Data protection policy

Aware of the importance of ensuring their confidentiality, Verlingue is strongly committed to the protection of personal data (hereinafter “DCP”).
Verlingue has therefore drawn up this policy (hereinafter the “Policy”) to inform you of the use made of your PII and the precautions taken to guarantee its confidentiality.

Definitions-Scope of application

A DCP is defined as “any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more factors specific to that person”.

Examples: a surname, first name, telephone number, location data, online identifier, photograph, IP address, voice recording, etc.

The processing of personal data includes “any operation or set of operations which is performed upon such data, regardless of the process used, and in particular collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

The Data Subject is any individual whose personal data is processed by Verlingue as part of its activities. This includes, but is not limited to:

  • users of websites and extranets,
  • policyholders/members who are natural persons,
  •  the policyholder’s natural beneficiaries,
  • employees and directors of corporate customers,
  • employees and managers of commercial partners,
  • healthcare professionals,
  • employees of service providers,
  • employees and managers of companies in the Adelaide Group

This Policy applies to all processing of PII, within the meaning of Act no. 78-17 of 6 January 1978 as amended, known as the Data Protection Act, and the General Data Protection Regulation of 27 April 2016 (hereinafter “GDPR”), carried out by Verlingue in the context of its activities, regardless of the method of collection and processing.

Identity of the data controller

In the context of its insurance distribution business, Verlingue acts as the controller of the DCP collected and processed. However, Verlingue may act either as a processor (Article 28 of the GDPR) or as a joint controller (Article 26 of the GDPR). The Data Subjects will be informed of this capacity at the time their DCP is collected and processed.

In the specific context of its activities as a “Broker delegated to manage” by insurance companies, Verlingue acts in principle as joint data controller with the insurance company. A formal agreement defines the roles and responsibilities of the joint processors.

In accordance with the provisions of Article 26.2 of the RGPD, Data Subjects will be able to access the broad outlines of this agreement in particular by means of the information notices provided to them. Data Subjects will also be able to exercise their rights with regard to and against each of the data controllers.

It is understood that this Policy applies regardless of Verlingue’s status with regard to data protection regulations.

What personal data are processed?

The following personal data are processed by Verlingue as part of its insurance distribution activities:

Connection to sites: connection, browsing and location data (cookies, connection method, type and version of Internet browser, operating system used, URL address, etc.).

Identification of persons interested in the contract: civil status, documents proving identity, contact details, nationality, social security number (NIR), etc.

Information relating to the family, economic, property and financial situation: in particular, bank details, marital status, household composition, number and age of children.

Professional information: including socio-professional category, field of activity, professional skills and qualifications, proof of unemployment, income from work, sick leave, holidays.

The information needed to assess the risk and provide cover: in particular location data, information on insurable assets, health information, information on convictions or offences, information on claims experience and previous claims.

Verlingue specifies that in the course of its activities it is required to process “special categories of data” within the meaning of the regulations, in particular data concerning health. Verlingue will ensure that it processes such data in compliance with the provisions of Article 9 of the GDPR.

Verlingue ensures that it only collects PII that is strictly necessary for the purposes of the processing carried out (data minimisation).

It should be noted that PCDs are collected by Verlingue directly or indirectly on its own initiative and in its capacity as data controller or, where applicable, on the initiative of persons for whom Verlingue acts as subcontractor.

Legal basis and Purposes of processing

The processing carried out is for explicit, legitimate and specific purposes.

In accordance with Article 6 of the RGPD, the legal basis for the processing carried out by Verlingue is either:

  • the person’s consent,
  • legitimate interest,
  • compliance with a legal obligation to which Verlingue is subject,
  •  the performance of a contract to which the data subject is a party or the performance of pre-contractual measures taken at the data subject’s request.

Verlingue collects PCDs for the following purposes:

  • proposing offers and services tailored to your needs, carrying out specific studies and consultancy, administrative management,
  • conclusion, performance and management of insurance contracts,
  • combating fraud, money laundering and the financing of terrorism,
  • development of statics and actuarial studies,
  • setting up sales prospecting operations
  • ensure that your complaints are followed up and processed
  • to compile statistics on website visits. To find out more, please consult our cookies policy,
  • contact us online to speak to one of our advisers.

Some of the purposes listed above may require your consent. In this case, consent will be obtained at the time the DCP is collected.

Where Verlingue intends to process DCP for purposes other than those listed above, it undertakes to inform the persons concerned and to obtain their prior consent if this is required in accordance with the GDPR or any other data protection legislation.

Data Subjects are informed that consent is not required where processing is necessary for the performance of a contract to which they are party. The same applies to the performance of pre-contractual measures taken at the request of the Data Subject.

Recipients of personal data

The recipients of DCP are the Verlingue departments concerned. It may be communicated, if necessary, to other entities, in particular:

  • insurers in the performance of insurance contracts,
  • subcontractors to the extent necessary to carry out the tasks entrusted to them,
  • third parties authorised to process your DCP, such as public authorities with specific prerogatives,
  • customers who are individuals or legal entities when they act as policyholders,
  • to our partners in the context of the assignments entrusted to us and solely for the purposes of statistical and actuarial studies.

When Verlingue uses a subcontractor to process DCP, it ensures that the subcontractor provides sufficient guarantees and formalises a written agreement to ensure the same level of confidentiality as if the DCP had been processed by Verlingue.

These DCP may be transferred outside the European Economic Area, in compliance with the applicable legal and regulatory provisions, in particular the RGPD, and subject to appropriate safeguards

Retention period – Data security

Verlingue keeps PCDs in a secure environment for as long as is necessary for the purposes set out above.

Verlingue may retain certain DCP for:

  • meet a legal obligation to retain data for a predetermined period,
  • guarantee the applicable legal limitation/forclusion periods, particularly in insurance, commercial, civil and tax matters,
  • for statistical and actuarial purposes,

At the end of the applicable limitation period, DCP will either be anonymised or deleted in accordance with the conditions laid down by Verlingue.

Verlingue will do everything in its power to guarantee the confidentiality and security of DCP, but cannot guarantee that there will be no vulnerabilities, in particular due to developments in intrusion techniques used by offenders.

Personal law

In accordance with the regulations, you have a right of access, rectification, deletion, limitation, portability and opposition on legitimate grounds to the processing of your personal data (see www.cnil.fr for more information on your rights).

To exercise these rights or if you have any questions about the processing of DCP, you can contact our Data Protection Officer (DPO):
– Contact our DPO via e-mail: dpo@verlingue.fr
– Contact our DPO by post:
Le Délégué à la Protection des données
Verlingue SAS
12 rue de Kerogan 29335 QUIMPER CEDEX

n accordance with regulations and to guarantee the confidentiality of DCP, you may be asked to prove your identity by any means, in particular by producing an identity document if necessary.

For any further information or if, after contacting us, you feel that your rights with regard to data processing, data files and individual liberties have not been respected, you may submit a complaint to the CNIL.

Changes to the data protection policy

This policy is updated annually and may change in the event of new national and/or European regulations on data protection. Please consult this Policy regularly

 

Last update our: 2024