Introduction

The purpose of this policy is to establish rules for personal data processing and private rights compliance in respect of all Gerep-managed data. The official legislation underlying this policy is the GDPR (General Data Protection Regulation) and the French Data Protection Act (“Loi Informatique et Libertés”). The concepts referred to in this policy, including ‘processing’, ‘personal data’, ‘data subjects’ and ‘data controller’, are defined in the GDPR.
Gerep strives to safeguard confidentiality of personal data that the firm processes as part of its ongoing customer services.

Main data protection terms

• GDPR is the EU’s General Data Protection Regulation plus transposed legislation in EU member states where Gerep operates.
• Data Controller is an entity that collects and stores personal data. It decides what personal data it collects about you and how such data is used. Any insurance firm that uses your personal data for the purposes set out below under “How we use and disclose your data”, may be a data controller.
• Personal data means all data from which you can be identified and that relates to you. It may include data on any insurance claim you have made.
• Personal data processing includes collection, use, storage, disclosure or erasure of your personal data.

Data controller identity and contact details

The data controller for personal data we collect when providing our services is Gerep, 4 rue de Vienne, 75008 Paris, France.

Personal data that may be processed

We collect and process the following personal data:
• Private data: name, address (and proof of address), other contact details (e.g. email and phone numbers), gender, marital status, family information, date and place of birth, employer, job title and career experience, relationship with the insured, beneficiary or claimant.
• Identification data: identity numbers issued by government agencies (e.g. depending on your resident country, social security or national insurance number, passport number, ID card number, tax identification number and driving license number).
• Financial data: payment card number, bank account number and account information, income data and other financial data.
• Insured risk: data relating to the specific risk insured.
• Special personal data categories: the following data is considered to fall under a special personal data category:

o Medical data: current or past physical or mental health conditions, state of health, information about injuries or disabilities, medical procedures performed, relevant personal habits (e.g. smoking or alcohol consumption), medical prescriptions, medical records;
• Policy information: information on quotes that people receive and policies they take out.
• Previous claims made: information on previous insurance claims, which may include special personal data categories (as defined above).
• Claims outstanding: information on outstanding claims, which may include special personal data categories (as defined above).
• Marketing data: whether or not people have consented to receive our and third party marketing.

Processing of special data categories is prohibited unless:

  1. The data subject has given their express consent to processing of relevant special data categories, and such consent is valid under applicable law and regulations; or
  2. Processing is necessary for purposes of complying with the data controller’s or the data subject’s specific rights and duties pursuant to employment, social security and welfare law, insofar as is authorised by applicable legislation subject to adequate guarantees; or
  3. Processing of special data categories is necessary for preventive or occupational medical purposes, assessment of a worker’s capacity for work, medical diagnosis, health or social care or healthcare systems and services or social welfare management pursuant to EU or a member state law or a contract concluded with a healthcare professional and is subject to conditions and guarantees, where such data is processed:
    o by a health professional subject to a duty of confidentiality, or by another person also subject to a duty of confidentiality; or
    o where processing is necessary to protect public health under EU or a member state law, which provides for appropriate and specific measures for the protection of the rights and freedoms of the person concerned, including a duty of confidentiality; or
  4. Processing is necessary for public archive purposes, for scientific or historical research purposes or for statistical purposes, in accordance with EU or a member state regulations or law, which must be proportionate to the objective pursued, respect essential data protection rights and provide for appropriate and specific measures for the protection of the data subject’s underlying rights and interests.

Sources of personal data
We collect personal data from various sources, including (depending on your country of residence):
• You and your family, online, by phone or written correspondence;
• Your employer(s);
• In the event of a claim, a third party, including claimant, defendant, witnesses, experts (including medical experts), adjusters, lawyers and claims administrators;
• Other insurance firms, such as insurers, reinsurers and other brokers;
• Any anti-fraud database and other third-party databases, including lists of sanctions;
• Government agencies including tax authorities;
• Claim forms.

How we use and disclose your data – data relevance

Your data is collected and processed in a fair and lawful manner. This policy forms part of our transparency approach.

• Data must be adequate, relevant and not excessive in relation to the purposes for which it is collected.
• The collection and processing of your personal data is necessary for Gerep to manage and fulfil your contract.
• Personal data is collected for specific purposes and distributed to relevant people. It must not later be used in a way that is incompatible with said purposes.
• Personal data is collected fairly; this means data is never collected without those persons being informed.
• The General Data Protection Regulation (GDPR) sets out the “lawful grounds” on which companies may process personal data; personal data may be processed only where one of those grounds applies.

Please note that in addition to the disclosures set out in the table below, and with due regard to the purposes specified herein, we may disclose personal data to third-party firms that perform services on our behalf. Gerep also requires that all such service providers provide appropriate guarantees to secure the privacy and confidentiality of personal data.

| Stage | Purpose of processing | Legal grounds | Disclosures |
|---|---|---|---|
| Quotes / Effective date | Establish customer relations, including checks for fraud, money laundering and sanctions. | Performance of our contract. Compliance with legal duties. | Anti-fraud databases. |
| Policy management | Various customer services, including customer communications. | Performance of our contract for our legitimate interests (correspondence with you, beneficiaries and claimants in order to examine insurance policy claims). | |
| Policy management | Premium collection or refunds, claim settlement and handling and other payments. | Performance of our contract for our legitimate interests. | Insurers. |
| Claims handling | Management of insurance claims. | Performance of our contract for our legitimate interests. | Insurers, claims handlers, lawyers, claims adjusters, third-party experts involved in handling or processing claims (such as healthcare professionals). |
| Claims handling | Investigate fraud and impose sanctions. | For our legitimate interests or compliance with legal duties. | Insurers, lawyers, the police, experts, other insurers, anti-fraud databases, third parties involved in investigations or lawsuits such as private investigators. |
| Renewal | Transfer of company assets, company sales and reorganisations. | For our legitimate interests (structuring our business appropriately), or compliance with a legal obligation. | Group companies, courts, potential and actual buyers. |
| Renewal | General risk modelling. | For our legitimate interests (set up risk models for placing a risk with appropriate insurers). | |
| Renewal | Compliance with legal or regulatory obligations. | Compliance with legal obligations. | Insurance, data protection and other regulators, police, insurers. |

Health data processing
In strict compliance with our corporate object, we may be required to process data concerning your health and notably process your medical records. On this point, in addition to respecting the principles set out above, we pay particular attention to data collection methods and to ensuring enhanced security measures.
Your medical records are covered by patient confidentiality. They are only intended for our Medical Dept. and for any person under the responsibility of the Chief Medical Officer.

Consent
The processing of data concerning the health of an insured person, sensitive data within the meaning of the Data Protection Act and the GDPR, is subject to their prior written consent. In practice, signing an insurance policy is equivalent to receiving consent for us to process health data for the purposes of said policy. For any other service requiring such data processing, specific consent is required.
For marketing and PR purposes, we need your prior consent.
You, as well as anyone other than yourself, may at any time withdraw your consent to personal data processing. However, this may prevent us from continuing to offer our services.

Data retention period
We undertake that data collected will be kept in a form that identifies you for a period not exceeding the period necessary for the purposes for which said data was originally collected and processed.
Under management of complementary health insurance schemes and related services, data mentioned above in this data privacy policy are kept for 10 years after policy expiry in accordance with the duration necessary for policy performance. The retention periods must also allow for compliance with the statute of limitations as prescribed in France’s Mutual Societies Code, Insurance Code and articles 2219 et seq. of the Civil Code.
Under our website management procedures, account statements, statements of change of situation and data mentioned above in this data privacy policy are kept for 2 years.

Security measures
We aim to always store your personal data in the safest and most secure manner, and only for the time necessary to achieve the purpose of processing. As such, we take appropriate physical, technical and organisational steps to prevent as far as possible any alteration or loss of your data or any unauthorised access thereto. Such security measures vary depending on the degree of personal data sensitivity, format, location, quantity, distribution and storage. They include steps to protect personal data against any unauthorised access. Where applicable, security measures will include communications encryption via SSL, a firewall, employee training, access controls, segregation of duties and similar security protocols.
We restrict personal data access to staff and third parties who need access thereto for legitimate, relevant and professional purposes.

Data collection and retention limits
We collect, use, disclose and process personal data that is necessary for the purposes determined herein or as permitted by law.
Our personal data retention periods are based on business and legal requirements. We keep personal data for as long as necessary for the processing purposes for which it was collected and for any other permitted and related purpose, or as required by law. For example, we may retain some transaction data and associated correspondence, until the end of the insurance claim associated with said transaction or to comply with data retention regulatory requirements. Should personal data no longer be required, either we irreversibly anonymise it (and we may continue to store and use it), or we definitively destroy it.

Cross-border transmission of personal data
We do not transmit personal data to countries outside the European Economic Area (EEA).
You may request additional information on the specific protection measures applied when exporting your personal data by contacting the data protection officer at the address below.

Accuracy, responsibility, openness and your rights
We make every effort to keep the personal data we hold accurate, complete and current. Please contact us using the contact form on our website http://www.gerep.fr/fr/contact to update your personal details.
Questions about our privacy practices should first be addressed to our Data Protection Officer. In some circumstances, you are entitled to ask us to:
• Provide further details on how we use and process your personal data;
• Provide a copy of your personal data that we keep;
• Correct any inaccuracies in the personal data we hold;
• Delete personal data for which we no longer have a lawful basis justifying processing;
• Withdraw consent, if processing is consent based;
• Oppose any processing of personal data that we justify on lawful grounds as “legitimate interests”, unless our reasons for undertaking such processing outweigh any damage to your privacy; and restrict the way we deal with personal data while we review your request.

Your rights may be subject to some exceptions to protect the public interest (e.g. to prevent or detect illegal activity) and our interests. We respond to most queries within 30 days.

If we are unable to respond to a request or complaint, you may contact:
CNIL
3, place de FONTENOY TSA 80715
75334 PARIS CEDEX 07

Questions, requests or complaints
To submit questions or requests regarding this Data Privacy Policy or our privacy practices, please write to the local representative of our Data Protection Officer:

Gerep

Délégué à la Protection des Données
4, Rue de VIENNE
75008 PARIS

Amendments to this data privacy policy
This policy may change at any time and was last updated as of 24 May 2021. If we do change it, we will also update the last change date. Any changes we make hereto shall be immediately effective.