Data protection policy

The General Data Protection Regulation protects the privacy and rights of individuals. The policy applies to any person who manages or has access to the personal data of living natural persons. Within this context, the LALUX Group entities collect data in a more transparent manner. The policy defines and informs the persons concerned by the personal data held by these entities of the way in which they use and protect the information that the data subjects transmit to them. The policy is designed to ensure that personal data is handled correctly, securely and in accordance with the General Data Protection Regulation. It applies to information regardless of how it is used, recorded and stored and whether it is stored in paper files or electronically.

Personal data is any information that relates to a living natural person that can be identified from the information. The LALUX Group collects information on its clients / prospective clients as part of the management of insurance contracts. Example of personal data: Name, address, telephone number, driving licence number, license plate, health data, etc.

The General Data Protection Regulation is based on data protection principles, or “good information management” rules, i.e. data must be:

• Treated in a lawful, fair and transparent manner with regard to the data subject
• Collected for specific, explicit and legitimate purposes
• Adequate, relevant and limited to what is necessary for the purposes for which they are processed
• Accurate and, if necessary, kept up to date
• Preserved in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed
• Processed in such a way as to guarantee appropriate security of personal data.

Within the LALUX Group, the persons responsible for processing personal data are as follows:

• LALUX Group Société Anonyme
• LA LUXEMBOURGEOISE Société Anonyme d’Assurances
• LA LUXEMBOURGEOISE-VIE Société Anonyme d’Assurances (hereinafter LALUX Vie)
• DKV Luxembourg Société Anonyme, • APROBAT lalux-assurances Société Anonyme

PECOMA Actuarial and Risk S.A. Each controller declares that he respects Luxembourg legislation on the protection of privacy, as well as the provisions of the General Data Protection Regulation as from its entry into force.

In accordance with the General Data Protection Regulation, the controller collects and processes the personal data that the data subjects have communicated to him and those communicated subsequently for the following purposes:

• Assessment of risks, preparing, drawing up, managing and executing insurance contracts. The processing is necessary for the performance of a contract to which the data subject (i.e. the policyholder, the insured person(s)) is a party or for the performance of pre-contractual measures taken at the request of the latter, such as requests for offers/quotes. Personal data is therefore communicated to LALUX Group employees, LALUX network agents, the LALUX network banking partner for the marketing of certain LALUX Vie products, medical consultants, and experts, third parties such as garages, subcontractors, insurance brokers and reinsurers.
• Collecting and transmitting data, as the case may be, to the Administration des Contributions Directes (Luxembourg tax authority) for the purpose, as the case may be, of communicating it to the competent foreign authority of my tax domicile(s), in accordance with the law of 18/12/2015 concerning the automatic exchange of information relating to financial accounts in tax matters. Such processing is necessary in order to comply with a legal obligation to which the LALUX Vie controller is subject.
• Collecting and transmitting, if necessary, to the general social security administration in accordance with the law of 8 June 1999 on complementary pension schemes. Such processing is necessary in order to comply with a legal obligation to which the LALUX Vie controller is subject.
• Collecting and transmitting, if necessary, to the Commissariat Aux Assurances in the context of the amended law of 7 December 2015 on the insurance sector. Such processing is necessary in order to comply with a legal obligation to which the controllers are subject.
• Collect and transmitting, if necessary, to the external auditors within the framework of work required by the amended law of 8 December 1994 on the annual accounts of insurance and reinsurance companies. Such processing is necessary in order to comply with a legal obligation to which the controllers are subject.
• Preventing or detecting any risk of fraud or financial crime (including financing of terrorism, money laundering and prohibitions and restrictive financial measures against individuals, companies or groups). The data controllers use personal data to respect their obligations and comply with any applicable law or regulation. Such processing is necessary in order to comply with a legal obligation to which the controllers are subject or in the legitimate interests of the controllers. Personal data may be shared with a competent authority such as the financial intelligence unit in strict compliance with applicable law.
• Managing the commercial relationship with its customers – including (unless they refuse) informing them about products or services similar or complementary to those they have already subscribed to. Processing is necessary for the legitimate interests of data controllers in order to make their clients aware of and advise them on insurance products and services. Personal data are therefore communicated to the employees of the LALUX Group data controllers and to agents of the LALUX network. This does not apply to health data. These are only processed by the company from which they were collected.
• Corresponding with its lawyers, advisers or any other intervener in order to protect its rights in particular within the framework of the defence or the protection of legal rights and interests (for example the recovery of sums due, the transfer of debts), legal actions, the management of claims or disputes, etc. The processing is necessary in order to comply with a legal obligation or in the legitimate interests of the controllers. Personal data are therefore communicated to the parties mentioned above. The controllers act in accordance with the terms and conditions set out in Article 300 of the amended Insurance Industry Act concerning insurance professional secrecy.

PECOMA Actuarial and Risk S.A (PECOMA) as data controller processes and collects personal data for the following purposes:

• To calculate fees and establish the certificates of the affiliates of supplementary pension plans, underwritten by their employers.
• To establish financial information for employers of affiliates who have subscribed to a supplementary pension plan
• To collect the required data and transmit them, if necessary, to the General Social Security Inspectorate according to the amended law of 08/06/1999 relating to the supplementary pension schemes. If applicable, this treatment is necessary to comply with a legal obligation to which the PECOMA controller is subject
• To collect the required data and transmit them, if necessary, to external auditors as part of the work, required by the amended law of 08/12/1994 relating to the annual accounts of insurance and reinsurance companies. This treatment is necessary to respect to a legal obligation to which the controller is subject
• To prevent or detect any risk of fraud or financial crime
• To manage the commercial relationship with employers of affiliates who have subscribed to a supplementary pension plan, and
• To correspond with lawyers, advisors or other stakeholders to protect the rights and interests of PECOMA Actuarial and Risk S.A.

Sometimes data subjects may express their wish not to have their data used but the controller may still be obliged to use them for different reasons. In such a case, the controller will continue to use them if (i) the law obliges him to do so, (ii) he must perform a contractual obligation or a pre-contractual measure, (iii) it is in the public interest to do so or (iv) he has a legitimate interest in doing so.

In the context of data processing relating to a leasing offer, the LALUX agent acts as a business contributor. The business contributor and the leasing company are jointly responsible for this processing. The applicable data protection policy is that of the leasing company and can be consulted on their website. The Data Protection Officer of the leasing company is solely competent to respond to a request for the exercise of rights in connection with this processing or any question relating to data protection.

If the data subject no longer authorizes the processing of their personal data by the data controllers for the following purposes:

• Assessing risks, preparing, establishing, managing, executing insurance contracts
• Transmitting personal data to institutions / bodies that have the legal right to request them
• Preventing or detecting any risk of fraud or financial crime
  To manage the commercial relationship with its customers, except commercial prospecting; this will entail the termination of the contract and, where applicable, payment by the person responsible for processing the surrender value at the time of termination for products with a surrender value, less any costs due.

Therefore, the requirement to provide personal data has a contractual character and conditions the conclusion of the contract. In view of providing information about insurance products or services, if the data subjects object to their data being processed, then they will no longer receive information.

The controller is likely to use automated decision support systems, for example during checks aimed at preventing the risk of fraud, money laundering or financing of terrorism. The controller may use such procedures to enable him to determine whether the activity of a customer or contract involves a risk (of fraud or financial crime). Therefore, additional supporting documents may be requested by the controller, and he has the right not to accept a subscription.

However, the controllers do not carry out any processing involving an automated evaluation based on personal aspects, with the exception of a product distributed by a specific insurance intermediary. Except for the product distributed through a specific intermediary, all decisions are made in a humane and non-automated manner, by processing personal data involving human intervention. Sequencing, which does not involve any decision and does not commit the data subjects to the data controllers, is implemented to target marketing campaigns.

The data storage period is limited to the duration of the insurance contract and the subsequent period during which the data storage is necessary to enable the controllers to comply with their obligations according to the limitation periods or in application of other legal provisions.

Personal data collected from persons who are not customers of the controllers will be deleted from the systems after a period of three years after their last contact with an agent or employee of a controller. The period will be extended by three years if such persons give their explicit permission to process their data during this period.

The persons concerned by the personal data held by the controller have a right to request from the controller access to, rectification or deletion of personal data, or a limitation of the processing relating to personal data, or the right to object to the processing and the right to the portability of their data.

These persons may exercise these rights by sending a request to dpo@lalux.lu, except for PECOMA to dpo@pecoma.lu. The data subjects also have the option of lodging a complaint to a supervisory authority regarding the protection of their personal data.

9.1.

The controller must:

• Manage and process personal data correctly
• Protect the privacy of the data subjects
• Allow a data subject access to all personal data concerning him that is held by the data controller.
•  

9.2.

The controller has the legal responsibility to comply with the General Data Protection Regulation. The controller holds and uses personal data. The controller decides how and why information is used and is responsible for establishing practices and policies that comply with the General Data Protection Regulation.

9.3.

Each member of staff and each agent of the LALUX network who holds personal data must comply with the General Data Protection Regulation when managing this data.

9.4.

The controller’s subcontractors who hold personal data must comply with the General Data Protection Regulation when managing such data.

9.5.

The controller undertakes to respect the principles of data protection (see section 2). This policy is subject to change or modification, in particular in order to comply with regulatory, legislative, jurisprudential or technological developments and to invite the data subject to consult it regularly. For all questions or requests relating to the protection of personal data, please send a message to dpo@lalux.lu.