At Generali Employee Benefits, we understand the importance of respecting your fundamental rights and freedoms regarding your privacy and the protection of your personal data. We are committed to ensuring the confidentiality and security of the personal data we collect and process.
This section of our dedicated privacy page aims to inform you about our practices regarding the collection, use and disclosure of personal data in the context of our core services (reinsurance, multinational pooling, captive services, global underwriting). It is specifically aimed at the insured data subject.
For these processing activities, GEB is to be considered the responsible data controller as we determine both the why (purpose) and the how (means) of processing:
Assicurazioni Generali S.p.A
Grand-Duché de Luxembourg
Tel: +352 24 84 46
Our privacy page was last updated on 28/07/2020.
For the purpose of our privacy page, the following definitions apply:
Generali Employee Benefits, “GEB” or “we”
Assicurazioni Generali S.p.A Luxembourg Branch (“GEB”), with registered office at Boulevard Marcel Cahen 52, L-1311 Luxembourg Grand-Duché de Luxembourg
The General Data Protection Regulation meaning EU Regulation 2016/679 of the European Union and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Sensitive personal data
Sensitive personal data is any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Controller means the natural or legal person which alone or jointly with others determines the purposes and means of the processing of personal data
Processor is the natural or legal person, which processes data on behalf of the controller
Data subject or “you”
Data subject means a natural person whose personal data is being processed
How does GEB collect your personal data?
GEB does not collect your personal data directly from you. We receive it through external sources such as our network partners, brokers, consultants and multinational or captive clients.
We obtain your personal data in the following ways:
- Through our global network of partners
When your employer subscribes to an employee benefits insurance policy, our network partner, functioning as initial and local insurer, obtains your personal data. The same goes for the situation where you make a claim. The network partners send all this information, amongst which is personal data, to GEB. This is either done as part of the (re)insurance chain, in the context of claims handling or for underwriting and quotations purposes.
- Through your employer
For quotations and underwriting purposes, your employer sometimes directly sends personal data to GEB. In this context, your employer should be understood as the local entity or the group level entity.
Which personal data does GEB collect?
In order to provide our services to our clients and fulfil our reinsurance function we process a wide variety of personal data, including special categories of (sensitive) personal data. Below is a comprehensive overview of all personal data we collect and process when offering our reinsurance, pooling, captive and (global) underwriting services.
For general quotations and underwriting, we collect and process the following personal data:
- Non-medical underwriting & quotes (in the form of census data):
- Date of birth;
- Salary amount;
- (Individual) medical underwriting & quotes (depending on the age and sum insured):
- Independent medical examination results;
- Blood profile (Blood Haematology + formula, FBS (Fasting blood sugar), Lipids (total cholesterol, HDL, triglycerides), CR (creatinine), BSR (blood sedimentation rate), CRP (C-reactive protein), Transaminase (SGOT and SGPT), GGT (Gamma-glutamyl transpeptidase), HBsAg (also HBeAg if HBsAg is positive), HCV, UA (uric acid), PSA (Prostate-specific antigen));
- Blood profile (AP (alkaline phosphatase), ELPHO (Protein electrophoresis), BIL (bilirubin - total, direct));
- Laboratory urinalysis;
- HIV antibodies;
- Resting & exercise ECG (graph and report);
- Chest X ray;
- Abdominal echo graph;
- HIV test.
For reinsurance activities, multinational pooling and captive services, we collect and process the following personal data:
- Unique ID number, provided to us by the network partner;
- Name and surname;
- Date of birth;
- Claim date;
- Payment date;
- Claim description.
For health and wellness reporting services, we collect and process the following data:
- Date of birth;
- Date of healthcare service;
- Date of discharge;
- Medical service provider ID;
- Medical service provider name;
- Diagnosis code;
- Diagnosis description;
- Claim submitted amount;
- Claim paid amount.
If necessary for the fulfilment of the (re)insurance policy, it may occur that we collect personal data of a relative (e.g. spouse, children, etc.).
For which purposes does GEB process your personal data?
We process your personal data for the following purposes:
- Non-medical underwriting and quotes
For non-medical underwriting and quotes, we process personal data based on our legitimate interest to provide our clients with accurate and market-oriented quotations and offers. As a quotation can potentially result in risk and exposure to GEB, it is in our legitimate interest to process and analyse the personal data in order to correctly assess all risks involved.
- Individual medical underwriting and quotes
The same holds for (individual) medical underwriting and quotes. However, for medical underwriting we also require sensitive personal data. We process this sensitive data based on the explicit consent you provided to our network partner (local insurer). Due to the potentially high sum insured and the linked risk and exposure for GEB, we need the medical and health related data to correctly assess any risks involved.
- Reinsurance (including claim handling), multinational pooling and captive services
For our reinsurance activities, pooling and captive services we process personal data based on our legitimate interest to run our business and provide services to our clients and network partners. As a reinsurer, we need the personal data to validate claims and prevent fraud and money laundering. For other services we need the personal data as it is inherently part of our network and single point of contact function to collect all necessary data and bundle it in valuable reports for our clients. If we process sensitive personal data during the claim handling process, we do so under the exception that the processing is necessary for the establishment, exercise or defence of legal claims. This reasoning is based on the fact that claims handling is considered an administrative process for settling legal claims.
- Health and wellness
For our health and wellness reporting services, we process sensitive data for statistical purposes. We do this to offer meaningful reports and insights to our clients using only aggregated data.
With which parties does GEB share your personal data and why?
We share your personal data with the following parties:
- Law enforcement, government and regulatory agencies or to other third parties as required by, and in accordance with, applicable law or regulation
Within the limits of the applicable laws, we share your personal data with authorities, law enforcement and government agencies upon their request in order to prevent criminal activities, meet national security requirements or respect law enforcement injunctions.
- Third parties that provide applications & systems
When necessary, we share your personal data with third parties whose services we are using (e.g. hosting services such as cloud providers, security service providers).
- Captive clients
We share reinsurance and quotations data with captive clients. As they are the retrocessionaire, they bear the final reinsurance risk and exposure. As a result, they have the legitimate interest in receiving all personal data involved.
- Network partners
When we fulfil our function as network manager and administrator, we occasionally share personal data with our network partners.
- Generali Group Head Office
When we fulfil our function as network manager and administrator, we occasionally share personal data with Generali Group Head Office (Assicurazioni Generali S.p.A, a limited liability company under Italian law, having its registered office at piazza Duca degli Abruzzi, 34132 Trieste, Italy). They assist us with specialized services such as, but not limited to, central underwriting.
We may transfer personal data to countries that are not in the European Economic Area (EEA). However, if such transfer occurs and the country does not fall under a Commission adequacy decision, GEB will ensure that appropriate safeguards are in place that provide sufficient protection for your fundamental privacy rights and freedoms. Such safeguards include, but are not limited to, Standard Contractual Clauses, as approved by the European Commission.
Which rights do you have and how can you exercise them?
GEB respects to the fullest extent the rights you have as a data subject. These rights include:
- The right of access
If you can prove your identity, you have the right to access all the information GEB has on you. This includes whether or not we have any data on you, the purposes for which we process your data, the types of personal data concerned, the recipients to whom your personal data will be disclosed and the rights you have under the GDPR.
You can exercise your right of access by sending an e-mail to firstname.lastname@example.org. We will provide you with one copy free of charge. For any additional copies, we may charge an administrative fee.
- The right of rectification
You have the right to rectify inaccurate, incorrect or outdated personal data we may have on you. Where personal data is incomplete, you have the right to complete it, including by means of providing a supplementary statement.
You can exercise your right of rectification by sending an e-mail to email@example.com.
- The right of erasure
You have the right to have your personal data erased without undue delay if one of the following conditions applies:
- The personal data is no longer necessary for the purpose for which it was collected;
- You withdraw your consent, if the legal basis for processing is consent;
- You exercise your right to object and we have no overriding legitimate grounds to continue the processing;
- The personal data has been unlawfully processed;
- We have to erase your personal data to be in compliance with a legal obligation under EU or Member State law.
You can exercise your right of erasure by sending an e-mail to firstname.lastname@example.org. It is up to GEB to assess the presence of the abovementioned criteria.
- The right of restriction
You have the right to obtain from us the restriction of the processing of your personal data if one of the following conditions applies:
- For the period enabling us to verify the accuracy of your personal data, if you have contested the accuracy of the personal data;
- The processing is unlawful and you request the restriction of processing instead of the erasure of the data concerned;
- We no longer need the personal data for the purposes for which it was collected but you need it for the establishment, exercise or defence of legal claims (e.g. an insurance claim);
- When you exercised your right to object, for the period we need to verify whether the legitimate grounds we rely upon override yours.
You can exercise your right of restriction by sending an e-mail to email@example.com. It is up to GEB to assess the presence of the abovementioned criteria.
- The right to object and not be subject to automated individual decision making (including profiling)
You have the right to object, at any time and on grounds specifically related to your particular situation, to the processing of your personal data provided that we process the data concerned based on our legitimate interest. In such case we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is necessary for the establishment, exercise or defence of legal claims (e.g. insurance claims).
Furthermore, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.
You can exercise your right to object and not be subject to automated decision making by sending an e-mail to firstname.lastname@example.org.
- The right to withdraw your consent
You have the right to withdraw your consent at any time for the processing activities for which we requested your consent. Any processing of your personal data we may have performed before your withdrawal shall remain lawful. However, if you do withdraw your consent, it may occur that we cannot provide you with a certain insurance cover.
You can exercise your right to withdraw consent by sending an e-mail to email@example.com.
- The right to lodge a complaint with the Data Protection Authority
You have the right to lodge a complaint with the EU Data Protection Authority in your jurisdiction, namely for Luxembourg the National Data Protection Commission (Commission Nationale pour la Protection des Données – CNPD) (https://cnpd.public.lu/en/commission-nationale.html).
We will duly address all your privacy related requests. Furthermore, within a period of one month, we will provide you either with a comprehensive answer or with clear reasons why the request will take longer than anticipated. To facilitate the exercise of your rights you may use this data subject request form.
How long will GEB retain your personal data?
GEB will only retain your personal data for as long as is necessary to fulfil the purpose for which we collected it.