Data Protection/Privacy Statement

Under the terms of REGULATION (EU) 2016/679 (on the protection of natural persons with regard to the processing of personal data and on the free movement of such data), the "Data Subject" (policyholder / policyholder of the group policy or agreement / insured / beneficiary / their assignees) is hereby informed of the following.

Preliminary Notice
This Notice is provided by the insurance companies (Data Controllers) also in the interest of the other Data Controllers within the so-called insurance chain.

Identity and contact details of the data controller companies
The Data Controller is, to the extent of its competence, the insurance company providing the guarantees under the insurance contract, as indicated in the contractual documentation, namely:

AXA FRANCE VIE registered with the Commercial Register of Companies of Nanterre No. 310 499 959 with registered office at 313, Terrasses de l'Arche - 92727 Nanterre Cedex, France, admitted to operate in Italy under the regime of establishment. General Representative for Italy: Corso Como n. 17, 20154 Milan, Italy. Registered in the Register of Insurance Companies maintained by IVASS, in appendix List I, no. I.00149.

AXA FRANCE IARD registered with the Nanterre Commercial Register of Companies No. 722 057 460 with registered office at 313, Terrasses de l'Arche - 92727 Nanterre Cedex, France, admitted to operate in Italy under the establishment regime. General Representative for Italy: Corso Como No. 17, 20154 Milan, Italy. Registered in the Register of Insurance Companies maintained by IVASS, in appendix List I, no. I.00148.

AXA FRANCE VIE enrolled in the Commercial Register of Companies of Nanterre No. 310 499 959 with registered office at 313, Terrasses de l'Arche - 92727 Nanterre Cedex, France, authorized to operate in Italy under the regime of Free Provision of Services by IVASS (Institute for Insurance Supervision) Provision issued on February 20, 2006 pursuant to Article 24 of Legislative Decree 209/2005, enrolled in the Register of Insurance Companies maintained by IVASS, in appendix List II, no. II.00022 .

AXA FRANCE IARD enrolled in the Commercial Register of Companies of Nanterre No. 722 057 460 with registered office at 313, Terrasses de l'Arche - 92727 Nanterre Cedex, France, authorized to operate in Italy under the regime of Free Provision of Services by IVASS (Institute for Insurance Supervision) Provision issued on April 1, 2003 pursuant to Art. 24 of Legislative Decree 209/2005, registered in the Register of Insurance Companies kept by IVASS, in appendix List II, no. II.00600 .

Contact details of the data protection officer (dpo)

The Interested Party may contact the Data Protection Officer (DPO) of the Data Controller companies by writing to the Data Controllers (listed above) at the following contacts:

  • by mail: - Data Protection Officer - Corso Como n. 17 - 20154 MILAN
  • by e-mail: clp.it.privacy@partners.axa

Purposes of the processing for which the personal data are intended and legal basis of the processing

The purposes of the processing of personal data collected are as follows:

  1. purposes strictly related and instrumental to the offer, conclusion and execution of the insurance contract concluded (including any renewals), the payment of premiums, the management and settlement of claims and the management of complaints, including the prevention, detection and prosecution of insurance fraud;
  2. performance of administrative - accounting activities and those pertaining to the exercise of insurance activities, to which the Data Controller companies are authorized, including the redistribution of risk through co-insurance and/or reinsurance.
  3. Purposes arising from legal obligations, regulations, EU legislation, provisions issued by Authorities empowered to do so by law or by supervisory and control bodies.

    The Data Subject's consent is not required for the processing of his/her non-sensitive data strictly necessary for the provision of insurance services and/or products and/or benefits by the Data Controller and third parties to whom such data will be communicated.
    Conversely, consent is required for the processing of data essentially related to the health of the Interested Party and in any case those falling within the scope of so-called sensitive data. The consent of the Interested Party therefore concerns the processing of any sensitive data whose use will be strictly inherent to the provision of services, and / or insurance products and / or services mentioned whose processing is permitted by the general authorizations issued by the Guarantor for the protection of personal data. In addition, exclusively for the above-mentioned purposes and always limited to what is strictly related to the specific relationship between the Interested Party and the Data Controller, as the case may be, the personal data of the Interested Party may or must be communicated to other subjects in the insurance sector or of a public nature operating - in Italy or abroad - as autonomous data controllers, subjects all thus constituting the so-called "insurance chain", in part also in a merely organizational function. The consent of the Interested Party therefore also concerns the specific processing and communications within the "insurance chain" carried out by the aforementioned subjects.

    Without the personal data of the Data Subject, the Data Controller is not able to provide, the insurance services, services and/or products. Therefore, in relation to this specific purpose, consent is a necessary prerequisite for the performance of the insurance relationship. The Data Controller may, in addition, use the address data of the Data Subject to send service communications instrumental for the management of the insurance relationship.

    Legal basis of the processing: for the insurance purpose described above, the legal basis that legitimizes the processing is the need to have personal data for the execution of a contract to which the interested party is party or to the execution of pre-contractual measures taken at the request of the same. Another legal basis that legitimizes the use of data for this purpose is the need to have personal data to fulfill a legal obligation to which the data controller is subject. Finally, the processing is necessary for the pursuit of the legitimate interest of the data controller in carrying out the insurance business.

    The processing of data for additional and different purposes, such as market research, marketing activities and profiling, will be carried out only and exclusively with the express free consent of the Data Subject, and only after appropriate information has been provided to the Data Subject.

    The categories of personal data subject to processing

    The following categories of personal data of the Data Subject may be processed, only and exclusively for the purposes indicated above:

    1. identification data of the Interested Party, such as: the name and surname, place and date of birth, registered residence and domicile, details of the identification document, tax code, e-mail, telephone number;
    2. data of the Interested Party suitable to reveal the state of health, only if strictly necessary to execute the insurance contract, from the pre-contractual phase of assuming the risk to the liquidation phase of ascertaining the right to the benefit.

In the case of policies linked to loans or mortgages, data relating to the loan/mortgage strictly necessary for the insurance (e.g.: number of the insured loan, commencement and duration of the loan for the purposes of coverage, lending finance company, capital disbursed and monthly installment for the purposes of quantifying benefits in the event of a claim) are also processed. In the case of policies sold involving risks on motor vehicles, data identifying the insured vehicle (license plate, chassis number, registration date) are also processed.

In the case of premium payment by bank transfer or SEPA direct debit mode, the bank details (IBAN) of the Interested Party will also be processed, as well as in the case of settlement of the benefits under the contract.

Recipients / categories of recipients of personal data

Recipients of the Data Subject's personal data are first and foremost the employees and/or collaborators of the Data Controller companies, who are part of the internal organisation of the Data Controllers, and who process the data collected exclusively within the scope of their respective duties (e.g.: claims office, claims office, back-office office, underwriting office), in accordance with the instructions received from the Data Controllers and under their authority.

Recipients of the Data Subject's personal data are also the following categories of third parties, outside the organisation of the Data Controller companies, to whom the personal data may be communicated. These subjects act as autonomous data controllers, unless they have been designated as data processors. These subjects are:

  1. other subjects in the insurance sector (so-called insurance chain), such as insurers, co-insurers and reinsurers, brokers, agents and other insurance intermediaries (and their brokers)
  2. professionals, consultants, firms or companies operating in the context of professional consultancy and assistance relationships, such as law firms, medical practitioners, experts, privacy consultants, anti-money laundering consultants, tax consultants, anti-fraud consultants/companies, debt collection professionals/companies, companies in charge of monitoring/quality control of the offer and placement of insurance contracts, etc;
  3. persons who carry out activities connected with and instrumental to the execution of the insurance contract and the management and settlement of claims, such as: storage, management, archiving and destruction of documentation of customer and non-customer relations; transmission, enveloping, transport and sorting of communications to customers; customer assistance activities (e.g.: call centre, help desk); customer service activities (e.g.: call centre, help desk); and the provision of services to customers. call centre, help desk); activities of remote offer and placement of insurance contracts (external call centres); activities of medical underwriting of risk, management, settlement and payment of claims; activities of policy administration and support to the management and collection of premiums;
  4. insurance (ANIA) or financial sector associations to which the policyholders or the other owners of the insurance chain are affiliated;
  5. companies belonging to the group to which the Data Controllers or the other Data Controllers of the insurance chain belong (parent companies, subsidiaries and associated companies, even indirectly, pursuant to current legislation). Communication of personal data and information within the AXA Group worldwide is covered by the AXA Group BCRs (Binding Corporate Rules).
  6. other parties to whom the communication of data is required by law, such as, for example: IVASS, Bank of Italy - UIF (Financial Intelligence Unit), Inland Revenue Service, Judiciary, Police.

Transfer of personal data to recipients located in third countries

For some activities we use parties we trust - sometimes operating outside the European Union - who carry out tasks of a technical, organisational or managerial nature on our behalf; the same is also done by the parties already mentioned in this notice to whom the data is disclosed. In any case, the transfer of data outside the European Union will take place on the basis of the assumptions set out in the applicable legislation, including the use of binding corporate rules (BCR - Binding Corporate Rules) for transfers within the AXA Group, the application of standard contractual clauses defined by the European Commission for transfers to companies outside the AXA Group, or the verification of the presence of an adequacy finding of the personal data protection system of the country importing the data.

Data retention period

Personal data will be kept for a period of 10 years after the expiration or early termination, for whatever reason, of the insurance contract and, in any case, in accordance with the rules of the sector supervisory authority.

Data subject's rights

The Data Subject has the right to request from the Controller

  1. access to the personal data concerning him/her
  2. rectification of personal data concerning him/her; and
  3. the deletion of personal data concerning him/her
  4. the restriction of the processing of personal data concerning him/her.

The Data Subject also has the following rights vis-à-vis the Controllers:

  1. the right to object to the processing of personal data concerning him/her;
  2. the right to the portability of data concerning him/her. The 'right to portability' means the right to receive, in a structured, commonly used and machine-readable format, the personal data provided to the Data Controllers, as well as the right to transmit such data to another data controller without hindrance from the Data Controllers to whom he or she has provided it (pursuant to Art. 20 of the Regulation);
  3. the right to revoke consent at any time without prejudice to the lawfulness of the processing based on the consent before revocation;

Finally, the Data Subject has the following right

  1. the right to lodge a complaint with the Garante per la Protezione dei dati Personali, in order to complain about a violation of the rules on the protection of personal data. The complainant may submit the complaint to the Garante using the method he or she deems most appropriate, either by hand delivery to the Garante's offices (at the address indicated below) or by forwarding it by (i) registered mail with return receipt addressed to: Garante per la protezione dei dati personali - Piazza Venezia 11 - 00187 Roma; (ii) e-mail to: garante@gpdp.it, or (iii) protocollo@pec.gpdp.it; (iv) fax to: 06/696773785.

Source of personal data

The Data Controller companies collect the personal data of the Data Subject directly from the Data Subject (also through their outsourcers who come into contact with the Data Subject) or from the insurance intermediaries (and their intermediary staff) appointed or otherwise involved in the distribution of the insurance product or from the Policyholder of the Collective Policy or agreement.

Information on automated decision-making processes and profiling

The personal data collected are not subject to automated decision-making processes, nor are they subject to profiling, with the exception of the profiling required by law for anti-money laundering purposes.

Date of last update: 13.04.2022