We are keen to protect personal data. Our commitment is reflected in the emphasis we place on the trust placed in us by our clients, business partners and all those who share personal data with us.
What is the purpose of this Policy?
This Policy (‘Policy’) contains information on how we collect and process your personal data.
It applies to all the personal data we collect from you and to information about you that is provided to us by a third party.
It contains essential complementary information applicable to all the processing carried out by Chapka Assurances.
The Policy is not contractually binding and does not impose an obligation on either party beyond those imposed by the legislation governing the protection of personal data and/or the contractual commitments applicable between us.
Who is the data controller?
Chapka Assurances, a brand of Aon France, whose offices are at 31-35 rue de la Fédération, 75015 Paris, is responsible for the content of this Policy.
We generally act as data controller in relation to the services we provide to our clients when directly or indirectly collecting and processing clients’ personal data.
When and how do we collect your personal data?
In the context of our business as insurance brokers, we process our clients’ personal data. For example, when you subscribe an insurance policy, submit a claim online, browse our websites, use our tools or apply for a job with us, you will send us information, some of which is liable to identify you directly or indirectly.
What data do we collect?
When you request a quote or subscribe a policy online, we ask you to provide the personal data we require for the transaction. We undertake to protect your personal data and privacy. We use the information you provide to record your requests for a quote and the policies you subscribe.
The information we request from you varies according to the services we provide.
However, certain data are required for all the services we provide:
- Contact details such as your first name, surname, title, e-mail address, postal address and telephone numbers; and
- Practical information on how we should contact you (e-mail or post) and whether you wish to sign up for our newsletter.
The data you provide to us directly when subscribing a policy with us
During our various contacts, you may provide us with information about you. Your personal details are collected particularly when you subscribe a policy and so that you can access other offers and services.
These data include the following:
- Information concerning your method of payment (including your bank card number via a payment service provider); and
- Other information you wish to provide to us.
Data we collect during a business relationship
These data include the following:
- Information concerning our business relationship with you, the policies you have subscribed, the services you have requested and (where applicable) invoicing and payment information; and
- Claims submitted to our claims department.
Data we collect in connection with the subscription, management and performance of insurance and/or reinsurance policies
- Data used to identify the parties to a policy and individuals concerned by or involved with the policy (civil status, contact details, nationality, etc.);
- Data required to assess risk (nature of travel service purchased, origin, destination, departure and return dates, and geographic location);
- Policy subscription, application and management data (method of payment, bank account details, etc.);
- Data used to determine or assess losses and settlements (details of claims, data concerning victims, etc.);
- Login and traceability data (cookies); and
- Sensitive data required for the purposes of a policy or in order to take pre-contractual or necessary measures in order to comply with applicable law, regulations and administrative requirements (medical reimbursement data, description of physical injuries, production of medical certificates, medical questionnaires, etc.).
Sensitive data – Data minimisation
We only process sensitive data that we strictly require in order to provide our services. Such data primarily include unique identification numbers, medical data and banking data, and are processed in order for us to fulfil our contractual obligations and provide the requested service. Accordingly, we may request your consent to process and share such data. If you provide us with sensitive data concerning other individuals such as relatives, you must inform the relevant individuals and, where necessary, obtain their consent.
Source of data
We collect data directly from you as well as from the following:
- Individuals concerned by your policy: the person who subscribed the policy and the policy beneficiary(ies);
- Individuals involved with your policy (loss adjusters, victims, etc.); and
- Our key contacts who work for our business partners (insurers, reinsurers, brokers, business providers, etc.).
Information we collect via our websites and social media
‘Websites’ means our online policy subscription website and our professional blogs.
When you purchase one of our services, wish to access content or browse one of our websites, we may collect some or all of the following information:
- Your contact details such as your name, e-mail address, postal address and telephone numbers; and
- Information posted online in public or community discussions and in the context of all other online activities.
You can contact us through social media, links on our websites, plug-ins and social media applications.
You may also choose to link your account with us with third-party social media. When you link your account or contact us, you can authorise us to access information from your social media account (your name, e-mail address, photo, title, birthday, posts and ‘likes’).
If you post information when interacting with us through social media, plug-ins or other applications, depending on your privacy settings, this information could become public.
You can control the information you share on social media using your privacy settings on each social media site. For more information on how to set your privacy settings and how social media sites manage your personal data, please refer to their help guide, privacy policies and conditions of use.
If you browse our websites on your mobile phone or other mobile device, we may collect the IP address temporarily assigned to your device by your provider as well as information on your device’s operating system, your internet service provider and your location.
How do we use your personal data?
Below are details of the various purposes for which we may process your personal data.
Insurance and reinsurance advice and brokerage services:
- Subscription, management and performance of insurance and reinsurance policies;
- Analysis of client’s/insured’s specific requirements;
- Risk analysis, acceptance, control and monitoring;
- Policy management from the pre-contractual phase through to termination;
- Settlement of claims;
- Exercise of remedies and management of claims and disputes;
- Preparation of statistics and data analysis;
- Research and development;
- Compliance with administrative, legislative and regulatory provisions, including those applicable to the following:
  - the fight against money laundering and the financing of terrorism;
  - the fight against fraud; and
  - the freezing of assets, sanctions, etc.
Managing relations with clients and prospects – Invoicing
We process the data of some of our clients’ representatives in order to:
- contact our clients in the context of a current or future relationship;
- send out information on products and services similar to those purchased;
- invite our business partners to events and manage their participation;
- conduct satisfaction surveys; and
- manage invoicing and monitor outstanding debt and disputes.
We process our clients’ data on an aggregated basis in order to prepare placement statistics and develop innovative services for our clients.
We undertake to seek your prior consent to re-use your data for a purpose other than that for which they were collected.
Know-your-client and checks linked to vigilance and anti-corruption.
The legal bases for processing the personal data we collect are as follows:
- Implementation of pre-contractual and contractual measures involving the client, the insured or the beneficiary;
- Fulfilment of statutory and tax obligations;
- Your consent, where necessary; and
- Our legitimate interests, subject to your own interests and fundamental rights.
Do we collect data concerning children?
We do not directly collect personal data from children.
For how long do we retain your personal data?
The period for which we retain data depends on the purpose for which they were collected.
The period for which we retain your data will depend primarily on the services purchased by you and the term of our business relationship.
Owing to our contractual obligations with risk bearers (insurers and reinsurers) as well as the various limitation periods applicable by law, we will retain some of your data after our contractual relationship has ended.
If you do not subscribe a policy, data will be retained for no more than three years from the date they are collected (preparation of a quote, request for information, etc.).
We have adopted appropriate organisational and security measures to ensure that data are permanently destroyed or archived.
Will we share your personal data?
The following persons may access your personal data:
- Individuals who provide services in the context of their respective duties;
- Insurers, co-brokers, managers and assistance companies;
- Service providers, loss adjusters, lawyers and medical consultants;
- Our service providers;
- Individuals concerned by your policy (manager, victims, witnesses and third parties involved with the policy); and
- Authorised third parties (courts, regulatory authority, auditors/controllers (statutory auditors, auditors and internal controllers)).
We do not sell, hire or make available to unaffiliated third parties your personal data for marketing purposes.
We may communicate information concerning you to our partners (insurers, co-brokers, reinsurers, etc.), and certain third parties that provide specialist services (online payment services) may access your personal data. These business partners act as separate or joint data controllers (if management duties are delegated for example) and are responsible for the protection of personal data.
We may use the services of selected service providers.
These third parties are contractually required not to communicate or access personal data transmitted to them in connection with the services provided.
These service providers are:
- IT service providers that host and manage our information system (servers and applications), our back-ups, etc.; and
- Digitalisation, electronic publishing, archiving service providers, etc.
As data are processed by some of our insurance partners in order to manage your claims, processing is likely to involve the transfer of personal data to countries that may or may not be members of the European Economic Area or the United Kingdom, whose data protection legislation differs from that in force in the European Union.
Where data are transferred to these countries, we ensure that adequate legal measures are taken to protect your rights and data in accordance with the requirements imposed by law and our obligations.
- We implement standard contractual clauses approved by the European Commission, which guarantee that personal data are processed according to the level of protection in force within the European Economic Area; and
- We use service providers that are Privacy Shield certified or recipients that have adopted a specific stringent contractual framework, according to the forms adopted by the European Commission, as well as appropriate security measures to protect the personal data that are transferred.
The personal data transfers that are strictly necessary are carried out under conditions and subject to guarantees that ensure that the data remain confidential and secure.
Data transferred outside the European Economic Area are transferred primarily to the United Kingdom and Mauritius.
Additional information on how your data are accessed by recipients outside the EEA can be obtained by contacting us as stated below.
We can also provide you with details of the security measures we have adopted.
What security measures are applied to protect your data?
The security of your personal data is crucial for us, and we have adopted state-of-the-art physical, technical and organisational security measures to protect your data against loss, misuse, accidental modification and destruction. We will protect your data from unauthorised access, use and disclosure, using encryption procedures and access restrictions. Your data may only be accessed by individuals who require such access for the purpose of their duties.
Our service providers are contractually required to keep all personal data confidential and must not use any personal data other than as permitted.
What choices do you have regarding your personal data?
When we collect your personal data or data concerning your relatives, we will inform you which data are compulsory or optional and of the consequences that will arise should you fail to reply.
Our information policies, data forms and questionnaires indicate the fields that must be completed and the reasons why we collect data.
We may suggest products and services to you similar to those for which you contacted us. You may unsubscribe from our communications at any time by clicking on the link in our e-mail or SMS.
Consumers who do not wish to receive unsolicited calls can sign up free of charge to the telephone preference service referred to in Article L223-1 of the French Consumer Code, either directly on the www.bloctel.gouv.fr website or by sending a letter to: Opposetel, Service Bloctel, 6 Rue Nicolas Siret, 10000 Troyes.
However, if you so wish, we will contact you by telephone if you request a quote or submit a request via our online services.
How can you update your communication preferences?
Even if you agree to receive e-mails from us, you can unsubscribe at any time, by following the instructions included in our e-mails.
Right of access
You have the right to access the personal data we hold about you.
You may also get in touch with your usual contact or request a copy of your personal data stored in our databases in accordance with applicable law.
In order to do so, you must produce proof of your identity by providing us with a copy of a valid form of ID. We may ask you to cover the cost of any unjustified or repeated request.
Unless you ask us to use a different means of communication, we will send you the information you request in writing or by e-mail.
You may exercise your right of access by sending an e-mail to email@example.com.
Your request will be processed as quickly as possible and in any case within 30 days. We will inform you if we are unable to reply within this timeframe and will process your request as soon as possible.
If we are unable to respond positively to your request for legal reasons, we will inform you accordingly unless we are prohibited from doing so by virtue of a decision by an administrative or judicial authority or a statutory obligation.
Right to rectification
You have the right to obtain the rectification of inaccurate or incomplete data by providing us with a supplementary statement.
Right to be forgotten – Right to erasure
You have the right to obtain the erasure of your personal data for a specific reason. This applies where data are no longer necessary in relation to the purposes for which they were collected, processed or archived, they have been unlawfully processed or they have to be erased for compliance with a legal obligation.
In certain circumstances, you may also issue instructions concerning the retention, erasure and communication of your personal data after your death.
Right to data portability
You have the right to portability of the data you have provided to us as well as data resulting from the performance of the policy or policies you subscribed with us and data collected with your consent. This right does not apply to anonymous data, data that have been deduced or derived, or structured data included in our information systems.
This right applies on the condition that it is technically feasible to transmit data in a structured, commonly used format that is readable by the information system of another controller.
Right to object
You have the right to object to processing of personal data in our legitimate interests, unless the reasons for the processing are greater than the potential threat to the rights and freedoms of the data subject.
Right to restriction of processing
You can ask us to restrict the processing of your personal data where one of the following applies:
- You contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data;
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- We no longer need the data for the purposes of the processing, but they are required for the establishment, exercise or defence of legal claims; or
- You object to processing based on our legitimate interests, pending verification of whether our legitimate interests override your interests.
Please do not hesitate to contact us at firstname.lastname@example.org for any further information about this Policy.
You have the right to submit a complaint to the Commission Nationale de l’Informatique et des Libertés (CNIL), the regulator that oversees compliance with personal data obligations.
Commission Nationale Informatique et Libertés
3 Place de Fontenoy
75334 Paris Cedex 07
We may update this Policy and you are encouraged to consult the Policy at regular intervals for information on how we process data.
This document was updated on 19 April 2019.