Table of Contents

I.       Purpose
II.      Scope
III.     Legal Framework
IV.      Definitions
V.       Principles of processing
         5.1.   Principle of lawfulness
         5.2.   Principle of purpose limitation
         5.3.   Principle of data minimalization
         5.4.   Principles of data accuracy and storage limitation
         5.5.   Principle of Integrity and Confidentiality
         5.6.   Principle of Accountability
VI.      Rights of Data Subjects
         6.1.   Transparent information, communication and modalities for the exercise of the rights of the data subject
         6.2.   Information where personal data are collected from the data subject and information where personal data have not been obtained from the data subject
         6.3.   The right of access by the data subject
         6.4.   The right of rectification and erasure
         6.5.   The right to restriction of processing
         6.6.   Notification of the data subjects regarding rectification or erasure of personal data or restriction of processing
         6.7.   The right of data portability
VII.     Responsibilities
         7.1.   The Board of Directors
         7.2.   The Management Committee
         7.3.   Data Protection Officer
         7.4.   IT
         7.5.   The Chief Legal and Compliance Officer
         7.6.   The Human Resources
         7.7.   Marketing
         7.8.   All Staff
VIII.    Procedure
         8.1.   Collection and processing of personal data by the Company
         8.2.   Collection and processing of personal data by third parties
         8.3.   Transfers of Personal data to third countries or to third parties
         8.4.   Data protection impact assessment
         8.5.   Code of Ethics and Professional Conduct
IX.      Personal data breach
X.       Communications with the DPA
XI.      Sanctions
XII.     Training and information

I.              Purpose

Gatsby & White Agency S.A. (hereinafter referred to as “GWA” or the “Company”) was incorporated on 9 August 2018 as an insurance agency in Luxembourg.

This Personal Data Protection Policy and Procedure (hereafter the “Policy”) is established by the Gatsby & White Group with the purpose of establishing the principles, rules, organisation and internal procedures and processes for the collection, processing and retention of all types of personal data within the Company.

For the exercise of its activities, the Company collects and processes the following types of personal data:

  • Personal data of its staff (permanent, temporary or consultants) which is related with employment activities;
  • Personal data of customers, policyholders, insured persons, beneficiaries, legal representatives of corporate entities for the purposes of fulfilling the legal obligations for customer due diligences arising from the AML/CTF Legislation in power;
  • Personal data of the legal representatives of business partners, services providers, business referees, independent sub-brokers with whom the Company enters into business relationships for the purposes of fulfilling the legal obligations for third party due diligences arising from the AML/CTF Legislation in power;

The main aim of this Policy is to ensure that all natural persons within the scope of this Policy are aware that their data is being collected and processed, that they are given the opportunity to understand how they can exercise their rights, and that they consent to the use of their personal data in connection with the activities of the Company and their own activities as employees, clients, business partners or collaborators.

II.            Scope

This Policy shall be approved by the Board of Directors and apply to all employees (permanent, temporary or on contract) of the Company without exemptions.

It applies in all jurisdictions in which the Company operates regardless of local laws or culture.

The present Policy shall therefore be read as if entirely applicable to all the companies belonging to GW in accordance with local and documented legal frameworks.

This Policy unifies all the content which was previously prepared on existing documents on personal data protection within the Company and the Group.

III.          Legal Framework

This Policy is based on the following legislation:

  1. The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereafter as “GDPR”).
  2. The Law of 7 December 2015 on the Insurance Sector as amended.
  3. The Law of 12 November 2004 (amended) on the fight against money laundering and terrorist financing transposing Directive 2001/97/EC of the European Parliament and of the Council of 4 December 2001 amending Council Directive 91/308/EEC on prevention of the use of the financial system for the purpose of money laundering.
  4. Act of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework.

IV.          Definitions

The following definitions and abbreviations are used in this Policy:

“AML” refers to anti-money laundering.
“Board” refers to the Board of Directors of the Company.
“Business relationship” means a professional or commercial business relationship which is connected to the business activities of GW and which is expected to have an element of duration.
“CAA” is the insurance supervisory authority in Luxembourg, the Commissariat aux Assurances, see www.caa.lu
“CTF” refers to Counter Terrorism Financing.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“Cross-border processing” means either:

(a)  processing of personal data which takes place in the context of the activities of establishments in more than one EU Member State of a controller or processor in the EU where the controller or processor is established in more than one EU Member State; or


(b)  processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the EU but which substantially affects or is likely to substantially affect data subjects in more than one EU Member State.

“Delegates” are defined as any third party carrying out on behalf of the Company one or more functions in line with a delegation agreement;
“DPA” refers to the Data Protection Authority;
“DPO” refers to the Data Protection Officer;
“EU” refers to the European Union;
“Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
“GW” or the “Company” is intended as the Group of Gatsby & White, including therefore the following companies: Gatsby & White S.A., Gatsby & White (Liechtenstein) AG and Gatsby & White Belgium S.A.
“GWA” is intended as Gatsby & White Agency S.A.
“Management Committee” or “Management” refers to the persons in charge of the daily management of the Company.
“Media” or “Social media” refers to all types of available mass communication means such as radio, television, newspapers, any Internet media and social networks;
“Personal data” means any information relating to an identified or identifiable natural person (“Data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
“Staff” or “Employees” refers to the employees of the Company and includes the members of the Management and of the Board;
“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

V.            Principles of processing

The Company acknowledges and respects the following principles relating to the collection, control and processing of personal data:

5.1  Principle of lawfulness

The principle of lawfulness[1] means that personal data shall be processed in a lawful, fair and transparent manner in relation to the data subject. The data subject must have given his/her consent to the processing of his/her personal data for the specific purposes for which the Company collects them, such as the employment of its staff or the exercise of contractual and legal obligations towards its customers and third parties.

5.2.     Principle of purpose limitation

The principle of purpose limitation[2] means that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The Company ensures that the purpose of collection and processing is clearly indicated to data subjects before their personal data are collected and processed.

5.3.     Principle of data minimalization

The principle of data minimalization[3] means that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The Company must ensure that the collected personal data are processed and used only for the purposes for which they were collected and in line with the consent of the data subject. Where there is a need to use or process the personal data for other purposes, consent will be requested from the data subjects; if it is not given, the processing shall not be carried out, unless it is necessary to fulfil a legal obligation.

5.4.     Principles of data accuracy and storage limitation

The personal data must be accurate and, where necessary, kept up to date[4]. The Company must ensure that inaccurate personal data are erased or rectified without delay.
The personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed[5].

The personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes or where this is necessary for fulfilling legal obligations of the Company. The storage of personal data for longer periods is approved by a written decision of the Board of the Company. When the need for processing the personal data for a longer period ends, the personal data will be erased by the Company.

5.5.     Principle of Integrity and Confidentiality

The personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures[6]. The Company protects the confidentiality of personal data by using technical IT means, by restricting access to authorised persons only, and by defining which staff are authorised to access and process which category of personal data and for which purposes.

5.6.     Principle of Accountability[7]

The Company acknowledges that, as controller of the personal data, it is responsible for the protection of the personal data it has collected and for ensuring, on the one hand, that the rights of data subjects are respected and, on the other hand, that the purpose of the collection and processing is fulfilled.

The Company is also responsible for controlling, detecting, reporting and mitigating any possible data breaches and for putting in place a framework of technical means and organisational arrangements in order to fulfil its legal obligations arising from the collection and processing of personal data. Where services are delegated to third parties and the delegation includes the collection and processing of personal data in order to fulfil contractual obligations, the Company is responsible for controlling and ensuring that the third party respects the legal obligations relating to the protection of personal data.

Where processing of personal data is based on consent, the Company must be able to demonstrate that the data subject has consented to processing of his/her personal data.

VI.          Rights of Data Subjects

The Company, during the collection and processing of personal data collected for the purposes of employment or for the exercise of its operational activities, ensures that data subjects are informed of and guaranteed the following rights provided by the laws in power:

6.1.     Transparent information, communication and modalities for the exercise of the rights of the data subject[8]

The Company must ensure to inform the data subject before the collection of personal data on the purposes of the collection and processing of personal data.

Where the personal data of employees are collected and processed, the Company ensures that a clause is included in the employment agreement, or an addendum for existing employment agreements, obtaining the consent of the employee concerned for the collection and processing of their personal data in connection with the obligations arising from the employment contract.

The Company shall ensure that employees are informed of the purpose of the collection and processing for employment purposes and of their rights as data subjects. Employees are also informed that if they refuse to share the personal data related to their employment, this may bring about the end of the employment agreement, because the Company cannot implement the obligations of the employment agreement without the necessary personal data of the employees.

Where the personal data of customers/policyholders or third parties are collected and processed in order to fulfil contractual, legal and professional AML/CTF obligations, the Company ensures that the customer/policyholder or third party is informed and that their consent to the collection and processing of their personal data is obtained through the contractual documents signed at the time the business relationship is established. The Company ensures that the customer/policyholder or third party is informed of the purpose of the collection and processing of their personal data for the purposes of contractual and legal obligations and of their rights as data subjects.

6.2.     Information where personal data are collected from the data subject and information where personal data have not been obtained from the data subject[9]

Where personal data relating to a data subject are collected from the data subject, the Company as controller shall, at the time when the personal data are obtained, provide the data subject with all of the following information:

  1. the identity and the contact details of the Company and, where applicable of the Company’s representative;
  2. the contact details of the DPO, where applicable;
  3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  4. where the processing is necessary for the purposes of legitimate interests pursued by the Company or by a third party (except where such interests are overridden by the interests or the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child[10]), information on the legitimate interests pursued by the controller or by a third party;
  5. the recipients or categories of recipients of the personal data, if any;
  6. where applicable, when the Company intends to transfer personal data to a third country or to a third party, refer to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

In addition to the above-mentioned information, the Company as Controller shall, at the time when personal data are obtained, provide the data subject with the following further information which is necessary to ensure fair and transparent processing:

  1. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  2. the existence of the right to request from the Company access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  3. where the data subject has given consent to the processing of his/her personal data for one or more specific purposes, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  4. the right to lodge a complaint with the Data Protection authority;
  5. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  6. when applicable, the existence of automated decision-making[11], including profiling, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The Company must obtain consent from data subjects in the form of a written declaration, presented clearly and distinguishably from other matters, in an intelligible and easily accessible form, using clear and plain language[12].

For personal data which are not collected and processed directly by the Company but by delegates or third parties, in line with the respective agreements, the Company ensures that the third party implements the above-mentioned legal requirements concerning the information given to data subjects on the purpose of the collection of their personal data and the obtaining of their consent in a clear and distinguishable way.

6.3.     The right of access by the data subject[13]

The Company ensures that the data subjects concerned are granted the rights provided by the laws in power and the GDPR, as indicated below:

The Company must inform data subjects as to whether or not personal data concerning them are being processed and, where that is the case, the Company will grant access to the personal data and provide the following information:

  1. the purpose of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or third parties;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the Company, rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object such processing;
  6. the right to lodge a complaint with the National Data Protection Authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. when applicable, the existence of automated decision-making, including profiling[14], and at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  9. where personal data are transferred to a third party or to a third country, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

6.4.     The right of rectification and erasure[15]

The Company must grant to the data subject, without undue delay, the rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The Company must grant to data subjects the right to obtain from the Company the erasure of personal data concerning them without undue delay, and the Company as controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the data subject has given consent to the processing of his/her personal data for one or more specific purposes and he/she withdraws the consent on which the processing is based[16] and where there is no other legal ground for the processing;
  3. the data subject objects to the processing of his/her personal data and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for marketing purposes;
  4. the personal data have been unlawfully processed;
  5. the personal data have to be erased for compliance with a legal obligation to which the Company is subject.

Notwithstanding the above-mentioned conditions for erasure, in cases where the personal data are absolutely necessary for the execution of contractual obligations, such as the employment contract, the Company must inform the data subject that it is not possible to erase the personal data without terminating the employment agreement. When the employment agreement is terminated, the Company will erase the personal data once all legal, tax and civil liability obligations towards the employee and the responsible authorities are fulfilled, and not later than 5 years, which is the record-keeping period defined in the internal policies and procedures.

Where erasure would conflict with compliance with the legal obligations for AML/CTF due diligence or any other law in power, or with the establishment, exercise or defence of legal claims, the Company is exempt from the obligation to erase the personal data. The Company ensures that the customer, policyholder, business partner or third party concerned is informed of this exemption when their consent is obtained; if the personal data are not provided and consent is not given, it will not be possible to enter into the business relationship.

6.5.     The right to restriction of processing[17]

The Company must grant to data subjects the right to obtain from the Company the restriction of processing where one of the following applies:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  4. the data subject has objected to processing[18] pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted on the above-mentioned conditions, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. The Company will inform the data subject who has obtained restriction of processing before the restriction of processing is lifted.

6.6.     Notification of the data subjects regarding rectification or erasure of personal data or restriction of processing[19]

The Company will communicate any rectification or erasure of personal data or restriction of processing carried out[20] to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Company will inform the data subject about those recipients if the data subjects request it.

6.7.     The right of data portability

The Company will grant to data subjects the right to receive the personal data concerning them, which they have provided to the Company, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the data have been provided, where:

  1. the processing is based on consent given by the data subject to the processing of his/her personal data for one or more specific purposes or on a contract to which the data subject is party in order to take steps at the request of the data subject, prior to entering into contractual arrangement;
  2. The processing is carried out by automated means.

In exercising his/her right to data portability as mentioned above, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where it is technically feasible.

VII.        Responsibilities

The Company has appointed the following bodies for the internal implementation and to put into practice the legal requirements for the protection of personal data:

7.1.     The Board of Directors

The Board of Directors of the Company is responsible for the following:

  • To approve an internal policy on protection of personal data in line with the defined principles in the GDPR and applicable legislation;
  • To appoint a person in charge as DPO and to provide the necessary human and technical resources for the performance of his/her duties concerning the protection of personal data;
  • To collaborate with the DPO and the Management to create and put in place conditions for practical measures for the implementation of this data protection policy;
  • To monitor the implementation of data protection measures regularly with the reports from the DPO and Management Committee;
  • To be informed without delay about the violations of this Policy and of the data protection laws;
  • To decide on the resources needed to implement IT mechanisms and systems for the protection of personal data and to give data subjects their rights to access, rectify and erase personal data in accordance with the laws in power and the GDPR;
  • In cases of personal data breaches, to decide on the remediation plan proposed by the Management Committee and to control the implementation of this plan.

7.2.     The Management Committee

The Management Committee is responsible for the following:

  • To implement the personal data protection policy, procedures and principles that are approved by the Board of Directors;
  • To approve changes to marketing documents, contracts, forms, disclaimers, website content, etc., concerning relations with natural persons, in order to obtain their consent and to inform customers of their rights;
  • To collaborate with the DPO and the Compliance Officer for the implementation and control of this Policy;
  • To ensure that employees have given their consent, as part of the employment agreement or as an amendment to existing contracts, to the collection of personal data for employment purposes;
  • In cases of data breaches, to collaborate with the DPO, IT, the cloud services providers and any related departments in preparing and implementing an action plan for remediating the situation.

7.3. Data Protection Officer

Taking into consideration the size, type of activities, nature, scope, context and purposes of processing and the quantity of personal data collected and processed, and since the Company does not process large or special categories of personal data and does not carry out systematic monitoring of data subjects on a large scale, it is considered that a separate DPO function is not needed or required. Therefore, it has been decided that at this stage of the Company’s development the DPO function is exercised by the Chief Compliance and Legal Officer. Should circumstances change in the future, the Company will reassess the need for a separate DPO function.

The Company ensures that the DPO function fulfils the professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the below mentioned tasks. The name and the details of the DPO are communicated to the National Data protection Authority[21].

The DPO reports to the Board of Directors. The Board shall ensure that the DPO does not receive any instructions regarding the exercise of his/her tasks. He/she cannot be dismissed or penalised for performing his/her tasks. The Company ensures that those tasks and duties do not result in conflicts of interest and that the Chief Legal and Compliance Officer who acts as DPO has sufficient time to dedicate to DPO duties.

The main responsibilities of a DPO are as below[22]:

  • To inform and advise the Company and the employees who carry out the collection and processing of personal data on their obligations pursuant to the data protection legislation in power;
  • To prepare, review and amend when necessary the Company’s data protection Policy and procedures;
  • To monitor compliance with the data protection legislation in power and with the data protection Policy and Procedures of the Company in relation to the protection of personal data by including the assignment of responsibilities, raising awareness and training of involved staff;
  • Where requested and necessary, to provide advice as regards the data protection impact assessment and monitor its performance[23];
  • To cooperate with the National DPA;
  • To act as contact point for the National DPA on any personal data related matter;
  • To act as contact point for the data subjects with regard to all issues related to processing of their personal data and to exercise their rights;
  • To monitor the implementation of the legal obligations on protection of personal data by third parties which are acting as delegates of the Company when they collect and process personal data on behalf of the Company;
  • To review and comment when necessary, any documents related with matters of personal data collection and processing;
  • To provide training sessions on personal data protection to all employees and to answer to personal data questions from the employees or internal departments within the Company.

The DPO, during the performance of his/her tasks, shall have due regard to the risks associated with processing operations, by considering the nature, scope, context and purposes of processing.

7.4.     IT

The IT function is responsible for the following:

  • Implement technical measures that protect personal data in line with this internal Policy and Procedure;
  • Grant access rights to personal data only to authorised persons and remove them when they are no longer needed;
  • Set up protection systems against cyber-attacks;
  • Inform the DPO and the Management Committee of any detected data breach;
  • Provide the technical means to contain and remediate data breaches.

7.5. The Chief Legal and Compliance Officer

The Chief Legal and Compliance Officer, who also acts as the appointed DPO, has the following tasks within the legal function in addition to the DPO tasks:

  • To perform a legal review of, and amend where necessary, the documents relating to the consent of natural persons to the collection and processing of their personal data, such as the employment agreement, services agreement, delegation agreement and other contracts for business arrangements;
  • To prepare legal notices on personal data protection for the Company's website and any other documents;
  • To take the personal data protection obligations into account when preparing legal documents of the Company, such as employment contracts, services contracts, sub-contracts, delegation contracts, etc.;
  • To advise the Board of Directors and the Management Committee when a legal interpretation of personal data protection legislation or documents is needed;
  • To support the Company in case of complaints related to personal data protection and in case of administrative or judicial proceedings.

7.6.     The Human Resources

The person in charge of the human resources function is responsible for the following:

  • To ensure that all employees have signed the employment agreement or an addendum containing the clause on consent to the collection and processing of personal data related to the employment;
  • To plan continuous training and staff awareness in collaboration with the DPO;
  • To implement this Policy and Procedure with regard to the personal data of the Company's staff;
  • To obtain signed contracts on confidentiality and the protection of personal data.

7.7.     Marketing

The persons in charge of sales and marketing, which include the Client Services, Brokers and Sub-brokers of the Company, are responsible for the following:

  • To implement this Policy and Procedure and the legal obligations on personal data protection;
  • To take the protection of personal data into account when preparing and presenting marketing materials;
  • To ensure that a disclaimer of legal liability is included in the marketing materials;
  • To collaborate with the DPO on the review of the personal data related clauses in marketing materials;
  • To inform customers, policyholders and partners about the collection and processing of their personal data, to specify the purposes of such collection and processing and to obtain their consent;
  • To inform the DPO and the Management of any detected data breach.

7.8.     All Staff

All the staff of the Company have the following obligations:

  • To familiarise themselves with the legal obligations related to the protection of personal data by reading this Policy and Procedure and attending the internal training sessions organised on this subject;
  • To apply and respect this Policy and Procedure in their daily work;
  • To inform clients, policyholders and business partners of their rights and obligations related to the collection and processing of personal data by the Company;
  • To collect and retain the customer's consent before processing his/her personal data;
  • To respect the clean desk and computer security procedures and the principles of confidentiality and information barriers (Chinese walls) in their daily work;
  • To immediately inform the DPO and the Management of any detected data breach;
  • To follow the instructions of the DPO, the Management and the Board of Directors concerning the protection of personal data.

VIII.      Procedure

8.1.     Collection and processing of personal data by the Company

The Company collects and processes personal data directly in the following situations:

  1. Personal data of its staff needed for employment purposes;
  2. Personal data of customers, policyholders, insured persons and beneficial owners needed to fulfil the contractual obligations of the insurance policy and the legal obligations of customer due diligence under the AML/CTF Law;
  3. Personal data of the legal representatives of third-party business partners, such as insurance companies, business collaborators, independent sub-brokers and service providers, for the purpose of carrying out its commercial activities.

The Company, as an employer, collects and processes the following personal data of its employees for the purposes of human resources, payroll and compliance with legal, tax and social security obligations:

  1. Name, surname;
  2. Gender;
  3. Address;
  4. Email and telephone number;
  5. Curriculum vitae (CV);
  6. Copy of ID/Passport;
  7. Criminal record certificate;
  8. Bank account number and details;
  9. Tax card and tax identification number (TIN);
  10. Social security number;
  11. Doctors certificates for capacity to work or for work absences;
  12. Emergency contact person name, surname and contact details;
  13. Photo for the website.

All employees, when entering into an employment agreement with the Company, have consented to provide their personal data to the Company. They acknowledge that they are aware of their rights as data subjects, that the Company may share these personal data with third parties providing payroll and tax services, and that withdrawing their consent to the sharing of these personal data with the Company will bring the employment agreement to an end, because the Company would no longer be able to fulfil the contractual and legal obligations arising from the employment contract.

These personal data and related documents are kept by the person in charge of the human resources function. Where payroll is outsourced to a third-party service provider, only the personal data necessary for that purpose are shared with it, and the Company ensures that the third party provides a level of protection of personal data equivalent to the Company's own. The physical HR files are locked and access is restricted to Human Resources, the Management and the Board. The electronic HR files are also subject to restricted access rights, which are granted by the IT function under the supervision of the Management.

For the purpose of complying with its legal obligation to perform customer due diligence for AML/CTF purposes, the Company collects the following personal data from customers, policyholders, insured persons and beneficiaries:

  1. Name, surname;
  2. Place and date of birth;
  3. Nationality;
  4. Gender;
  5. Address;
  6. Telephone and email;
  7. Profession and work place;
  8. Official identification number;
  9. Tax identification number;
  10. Bank account details.

In addition, the Company collects the following documents from customers, policyholders and insured persons in order to verify the above-mentioned personal information and to perform the customer due diligence required by its AML/CTF legal obligations:

  1. Certified copy of valid ID/passport;
  2. Proof of residence such as utility bill, residence certificate or social security and other correspondence which indicate the address;
  3. Correspondence from central or local government department or agency;
  4. Letter of reference, tax or legal memo from independent third party or regulated financial services provider;
  5. CV;
  6. Bank statements, payslip and professional background information;
  7. FATCA/CRS self-certification form;
  8. Suitability assessment profile;
  9. Mandate and enter into relationship documents;
  10. Any other document needed for the due diligence and AML/CTF verifications, as deemed necessary by the Compliance Officer.

Before entering into a business relationship, the Company collects the following personal data of the legal representatives of third parties:

  1. Name, surname;
  2. Place and date of birth;
  3. Nationality;
  4. Gender;
  5. Professional address;
  6. Telephone and email;
  7. Profession and work place;
  8. Official identification number;
  9. Tax identification number.

These personal data and related documents are kept by the Company in a secure, access-restricted area to which only authorised persons have access, namely the member of the Client Services team in charge of the customer or third party, the Compliance Officer and the Management. The electronic KYC files are also access-restricted, and only the persons working on the customers or third parties concerned can access them.

8.2. Collection and processing of personal data by third parties

The Company authorises third parties to collect and process personal data of its customers when the Company acts as intermediary and other parties are involved in the same customer relationship and legal arrangement, such as the insurance company, the asset manager and the bank. The necessary arrangements for such collection and processing are set out in the respective legal agreements, and the Company ensures that all parties concerned have personal data protection policies and measures in place.

8.3.     Transfers of Personal data to third countries or to third parties

Any transfer of personal data to third parties within Luxembourg must be approved by the Management Committee after review and consideration by the DPO. The Company ensures that the data subjects concerned were informed of, and consented to, such transfers at the beginning of the relationship. Where this information was not given or consent was not obtained, the data subjects must be informed and their consent requested before the transfer takes place.

The Company ensures that the third party has technical and organisational measures in place to protect the personal data in line with the laws in force, and that the contractual arrangement sets out, in specific, clear and precise language, the obligations and responsibilities regarding the protection of personal data.

If personal data need to be transferred to a third country that is neither an EU Member State nor an EEA country applying the GDPR, the Company shall first check whether the EU Commission has decided that this third country ensures an adequate level of protection of personal data. Such a transfer does not require any specific authorisation[24].

In the absence of an EU Commission adequacy decision, the Company may transfer personal data to a third country only if the controller or processor in that country has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available[25]. The Company must verify these appropriate safeguards and keep written evidence of the verifications made.

Where no sufficient safeguards are available, the Company must notify the National DPA and await its approval before transferring the personal data to this third country.

Where the National DPA grants its approval, the Company shall ensure that the legal requirements on contractual clauses and on technical and organisational measures for the protection of personal data are fulfilled. A transfer of personal data to a third country is carried out only after approval by the Board of Directors, following review and consideration by the Management Committee.

Where the National DPA refuses the transfer of personal data to a third country, the Company shall respect this decision and shall not perform the transfer.

8.4.     Data protection impact assessment

Where a type of processing, in particular one using new technologies, is likely, considering the nature, scope, context and purposes of the processing, to result in a high risk to the rights and freedoms of natural persons, the Company shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks[26]. The Company shall seek the advice of the DPO when carrying out a data protection impact assessment[27].

The data protection impact assessment shall contain at least:

  1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the Company;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. an assessment of the risks to the rights and freedoms of data subjects;
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR and personal data protection laws by considering the rights and legitimate interests of data subjects and other persons concerned.

A data protection impact assessment is in particular required in the case of a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person[28].

At present, the Company does not collect or process personal data on a large scale and does not perform automated processing or profiling. If circumstances change in the future, the Company will perform a data protection impact assessment in line with the GDPR requirements.

8.5.     Code of Ethics and Professional Conduct

The Company has established a Code of Ethics and Professional Conduct which is approved by the Board of Directors and it is applicable to all staff. This Code of Ethics provides for the principles such as clean desk, confidentiality and personal data protection.

In addition, the Company has established a Complaints Handling Procedure which sets out the procedures and structures for handling complaints about infringements of the Code of Ethics and any breach or misconduct by the Company or its employees. This Complaints Handling Procedure is transparent and has been communicated to data subjects, customers, policyholders, business partners and any other relevant party.

IX.          Personal data breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the Company.

In case of a personal data breach, the Company must notify the DPA without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons[29]. The 72-hour period runs from the moment the Company becomes aware of the breach, not from the end of its investigation. Where the notification to the DPA is not made within 72 hours, it shall be accompanied by the reasons for the delay.

The notification for the data breach must, at least:

  • describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach;
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The breach notification shall be sent to the email address databreach@cnpd.lu. The downloadable GPG public key[30] can be used to encrypt the notification and thereby protect the transmitted information; the authenticity of the downloaded key (for example, its fingerprint) should be checked against the CNPD's published details before it is used.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

The Company will document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation must enable the DPA to verify compliance with the GDPR and national data protection laws[31].

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall communicate the personal data breach to the data subjects concerned without undue delay[32]. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the contact details of the DPO, the likely consequences of the personal data breach and the measures taken or proposed by the Company to address it[33].

The communication to the data subject is not required if any of the following conditions is met[34]:

  1. the Company had implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person not authorised to access them, such as encryption (this condition is only met if the decryption key itself was not compromised in the breach);
  2. the Company has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to above is no longer likely to materialise;
  3. it would involve disproportionate effort; in such a case, a public communication or similar measure shall be made instead, whereby the data subjects are informed in an equally effective manner.

When the personal data breach has occurred at a third party which collects and processes personal data on behalf of the Company under the agreement between the parties, the Company shall ensure that the above-mentioned procedure is followed as soon as it has information on the breach. If the third party has already notified the DPA and, where necessary, the data subjects concerned, the Company shall request a copy of all the communications and shall not duplicate the notification. In cases where the third party has not notified the DPA and, where necessary, the data subjects concerned, the Company shall proceed with the notification itself through the DPO, with the support of the Management Committee. The Company will ensure that the necessary mitigation measures are undertaken by the responsible third party.
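The rules of this section (the 72-hour clock from awareness, the minimum content of the DPA notification, the conditions under which the communication to data subjects can be omitted, and the internal register) can be applied consistently by an incident responder with a small decision helper. The following Python script is an added illustration and is not part of the Company's Policy: the class and function names, the three risk levels, the DPO contact string and the sample breach (a lost encrypted laptop holding KYC files) are assumptions made for the example. The DPO's risk assessment is an input; the code only applies the Article 33/34 rules once that assessment has been made.

```python
"""Breach-handling decision helper (added example, not part of the Policy).
All names, the Risk levels and the sample breach are assumptions."""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

DPA_DEADLINE = timedelta(hours=72)  # Article 33(1): 72 hours from becoming aware
DPO_CONTACT = "Chief Legal and Compliance Officer, acting as DPO"  # Section 7.3


class Risk(Enum):
    """Outcome of the DPO's assessment of the risk to data subjects (assumption)."""
    UNLIKELY = "unlikely"  # no DPA notification required, but still documented
    RISK = "risk"          # notify the DPA within 72 hours
    HIGH = "high"          # notify the DPA and communicate to the data subjects


@dataclass
class Breach:
    aware_at: datetime                     # moment the Company became aware (UTC)
    risk: Risk
    nature: str = ""                       # Art. 33(3)(a)
    data_categories: tuple = ()            # e.g. ("KYC documents", "bank details")
    approx_subjects: Optional[int] = None
    approx_records: Optional[int] = None
    likely_consequences: str = ""          # Art. 33(3)(c)
    measures_taken: str = ""               # Art. 33(3)(d)
    data_unintelligible: bool = False      # Art. 34(3)(a): affected data was encrypted
    key_compromised: bool = False          # encryption does not help if the key leaked
    risk_mitigated: bool = False           # Art. 34(3)(b): later measures removed the risk
    disproportionate_effort: bool = False  # Art. 34(3)(c)


def hours_after(b: Breach, hours: float) -> datetime:
    """Point in time `hours` after the Company became aware of the breach."""
    return b.aware_at + timedelta(hours=hours)


def dpa_notification_required(b: Breach) -> bool:
    """Art. 33(1): notify unless the breach is unlikely to result in a risk."""
    return b.risk is not Risk.UNLIKELY


def dpa_deadline(b: Breach) -> datetime:
    return b.aware_at + DPA_DEADLINE


def reasons_for_delay_required(b: Breach, sent_at: datetime) -> bool:
    """A notification sent after the 72-hour deadline must explain the delay."""
    return dpa_notification_required(b) and sent_at > dpa_deadline(b)


def missing_notification_content(b: Breach) -> list:
    """Art. 33(3) items still missing; they may follow in phases (Art. 33(4))."""
    required = {
        "nature": b.nature,
        "data_categories": b.data_categories,
        "approx_subjects": b.approx_subjects,
        "approx_records": b.approx_records,
        "likely_consequences": b.likely_consequences,
        "measures_taken": b.measures_taken,
    }
    return [name for name, value in required.items() if value in ("", None, ())]


def data_subject_communication(b: Breach) -> str:
    """Art. 34: whether and how the data subjects must be informed."""
    if b.risk is not Risk.HIGH:
        return "not required"
    if b.data_unintelligible and not b.key_compromised:
        return "not required (Art. 34(3)(a))"
    if b.risk_mitigated:
        return "not required (Art. 34(3)(b))"
    if b.disproportionate_effort:
        return "public communication (Art. 34(3)(c))"
    return "required"


def register_entry(b: Breach, decided_at: datetime) -> dict:
    """Entry for the internal breach register kept under Art. 33(2): facts,
    effects, remedial action and the decisions taken at `decided_at`."""
    entry = asdict(b)
    entry.update({
        "risk": b.risk.value,
        "dpo_contact": DPO_CONTACT,
        "dpa_notification_required": dpa_notification_required(b),
        "dpa_deadline": dpa_deadline(b).isoformat(),
        "reasons_for_delay_required": reasons_for_delay_required(b, decided_at),
        "still_missing": missing_notification_content(b),
        "data_subject_communication": data_subject_communication(b),
    })
    return entry


def sample_breach(**overrides) -> Breach:
    """Constructed sample (assumption): an encrypted laptop with KYC files is lost."""
    fields = dict(
        aware_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
        risk=Risk.HIGH,
        nature="Loss of an encrypted laptop holding KYC files",
        data_categories=("KYC documents", "bank account details"),
        approx_subjects=40,
        approx_records=40,
        likely_consequences="Identity fraud if the disk encryption were defeated",
        measures_taken="Remote wipe issued; loss reported to the police",
        data_unintelligible=True,
    )
    fields.update(overrides)
    return Breach(**fields)


if __name__ == "__main__":
    breach = sample_breach()
    print(register_entry(breach, hours_after(breach, 20)))
```

Run as a script it prints the register entry for the sample breach: the DPA must be notified (risk is high), the notification is within the 72-hour window, no Article 33(3) item is missing, and the communication to data subjects is not required because the affected data were encrypted and the key was not compromised. Flipping `key_compromised` to `True` on the same sample makes the data-subject communication required again, which is the caveat the encryption exemption carries.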

X.            Communications with the DPA

The DPO is responsible for communications with the DPA, both those initiated by the Company, such as notifications of data breaches or requests for authorisation, and those requested by the DPA.

The DPO transmits to the Company any information, recommendation, order or advice from the DPA concerning the collection and processing of personal data.

XI.          Sanctions

Infringements of the GDPR provisions are subject to administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for the infringements listed in Article 83(4), and of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for the infringements listed in Article 83(5)[35].

Non-compliance with an order by the DPA may be subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher[36].

The National DPA has the right to impose the above-mentioned administrative fines, depending on the circumstances of each individual case.

XII.        Training and information

The DPO is responsible for raising the awareness of the staff, of the Management and of the Board on the protection of personal data and on the related legal obligations.

The DPO provides in-house training to all staff on this Policy and Procedure and on the GDPR and the personal data protection laws in force.

All questions on personal data protection matters, on this Policy and Procedure and on the legal framework in force can be addressed to the following persons:

  • The Chief Legal and Compliance Officer who acts as DPO;
  • Management of the Company.

 

 

[2] Article 5 (1) (b) of the GDPR

[3] Article 5 (1) (c) of the GDPR

[4] Article 5 (1) (d) of the GDPR

[5] Article 5 (1) (e) of the GDPR

[6] Article 5 (1) (f) of the GDPR

[7] Article 5 (2) of the GDPR

[8] Article 12 of the GDPR

[9] Articles 13 and 14 of the GDPR

[10] Based on point (f) of Article 6(1) of the GDPR

[11] Currently, the Company is not performing automated decision making and profiling as referred to in Article 22(1) and (4) of the GDPR

[12] Article 7 of the GDPR

[13] Article 15 of the GDPR

[14] Currently, the Company is not performing automated decision making and profiling.

[15] Articles 16 and 17 of the GDPR.

[16] According to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR

[17] Article 18 of the GDPR

[18] Pursuant to Article 21(1) of the GDPR

[19] Article 19 of the GDPR

[20] In accordance with Articles 16, 17 (1) and 18 of the GDPR

[21] Article 37 (7) of the GDPR. The form for the declaration of the DPO to the DPA is available at: https://cnpd.public.lu/en/professionnels/dpo.html

[22] Article 39 of the GDPR

[23] Pursuant to article 35 of the GDPR

[24] Article 45 (1) of the GDPR

[25] Article 46 (1) of the GDPR

[26] Article 35 (1) of the GDPR

[27] Article 35 (2) of the GDPR

[28] Article 35 (3) of the GDPR

[29] Article 33 (1) of the GDPR

[30] See https://cnpd.public.lu/en/professionnels/obligations/violation-de-donnees/violation-donnees-rgpd.html

[31] Article 33 (2) of the GDPR

[32] Article 34 (1) of the GDPR

[33] Article 34 (2) of the GDPR

[34] Article 34 (3) of the GDPR

[35] Article 83 (4) and (5) of the GDPR

[36] Article 83 (6) of the GDPR