Privacy statement


Data Privacy Notice


AWP HEALTH & LIFE SA, FRANCE

AWP Health & Life SA, France,
a part of Allianz Group is a French authorised insurance company providing insurance products and services on a cross-border basis.

Protecting data and the privacy of those AWP Health & Life SA insures and contracts with is a top priority. This privacy notice explains how and what type of personal data will be collected, why it is collected and to whom it is shared or disclosed.  Please read this notice carefully.

In the event, a contract of insurance entered into with the Insurer covers any Dependents of the category of employees to be covered and/or includes the declaration of beneficiaries in the event of death; this Data Privacy Notice must be equally communicated to such third parties.

Personal data concerning parties to contractual agreements, the category of employees to be covered, their Dependents and/or beneficiaries as applicable, and/or any identified or identifiable natural living person to whom personal data relates hereto, herein referred to as “Data Subject(s)”including the signatories to contractual agreements and the various schedules, exhibits, attachments and other documents referenced or incorporated therein and/or endorsements, amendments or addendums thereto, are used for the sole purpose of the management thereof, whether or not by automated means, such as collection, processing, recording, organization, purpose limitation and data minimization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transfer, dissemination or otherwise making available, alignment or combination, security, relating to the collection and processing of personal data, including but not limited to the privacy and security thereof, in accordance with the Amended French Data Protection Act no. 78-17 of 06.01.1978 on Information Technology, Data Files and Civil Liberties and all applicable laws and regulations relating  to the protection and processing of Personal Data, including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) of the European Parliament and of the Council of 27 April 2016, herein after referred to as the “Regulation”, sector-specific laws and applicable guidance and codes of practice issued  by supervisory authorities.

The terms defined and used herein shall have the meaning given in the Regulation, as defined hereinafter, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and “Personal Data" shall be any personal and/or sensitive data in relation to the Data Subjects. Please see Definitions hereinafter.

Any and all necessary endorsements, as applicable, to existing contractual agreements, all relevant Data Protection Agreements with third-parties, and Data Transfer Agreements relating to the collection, processing, use, storage, and/or transfer of any personably identifiable data made available by the AWP Health & Life SA to third parties or collected by the third parties on behalf of the AWP Health & Life SA are concluded in application of all aspects of data protection and information security regulations.

AWP Health & Life SA assures Data Subjects that AWP Health & Life SA maintains and ensures any authorised third-parties contracted with AWP Health & Life SA maintain the appropriate security measure for the protection and use of personal data in application the Amended French Data Protection Act no. 78-17 of 06.01.1978 on Information Technology, Data Files and Civil Liberties and the laws and regulations relating to the protection and processing of Personal Data, and, in particular pertaining to Sensitive data, as applicable, the implementation of confidentiality relating to medical data processing in accordance with the Regulation, the French AERAS Agreement (Insurance and Loans with an Increased Health Risk), effective 2006, revised on 1 February 2011 and 2 February 2015 and the Code of Conduct appended to it as well as the French Code of Medical Ethics.

 

Data Controller

A data controller is natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing and who controls and is responsible to keep and use personal data in paper or electronic files. AWP Health & Life SA, the Insurer, is the Data Controller, as defined by relevant data protection laws and regulations, and determines the purposes and the means of the processing personal data in the performance and management of contractual agreements.
 

Data Processor

When applicable, the Data Processor is a third-party authorised by a separate Data Protection and Administrative Agreement, to collect, process and use any personably identifiable information made available by the Data Controller to the Data Processor or collected by the Data Processor on behalf of the Data Controller (Personal Data), in relation to all aspects of data protection and information security.
 

Categories of Personal Data

The various types of Personal Data that may be collected and processed in the performance and management of a contract agreement by any authorised third party Data Controller or Processor shall include but is not limited to the following information:

  • Basic Personal Details: including Full Name, status title, address, phone number, email address, IP address via webpage without disabling cookies, age, date of Birth, gender, nationality, identification document and/or identification document number ( passport, identity card)..),signatures;

  • Basic Employee HR Employment Details: including Personnel number, Job title/role, Job status full time – part time, Details /description of role, language, Health Insurance Details, Grade, Policyholder/Entity, Business Unit/Division, Office Location, Country of Origin and Country of Expatriation,  Reporting Manager, Start Date, Hours of Work, Relocation dates and details, End date and reason for termination, Contract type- fixed term/temporary/permanent, Correspondence, Results of Criminal Checks relating to prevention of Fraud and/or Terrorist Activities;

  • Financial Details: including bank account/credit card information, payment information, salary/wage, bonus payments; Pay Statements, Benefits and entitlements data, share schemes data, housing/relocation or other allowances, compensation data, third-party reductions;

  • Health, Welfare and Absence Related Administrative Data: related to the Policyholder’s relationship with the Data Subject, such as an employee personnel file including performance related information, Record of absence/ leave, Reason for absence, details of physical and psychological health or medical condition, health and Safety related information and Reporting, Occupational health related information and reporting, Grievances and Complaints, harassment details, Disability, access, special requirements details, Ill health retirement pensions, retirement

  • Education & Professional Experience & Affiliations Data: life data, which may include information related to education and training, qualification/certifications, languages, employment history, skills, awards or performance reviews or any other information relating to professional life;

  • Family, Lifestyle and Social Circumstances: including Marital Status, Dependents/Spouse/partner/family details, Next of kind/emergency contact details, Ethnicity, Religion/Religious beliefs, Other diversity and equality information…and Data relating to personal life which may include information about likes and dislikes or other information related to personal life; and

  • Sensitive Data: may include any data that may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a Data Subject’s sex life or sexual orientation including Medical Questionnaires, Enrolment forms, consent forms, Declaration of Beneficiary forms, medical reports, medical assessments reports, or death certificates, requests for prior approvals, medical expenses invoices, claims history.

 

Categories of Data Subjects

The Personal Data processed by the Insurer and/or on behalf of the Insurer in order to perform its obligations under, or otherwise in connection with, a contractual agreement, depending on the services provided, the categories of Data Subjects may include but are not limited to the following:
 

  • Current or former personnel including directors, officers, employees, relations of employees, providers of natural persons ( agents, intermediaries) agency workers, invitees, Insurers, subcontractors, representatives of business partners ( providers, clients, brokers, intermediaries), policyholders, contract holders, Insureds, beneficiaries, relatives and/or dependents of contract holders, insureds or beneficiaries where applicable;

  • Contacts or other personnel of customers, prospects, vendors, affiliates, business partners or other related organizations.

Insofar as Personal data and/or other sensitive data are required for the underwriting, administration, and management of an insurance contract, Dependents of Insured persons and/or beneficiaries in the event of death shall be considered “Data Subjects” for purposes of the application of the Regulation.


Consent

The collection and use of the personal data provided to the Data Controller and any authorised third party where applicable may require the express consent of the Data Subject, unless otherwise provided by the applicable laws and regulations:

Swipe to view more

Purpose Express consent  
Conclusion, performance and fulfilment of the obligations and rights of an Agreement and Insurance contract administration (e.g., quotation, underwriting, claims handling) Required when necessary.  However, where personal data is needed to be processed in order to underwrite insurance and/or process a claim AWP Health & Life SA will not need to obtain Data Subject express consent.  
To administer debt recoveries Not required  
To inform Data subjects, or permit Allianz Group companies and selected third parties to inform Data Subjects, about products and services that may interest Data Subjects in accordance with marketing preferences. Modifications to preferences may be requested at anytime by contacting their AWP Health & Life SA representative or by contacting AWP Health & Life SA as specified hereunder Required  
For automated decision making (including profiling) for credit scoring purposes, to personalize Data Subject experience [on the website] (by presenting products, services, marketing messages, offers, and content tailored to Data Subject), and to make other decisions about Data Subject using computerised technology such as assessing which products might be most suitable for Data Subject Required, when necessary.  However, where AWP Health & Life SA or authorised third party need to process personal data in order to underwrite insurance and/or process a claim AWP Health & Life SA will not need to obtain Data Subject express consent.  
Fraud prevention and detection Not required  
Meet any legal obligations (e.g., tax, accounting and administrative obligations) Not required  
To redistribute risk by means of reinsurance and co-insurance

Not required

 

As mentioned above, AWP Health & Life SA  may collect and  process information containing personal data received where relevant from public databases, third parties such as brokers and business partners, physicians, hospitals, other medical administrative authorities, other insurers, credit reference and fraud prevention agencies, advertising networks, analytics providers, search information providers, claims adjustors, intermediaries, delegated authorities, attorneys and notaries.

For those purposes indicated above where AWP Health & Life SA has indicated that it does not require express consent from the Data Subject or where AWP Health & Life SA otherwise require the personal data to underwrite insurance and/or process claim, AWP Health & Life SA will process the personal data based on legitimate interests and/or to comply with legal obligations.

Access and Processing of Personal data

 

AWP Health & Life SA will ensure that personal data is processed in a manner that is compatible with the purposes indicated above.  For the stated purposes, personal data may be obtained or disclosed to the following parties through contractual arrangements to protect personal data with those who may operate as authorised third party data controllers and/or processors:

 

  • Public authorities, other Allianz Group companies, other insurers, co-insurers, re-insurers, insurance intermediaries/brokers, and banks

  • With entitles outside of the Allianz Group that perform certain services on behalf of AWP Health & Life S.A such as risk assessments and claims handling that involve the collection and use of health and other data without which AWP Health & Life S.A would not be able to administer a policy or pay any claims.

  • Policyholders, employers, brokers, other Allianz Group companies, insurance intermediaries, third party administrator to underwrite, and/or administer the policy or process any data and discharge operations (claims, IT, postal, document management, etc.);

  • Physicians, nursing and hospital staff, other medical institutions, care homes, statutory health insurance funds, professional associations and public authorities to administer the policy or process any claims;

  • Other Allianz Group companies, technical consultants, experts, lawyers, loss adjustors, repairers, medical doctors; and service companies to discharge operations (claims, IT, postal, document management); and/or

  • Advertisers and advertising networks to send Data Subject marketing communications, as permitted under local law and in accordance with Data Subject communication preferences.  AWP Health & Life SA does not share personal data with non-affiliated third parties for their own marketing use without permission from the data Subject.


AWP Health & Life S.A and these third parties shall perform this exchange in accordance with the data and medical confidentially obligations and procedures required to share the data and to use fort he aforementioned purposes.

Finally, AWP Health & Life SA may also share personal data in, including but nor limited to, the following instances:

 

  • In the event of any contemplated or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in any insolvency or similar proceedings; and

  • To meet any legal obligation, including to the relevant ombudsman, court, arbitrator, attorney if a Data Subject makes a complaint about the products or services AWP Health & Life SA has provided to the Data Subject.

  • With coinsurers to distribute the coverage of the insurance risk jointly with other companies to which AWP Health & Life S.A issues a policy, and/or to handle claims jointly.

  • With other insurers/reinsurers that may be covering the same insurance risk at the same time – multiple insurance – to distribute the payment of any compensation that may be owed to me, or to collaborate in the detection or prevention of fraud and financial crime.  

 

Data Transfers

Personal data may be processed both inside (Cross-Border Processing) and outside of the European Economic Area (EEA) (Data Transfers Outside of the EEA)  by the parties’ specified hereinabove, subject to contractual restrictions regarding confidentiality and security in line with applicable data protection laws and regulations.  No personal and/or sensitive data may be disclosed to parties who are not authorized to process them.

In the event of a transfer personal and/or sensitive data outside of the EEA and where such transfers shall be done in application of the terms and conditions stipulated in Data Transfer Agreements in conjunction with the rules of the Regulation (EU), sector-specific laws and applicable guidance and codes of practice issued by supervisory authorities. 

In addition, a transfer of personal and/or sensitive data outside of the EEA for processing within the Group Allianz, the Insurer agrees to the transfer on the basis of Allianz’ approved binding corporate rules known as the Allianz Privacy Standard (Allianz’ BCR) which establish adequate protection for personal data and are legally binding on all Allianz Group companies.  Allianz’ BCR and the list of Allianz Group companies that comply with them can be accessed at https://www.allianz.com/en/).

Where Allianz’ BCR do not apply, the necessary steps shall be taken to ensure that the transfer of personal data outside of the EEA receives an adequate level of protection as it does in the EEA.  For further information concerning such safeguards AWP Health & Life SA rely upon for such transfers the Data Subject may contact their AWP Health & Life SA representative or by contacting AWP Health & Life SA directly as specified hereunder.

 

Data Subject Rights

The Data Protection Regulation confers certain rights on Data Subjects, including:

  • The right to access: the Data Subject shall have the right to obtain from the controller confirmation as to whether or not Personal Data concerning him are being processed, and, where that is the case, access to the Personal Data in a concise, transparent, intelligible and easily accessible form to learn the origin of the data, the purposes and ends of the processing, the details of the data controller(s), the data processor(s) and the parties to whom the data may be disclosed;

  • The right to Withdraw:  the Data Subject shall have the right to withdraw consent at any time where personal data is processed with express consent;

  • The right to rectify : the Data Subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate or incomplete Personal Data concerning the Data Subject;

  • The right to erase (“right to be forgotten”): the Data Subject shall have the right to obtain the deletion or removal of Personal Data without undue delay;

  • The right to restriction of processing: the Data Subject shall have the right to obtain from the controller restriction of processing in certain conditions:

  • The right to object: the Data Subject shall have the right to object on grounds relating to his particular situation, at any time to processing of Personal Data concerning him. The controller shall then no longer process the Personal Data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims;

  • The right to obtain human intervention for a decision based solely on automated processing including profiling: Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him similarly significantly affects the Data Subject;

  • The right to data portability: Data Subject shall have the right to receive the Personal Data concerning him, which he has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller;

  • File a complaint with the AWP Health & Life SA and/or the relevant Data Protection Supervisory Authority.

 

The Data Subject may exercise these rights by contacting their AWP Health & Life SA representative or by contacting AWP Health & Life SA directly as specified hereunder providing the Data Subject’s name, email address, account identification, and purpose of the request:

 

AWP Health & Life S.A.

Informatique et Libertés

Eurosquare 2

7 rue Dora Maar

93400 Saint Ouen

France                  

Email : informatique.libertes@allianzworldwidecare.com

 

Objection to the Processing of Personal and/or Sensitive Data

Where permitted by applicable law or regulation, Data Subject has the right to object to the processing of personal data, or request AWP Health & Life SA to stop processing the data (including for purposes of direct marketing). Once the Data Subject has informed AWP Health & Life SA, it shall no longer process the personal data of the Data Subject unless permitted by applicable laws and regulations.                                 

The Data Subject may exercise this right in the same manner as for the other rights indicated hereinabove.

 

Data Retention

AWP Health & Life SA will retain the personal data of Data Subjects as permitted by applicable laws and regulations, and, specifically as follows:

Swipe to view more

Documents Data Retention Duration  
Proposal, Quotations 3 years  
Contracts and Endorsements Covers Life  
Individual Enrollment Forms
  • 5 years from the date of the termination of contract(if no claim)

  • 5 years from the date of the termination of the insurance coverage
 
Individual enrollment forms of Disabled Insured Filed in the relevant claims file  ( see below: “claims files”)  
Contributions and Premiums, Commissions and Fee slips and Records 5 years  
Computerized Accounting Records 30 years  
Claims files in the event of Death, Total and Irreversible Loss of Autonomy, Incapacity, Disability
  • if the benefit has been paid: 10 years from the last date of payment

  • if the benefit has not been paid in totality or partially to the beneficiary(ies) in the event of death of the Insured: 30 years from the date of the recognition of the death of the Insured by the company.

  • if the benefit could not be paid in total or partial due to the disappearance of absence of the Insured: 30 years from the date of recognition by the company of the determination of the disappearance or absence of the Insured
 
Healthcare claims (illness/accident medical expenses) 3 years from the date the claims is closed  
Permanent Partial Disability Due to Illness (PPDI)- Permanent Partial Disability Due to Accident Disability (PPDA) - Monthly Payments - Hospital Reimbursement - Resource Guarantees - End of Carrier Compensation - Education Allowance
  • if the benefit has been paid: 10 years from the last date of payment

  • if not paid: 30 years
 
Other Contractual Documents (Administrative Agreements, Treaties, conventions, endorsements, other varied agreements. Life  

AWP Health & Life SA will not retain personal data of the Data Subject for longer than necessary and will retain said data only for the purposes for which it was obtained.

 

Contact Information

If the Data Subject has any queries about how AWP Health & Life SA uses personal data, the Data Subject can contact the Data Protection Officer as follows:

AWP Health & Life S.A.
Data Protection Officer
Eurosquare 2 
7 rue Dora Maar
93400 Saint Ouen
France 
Email AWC.DataPrivacyOfficer@allianz.com



AWP Health & Life SA Data Protection Updates

The Data Subject shall be informed of any an important change that may impact the personal data of the Data Subject. Otherwise the Data Subject may contact their AWP Health & Life SA representative or by contacting AWP Health & Life SA directly as specified hereinabove.

This Data Protection Notice was updated on 1 May 2018.

DEFINITIONS

The following terms shall have the meaning given in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“the Regulation”) and as defined hereunder:


Applicable Laws

Unless otherwise stipulated herein, (a) European Union or Member State laws with respect to any Personal Data in respect of which any company of the group Legal Entities is subject to EU Data Protection Laws; and (b) any other applicable Data Protection Law with respect to any Personal Data which any company of a Group of Legal Entities is subject to.

 

Binding Corporate Rules

Personal Data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

 

Confidential Information

Confidential information shall include (but not be limited to) information of a confidential nature relating to policies and policyholders and the business affairs, strategies, commercial and technical knowledge of the parties.

 

Consent of the Data Subject

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

 

Corporate Personal Data

Any Personal Data Processed by a contracted Data Processor and/or Sub-Processor on behalf of the Data Controller or Corporate Group Member of the Data Controller pursuant to or in connection with the relevant Administrative Agreements including but not limited to the signatories to the Administrative Agreement(s) and the present DPA, and any Confidential Information which relates to the Parties’ businesses and/or customers or employees of the Parties.

 

Cross-Border Processing

Processing of Personal Data that takes place in the context of the activities of establishments in more than one Member State of a Data Controller or Data Processor in the European Union where the Data Controller or Data Processor is established in more than one Member State; or processing of Personal Data which takes place in the context of the activities of a single establishment of a Data Controller or Data Processor in the European Union but which substantially affects or is likely to substantially affect Data Subjects in more than one Member State.

 

Data

Personal data, sensitive data and other information made available by the Data Controller to the Data Processer or made available by the Data Processor to Data Controller in connection with the Agreement, and any other data and information processed by the Data Processor in connection with the Agreement, including the personal data of the signatories to the Agreement and the present Addendum, and that which relates to the Parties’ businesses and/or customers or employees of the Parties.

 

Data Controller         

Natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of Personal Data. The role of Controller is not determined by who collects the data or who access to them, but by who determines the purposes and the means of the processing. Legal Entities without own legal personality may be controllers different from the parent company where they determine the purposes and means of the processing performed on their behalf. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

 

Data Processing or Process

Any operation or set of operations which is performed by a Data Processor on behalf of a Data Controller, on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

Data Processor

A natural or legal person and/or legal entity, public authority, agency or other body which processes Personal data on behalf of the Data Controller. Existence of a Processor depends on a decision taken by the controller, who can decide either to process data within his organization or to delegate all or part of the processing activities to an external organization.

Defining elements:

  • Separate legal entity
  • Processing of data on behalf of the controller
  • Processor is called to implement the instructions given by the controller at least with regard to the purpose of the processing and the essential elements of the means


Data Protection Law

All applicable current and/or future international, regional, federal, or national Data Protection Laws, regulatory guidance, legislation, statutes, codes, regulations, recommendations and/or opinions issued by a relevant data protection authority, in any jurisdiction, relating to the Processing of Personal Data, including the privacy and security of Personal Data, including Amended French Data Protection Act no. 78-17 of 06.01.1978 on Information Technology, Data Files and Civil Liberties and, in particular, the General Data Protection Regulation 2016/679 of 27 April 2016 and any European Union or EU Member State legislation, regulation, recommendation or opinion replacing, adding to or amending, extending, repealing or consolidating the Data Protection Law relating to the requirements on collection, processing and use of Personal Data by Data Processors on behalf of Data Controllers.

 

Data Protection Supervisory Authority

An independent public authority which is established by a Member State pursuant to Article 51 of the Regulation; a supervisory authority which is concerned by the processing of personal data because:

  • the controller or processor is established on the territory of the Member State of that supervisory authority;
  • data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
  • a complaint has been lodged with that supervisory authority;

The French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés), hereinafter referred to as the “CNIL”) is the French Supervising Authority. The CNIL is an independent administrative authority responsible for ensuring that information technology remains at the service of citizens, and does not jeopardise human identity or breach human rights, privacy, or individual or public liberties. It supervises enforcement of Data Protection Agreement and frequently issues decisions and guidelines relating thererto. www.cnil.fr/english/

 

Data Subject

The identified or identifiable natural living person to whom the personal data relates; an identifiable natural living person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

Data Subject Request

A request from a Data Subject for access to, correction, amendment, transfer or Deletion of the Personal Data of the person

 

Data Transfers Outside the EEA

The processing or disclosure of the personal data to any party who carries on business, outside of the European Economic Area ( EEA) in compliance with applicable data protection laws. The use of standard contractual clauses in Data Transfer Agreements entered into between Parties or any other third-parties upon approval of the Data Controller for the transfer of Personal data outside of the EEA (Commission Decision 2010/87/EU), or any replacement clauses subsequently approved by the European Commission shall be required. All data processing will be in accordance with the terms and conditions stipulated in all Data Transfer Agreements providing the Information on Personal Data Processing required by GDPR articles 13 and 14.

 

Identifiable Natural Person

Natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as defined in GDPR, Article 4.1

 

Information System

Any structured set of Personal Data which are accessible according to specific criteria, whatever the form or method of its creation, storage, organisation and access. It may be comprised of any one or more kinds of Support (eg: data bases, physical files, computer directories, etc)

 

Legal Entities (Group of)

In respect to either Party, a related legal entity is: a controlling legal entity and its controlled legal entities:

(a)        a controlling corporate body;

(b)       a controlled corporate body affiliate; or

(c)        a controlled corporate body affiliate of a controlling corporate body.

For the purposes of this definition:

  • Corporate Body Affiliate means a legal entity that owns or controls, is owned or controlled by, or is or under common control or ownership with Company where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
  • Corporate Group Member means Corporate Body or any Corporate Body Affiliate;
  • Corporate Personal Data means any Personal Data Processed by a Contracted Processor on behalf of a Corporate Group Member pursuant to or in connection with the relevant Administrative Agreements;


One corporate body controls another when at the relevant time:

(a)        it owns either directly or indirectly or is otherwise in a position to cast, or control the casting of, not less than 50% of the shares entitled to vote at general meetings of that other corporate body; or

(b)       it controls the composition of a majority of the board of that other corporate body.

 

 

Pseudonymisation

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

 

Personal Data

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

 

Personal Data Breach

Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

 

Recipient

A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. 2However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

 

Regulator

As applicable, any person or law enforcement or other agency having Regulatory,  supervisory   or  governmental   authority  (whether   under  a  statutory  scheme  or otherwise) over all or any part of the Processing of Personal Data in connection with the provision or receipt of the Services, including, without limitation, the European Data Protection Supervisory Authorities.

 

Sensitive Data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

  • ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
  • ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
  • ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

 

Sub-Processor  

Any Third Party subcontractor (excluding employees of a Data Controller or any employees of a sub-contractor of a Data Controller) appointed on behalf of a Data Controller by a Data Processor to Process Personal Data  -also may be referred to as a Contracted Sub-Processor or Subcontractor for purposes of applicable Data Protection Laws.

 

For the purposes of applicable Data Transfers Outside the EEA, as stipulated herein, a contracted Sub-Processor means any processor engaged by a Data Importer or by any other Sub-Processor of the Data Importer who agrees to receive from the Data Importer or from any other Sub-Processor of the Data Importer Personal Data exclusively intended for Processing activities to be performed on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract.

 

Standard Contractual Clauses

The contractual clauses stipulated in a Data Transfer Agreement executed by and between a Data Controller and a Data Processor and/or a Data Controller and a Data Controller, transferring Personal Data from the EEA to a Data Processor or other Data Controller in a Third Country, which is subject to the Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those Data Protection Laws in particular pursuant to the European Commission's decision of 5 February 2010 on Standard Contractual  Clauses  for  the  transfer  of  Personal  Data  to  processors  established  in  Third Countries.

 

Technical and Organisational Security Measures

Those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of Data over a network, and against all other unlawful forms of processing.

 

Third Country(ies)

A country or Recipient: (i) not recognized by the European Commission as providing an adequate level of protection for Personal Data; and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data.

 

Third party

A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;