Agreement concerning the exchange and use of personal data between the members and the gareat economic interest grouping
I. Subjectmatter of the agreement
This Agreement defines the conditions in which the data mentioned by the Rules of Procedure is collected, processed by GAREAT, and possibly returned to the Member companies.
GAREAT is the member of an Economic Interest Grouping (or EIG), the GPSA. In this respect, it benefits from the EIG’s resources, notably for computer services. It is therefore this EIG which is responsible for all the technical aspects relating to computer projects and which provides technical back-up.
In addition, GAREAT is likely to resort to the use of the service suppliers mentioned in Table 2 hereafter.
II. Organisation and role of the parties
The personal data concerned by the execution of this Agreement is specified in Table 1 hereafter.
Until such time as the data has been entered into its computer system, GAREAT’s role will be that of the recipient.
Once the data has been entered into its computer system, GAREAT’s role will be that of the data processor.
III. Details of the services and of the conditions of execution
- Use of the information
The information obtained by GAREAT can only be used for the performance of the assignments corresponding to its company objects.
In no event can GAREAT – on the basis of the said information – claim any grant of a licence or any copyright or prior possession.
GAREAT undertakes not to carry out analyses or specific processing which repose on the information transmitted in the framework of this Agreement on the exclusive behalf of a Member without the agreement of GAREAT’s Board of Directors.
All processing which reposes on the use of the information transmitted in the framework of this Agreement must previously be submitted to GAREAT’s Board of Directors for its opinion.
2. Technical arrangements for data transfer
The technical arrangements for the transfer of a Member’s data to GAREAT are the subject of discussion:
It is agreed that:
- for GAREAT, the technical aspects are the responsibility of the GPSA Economic Interest Grouping, which ensures that good practices are respected. On this point, GAREAT undertakes that the GPSA Economic Interest Grouping will respect the terms of this Agreement;
- for the Member, in the event that the responsibility for technical aspects is assumed by one or several of his subcontractors, the Member undertakes that these players will respect the terms of this Agreement;
- the conditions for transferring data will be studied in common and documented by GAREAT (possibly via the GPSA EIG) and the Member (or via his representatives).
IV. Protection of personal data
- General points
The Member declares that he meets his obligations with regard to the information of the persons concerned in matters concerning the processing of the personal data which the latter transmits to GAREAT in the framework of the execution of this Agreement.
In its capacity as a data controller, GAREAT ensures that the processing carried out by it complies with the regulations relating to personal data and that it therefore complies with (EU) Regulation 2016/679 of the European Parliament and Council of 27th April 2016 and with any specific rules which may be introduced by French law.
In particular, GAREAT has appointed a Data Protection Officer who ensures the implementation and maintenance of this compliance, and all GAREAT’s employees have been advised of the importance of protecting personal data.
The information sent to GAREAT in the framework of its company objects may contain personal data governed by this Agreement. This data should not, in principle, belong to the so-called “sensitive” data categories.
GAREAT processes data for the purpose of:
– Modelling the Grouping’s exposure,
– Structuring the reinsurance programmes and placing them on the basis of these modellings,
– Managing the cession of premiums and losses.
2. Data violation
In the event that data is violated in the course of a transfer, GAREAT and the Member concerned will contact one another within a maximum of 24 hours following the discovery of the existence of the violation in order to determine the action to be taken.
V. The parties’ obligations
- The Member’s obligations
The Member declares that he is the owner of all the data transmitted to GAREAT or that he has a right of use over this data which may be transferred to GAREAT.
The issuer of the data undertakes to exercise due diligence with service suppliers who wish to substantiate the lawfulness of the requests made by GAREAT in the framework of this Agreement.
2. GAREAT’s obligations
GAREAT will take all the measures necessary to preserve the confidential nature of the information. These measures cannot be less stringent than those taken by it to protect its own confidential information.
GAREAT undertakes that it will only communicate the said information to those members of its staff who need to possess and use it. In particular, GAREAT undertakes that it will require all of its employees to sign confidentiality clauses.
Given the data collection processes and media used, the data may contain information which is not listed in Table 1 hereafter. In this event, GAREAT undertakes not to use it or to pass it on for processing, notably to its subcontractors.
GAREAT undertakes that it will impose the duty to respect the clauses upon subcontractors whose services it may use in order to process the information covered by this Agreement.
Other than in the cases provided for by the regulations in force, GAREAT undertakes that it will not, for any reason whatsoever, divulge, communicate, transfer or transmit the data supplied in the context of this Agreement to any individual or legal entity, be he or it French or foreign, other than to the subcontractors mentioned in Table 2.
The Member cannot incur liability in the event that the data supplied is incorrectly used by GAREAT or that its use does not comply with normal practice.
In the event that the Member supplies erroneous data, GAREAT cannot incur liability for the direct or indirect consequences of its processing.
VII. Inception date and period of the Agreement
This Agreement incepts on the same date, and is entered into for the same period, as the Rules of Procedure to which it is attached. It may, however, concern data prior to that date or even apply to data transmitted before that date.
The Agreement’s confidentiality provisions will apply throughout the period of the Agreement and after its expiry or its cancellation for whatever reason.
VIII. Cancellation of the agreement
Unless otherwise agreed, in the event that this Agreement or the Rules of Procedure to which it is attached cease to apply for whataver reason, GAREAT undertakes that it will delete all the information which has been transmitted to it by the Member and that it will send the Member official confirmation that this information has been destroyed.
This deletion does not, however, concern the analyses and studies which may have been carried out using the said information.
This deletion must take place no later than 3 months after the effective cancellation date unless the law imposes a different timeframe.
This Agreement completes the stipulations in the Rules of Procedure relating to the exchange and use of data between the Members and GAREAT. In this respect, the stipulations of this Agreement cannot be dissociated from those of the Rules of Procedure with which they form a coherent ensemble of right and obligations.
* * *
Table 1: Data collected and processed by GAREAT in the framework of this agreement
The categories of data which may be collected or exchanged in the framework of the Agreement are as follows:
|Categories of data
|Data on the portfolio
Identification of the insurance company
Identification of the risk
Identification of the contract
Identification of the segment (Personal Lines, Professional Lines, …)
Address and or coordinates of the site of the risk
|Data on losses
Identification of the insurance company
Identification of the contract
Identification of the loss
Date of occurrence
Causes and circumstances
Cost of the loss
Table 2: Identification of the players involved in the implementation of this agreement
Player(s) responsible for the technical provisions of data transfer:
- GIE GPSA
Service suppliers who may receive and process data on GAREAT’s behalf:
- Cbt Mazars