GDPR
The GDPR is a major new EU regulatory and political milestone. It has been brought into being after more than three years of political negotiation, achieving a shared, unified vision of data confidentiality for European citizens, which represents a vital step towards the single digital market.
The GDPR is important legislation, which AXA Wealth Europe is adopting in full.
The aim of the GDPR is to protect the rights of citizens regarding the way in which their personal data are processed by businesses operating within the EU, as well as by businesses outside the EU which process the personal data of European citizens.
It introduces a set of “digital rights” for EU citizens (explicit consent, access to data, deletion, portability, etc.) and a set of obligations for businesses (such as protection by design and by default, data breach notifications, etc.).
The GDPR is more than a set of technical standards, as it incorporates many ethical and moral concepts relating to privacy as a “human right”, and emphasises values such as “fairness” and “transparency”.
By virtue of this regulation, AXA Wealth Europe is responsible for implementing appropriate measures, such as:
- Ensuring that the customers’ personal data have been collected with their consent or on other legal grounds
- Ensuring that the data are not retained after the storage period laid down by the Law
- Ensuring that only data required for a specific use are collected and used, and that they are used for that specific purpose only
- Ensuring that the personal data are stored in a secure environment to prevent any risks of loss, leakage or theft
The GDPR allows anyone whose personal data may be processed to obtain all information on the processing their data will undergo.
a. Right of Access
Every data subject has the right to access their data held by AXA Wealth Europe. Before granting access, the data controller will always verify the identity of the person making the access request regardless of who this is.
The data controller will make the required data available within one month from receipt of the request.
The right of access is, in principle, exercised free of charge for the data subject unless it involves an excessive expense for the Companies, in which case payment may be requested.
b. Right to withdraw consent
All data subjects have the opportunity to withdraw their consent at any time. The withdrawal of consent does not compromise the lawfulness of the processing for which it was originally given.
c. Right to erasure / correction
Anyone whose personal data has been collected for processing is entitled to have incomplete data completed or inaccurate data changed as quickly as possible.
Data subjects also have the option of requesting that the data controller delete their data, as soon as possible, when:
- The data are no longer required for processing;
- The data subject withdraws consent (and there is no other justification for the Processing);
- The data subject objects to the processing;
- Deletion is necessary in order to comply with a legal obligation.
d. Right to oppose or restrict processing
All data subjects may request that the processing of their data be restricted where:
- The data subject disputes the accuracy of the data in question and requests suspension of processing in order to enable the data controller to verify the quality of the data;
- The subject does not wish to have the data deleted, but merely to restrict their use;
- The data are obsolete, but are needed by the person in question to exercise or defend legal claims.
e. Right to data portability
Data subjects have the right to receive personal data concerning them from AXA Wealth Europe in a structured, commonly used and machine-readable format, and may send this data to another data controller without being hindered by the data controller to whom the personal data was disclosed.
All requests should be sent to the address dpo@axa.lu.
AXA Wealth Europe reserves the right, in the event of a manifestly unfounded or excessive request (repeated request, etc.), to refuse to respond to the request. In case of refusal, AXA Wealth Europe undertakes to indicate the reasons for the refusal and the possibilities for appeal to a higher authority.
In order to allow us to process your request as soon as possible, please provide the following information:
- Your client number
- Your last name
- Your first name
- Your email address
- Your telephone number
- The purpose of your request
- A description of your request
Transfer of data outside the European Union
Data of a personal nature may be transferred to a country outside the European Union in the following authorised cases and subject to the strict limits and conditions laid down by the Luxembourg law on insurance secrecy:
- the destination is a country which provides an adequate level of protection as required by the European Union or which is deemed by a competent authority to do so;
- the transfer is governed by the standard contractual clauses adopted by the European Commission;
- the transfer is to a member of the AXA Group which has signed the binding corporate regulations guaranteeing an adequate level of protection;
- the transfer is authorised pursuant to one of the exceptions set forth in Article 49 of the European Data Protection laws (in particular in the case of the specific consent of the data subject, for the fulfilment of insurance contracts, for the safeguarding of human life, and for the establishment, exercise or defence of legal claims, etc.).
Only the data which are relevant to the purpose of the transfer can be transferred. In order to guarantee legitimate processing of personal data, the Company shall, prior to any transfer or at the request of the data subjects, provide full information on the purpose, the nature of the data and the destination country or countries.
In accordance with the principles described above and in compliance with the conditions and limits set by the law on the insurance sector (Article 300 (2bis)), you are informed that the Company may subcontract the following services and operations to external or intra-group service providers:
- The filtering of the databases of customer names (prospective policyholders, Insured persons and Beneficiaries) in the light of the monitoring lists put in place as part of the fight against money laundering and the financing of terrorism and/or international financial sanctions, in accordance with the legal obligations incumbent on the Company
  - Type of service providers: intra-group companies and external subcontractors;
  - Type of data provided to service providers: personal data identifying the data subjects;
  - Countries concerned: intra-group and external subcontractors (France, Belgium, Germany and Portugal).
- Administration of the digital tools used to underwrite and manage the policy.
  - Type of service provider: external subcontractors;
  - Type of data provided to service providers: the personal identification data of the data subjects as well as the policy-related data;
  - Country of establishment of service providers: France, Luxembourg.
Any new subcontracted services will be indicated in the following section and will be kept up to date at all times.
New outsourced services:
The subcontracting of the operations described above is always subject to the signature by each service provider of a confidentiality agreement concerning the personal data to which it has access.
List of our partners
As part of our aim to constantly improve the quality of our service, we work with and choose subcontractors who are driven by the same high standards and who take great care to respect the confidentiality of personal data (for those who have access to it). Each of them has signed a confidentiality agreement.
As a result, you will find below a regularly updated summary table listing, for each of them:
- The name of the service provider and country;
- The subcontracted services;
- The nature of the information collected (personal data or not)
As this list is subject to change, we recommend that you consult our site regularly.
LIST OF SUBCONTRACTED SERVICES
1 - "Personal data" refers to personally identifiable information, which may include, but is not limited to, the following information: (i) For policyholders who are natural persons: surname, first name(s), date and place of birth, passport/identity card number, national and/or tax identification number, insurance policy number, customer reference, postal and/or electronic address, place of residence, telephone number(s), legal capacity, nationality(ies), profession/activity, identity document(s); (ii) For policyholders who are legal persons: name, postal and/or electronic address, date of incorporation, incorporating documents registration number, national and/or tax identification number, insurance policy number, customer reference, telephone number(s), holding structure, names of beneficial owners.
Insurance policy data may include, but is not limited to, the following information: insurance policy account number(s), insurance policy value, all types of transactions (surrender and payment, policy settlement, transfer of rights, etc.), origin of assets, origin of wealth, insurance policy status statements, etc.
2 - The term "policy(ies)" refers to the insurance policy or capitalisation policy issued by the insurance company.