PRELIMINARY: THE SUBSTANTIVE CHANGES IN THIS VERSION OF THE DKV PRIVACY STATEMENT
We have mainly clarified certain legal bases (section 7) and added the exchange of your data with our partner when you have an accident or illness abroad (including outside the European Economic Area) (sections 5.2. and 9).
This new version is effective as from August 2021.
1. DKV AND YOUR PRIVACY
DKV Belgium N.V./S.A. (“DKV”) attaches significant importance to your privacy. Our aim is to process your personal data in a manner that is lawful, appropriate and transparent in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any national legislation adopted pursuant to the GDPR.
With this Privacy Statement we want to emphasise DKV’s engagement in this respect since privacy is a key value of our customer orientation strategy.
Please take the time to read this Privacy Statement to better understand which categories of personal data DKV processes from you. We also explain on what legal basis DKV processes your personal data, for which specific purposes and to whom we transfer those data.
This Privacy Statement also includes a description of your data protection rights, including a right to object to (some of) the processing activities we carry out, and explains how you can exercise them in accordance with the applicable data protection laws. To exercise any of your rights, you can file a request by contacting us via section 12.10. “How can you exercise your rights?”.
2. DKV AND YOUR COOKIES
Please read our Cookie Policy when you use one of our digital solutions, such as our website or our applications My DKV or dkv-corpor@te. This Policy explains what cookies are, which ones DKV uses and how you can change your cookie preferences. Our Cookie Policy can always be found on our website or in the digital solution itself.
3. WHAT IS THE SCOPE OF THIS PRIVACY STATEMENT AND FOR WHOM IS IT INTENDED?
DKV is a company incorporated under the laws of Belgium, whose registered office is located at Loksumstraat 25 Rue de Loxum, 1000 Brussels, Belgium, registered at the Belgian Crossroads Bank for Enterprises with company number 0414.858.607, tel.: +32(0)22876411.
In all the situations described in this Privacy Statement, DKV will process your personal data as controller, meaning that we determine the purposes and means, i.e. the why and the how, of the processing of these personal data.
This Privacy Statement is intended for all prospects, current and former policyholders, insured persons and/or beneficiaries under an insurance contract with DKV, including their proxies and legal representatives, when their personal data are processed by DKV.
Personal data refers to any information about an identified or identifiable natural person. This includes, for example, your name, your picture, your telephone number, your contract number, your email address, your bank account number, etc.
Certain of your personal data, such as your health data, are considered as sensitive personal data and receive special protection (see section 4.2. “Sensitive personal data”).
Processing means any operation or set of operations performed on (sets of) personal data, whether or not by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.
4. WHICH CATEGORIES OF PERSONAL DATA DOES DKV PROCESS?
During our interactions with you, we may collect and process both non-sensitive and sensitive personal data about you depending on the context (for example when you use one of our digital solutions, when you call us, when you complete a needs analysis or a medical questionnaire, when concluding or executing your insurance contract, etc.):
4.1. Non-sensitive personal data
DKV may process your non-sensitive personal data, such as your:
• identification data (e.g. surname, first name, ID card number, date of birth, age, place of birth, gender, nationality, language, picture, policy number, customer number, IP address that you leave behind when you surf on our website (used for cookies), etc.);
• contact data (e.g. address, email address, telephone number, etc.);
• product data (e.g. type of insurance, risk coverage, etc.);
• financial data (e.g. bank account number, price (premium), invoice due date, payments (not) made or (not) received, contract status, etc.);
• household composition (e.g. marital status, number of children, name(s) of child(ren), etc.);
• professional data (e.g. name of the employer, position, etc.);
• data relating to your education (e.g. a certificate of a university you studied at during an exchange abroad, etc.);
• hobbies and interests (e.g. dangerous sports which may imply a risk of injuries);
• data linked to your insurance contracts, communications hereto and complaint files;
• product usage (including your usage of DKV’s digital services and/or Medicard);
• preferences and your potential interests in DKV products (e.g. the proposals that DKV made to you, the website where you clicked on DKV’s advertising – please also read our Cookie Policy);
• image and sound recordings (e.g. images from video surveillance cameras, telephone recordings when you call DKV, etc.);
• survey data (e.g. customer satisfaction survey data); and/or
• profiling data (e.g. payment profile (bad payer), etc.).
4.2. Sensitive personal data
Under the applicable data protection laws, certain data (referred to as “sensitive personal data”) receive special protection. Amongst the latter, DKV only processes health data and, in very limited cases, data relating to criminal convictions and offences.
4.2.1. Health data
Being a health insurer, DKV needs to process your health data relating to your past and/or present health condition for pre-contractual or contractual purposes, including the suitability of your insurance coverages and combatting fraud.
DKV may process your health data, such as your:
• physical data (e.g. weight, height, etc.);
• life habits including your consumption habits, such as alcohol and smoking habits, etc.;
• insurance risk profile;
• past and/or present health condition (including any medical treatment);
• RIZIV/INAMI codes (i.e. the official health care delivery codes, the medical treatments and medicines which you take);
• claims (i.e. your declarations of medical expenses and/or your claims declarations such as a hospitalisation, dental intervention, a long-term care dependency or a disability to work, etc.);
• claims statements (i.e. overview of the claims and/or medical costs with indication of the insurance coverage by DKV);
• medical declarations and reports by the advising doctor of DKV or under his/her supervision.
In principle, DKV will only process your health data on the basis of your explicit consent or if needed for the establishment, exercise or defence of legal claims, in accordance with the applicable data protection laws. If you do not give your explicit consent or you wish to revoke your explicit consent, the conclusion, management and/or proper execution of the insurance contract(s) could be hindered.
Your health data can only be processed by advising doctors of DKV or under their supervision, by the employees of DKV who are charged with one or more tasks related thereto and by a limited number of third parties whose intervention is necessary for the performance of some of these tasks, such as for example the printing and sending of your claims statements, etc. (see section 9 “To whom does DKV disclose personal data?”).
Please note that DKV does not and will not use your health data for direct marketing purposes, nor does DKV allow third parties to do so.
In order to help serve you better, easier and faster, DKV digitises and automates some of the processing of your personal data, including health data, for example to establish the pricing, to determine the conditions of acceptance and the extent of the insurance coverage, etc. (see section 6 “Does DKV process your personal data by automated means?”).
In all cases, DKV takes the necessary measures to protect your (non-)sensitive personal data at all times (see section 11 “How are your personal data protected?”).
In accordance with article 58 of the Act on Insurances of 4 April 2014, genetic data cannot be shared with DKV. Therefore, we ask you and the doctors to not share this data with DKV. In case DKV would however receive any genetic data from you or your doctor, DKV is obliged to store this data, but we will not use it in the conclusion, management nor in the execution of your insurance contract(s) (article 61 of the Act on Insurances of 4 April 2014).
4.2.2. Personal data relating to criminal convictions and offences
DKV processes personal data relating to criminal convictions and offences for the establishment, exercise or defence of legal claims and/or in case of fraud. Such data is processed in very limited cases and only to the extent permitted by law, providing appropriate safeguards for your rights and freedoms.
5. HOW DOES DKV OBTAIN YOUR PERSONAL DATA?
We may collect your personal data directly or indirectly from you:
5.1. Collected directly from you
For example, this is the case when you:
• become our customer (e.g. by completing forms (such as medical questionnaires, claims declarations, etc.) and/or concluding contracts on paper or online, etc.);
• contact us or use our products and services through the various channels made available to you (DKV website, My DKV, DKV App, dkv-corpor@te, dkv-service@home, dkv-mc.be, DKV Contact Center, e-mail address, Medi-Card, etc.);
• visit our websites after you provided your consent to non-functional cookies;
• exceptionally visit our on-site premises (e.g. via the surveillance cameras, at the reception when completing the visitors’ register, etc.);
• subscribe to our newsletters or accept our invitations to events.
5.2. Collected indirectly from you
For example, this is the case when:
• you have specifically authorised third parties or persons to share your personal data with DKV in the context of the conclusion, management and/or execution of the insurance contract(s) (e.g. via your proxies and/or legal representatives, your insurance intermediary, other insurers, lawyers, experts amongst which doctors, if applicable your mutuality, or, with regard to non-sensitive personal data, via your employer who concluded a collective insurance policy for the benefits of its employees, etc.);
• you have an accident or become ill while on holiday abroad (including outside of the European Economic Area), and we need to collect certain of your personal data from our partner in that country;
• we obtain your personal data via supervisory and governmental bodies/authorities (e.g. Financial Services and Markets Authority (FSMA)) and/or sector and consumer associations (e.g. Ombudsman for Insurances, etc.);
• your personal data is publicly available, such as for example:
a publication of your appointment as a company director (Belgian Official Gazette, Crossroad Bank for Enterprises) or the solvency of your business (via Graydon);
your personal data which are common knowledge or have been published in the press; and/or
your own publications on your website, on your blog, and/or on your social media profile(s) for the strict purposes of combatting fraud when executing your insurance contract(s) and/or in the context of litigations.
Please note that DKV only processes the personal data which are relevant and necessary to the collection and processing purposes.
6. DOES DKV PROCESS YOUR PERSONAL DATA BY AUTOMATED MEANS?
In order to help serve you better, easier and faster, DKV digitises and automates some of the processing of your personal data, including health data, for the conclusion, management and/or execution of your insurance contract(s).
If you consent to the processing of your health data, this consent also applies to the processing of this data in the context of automated decision-making (for example to define the pricing, to determine the conditions of acceptance and the extent of the insurance coverage, etc.).
However, please note you have the right to obtain human intervention in relation to automated decision making and profiling, to express your point of view and to contest the decision.
You can withdraw your consent at any time. However, if you withdraw your consent, this could hinder the conclusion, management and/or proper execution of the insurance contract(s).
You can exercise these rights by contacting DKV via section 12.10. “How can you exercise your rights?”.
7. ON WHICH LEGAL BASIS AND FOR WHICH PURPOSES DOES DKV PROCESS YOUR PERSONAL DATA?
DKV collects and processes your personal data only if one of the following legal grounds applies and for the following specified, explicit and legitimate purposes:
7.1. We need to process your non-sensitive personal data for the conclusion, management and/or execution of your insurance contract(s)
In the context of the conclusion, management and/or execution of the insurance contract(s) under which you are a policyholder, insured person or a beneficiary, DKV and, to a certain extent, insurance intermediaries process your non-sensitive personal data for the following purposes:
• issue and execution of the insurance contract(s), including risk assessment and assessment of eligibility;
• fulfilment of pre-contractual (including your needs analysis in line with the Insurance Distribution Directive (IDD) and AssurMiFID) and contractual obligations and obligations deriving from the insurance relationship with you, including:
management of the contractual relationship;
provision of customer service (e.g. responding to your calls and emails);
processing calls, including recording, in the context of the conclusion, management and/or execution of the insurance contract(s);
issue, collection and verification of invoices and premiums;
management and settlement of claims and disbursements;
management of the complaints and the litigations;
training of our staff in the day-to-day performance of our (pre)contractual obligations towards you (e.g. how to use the applications in order to fulfil (pre)contractual obligations, etc.);
recovery from third parties responsible for a claim; and/or
communication with DKV staff relating to the conclusion, management and/or execution of the insurance contract(s);
• re-distribution of risk through co-insurance, reinsurance, collective insurance and/or assistance insurance and/or assistance services; and/or
• handling of specific requests you may have, including the provision of a coverage related or ancillary to the insurance contract.
To the extent that you communicate your health data in the pre-contractual or contractual relationship with us, we need to obtain your explicit consent as per below section 7.2.2.
7.2. You have given your consent to the processing of your personal data
7.2.1. You have given your consent to the processing of your non-sensitive personal data
DKV may, based on your consent, either directly or through insurance intermediaries, process your non-sensitive personal data with a view to, for example, following up on a simulation that you left incomplete via our online subscription on www.dkv.be.
You can withdraw your consent at any time via section 12.6. (“Right to withdraw consent”).
7.2.2. You have given your explicit consent to the processing of your health data
As a health insurer, DKV needs your explicit consent in order to process your health data relating to your past and/or present health condition for pre-contractual or contractual purposes including the suitability of your insurance coverages and combatting fraud. DKV will only process your health data for the purposes for which you explicitly consented.
More specifically:
• prior to the conclusion of the insurance contract(s), DKV processes, depending on the product, certain of your health data for purposes of:
establishing appropriate pricing and cost management; and
assessing risks and eligibility for the conclusion of the insurance contract by evaluating you as a (prospective) customer, based on your past and existing health data (including medical questionnaires and medical reports);
• during the execution of the insurance contract(s), DKV needs to process your health data for the majority of the purposes provided in section 7.1. above, as well as for purposes of the management, processing and execution of your claims (e.g. in case you were hospitalised, if you need a reimbursement for dental or ambulatory expenses, etc.).
DKV also needs your explicit consent in order to be able to transfer (i.e. provide electronic access to) your claims statements from your individual policy(ies) to your broker.
If you do not give your explicit consent or you wish to withdraw your explicit consent, the conclusion, management and/or proper execution of the insurance contract(s) could be hindered.
7.3. We may need to process your personal data for the establishment, exercise or defence of legal proceedings
DKV may need to process your personal data, including your health data and/or personal data relating to criminal convictions and offences, for the establishment, exercise or defence of possible legal claims or for the management of our own litigations respectively. DKV shall hereby comply with the applicable data protection laws.
7.4. We need to process your personal data in order to comply with a legal obligation to which DKV is subject
DKV may also process your personal data (and to the extent necessary your health data) for reasons of compliance with numerous legal obligations to which DKV, as an insurer or insurance product distributor, is subject, such as legislation or obligations governing:
• insurance companies, solvency II and market stability, as covered by the Act of 13 March 2016 on the Statute and the Supervision of insurance and reinsurance companies, Circulars of the National Bank of Belgium, etc.;
• insurance policies and the distribution thereof, such as the Insurance Act of 4 April 2014, Insurance Distribution Directive (IDD), AssurMiFID etc.;
• social security and social protection;
• taxes or accounting;
• the prevention of terrorism and market abuse;
• investor and consumer protection;
• data protection;
• the security of our visitors via surveillance cameras in our offices, in accordance with the law of 21 March 2007 regulating the installation and use of surveillance cameras;
• etc.
In addition, DKV may also be subject to the requirement to respond to:
• questions from Government or Supervisory Authorities such as the Data Protection Authority, the Financial Services and Markets Authority (FSMA) or the National Bank of Belgium (NBB), Sector or Consumer Organisations such as the Ombudsman for Insurances, etc.;
• its external auditor; and/or
• judicial enquiries, Court orders and Court proceedings in general (whether civil or criminal).
7.5. We need to process your non-sensitive personal data to pursue DKV’s legitimate interests to be able to function as a business
DKV processes your non-sensitive personal data to conduct administrative tasks which are indirectly linked to the conclusion, management and/or execution of insurance contract(s) with you. When doing so, DKV uses your non-sensitive personal data which is, whenever possible, anonymised or pseudonymised and in all cases minimised to what is necessary for the processing purposes they serve. DKV also ensures that this processing is necessary to achieve the purpose(s) and that our interests are balanced against your interests and the respect of your privacy, via a legitimate interests assessment.
You can ask for more information on these legitimate interests assessments by contacting us (see section 14 “How to contact DKV?”). You may also exercise your right to object to this processing of personal data (see section 12.5. “Right to object to processing”).
More precisely, DKV processes your non-sensitive personal data on the basis of its legitimate interests in the following situations:
7.5.1. Carrying out governance tasks and controls of DKV, ensuring security and preventing fraud
DKV may process your non-sensitive personal data in order to carry out governance tasks and controls of the company, to ensure security and to prevent fraud, consisting of:
• compliance with applicable regulatory requirements and guidelines, standards and codes of conduct;
• administration, management and oversight of our organisation (e.g. conducted by the legal department for governance tasks, legal risks, dispute resolution and litigations, by the risk management department, the complaints management department, the compliance department, the internal audit department, etc.);
• re-distribution of risk through (co-)insurance and/or reinsurance;
• monitoring our activities and the administrative knowledge of the various (legal) persons with whom DKV maintains contacts, making it possible to identify the files, intermediaries and other persons involved, if necessary;
• the protection of DKV's customers, employees, business, assets and shareholders;
• general physical security purposes;
• communications (for example e-mail exchanges) and call recordings for purposes of proof, fraud prevention and detection;
• general security operations and control of DKV’s computer networks and systems, including our application landscape (e.g. when investigating or solving incidents or access issues at customer level on systems or applications);
• preventing, detecting and investigating late payments, crimes, abuse and fraud. As such we may detect that you are in arrears with the payment of your premium, that you are part of a collective debt repayment scheme, that you are involved in a fraud case, that you are providing your cooperation to terrorism, weapons or human trafficking, etc. Such signals may lead to not granting a contract or insurance coverage to you or even that DKV decides to terminate your insurance contract.
These processing activities are pursued in our legitimate interest, which consists of safeguarding the operations of DKV in the light of the governance of the company and the prudential supervision to which an insurance company is subject. We may hereby receive non-sensitive personal data from you through internal, external or public sources.
7.5.2. Monitoring and reporting
DKV conducts studies, creates models and generates statistics for regulatory reporting, risk analysis or for profitability monitoring. We do this for both:
• external reporting purposes in accordance with various general financial and insurance law regulations to which we are subject (e.g. NBB, BE GAAP, IFRS 17) or to share statistical data (not including personal data) on insurance with the sector organisation Assuralia, etc.; and
• internal reporting purposes to comply with policies and guidelines set out by Munich Re and ERGO Group to which we belong, to allow them to assess the overall and financial risks in order to guarantee the viability and continuity of the Group.
These processing activities are pursued in our legitimate interest in the light of the prudential supervision (to have a healthy and financially viable business on the long term) to which DKV is subject.
7.5.3. Commercial modelling and profiling
DKV may process your non-sensitive personal data for purposes of commercial modelling and profiling, consisting of:
• conducting studies, creating models and generating statistics for strategy and commercial purposes such as developing new products and services, personalised pricing and our positioning on the market; and
• building customer profiles and predictive models via insights gained from analytical models in order to respond effectively to customer and prospect needs.
These processing activities are pursued in our legitimate interest, which consists of improving and developing our products and services and planning our strategy and growth.
7.5.4. Maintaining, improving and developing (the quality of) DKV products and services and enhancing customer experience
DKV may process your non-sensitive personal data for purposes of maintaining, improving and developing (the quality of) DKV products and services and enhancing customer experience, consisting of:
• monitoring, reviewing, evaluating, simplifying, optimising, testing and/or automating our:
internal processes and systems to make back-office operations more efficient;
digital channels for improving your user experience (e.g. fixing bugs on our websites and mobile applications, etc.);
distribution channels (in particular the broker and agent network); and/or
products, services, systems and processes in order to ensure their continuous improvement;
• monitoring the quality of our services (e.g. through conducting customer satisfaction surveys or by means of telephone communication records of the DKV Contact Centre, etc.); and/or
• managing third party relationships (e.g. vendors, suppliers, business partners).
These regular processing activities are pursued in our legitimate interest, which consists of acting and providing services in the interest of our customers, as imposed by regulations such as e.g. the Insurance Distribution Directive (IDD) and AssurMiFID, and, more generally, for maintaining and improving our services to you.
7.5.5. Direct marketing concerning services and products of DKV
Please note that DKV does not and will not use your sensitive personal data (such as your health data and personal data relating to criminal convictions and offences) for direct marketing purposes.
Direct marketing is carried out by different communication means (such as postal mail, e-mail, phone and any other form of electronic communication) by DKV itself or by insurance intermediaries, in accordance with the applicable legislation in this regard.
DKV may, based on its legitimate interests, either directly or through insurance intermediaries, process your non-sensitive personal data with a view to:
• examining and optimising the DKV products and services you currently have, which includes:
informing you about new insurance products;
offering you other products or services of DKV that may be better suited to your needs;
suggesting a range of derivative or complementary products and services of DKV that may be of interest to you;
• informing you of your statutory right pursuant to Article 208 and following of the Insurance Act of 4 April 2014 which allows you to continue your coverage individually in case you lose your coverage under a collective insurance policy;
• improving our services through a better understanding of your expectations and your experiences with our products and services.
The aforementioned direct marketing activities are pursued in our legitimate interest, which consists of informing our existing customers about the DKV products and services.
You can always object to the processing of your non-sensitive personal data by DKV for direct marketing purposes via section 12.5. “Right to object to processing”.
To propose DKV products and services to you, we may also process your non-sensitive personal data via marketing cookies based on your consent. We recommend that you read the DKV Cookie Policy when you use one of our digital solutions, available here.
8. WHICH RULES APPLY TO MINORS AND THOSE WHO ARE LEGALLY INCAPACITATED?
We, in principle, only process personal data of anyone under the age of 18 or of those who are legally incapacitated after we receive the consent of the holder of parental or legal responsibility over the minor and/or the legally incapacitated person. The latter will be the legal representative of the minor or legally incapacitated person for all aspects related to the conclusion, management and/or execution of the insurance contract(s) as well as all privacy-related aspects in that regard.
As such, consent for the processing of personal data, including health data, on behalf of the child or the legally incapacitated person, can only be given by the holder of parental or legal responsibility.
When a minor reaches the age of 18 or DKV is informed that a person is no longer legally incapacitated, we will inform the concerned person of any consent we received from the holder of parental or legal responsibility and of the rights the concerned person has under the GDPR.
9. TO WHOM DOES DKV DISCLOSE PERSONAL DATA?
Within the framework of our activities as an insurer, DKV may, depending on the situation, disclose your personal data to recipients:
• if necessary for the conclusion, management and/or execution of your insurance contract(s) (see section 7.1.);
• if you have given your (explicit) consent (see section 7.2.);
• if necessary for the establishment, exercise or defence of legal proceedings (see section 7.3.);
• if necessary for compliance with a legal obligation (see section 7.4.); or
• if necessary for DKV’s legitimate interests (see section 7.5.).
Insofar as strictly necessary for the purposes listed under section 7 “On which legal basis and for which purposes does DKV process your personal data?”, DKV discloses data to recipients, such as:
• insurance intermediaries. DKV has a distribution network composed of independent insurance brokers and tied agents for purposes of assistance in proposing, concluding and/or executing insurance contracts;
• insurance and reinsurance companies, for purposes of co-insurance, reinsurance, collective insurance, assistance insurance and/or assistance services and/or recovery of expenses;
• services and healthcare providers, for purposes of allowing DKV to provide, develop, monitor and improve its services to you (including for the management, processing and execution of your claims), such as for example:
claims settlement offices;
medical experts or doctors or technical advisors intervening in the context of contract or claims management;
private investigators for possible crimes or fraud investigations;
IT service providers;
marketing and communication agencies in view of executing our marketing campaigns (which will never involve your health data);
in exceptional cases, translators and translation offices;
external consultants to provide support to DKV for certain activities;
in exceptional cases, the administrator of the building housing DKV's offices to inform about your visit (reception);
debt-collection agencies (late premium payment); and/or
companies responsible for document management (i.e. postal services, data entry, scanning, paper and electronic archiving, digitization, printing, mailing, etc.);
• Group companies to which DKV belongs i.e. ERGO and Munich Re Group companies, for purposes of monitoring, reporting and reinsurance;
• public entities, for purposes of compliance with legal and regulatory obligations DKV is subject to and/or for the establishment, exercise or defence of legal claims;
• the Ombudsman for Insurances, consumers’ organisations and legal assistance insurers, for the purpose of complaints handling;
• if applicable, your mutuality; and/or
• certain regulated professions such as lawyers, notaries or auditors, for the purposes of contract or claims management, and/or for the establishment, exercise or defence of legal claims, etc.
Your personal data is mainly processed in the European Economic Area. However, in the framework of the provisioning of certain services, DKV may transfer some of your personal data to a limited number of recipients located in countries outside the European Economic Area. For example, if you have an accident or illness while on holiday in a country outside the European Economic Area, we need to exchange some of your personal data with our partner in the concerned country.
In this case, DKV will take the appropriate and necessary measures to safeguard your personal data, for example by entering into Standard Contractual Clauses, including taking supplementary measures (technical, organisational and/or contractual) if required in order to ensure a level of protection which is essentially equivalent to the level of protection existing in the European Economic Area.
Please note that DKV only transfers your personal data subject to the necessary technical, organisational and contractual guarantees, in accordance with the applicable data protection laws.
10. HOW LONG DOES DKV KEEP YOUR PERSONAL DATA?
DKV does not retain your personal data longer than is necessary for the purposes for which it was collected and is processed.
However, DKV must respect certain legal retention or prescription periods.
For example, the following retention periods could be applicable to the retention of your personal data:
• the Insurance Act of 4 April 2014 specifies that (pre-)contractual documents relating to insurance contracts should be retained for a certain period of time, also after termination of the insurance contract;
• even if no contract is concluded, DKV is still required to keep a record of all exercised insurance distribution acts (pre-contractual documents) for a certain period of time in accordance with the Insurance Act of 4 April 2014;
• for tax and accounting data, the laws stipulate that such data must be retained for a period of seven years as of 1 January of the year after the closing of the financial year;
• telephone recordings for purposes of monitoring the quality of the services of DKV are used for a period of one month as from the day of their recording. However, DKV retains the recordings longer for evidential purposes (for example in the context of complaints management, litigation and/or fraud) and to fulfil statutory compliance requirements. You can always request a copy of this recording by contacting DKV (see section 14 “How to contact DKV?”);
• DKV generally keeps images recorded by security cameras in and around DKV premises (identified with a sticker) for one month as of the date of the recording, as defined by law.
The retention periods can become longer in case of a suspension or interruption of those periods due to, for example, an Ombudsman complaint, an official notice of default by a lawyer, a writ of summons, etc. In such cases, the personal data will be retained as long as necessary for reasons of the establishment, exercise or defence of possible legal claims, notably taking into account the applicable legislation.
11. HOW ARE YOUR PERSONAL DATA PROTECTED?
DKV has appointed a Data Protection Officer, who is in charge of overseeing all actions in the field of personal data protection, and an Information Security Officer, who is in charge of overseeing all actions in the field of information security.
We implement appropriate technical and organisational measures in order to ensure an appropriate level of security of your personal data, including but not limited to physical and IT systems access controls (limited on a need-to-know basis), confidentiality commitments of all DKV employees and contractors, encrypted e-mails, etc.
Any transfer of personal data is also subject to the necessary technical, organisational and contractual guarantees in accordance with the data protection laws. For example, with our processors, the contractual safeguards include amongst others that they have to keep the personal data secure and confidential and may only process them for the purposes and means defined by DKV. DKV also reserves the right to carry out audits on its processors to verify their compliance with the contractual and regulatory rules in force. The processors must ensure that DKV agrees to any potential sub-processing and that the same contractual obligations are applied by their own sub-processors.
For sensitive personal data, additional measures are taken:
• For health data, additional access controls are performed and the access to medical declarations and reports is limited to the advisory doctors and certain employees (limited on a need-to-know basis), who act under the supervision of the advisory doctors. Persons who are authorised to consult your health data are bound by a strict confidentiality obligation and must abide by all technical instructions to ensure the confidentiality of your health data and the security of the systems in which the data is held.
• For personal data relating to criminal convictions and offences, access is limited to the Legal and Compliance Department of DKV and/or lawyers representing DKV.
DKV follows the ISO/IEC 27001 Standard (hereafter called the ‘27001 Standard’) in establishing an Information Security Management System (ISMS) and implementing security controls across all security domains of this 27001 Standard.
In the event personal data is compromised as a result of a personal data breach, DKV will make the notifications required under the GDPR.
How can you help us to protect your data? By updating your personal data as much as possible via e.g. our digital channels (MyDKV, DKV App).
12. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM?
In accordance with data protection laws, you benefit from a set of rights when DKV processes your personal data. In principle, you can exercise these rights free of charge, subject to statutory exceptions. These rights may be limited, for example if fulfilling your request would reveal personal data about another person, if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping or if they are subject to some statutory exceptions.
12.1. Right to access your data
You are entitled to find out at any time whether or not DKV processes your personal data, and if we do process it, to have access to this data. You can view some of the data directly yourself, for example by using MyDKV. You may also receive additional information about:
• the purposes of the data processing by DKV;
• the categories of personal data involved;
• the (categories of) recipients they are disclosed to (among which, recipients in third countries);
• if possible, the retention period or, if that is not possible, the criteria to determine this period;
• if appropriate, information on the rights you can exercise: rectification, erasure, restriction, objection, to lodge a complaint with a supervisory authority (see below);
• the information that we have at our disposal about the source of the data if we do not collect the data from you;
• the existence of automated decision-making, including profiling, and, at least in these cases, information about the underlying logic involved, as well as the significance and the consequences of such processing for you. In case such automated decision-making (including profiling) is carried out by DKV, see also section 12.8. “Rights related to automated individual decision-making (including profiling)”.
You are entitled to receive a free copy of the data being processed. DKV can request a reasonable payment for covering its administrative costs for any additional copy that you request. Please note that this right to obtain a copy also cannot adversely affect the rights and freedoms of others.
12.2. Right to rectify your data
You are entitled to have incomplete, incorrect, inappropriate or out-of-date personal data corrected.
To keep your data up-to-date, we request that you notify us of any change whatever the circumstances, such as a change in your marital status or family situation, address change, change of e-mail address or bank account number. Please note that most of these data can also directly be updated by you in MyDKV, via your insurance intermediary or via the contact forms available on our websites.
12.3. Right to erasure (or right to be forgotten)
You have the right to have your personal data processed by DKV erased in certain specific cases. This is the case if:
• they are no longer needed for the purposes for which the personal data were initially collected or were otherwise processed by DKV;
• you withdraw your consent and DKV does not have any other legal basis for the processing of your data;
• you object to the processing of your data and DKV does not have any compelling legitimate grounds that outweigh yours, or you object to the processing of your data for direct marketing purposes;
• you consider that the processing is unlawful and insofar as this is indeed the case;
• your personal data have to be erased due to a legal obligation to which DKV is subject; or
• your consent was given by a person holding the parental or legal responsibility when you were still a minor or legally incapacitated and you now want to withdraw it.
We must remind you that we are not always able or entitled to erase all your personal data as requested by you, since data protection laws provide for certain exceptions. We will inform you in more detail whether or not we are able to erase your data in our response to your request.
12.4. Right to restriction of processing
Under certain circumstances, you may obtain from us the restriction of the processing of your personal data. This is the case when:
• you contest the accuracy of your personal data: its use is restricted for the time that DKV can verify the accuracy of the data;
• the processing of your personal data is unlawful: rather than erasing your data, you request its use to be restricted;
• DKV no longer requires your personal data for its processing purposes, but you still need it for establishing, exercising or defending a legal claim: rather than erasing your data, its use is restricted to the establishment, exercise or defence of a legal claim; or
• you object to the processing of your personal data: the use of your personal data is restricted while DKV verifies whether our legitimate interests outweigh your interests, rights and freedoms.
Please note that when DKV restricts the processing of your personal data, this restriction will not apply to the storage of your data.
Once restricted, we will only be able to process your personal data:
• if you provide your consent;
• for the establishment, exercise or defence of legal claims;
• for the protection of the rights of another natural or legal person; or
• for reasons of important public interest.
12.5. Right to object to processing
You have the right to object at any time to the processing of your personal data for the purpose of direct marketing. This also includes your right to object to profiling, insofar as this is related to direct marketing. In order to object to direct marketing, you can click on the unsubscribe link in the marketing e-mails you might receive or contact us via section 12.10. “How can you exercise your rights?” below. Please note that DKV does not process your health data for direct marketing purposes.
You also have the right to object to the processing of your personal data which is based on our legitimate interests (see section 7.5. “We need to process your non-sensitive personal data to pursue DKV’s legitimate interests to be able to function as a business”) or on the public interest, at any time and for reasons relating to your specific situation. In that case, DKV will discontinue the processing of your personal data unless we can demonstrate compelling legitimate grounds for processing it, which override your interests, rights and freedoms (e.g. we process your personal data with a view to combating fraud) or if the processing of your personal data is associated with the establishment, exercise or defence of a legal claim (e.g. submitting an appeal to a court of justice).
Finally, when DKV processes your personal data for statistical purposes, you also have the right to object to this processing for reasons relating to your specific situation. Unless the processing would be necessary for the performance of a task carried out for reasons of public interest, DKV will no longer process your personal data for statistical purposes.
12.6. Right to withdraw consent
Whenever DKV relies on your consent, you have the right to withdraw that consent at any time. However, please note that the withdrawal of your consent does not affect the lawfulness of the collection and processing based on your consent prior to its withdrawal. This means that your consent remains valid to justify the processing of your data by DKV before your withdrawal.
When you reach the age of 18 years old or if you are no longer legally incapacitated, you also have the right to withdraw the consent which was eventually given by the holder of your parental or legal responsibility when you were still a child or legally incapacitated.
You can withdraw your consent via section 12.10. “How can you exercise your rights?” below.
DKV may have other legal grounds for processing your data for other purposes, such as those set out in this Privacy Statement.
In addition, please consider that if you withdraw your consent for the processing of your health data necessary for the conclusion, management and/or execution of the insurance contract(s), such conclusion, management and/or execution could be hindered.
12.7. Right to data portability
You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit those data (or have them transmitted directly by DKV, if technically feasible) to another controller if:
• the processing by DKV is based on your consent or on the execution of a contract to which you are party; and
• to the extent that the respective data processing is done in an automated way.
In all other cases, you may not enjoy this right (for example, if the processing of your data is based upon a legal obligation).
This right cannot adversely affect the rights and freedoms of others.
12.8. Rights related to automated individual decision-making (including profiling)
As indicated in section 6 “Does DKV process your personal data by automated means?” of this Privacy Statement on automated decision-making, certain personal data processing operations, including through our digital channels, may be automated to facilitate individual decision-making or to respond to certain insurance queries more quickly. Such processing activities may produce legal effects concerning you (for example to define the pricing, to determine the conditions of acceptance and the extent of the insurance coverage, etc.).
In any event, such automated individual decision is:
• necessary for the conclusion, management or execution of a contract between you and DKV;
• based on your explicit consent; or
• legally permitted.
You always have at least the right to obtain the intervention of one of our employees, the right to communicate your point of view and the right to contest the decision taken in this way – except where the automated individual decision is legally permitted.
12.9. Right to lodge a complaint with a Supervisory Authority
Although we encourage you to contact DKV in the first instance, in case you consider that DKV’s processing of your personal data infringes the data protection laws, you have the right to lodge a complaint with the Supervisory Authority in the Member State of your habitual residence, of your place of work or of the place of the alleged infringement. For the Belgian Data Protection Authority, you can lodge your complaint via www.dataprotectionauthority.be or via post at Rue de la Presse 35, 1000 Brussels.
12.10. How can you exercise your rights?
To exercise any of your rights, you can file a dated and signed request, with a copy of the front of your identity card to enable DKV to verify your identity and to avoid anyone else exercising the rights on your personal data:
• by email to privacy@dkv.be; or
• by post to DKV Belgium NV/SA, Data Protection Officer, Loksumstraat 25, Rue de Loxum, 1000 Brussels, Belgium.
DKV will provide you with information on actions taken as soon as possible and in any event within one month of receipt of your request. We advise you to always be as specific as possible in your request to exercise your rights, so that DKV can handle your request appropriately. The contact methods mentioned above are also your first resort for all enquiries regarding data protection.
In case you would have a complaint concerning the exercise of your rights, you can contact DKV here.
13. WHAT HAPPENS WHEN DKV MODIFIES THIS PRIVACY STATEMENT?
DKV reserves the right to modify and update this Privacy Statement whenever needed. The latest version of this Privacy Statement can always be found at www.dkv.be/privacy.
You will be informed that the DKV Privacy Statement has been updated via a banner on our digital channels (for example our website) and via a note on all our normal correspondence.
14. HOW TO CONTACT DKV?
DKV is a company incorporated under the laws of Belgium, whose registered office is located at Loksumstraat 25 Rue de Loxum, 1000 Brussels, Belgium, registered at the Belgian Crossroads Bank for Enterprises with company number 0414.858.607, tel.: +32(0)22876411.
If you have any questions, comments, remarks, requests or complaints regarding this Privacy Statement or the processing of your personal data by DKV, please contact the Data Protection Officer of DKV, either:
• by post at the following address: DKV Belgium NV/SA, Data Protection Officer, Loksumstraat 25, Rue de Loxum, 1000 Brussels, Belgium; or
• by e-mail at the following address: privacy@dkv.be.