Data retention policy

Legal terms

1. Introduction

1.1 This policy sets out the policies and procedures of Think Insurtech SAS and our website www.thinkinsurcare.com (the "company") with respect to the retention, archiving and deletion of data, whether in hard copy or digital form, and including personal data.

1.2 The company is subject to a range of statutory obligations in relation to the retention of data. On the one hand, the company is obliged to retain some classes of data for a minimum period. On the other hand, it is a fundamental principle of data protection law that personal data should be only retained for so long as required. Moreover, the retention of some classes of data may represent an unnecessary security risk. For these reasons, the company recognises the importance of formulating clear and specific policies in relation to data retention.

2. Definitions

2.1 In this policy:
(a) "appointed person" means the individual primarily responsible for handling data retention, archiving and deletion by the company, being the data protection officer of the company;
(b) "data controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
(c) "data processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(d) "data subject" means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(e) "deletion" means the permanent and irreversible deletion of data from all relevant databases and storage media in the possession or control of the company including, where necessary to ensure the deletion of the data, the destruction of the relevant storage media; and
(f) "personal data" means any information relating to a data subject.

3. Data retention, archiving and deletion

3.1 The company must archive and delete data in its possession and/or control in accordance with schedule 1 (Data retention periods), save as set out in this section 3.

3.2 Notwithstanding the archiving rules set out in this policy, the company may retain non-archived copies of data to the extent that the data is reasonably required in non-archived form for:
(a) the fulfilment of any legal or contractual obligations of the company; and/or
(b) the establishment, exercise or defence of any legal claims.

3.3 The company must not delete data to the extent that:
(a) the company has a legal obligation to retain the data;
(b) the company has a contractual obligation to retain the data (providing that such contractual obligation is not overridden by any legal obligation to delete the data); and/or
(c) the retention of the data is reasonably required for the establishment, exercise or defence of any legal claims (providing that such requirement is not overridden by any legal obligation to delete the data).

3.4 The company must not archive or delete any records to the extent that the legal department of the company has issued a legal hold instruction in relation to such records.

4. Data subject to contractual deletion obligations

4.1 The following categories of data processed by the company are or may be subject to contractual deletion obligations:
(a) confidential information disclosed to the company by another person under a non-disclosure agreement or the confidentiality provisions of a contract; and
(b) personal data with respect to which the company acts as a data processor.

4.2 Any deletion obligations with respect to confidential information will be set out in the relevant contract, and may vary from contract to contract. The company must comply with those obligations.

4.3 If the company acts as a data processor with respect to personal data, the law requires that the processing contract includes an obligation upon the company to delete the personal data after the end of the provision of services relating to the processing, save to the extent that the law requires storage. All personal data that the company processes on behalf of a data controller will be subject to appropriate deletion obligations taking the law into account, and the company must comply with those obligations.

4.4 To ensure compliance with its contractual deletion obligations, the company shall maintain a register of those obligations identifying, with respect to each relevant contract, the data to be deleted and the dates for deletion of that data.

5. Default archiving and deletion methods

5.1 Data must be archived by the company specify methods, save to the extent that specific archiving methods are provided for in schedule 1 (Data retention periods).

5.2 Data must be deleted by the company specify methods, save to the extent that specific deletion methods are provided for in schedule 1 (Data retention periods).

6. Reviewing and updating this policy

6.1 The appointed person shall be responsible for reviewing and updating this policy.

6.2 This policy must be reviewed and, if appropriate, updated annually.

6.3 This policy must also be reviewed and updated on an ad hoc basis if reasonably necessary to ensure:
(a) the compliance of the company with applicable law, codes of conduct or industry best practice;
(b) the security of data stored and processed by the company; or
(c) the protection of the reputation of the company.
6.4 The following matters must be considered as part of each review of this policy:
(a) changes to the legal and regulatory environment;
(b) changes to any codes of conduct to which the company subscribes;
(c) developments in industry best practice;
(d) any new data collected by the company;
(e) any new data processing activities undertaken by the company; and
(f) any security incidents affecting the company.

SCHEDULE 1 (DATA RETENTION PERIODS)

1. Introduction

1.1 This schedule 1 sets out the methods to be used by the company when archiving and deleting data and the periods during which data must be archived and deleted by the company.

1.2 If a data record falls under more than one section of this schedule 1, then the earlier section shall take precedence over the later section, unless the record constitutes a duplicate copy of data that is separately governed by the earlier section.

2. Insurance data: retention, archiving and deletion

2.1 In this policy, "insurance data" means copies of all insurance policies taken out by the company, together with all correspondence with insurers and claims data relating to such policies, but shall exclude.

2.2 Permanent data must not be deleted.

2.3 Permanent and insurance data must be archived and deleted as follows:
Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
We will retain your personal data as follows:
- The duration of your insurance plan for the effective management of your health & travel insurance.
- 3 years when you request a comparison quote.
- 5 years in the event of insurance fraud and 5 years in connection with the prevention of money laundering and the financing of terrorism

All applicable current and/or future international, regional, federal, or national Data Protection Laws, regulatory guidance, legislation, statutes, codes, regulations, recommendations and/or opinions issued by a relevant data protection authority, in any jurisdiction, relating to the Processing of Personal Data, including the privacy and security of Personal Data, including Amended French Data Protection Act no. 78-17 of 06.01.1978 on Information Technology, Data Files and Civil Liberties and, in particular, the General Data Protection Regulation 2016/679 of 27 April 2016 and any European Union or EU Member State legislation, regulation, recommendation or opinion replacing, adding to or amending, extending, repealing or consolidating the Data Protection Law relating to the requirements on collection, processing and use of Personal Data by Data Processors on behalf of Data Controllers.

Data Protection Supervisory Authority

An independent public authority which is established by a Member State pursuant to Article 51 of the Regulation; a supervisory authority which is concerned by the processing of personal data because:
the controller or processor is established on the territory of the Member State of that supervisory authority;

data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing;

or a complaint has been lodged with that supervisory authority;

The French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés), hereinafter referred to as the “CNIL”) is the French Supervising Authority. The CNIL is an independent administrative authority responsible for ensuring that information technology remains at the service of citizens and does not jeopardise human identity or breach human rights, privacy, or individual or public liberties. It supervises enforcement of Data Protection Agreement and frequently issues decisions and guidelines relating thereto. www.cnil.fr/english/

The English version of this policy is the original version and shall be referred to in the event of differences between the French version which is only the translation of the “Legal terms”.