Published on 31/05/2018


FAQ - GDPR: how it impacts on your complementary pension plan and/or your occupational health insurance


A characteristic feature of a supplementary pension plan/occupational health insurance is the tripartite relationship that exists between AG Insurance as the pension institution/insurer, the employer as the organiser/policyholder and the participants for whom the insurance is taken out. The employer and the pension institution/insurer will both process personal data for this purpose and will cooperate closely with each other. It is prudent to agree unambiguous arrangements in this regard. After all, under GDPR it is very important for data subjects to know who to approach in order to exercise their rights.

Therefore, the annex to your (group) insurance sets out a clear and transparent arrangement for processing personal data. This arrangement makes it possible to give data subjects effective protection fully consistent with GDPR. With this in mind, it is important for you to sign the annex and return it to us.

This annex also applies to all supplementary pensions/occupational health insurance plans that you as an employer have concluded with AG Insurance and it will be appended to your (group) insurance.

The General Data Protection Regulation, widely known by its abbreviation GDPR, comes into effect on 25 May 2018. This new European regulation changes the rules for protecting privacy and harmonises them across all Member States of the European Union. Every organisation that processes personal data must comply with GDPR.

You can take out a (group) insurance with AG Insurance if, as an employer, you wish to offer your staff members, and possibly also their family members, a fringe benefit in the form of a supplementary pension plan or a healthcare/incapacity insurance. You will then need to supply AG Insurance with personal data to enable us to perform the insurance contract. AG Insurance may also receive personal data from the individual (known as the ‘data subject’ under GDPR) or from third parties. Without processing these personal data, AG Insurance will be unable to enrol the data subject in the pension plan or occupational health insurance. Similarly, AG Insurance needs the data subject’s personal data in order to pay out the pension capital on retirement or to reimburse hospitalisation costs.

Which personal data may AG Insurance process?
AG Insurance needs the following personal data to perform the pension plan and/or the occupational health insurance:

  • identification and contact details
  • financial data (such as remuneration details to allow calculation of the premiums and/or disability pension)
  • personal characteristics (such as age)
  • family composition, if applicable

For risk acceptance purposes, the data subject will in some instances have to fill in a questionnaire. For that purpose, AG Insurance might need to collect the following data:

  • health data
  • occupation and employment, lifestyle information
  • situations and behaviour that constitute a risk

In highly exceptional cases, and insofar as a law that offers appropriate safeguards allows us to do so, AG Insurance may process the following sensitive data:

  • judicial data (relating to such matters as money laundering)

For which purposes will AG Insurance process the data?
Together with you, we will process the personal data in order to:

  • manage the supplementary pension plan, based on the law (Supplementary Pensions Act);
  • manage the occupational health insurance, based on performance of the contract.

AG Insurance may further process the personal data in order to:

  • manage the database of persons for performance of the insurance contract;
  • establish statistics, detect and prevent misuse and fraud, compile evidence, ensure the security of goods, persons, IT networks and systems of AG Insurance and optimise processes (such as those for evaluating and accepting risks), based on the legitimate interests of AG Insurance;
  • provide advice on such matters as pension accrual and about options at retirement, based on the legitimate interests of AG Insurance, unless the data subject objects;
  • conduct prospecting using data obtained for the purpose of the occupational health insurance, based on the legitimate interests of AG Insurance, unless the data subject objects.

For every processing, the only data that we will process are those relevant to fulfilling the intended purpose.

If necessary for the aforementioned purposes, AG Insurance may also disclose these data to third parties, such as an insurance broker, in accordance with GDPR.

It follows from the tripartite relationship and from AG Insurance’s specific obligations in performing the insurance plans that AG Insurance is not merely carrying out executive tasks. With the exception of a few specifically defined activities, AG Insurance cannot be regarded as a processor of personal data (if it were, AG Insurance would moreover have no direct obligations towards participants or beneficiaries as regards the exercise of their rights).

As an employer, you process personal data for such purposes as your payroll accounting. For all your data processing, also for other purposes, you must comply with GDPR.

What must you do for the occupational insurances that you have taken out with AG Insurance?

Provide information
GDPR requires you to inform the participants of the data that you process about them (such as surname, first name, address and so on), the purposes for which you process the data (such as payroll accounting), and also any partners (such as external payroll accounting firms) to which you disclose such data (the ‘information to the data subject’ obligation).

Consequently, you will need to inform the employees that, for the purpose of the supplementary pension and/or occupational health insurance you have taken out for them, personal data will be disclosed to and processed by AG Insurance.

What exactly must you inform the data subjects about?

  • Your disclosure of personal data to AG Insurance
  • The purposes for which the personal data are intended and the legal ground for their processing (you will find this information in question 3, or in our General Terms and Conditions that you received together with the agreement for data processing; refer to question 1)
  • Their right to:
      • access the processed data and, if necessary, have them rectified
      • object to processing of their data, restrict the processing of the data or have the data erased
      • if consent is requested for the processing of the data, withdraw such consent at any time, without prejudice to the lawfulness of processing based on consent given prior to withdrawal
      • submit a complaint to a supervisory authority
  • The contact details of our Data Protection Officer (‘DPO’); refer to question 7

How exactly can you do this?

  • You can publish information on your intranet about the processing of data by AG Insurance. If you provide an overview of personnel benefits, you can also present this information in the overview.
  • You can state in a general information clause the partners to which you disclose the personal data and the purposes for which you disclose the data. You can mention this in your Privacy Notice, for example.
  • In the case of new participants, you can append an information clause to the affiliation documents.

Health data
It is possible that AG Insurance will have to process health data in order to perform the supplementary pension and/or occupational health insurance. As health data are of a sensitive nature, AG Insurance has always attached special importance to ensuring that data subjects explicitly agree to the processing thereof.

With a view to handling affiliations and claims smoothly, please obtain the explicit consent of the data subjects (the main insured party and any additional insured parties) for the processing of their health data by AG Insurance. It suffices that you get this explicit consent once.

Collecting this explicit consent is required in order to obtain death benefit coverage under the group insurance or reimbursement of medical costs. If the plan provides only life coverage, you do not have to obtain explicit consent.

At any time, the participants have the right to withdraw their consent for AG Insurance to process health data. However, this might result in AG Insurance being unable to meet a request for service and/or perform the contractual relationship.

The health data entrusted to AG Insurance by participants will be treated in the strictest confidence by AG Insurance, under the supervision of a professional healthcare practitioner.

How exactly can you do this?
You can obtain explicit consent by having the participant sign an (online) form. To this end, you can use this template (depending on whether a supplementary pension and/or an occupational health insurance has been taken out, delete as appropriate in the template).

  • You can provide the form on your intranet.
  • For new participants, you can always append the form to the documents supplied at the start of employment or on affiliation.

Due to the nature of its activities, AG Insurance is strongly dependent on its information and information systems. As such, it is vital that this information is adequately protected from all identified threats, whether these are internal or external, deliberate or accidental.

AG Insurance has implemented an Information Security Management System to provide an answer to these requirements.

Within this context, information security within AG Insurance is primarily aimed at the protection of the information AG Insurance receives, processes and stores and at the continuity and the reliability of the daily operations.

More specifically, the objectives of the AG Insurance Information Security Management System are to ensure that:

  • Accountability and responsibility for information security are established;
  • Information assets are protected against unauthorised access;
  • Confidentiality and privacy of information are maintained;
  • Integrity and availability of information are guaranteed through protection measures;
  • Continuity of critical business activities is ensured;
  • Proportionate security controls are implemented to protect assets and give confidence to interested parties;
  • Regular information security reviews are performed to enable continuous improvement;
  • Regulatory and legislative requirements are met.

As proof of our commitment to your security and privacy, we have been awarded a number of external certifications, independent auditors have duly signed off on our accounts, and we conduct internal audits on a regular basis. Some of the certifications we have obtained include the following:

  • International Professional Practices, awarded to our Internal Auditing department by the IFACI in 2013
  • Verizon Cybertrust Enterprise Certification, held continuously since 2010; the most recent certification was obtained in March 2018
  • ISAE 3402, awarded in 2012 for the management of pension funds
  • ISO 27001:2013, an internationally recognised standard, awarded to the AG Insurance IT department in March 2019 in recognition of our best practices for information security management

To guarantee the security of the IT infrastructure, AG Insurance has its security controls assessed and validated by an industry leader in information security, Verizon. The following periodic assessments are executed:

  • Policy review (annually)
  • Process and procedure validation (annually)
  • Physical inspection (annually)
  • External risk assessments (quarterly)
  • Internal risk assessments (bi-annually)
  • E-mail filter check tests (bi-annually)
  • Desktop risk assessments (bi-annually)
  • War dial assessments (bi-annually)
  • Wireless assessments (bi-annually)

With the increasing focus on GDPR and information security, Verizon is currently finalising a new security assessment that should lead to a renewal of our certification in the next few weeks.

AG Insurance has established a contact point for participants and beneficiaries who have questions about how AG Insurance processes their personal data or who want to exercise their rights under GDPR. For those purposes, they may approach our Data Protection Officer (DPO). If you receive questions from participants about the processing of their personal data by AG Insurance, you may contact our DPO:
AG Insurance – Data Protection Officer
Boulevard Emile Jacqmain/Emile Jacqmainlaan 53
1000 Brussels
AG_DPO@aginsurance.be

Our Data Protection Officer deals only with privacy questions received from data subjects.

As an employer, you will find more information about how AG Insurance processes personal data in our General Terms and Conditions and in our Privacy Notice, available at www.aginsurance.be. If you have any further questions, please send an email to GDPR.Campaign@aginsurance.be