Purpose of the policy
The Relyens group (made up of Sham, its foreign branches and its subsidiaries), which has operations in several European Union countries, attaches great importance to the protection of personal data (hereinafter “PD”), particularly health data, which requires enhanced protection given its highly sensitive nature.
This document summarises the commitments made by Relyens group companies to ensure that the PD they process remains secure and confidential, in compliance with the laws and regulations in force in each country in which they operate, notably:
- The EU General Data Protection Regulation (GDPR) No. 2016/679 of 27 April 2016;
- In France: Law No. 78-17 of 6 January 1978;
- In Italy: “Decreto Legislativo del 30 giugno 2003, n.196 e successive modifiche ed integrazioni”;
- In Spain: “Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales”;
- In Germany: “Bundesdatenschutzgesetz vom 30. Juni 2017 (BGBl. I S. 2097)”.
To this end, Relyens group companies follow the European Data Protection Board’s guidelines and pay attention to instructions and recommendations issued by competent authorities in their respective countries:
- For France: the “Commission Nationale de l’Informatique et des Libertés”;
- For Italy: the “Garante per la protezione dei dati personali”;
- For Spain: the “Agencia Española de Protección de Datos”;
- For Germany: the “Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen”.
Governance of personal data
Across the Relyens group, personal data governance is based on a set of procedures, including the following:
- Policy for PD governance across Relyens group companies;
- Internal personal data protection policy for employees;
- IT user charter, governing the use of digital tools and data security.
In addition, the Relyens group has appointed a data protection officer (DPO) in charge of ensuring that group companies comply with regulations on personal data protection at all times.
At the same time, a DPO has been appointed by each Data Processing Manager as listed below:
For France:
- Sham / Sham Vie / Sham Conseil: 18 rue E. Rochet - 69372 Lyon cedex 08
- Sofaxis / Neeria / Qualnet: Route du Creton - 18110 Vasselay
For Italy:
- Sham - Rappresentanza Generale per l’Italia: Via Barberini 67 – 00187 Roma
- Roberto Ravinale & Partners S.r.l.: Corso Galileo Ferraris 46 – 10129 Torino
For Spain:
- Sham España: Paseo de la Castellana 110 - 28046 Madrid
For Germany:
- Sham Niederlassung Deutschland: Königswall 22 - 44137 Dortmund
Each local DPO is also responsible for regularly raising awareness on relevant issues among personnel who handle personal data within their remit.
Principles applicable to personal data processing
Purposes and lawfulness of personal data processing
PD is collected by Relyens group companies to fulfil specific objectives (purposes) which are systematically disclosed to the individuals concerned.
The main purposes for which the PD collected is used are:
- Underwriting and administration of insurance contracts (including implementation of pre-contractual measures);
- Claims handling (including exercise of remedies and complaints management);
- Marketing and sales prospecting activities;
- Compliance with applicable legal, regulatory and administrative provisions.
Relyens group companies check that all their personal data processing operations are lawful.
This lawfulness can be based on:
- Implementation of pre-contractual or contractual measures (GDPR, Art. 6.1.b);
- Obtaining the consent of individuals concerned (GDPR, Art. 6.1.a);
- The legitimate interest pursued by a Relyens group company or third party (GDPR, Art. 6.1.f);
- A legal or regulatory obligation (GDPR, Art. 6.1.c).
Personal data collected
The main categories of PD collected by Relyens group companies are:
- Identity data (name, address, etc.);
- Data required for the underwriting and management of contracts and claims (*);
- Data required to assess and award compensation for damages (*).
(*) including health-related data.
No personal data is collected without notifying the individuals concerned.
Retention of personal data
Relyens group companies endeavour to set PD retention periods that are no longer than strictly necessary for the purpose concerned, in accordance with any statutory retention periods that may apply.
Disclosure of personal data
In view of, and depending on, the objectives pursued, personal data may be disclosed to Relyens group companies, and also, when the data concerns them, to partners, subcontractors, service providers, insurance brokers, reinsurers, professional bodies, insurance bodies and social bodies, individuals involved in the contract and duly authorised Authorities.
Security and confidentiality of personal data
Appropriate technical and organisational measures (such as the management of access rights/authorisations and pseudonymisation) are implemented across the Relyens group to ensure that PD remains secure and confidential.
Given that all Relyens group companies are located within the European Union, personal data is not transferred in large amounts and/or regularly outside the European Union.
However, if occasional transfers of personal data outside the European Union are required, they are made only to countries with an adequate level of protection. Failing that, the transfer of personal data is subject to appropriate management, approved by the Relyens group DPO.
Communication on and management of individuals’ rights
Under current legislation, all individuals have the right to access, correct or delete their personal data, or to limit the processing thereof.
Subject to specific exceptions relating to the type of processing concerned, all individuals also have the right to object to the processing of their PD (an absolute right in relation to sales prospecting) and/or the right to personal data portability.
For personal data processing requiring consent, the data subject is entitled to withdraw their consent at any time. The withdrawal of their consent will not affect the lawfulness of data processing requiring consent that was performed prior to consent being withdrawn.
To request to exercise their rights, data subjects can contact the data protection officer (DPO) of the company concerned:
- Sham / Sham Vie / Sham Conseil: by addressing an email to email@example.com or a letter for the DPO’s attention to: 18 rue E. Rochet - 69372 Lyon cedex 08 – France
- Sofaxis: by addressing an email to firstname.lastname@example.org or a letter for the DPO’s attention to: Route du Creton - 18110 Vasselay
- Neeria: by addressing an email to email@example.com or a letter for the DPO’s attention to: Route du Creton - 18110 Vasselay
- Qualnet: by addressing an email to firstname.lastname@example.org or a letter for the DPO's attention to: Route du Creton - 18110 Vasselay
- Sham - Rappresentanza Generale per l’Italia: by addressing an email to email@example.com or a letter for the DPO's attention to: Via Barberini 67 – 00187 Roma
- Roberto Ravinale & Partners S.r.l.: by addressing an email to firstname.lastname@example.org or a letter for the DPO's attention to: Corso Galileo Ferraris 46 – 10129 Torino
- Sham España: by addressing an email to email@example.com or a letter for the DPO's attention to: Paseo de la Castellana 110 - 28046 Madrid
- Sham Niederlassung Deutschland: by addressing an email to firstname.lastname@example.org or a letter for the DPO's attention to: Königswall 22 - 44137 Dortmund
If the data subject is not satisfied with the response provided by the Relyens group company concerned, they can refer the matter to the competent Supervisory Authority, as indicated in section 1) “Purpose of this Policy”.