Data Protection Policy

Data Protection Policy

Aware of the importance of ensuring confidentiality, Génération is firmly committed to protecting personal data (hereinafter referred to as “PD”).

Génération has therefore developed this policy (hereinafter the “Policy”) to inform you about the use of your PD and the precautions taken to ensure its confidentiality.

Definitions – Scope of Application

Personal Data (PD) refers to “any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more elements specific to them.”

Examples: a name, first name, phone number, location data, online identifier, photograph, IP address, voice recording…

Processing of PD means “any operation or set of operations carried out on such data, regardless of the process used, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, cross-referencing or linking, as well as restriction, erasure, or destruction.”

The Data Subject of PD processing refers to any natural person whose PD is processed by Génération as part of its activities. This includes, but is not limited to:

  • users of websites and extranets,
  • insured members/individual policyholders,
  • dependents of insured individuals,
  • employees and executives of corporate clients,
  • employees and executives of business partners,
  • healthcare professionals,
  • employees of service providers,
  • employees and executives of Adelaïde Group companies.

This Policy applies to all PD processing, as defined by Law No. 78-17 of January 6, 1978, as amended, known as the French Data Protection Act, and the General Data Protection Regulation (GDPR) of April 27, 2016, carried out by Génération in connection with its activities, regardless of the method of collection and processing.

Identity of the Data Controller

As part of its activities, Génération primarily acts as the Data Controller for PD collected and processed. However, Génération may act as a Processor (Article 28 of the GDPR) or as a Joint Controller (Article 26 of the GDPR) and will inform the Data Subjects accordingly.

In the specific context of its activities as a “Delegated Management Broker” for insurance organizations, Génération generally acts as a Joint Controller with the insurance organization. A formalized agreement defines the roles and responsibilities of the joint controllers.

In accordance with Article 26.2 of the GDPR, Data Subjects may, upon request, access the main provisions of this agreement. They may also exercise their rights with or against each of the controllers.

This Policy applies regardless of Génération’s regulatory status concerning data protection.

What Personal Data is Processed?

Génération processes the following PD in its activities:

  • Account/space creation: member number, date of birth, email address, FINESS numbers.
  • Website connection: connection, navigation, or location data (cookies, connection methods, browser type and version, operating system used, URL address, etc.).
  • Identification of individuals involved in the contract: civil status, identity documents, contact information, nationality, Social Security number (NIR).
  • Family, financial, and economic data: including bank details, marital status, household composition, number and ages of children.
  • Professional information: including socio-professional category, activity sector, professional skills and qualifications, unemployment documentation, work income, work stoppages, and leave.
  • Risk assessment and guarantee implementation data: health information, claims history, and past claims records.

Génération specifies that it processes “special categories of data” under the regulation, particularly health-related data. Génération ensures compliance with Article 9 of the GDPR when processing such data.

Génération limits data collection to what is strictly necessary for the intended processing purposes (data minimization).

PD may be collected directly or indirectly by Génération as the Data Controller or, where applicable, at the initiative of parties for whom Génération acts as a Processor.

Legal Basis and Processing Purposes

Processing is carried out for explicit, legitimate, and specified purposes.

Under Article 6 of the GDPR, the legal bases for processing by Génération are as follows:

  • The Data Subject’s consent.
  • Legitimate interest.
  • Compliance with a legal obligation to which Génération is subject.
  • Performance of a contract to which the Data Subject is party or pre-contractual measures at their request.

Génération processes PD for the following purposes:

  • Offering tailored products and services, conducting specific studies, and providing advice.
  • Administrative management.
  • Contract underwriting, execution, and management.
  • Fraud prevention and anti-money laundering/terrorism financing measures.
  • Statistical and actuarial studies.
  • Commercial prospecting operations.
  • Managing complaints and claims.
  • Website traffic analytics (refer to our cookie policy).
  • Online contact for connection with an advisor.

Certain purposes may require consent, obtained during data collection.

If Génération intends to process PD for purposes other than those listed above, it commits to informing Data Subjects and obtaining their prior consent when required by GDPR or other data protection legislation.

Consent is not required when processing is necessary for contract performance or pre-contractual measures requested by the Data Subject.

Recipients of Personal Data

PD recipients include Génération’s relevant departments. Data may also be shared, if necessary, with:

  • Insurers, for contract execution.
  • Subcontractors and partners, within the scope of assigned tasks.
  • Authorized third parties, such as public authorities with specific powers.
  • Individual or corporate clients acting as policyholders, or partners conducting statistical or actuarial studies.

When Génération employs a subcontractor, it ensures sufficient safeguards and formalizes agreements to maintain confidentiality standards equivalent to those applied by Génération.

Data may be transferred outside the European Economic Area (EEA) in compliance with legal and regulatory requirements, including the GDPR, with appropriate safeguards.

Data Retention and Security

Génération securely retains PD for the duration necessary to fulfill the purposes of processing as stated.

Data may be archived for:

  • Legal retention requirements.
  • Legal limitation periods, particularly for insurance, commercial, civil, or tax matters.
  • Statistical purposes.

Archived PD is restricted to authorized personnel only. At the end of the retention period, PD is anonymized or deleted.

Génération strives to ensure PD confidentiality and security but cannot guarantee absolute protection against all intrusion techniques.

Data Subject Rights

Under applicable regulations, you have the right to access, rectify, delete, limit, port, and oppose PD processing on legitimate grounds (see www.cnil.fr for more information on your rights).

To exercise these rights or for any questions about PD processing, you can contact our Data Protection Officer (DPO):

  • By email: dpo@generation.fr
  • By mail:
    Data Protection Officer
    Génération SAS
    12 rue de Kerogan
    29335 QUIMPER CEDEX

For confidentiality reasons, proof of identity may be requested, such as an ID document.

If you believe your rights are not being respected after contacting us, you may file a complaint with the CNIL.

Changes to the Data Protection Policy

This Policy may evolve based on national and/or European data protection regulations.

Please review this Policy regularly.

Last updated: August 9, 2019