
ADD NV Privacy Statement

The new version of the Data Protection Statement comes into effect on 11 July 2019

Part 1: To safeguard your privacy, we must work together

Protection of your data is very important to us. Our aim is to process personal data in a manner that is lawful, fair and transparent. In this Privacy Statement, we explain which of your personal details we collect from you as a natural person and then process.

In the following, the data referred to are yours as policyholder, prospective policyholder, insured person, payee or other data subject, such as a contact person of a company, agent holding power of attorney, aggrieved party, victim, counterparty, witness, expert, insurance intermediary, etc. Regardless of the capacity you act in, your rights remain unchanged and ADD will treat your data with equal care.

1.1 Make sure you read all of this information and look at what action is open to you.

We recommend that you read this information carefully, so that you know the purposes for which ADD uses your data. This data protection statement also contains more information about your privacy rights and how you can exercise them.

ADD may make changes to this data protection statement. The most recent version is always available at https://www.add.be/privacy. ADD will inform you of all substantive changes to the terms via its website, ADD Connect or other communication channels.

You will also find more information about the Belgian data protection legislation on the website of the Belgian Data Protection Authority (previously called the Privacy Commission) at https://www.dataprotectionauthority.be/.

1.2 ADD takes great care when dealing with your personal data.

ADD NV is an insurance broker recognised in Belgium (under the control of the FSMA) and is registered for all European countries in order to be able to offer insurance services on the basis of Freedom of Service (FoS) for customers in the European Union. ADD's registered office is located at Industrieweg 1, 3001 Heverlee.

ADD NV also operates abroad via the Worldwide Broker Network (https://wbnglobal.com).

ADD is a part of the KBC group (hereinafter referred to as 'KBC').

ADD insures business customers and private individuals. That means that ADD acts as an intermediary between you as customer and an insurance company when taking out insurance policies, and in fulfilling its role as mediator during the policy term. You will find more information about what ADD does on its website at https://www.add.be/en.

ADD is data controller of personal data in the context contemplated in this data protection statement.

1.3 Contact ADD if you have any questions about the processing of your data.

If you have questions about data protection or if you wish to exercise your rights, you can contact ADD by one of the following means:

  • Call or e-mail your permanent contact.
  • Complete a contact form on the website at https://www.add.be/en (under the ‘Contact’ tab).
  • Contact the welcome desk at one of our regional head offices (in Heverlee or Merelbeke; https://www.add.be/en).
  • Pop into one of our regional head offices (in Heverlee or Merelbeke; find us via https://www.add.be/en).


Part 2: Your right to privacy.

You have a lot of rights when it comes to processing your data. When ADD asks you for consent to process your data, you can subsequently withdraw that consent again any time you wish.

2.1 You can inspect your data.

If you would like to access data concerning you that is processed by ADD, let us know. Corporate customers see certain details themselves without a request, such as via ADD Connect.

If you exercise your right of access, ADD will give you as complete a list as possible of your data. It can happen that some personal data from the usual back-up files, logs and stored records is not included in that list. Nonetheless, it does get removed from such files in the course of subsequent routine cleaning-up processes.

Nor is health data within scope of the data processed on an ongoing basis and it is not therefore immediately available. You can specially request it from your insurer's Consulting Physician.

2.2 You can have your data rectified

It can happen that certain information held on you by ADD is not (or is no longer) correct. You can ask for the data to be corrected or completed at any time.

2.3 You can have your data erased

You can ask ADD to erase your personal data.

If ADD no longer has an overriding ground for processing your personal data, ADD will erase it. Statutory duties can preclude erasure.

2.4 You can object to your data being used for certain purposes

If you disagree with how ADD invokes its legitimate interests to process certain data (see 3.4), you can object. We shall heed objections unless there are compelling reasons not to do so, such as when we process data with a view to combating fraud.

2.5 You can ask for your data to be transferred to a third party

You are entitled to ask for personal data that you have provided ADD with yourself to be transferred back to yourself or directly to a third party. The data protection legislation does provide for a number of restrictions on exercise of this right, so that it is not applicable to all data.

2.6 You can ask for processing of your data to be restricted

In some cases, you may ask ADD to restrict processing of your personal data. Exercise of this right is conditional. You can exercise your right to the restricted processing:

  • during the period needed by ADD to verify the accuracy of your personal data if you challenge the accuracy of personal data concerning you that ADD processes;
  • where processing is unlawful but you do not want the personal data erased;
  • when ADD no longer has a purpose for processing the personal data but still needs it in connection with a legal claim;
  • pending ADD's reply to whether ADD's justifiable grounds weigh more importantly than yours.

2.7 You may exercise your rights.

Always be as specific as possible when you wish to exercise your rights, so that ADD can handle your request appropriately. ADD will need to be able to verify your identity to avoid someone else exercising your rights. We may therefore ask you to provide ID when such a request is made. Do you have a question or a comment? If so, please get in touch with your permanent contact, surf to the 'Contact' tab on the website at www.add.be, or e-mail privacy@add.be. This is your primary point of contact in relation to privacy matters.

If you have a complaint about the exercise of your rights, ADD Complaints Management will be happy to look into it.

  • ADD Complaints Management, Industrieweg 1, 3001 Heverlee
  • via ADD's digital channels, including its website at https://www.add.be/en – Contact – Contactformulier

If you cannot obtain adequate resolution of the matter by the above routes, you can contact the ‘Data Protection Officer’ at ADD by writing to ADD NV, F.a.o. the Data Protection Officer, Industrieweg 1, 3001 Heverlee.

If you would like more information or if you do not agree with the standpoint adopted by ADD, be sure to visit the website of the Belgian Data Protection Authority at https://www.dataprotectionauthority.be/. You can also lodge complaints there.


Part 3: ADD has many reasons for processing your personal data.

3.1 ADD has to comply with certain legal requirements.

The main legal grounds for ADD having to process certain information about you are summed up here.

  • The legislation on insurance distribution obliges insurance brokers to analyse the wants and needs of prospective policyholders in the lead-up to taking out a policy. It is sometimes necessary to categorise customers in the course of doing so. Natural persons are automatically classified as non-business customers though they may be regarded as being in the business category in certain circumstances. Where insurance brokers give advice on savings-type and investment-type insurance, then, depending on customer type, they have to gather information about the customer’s knowledge and experience, financial capacity, investment objectives and attitude to risk/return in relation to the products offered.
  • Insurance brokers must deploy all possible means to prevent and uncover money laundering and report it to the authorities, and so ADD has to take appropriate steps in this regard as well. For example, they have to gather data on customers and groups of customers or issue risk alerts.

Specifically, for certain life insurance policies, ADD has to:

  • identify you as a customer, representative or ultimate beneficial owner;
  • verify your identity;
  • determine your profile (in relation to the risk of money laundering), which involves collating various personal and business details, such as whether you're a politically exposed person;
  • check your actions and transactions and prevent certain transactions and report them to the Financial Intelligence Processing Unit.

In doing so, ADD uses details given to it by you plus data that can come from other channels (like Thomson Reuters's World-Check, Graydon, Dun & Bradstreet, Trends, Company Web and Internet search engines).

  • For example, ADD has to be in possession of a recent copy of your identity card. This is why ADD requests a copy of identity cards when insurance is contracted that falls under the money-laundering rules.
  • In the context of the fight against terrorism and the sanctions rules, insurance brokers are required to screen customer details against sanctions lists. Transactions are also monitored. In some cases, underlying documents are requested and payments may be held back. Here, too, ADD uses outside sources such as Thomson Reuters's World-Check.
  • Insurance brokers are required to prevent, uncover and report improper use of inside knowledge or market manipulation and to notify suspect dealings to the authorities (see inter alia Articles 16 and 17 of the Market Abuse Regulation of 16 April 2014).
  • ADD can use personal data for the purposes of checks, investigations and opinions in areas subject to compliance considerations (like prevention of money-laundering and fraud, investor and consumer protection, and data protection).
  • Insurance brokers are also under duties to report to the authorities such as with transaction reports of investigations into market forces and possible market abuse. Insurance brokers that take responsibility themselves for collecting insurance premiums from their customers have to take care of processing such transactions in books of account.
  • Insurance brokers are responsible for appropriately controlling risk (including at group level). They are required to detect, prevent, mitigate and address risks. These include information management and statutory compliance risks, the risk of staff, customer and/or supplier fraud, and the risk of unethical behaviour by staff or breaches by them of their duties of care. This risk management has to be ensured at both central level (gathering data on customers and groups of customers) and local level (e.g. by disseminating risk alerts).
  • Insurance brokers also have to respond appropriately when you exercise your rights under the data protection legislation: they are also required to answer questions from the Data Protection Authority, e.g. where a complaint is made.
  • Insurance brokers must submit reports to, and be able to answer questions from, the regulators of financial institutions, such as the Financial Services and Markets Authority (FSMA) (www.fsma.be) and the National Bank of Belgium (www.nbb.be) in the context of the supervisory legislation.
  • Insurance brokers have to respond to queries from the tax authorities or may need to voluntarily exchange information for the purposes of tax law (the Income Tax Code, the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS)).
  • Insurance brokers are also obliged to respond to enquiries from the judicial authorities (police, prosecutors and the bench, investigating judges and courts). These concern questions in the context of police legislation and (criminal) judicial procedure (including the Judicial Code and the Criminal Procedure Code).

3.2 ADD has to be able to judge whether it is feasible to contract an agreement or service

Before ADD contracts, it may be necessary for certain information to be processed in order to deal with the application and assess properly whether the agreement can be contracted and, if so, under what terms and conditions.

Thus, ADD needs to collect details on you so as to:

  • gain a proper view of the insurance needs (in a meeting, a completed insurance application, etc.);
  • assess which product from which insurance company could provide appropriate cover for your risk;
  • pass the right information to an insurance company or to insurance companies;
  • be able to contact you with a tailored proposal.
  • ...

This applies for both non-life insurance (like car insurance, property insurance for your business) and life insurance (like group insurance or loan balance insurance). In the latter case, it can happen that certain health details will be processed. This may be so where, in correspondence further to your request to take out insurance or open a claim file, you have already included medical info. Your medical details are processed in accordance with Article 4.3 (Medical data), which sets out the health policy of ADD.

3.3 ADD must be able to perform a contract correctly.

  • As a customer of ADD, you use a number of services, which ADD, as an insurance broker, has to process for administrative and accounting purposes.
  • There have to be means of contacting ADD.
  • ADD has to give data to the insurance company in order to fulfil its role as an intermediary between customer and insurer.

The purposes for which an insurance intermediary processes data include:

  • keeping information received from customers in an electronic file for further monitoring purposes

  • forwarding information received on to the insurance company (e.g., to prepare a policy, open a claim file or settle a claim)

  • discussing an insurance file with the insurer

  • collecting and recovering premiums that fall due

  • drawing up health and safety statistics for specific risks

  • providing an overview of a customer's insurance

  • etc.

To do so, ADD sometimes needs to submit certain personal details to internal or external specialists for an assessment of bodily injuries or losses to which value can be attributed, as also to relevant third parties (such as co-insurers and re-insurance companies, lawyers, lease companies, repairers or relevant government agencies such as the Industrial Accidents Fund).

ADD also exchanges necessary information with WBN partners if you want to insure risks abroad for your company using ADD and the Worldwide Broker Network.

3.4 ADD has to be able to function as a business.

This is known as its ‘legitimate interests’.

In addition to the purposes set out above, ADD, as a commercial business, also has a number of legitimate interests that form the basis for processing personal data. In that regard, ADD ensures only a minimum let-up in the protection that is afforded to your data and, in all events, that ADD’s legitimate interests remain proportionate in consideration of the extent to which your data's protection is impinged upon by engaging in such processing. Nonetheless, if you harbour an objection to this use being made of your data, you may exercise your right to object. ADD will respect your objections unless ADD has compelling reasons for not doing so. And so it is that ADD processes personal data in various situations:

  • ADD may utilise your personal data for the administration, (risk) management and oversight of the KBC group's organisation, such as the legal department (including dispute management and legal risks), risk management (such as insurance risk vis-à-vis customers and groups of customers worldwide), risk functions and inspections, complaints management and internal and external audit.
  • ADD may also utilise personal data for determining, exercising, defending and preserving the rights of ADD or persons whom it might represent (e.g., in disputes).
  • Data processing may be done to ensure that persons and goods are safe, de facto secure and under visual guard.
  • Whilst applications are being developed, tests need to be carried out using personal data, including the final acceptance test before an app is put into production.
  • ADD may process personal data in the course of investigating issues in applications.
  • ADD may use personal data to support and simplify the acquisition, use and cancellation of products and services by customers, including avoiding your having to resubmit information you've previously provided and having to again go through a full identification process if you want to become a customer of another KBC group entity. ADD can then pass your identity details to other companies in the KBC group in order to speed up their identification processes, and also text you relative to services you've requested from us, for instance in order to make them easier for you to use.
  • To be able to respond effectively to other customers or prospects (such as when making up simulations or tenders) and where ADD makes unsolicited offers in bespoke form, it can be that, in the form of carefully shielded underlying processes, it may look at your customer profiles. There is naturally no question of your personal data being divulged to anyone in this context.
  • ADD sends you certain offers and advertising. Sometimes we do this on the basis of legitimate interest. For more information on the use of personal data for direct marketing purposes, see 3.6.
  • Personal data may also be used in evaluating, simplifying, testing or improving its processes, digital apps and standard-form documentation and to optimise promotional campaigns, simulation exercises and online sales, like using information from cookies (such as preference settings and browsing behaviour on our website) to follow up on a simulation left uncompleted, statistics, a satisfaction survey or market research.
  • Personal data may be used as evidence.

3.5 ADD will request your consent to process your personal data in certain cases

For consenting to direct marketing, further details are given in 3.6.

If ADD requests consent to process personal data, it will be in the context of the following situations:

  • When processing your health data;
  • When processing data of minors;
  • When processing data of cookies on www.add.be.

More information: https://www.add.be/nl/cookies.

3.6 ADD uses your personal data for direct marketing

ADD wants to be able to make proposals to you as a representative of your business concerning an extensive range of insurance policies and services. It may do so in response to explicit requests or where ADD has an idea that you might be interested in or could benefit from a given product or service.

To make such proposals, ADD uses a basic set of personal data pertinent to you as contact, representative or relevant person at the business, including:

  • who you are,
  • your job,
  • your contact details,
  • the products you have and those you have no interest in.

The sole aim is ultimately to be able to contact you with insurance information we can assume is of interest to your business.

If, in certain situations or for certain projects, ADD wishes to use additional personal data, we will ask for your consent.

These proposals can be received by you in all sorts of ways: via the Internet and via apps, by e-mail, by post, by phone and at events. In addition, ADD likes to keep up with the constantly evolving range of new technologies. ADD is at pains to ensure that information is provided in a way that's clear and will choose the most appropriate channel to inconvenience you as little as possible.

ADD imposes a number of restrictions on itself:

  • ADD takes care in handling your personal data as a prospect. E.g., marketing material is only e-mailed to you with your consent.
  • ADD does not use spyware.

If you as a natural person do not want to receive any publicity whatsoever, you should exercise your right to object to direct marketing.

When ADD offers you something, you're under no obligation to take it but it wouldn't do so if it weren't certain that it would truly be of service to you.

3.7 What if you don't want to receive any direct marketing at all from ADD?

Perhaps you've no desire at all to receive direct marketing from ADD. ADD respects that. An ordinary request is enough to exercise your right to object to direct marketing.

Simply e-mail privacy@add.be or drop by your ADD branch.

3.8 ADD will not sell your personal data

ADD does not sell or hire your personal data to third parties for their own use.

3.9 ADD also shares information with other KBC entities.

In its function as an insurance broker and service provider, ADD also exchanges information with other KBC entities (e.g., KBC Insurance and KBC Autolease).


Part 4: ADD uses different types of data depending on the intended purpose.

ADD processes your personal data for a variety of purposes. The different types of data that exist are set out below.

4.1 Information that is used to identify you, to contact you and to offer you the right advice

What data ADD uses for which purpose is also explained below.

Data used to IDENTIFY you

Name, sex, date of birth, nationality, address, identity card, customer number, national registration number, vehicle registration number, driving licence, your position within a company (as a contact within an ADD business customer).

Data used to CONTACT you (securely)

This information includes your telephone number, e-mail address, language and your user name in social media. However, it also covers technical details such as identifiers for the devices you use (such as your MAC address, IP addresses or unique identifiers for your devices).

To give you proper ADVICE and SERVICE

The information stored by ADD includes:

  • the products you have acquired and that you use (non-life and life insurance);
  • your potential interest in insurance products and previous advice from us to you in this regard;
  • your customer profile: based on the insurance you have taken out via ADD, ADD may analyse and detect your needs and advise you in this regard;
  • your family situation (mutual relations, family composition, civil status, etc.);
  • your occupational experience;
  • your salary (if of relevance to the policies to be contracted);
  • your activity (education, profession, representative of companies);
  • your key moments (the key phases in your life in the past/present/future, like marriage, building a family, death of a family member);
  • your feedback (your remarks, your past suggestions and complaints, …), so that they can help ADD in serving you better in the future;
  • your health data, but only if you mention them in your general correspondence that we must keep for the purpose of our customer file (see also point 4.3);
  • the information that you provide to us (such as in insurance applications, by e-mail, in letters, etc.) to be able to initiate and manage insurance files;
  • the information provided to us by an insurance company within the context of our role as insurance broker (such as insurance policies, notes of charges or claims settlements);
  • the information that we receive from brokers in the WBN;
  • the information received by us from third parties in connection with your insurance file (such as loss assessors, lawyers or lease companies).


4.2 Information in the public domain and information obtained through third parties

ADD sometimes processes public data.

  • It could be information that's subject to a reporting duty (such as public notice of your appointment as a company director).
  • Data you yourself place in the public domain such as information on your website, your blog or via your publicly accessible social media profile, or information about you that ADD obtains from third parties (e.g., members of your immediate family).
  • Or data that is in the public domain, say, because it is common knowledge in your area or because it has appeared in the press. Information from sources such as the companies register and Graydon also falls into this category.

ADD may also receive personal data via third parties, for example by buying it from companies such as Trends or Company Web, which are responsible for making sure that information is gathered using lawful means.

Public data and data obtained via third parties may be relevant and may be used for the purposes set out by ADD in this privacy statement; it may be used to verify the accuracy of the information held by us and it may serve to support direct or indirect marketing campaigns.

4.3 Medical details

Health details are personal data relating to the state of your physical or mental health and include details of health services you've received that provide you with information as to what your state of health is.

ADD processes some of your medical data. In principle, ADD only processes your medical data if it has a bearing on its role as insurance broker (i.e. to transfer the medical questionnaires or health data you send to ADD concerning claims management to the company doctor or the claims department of the insurance company).

ADD processes medical data with particular care.

  • For instance, if you have to complete a medical questionnaire before taking out hospitalisation insurance or life insurance, we ask you to send the completed form directly to the insurance company's doctor.
  • For the most part, ADD only processes medical data so as to pass it to the insurance company. These documents that you send to us are not therefore retained by us.
  • However, if you mention medical details in your general communications with us (by e-mail or letter, for instance), such communication will be retained in our records.
  • Thus, when it's necessary, the processing is done under the supervision of a professional healthcare practitioner (typically a doctor or physiotherapist). Medical data is given a special classification of its own and, as a rule, is separately filed to alert staff to its sensitive nature. ADD staff are furthermore bound under a strict duty of confidentiality and are given special training in this regard.
  • ADD also provides insurance companies with medical data provided to us by you (like hospital bills or certificates of temporary work disability) so as to substantiate your claim and so that you are paid.
  • Where medical data is passed to a third party (like an insurance company), this is done with appropriate care to ensure that the info is sent to the right person.

ADD only requests your consent to be able to retain medical data.

If you consent to the processing of your health data, you authorise us to process your data in relation to all your insurance policies now and in the future, and for all claims and claim events in which you are involved. Your consent will remain valid until you revoke it. You are entitled to do so at any time. However, please bear in mind that this revocation may have implications for the further performance of your current insurance contracts or claims.

4.4 ADD retains data from offers, insurance applications, etc.

When you fill in an ADD form, ADD naturally processes the data needed to administer the relevant matter at hand.

  • It can be an insurance application or some other app that ADD provides that you complete in order to receive an offer of an insurance policy. When this is done, your details may be stored. A number of details no longer have to be retrieved. You will nevertheless sometimes be asked to check that the information is complete and up to date.
  • Some details will be pre-populated on the form if they are available; you will still be able to revise them.

4.5 What you tell ADD staff members may be processed.

If you contact an ADD staff member at one of our offices, by telephone or via chat, etc., this is generally registered:

  • in order to constitute a record of what contacts there are between us and our customers;
  • so that there is a (short) record of what was said during that contact;
  • to remind our employee what still needs to be done.

Even if you are not a customer, ADD will store such information as you disclose. That information can be used if you become a customer subsequently.

By adopting this approach, ADD seeks to avoid your having to constantly provide information or answer questions a second time. It also allows us to improve the continuity of our service to you.

4.6 Written ADD correspondence is carefully monitored.

If you use e-mail to contact ADD or if you have digital communication channels that ADD uses (e.g., the website at https://www.add.be/en or ADD Connect), ADD can use them to intimate to you its statutory and official communications.

Correspondence with staff members in their capacity as ADD employees (sent to an office address, an office fax or a job-linked or personal ADD e-mail address, etc.) is deemed to be business-related and may therefore be examined in the context of:

  • their duties;
  • the production of evidence;
  • workplace checks;
  • security;
  • the fight against fraud;
  • optimisation and/or continuity of service to help ADD staff to correspond with you quickly and efficiently.

4.7 Recording telephone, video and chat conversations?

ADD does not record telephone conversations. Your voicemail messages are, by contrast, recorded and listened to on mobile phones.

If you wish, you can also chat with ADD. If they are of relevance for execution of your policy, such conversations are stored in our applications.

4.8 More than just your own personal details may be involved.

If you have a company or children, for example, you agree that ADD can also keep a record of those relationships and process the details of any associated persons. We may also process personal details of parties we have no direct relations with but who are involved in a relationship with us, like being the beneficiary under a life insurance policy or as a usual driver under a car insurance policy, or as a witness to an accident. And, if you provide information about your family members or related persons, we ask you to inform them of that fact (e.g., of a change of address that you've forwarded to us). If necessary in order to provide services as befits, we may also pass certain information on you and your insurance policies to members of your family or related parties, to avoid over-insurance for instance.

This has the following implications for legal persons.

  • You agree that you're amenable to ADD's processing data relevant to the relationship with associated legal or natural persons as well as the details of those entities (e.g., parent company, subsidiaries, representatives, ultimate beneficial owners).
  • In addition to the personal details of contact people, ADD also naturally stores details of your business.
  • The data that we can share on legal entities cover all aspects of the customer relationship: products held, a (historical) summary of transactions and contacts, (where applicable) the corporate group the customer belongs to and details of designated contacts.
  • Please note that legal entities may only provide us with personal details of natural persons associated with them if those persons are sufficiently informed of this and, where necessary, have given their consent.
  • The legal entity accordingly indemnifies ADD in respect of all liability in this regard (vis-à-vis those concerned). For example, the company is responsible for complying with the data protection legislation when it submits lists of users for online applications or of beneficiaries of employee profit-sharing bonus programmes.
  • ADD uses the contact details of representatives of legal entities to make appointments with the legal person via the representative, to issue it with a commercial proposition and for relationship management purposes.


Part 5: Security and confidentiality

5.1 Not everyone can inspect your data at ADD

ADD takes the necessary steps to secure your data.

ADD is organised in a way that, when certain staff are absent, other staff can continue to work on files. Moreover, staff that administer an insurance policy have to be able to see the terms of the offer that was issued. And claims managers involved in settling insurance claims have to be able to see the policy conditions, and so on.

Therefore only the confidential and sensitive information is stored in a partitioned-off compartment of your file. This information can only be accessed by the group of staff that process it.

Only those with appropriate authorisation can access personal data, and then only if it is relevant to the performance of their duties. Within ADD, your personal data is in principle only processed and consulted by certain departments that:

  • you have a contractual relationship or contact with, or had one in the past or would like one in the future;
  • need to be involved in the provision or aftercare of services;
  • fulfil legal requirements (at group level) or requirements imposed by regulators or stemming from corporate governance principles;
  • are tasked with preventing fraud, including money laundering, by employees and customers.

For example:

  • In a ‘total loss’ motor vehicle accident under a fleet file, the claims manager informs the contract manager that the vehicle can be removed from the insurance policy.
  • In relation to prevention of terrorism, we notify our compliance operatives.

Persons who are authorised to consult your data are moreover bound by a strict professional duty of confidentiality and must abide by all technical instructions to ensure the confidentiality of your personal data and the security of the systems in which the data is held.

5.2 Locations where data is processed are limited.

ADD uses the services of several processors to process personal data. These are companies that process data on the instructions of ADD.

5.2.1 Processors within KBC Group

The following control issues are outsourced to KBC group functions:

  • financial reporting
  • the compliance function
  • the internal audit function
  • the inspection

5.2.2 Processors characteristic of the insurance sector

ADD uses specialist third parties in Belgium and abroad to perform some processing operations. Such parties include:

  • insurance companies for drawing up offers, insurance contracts and administering and settling claims files;
  • insurance brokers that operate worldwide (via the WBN (www.wbnglobal.com) or https://live.origamirisk.com) for the purposes of insuring international risks;
  • KBC's exclusive insurance agents, insofar as they call on ADD to find an insurance solution for their customers and to manage the insurance policies concerned;
  • the management platform for accruing supplementary pension rights (‘E-gor’: www.harukey.be) with information for cooperation between insurance companies, insurance brokers, accountants and you as customer;
  • lawyers and other consultants;
  • loss assessors;
  • repairers (such as car repairers, glass breakage repairers)
  • insurers or companies appointed by them who perform the audit on the proper functioning of ADD
  • Veridass

5.2.3 Other processors

ADD may also make direct or indirect use of other processors, such as:

  • consultants;
  • ICT (security) service providers like Microsoft, Telenet, Fortinet, etc.;
  • marketing and communication agencies and similar companies, whereby ADD uses personal profile information on you that is held by them to be able to make targeted proposals to you via their channels (e.g., Google, Facebook, etc.);
  • companies specialising in digital information archiving and access;
  • companies specialising in prevention;
  • translators and translation agencies

5.2.4 Processors outside the EU

When ADD uses the services of processors, data may end up in countries where those processors’ data centres are located.

Legislation in countries outside the EEA (like Israel, the United States of America and India) doesn't always afford the same level of data protection as in EEA member states. Where a non-EEA country is viewed by the European Commission as not offering an adequate level of protection, ADD can cover the deficiency by, say, contracting with those processors according to a model approved by the European Commission.

5.3 Processing by other data controllers

As data controller, ADD may, in addition to using other processors, use other service providers or third parties, such as lawyers, who themselves are data controllers.

5.4 ADD takes specific measures to protect your data.

ADD ensures that strict rules are followed and that the processors concerned:

  • only have the data they need in order to perform their tasks;
  • give ADD a commitment that they will process the data securely and confidentially and only use it for carrying out the instructions issued to them.

ADD declines liability if a local processor is able (according to law) to pass customers' personal data to local authorities.

ADD takes internal technical and organisational measures to prevent personal data finding its way into the hands of, or being processed by, unauthorised parties or being accidentally altered or deleted.

Strict security measures are in place to protect premises, servers, the network, data transfers and the data itself.

To make online access to insurance as secure as possible, security experts at ADD continuously analyse cyber-criminal activity so that they can hone the relevant security measures accordingly. ADD has the support of security experts at KBC Group (see also www.kbc.be/secure4u) as well as of outside cyber experts to ensure it has the best possible security in place.

Together with you, we need to be aware that information shared by e-mail can sometimes be intercepted and, where possible, we must aim to use a different means of communication or to limit the amount of information sent.

ADD websites and apps may contain links to websites or information of third parties. ADD does not check such websites or information. Parties offering these websites or this information may have their own privacy policies in place, which we advise you to read. ADD is not responsible for the content of those websites, their use or their privacy policy.

5.5 ADD does not keep your data for ever

ADD uses your personal data where it has a clear aim in mind. Once that aim no longer exists, ADD deletes the data. As insurance broker, ADD has to show that we have provided you with sufficient information.

ADD keeps the details in your file for seven years after termination of the insurance contract.

For business customers, personal data are kept for seven years after termination of the last contract.

The details that you provide to ADD so that it can produce an offer will, when the policy is taken out, form part of the file that we maintain in order to defend your interests in relation to that insurance. If the policy never comes into being, we keep the details that you provide us with when requesting an offer for a further five years after your initial request. That way, if you change your mind and decide to take out the insurance policy after all, we can help you further without you having to give us the same information or answer the same questions again. If the result of the offer led to an insurance policy being drawn up, this info is kept up to seven years after termination of the insurance policy.

ADD keeps such data to be able to defend your rights vis-à-vis the insurance company.

Personal data on potential customer prospects is used by ADD for five years, unless there was contact with the prospect in the meantime. In that case, a new five-year period starts. Prospects can always ask for their personal data to be removed.

5.6 ADD thinks before it answers queries from outside parties

5.6.1 It adheres to its confidentiality obligation.

ADD obeys its confidentiality duties and the data protection legislation and will only answer third-party queries if (i) they arise pursuant to a legal requirement or a legitimate interest; (ii) doing so is a prerequisite for performing the relevant contract; or (iii) the data subject has given permission for us to do so. In the last case, ADD actually advises requesting the information directly from the data subject.

ADD declines liability if, under applicable (foreign) legal obligations, the lawful recipients of personal data are required to pass personal data about customers on to the local authorities or process it without an adequate level of security.

5.6.2 The Insurance Ombudsman Service must apply to ADD Complaints Management.

ADD Complaints Management provides answers to the questions posed by the Insurance Ombudsman.

5.6.3 Third parties must direct enquiries to the registered office of ADD NV (Industrieweg 1, 3001 Heverlee)

If you as a third party have queries about customers, for example because you work for the police or are a notary public or lawyer, you can contact ADD NV's Third-Party Enquiries department, Industrieweg 1, 3001 Heverlee. This specialist department will answer your question bearing in mind its secrecy obligation and the privacy legislation. Our staff and other departments will therefore pass your enquiry on.

5.7 You can also help protect your data

There are certain aspects of (technical) data processing over which ADD has no or insufficient influence and is unable to guarantee total security. Examples include the Internet or mobile communications (e.g., smartphones).

If hackers are active, ADD does not always succeed in defeating their cyber-attacks in time. It sometimes does not even know that it is happening, for example if a hacker manages to obtain your identification details by installing illegal software on your computer (spyware) or by creating a fake website (phishing).

ADD invites you to regularly refresh your knowledge of safe Internet use. Various sites give you tips and recommendations for keeping things safe: