Personal data

Last updated: January 2023

PURPOSE OF THIS POLICY

The Relyens group (made up of Relyens Mutual Insurance, its foreign branches and its subsidiaries), which has operations in various European Union countries, attaches great importance to the protection of personal data (hereinafter “PD”), particularly health data, which requires enhanced protection given its highly sensitive nature.

This policy summarises the commitments made by Relyens group companies to ensure that the PD they process remains secure and confidential, in compliance with the laws and regulations in force in each country in which they operate, notably:

  • The EU General Data Protection Regulation (GDPR) No. 2016/679 of 27 April 2016;
  • In France: Law no. 78-17 of 6 January 1978, as amended, relating to information technology, data and civil liberties;
  • In Italy: “Decreto Legislativo del 30 giugno 2003, n.196 e successive modifiche ed integrazioni”;
  • In Spain: “Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales”;
  • In Germany: “Bundesdatenschutzgesetz vom 30. Juni 2017 (BGBl. I S. 2097)”.

In this respect, Relyens group companies follow the European Data Protection Board’s guidelines and pay attention to instructions and recommendations issued by the competent authorities in their respective countries, which are as follows:

  • For France: the “Commission Nationale de l’Informatique et des Libertés”;
  • For Italy: the “Garante per la protezione dei dati personali”;
  • For Spain: the “Agencia Española de Protección de Datos”;
  • For Germany: the “Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen”.

Governance of personal data

Across the Relyens group, personal data governance is based on a set of procedures, including the following:

  • Policy for PD governance across Relyens group companies;
  • Internal personal data protection policy for employees;
  • IT user charter, governing the use of digital tools and data security.

In addition, the Relyens group has appointed a Group data protection officer (Group DPO) in charge of ensuring that group companies comply with regulations on personal data protection at all times.

The governance of the Relyens group also relies on Data Protection Officers (DPOs) appointed by each Data Controller as follows:

FOR FRANCE:

  • Relyens Mutual Insurance / Relyens Courtage / Relyens Technology Services (RTS): 18 rue E. Rochet – 69372 Lyon cedex 08
  • Relyens SPS / QualNet: Route du Creton – 18110 Vasselay

FOR ITALY:

  • Relyens Mutual Insurance – Rappresentanza Generale per l’Italia: Sede Secondaria: Via Carlo Imbonati, n.18 – 20159 Milano

FOR SPAIN:

  • Relyens Mutual Insurance: Paseo de la Castellana 110 – 28046 Madrid

FOR GERMANY:

  • Relyens Mutual Insurance Niederlassung Deutschland: Königswall 22 – 44137 Dortmund

Each DPO is responsible within their remit for regularly raising awareness on relevant issues among personnel who handle personal data.

Principles applicable to personal data processing

Purposes and lawfullness of personal data processing

PD is collected by Relyens group companies to fulfil specific objectives (purposes) which are systematically disclosed to data subjects.

The main purposes for which the PD collected is used are:

  • Underwriting and administration of insurance contracts (including implementation of pre-contractual measures);
  • Claims handling (including exercise of remedies and complaints management);
  • Provision of risk management services;
  • Marketing and sales prospecting activities;
  • Compliance with applicable legal, regulatory and administrative provisions.

Relyens group companies check that all their personal data processing operations are lawful. This lawfulness can be based on:

  • Implementation of pre-contractual or contractual measures (GDPR, Art. 6.1.b);
  • The consent of the data subject (GDPR, Art. 6.1.a);
  • The legitimate interest pursued by a Relyens group company or third party (GDPR, Art. 6.1.f);
  • A legal or regulatory obligation (GDPR, Art. 6.1.c).

Personal data collected

The main categories of PD collected by Relyens group companies are:

  • Identity data (name, address, etc.);
  • Data required for the underwriting and management of contracts and claims (*);
  • Data required to assess and award compensation for damages (*).
  • Data required to provide risk management services (*).

(*) including health data.

No personal data is collected without notifying the data subject.

Retention of personal data

Relyens group companies endeavour to set PD retention periods that are no longer than strictly necessary for the purpose concerned, in accordance with any statutory retention periods that may apply.

Disclosure of personal data

In view of, and depending on, the objectives pursued, personal data may be disclosed to Relyens group companies, and also, when the data concerns them, to partners, subcontractors, service providers, insurance brokers, reinsurers, professional bodies, insurance bodies, social bodies, individuals involved in the contract and duly authorised Authorities and third parties.

Security and confidentiality of personal data

Appropriate technical and organisational measures (such as the management of access rights/authorisations and pseudonymisation) are implemented across the Relyens group to ensure that PD remains secure and confidential. Given that all Relyens group companies are located within the European Union, personal data is not transferred in large amounts and/or regularly outside the European Union. However, if transfers of personal data outside the European Union are required, they are made only to countries with an adequate level of protection. Failing that, the transfer of personal data is subject to an appropriate management framework, after consulting the Relyens group DPO.

Communication on and management of individuals’ rights

Under current legislation, all individuals have the right to access, correct or delete their personal data, or to limit the processing thereof. Subject to specific exceptions relating to the type of processing concerned, all individuals also have the right to object to the processing of their PD (an absolute right in relation to sales prospecting) and/or the right to personal data portability.

Where personal data is processed on the basis of consent, the data subject may withdraw their consent at any time, without calling into question the lawfulness of the processing operations conducted prior to this withdrawal. To request to exercise their rights, data subjects can use the dedicated form or contact the data protection officer (DPO) of the company concerned directly:

FOR FRANCE:

  • Relyens Mutual Insurance / Relyens Courtage: by addressing an email to santesocial@relyens.eu or a letter for the DPO’s attention to: 18 rue E. Rochet – 69372 Lyon cedex 08;
  • Relyens Technology Services (RTS): by addressing an email to rts@relyens.eu or a letter for the DPO’s attention to: 18 rue E. Rochet – 69372 Lyon cedex 08;
  • Relyens SPS: by addressing an email to sps@relyens.eu or a letter for the DPO’s attention to: Route du Creton – 18110 Vasselay;
  • QualNet: by addressing an email to qualnet@relyens.euor a letter for the DPO’s attention to: Route du Creton – 18110 Vasselay;

FOR ITALY:

  • Relyens Mutual Insurance – Rappresentanza Generale per l’Italia: by addressing an email to privacy.it@relyens.eu or a letter for the DPO’s attention to: Sede Secondaria: Via Carlo Imbonati, n.18 – 20159 Milano

FOR SPAIN:

  • Relyens Mutual Insurance: by addressing an email to privacy.es@relyens.eu or a letter for the DPO’s attention to: Paseo de la Castellana 110 – 28046 Madrid

FOR GERMANY:

  • Relyens Mutual Insurance Niederlassung Deutschland:  by addressing an email to privacy.de@relyens.eu or a letter for the DPO’s attention to: Königswall 22 – 44137 Dortmund

If the data subject is not satisfied with the response provided by the Relyens group company concerned, they can refer the matter to the competent Supervisory Authority, as indicated in section 1) “Purpose of this Policy”.