?

This right allows you to recover, free of charge, the data that you have communicated to an organization in a structured, commonly used and machine-readable format and, if necessary, to transmit it to another (social network, Internet service provider, site streaming, etc.) without the organization obstructing it.

The right to portability only applies if the data processing is:

  • performed using automated processes,
  • based on your consent or on a contract between you and the controller.
8. The right to object

Do you no longer wish to receive advertisements from a company? Do you no longer want to appear in your car dealer’s database?

Exercise your right to object directly to the controller if you have legitimate reasons.

You can object, without having to provide any justification, to the use of your data for commercial prospecting or canvassing with an ideological orientation (political parties, unions, religious groups, etc.)

You cannot object to processing provided by law.

9. The right to limitation

You notice that information concerning you is inaccurate or irrelevant. But rather than requesting deletion, would you prefer a limitation?

You can claim the blocking of the processing of your data:

  • when you dispute the accuracy of a data, the time that the controller can verify it;
  • if the processing is unlawful and you nevertheless oppose the erasure of your data, preferring such a limitation;
  • although no longer necessary, you need it for the establishment, exercise or defense of your legal rights;
  • In case of limitation, the data can no longer be subject to any processing. The limitation can be carried out in various ways (temporary movement to another file, data locking, temporary withdrawal from a website, etc.).

Are there specific rules regarding your child’s personal data?

The rules, rights and duties relating to the processing of personal data apply in the same way to minors and adults.

However, there are specificities concerning children:

  • the information transmitted to them must be written in a language understandable by them.
  • when the processing of personal data is based on the consent of the person, the consent of the parents is also required for children under 16 years of age.

What are the obligations to be observed by any data controller?

The legislation relating to the protection of personal data places a large number of obligations on the controller which can be summarized as follows:

  • respect all the legal rules laid down by the legislation relating to the protection of personal data at all times;
  • be able to demonstrate and document at all times its compliance with the legislation relating to the protection of personal data by appropriate technical and organizational measures;
  • ensure the security of the data processed. The controller must ensure that he only uses means that guarantee the confidentiality, integrity, availability and resilience of the processing systems;
  • ensure maximum data protection from the design stage and data protection by default;
  • choose (if applicable / if applicable) a subcontractor who offers sufficient guarantees and base his agreement with the subcontractor on a written contract containing confidentiality clauses.


Auchan Luxembourg has appointed a data protection officer who is available to answer your questions concerning the processing of your data. You can contact him:

  • by email: or ;
  • by phone: +352 43 77 43 26 57 or ;
  • by mail: 5, Rue Alphonse Weicker L-2721 Luxembourg.