The  new version of the Data Protection Statement comes into effect on 28 April 2022.

Part 1: To safeguard your privacy, we must work together

Protection of your data is very important to us. Our aim is to process personal data in a manner that is lawful, fair and transparent. In this Privacy Statement, we explain which of your personal details we collect from you as a natural person and then process.

In the following, the data referred to are yours as policyholder, prospective policyholder, insured person, payee or other data subject, such as a contact person of a company, agent holding power of attorney, aggrieved party, victim, counterparty, witness, expert, insurance intermediary, etc. Regardless of the capacity you act in, your rights remain unchanged and ADD will treat your data with equal care.

1.1 Make sure you read all of this information and look at what action is open to you.

We recommend that you read this information carefully, so that you know the purposes for which ADD uses your data. This data protection statement also contains more information about your privacy rights and how you can exercise them.

ADD may make amendments to this data protection statement. The most recent version is always available at https://www.add.be/privacy. In the case of important substantive changes, ADD will inform you via its website or other communication channels.

For more information on privacy legislation in Belgium in general, you can also visit www.dataprotectionauthority.be, the website of the Belgian Data Protection Authority.

We also recommend that you read ADD’s cookie policy for information on what cookies are, which cookies ADD uses and how to change your choice.

1.2 ADD takes great care when dealing with your personal data.

ADD NV is an insurance broker recognised in Belgium (under the control of the FSMA) and is registered for all European countries in order to be able to offer insurance services on the basis of Freedom of Service (FoS) for customers in the European Union. ADD's registered office is located at Industrieweg 1, 3001 Heverlee.

ADD NV also operates abroad via the Worldwide Broker Network (https://wbnglobal.com).

ADD is a part of the KBC group (hereinafter referred to as 'KBC').

ADD insures business customers and private individuals. That means that ADD acts as an intermediary between you as customer and an insurance company when taking out insurance policies, and in fulfilling its role and mediator during the policy term. You will find more information about what ADD does on its website at https://www.add.be/en.

ADD is data controller of personal data in the context contemplated in this data protection statement

1.3 Contact ADD if you have any questions about the processing of your data.

If you have questions about privacy or if you wish to exercise your rights, you can contact ADD by one of the following means:

• Call or e-mail your dedicated contact
• Contact privacy@add.be
• Drop by one of our regional head offices (in Heverlee or Merelbeke). See www.add.be

Part 2: Your right to privacy.

You have a lot of rights when it comes to processing your data. When ADD asks you for consent to process your data, you can subsequently withdraw that consent again any time you wish.

2.1 You can access your data

If you would like to access the data that ADD processes about you, let them know. As corporate customer, you can access certain data yourself without a request, such as via ADD Connect.

If you exercise your right of access, ADD will give you as complete a list as possible of your data. It is possible that some personal data from the usual back-up files, logs and stored records are not included in that list, not being data subject to processing at that time and, for that reason, not being immediately available. Therefore, they cannot be disclosed. Nonetheless, they do get erased from these files in the course of routine cleaning-up processes.

2.2 You can have your data rectified

It’s possible that certain data held on you by ADD is not or no longer correct. You can ask for the data to be corrected or completed at any time.

2.3 You can have your data erased

You may ask ADD to erase your personal data. If ADD no longer has a compelling reason for processing your personal data, ADD will erase them. A legal requirement may prevent the erasure.

2.4 You can object to your data being processed for certain purposes

If you disagree with how ADD invokes legitimate interest to process certain data (see 3.4), you can object. We will heed this objection unless there are compelling reasons not to do so, such as when we legally process data with a view to combating fraud.

2.5 You can ask for your data to be transferred to a third party

You can ask for your data to be transferred to a third party. You are entitled to ask ADD for personal data that you yourself have provided to ADD on the basis of consent or contract implementation to be transferred back to you or directly to a third party. Legislation lays down a number of limitations to this right, as a result of which it does not apply to all data.

2.6 You can ask to restrict the processing of your data

In certain cases, you are entitled to ask ADD to restrict the processing of your personal data. This right is subject to conditions. You may exercise your right to restrict processing:

• During the period that allows ADD to verify the accuracy of your personal data if you dispute the accuracy of your personal data that ADD is processing
• If a processing is unlawful, but you do not want the personal data to be erased
• If ADD no longer has any purpose in processing the personal data, but you still need them in the context of a legal claim
• Pending ADD's reply as to whether ADD's justifications outweigh yours, if you have exercised your right to object to a processing for which ADD had invoked legitimate interest as legal ground

2.7 You may exercise your rights

Always be as specific as possible when exercising your rights, so that ADD can deal with your question concretely and correctly. ADD will need to verify your identity to prevent someone else from exercising your rights. We may therefore ask you to provide additional information such as a copy of your ID card when such a request is made.

Do you have a question or a comment? You can get in touch with your usual contact by sending an e-mail to privacy@add.be or by dropping by one of our regional head offices (in Heverlee or Merelbeke). See www.add.be.

If you have a complaint about the exercise of your rights, ADD Complaints Management will be happy to look into it.

• ADD Complaints Management, Industrieweg 1, 3001 Heverlee
• Via ADD's digital channels, including its website at www.add.be – Contact – Direct contact

If the above contacts were unable to provide you with a satisfactory answer, you can contact ADD's Data Protection Officer in writing by sending a letter to: ADD NV - t.a.v. de Data Protection Officer - Industrieweg 1, 3001 Heverlee or by e-mail to privacy@add.be.

If you would like more information or if you do not agree with ADD’s point of view, be sure to visit the website of the Belgian Data Protection Authority, www.dataprotectionauthority.be. You can also ask a question and/or lodge a complaint there.

ADD works as insurance broker together with numerous insurers. They may also process your personal data. You may therefore also exercise your rights with the insurer by contacting them directly.

Part 3: ADD has many reasons for processing your personal data.

3.1 ADD must respect laws, legal obligations and public order

The main legal grounds for ADD having to process certain information about you are summed up here.

• Legislation on insurance distribution obliges ADD to analyse the wants and needs of prospective policyholders in the lead-up to signing a contract. It is sometimes necessary to categorise customers in the course of doing so. Natural persons are automatically classified as non-business customers though they may be regarded as being in the business category in certain circumstances. Where ADD gives advice on savings-type and investment-type insurance, then, depending on the type of customer, they have to gather information about the customer’s knowledge and experience, financial capacity, investment objectives and attitude to risk/return in relation to the products offered
• ADD must deploy all possible means to prevent and uncover money laundering, and report it to the authorities, and so ADD must take appropriate measures in this regard as well. For example, ADD must gather data on customers and groups of customers or issue risk alerts
• Specifically, for certain life insurance contracts, ADD must:
  • Identify you as customer, representative or ultimate beneficial owner
  • Verify your identity
  • Determine your profile (in relation to the risk of money laundering), which involves collating various personal and business data, such as whether you're a politically exposed person
  • Check your actions and transactions, and prevent certain transactions and report them to the Financial Intelligence Processing Unit
  • In doing so, ADD uses data given to it by you plus data that may come from other channels (such as Thomson Reuters's World-Check, Graydon, Trends and Company Web)
• For example, ADD requires a recent copy of your ID card when selling a number of insurance products. This is why ADD requests a copy of the ID card when insurance that falls under the money-laundering rules is taken out
• In the context of the fight against terrorism and the sanctions rules, ADD is required to screen customer data against sanctions lists. Transactions are also monitored. In some cases, underlying documents may be requested and payments may be held back. Here, too, ADD uses outside sources such as Thomson Reuters's World-Check
• ADD also has reporting obligations to administrative authorities such as transaction reports from market mechanism studies
• If ADD takes responsibility themself for collecting insurance premiums from their customers, it must take care of processing the transactions in books of account
• ADD may use personal data for the purposes of checks, investigations and opinions in areas subject to compliance considerations (such as prevention of money-laundering and fraud, investor and consumer protection, and privacy)
• Insurance brokers are responsible for appropriately controlling risk (including at group level). They are required to detect, prevent, mitigate and address risks. These include information management and statutory compliance risks, the risk of staff, customer and/or supplier fraud, and the risk of unethical behaviour by staff or breaches by them of their duties of care. This risk management must be ensured at both central level (gathering data on customers and groups of customers) and local level (e.g., by disseminating risk alerts)
• ADD also must respond appropriately when you exercise your rights under privacy legislation. ADD is also required to answer questions from the Data Protection Authority, for example, where a complaint is lodged
• ADD must also submit reports to, and be able to answer questions from, the regulators of financial institutions, such as the Financial Services and Markets Authority (FSMA) (www.fsma.be) in the context of the supervisory legislation
• ADD is also required to answer questions from the judicial authorities (police, public prosecutors and the bench, investigating judges and courts). These concern questions in the context of police legislation and (criminal) judicial procedure (including the Criminal Procedure Code)

3.2 ADD must be able to assess whether a contract or service may be entered into

Before ADD is able to intervene to contract insurance with an insurance company, it’s possible that certain data need to be processed in order to deal with the application and make a correct assessment of whether the contact is feasible and, if so, under what conditions.

For example, ADD needs to collect your data to:

• Gain a proper view of your insurance needs (in a meeting, a completed insurance application, etc.)
• Assess which product from which insurance company could provide appropriate cover for your risk
• Pass the right information to an insurance company or to insurance companies
• Be able to contact you with a tailored proposal
• Etc.

This applies to non-life insurance (such as car insurance, property insurance for your business) as well as life insurance (such as group insurance or loan balance insurance). For some forms of insurance, your health data may be processed by ADD.

Your medical data are processed in accordance with Article 4.3 Health data, which sets out ADD’s health policy.

3.3 ADD must be able to perform a contract correctly.

• As customer of ADD, you use a number of services that ADD as insurance broker must process for administrative and accounting purposes

• ADD must be able to contact you

ADD passes personal data given to it by you on to insurers and may also pass it on to other parties. For example, ADD must give data to the insurance company in order to fulfil its role as intermediary between customer and insurance company

Examples of processing by ADD are:

• Keeping information received from customers in an electronic file for further monitoring purposes
• Forwarding the completed insurance application to the insurance company to issue an offer, draw up a policy, open a claim file, settle a claim, etc.
• Discussing an insurance file with the insurer
• Delivering the insurance policy to the customer
• Collecting and recovering premiums that fall due
• Drawing up health and safety statistics for specific risks
• Providing an overview of a customer's insurance
• Etc.

To do so, ADD sometimes must submit certain personal data to internal or external specialists for an assessment of bodily injuries or material damage to which value can be attributed, and also to relevant third parties (such as co-insurers and re-insurance companies, lawyers, lease companies, repairers or relevant government agencies like the Industrial Accidents Fund).

ADD also exchanges the necessary information with WBN partners if you want to insure risks abroad for your company using ADD and the Worldwide Broker Network.

3.4 ADD processes personal data on the basis of legitimate interest

In addition to the purposes set out above, ADD as commercial business also has a number of legitimate interests that form the basis for processing personal data. In that regard, ADD ensures that the impact on your privacy is kept to a minimum and that, in all events, ADD’s legitimate interests remain proportionate to the impact that upholding them has on your privacy. However, if you object to these data being processed, you can exercise your right to object. ADD will respect the objection, unless ADD has compelling reasons not to do so.

There are various situations in which personal data are processed.

• ADD may use your personal data for the administration, (risk) management and oversight of the organisation, such as the legal department (including dispute management and legal risks), risk management (such as insurance risk vis-à-vis customers and customer groups worldwide), risk functions and inspections, complaints management and internal and external audit
• ADD may also use your personal data for ascertaining, exercising, defending and safeguarding the rights of ADD or of those it represents (e.g., in disputes)
• While apps are being developed, tests need to be carried out using personal data, including the final acceptance test before an app can be put into production
• If ADD investigates incidents in apps, ADD may process personal data for that purpose
• ADD may use personal data to support and simplify the acquisition, and termination of products and services by customers, to avoid you having to submit information that you had already given previously again, among other things, and also to send you messages for a service you have signed up for from us, in order to make it easier to use, for example
• ADD may send you newsletters, publicity and/or offers. Sometimes we do this on the basis of legitimate interest. For more information on the use of personal data for direct marketing, see 3.6

Personal data can also be used for information purposes. For example, through statistics, satisfaction surveys and market research

Personal data may also be used to develop models for customer convenience and marketing purposes:

• With insights gained from analytical models, ADD builds customer profiles. ADD then applies the model to you as individual or at the level of your family and, in exceptional cases, may also apply it to someone else for the following purposes:
  • Gathering data from different companies of the KBC group in these analytical models makes it possible to obtain data-driven insights that support the KBC group in making strategic choices
  • Developing commercial policies, taking into account customers' behaviour and wishes

Personal data can also be used for profiling for marketing purposes:

• Profiling to personalise and steer direct marketing. ADD uses them to determine customers' products and services or the commercial policy for a particular customer

3.5 In certain cases, ADD will request your consent to process personal data

You can read more about consent for direct marketing in 3.6.

If ADD requests consent for the processing of personal data, it is primarily in the following situations:

• For the processing of your health data
• For the processing of data of minors
• For the processing of criminal data
• For the processing of cookies on www.add.be. More info: Cookies | ADD (insurance-architects.be)
• To answer questions from third parties

However, the situations described above do not always require consent and ADD therefore sometimes uses a different legal ground for processing. For example, ADD sometimes has a legal obligation to answer questions from third parties or this may be required to implement a contract.

3.6 ADD uses your personal data for direct marketing

ADD wants to be able to make proposals to you as representative of your business concerning an extensive range of insurance policies and services. It may do so in response to explicit requests from you, or where ADD has an idea that you might be interested in or could benefit from a given product or service.

To make such proposals, ADD uses a basic set of personal data pertinent to you as contact, representative or relevant person at the business, including:

• Who you are
• Your job
• Your contact details
• The products you have and those you have no interest in

The sole aim is ultimately to be able to contact you with insurance information we can assume is of interest to your business.

If, in certain situations or for certain projects, ADD wishes to use additional personal data, we will request your consent.

You can receive these proposals in many different ways. For example, via the Internet, by e-mail, by post, by telephone and at events. In addition, ADD likes to keep up with the constantly evolving range of new technologies. ADD does its utmost to ensure that information is provided in a way that is clear, and will choose the most appropriate channel to inconvenience you as little as possible.

ADD imposes a number of restrictions on itself:

• ADD takes care in handling your personal data as prospect. For example, marketing material is only e-mailed to you with your consent
• ADD does not use spyware

When ADD offers you something, you're under no obligation to purchase it but we wouldn't do so if we weren't certain that it could truly be of service to you.

3.7 What if you do not wish to receive any direct marketing from ADD at all

You may not wish to receive any direct marketing from ADD at all. ADD respects that. Upon request, you may exercise your right to object to direct marketing. Simply e-mail privacy@add.be or drop by your ADD branch.

3.8 ADD does not sell your personal data

ADD does not sell or hire your personal data to third parties for their own use.

Part 4: ADD uses different types of data depending on the intended purpose.

ADD processes your personal data for a variety of purposes. The different types of data that exist are set out below.

4.1 It concerns information that's used to identify you, to contact you and to offer you the right advice

What data ADD uses for which purpose is also explained below.

4.2 Information in the public domain and information obtained through third parties

ADD sometimes processes public data.

• This might include information subject to a reporting duty (such as the publication of your company director)
• Data you yourself place in the public domain such as information on your website, your blog or via your publicly accessible social media profile, or information about you that ADD obtains from third parties (e.g., members of your immediate family)
• Information from sources such as the Crossroads Bank for Enterprises and Graydon also fall into this category

ADD may also receive personal data through third parties, who are responsible for ensuring that they gather the information concerned lawfully.

Those public data and data obtained via third parties may be relevant and used for the purposes set out by ADD in this data protection statement. These data may be relevant for verifying the accuracy of data we have on record and may serve to support direct or indirect marketing campaigns.

4.3 Health data

Health data are personal data connected to your physical or mental health, including data on medical services you received, which provide information on your state of health.

ADD will in principle only process your health data if it is relevant to its role as insurance broker and if you have given ADD your express consent to do so:

• ADD will only request your explicit consent where it is relevant to the file
• In the first instance, you are asked not to share health data with ADD in any way. For instance, if you have to complete a medical questionnaire before taking out hospitalisation insurance or life insurance, we ask you to send the completed form directly to the insurance company or the insurance company's consulting physician. This also applies to health data (e.g., hospital bills, temporary disability certificates) in the context of a claim settlement
• If, in the course of the file, it becomes apparent that your health data are relevant for ADD to help your file forward, ADD will ask you directly to provide the health data. In that case, ADD requires your explicit consent

When ADD processes health data, it does so with particular care. As such, when it's necessary, the processing is done under the supervision of a professional health-care practitioner (typically a doctor or physiotherapist). Health data are given a special classification of their own and, as a rule, are separately filed to alert staff to their sensitive nature. ADD staff are furthermore bound under a strict duty of confidentiality and are given special training in this regard. Where health data are passed on to a third party (such as an insurance company), this is done with appropriate care to ensure that the info is sent to the right person. These health data are also automatically erased from our files after a claim has been settled.

If you expressly consent to the processing of your health data, you authorise us to process your data in relation to all your insurance policies now and in the future, and for all claims and claim events in which you are involved. Your consent will remain valid until you revoke it. You are entitled to do so at any time. However, please bear in mind that this revocation may have implications for the further performance of your current insurance contracts and claims.

4.4 ADD retains data from offers, insurance applications, etc.

If you fill in a form provided by ADD, it naturally processes the data for the administrative management of the process for which you filled in the form.

• This can be an insurance application or some other app that ADD provides that you complete in order to receive an offer for an insurance policy. In this way, your data may be stored
• Some data will be pre-populated on the form if they are available. You will still be able to revise them

4.5 What you tell ADD staff members may be processed

If you contact an ADD staff member at one of our offices, by telephone, by e-mail, etc., this is generally registered:

• In order to constitute a record of what contacts there are between us and our customers
• So that there is a (short) record of what was said during that contact
• To remind our staff member of what still needs to be done

Even if you are not a customer, ADD may store such information as you disclose. That information can then be used if you become a customer subsequently.

By adopting this approach, ADD seeks to avoid you having to constantly provide information or answer questions a second time. This also allows us to improve the continuity of our service to you.

4.6 Monitoring written ADD correspondence

If you use e-mail to contact ADD or if you have digital communication channels that ADD uses (e.g., the www.add.be website or ADD Connect), ADD may use them to provide you with its statutory and official communications.

Correspondence with staff members in their capacity as ADD staff (sent to an office address, an office fax, or a job-linked or personal ADD e-mail address, etc.) is deemed to be business-related and may therefore be examined in the context of:

• Their duties
• Furnishing of proof
• Workplace checks
• Security
• Combating of fraud
• Optimisation and/or continuity of service to help ADD staff to correspond with you quickly and efficiently

4.7 More than just your own personal data may be involved

If you have a company or children, for example, you agree that ADD may also keep a record of those relationships and process the data of any associated persons. We may also process personal data of parties we have no direct relations with but who are involved in a relationship with us, such as being the beneficiary under a life insurance policy or as usual driver under a car insurance policy or as witness to an accident. And, if you provide information about your family members or related persons, we ask you to inform them of that fact (e.g., of a change of address that you've forwarded to us). If necessary in order to provide services as befits, we may also pass certain information on you and your insurance policies to members of your family or related parties, to avoid over-insurance for instance.

This has the following implications for legal persons.

• You agree that you're amenable to ADD's processing data relevant to the relationship with associated legal or natural persons as well as the data of those entities (e.g., parent company, subsidiaries, representatives, ultimate beneficial owners)
• In addition to the personal data of contact people, ADD also naturally stores data of your business
• We may exchange data on legal persons, such as contact details
• Please note that legal entities may only provide us with personal data of natural persons associated with them if those persons are sufficiently informed of this and, where necessary, have given their consent
• The legal entity accordingly indemnifies ADD in respect of all liability in this regard (vis-à-vis those concerned). For example, the company is responsible for complying with data protection legislation when it submits lists of users for online applications, or as part of a staff member’s group insurance membership
• ADD uses contact details of representatives of legal entities to arrange an appointment with the legal entity through the representative, to make commercial proposals and for relationship management

Part 5: Security and confidentiality

5.1 Not everyone can inspect your data at ADD

ADD takes the necessary technical and organisational measures to secure your data.

Only persons with appropriate authorisation can access personal data, and then only if those data are relevant to the performance of their duties.

Within ADD, your personal data are in principle only processed and consulted by certain departments that:

• You have a contractual relationship or contact with, or had one in the past or would like one in the future
• Require to be involved in the provision or aftercare of services
• Fulfil legal requirements (at group level) or requirements imposed by regulators or stemming from corporate governance principles
• Are tasked with preventing fraud, including money laundering, by staff and customers

Some examples:

• In a ‘total loss’ motor vehicle accident under a fleet file, the claims manager informs the contract manager that the vehicle can be removed from the insurance policy
• In relation to prevention of terrorism, we notify our compliance departments

Persons who are authorised to consult your data are moreover bound by a strict professional duty of confidentiality and must abide by all technical instructions to ensure the confidentiality of your personal data and the security of the systems in which the data are held.

5.2 Locations where data is processed are limited.

ADD uses the services of several processors to process personal data. These are companies that process data on the instructions of ADD.

5.2.1 Processors within KBC Group

ADD relies on entities within KBC group as processors. For example, the following control issues are outsourced to KBC group functions:

• Compliance function (DPO)
• Legal department
• Inspection

5.2.2 Processors characteristic of the insurance sector

ADD uses specialist third parties in Belgium and abroad to perform some processing operations. Such parties include:

• The management platform for accruing supplementary pension rights ‘E-gor’ (www.harukey.be) with information for cooperation between insurance companies, insurance broker, accountant and you as customer
• Loss assessors
• Lease companies
• Repairers (e.g., car repairers, glass repairers)
• Insurers or companies appointed by them who perform the audit on the proper functioning at ADD
• Veridass

5.2.3 Other processors

ADD may also make direct or indirect use of other processors, such as:

• consultants;
• ICT (security) service providers like Microsoft, Telenet, Fortinet, ..;
• marketing and communication agencies and similar companies, whereby ADD uses personal profile information on you that is held by them to be able to make targeted proposals to you via their channels (e.g., Google, Facebook, etc.);
• companies specialising in digital information archiving and access;
• companies specialising in prevention;
• translators and translation agencies

5.2.4 Processors outside the EEA

When ADD uses the services of processors, data may end up in countries where those processors' data centres are located.

Legislation in countries outside the EEA (such as Israel, the United States of America and India) doesn't always afford the same level of data protection as in EEA member states. Where a non-EEA country is viewed by the European Commission as not offering an adequate level of protection, ADD can cover the deficiency by, for example, entering into the necessary contractual guarantees with those processors (such as an agreement in accordance with a model approved by the European Commission) and by providing control mechanisms, and taking technical and organisational measures.

5.3 Processing by other data controllers

Besides using the services of other processors, ADD as data controller may also pass personal data on to other service providers or third parties such as insurers, lawyers, experts, WBN partners, supervisory authorities, who themselves are data controllers.

5.4  ADD takes specific measures to protect your data.

ADD ensures that strict rules are followed and that the processors concerned:

• Only have the data they need in order to perform their duties
• Give ADD a commitment that they will process the data securely and confidentially, and only use it for carrying out their duties

ADD declines liability if those processors (according to law) pass personal data of customers on to local authorities or if, despite the measures they have taken, incidents occur at those processors.

ADD takes internal technical and organisational measures to prevent personal data finding its way into the hands of, or being processed by, unauthorised parties or being accidentally altered or deleted.

Strict security measures are in place to protect premises, servers, the network, data transfers and the data itself.

To make online access to insurance as secure as possible, security experts at ADD analyse cyber-criminal activity so that they can hone the relevant security measures accordingly. ADD has the support of security experts at KBC group (see also www.kbc.be/secure4u) as well as by outside cyber experts to ensure it has the best possible security in place.

Together with you, we need to be aware that information shared by e-mail can sometimes be intercepted and, where possible, we must aim to use a different means of communication or to limit the amount of information sent.

ADD’s website may contain links to third-party websites or information. ADD does not check those websites or information. Parties offering those websites or this information may have their own privacy policies in place, which we advise you to read. ADD is not responsible for the content of those websites, their use or the privacy policies of those websites/third parties.

5.5 ADD does not keep your data for ever

ADD uses your personal data where it has a clear aim in mind. Once that aim no longer exists, ADD erases the data.

The starting point for keeping your personal data is the legal retention periods that ADD must observe in implementation of laws and regulations.

In addition, ADD keeps the data in your file for seven years after the insurance contract ends.

For business customers, personal data are kept for seven years after termination of the last contract.

The data that you provide to ADD so that it can produce an offer will, when the insurance policy is taken out, form part of the file that we keep in order to defend your interests in relation to that insurance. If the insurance never comes into being, we will keep the data that you provide us with when requesting an offer for a further three years after your initial request. That way, we are able to further help you if you change your mind and decide after all to take out the insurance policy, and we can help you further and avoid you having to give us the same information or answer the same questions. If the result of the offer led to an insurance policy being drawn up, this info is kept up to seven years after termination of the insurance contract.

ADD keeps these data to be able to defend you rights vis-à-vis the insurance company.

Personal data on potential customer prospects is used by ADD for three years, unless there was contact with the prospect in the meantime. In that case, a new three-year period starts. Prospects can always ask for their personal data to be erased.

5.6 ADD does not simply respond to questions from third parties without consideration

5.6.1 Compliance with the duty of discretion

Because ADD obeys its confidentiality duties and privacy legislation, we will only answer third-party queries if (i) they arise pursuant to a legal requirement or a legitimate interest, (ii) doing so is a prerequisite for performing the relevant contract, or (iii) the data subject has given consent. In the last case, ADD actually advises requesting the information directly from the data subject.

ADD declines liability if the lawful recipients of data, personal data of customers or legal entities, due to a foreign legal obligation, are required to pass these data on to the local authorities or process them without an adequate level of security.

5.6.2 The Belgian insurance industry’s ombudsman service must apply to ADD Complaints Management

ADD Complaints Management provides answers to the questions posed by the Belgian insurance industry’s ombudsman service.

5.6.3 Third parties must direct enquiries to the registered office of ADD NV, Industrieweg 1, 3001 Heverlee

If you as third party have queries about customers, for example because you work for the police or are a notary public or lawyer, you can contact ADD NV by post: Industrieweg 1, 3001 Heverlee or by e-mail to privacy@add.be. We will answer your question bearing in mind the duty of discretion and privacy legislation. Our staff and other departments will therefore refer you.

5.7 You can also help protect your data

There are certain aspects of (technical) data processing over which ADD has no or insufficient influence and is unable to guarantee total security. Examples include the Internet or mobile communications (e.g., smartphones).

ADD will always set up the necessary measures to avoid and ward off cyberattacks as much as possible. However, if hackers are active, ADD will not always succeed in defeating their cyberattacks in time. It sometimes does not even know that it is happening. For example, if a hacker manages to obtain your identity data by installing illegal software on your computer (spyware) or by creating a fake website (phishing).

ADD therefore invites you to regularly visit KBC’s website on safe Internet use: https://www.kbc.be/secure4u. The site will always provide you with the most up-to-date tips and recommendations on how to keep things safe and secure.

…