Relyens Commitment Charter on the protection of personal data

Last updated: october 2024

Preamble

Purpose of the Charter

This Charter embodies the commitments made by the companies of the Relyens group to ensure the security and confidentiality of personal data processed in the course of their activities.

As a company with a mission, Relyens’ ambition is to build, alongside healthcare players and territories, a world of trust that is based in particular on the protection of data, whether it is that of a prospect, a customer, a partner, a patient or any other beneficiary of Relyens guarantees or services.

Regulations on the protection of personal data

In the course of their activities, the companies of the Relyens Group process personal data either as data controllers, as joint data controllers or as processors (within the meaning of Article 28 of the GDPR).
The Data Protection Officers (DPOs) appointed within the Relyens Group can be contacted through the channels indicated in the section “Exercising your rights at Relyens”.

The collection and processing of personal data carried out by the Relyens Group is in strict compliance with the regulations, and in particular with the European General Data Protection Regulation No. 2016/679 of 27 April 2016 (known as the “GDPR”) and specific national texts:

COUNTRY OF ESTABLISHMENT NATIONAL TEXTS SUPERVISORY AUTHORITIES
France Law No. 78-17 of 6 January 1978, as amended, relating to data processing, files and civil liberties Commission Nationale de l’Informatique et des Libertés (CNIL)

3, Place de Fontenoy

TSA 80715

75334 Paris Cedex 07

Italy Decreto Legislativo del 30 giugno 2003, n.196 e successive modifiche ed integrazioni Garante per la protezione dei dati personali (GPDP)

Piazza Venezia 11

00187 Roma

Spain Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales Agencia Española de Protección de Datos (AEPD)

C/ Jorge Juan, 6

28001-Madrid

Germany Bundesdatenschutzgesetz vom 30. Juni 2017 (BGBl. I S. 2097) Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen

Kavalleriestraße 2-4

40102 Düsseldorf

Belgium Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data Data Protection Authority (DPA)

Rue de la Presse, 35

1000 Brussels

Portugal Lei n° 58/2019 de 08 de Agosto de 2019 (lei da proteção de dados pessoais) Comissão Nacional de Proteção de Dados (CNPD)

Av. D. Carlos I, 134 – 1.°

1200-651 Lisboa

Presentation of the Relyens Group

Relyens, a European mutual risk management group, specialising in healthcare players and territories, is organised as follows (Click here to consult the organisation of the Relyens group in graphic version):

COUNTRY OF ESTABLISHMENT ENTITY NAME TYPE OF ACTIVITIES
France Relyens Mutual Insurance

18 rue E. Rochet – 69372 Lyon cedex 08

Insurance Company
Relyens Life Insurance

18 rue E. Rochet – 69372 Lyon cedex 08

Insurance Company
Relyens SPS

Route du Creton – 18110 Vasselay

Insurance intermediary (brokerage)
Relyens Courtage

18 rue E. Rochet – 69372 Lyon cedex 08

Insurance intermediary (brokerage)
Relyens Proactive Solutions

18 rue E. Rochet – 69372 Lyon cedex 08

Service company
QualNet

Route du Creton – 18110 Vasselay

Service company
Italy Relyens Mutual Insurance (branch)

Sede Seconaria: Via Carlo Imbonati, n.18 – 20159 Milano

Insurance Company
Relyens Proactive Solutions (Branch)

18 rue E. Rochet – 69372 Lyon cedex 08

Service company
Spain Relyens Mutual Insurance (branch)

Paseo de la Castellana 110 – 28046 Madrid

Insurance Company
Relyens Proactive Solutions (Branch)

Paseo de la Castellana 110 – 28046 Madrid

Service company
Germany Relyens Mutual Insurance (branch)

Königswall 22 – 44137 Dortmund

Insurance Company
Relyens Proactive Solutions (Branch)

18 rue E. Rochet – 69372 Lyon cedex 08

Service company
Belgium Relyens Mutual Insurance (under the freedom to provide services)

18 rue E. Rochet – 69372 Lyon cedex 08

Insurance Company
Portugal Relyens Mutual Insurance (under the freedom to provide services) Insurance Company

Glossary

Personal data

This is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by cross-referencing a number of pieces of information, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological or genetic identity of that natural person, psychological, economic, cultural or social.

“Sensitive» personal data

special categories of personal data are those that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, but also genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health and data concerning sex life or the sexual orientation of a natural person (Article 9 of the GDPR).
In France, the following are also assimilated to this category:

  • the N.I.R (Social Security Number) and the I. N.S (National Health Identifier)
  • data relating to criminal convictions or offences (Article 10 of the GDPR)
  • data containing assessments of people’s social difficulties.

Processing

Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, storage, alteration, retrieval, consultation, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Pseudonymization and anonymization

Pseudonymization is a technique that consists of replacing personal data with a pseudonym. For example, in a dataset, a person’s first and last name is replaced by an identifier: ‘Norbert Durand’ becomes ‘Client2983-AN’. To re-identify ‘Norbert Durand’ a posteriori, it is necessary to have a file containing the correspondence between his surname and first name and the associated identifier (pseudonym).

A dataset is considered anonymized if it is impossible to re-identify individuals by any means. Anonymization is irreversible, while pseudonymization is reversible, i.e. there is a possibility of re-identifying people by cross-referencing information or files.

In short, anonymization provides a higher level of protection than pseudonymization.

Data controller

this is the legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor

A processor is the legal person, public authority, agency or body that processes personal data on behalf of the controller.

Data subject

This is the identified or identifiable natural person to whom the personal data relates (e.g. healthcare professional who is a client of Relyens, beneficiary of Relyens guarantees, agent of the Relyens customer, etc.).

Data Protection Officer

Better known by its Anglo-Saxon acronym “DPO” (for Data Protection Officer), this is the person within Relyens responsible for ensuring compliance with the regulations on the protection of personal data. This is the person to contact for any question relating to the processing of personal data carried out by the Relyens Group and to exercise the rights provided for by the regulations (for more details, see the dedicated section of this Charter).

Collection and processing of personal data at Relyens

Purposes and legal bases of the processing carried out by the companies of the Relyens group in their capacity as data controllers

The personal data collected by the companies of the Relyens group meet specific objectives (purposes) that are systematically brought to the attention of the persons concerned.

In addition, in order to be lawful, any processing of personal data carried out must be based on a legal basis (also known as a “legal basis”).

For the companies of the Relyens group, this lawfulness is based on one of these four legal bases:

  • The execution of pre-contractual or contractual measures: Art. 6.1.b) GDPR;
  • The consent of the data subject: Art. 6.1.a) GDPR;
  • The legitimate interest pursued by the companies of the Relyens group: Art. 6.1.f) GDPR;
  • A legal or regulatory obligation: Art. 6.1.c) GDPR.

The main purposes pursued by the companies of the Relyens group are:

Purpose of the processing Legal basis Example(s)
Underwriting, management and execution of insurance contracts (including the implementation of pre-contractual measures) Execution of pre-contractual or contractual measures

(Art. 6.1.b GDPR)

Drawing up an estimate or an insurance contract (collective or individual), compensation for a medical accident or sick leave, etc.
Risk management services Execution of pre-contractual or contractual measures

(Art. 6.1.b GDPR)

Carrying out a psychological support support mission, an audit in an Emergency Department … …
Execution of the legal, regulatory and administrative provisions in force Compliance with a legal or regulatory obligation

(Art. 6.1.c GDPR)

Verification of a person’s identity in the context of the fight against money laundering and terrorist financing
Compilation of financial and trade statistics Legitimate interest pursued by the companies of the Relyens group

(Art. 6.1.f GDPR)

Establishment of a loss report over the last 3 years
Claims Management Execution of pre-contractual or contractual measures

(Art. 6.1.b GDPR)

Sending an acknowledgment of receipt to a customer who has filed a claim on their claim file
Fraud Prevention Legitimate interest pursued by the companies of the Relyens group

(Art. 6.1.f GDPR)

Exchange of information on a fraudulent claim with dedicated agencies (e.g.:A.L.F.A for France)
Publication of institutional content, carrying out commercial prospecting and marketing actions by electronic means Legitimate interest pursued by the companies of the Relyens group

(Art. 6.1.f GDPR)

Sending a B-to-B emailing to present a new risk management service launched by Relyens to a healthcare professional…
Keeping the general accounts and the sub-accounts that may be attached to it Compliance with a legal or regulatory obligation

(Art. 6.1.c GDPR)

Payment of an expense report, issuance of an insurance receipt
Sending newsletters, participating in Relyens digital events Consent of the data subject

(Art. 6.1.a GDPR)

Participation in a webinar on medical control
Conducting satisfaction surveys and polls Legitimate interest pursued by the companies of the Relyens group

(Art. 6.1.f GDPR)

Sending of a satisfaction questionnaire following a professional training on the follow-up of the patient file

In certain situations, companies of the Relyens group may act as subcontractors for their customers: this is the case for Relyens Proactive Solutions and QualNet.

Compliance of data processing by design and by default

The companies of the Relyens group integrate privacy protection from the design phase of their products and services, and throughout their life cycle, from the collection of personal data to its deletion or anonymization.

The Relyens Group is committed to applying by default to personal data a level of protection that meets the requirements of the applicable regulations in this area.

The Relyens Group applies the principle of data minimization to each processing, which is concretely reflected as follows:

  • Only personal data that is strictly necessary for the purposes of the processing concerned is collected and processed;
  • Personal data is not kept beyond the time required for these purposes (deletion or anonymization if necessary);
  • Personal data is only accessible to Relyens employees and authorized recipients;
  • Personal data is, as soon as possible, pseudonymised or even anonymised

In addition, prior to any new project involving the processing of personal data, the DPO of the Relyens company concerned is consulted in order to obtain his recommendations to ensure the security and confidentiality of the data.

Transparency and information on the processing carried out

No collection of personal data is carried out by the companies of the Relyens group without the data subjects being informed.
For example, in quotes, contracts, contact forms on the Web, information mentions specify (non-exhaustive list):

  • The identity of the Data Controller;
  • The purposes of the processing of personal data;
  • The legal basis (legal basis) legitimizing the processing;
  • The (categories of) recipients of the data;
  • The maximum data retention period.

Categories of Personal Data Collected

The categories of personal data collected by Relyens Group companies may vary depending on the purpose of the processing, the type of data subjects and the product or service concerned.

Depending on the case, this may include:

Type of data Categories of data Examples of data that may be processed
Non-sensitive data Identification data Name, address, photograph…
Personal data Hobbies, lifestyle habits…
Data relating to employment status CV, professional training, positions held…
Economic, financial, asset or tax information, payment data Salary slip, income tax notice, credit card number, etc.
Location data List of trips to calculate mileage allowances …
Login data IP address, date and time of connection to the Customer Area …
Data necessary for risk assessment, contract entry and management, claims compensation, performance of services Medical speciality practised, surface area of buildings, gendarmerie report, etc.
Sensitive Data (1) Social Security Number, National Health Identifier (INS) Registered social security insurance 1.69.05.78.524.259 / 42
Health-related data Patient file, medical certificate of sick leave, etc.
Data relating to criminal convictions or offences (2) Judgement of the Criminal Court following the assault of a town hall officer, conviction for driving under the influence of alcohol
Other sensitive data (religious or philosophical beliefs, sexual orientation and life, trade union membership, etc.) (3) Assessment of Sexual Injury in the Context of a Medical Accident

(1) See definition in the glossary.
Sensitive data is specific personal data that must be subject to specific protections and whose processing is strictly regulated by regulations.
The lawfulness of the processing of special categories of personal data, in particular health-related data, is based on one of the conditions of Article 9.2 of the GDPR.
For the Relyens group, the possible scenarios are as follows:
(a) the data subject has given his or her explicit consent to the processing of such personal data for one or more specific purposes, except where Union law or the law of the Member State provides that the prohibition referred to in paragraph 1 cannot be lifted by the data subject;
(b) the processing is necessary for the performance of the obligations and the exercise of the rights of the controller or the data subject in the field of employment, social security and social protection law, in so far as such processing is permitted by Union law, by the law of a Member State or by a collective agreement concluded under the law of a Member State which provides for appropriate safeguards for the fundamental rights and interests of the data subject;
f) data processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in the exercise of their judicial function;
h) data processing is necessary for the purposes of preventive or occupational medicine, the assessment of the worker’s capacity to work, medical diagnosis, health or social care, or the management of health care or social protection systems and services on the basis of Union law, the law of a Member State or under a contract concluded with a health professional and subject to the conditions and guarantees referred to in paragraph 3;
(2) Data relating to criminal convictions or offences are collected and processed mainly in the context of motor vehicle and legal protection contracts.(3) Sensitive data other than those relating to health and criminal convictions/offences are only collected and processed on an exceptional basis by the Relyens Group, and only when the situation justifies it.

When personal data is collected directly by the companies of the Relyens group, it is specified whether the information to be provided is mandatory (generally indicated by the presence of an asterisk at the level of the section) or optional.

If certain mandatory information is not provided, the companies of the Relyens group may find themselves unable to respond to a request, to draw up a price proposal, to manage/execute an insurance contract or to provide a service.

Categories of recipients to whom the data are communicated

With regard to and depending on the processing purposes pursued, personal data may be exchanged within the companies of the Relyens group to enable them to carry out their missions, in compliance with the principle of data minimisation (lowest possible volume of data, lowest possible number of recipients, etc.).

Data may also be communicated to other stakeholders involved in the processing of personal data.

The table below specifies, by major categories, the potential recipients of personal data of the companies of the Relyens group (non-exhaustive list):

Categories of recipients (variable depending on data processing) Example of a field of activity Example(s)
Employees of Relyens Group companies (intra-Group data exchanges) Insurance, risk management, services Transfer of contact details between Relyens Mutual Insurance and Relyens Proactive Solutions to respond to a request for a quote
Relyens’ subcontractors Delegation of management Manager of health and provident expenses on behalf of Relyens
Relyens’ service providers Counsel Lawyers, medical experts, automotive experts
Computer science Developers, software publishers, cybersecurity companies, data hosting providers
Formation Professional training in risk management
Audit Medical Control Expert, Medical Risk Auditor
Records Management Paper-based storage of contracts and claims in a dedicated warehouse
Relyens’ partners Insurance Co-insurers, reinsurers, insurance brokers
Assistance Company ensuring the repatriation of goods and people
Other Partnerships with learned societies, business partners
Professional Organizations Insurance Agencies for the fight against fraud, for the settlement of motor vehicle claims in the U.S. E
Social Organizations Social protection Social organizations, complementary health insurance companies
Third parties with a right of communication All areas Police Authorities, Courts, Insurance Supervisory Authority (e.g.: ACPR for France), Supervisory Authorities for the Protection of Personal Data (e.g.: CNIL for France), Professional Ombudsmen
Persons involved in – or interested in – the contract (other than service providers) All areas Ministerial officers, tutors, curators, beneficiaries of the guarantees of a Relyens contract, beneficiaries

Place of data processing

The companies of the Relyens group prefer the processing and storage of personal data in the European Union.

However, if a transfer of personal data outside the European Union is necessary to carry out certain specific processing, this transfer is only made with countries with an adequate level of protection. Otherwise, the transfer of personal data is subject to an appropriate technical and legal framework and after prior consultation with the DPO of the Relyens group.
In any case, this transfer will be carried out in compliance with the provisions of Chapter V of the GDPR entitled: “Transfers of personal data to third countries or international organisations”.

Depending on their role in the context of the processing, these external recipients will process the data either as autonomous data controllers or as subcontractors duly appointed by the companies of the Relyens group, in accordance with the legislation on the protection of personal data.

Duration of data retention

The companies of the Relyens group endeavour to set the appropriate retention periods for personal data with regard to the purpose of the processing concerned, while taking into account any applicable legal limitation periods.

When the data has reached its retention period according to the reference system defined by the Relyens group, the companies of the Relyens group delete or anonymize it (a process that excludes any possibility of re-identification of the data subject).

The following table indicates the maximum retention period for personal data used by the companies of the Relyens group as data controllers (non-exhaustive list):

Purposes of processing Duration of data retention
Commercial prospecting Commercial prospecting: 3 years from the last contact with the prospect
Pre-contractual measures Quotation (or offer) not followed up or refused: 5 years from the effective date of the quotation/offer
Underwriting and management of insurance contracts The entire duration of the contract, including any subsequent warranty period, plus the applicable statutory limitation periods (*)
Claims Management Until the closing of the claims, plus the duration of the applicable legal statutes of limitations (*)
Fight against fraud In the event of a relevant alert, the data is kept for a maximum period of 5 years from the closure of the fraud file.
AML/CFT Controls 5 years from the completion of the inspection

(*) For practical reasons, due to the multitude of products and services historically marketed by the companies of the Relyens group, it is not possible within the framework of this Charter to exhaustively reproduce the different applicable retention periods, which vary in particular according to the insurance product, the guarantees taken out and whether or not claims have occurred on the contract.
To find out the retention period applicable to a particular data processing, contact the DPO of the Relyens company concerned.

Data security at Relyens

Relyens’ Information System (IS) is at the heart of the system for delivering services to its customers. This Information System is built to guarantee an efficient and adapted quality of service.

Relyens has a team of more than 100 professionals and IS experts who work on a daily basis to manage and continuously develop this Information System.

The Information System is built on robust and secure technical infrastructures, with the use of modern and innovative technologies. These infrastructures are based on equipment that is constantly renewed.

The entire infrastructure is hosted in two cross-border data centers, located in two geographically distant locations. Based on this redundant infrastructure, the Business Continuity Plan is designed and tested annually to ensure the continuity of services in the event of a major disaster or cyber attack.

Both the business management applications and the customer areas are developed and maintained in-house and are based on standard and market-leading technologies.

A chain of dematerialization of all incoming mail allows Relyens to build efficient management processes.

The security of access to information is based on a proven and recognized authentication and access control solution as well as on traceability of the actions carried out.

The IS Security Manager manages an IS Security Management System (ISMS) within Relyens. This ISMS is based on a security policy describing the organization and the security principles followed. Continuous monitoring is carried out through internal or external audits and allows for regular adjustment of security measures.
The changes are aimed at a continuous improvement of the ISMS and an adjustment of the measures in view of the evolution of IS risks.

A process of certification of the ISMS with regard to the ISO 27001 standard is underway.

A more detailed document on the protections implemented by the Group is available to customers and prospects upon request.

Exercising your rights over personal data at Relyens

GDPR rights

In accordance with applicable regulations, individuals have the following rights over their personal data:

Type of rights Purpose of the right
Right of access Obtain information relating to the processing of personal data, and obtain a copy of the same
Right to rectification Have inaccurate or incomplete personal data amended
Right to erasure Request the deletion of personal data, to the extent permitted by the regulations
Right to Limitation Request the restriction of the processing carried out on personal data
Right to object Object to the processing of personal data, for reasons relating to the particular situation of the data subject.

This right also makes it possible to object, unconditionally, to the processing of personal data for the purposes of commercial prospecting, including profiling insofar as it is related to such prospecting

Right to portability Recover, in certain cases, the personal data provided, or where technically feasible, request their transfer to another data controller
Withdrawal of consent Withdraw consent at any time (for processing of personal data based on the individual’s consent).

The data subject may withdraw his/her consent at any time, without this affecting the lawfulness of the processing carried out prior to such withdrawal

Post-mortem rights Define guidelines for the retention, deletion and communication of personal data after death

Exercising your rights at Relyens

Persons wishing to exercise any of the rights listed above may contact the Data Protection Officer (DPO) of Relyens, whose contact details are indicated below:

Relyens Entity Contact address of the DPO DPO contact email (*)
Relyens M.I France 18 rue E. Rochet – 69372 Lyon cedex 08 privacy.santesocial
Relyens Courtage 18 rue E. Rochet – 69372 Lyon cedex 08 privacy.santesocial
Relyens SPS Route du Creton – 18110 Vasselay privacy.sps
RPS France 18 rue E. Rochet – 69372 Lyon cedex 08 privacy.rps
QualNet Route du Creton – 18110 Vasselay privacy.qualnet
Relyens M.I Italy Sede Seconaria: Via Carlo Imbonati, n.18 – 20159 Milano privacy.it
Relyens M.I Spain Paseo de la Castellana 110 – 28046 Madrid privacy.es
Relyens M.I Germany Königswall 22 – 44137 Dortmund privacy.de
Relyens M.I Belgium 18 rue E. Rochet – 69372 Lyon cedex 08 (France) privacy.be
Relyens M.I Portugal Paseo de la Castellana 110 – 28046 Madrid (Spain) privacy.pt
RPS Italy 18 rue E. Rochet – 69372 Lyon cedex 08

(France)

privacy.rps
RPS Spain 18 rue E. Rochet – 69372 Lyon cedex 08

(France)

privacy.rps
RPS Germany 18 rue E. Rochet – 69372 Lyon cedex 08

(France)

privacy.rps

(*) Add @relyens.eu to the address indicated in this section to reconstitute the contact email address of the DPO (anti-spam measure)

IMPORTANT : These e-mail addresses are dedicated solely to the management of requests relating to the processing of personal data carried out by the companies of the Relyens group.
Please do not use them for any other purpose (e.g. contacting a claims manager, sending a CV, etc.) as the request will not be processed.

When the situation justifies it, the Data Protection Officer (DPO) may ask the person exercising his or her rights to provide a supporting document (national identity card, etc.) to verify his or her identity.

If the response provided by the Relyens Group does not satisfy him/her, the data subject has the possibility of lodging a complaint with the competent supervisory authority (refer to the section “Personal data protection regulations” in the preamble to this Charter for contact details).