Personal data protection - CCR
Created in 1946, the Caisse Centrale de Réassurance (hereafter "CCR") is a reinsurance company governed by the French Insurance Code. A private limited company, its capital, amounting to EUR 60,000,000, is 100% owned by the State.
It has the distinctive feature of offering insurance companies, with the State's guarantee, unlimited covers for specific branches in the French market, in particular natural disasters and terrorism.
CCR carries out a public reinsurance activity. It has a subsidiary fully dedicated to private reinsurance in France and abroad, the company CCR RE, as well as two subsidiaries predominantly involved in property.
It also manages various Public Funds on behalf of the State as a legal representative.
Its registered office is located at:
157, boulevard Haussmann
75008 Paris
France
Tel.: 01 44 34 31 00
CCR and protection of personal data
CCR is responsible for processing personal data (hereafter the “personal data”) for which it has defined the purposes and the resources, in accordance with 2016/679 Regulation (EU) of 27 April 2016 relating to the protection of natural persons with regard to the processing of personal data and the free movement of such data (the “GDPR”).
CCR and the company CCR RE are joint controllers of certain processing of personal data. They concluded an arrangement of joint responsibility. The DPO of CCR and CCR RE is appointed as point of contact for reception and processing of requests to exercise of data subject’s rights.
CCR is very mindful of the protection of individuals’ personal data (“The data subjects”) that appears in such processing. This undertaking reflects the special interest that it gives, in addition to its employees and lessees, to other persons whose personal data its clients, partners and service providers are required to provide to it. In its reinsurance activity, CCR’s clients are in particular the insurance and reinsurance companies (“the cedants”). CCR receives premiums from these cedants in exchange for which it pays them part of their claims. It therefore has no direct (contractual, financial or other) relationship with the insureds and third party victims, about whom these companies might provide it with certain personal data.
To ensure that they have the best information about the processing of this data, CCR has drawn up this Personal Data Protection Policy (the “Policy”). It applies to all personal data that it collects, either directly from the data subjects, or indirectly through its clients, partners and service providers, themselves subject to the GDPR.
In 2015, CCR appointed a Data Protection Correspondent and then in 2018 a Data Protection Officer who is bound by professional secrecy and is subject to an obligation of confidentiality in performing his duties:
Arnaud VERREY - 157, boulevard Haussmann -75008 Paris (France)
The CNIL (French data protection authority) certified the skills of CCR’s Data Protection Officer. Any question or request related to the processing of personal data by CCR must be sent directly to CCR’s Data Protection Officer.
In addition, the data subjects must exercise their rights, supported by a copy of an identity document, by post to said Officer or by email to droit.dacces@ccr.fr.
On what legal grounds do we process your data?
The legal grounds for processing are set in Article 6 of the GDPR.
Areas |
Legal grounds |
Public reinsurances |
Processing necessary for the performance of a public interest task. |
Management of public funds |
Processing necessary for the performance of a public interest task. |
Employee data management |
Processing necessary for the performance of the employment contract. |
Rental management |
Processing necessary for the performance of the rental agreement. Processing necessary for the performance of a legal obligation to which CCR is subject. |
CCR's relations with its service providers |
Processing necessary for the purposes of the legitimate interests pursued by CCR and its service providers. |
Extranet sites |
Processing necessary for the performance of a public interest task. Processing necessary for the purposes of the legitimate interests pursued by CCR, its ceding insurance companies and the other visitors to the site. |
Website |
Processing necessary for the purposes of the legitimate interests pursued by CCR. Consent for cookies. |
How do we process your data?
Your personal data is collected for specified, explicit and legitimate purposes and is not subsequently processed in a manner that is incompatible with those purposes. It is also appropriate, relevant and limited to what is necessary in relation to those purposes.
CCR also affords great importance to the security of the personal data that appears in its processing and does all that it can to ensure state of the art physical, technical and organisational security measures to protect such data against the accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access. These measures are reassessed and updated if necessary. A copy of the security measures put in place by CCR can be obtained from the DPO.
Only people who need to process such data in performing their duties can access it. The processing in which your personal data appears is recorded in a processing register in accordance with the GDPR which is not accessible to you.
This data is almost totally hosted in France, and secondarily in a State of the European Union, a State that ensures an adequate level of protection or a third State with appropriate safeguards.
What is the purpose of processing your data?
Areas |
Data processed |
Purposes |
Public reinsurances |
Civil status, Identity, identification data. Professional life. Economic and financial information. Information regarding the insureds (address).
|
Taking out, managing and performing reinsurance treaties. Assessment, acceptance, control and monitoring of the risk. Payment of claims Data analysis, compilation of statistics and actuarial, technical and scientific studies on behalf of CCR or on behalf of the State. Research and development activities. Compliance with the applicable regulations (including the setting up of regulatory provisions and other capital requirements). |
Management of public funds |
FNGRA (French National Agriculture Risk Management Fund): Civil status, Identity, identification data. Professional life. Economic and financial information.
FAPDS (Guarantee fund for loss/damage arising from acts of prevention, diagnosis or care): Civil status, Identity, identification data. Professional life. Economic and financial information. Health data. |
Settlement and monitoring of requests for indemnification.
Monitoring and management of rights of recourse, claims and litigation. |
Employee data management |
Civil status, Identity, identification data. Professional life. Private life. Economic and financial information. |
Documentation with a view to possible recruitment. Entering into and performance of an employment contract from the date that it is entered into until its expiry. |
Rental management |
Civil status, Identity, identification data. Professional life. Private life. Economic and financial information.
|
Entering into and performance of the lease from the date that it is entered into until its expiry. Management of the relations between CCR and its lessees. |
Relations with its service providers |
Civil status, Identity, identification data. Professional life. |
Management of the contacts between CCR and its points of contact within its service providers, in all of CCR's areas of activity. |
Extranet sites |
Civil status, Identity, identification data. Professional life. |
Management of online spaces dedicated to public reinsurances. Sending of ceding insurance companies' accounts to CCR. |
Website |
Civil status, Identity, identification data. Professional life. |
Management of a public site on the governance, mission and activities of CCR. |
For how long is your personal data kept?
Your personal data is kept for a period not exceeding that needed for the purposes for which it is processed or for any other authorised purposes.
Because of the specific nature of the insurance and reinsurance sector, CCR is required to keep certain personal data of insureds and third party victims beyond the period of the reinsurance contract plus the applicable statutory limitation period.
Also, CCR may keep your data for a longer period, once aggregated or anonymised, as such data is then no longer governed by the GDPR.
Who are the recipients of your data?
In respect of the purposes set forth, the list of recipients authorised to know your personal data is strictly limited. It concerns the relevant departments of CCR and its respective subsidiary companies, and any of their service providers and subcontractors.
In addition, CCR can transmit your personal data to any court, any regulatory or control body as well as to any public authority, should this be required.
What are your rights regarding the data collected?
You can exercise a certain number of rights with CCR, which will consider your request and reply to you within the applicable legal time frames:
- the right of access (Article 15 of the GDPR) gives you the opportunity to obtain, from CCR, the communication, in an accessible form, of the personal data concerning you, together with any available information regarding its origin.
- the right to question (Article 15 of the GDPR) allows you to question CCR to enable it to provide you with any information relating to your personal data and the processing thereof.
- the right to rectification (Article 16 of the GDPR) offers you the possibility of obtaining rectification of the personal data concerning you, when it is inaccurate.
- the right to erasure (right to "be forgotten") (Article 17 of the GDPR) allows you to obtain the erasure of the personal data concerning you when:
ü your data is no longer necessary in relation to the purposes for which it was collected or processed;
ü you withdraw your consent and there is no other legal ground for the processing;
ü you object to the processing and there are no overriding legitimate ground for the processing;
ü your data has been unlawfully processed;
ü your data has to be erased to comply with a legal obligation.
- the right to object (Article 21 of the GDPR) gives you the possibility to object, at any time, for reasons relating to your particular situation, to the processing of the personal data concerning you when the processing is based on your consent or CCR's legitimate interest or your personal data is processed for marketing purposes.
- the right to restriction of processing (Article 18 of the GDPR) allows you to obtain from CCR the restriction of processing when:
ü you contest the accuracy of your personal data, for a period enabling CCR to verify the accuracy of such data;
ü the processing of your personal data is unlawful and you object to its erasure and request the restriction of its use instead;
ü CCR no longer needs your personal data for processing purposes, but it is still needed by you for the establishment, exercising or defence of legal rights;
ü you object to the processing, pending the verification regarding whether the legitimate grounds pursued by CCR override your own interest.
- the right to portability of the data (Article 20 of the GDPR) gives you the possibility of receiving, in a structured, commonly used and machine-readable format, the personal data which you have provided to CCR and the right to transmit such data to another data controller without hindrance from CCR, when:
ü the processing is based on your consent or on a contract;
ü the processing is carried out by automated means.
Where it is technically possible, you have the right to have the data transmitted directly from one data controller to another.
Where applicable, you have a right to complain to the CNIL (French data protection authority) if you consider, after having exercised your rights with CCR, that said rights have not been respected:
Commission Nationale Informatique et Libertés (CNIL)
3 Place de Fontenoy
TSA 80715
75334 Paris Cedex 07
Miscellaneous
This Policy is dated 2 January 2023.
It is accessible from CCR's website and a copy of this Policy can be sent by CCR on request.
The information contained in this Policy is provided for information purposes. The information can be subject to amendments, corrections, updates or partial or total deletions at any time without any prior notice from CCR.