Privacy, cookies and GDPR
What is GDPR?
The EU's General Data Protection Regulation (GDPR) compels companies that are active in the EU to comply with the new regulation regarding the protection of personal data. Expat & C° takes the protection of your personal data seriously and has therefore implemented all sorts of measures to keep your data safe.
As part of our aspiration to be as transparent as possible, we would like to provide you with the answers to a few frequently asked questions.
Which information is being collected?
The information we gather can be classified into two categories:
General information: General information (e.g. your name, your contact details, your bank details, profession etc.) is information we need to administer your policy and claims (legitimate interests), but also to comply with other legislation we are subject to (compliance with legal obligation), for instance the ‘Anti Money Laundering and Countering Financing of Terrorism Act’, ‘Bribery Act’, ‘Markets in Financial Instruments Directive’ …
Financial and Medical information: Financial and Medical information is needed for two reasons (legitimate interests):
We need financial/medical information to assess the risks to be insured and to provide you with the most suitable insurance policy (e.g. medical care policies, loss of income policies).
We also need financial/medical information to handle your claims in accordance with the policy conditions that you subscribed to.
Why is this information being collected?
GDPR forces companies to collect only the personal data they absolutely need. This minimalistic view of data gathering was already part of our way of working before the GDPR obliged us to adopt it. On the contrary, the above-mentioned Acts and Directives sometimes oblige us to gather more information than is strictly needed for the insurance business.
The information we gather depends on the insurance policy. For example, we only require a health questionnaire to be filled out when one wants to obtain an Expat Insurance, our most comprehensive policy. A medical examination is only requested for term life insurance and disability pension. For our other policies, we normally do not require that much information, which shows we are already quite minimalistic when it comes to data collection.
The personal data submitted to the Underwriter are only intended for the following purposes: evaluation of the insured risks, management of the commercial relationship, management of the insurance contract and the claims covered by it, control of the portfolio and the prevention of fraud or abuse.
How will this information be used?
We will only use your personal data to evaluate the insured risks, to administer your policy and to provide the services you have requested from us. Some personal data can be used for marketing actions (mailings, newsletters), unless you have raised objections.
Who will this information be shared with?
This information (or part of it) can be transferred to our reinsurer and service providers (e.g. Assistance Companies), or to an expert or counsel, for the execution of their part of the service. Some of our IT partners can see parts of the data.
All external service providers are bound by a special privacy contract.
Employees have limited access to data. Medical and financial information is only accessible to the underwriting and claims management services as part of their duties.
All information is handled with the greatest discretion.
How long will this information be in our possession?
This information will be in our possession for as long as we provide you with our insurance services.
When your policy comes to an end, and all claims are handled, we are legally obliged to retain your data for a minimum of 5 years after the last contact (MIFID Regulation), and financial data for 10 years (tax regulation). Data of persons blacklisted for (attempted) insurance fraud, money laundering, bribery etc… can be kept as long as we think is necessary for legal procedures and for the prevention of new attempts.
Are you subject to profiling?
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Expat & Co only profiles to estimate and evaluate the insured risks.
What are your rights?
All persons involved have the right:
- To access their own personal data
- To have their personal data corrected if necessary
- To have their personal data erased
Please note that we are legally obliged to preserve your personal data during a certain period. Personal data cannot be completely erased during that period.
- To transfer their personal data
- To withdraw their consent, or to limit data processing
Please note that we cannot fully administer your policy and handle your claims correctly without the required personal details. The withdrawal of your consent, or limited consent, will undoubtedly have its repercussions and we will not be able to provide the service you have chosen.
How do we protect your personal data?
We have limited employees' access to data, we have implemented systems that encrypt all your personal data, we use advanced antivirus/antimalware detection programs and we host our data in reliable European data centers. We will make sure to keep these systems up to date, in accordance with the latest technological changes.
Hard copy documents are stored in a closed archive, with limited access.
Expat & Co
Lange Haagstraat 72
1700 Dilbeek (Belgium)
+32 2 463 04 04
Data Protection Officer
+32 2 463 04 04
Your right to lodge a complaint
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to submit a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the European Regulation.
For Belgium this is www.privacycommission.be