The EU General Data Protection Regulation 2016/679 (“GDPR”) came into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR aims to meet the requirements of the digital age.
The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardise data protection laws and processing across the EU, giving individuals stronger more consistent rights to access and control their personal data.
Advent Insurance PCC (Advent) operates largely through professional third-party service providers – our Agents. These Agents are based in the territories where we sell, or have sold, our insurance products: Ireland, UK, France, Belgium, Spain and Portugal. We also use an authorized Insurance management company in Malta, to run our operations here. Nearly all contact that you, the policyholder, will have with Advent is through one of these Agents. In most cases the Agents both control and process data in their own right, and on our behalf as Insurer.
Advent works with our Agents to be assured of their continuing compliance with the new GDPR regime. Advent has reviewed, and continues to review, our outsourcing contracts to ensure that these capture the obligations of the parties involved and correctly state the Agents' and Advent's GDPR obligations and intentions.
Advent is committed to respecting your privacy rights. To this end we focus on ensuring the security and protection of the personal data we control, that is processed on our behalf by our Agents, and on ensuring that the personal data is used in accordance with the GDPR. We are committed to maintaining a compliant and consistent data protection regime that is effective and fit for purpose and demonstrates an understanding of, and appreciation for, the new Regulation.
Our status of compliance with GDPR is summarised in this statement.
HOW WE COMPLY WITH GDPR
- Information Review - identifying and assessing what personal data our Agents hold on our behalf, where it comes from, how and why it is processed, and if and to whom it is disclosed.
- Policies & Procedures – Having in place data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including: -
- Data protection - Accountability and governance measures to safeguard personal and other important information from corruption, loss or compromise, with a focus on privacy by design, and on the rights of individuals.
- Data Breaches – procedures to ensure that safeguards and measures exist to identify, assess, investigate, report and correct any personal data breach without delay.
- Data Retention & Erasure – procedures to ensure that Advent and its Agents meet the 'data minimisation' and 'storage limitation' principles, that personal data is stored, archived and destroyed compliantly and ethically, and that erasure procedures exist to meet the 'Right to Erasure' obligation. Procedures for record retention also include the maintenance of consent records.
- International Data Transfers & Third-Party Disclosures – procedures and contract terms to provide that Agents may not transfer your personal data to a data importer based in a country outside the EEA without our express written permission. Permission will only be given when the Agent has shown that the data importer is bound by measures to ensure that the data is transferred according to applicable EU law OR that the data importer has signed a data processing agreement to provide adequate protection of processed data according to European standards, for instance by using the applicable EU Model Clauses, or by any agreement which imposes at least an equivalent obligation on the data importer.
- Data Subject Access Request (DSAR) – Agents' procedures to give you access to or details of, your personal data held by them on our behalf, free of charge within 30 days. Agents are also required to have procedures to verify your identity, and to ensure that communications with you are compliant, consistent and adequate.
Lawful Basis for Processing: Whenever we collect or use your personal data, we'll make sure that we have a valid legal basis for doing so and that each basis is appropriate for the activity it relates to. Advent and its Agents use the following legal bases for collecting and processing your personal information:
- Consent: This basis applies when you have clearly given your specific consent for us to use your personal data. Consent is only applicable when using data for the purposes of marketing to you. You can withdraw your consent for us to use your personal data in this way, at any time.
- Contract: this applies when Processing is necessary for a contract Advent has with you, i.e. the insurance policy, or because you have asked us to take specific steps before entering into a contract, such as providing a quotation.
- Legitimate Interests: in addition to needing certain personal data for us to be able to quote for and to provide insurance, and to handle claims under insurance policies, processing may be necessary for Advent or its Agents to perform tasks in the exercise of official authority or in the public interest, such as to meet responsibilities we have to our regulators and tax officials, or otherwise meet our legal responsibilities. For example, this lawful basis may be used to share data legitimately with other insurers for the purposes of detecting fraud. We may also use your personal data to operate and improve our products and services and to keep you informed about them, or for any other relevant purpose to further our legitimate business interests, but never at the expense of your privacy rights. Where Advent or its Agents rely on legitimate interests as a lawful basis for processing data, it is appropriately documented, and details are included in our Privacy Notices.
- Legal obligation: The processing is necessary for Advent or the Agent to comply with the law (other than contractual obligations).
Other legal bases that are unlikely to apply to Advent or its Agents are:
- Public task or Public Interest: This legal basis is applicable to government organisations, e.g. tax departments. Advent does not provide a public service as part of its business and therefore cannot use this legal basis for processing data.
- The processing is necessary to protect someone's life.
If you would like to know more about the legal reasons or legitimate interests that apply to a particular way in which we use your personal information, you can contact either Advent through this website or our Agents at the contact details given below under paragraph headed: Contact details for Data Protection Purposes.
- Records: Advent and its Agents maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR are met.
- Privacy Notices/Policy: Each insurance product sold by Advent has a Privacy Notice. The purpose of the Privacy Notice is to ensure that all individuals whose personal data we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information. The Privacy Notice for the insurance product you have purchased or are thinking of purchasing can be viewed by clicking on the relevant link or document below:
- Obtaining Consent - the mechanisms our Agents use for obtaining your personal data are designed to ensure that you understand what you are providing, why, and how the personal data you give to our Agents will be used. The mechanisms include clear, defined ways for you to consent to our processing of your information. Your consent is recorded to ensure that we can evidence an affirmative opt-in to direct marketing, along with time and date records of when consent was given. The consent mechanisms also provide user friendly steps to allow you to withdraw your consent at any time.
- Direct Marketing - all direct consumer marketing material is produced by our Agents. The wording and processes for direct marketing include: clear opt-in mechanisms for marketing subscriptions; a clear notice and method for opting out of marketing subscriptions; unsubscribe features on all subsequent marketing materials.
- Data Protection Impact Assessments (DPIA) - where our Agents process personal information that is considered high risk, involves large scale processing or includes special category/criminal conviction data, stringent procedures and assessment templates are in place for carrying out impact assessments that comply fully with the GDPR's Article 35 requirements. Documentation processes record each assessment, allow our Agents to rate the risk posed by the processing activity, and implement mitigating measures to reduce the risk posed to the data subject(s).
- Special Category Data - this is personal data which includes information about an individual's race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, and/or sexual orientation. Special Category Data is more sensitive and, therefore, needs more protection. To lawfully Process Special Category Data, Advent and its agents must first identify both a lawful basis (as set out above) and a separate condition for Processing. These do not have to be linked. Separate conditions for processing Special Category Data include Processing necessary for pursuing or defending legal claims, for preventative or occupational medical purposes, for the assessment of the working capacity of an employee, for medical diagnosis or the provision of health or social care, or for arranging certain types of insurance contracts. High-level encryptions and protections are applied on all such data. Where we rely on consent for processing, this is explicit and is verified by a signature, with the right to modify or remove consent being clearly signposted
- Processor Agreements - Advent's Agents are generally both controllers and processors of data in their own right, in addition to being processors of data on Advent's behalf. Advent has entered into compliant Processor Agreements and due diligence procedures with each Agent to ensure that they (as well as we), meet and understand their/our GDPR obligations. These measures include initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organisational measures in place, and compliance with the GDPR.
YOUR RIGHTS AS A DATA SUBJECT
In addition to the policies and procedures mentioned above which ensure that you can enforce your data protection rights, our Agents provide information on their websites of your right to access any personal data that the Agent holds about you and to request information about:
Your personal data held by Advent or its Agents;
Why the data is collected, held and processed;
The categories of personal data concerned;
The recipients to whom the personal data has/will be disclosed;
How long we intend to store your personal data for;
If we did not collect your personal data directly from you, the source of the data;
The right to have incomplete or inaccurate data about you corrected or completed and the process for requesting this;
The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use;
The right to lodge a complaint or seek judicial remedy and who to contact in such instances.
INFORMATION SECURITY & TECHNICAL AND ORGANISATIONAL MEASURES
Advent takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure and precaution to protect and secure the personal data that we control, or that is processed on our behalf. We work with our Agents to ensure that robust data security policies and procedures are in place to protect personal data from unauthorised access, alteration, disclosure or destruction. Our agents operate with several layers of security measures, including: SSL protocols, access controls, password policy, encryptions, pseudonymisation, schedule data back-ups, authentication.
Advent processes personal data through our Agents. Your contact with Advent Insurance PCC is primarily with one of these Agents. Each Agent has designated a contact person for Data Protection purposes, as follows:
|Autorama UK Limited t/a Vanarama Insurance Services
Customer Services Manager,
Email [email protected]
Phone: 0044 1442 838 195
|TUI Travel Belgium
Écrit au department juridique/Data Protection Officer,
Address: Gistelsesteenweg 1, 8400 Ostende, Belgium
E-mail: [email protected]
|Freedom Healthnet Limited
The Data Protection Officer
Freedom Health Insurance
County Gates House
300 Poole Road
Email: [email protected]
|Union Income Benefits Holdings Limited t/a Union Insurance Services
Data Protection Team,
Unit A, Piano Yard,
London NW5 1BF,
email: [email protected]
phone on: 0044 0343 178 1255
|Unlimitedcare – Servicos de Saude y Assistencia, S.A.
Data Controller Future Health Group, Address: Av. Marechal Craveiro Lopes, 6 - Campo Grande, 1700-284 Lisboa,
Mail: [email protected]
Telephone: 00 351-217 818 283
Fax: 00 351-213 519 032
|Vantage Insurance Services Limited (For Vueling Missed Flight Cover)
Website of the UK Agent: https://www.vantageinsurance.co.uk/
Website of the Airline: https://www.vueling.com/en/vueling-services/prepare-your-trip/choose-your-insurance/missed-flight-cover
Data Protection Officer:
Delegado de Protección de Datos,
Plaza Pla de l’Estany, 5, 08820,
El Prat de Llobregat,
|APR Prevoyance Assurances Chevalier
Customer Service Assurances
BP 51570-84916 Avignon Cedex 9, France
If you have any questions about our approach to GDPR, we suggest that you please contact in the first instant the [Data Protection Officer (DPO)/Appointed Person] of the Agent through which you place your insurance. If you wish to contact Advent Insurance PCC Limited directly please contact our Data Protection Officer, Anne Finn:
Email: Data Protection Officer/Director: [email protected]