GFIA Global Federation of Insurance Associations

Last date of revision: 3 October 2018

1. WHO DOES THIS PRIVACY STATEMENT APPLY TO?

2. WHAT IS COVERED BY THIS PRIVACY STATEMENT?

3. DATA WE COLLECT

4. HOW WE OBTAIN YOUR PERSONAL DATA

5. WHY WE PROCESS YOUR PERSONAL DATA

6. THE LEGAL GROUNDS FOR PROCESSING YOUR PERSONAL DATA

7. YOUR RIGHTS

8. RECIPIENTS OF YOUR PERSONAL DATA

9. WEBSITE VISITORS: COOKIES

10. SECURITY OF YOUR PERSONAL DATA

11. DATA RETENTION

12. AUTOMATED DECISION-MAKING

13. HOW TO CONTACT US?

14. CHANGES TO THIS PRIVACY STATEMENT

1. WHO DOES THIS PRIVACY STATEMENT APPLY TO?

The Global Federation of Insurance Associations (GFIA) ("We”) is established to represent national and regional insurance associations that serve the general interests of life, health, general insurance and reinsurance companies and to make representations to national governments, international regulators and others on their behalf.

We act as a data controller for all personal data processed by GFIA. We process any personal data as safely and reasonably as possible and in strict compliance with the applicable data protection legislation, including the General Data Protection Regulation 2016/679 of 27 April 2016 (GDPR).

Please note that data protection rules apply to personal data. Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

This Privacy Statement covers:

• Third party contacts: members and officials of international, regional and national institutions, organisations, authorities and agencies, any other business contacts, such as contacts from other international, regional and national federations, from a law firm or a consultancy, suppliers and journalists, as well as any other individuals who contacted or have been contacted by GFIA, such as individuals who signed up for updates through GFIA’s sign-up page
• GFIA’s events participants
• GFIA’s website visitors

Separate privacy statements apply to GFIA members (national and regional member associations) or (re)insurance companies affiliated to GFIA’s members.

2. WHAT IS COVERED BY THIS PRIVACY STATEMENT?

This Privacy Statement tells you what personal data we process, why and how we process your personal data when we perform our business activities, when you participate in GFIA events or when you use our websites ("the Sites”) and any of the services we offer through the Sites, to whom we give that information, what your rights are and who to contact for more information or queries.

When we refer to "the Sites”, we mean the web pages containing the domain name ‘gfiainsurance.org‘ and including all its subsites (http://www.gfiainsurance.org).

The Sites may link to other websites provided by members, members’ members or third parties. Whilst we try to link only to websites that share our high standards and respect for privacy, we are not responsible for the content or the privacy practices of other websites.

When linking to any such websites, we strongly recommend that you read the Privacy Statements on those sites, before disclosing any personal information.

3. DATA WE COLLECT

The main personal data we collect and hold in our database includes:

• identification data (eg name, company, address, e-mail address, phone number, job title).
• data regarding the communication between us (eg e-mails sent, meetings)
• your picture if you have published an article of yours in our Annual Report or if you are a speaker at one of our events and we have obtained your consent for this
• When you use our Sites, the browser on your device automatically sends information to the server of our Sites/application which temporarily stores it in a log file. More specifically, your IP address is automatically recorded without your intervention and stored until it is automatically deleted.
• The Sites also use cookies to gather statistics about the visits to the Sites and improve their performance and design. This data is anonymised, which means that we cannot identify you by processing it. For more information about the cookies we use and how you can control them, please consult the cookie section hereafter

4. HOW WE OBTAIN YOUR PERSONAL DATA

We obtain your personal data:

• in the framework of the execution of our business activities that serves the mission of our federation, for instance:
• because you provided it to us (eg by providing us with your business cards, via an e-mail you sent to us, via a contract we have with you), or
• because someone else has provided it to us (eg a colleague of yours or another third-party service provider that we use in the framework of our business activities), or
• because your personal data is publicly available.
• when you complete the sign-up page on our Sites and buy our products or services via our Sites.
• when you register for an event we organise. We only process the data that you have provided to us yourself.

5. WHY WE PROCESS YOUR PERSONAL DATA

• For legitimate business purposes including:
• arranging and managing meetings
• responding to any form of communication with us
• public affairs and relations activities, including sending you:
• invitations to our networking events, such as conferences, seminars, meetings, receptions, cocktails or any other types of gatherings
• our press releases
• emails aiming to raise your awareness about insurance-related issues, such as links to a quiz or specific pages on our website
• our position papers, insight briefings, working papers, reports (eg our annual report) or any other type of publication in the context of our business activities
• taking all necessary actions with respect to the organization of the events you are subscribed to, including:
• providing events information (such as confirmation emails, venues, participant lists, presentations, follow-up information and reports)
• preparing invoices (if relevant)
• printing badges, etc.
• Security and troubleshooting purposes for processing your IP address when you visit our Sites.
• For direct marketing purposes, such as:
• inviting you to attend our paid events, if you are a previous attendee or if we have obtained your consent for this
• sending you update emails about our paid services or products, if you are an existing customer or if we have obtained your consent for this

We will use your personal data only for the purposes for which we collected it or for reasons compatible with the original purpose. If we intend to use your personal data for reasons that are not related to the original purpose, we will contact you and notify you of the legal basis that allows us to do so.

6. THE LEGAL GROUNDS FOR PROCESSING YOUR PERSONAL DATA

We process your personal data for the purposes mentioned in the previous section relying upon the following legal bases:

• The legitimate interests of GFIA, whose mission is:
• to contribute to an international dialogue on issues of common interest by formalising contact, cooperation and dialogue among national and regional insurance associations
• to co-operate with other international organisations, particularly those representing the insurance industry
• to represent member associations’ interest to, among other, international regulatory groups, standard-setters and governments to increase the industry’s effectiveness

GFIA is registered on the EU transparency registry and its mission is expressly included therein.

This includes, for instance, supporting our business activities, supplier management, or responding to your queries, organising our events in the best possible way and promoting our future public relations activities.

We will also rely on our legitimate interest to process your personal data when you buy products or services via our Sites in order to process your order and send you future update emails on paid services or products.

When you use our Sites, your IP address is processed based on our legitimate interest to ensure the functionality and security of the Sites.

In this respect, we will always determine case by case whether our interests are not overridden by your interests, fundamental rights and freedoms.

• For the fulfillment of our contractual obligation (in case we have a contract with you).
• Consent, where necessary

7. YOUR RIGHTS

You have several rights concerning the personal data we hold about you. You have the right to:

• access your personal data, obtain confirmation that we are processing your personal data and request a copy of the personal data we hold about you
• ask that we update the personal data we hold about you, or correct such personal data that you think is incorrect or incomplete
• restrict our processing of your personal data where you believe that the data is not accurate or we may not have grounds for processing it
• ask that we delete personal data that we hold about you, if you believe that there is no (longer a) lawful ground for us to process it
• withdraw consent to our processing of your personal data (to the extent such processing is based on consent)
• ask to receive a copy of the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit such personal data to another party (to the extent the processing is based on consent or a contract)
• object to our processing of your personal data for which we use legitimate interest as a legal basis, in which case we will cease the processing unless we have compelling legitimate grounds for the processing
• object at any time to the processing of your personal data for direct marketing purposes

You can also click on the unsubscribe link included in relevant mailings, including direct marketing emails, to stop receiving such communication.

To exercise any of your rights, you can send us a request, indicating the right you wish to exercise by e-mailing us at . You may also use these contact details if you wish to make a complaint to us relating to your privacy.

If you are unhappy with the way we have handled your personal data or any privacy query or request that you have raised with us, you have a right to complain to the Data Protection Authority ("DPA”) in your jurisdiction.

8. RECIPIENTS OF YOUR PERSONAL DATA

All GFIA secretariat staff members who are responsible for our internal and external communications and the organisation of events, will have access to your personal data on a "need-to-know” basis for the purposes described above.

We may disclose your personal data to our members, our members’ members, third parties that provide services to us that reasonably require access to personal data relating to you for one or more of the purposes outlined in the "Why we process your personal data” section above. The following external parties may for instance be involved:

• external service providers we rely on for various business services
• law enforcement authorities in accordance with the relevant legislation
• external professional advisors (eg law firms or consultancies)

If you are a participant in one of our events, we may disclose your personal data (eg your name and the company or entity you work for) to all attendees of this event. We may also share your personal data (eg job title and email address) with our sponsors if you provide us your consent to do so.

If our federation enters into a joint venture with or is sold to or merged with another entity, your information may be disclosed to our new partners or owners.

International transfers

To achieve the objective of our processing as described above, we may transfer your personal data outside the European Economic Area (EEA). We transfer your personal data only to third parties outside the EEA when that country provides an adequate level of protection according to an adequacy decision issued by the European Commission or when the third party has agreed to provide appropriate safeguards that ensure your personal data is protected (within the limits permitted by the GDPR, eg by means of Standard Contractual Clauses). You can ask for more information and/or obtain a copy of those safeguards by sending us an e-mail ().

When an event you are subscribed to is organised outside the EEA, it may be necessary that a company located in a third country outside the EEA, requires access to your personal data to process and/or store these personal data (eg travel agency, hotel) where necessary for the performance of a contract with you or to take precontractual measures to execute your subscription to our event in the best possible way (article 49(b) or (c) GDPR).

In general, we will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Privacy Statement.

We reserve the right to disclose your personal data as required by law, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, request from a regulator or any other legal process served on us.

9. WEBSITE VISITORS: COOKIES

The Sites use Cookies. Cookies are small text files that are stored by your browser onto your computer or mobile device when you visit these Sites. The Sites use cookies that enable us to ensure the proper functioning of the website (functional cookies), as well as analytic cookies that collect anonymous, aggregated usage data to improve the Sites (analytic cookies).

You can refuse the installation of cookies on your device. The ability to enable, disable and/or delete cookies can be completed in your browser. You can delete all cookies that are already on your device and you can set most browsers to prevent them from being placed. The settings are usually in the "options” or "preferences” menu of your browser. To understand them, the "Help” option in your internet browser or the following links may be helpful:

• Cookie settings in Internet Explorer
• Cookie settings in Firefox
• Cookie settings in Chrome
• Cookie settings in Safari

You can find more information about cookies at: www.allaboutcookies.org. Please note that turning off functional cookies might restrict your use of our website(s).

The Sites use the following types of cookies:

• Functional cookies
• Session cookies: a session cookie is used each time you visit our Sites to give you a session ID. They link your actions on our Sites and each one will only last for a browser session, at the end of which it will expire. After your visit to our Sites all session cookies are deleted.
• Persistent cookies: a persistent cookie allows the preferences or actions of the user across a site (or across different websites) to be remembered. It has a longer life than a session cookie and lasts for a period of time that varies from cookie to cookie. This type of cookie will not be deleted when you close your browser window and will be stored on your computer or mobile device. It will be activated every time you visit the website that created it.
• First-party cookies: a first-party cookie is a cookie set by us or any of our processors.
• Third-party cookies: no third-party cookies are set.
• Analytic cookies

These cookies are used to gather statistics about your visit to the Sites to improve their performance and design ("web audience measuring”). They are first-party cookies, which means that we have complete control over the information collected through them. This data is anonymised, so we cannot identify you by processing it.

These cookies collect information about the number of times that you visit the Sites, how long a visit takes, etc.

The analytical cookie we use is Google Analytics, which expires after two years and allows us to gather statistics about the web pages visited.

10. SECURITY OF YOUR PERSONAL DATA

We employ strict technical and organisational (security) measures to protect your personal data from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage both online and offline.

These measures include:

• training relevant staff to ensure they are aware of our privacy obligations when handling personal data
• administrative and technical controls to restrict access to personal data to GFIA secretariat staff members
• technological security measures, including fire walls, encryption and anti-virus software
• back-up systems
• login access blocks in case of loss or theft of devices
• physical security measures, such as staff security badges to access our premises

Although we use appropriate security measures once we have received your personal data, the transmission of data - especially over the internet (including by e-mail) - is never completely secure. We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to us or by us.

We limit access to your personal data to those who we believe reasonably need to access that information in order to carry out their tasks.

11. DATA RETENTION

We will retain your personal data for as long as:

• it is necessary to fulfil the purposes for which we collected it for, including the purposes of satisfying any legal, accounting or reporting requirements
• you have a role or function that is relevant to GFIA’s daily business activities and mission
• your relationship with GFIA persists (eg if you are a contractual party)

For website visitors: the IP that we collect when you visit our Sites is retained for 90 days.

For information about the expiry dates of the cookies used on the Sites, please consult the cookie section.

12. AUTOMATED DECISION-MAKING

Automated decisions are defined as decisions about individuals that are based solely on the automated processing of personal data and that produce legal effects that significantly affect the individuals involved.

As a rule, your personal data will not be used for automated decision-making. We do not base any decisions about you solely on automated processing of your personal data.

13. HOW TO CONTACT US?

We hope that this Privacy Statement helps you understand, and feel more confident about, the way we process your data. If you have any further queries about this Privacy Statement, please contact us:

• by e-mailing us at or
• by calling us at +32 2 894 30 81.

14. CHANGES TO THIS PRIVACY STATEMENT

We may modify or amend this Privacy Statement in the future. Should this happen, the revised Privacy Statement will be posted on our website, and you may also be notified by e-mail.