Personal Data Protection Policy

This Policy sets forth the principles and guidelines for the protection of personal data, hereinafter referred to as “DACP,” and for safeguarding the rights of data subjects with respect to the processing activities carried out by Verspieren Credit & Finance.

 

The purpose of this policy is to inform you about how personal data is collected, processed, and used, as well as the rights you have regarding such data in connection with your use of websites, extranets, and online platforms, and the purchase and management of insurance contracts designed, distributed, and/or managed by Verspieren Credit & Finance.

 

The terms “personal data” and “personal data processing” are defined in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, hereinafter referred to as the GDPR: Personal data means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to that person, hereinafter referred to as the “data subject.”

 

This Policy applies to all DACP processed by Verspieren Credit & Finance, regardless of how they are collected or processed.

 

 

In this context, the policy on the processing of personal data places the following principles at the heart of its commitments:

 

A legal basis: The collection and processing of personal data are lawful and are based on a legal basis determined according to the intended purpose and the context in which the processing takes place.

Data relevance: The collection and processing of data are appropriate, relevant, and not excessive in relation to the purposes for which they are collected.

Retention period: The retention period for your data is determined based on the purposes of each processing activity and any related legal obligations.

Security and Confidentiality: Committed to protecting and securing your data, Verspieren Credit & Finance takes all necessary measures to ensure the confidentiality of this data and to prevent any unauthorized access, loss, or damage to it, as well as its disclosure to unauthorized persons. These measures are determined based on the risks associated with each data processing operation (data sensitivity, purpose of processing, etc.).

Transparency: Verspieren Credit & Finance demonstrates transparency by informing data subjects, at the time their personal data is collected, about how Verspieren uses that data and whether it may be shared with third parties.

Respect for Your Rights: Committed to respecting the rights of data subjects, Verspieren Credit & Finance informs them of the purpose for which their data will be processed. In addition, they are informed of how to exercise the rights available to them under applicable regulations: the right to access, correct, or delete their data, and the right to object to its collection on legitimate grounds.

 

Scope of the Policy

Personal data is collected and processed by Verspieren Credit & Finance in its capacity as the data controller.

As part of its business activities, Verspieren Credit & Finance processes personal data, both on its own behalf and on behalf of other entities.

Verspieren Credit & Finance may also act as a joint controller, a processor, or even a subprocessor on behalf of other data controllers with whom Verspieren has entered into a contractual agreement.

 

Individuals Affected by the Processing

Verspieren Credit & Finance, acting as a data controller or as a data processor—whether a subsequent processor or not—may process DACP data pertaining to the following categories of individuals:

  • visitors and users of websites and extranets;
  • potential individual customers;
  • employees and executives of potential corporate clients;
  • individual customers;
  • employees and executives of corporate clients;
  • individual beneficiaries of clients who are individuals or legal entities;
  • business partners who are individuals;
  • employees and executives of business partners that are legal entities;
  • suppliers and subcontractors who are individuals;
  • employees and executives of suppliers and subcontractors who are individuals;
  • employees and individual executives of Verspieren Credit & Finance;
  • any third party identified by means of a document in a regulated format addressed to Verspieren Credit & Finance;
  • job applicants.

 

Specific Categories of Data Subjects

Whenever the consent of a minor under the age of sixteen is required for a purpose related to the direct provision of services offered by Verspieren Credit & Finance, such consent will be obtained from the minor’s legal representative who holds parental authority.

 

Similarly, Verspieren Credit & Finance will seek the consent of the legal representative of the adult under guardianship.

 

In accordance with regulations, Verspieren Credit & Finance informs minors over the age of fifteen of their right to object to those with parental authority exercising rights on their behalf regarding the processing of DACP data.

 

Personal Data Processed

The following list specifies the types of personal data of the individuals concerned that may be processed, in particular, in the course of Verspieren Credit & Finance’s activities.

 

Personal data is collected directly by Verspieren Credit & Finance when individuals provide such information through contact forms, questionnaires, and other fields made available to them when using the website’s services (recruitment, quote requests, extranets, etc.) or through a registration or subscription form for one of our services and/or products.

 

DACP may also be collected indirectly while browsing the website (e.g., cookies), or by other companies within the Verspieren Group, or may be transmitted by insurers, corporate clients, or our broker partners in connection with the performance of insurance contracts and for the purposes of using personalized extranet services, or by recruitment firms as part of a recruitment process.

 

Verspieren Credit & Finance is committed to collecting only the data that is strictly necessary.

 

As part of the data collection process, the following data is processed:

  • personal identification data (last name, first name, addresses, ID card number, passport number, phone number, and other contact information such as email address and phone number);
  • data related to contract management (customer ID number, insured person ID number, contract number, claim file number, term, amounts, direct debit authorization, payment method information, or transaction-related data such as transaction number, details of the transaction related to the purchased product or service, Social Security number, driver’s license number);
  • data regarding family status, including information on marital status (marriage, civil partnership, common-law marriage), household composition (number of people in the household, ages), legal capacity, and the legal protection regime (minority, guardianship, curatorship);
  • data regarding economic, asset, and financial status (including earned income, movable and immovable property, tax information, bank account numbers (RIB/IBAN), and the composition of the tax household);
  • data regarding employment status;
  • the data necessary to assess the risk;
  • data related to the determination or assessment of damages and benefits;
  • geolocation data for individuals or property related to the insured risks or the services offered;
  • data regarding lifestyle habits and the use of property in connection with the insured risks or the services offered;
  • connection and tracking data (IP and/or MAC addresses, cookies, trackers, logins to the customer portal);
  • offense data used in connection with authorized processing operations;
  • where applicable, information regarding offenses, criminal convictions, and security measures concerning insured persons, interested parties, or parties to a contract;
  • data related to the management of the business relationship (data related to the organization of promotional campaigns, customer loyalty initiatives, prospecting, research, surveys, and satisfaction surveys; data related to individuals’ contributions, comments, reasons for requesting contact, etc.);
  • data related to the selection of candidates (degrees, work history, desired position, etc.);
  • data resulting from your interactions with Verspieren Credit & Finance (e.g., our websites, phone calls, correspondence, requests for information and documents, and our social media pages);
  • the data needed to combat insurance fraud, money laundering, and terrorist financing.

Verspieren Credit & Finance wishes to inform the individuals concerned that it does not process any data relating to racial origin, political opinions, philosophical beliefs, trade union membership, genetic data, or sexual orientation.

 

Purposes of Data Processing and Applicable Legal Bases

Verspieren Credit & Finance will process your data in accordance with the purposes and legal bases set forth below:

1 – Compliance with the legal and regulatory obligations to which Verspieren Credit & Finance is subject:

  • the fulfillment of the duty to advise;
  • prevention of insurance fraud;
  • the fight against money laundering and terrorist financing;
  • the fight against tax evasion, the conduct of tax audits, and reporting requirements;
  • monitoring and reporting of risks that Verspieren Credit & Finance may face;
  • responses to official requests from a duly authorized public or judicial authority.

2 – To perform a contract with you or to take steps, at your request, prior to entering into a contract, including:

  • assess risk characteristics to determine pricing;
  • handle complaints;
  • fulfill the contract's guarantees;
  • provide information about the contracts you have entered into;
  • respond to your requests;
  • determine whether we can offer you a contract and, if so, under what terms.

3 – The pursuit of legitimate interests, which may include:

  • analyzing your habits and preferences regarding the use of the various communication channels we provide (emails or messages, visits to our websites, etc.);
  • commercial management of customers and prospects, including communication and customer loyalty initiatives, assessing customer satisfaction, and compiling sales statistics;
  • business purposes (assessing your satisfaction, marketing);
  • the implementation of preventive measures;
  • conducting research and development activities, particularly with the aim of improving all products and services offered by Verspieren Credit & Finance;
  • the defense of its interests at the administrative and judicial levels;
  • the pursuit of the corporate purpose of the company and its subsidiaries;
  • recruiting people to meet the needs of its business.

4 – Respecting Your Choice: Verspieren Credit & Finance obtains consent for certain specific processing activities.

In certain cases, Verspieren Credit & Finance may ask for your consent to process your personal data—particularly if Verspieren Credit & Finance engages in further processing or for purposes other than those set forth in this Policy (e.g., management of browsing data).

 

Retention Periods

The data of the individuals concerned is retained for the purposes indicated above and set forth below, in accordance with applicable legal requirements, particularly in civil, tax, commercial, and criminal matters.

The retention of data for evidentiary purposes involves interim archiving, access to which is strictly limited. At the end of the applicable statute of limitations, the data will be destroyed or irreversibly anonymized so that the individuals concerned can no longer be identified by any means.

Purpose, relevant data, and duration:

Recruitment Management

  • Data collected as part of the recruitment process: 2 years since the last contact

Contract Award, Management, and Execution

  • Information provided at the time of application and during the term of an insurance contract: For the duration necessary to fulfill the contract; Retention for evidentiary purposes for the period specified by the applicable legal provisions
  • Policyholders' Bank Account Information: Time Required to Perform the Contract
  • Credit Card Information: 15 months on probation in accordance with applicable legal provisions
  • NIR and RNIPP Data: Contract Term; Archiving for evidentiary purposes in accordance with legal provisions
  • Accounting documents and supporting documents: 10 years – Article L.123-22 of the Commercial Code
  • Documents with respect to which the tax authorities may exercise their rights of access, investigation, and audit: 6 years (Article L.102 B of the Book of Tax Procedures); in certain cases, 10 years
  • Documents and information relating to customers and their transactions, as part of efforts to combat money laundering and terrorist financing: 5 years (Article L.561-12 of the Monetary and Financial Code)
  • Statute of limitations for insurance benefits: Any service, 2 years; Incapacity / Disability, 5 years / 10 years if paid to the Treasury; Death Benefit, 30 years; Repetition of the undue payment, 5 years; Premium or Contribution Notice, 10 years

In the absence of a contract and in connection with quotes and/or requests for information

  • Health Data: 2 years in the active archive; 3 years in interim storage for evidentiary purposes
  • Other documents, such as estimates, business impact analyses, and information sheets: 1 year if no contract is in place

Customer Management

  • Data collected in connection with business dealings with Verspieren Credit & Finance: 3 years from the end of the business relationship if you purchased an insurance policy through Verspieren Credit & Finance

Lead Management

  • Data collected in connection with business dealings with Verspieren Credit & Finance: 3 years from the date of collection by Verspieren Credit & Finance or from the date of your last contact with us, if no contract was entered into

Processing of data relating to offenses, convictions, or security measures in connection with the execution of contracts and the management of litigation

  • Data on offenses, criminal convictions, or security measures: Term of the contractual relationship; Retention in accordance with the time periods set forth in Articles L.114-1 et seq. of the Insurance Code, Article L.932-13 of the Social Security Code, and the provisions of the Civil Code relating to the statute of limitations

Rights Management

  • Proof of Identity: If the right of access, rectification, or portability is exercised, any identification documents that may have been collected may be retained for 1 year; If the right to object is exercised, this data may be retained for 3 years from the date the right to object is exercised

Combating Insurance Fraud

  • Data from "irrelevant" alerts and/or Data from alerts that have not been classified: 6 months from the date the alert was issued
  • Relevant alert data: 5 years from the closure of the fraud case
  • Data in connection with legal proceedings initiated following a report: Until the conclusion of the legal proceedings; Retention for the applicable statute of limitations period
  • Data included in the list of suspected fraudsters: 5 years from the date of inclusion on this list
  • Data and documents relating to the identity of regular or occasional insured individuals and, where applicable, the actual beneficiaries: 5 years from the date the account is closed or the business relationship ends

Combating Money Laundering and Terrorist Financing

  • Documents and information relating to customers and the transactions they conduct in the context of the fight against money laundering and terrorist financing (documents recording the characteristics of the transactions referred to in Article L 561-10-2 of the Monetary and Financial Code): 5 years from the date of their execution

Tracking cookies

  • Placing cookies on your device: 13 months from the filing date

Wiretapping and Telephone Recordings

  • A device for the occasional monitoring and/or recording of telephone conversations for: train its employees (for example, by reusing recordings as teaching aids to illustrate points during training sessions); evaluate them; improve service quality (for example, by analyzing the type of response provided to the customer); Handling and Management of Claims and Litigation: A maximum of 6 months
  • Analytical documents (reports or analysis grids) may be prepared based on the listening sessions and recordings, provided they align with these objectives: Analytical documents may be retained for up to one year

 

Recipients of the data

DACPs are primarily intended for staff responsible for awarding, managing, and fulfilling contracts, as well as for those responsible for managing client and prospect accounts at Verspieren Credit & Finance; however, this information may also be shared—for the purposes of managing and fulfilling your insurance contracts—with Verspieren Credit & Finance’s insurance and reinsurance partners, and with social security agencies when they are involved in the settlement of claims.

 

As part of its data processing activities, Verspieren Credit & Finance may also transfer DACP data to its joint data controllers, to processors in connection with the performance of their duties, as well as to service providers, agents, and suppliers to facilitate internal operations related to its business and website.

 

These recipients are required to maintain the confidentiality and security of the DACP and to implement appropriate measures.

 

Verspieren Credit & Finance may also disclose the DACP if such disclosure is required by law, a regulatory provision, or a court order, or if such disclosure is reasonably necessary to comply with legal proceedings, respond to potential claims, or protect the security of the DACP and the rights of the data subjects or those of Verspieren. If a data transfer outside the European Economic Area (hereinafter referred to as the “EEA”) is necessary, Verspieren undertakes to carry it out only under the following conditions:

  • the data importer is located in a country that the European Commission considers to provide an adequate level of protection;
  • if the recipient is not located in a country deemed by the European Commission to provide an adequate level of protection, Verspieren Credit & Finance will ensure that the data importer is bound by the European Commission’s Standard Contractual Clauses;
  • any subsequent subcontractor located outside the EEA must meet at least one of the conditions set forth above.

 

Rights Regarding Data Processing

In accordance with the regulations, data subjects have certain rights regarding the personal data processed about them:

  • the right of access;
  • the right to rectification;
  • the right to restriction;
  • the right to request deletion / the right to be forgotten;
  • the right to object to a specific processing operation for which explicit consent was required;
  • the right to data portability.

 

You may exercise your rights, along with proof of identity, either by sending an email to dpo@verspierencreditfinance.com or by mail to:

Verspieren Credit & Finance

Data Protection Officer

6 Rue de la Poste – 59100 Roubaix

 

Verspieren Credit & Finance reserves the right to request additional documentation from the applicant, in particular to verify his or her identity.

 

Verspieren Credit & Finance informs the individuals concerned that, in accordance with applicable public policy rules, requests regarding certain data or for certain purposes may not be granted, including those related to anti-money laundering and countering the financing of terrorism, taxation, etc.

 

If you believe that you have been unable to exercise your rights in accordance with the GDPR or any applicable data protection laws, you may file a complaint with the CNIL: Commission nationale de l’informatique et des libertés, 3 place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07.

 

Processing Security

Verspieren Credit & Finance fully acknowledges its role as a data controller and is committed to ensuring the security of processing operations involving DACP in order to prevent any breaches of such data. A breach of personal data, as defined by the GDPR, is a security breach that results, accidentally or unlawfully, in the destruction, loss, alteration, or unauthorized disclosure of personal data that has been transmitted, stored, or otherwise processed, or in unauthorized access to such data.

 

To this end, Verspieren Credit & Finance takes appropriate technical and organizational measures to ensure a level of security commensurate with the risks posed by the processing operations carried out.

 

In this context, Verspieren Credit & Finance is committed to ensuring the security, availability, integrity, authenticity, and confidentiality of DACP data. In particular, Verspieren guarantees that its employees and those of its data importers are subject to a strict confidentiality obligation.

 

Despite all due care, Verspieren Credit & Finance cannot guarantee the absolute security of the protection measures in place due to the evolution of hacking techniques and the inevitable risks that may arise during the transmission of DACP.

 

Verspieren Credit & Finance has defined and implemented an intrusion detection system and an incident management procedure.

 

Verspieren Credit & Finance reminds users of its online services of their responsibility to protect their own data. Verspieren Credit & Finance urges users to ensure the confidentiality of their login credentials for online services and the content of those services.

 

If you suspect a security risk, have lost your login credentials, or encounter any other situation that could pose a risk to the websites or the DACP, Verspieren Credit & Finance urges you to contact it immediately.

 

Use of Cookies

Visitors and users of Verspieren’s websites may refer to the legal notices on those sites to learn about Verspieren’s use of cookies.

 

Data Protection Officer

Given the nature, scope, and purposes of the data processing activities carried out by Verspieren Credit & Finance, a data protection officer has been appointed.

 

You may write to the Data Protection Officer with any questions regarding this Policy or with any requests concerning your personal data and the exercise of your rights in relation to it.

Contact: dpo@verspierencreditfinance.com

Verspieren Credit & Finance

Data Protection Officer

6 Rue de la Poste – 59100 Roubaix

 

Changes and Updates to the Personal Data Protection Policy

This Policy may be updated at any time and will take effect immediately. To keep you informed, we indicate the date of its most recent update.

 

This Policy was last updated on: March 20, 2019

 

Glossary

“Privacy Policy” and “Policy”: refer to this policy, which describes the measures taken for the processing, use, and management of personal data, as well as the rights of data subjects.

 

“Personal data” and “DACP”: refer to any information relating to the data subject that allows the data subject to be identified directly or indirectly.

 

“Processing”: means any operation or set of operations performed on personal data.

 

“Data Controller”: means the entity within the Verspieren Credit & Finance Group that processes personal data.

 

“Subcontractor”: means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.

 

“Data subject”: means the natural person in respect of whom personal data are processed, regardless of the purposes of such processing.

 

“Consent of the data subject”: means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

 

“Purpose of processing”: refers to the objective or main purpose of a computer-based application involving personal data. The use and processing of personal data must serve a specific purpose. Examples of purposes include recruitment management, customer management, satisfaction surveys, surveillance of premises, etc.

 

“Personal data breach”: means a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data.

 

“Recipient”: means the natural or legal person, public authority, agency, or any other body to which personal data is disclosed.