Verlingue appreciates the importance of ensuring that data remains confidential and makes strong commitments with regard to the protection of personal data.
Therefore, Verlingue has drafted this policy (hereinafter referred to as the “Policy”) to explain how your personal data are used, along with the precautions taken to ensure they remain confidential.
Personal data refers to “any information relating to a natural person who can be directly or indirectly identified or identifiable, by referring to an identification number or to one or more elements that are specific to them”.
Examples: a name, first name, phone number, location data, online identifier, photograph, IP address, voice recording, etc.
“Any operation or set of operations involving personal data, irrespective of the process used, including collecting, recording, organizing, storing, adapting or modifying, extracting, consulting, using, communicating by transmission, disseminating or any other form of provision, matching or profiling, as well as blocking, erasure or destruction” represent processing of personal data.
The Data Subject of personal data processing operations refers to any natural person whose personal data are processed by Verlingue in the course of its activities. These include, but are not limited to, the following:
- users of websites and extranets,
- insured persons/individual members,
- the beneficiaries, who are the natural persons of the insured persons,
- employees and managers of corporate clients,
- employees and managers of business partners,
- health professionals,
- the employees of the service providers,
- employees and managers who are individuals of Adelaïde Group companies.
This Policy applies to all processing of personal data, within the meaning of Act No. 78-17 of 6 January 1978 as amended, entitled the Data Protection Act and the General Data Protection Regulations of 27 April 2016 (hereafter referred to as the “GDPR”), carried out by Verlingue as part of its activities, whatever their mode of collection and processing.
Identity of the data controller
As part of its insurance distribution activity, Verlingue acts as the data controller of the personal data that is collected and processed. However, Verlingue may act either as a processor (Article 28 of the GDPR) or as a joint controller (Article 26 of the GDPR). Data Subjects will be informed of this quality when their personal data are collected and processed.
In the specific context of its activities as “Broker, management delegate” of insurance companies, Verlingue acts in principle as a joint controller with the Insurance Company. A formalised agreement defines the roles and responsibilities of the joint controllers.
In accordance with the provisions of Article 26.2 of the GDPR, the Data Subjects will be able to access the main features of this agreement, in particular by means of the information notices provided to them. The Data Subjects may also exercise their rights with regard to and against each of the data controllers.
It is understood that this Policy applies regardless of Verlingue’s status under data protection regulations.
What personal data are processed?
In particular, Verlingue processes the following personal data as part of its insurance distribution activities:
Connection to sites: connection, browsing or location data (cookies, connection mode, Internet browser type and version, operating system used, URL address, etc.)
Identification of persons interested in the contract: civil status, documents proving identity, contact details, nationality, social security number (NIR) and so on.
Information relating to the family, economic, property and financial situation: in particular, banking data, marital status, household composition, number and age of children.
Professional information: in particular the socio-professional category, field of activity, professional skills and qualifications, proof of unemployment, labour income, work stoppages, leave.
The information necessary for risk assessment and implementation of guarantees: including location data, information on insurable property, health information, information on convictions or offences, information on claims and claims history.
Verlingue specifies that it is required in the course of its activities to process “special categories of data” within the meaning of the regulations, in particular data concerning health. Verlingue will ensure that these data are processed in accordance with the provisions of Article 9 of the GDPR.
Verlingue ensures that only personal data that are strictly necessary are collected for the purpose of the implemented processes (data minimization).
It should be noted that personal data are collected by Verlingue directly or indirectly at their initiative and as controller or, where applicable, on the initiative of persons for whom Verlingue acts as a processor.
Legal basis and Purposes of the processes
The implemented processes satisfy explicit, legitimate and determined purposes.
In compliance with Article 6 of the GDPR, the legal basis of the processes implemented by Verlingue are as follows:
- the person’s consent,
- legitimate interest,
- compliance with a legal obligation to which Verlingue is subject,
- performance of a contract to which the Data Subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Verlingue collects personal data to fulfil the following purposes:
- putting forward offers and services adapted to your needs, carrying out specific studies and advice, administrative management,
- awarding, executing and managing insurance contracts,
- combating fraud, money laundering and terrorist financing,
- developing statics and actuarial studies,
- setting up commercial prospecting operations,
- ensuring that your claims are followed up and processed,
- contact us online to get in touch with one of our advisers.
Some of the purposes listed above may require your consent. In this case, your consent will be collected when the personal data are collected.
When Verlingue intends to process the personal data for purposes other than those listed above, they undertake to inform the Data Subjects and to obtain their prior consent if it is required in accordance with the GDPR or any other legislation governing data security.
Data Subjects are informed that consent is not required when the processing is necessary for the performance of a contract to which they are party. The same applies to the execution of pre-contractual measures taken at the request of the Data Subject.
Recipients of personal data
The recipients of personal data are the relevant departments of Verlingue. They may be communicated, if necessary, to other entities, in particular to:
- insurers in the performance of insurance contracts,
- processors to the extent necessary to carry out the tasks entrusted to them,
- third parties authorised to process your personal data, such as public authorities with special prerogatives,
- natural or legal person customers when they act as underwriters of insurance contracts,
- our partners for the purposes of the missions entrusted to us and only for statistical and actuarial studies.
When Verlingue uses a processor to process personal data, they will ensure that said processor provides sufficient guarantees and will formalise a written agreement to ensure the same level of confidentiality as if the personal data had been processed by Verlingue.
These personal data may be transferred outside the European Economic Area, in accordance with the applicable legal and regulatory provisions, including the GDPR and with appropriate safeguards.
Retention period – Data security
Verlingue keeps the personal data in a secure environment for the time required to fulfil the processing purpose.
Verlingue may keep certain personal data to:
- comply with a legal obligation to retain the data for a predetermined period,
- guarantee the applicable statutory prescription/limitation periods, particularly for insurance, commercial, civil and tax purposes,
- for statistical and actuarial purposes.
At the end of the applicable limitation period, the personal data will be either anonymised or deleted under the conditions provided for by Verlingue.
Verlingue will make sure to take all due diligence to ensure that the personal data remains confidential and secure, but will not be able to guarantee a total absence of flaws, in particular due to changes in intrusion techniques implemented by perpetrators.
Rights of persons
In accordance with the regulations, you have the right to access, rectify, delete, limit, portability and oppose for legitimate reasons the processing of your personal data (see www.cnil.fr for more information on your rights).
To exercise these rights or for any questions on the processing of personal data, you can contact our Data Protection Officer (DPO):
– Contact our DPO via e-mail: firstname.lastname@example.org
– Contact our DPO by post:
Le Délégué à la Protection des données
12 rue de Kerogan 29335 QUIMPER CEDEX
In compliance with regulations and to guarantee the confidentiality of personal data, you may be required to prove your identity by any means, including if necessary, by providing an identity document.
For any additional information or after contacting us, if you consider that your data processing rights are not observed, you can submit a complaint to the CNIL.
Modification of the data protection policy
This policy may change particularly in accordance with changes to national and/or European data protection regulations.
Please check this Policy regularly.
Last updated: on 1st April 2019