Personal data protection

Policy regarding the protection of personal data within CCR RE

Who are we?

Created in 2016, CCR RE is a reinsurance company governed by the French Insurance Code. A private limited company, its capital, amounting to EUR 90,082,100, is 100% owned by the Caisse Centrale de Réassurance (CCR).

CCR RE covers a wide range of Life, Non-Life and Speciality risks in nearly 80 countries, as well as Natural Disaster risks worldwide. The security of the full range of CCR RE’s reinsurance is underpinned by the stability of both its underwriting policy and its teams.

CCR RE carries out its reinsurance activity. It has two branches overseas (Canada and Malaysia) and a representative office in Lebanon, plus a Luxembourg captive reinsurance subsidiary and three subsidiaries whose main activity is real estate.

Its registered office is located at:
157, boulevard Haussmann
75008 Paris
France
Tel.: 01 44 34 31 00


CCR RE and protection of personal data

CCR RE is responsible for processing personal data (hereafter the “personal data”) for which it has defined the purposes and the resources, in accordance with Regulation (EU) 2016/679 of 27 April 2016 relating to the protection of natural persons with regard to the processing of personal data and the free movement of such data (the “GDPR”).

CCR RE is very mindful of the protection of the personal data of individuals (the “data subjects”) that appears in such processing. This undertaking reflects the special interest that it gives, in addition to its employees and lessees, to other persons whose personal data its clients, partners and service providers are required to provide to it. In its reinsurance activity, CCR RE’s clients are in particular the insurance and reinsurance companies (“the cedants”). CCR RE receives premiums from these cedants in exchange for which it pays them part of their claims. It therefore has no direct (contractual, financial or other) relationship with the insureds and third party victims, about whom these companies might provide it with certain personal data.

To ensure that it provides the best information about the processing of this data, CCR RE has drawn up this Personal Data Protection Policy (the “Policy”). It applies to all personal data that it collects, either directly from the data subjects, or indirectly through its clients, partners and service providers.

In 2016, CCR RE appointed a Data Protection Correspondent and then in 2018 a Data Protection Officer who is bound by professional secrecy and is subject to an obligation of confidentiality in performing his duties:

Arnaud VERREY
157, boulevard Haussmann - 75008 Paris (France)

Any question or request related to the processing of personal data by CCR RE must be sent directly to CCR RE’s Data Protection Officer.

In addition, the data subjects must exercise their rights, supported by a copy of an identity document, by post to said Officer (157 boulevard Haussmann - 75008 Paris) or by email to droit.dacces@ccr.fr.

On what legal grounds do we process your personal data?

The legal grounds for processing are set in Article 6 of the GDPR.


Areas and legal grounds

Market reinsurance
  • Processing necessary for the legitimate purposes pursued by CCR RE, its ceding insurance companies and their insureds, and the third party victims (other than bodily injury).
  • Processing necessary for the performance of a legal obligation to which CCR RE is subject.
  • Consent of an insured or a third party that is a victim of a bodily injury (to be obtained by the cedant prior to the transfer of the risk in accordance with a legal or contractual obligation).

Employee data management
  • Processing necessary for the performance of the employment contract.
  • Processing necessary for the performance of a legal obligation to which CCR RE is subject.

Rental management
  • Processing necessary for the performance of the rental agreement.
  • Processing necessary for the performance of a legal obligation to which CCR RE is subject.

CCR RE's relations with its service providers
  • Processing necessary for the purposes of the legitimate interests pursued by CCR RE and its service providers.

Extranet sites
  • Processing necessary for the purposes of the legitimate interests pursued by CCR RE, its ceding insurance companies and the other visitors to the site.

Website
  • Processing necessary for the purposes of the legitimate interests pursued by CCR RE.
  • Consent for cookies.

Filtering mechanism (AML/CFT, international sanctions)
  • Processing necessary for the performance of a legal obligation to which CCR RE is subject.
  • Processing necessary for the purposes of the legitimate interests pursued by CCR RE.


How do we process your personal data?

Your personal data is collected for specified, explicit and legitimate purposes and is not subsequently processed in a manner that is incompatible with those purposes. It is also adequate, relevant and limited to what is necessary in relation to those purposes.

CCR RE also attaches great importance to the security of your personal data that appears in its processing and does all that it can to ensure state-of-the-art physical, technical and organisational security measures to protect such data against accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access. These measures are reassessed and updated if necessary. A copy of the security measures put in place within the CCR group can be obtained from the DPO.

Only people who need to process your personal data in performing their duties can access it. The processing in which your personal data appears is recorded in a processing register in accordance with the GDPR which is not accessible to you.

This data is almost entirely hosted in France, and secondarily in a State of the European Union, a State that ensures an adequate level of protection or a third State with appropriate safeguards.


What is the purpose of processing your data?
 

Areas, data processed and purposes

Market reinsurance

Data processed:
  • Civil status, identity, identification data.
  • Professional life.
  • Economic and financial information.
  • Private life.
  • Health data.

Purposes:
  • Taking out, managing and performing reinsurance treaties.
  • Assessment, acceptance, control and monitoring of the risk.
  • Payment of claims.
  • Compilation of statistics, data analysis and actuarial studies.
  • Research and development activities.
  • Compliance with the applicable regulations (including the setting up of regulatory provisions and other capital requirements).

Employee data management

Data processed:
  • Civil status, identity, identification data.
  • Professional life.
  • Private life.
  • Economic and financial information.

Purposes:
  • Documentation with a view to possible recruitment.
  • Entering into and performance of an employment contract from the date that it is entered into until its expiry.

Rental management

Data processed:
  • Civil status, identity, identification data.
  • Professional life.
  • Private life.
  • Economic and financial information.

Purposes:
  • Entering into and performance of the lease from the date that it is entered into until its expiry.
  • Management of the relations between CCR RE and its lessees.

Relations with its service providers

Data processed:
  • Civil status, identity, identification data.
  • Professional life.

Purposes:
  • Management of the contacts between CCR RE and its points of contact within its service providers, in all of CCR RE's areas of activity.

Extranet sites

Data processed:
  • Civil status, identity, identification data.
  • Professional life.

Purposes:
  • Management of online spaces dedicated to market reinsurance.

Website

Data processed:
  • Civil status, identity, identification data.
  • Professional life.

Purposes:
  • Management of a public site on the governance, mission and activities of CCR RE.

Filtering mechanism (AML/CFT, international sanctions)

Data processed:
  • Civil status, identity, identification data.
  • Professional life.
  • Economic and financial information.
  • Private life.

Purposes:
  • To detect a money laundering or financing of terrorism operation.
  • Not to pay, via a cedant, a person subject to an international sanction.


For how long is your personal data kept?

Your personal data is kept for a period not exceeding that needed for the purposes for which it is processed or for any other authorised purposes. Because of the specific nature of the insurance and reinsurance sector, CCR RE is required to keep certain personal data of insureds and third party victims beyond the period of the reinsurance contract plus the applicable statutory limitation period.

Also, CCR RE may keep your personal data for a longer period, once aggregated or anonymised, as such data is then no longer governed by the GDPR.

Who are the recipients of your personal data?

In respect of the purposes set forth, the list of recipients authorised to know your personal data is strictly limited. It concerns the relevant departments of CCR RE, CCR and their respective subsidiary companies, plus those of any of their service providers and subcontractors.

In addition, CCR RE can transmit your personal data to any court, any regulatory or control body as well as to any public authority, should this be required.

In its reinsurance activity, CCR RE transfers personal data to its Canadian branch and to its representative office in Lebanon, which are located outside of the European Union. Transfers to Canada, which is a State ensuring an adequate level of protection in the event of the transfer of personal data associated with a professional activity, do not require specific and appropriate safeguards. In March 2017, CCR RE (registered office) entered into standard data protection clauses with its representative office in Lebanon.

What are your rights regarding the data collected?

You can exercise a certain number of rights with CCR RE, which will consider your request and reply to you within the applicable legal time frames:

the right of access (Article 15 of the GDPR) gives you the opportunity to get CCR RE to provide you, in an accessible form, with the personal data concerning you, together with any available information regarding its origin.

the right to question (Article 15 of the GDPR) allows you to question CCR RE to enable it to provide you with any information relating to your personal data and the processing thereof.

the right to rectification (Article 16 of the GDPR) offers you the possibility of obtaining rectification of the personal data concerning you, when it is inaccurate.

the right to erasure (right to "be forgotten") (Article 17 of the GDPR) allows you to obtain the erasure of the personal data concerning you when:

  • your personal data is no longer necessary in relation to the purposes for which it was collected or processed;
  • you withdraw your consent and there is no other legal ground for the processing;
  • you object to the processing and there are no overriding legitimate grounds for the processing;
  • your personal data has been unlawfully processed;
  • your personal data has to be erased to comply with a legal obligation.


the right to object (Article 21 of the GDPR) gives you the possibility to object, at any time, for reasons relating to your particular situation, to the processing of personal data concerning you when the processing is based on your consent or CCR RE's legitimate interest or your personal data is processed for marketing purposes.

the right to restriction of processing (Article 18 of the GDPR) allows you to obtain from CCR RE the restriction of processing when:

  • you contest the accuracy of your personal data, for a period enabling CCR RE to verify the accuracy of such data;
  • the processing of your personal data is unlawful and you object to its erasure and request the restriction of its use instead;
  • CCR RE no longer needs your personal data for processing purposes, but it is still needed by you for the establishment, exercise or defence of legal rights;
  • you object to the processing, pending the verification regarding whether the legitimate grounds pursued by CCR RE override your own interest.


the right to portability of the personal data (Article 20 of the GDPR) gives you the possibility of receiving, in a structured, commonly used and machine-readable format, your personal data which you have provided to CCR RE and the right to transmit such data to another data controller without hindrance from CCR RE, when:

  • the processing is based on your consent or on a contract;
  • the processing is carried out by automated means.

Where it is technically possible, you have the right to have your personal data transmitted directly from one data controller to another.

Where applicable, you have a right to complain to the CNIL (French data protection authority) if you consider, after having exercised your rights with CCR RE, that said rights have not been respected:

Commission Nationale Informatique et Libertés (CNIL)
3 Place de Fontenoy
TSA 80715
75334 Paris Cedex 07

Miscellaneous

This Policy is dated 2 September 2020.

It is accessible from the websites of CCR and CCR RE and a copy of this Policy can be sent by CCR RE on request.

The information contained in this Policy is provided for information purposes. The information can be subject to amendments, corrections, updates or partial or total deletions at any time without any prior notice from CCR RE.