PRIVACY POLICY

Introduction:

The entity IRIS GLOBAL SOLUCIONES DE PROTECCIÓN SEGUROS Y REASEGUROS, S.A.U. makes this Privacy Policy available to the users of the website, to our insured persons, and to anyone else interested, in order to comply with the regulations on personal data protection and the obligation to inform, explaining below how we may process the personal data provided to us that are subject to processing.

It is our aim to provide this information using clear and simple language. We have therefore chosen to structure all the information in a "question and answer" format:

1.- Who is the Data Controller of your personal data?

The Data Controller is IRIS GLOBAL SOLUCIONES DE PROTECCIÓN SEGUROS Y REASEGUROS, S.A.U. (hereinafter, “IRIS GLOBAL SEGUROS”), with tax ID code (CIF, as per the Spanish acronym) A78562246 and registered office at Julián Camarillo 36, 28037 Madrid (Spain). However, in certain processing activities, we act as data processors. For example, when you take out one of our products, such as Travel Assistance Insurance for individuals, we will act as personal data controllers.

2.- Are we always the Data Controllers of your personal data?

As we have already mentioned, this is not always the case. IRIS GLOBAL SEGUROS is also a reinsurance company that manages different guarantees assigned by other insurers and provides different services to the insured persons of the main insurer. Consequently, we may also act as data processors, carrying out processing on behalf of a data controller in order to provide a hired service. Acting in the capacity of data processors does not in any way imply that we avoid any type of responsibility for compliance with data protection regulations.

3.- Who is the Data Protection Officer?

IRIS GLOBAL SEGUROS has formally appointed a data protection officer which is structured as a collegial body. In addition, the following communication channel has been set up: The contact details of the Data Protection Officer have been duly communicated to and registered with the Spanish Data Protection Agency (AEPD, as per the Spanish acronym), the Spanish control authority.

4.- For what purposes do we process the personal data that we receive and with which you provide us?

As developed in the different Guides of the Spanish Association of Insurers and Reinsurers (hereinafter, “UNESPA”) on which we are based, in order to carry out their business activities, insurance companies must necessarily process personal data at different stages, especially in relation to the insurance contract and its guarantees. Prior to the conclusion of the contract, insurance companies collect data to analyse whether the risk is insurable and, if it is within the insurance parameters (homogeneity of risks), data processing is necessary to determine on what conditions and at what price the risk can be assumed. Once the contract has been concluded, the data are indispensable for the maintenance, development, and execution of the contract and for the fulfilment of the obligations arising from the insurance business. We therefore distinguish between two phases of personal data processing: pre-contractual and contractual.

Accordingly, we process the personal data available to us for the purposes of the management and administration of the entities – such as for the management of ongoing recruitment processes, the administration and management of the relevant systems, or for the sending and receipt of correspondence –, for other business purposes, and in addition for the following insurance-related purposes [In accordance with UNESPA’s guidelines in the “Guide to the Processing of Personal Data by Insurance Companies” (7th February 2019) at accessed June 2019.]:

In the Pre-contractual Phase:

  • Management of the application and offer of the insurance product that best suits the demands and needs of the client.
  • Assessment, selection, and pricing of risks associated with the application.
  • Communication of information to public authorities, regulators, or governmental bodies in cases in which it is required by law, local regulations, or in compliance with regulatory obligations.
  • Carrying out the corresponding checks in accordance with the provisions of current Spanish legislation on the prevention of money laundering and the financing of terrorism.
  • Consultation of common risk selection and pricing files.
  • Communication of the data of the policyholder, insured person, beneficiary, or injured third party to reinsurance entities when it is necessary for the conclusion of the reinsurance contract under the terms provided for in Article 77 of Spanish Law 50/1980, of 8th October, on Insurance Contracts; the receipt of the same data from the insurance company that carries out the transfer under the same terms; or the performance of related operations.
  • Fraud prevention.

In the Contractual Phase:

  • Formalisation of the insurance contract: contract data; need to obtain personal data for the formalisation of the contract.
  • Management of the policy or of certain guarantees assigned as reinsurance, as well as maintaining, developing, and controlling the legal and/or contractual relationship that may be established between the parties. For example, to manage the modifications and updating of data, banking information, extensions of coverage, etc.
  • Carrying out the necessary verifications and investigations for the determination and, where appropriate, the payment of the compensation to the insured person, the beneficiary, or the injured party.
  • Making communications related to the policy.
  • Management of the resolution of complaints and conflicts that may arise between policyholders, insured persons, beneficiaries, injured third parties, or rightful claimants of any of them.
  • Keeping the accounting books required by the Spanish Commercial Code and other applicable provisions, as well as the registers of accounts, claims, technical provisions, investments, reinsurance contracts, and issued policies, supplements, and cancellations.
  • Communication of information to public authorities, regulators, or governmental bodies in cases in which it is required by law, local regulations, or in compliance with regulatory obligations.
  • Carrying out commercial and/or advertising actions or communications, by any means, including electronic or equivalent communications in accordance with the provisions of Spanish Law 34/2002, of 11th July, on information society services and e-commerce, related to products or services similar to those hired.
  • Communication of the data of the policyholder, insured person, beneficiary, or injured third party to insurance or reinsurance companies when it is necessary for the conclusion of the reinsurance contract.
  • Intragroup transfer: exchange of intra-group information between insurance companies for the fulfilment of supervisory obligations.
  • Centralised management of intra-group IT resources, such as applications or servers.
  • Carrying out commercial and/or advertising actions or communications, by any means, including electronic or equivalent communications in accordance with the provisions of Spanish Law 34/2002, of 11th July, on information society services and e-commerce, related to products or services other than those contracted, or products offered by third parties by means of a profiling with external sources.
  • Fraud prevention and detection.
  • Determining the health care and compensation to be received by the injured party, if any, when these have to be paid and carrying out, where appropriate, the corresponding medical health check-up by a doctor or hospital.
  • Making the appropriate payment to the health care providers or the reimbursement to the insured person or their beneficiaries of the health care expenses that have been carried out within the scope of this insurance.

5.- What is the legitimacy and the conditions of lawfulness that we apply to the processing of your personal data?

The legal basis for the processing of your personal data is based on the following conditions of lawfulness, which may be cumulated on a case-by-case basis:

  • The development and execution of the relevant contract or the implementation of appropriate pre-contractual or contractual measures. The provision of the service in accordance with the guarantees described in the contracted policies, where different suppliers may intervene for the effective execution of the provision of the service or depending on the contracts that have been formalised between our clients and our entities, would legitimise the processing of the personal data of the data subject that we carry out. We also rely on this legal basis when we act as a reinsurer, in accordance with the reinsurance contracts we have with our clients. The purposes that would fit within this legitimacy basis have already been developed and referred to in the previous section.
  • Compliance with legal obligations that are applicable to IRIS GLOBAL SEGUROS as a company that is part of the insurance sector, whose applicable regulations for the performance of its activities and obligations are as follows:
      • Commission Delegated Regulation (EU) 2015/35, of 10th October 2014, supplementing Directive 2009/138/EC, as well as the Solvency II community implementing regulations.
      • Spanish Law 50/1980, of 8th October, on insurance contracts (LCS, as per the Spanish acronym).
      • Spanish Law 20/2015, of 14th July, on the regulation, supervision, and solvency of insurance and reinsurance companies (LOSSEAR, as per the Spanish acronym).
      • Spanish Royal Decree 1060/2015, of 20th November, on the regulation, supervision, and solvency of insurance and reinsurance companies (RDOSSEAR, as per the Spanish acronym).
      • Spanish Royal Legislative Decree 8/2004, approving the revised text of the Law on third-party liability and insurance for the use of motor vehicles (Law on third-party liability for vehicles).
      • Spanish Law 26/2006, of 17th July, on insurance and reinsurance mediation (Law on mediation).
      • Directive (EU) 2016/97, on insurance distribution (IDD).
      • Spanish Royal Decree 1588/1999, of 15th October, approving the Regulation on the Organisation of Pension Commitments of Companies to Employees and Beneficiaries (Organisation Regulation).
      • Delegated Regulation (EU) 2017/2358, of 21st September, supplementing Directive (EU) 2016/97 with regard to product oversight and governance requirements (POG Regulation).
  • The legitimate interest of IRIS GLOBAL SEGUROS, such as, for example, for the assessment, analysis, and pricing of risks for the prevention of fraud or for the prevention and/or detection of money laundering and/or terrorist financing activities. We also invoke this condition for the processing of health data for the purpose of damage assessment, settlement of claims, risk assessment, and, where appropriate, any other activities arising from the management and processing of the insurance contract and/or the formalised legal or contractual relationship, in the terms provided for in Article 77 of the LCS, or for the performance of related operations as may be necessary. This legitimate basis would also entitle us to carry out the following processing:
      • Carrying out commercial and/or advertising actions or communications, by any means, including electronic or equivalent communications related to products or services similar to those hired.
      • Intragroup transfer: exchange of intra-group information between insurance companies for the fulfilment of supervisory obligations.
      • Centralised management of intra-group IT resources (applications, servers).
      • Transfer (and acquisition) of portfolio, merger, demerger, transformation, etc.
  • The performance of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller, such as, for example, for the prevention of fraud or for collaboration with the law enforcement authorities.
  • The consent we request for different processing purposes, such as for the performance of commercial and/or advertising actions or communications that may be of interest to our clients, policyholders, and the general public, either about our products or about products of third parties with which IRIS GLOBAL SEGUROS establishes collaboration agreements. Likewise, we ask for consent to be able to carry out customer profile evaluations and to apply segmentation techniques with internal and/or external data, in order to introduce improvements in the communications we make and to offer products and services adapted to their needs, even after the relationship has ended.

6.- How do we obtain your personal data?

The sources from which the personal data originate are the following:

  • Provided by you and/or the parties interested in the insurance application or for the formalisation of the legal or contractual relationship.
  • From the management, maintenance, and development of the legal or contractual relationship in connection with the insurance contract.
  • In the processing of claims arising from the insurance contract.
  • Provided by our clients or in accordance with the exchange and transfer of intra-group information between insurance companies.
  • Data from publicly accessible sources or public registers. For example, when we process certificates with Registers.
  • Data obtained from external sources. For example, data provided by IRIS GLOBAL SEGUROS providers from third-party databases, from different social networks, etc.

Having said the above, we inform you that, in case of obtaining your data from external sources, they will be processed exclusively for the purposes described in this Policy, serving this document as sufficient information regarding the processing we do with these data, and the conditions of processing that we make of the data from external sources. You will not be sent a new informative text in such cases, unless you expressly request it through the communication channel set out in this document.

7.- To which recipients will your personal data be communicated?

The personal data processed by IRIS GLOBAL SEGUROS to achieve the purposes detailed above and in accordance with the aforementioned conditions of lawfulness could be communicated to different recipients, especially with the aim of ensuring the proper development of the contractual relationship with our customers and thus provide the appropriate service in each case. In this sense, in addition to having to provide personal data by law in the event of an official request from a public body, it is necessary for us to work with a network of national and international providers and partners in order to achieve our objectives. Therefore, it is necessary for us to communicate personal data to various partners and, in order to ensure that this is a legitimate communication, we request consent and communicate it – where necessary – to the following recipients:

  • To collaborating entities, public or private, that intervene in the management of the insurance contract (reinsurance or co-insurance entities or entities intervening in the management of the policy, providers), which may be national, European community entities, or international entities located in third countries, as in the case of having to provide travel assistance abroad, for example.
  • To companies in the same group or intra-group of insurance companies for the fulfilment of supervisory obligations.
  • To Public Bodies and Administrations, in compliance with legal obligations or for the management of the services of the insurance contract or that are requested.
  • To possible third parties interested in the processing and management of claims derived from the execution and development of the insurance contract (interested parties, injured parties, beneficiaries, etc.), provided that the communication of data is strictly necessary.

We would like to point out that your personal data will only be communicated to third parties when it is strictly necessary to achieve the purposes described above, taking into consideration compliance with the principles of lawfulness, fairness, and transparency, data minimisation, purpose limitation, and integrity and confidentiality that are included in Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27th April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR or General Data Protection Regulation) and related and applicable data protection regulations.

In addition, we inform you that we have legal instruments that guarantee the adequate and appropriate communication of personal data, such as standard data protection clauses, codes of conduct and ethics for suppliers, or various data processor contracts with both our clients and our providers.

8.- What types of data do we process?

While the contractual relationship is in force at IRIS GLOBAL SEGUROS, and depending on the specific case, we may process the following personal data:

  • Personal identification data (e.g., name and surname, and Spanish tax identification number [NIF, as per the Spanish acronym]/foreign national ID number [NIE, as per the Spanish acronym]).
  • Contact details (e.g., postal and e-mail address, telephone number, etc.).
  • Personal characteristics and social circumstances (e.g., age, date of birth, marital status, characteristics of your dwelling, number of inhabitants of your dwelling, etc.).
  • Special category data (e.g., health data).
  • Academic, employment, and professional data (e.g., employment status, whether you are employed or unemployed, your general or specific training, etc.).
  • Economic, financial, or insurance data (e.g., your bank account number, insurance policy and class number, etc.).
  • Data of deceased persons (e.g., data for the processing of various pensions or civil status certificates, etc.).
  • Data relating to administrative offences and penalties (related to administrative offences and penalties, etc.).
  • Data on legal persons (e.g., company name, address, etc.).
  • Data on sole proprietors and liberal professionals.
  • Location data (e.g., the destination where the insured person is travelling, where they need assistance, etc.).
  • Commercial information and consumer data (e.g., through the browsing experience of our website, for advertising and segmentation purposes, etc.).

We also inform you that IRIS GLOBAL SEGUROS may process personal data of other persons covered by the policy (for example, family members and relatives), only if necessary for the management of the purposes of the insurance contract. In the event that you have provided personal data of third parties, we remind you that, by formalising the insurance application, you must guarantee that you have obtained the consent of these persons to the processing of personal data carried out by IRIS GLOBAL SEGUROS in relation to the execution and development of the insurance contract, and that you must have informed these persons of their rights and of the purposes of data processing. Similarly, the processing of personal data of third parties that are related to the application that is formalised will be protected on the legal basis of the satisfaction of legitimate interest, in order to meet the objectives of our company and to perform the service that is provided effectively as a result of the requests made by clients and insured persons.

In the case of minors, we would like to point out that we do not knowingly collect information from minors under the age of 18 either through online services or on our website. For the collection of data from minors, we require the permission and consent of the holder of parental authority or guardianship over the minor. In this case, we may ask you to provide proof that you are the minor's legal representative for the processing of their personal data.

Finally, and most importantly, we inform you that, for the execution of the policy, it may be necessary to process your health data (for example, health data that may arise from the processing of a claim or, where appropriate, data necessary for the assessment of the risk), or special category data (for example, data revealing ethnic or racial origin, or trade union affiliation). We would like to remind you that we will only process this category of personal data upon request of the corresponding informed consent, only for the purposes of the execution of the insurance contract or of the services that may be provided by our company that require the processing of this type of data, and, exclusively, in the event that we are legitimised to do so.

9.- How long is your data retained?

Personal data will be retained for the duration of the contract and, thereafter, taking into account the legal periods applicable in each specific case, the type of data and the purpose of the processing.

You may request more information on the data retention periods at: proteccion.datos@irisglobal.es

10.- What are your rights regarding our processing of your data?

We inform you that you have the right to access your personal data and to obtain confirmation on how such data is being processed. Likewise, you have the right to request the rectification of inaccurate data or, where appropriate, request its erasure when, among other reasons, the data is no longer necessary for the purposes for which it was collected.

We remind you that you have the right to object, at any time, to the processing of your data for advertising or promotional purposes.

In certain circumstances, you may request the restriction of the processing of your data, in which case we will only keep them for the exercise or defence of possible claims.

You may also, under certain circumstances, object to the processing of your personal data for the purposes stated, without affecting the lawfulness of the processing based on prior consent. In this case, our company will cease processing the personal data, unless there are legitimate reasons, or to guarantee the exercise or defence of possible claims.

Finally, you may exercise the right to portability and to obtain for yourself or for another service provider certain information arising from the contractual relationship entered into with our entities.

You may exercise these rights by the following means:

  • Letter addressed to IRIS GLOBAL SOLUCIONES DE PROTECCIÓN SEGUROS Y REASEGUROS, S. A. at the postal address Julián Camarillo 36, 28037 Madrid (Spain).
  • Email addressed to the email address proteccion.datos@irisglobal.es.

In both cases, proof of identity of the person exercising their rights must be provided by sending a copy of their national ID number (DNI, as per the Spanish acronym), NIE, or equivalent document, on both sides.

Once we have received your request, we will provide the information within a maximum period of one month from receipt of the request. This period may be extended by two months if necessary, taking into account the complexity and number of requests.

We also inform you that you may withdraw your consent at any time, where consent has been given for a specific purpose, without affecting the lawfulness of the processing based on the consent prior to its withdrawal.

Finally, you also have the right to lodge a complaint with the Spanish Data Protection Agency, the competent data protection supervisory authority. However, in the first instance, you may lodge a complaint with the Data Protection Officer, who will resolve the complaint within a maximum period of two months.

11.- Modifications to this Privacy Policy

This Policy is reviewed periodically and is subject to possible modifications to ensure that it complies with current regulation. We will inform you of such changes before they come into force, normally via our website. This Policy does not give rise to any contractual or legal liability; its sole purpose is to explain to you how we process the personal information we hold about you for the purposes for which it is used, and also to provide you with the information you need to exercise your data protection rights.

12.- Adherence to privacy and compliance policies

IRIS GLOBAL SOLUCIONES DE PROTECCIÓN SEGUROS Y REASEGUROS, S.A.U. is an entity located in Spain, which is part of SANTALUCÍA GROUP, a leading national group in the insurance sector in the Assistance and Funeral insurance classes, as well as one of the leading companies in Home insurance. Being part of SANTALUCÍA GROUP guarantees an optimum information security framework and offers more guarantees of data protection compliance.

13.- Doubts regarding our Privacy Policy or questions related to data protection

For any doubts, queries, or clarifications regarding this Privacy Policy or how we process the personal data we hold, or to resolve any discrepancies regarding how we protect and use the personal data of the data subjects, we offer the following communication channel where you can address your requests: proteccion.datos@irisglobal.es. The staff responsible for handling all such requests will respond as soon as possible.