What exactly are personal data? They are all the data which enable a person to be identified, and thanks to technological developments they have become many and varied and are also the subject of many types of processing by businesses.
In order to conduct its insurance business correctly, Bâloise Vie Luxembourg processes many personal data which are communicated to it by its customers and partners. It should be noted that Bâloise Vie Luxembourg was already subject to the Loi modifiée du 2 août 2002 relative à la protection des personnes à l'égard du traitement des données à caractère personnel (Amended Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data).
What new features are introduced by GDPR?
A. New rights for individuals:
- greater transparency, more information to be given, and limiting the data processed to what is necessary;
- restricting the use of data to the cases permitted by law, namely, for an insurance company: when entering into a contract (or policy), or if a person gives their consent, or on the basis of a legitimate interest or legal obligation;
- strengthening existing rights such as the right of access, the right to correct and the right to object;
- the creation of new rights such as the right of deletion or the right to portability;
- strengthening the conditions for obtaining consent to the processing of medical data; consent which may be withdrawn at any time.
B. New obligations are imposed on data controllers:
- to keep a record of all data processing performed;
- to be in a position to document and prove that the company’s organisation is GDPR compliant;
- to conduct GDPR impact assessments when developing products and procedures;
- to appoint a Data Protection Officer (DPO) whose role is to inform and advise on GDPR, and to ensure compliance;
- to establish a variety of high-level security measures to ensure the safeguarding and confidentiality of data when processed by the company, or by its subcontractors, who must also comply with GDPR;
- to set up systems for rapid reaction to data leaks, with notifications to be made to the CNPD and in some cases also to the persons concerned.
C. Strengthening the powers of the supervisory authorities
The National Commission for Data Protection (CNPD) receives greater powers of control and is authorised to impose much more severe penalties: increasing from 2 to 4% of a group’s global turnover or from EUR 10 to 20 million.
Non-compliance with GDPR is simply not an option.
GDPR is the introduction of a new culture of systematic, daily and continuous data protection. It is the business of each and every one of us in our company. This is why it is vital for all staff at Bâloise Vie Luxembourg to be trained in GDPR. GDPR, through its quality standards, also aims to restore a climate of trust between individuals and data controllers.
The Law of 2 August 2002 came into force on 1 December 2002 and was, in particular, amended by the Law of 27 July 2007 (overview of the main changes) and by the Law of 28 July 2011. It transposes into Luxembourg law the provisions of Directive 95/46/EC of the European Parliament and Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data.