Privacystatement

    Personal data can be collected for specified, explicit and legitimate purposes. The purpose with relevance to the registration of data in the CIS database is CIS’s specified objective. Our specified objective is set out in our Articles of Association, which state the following:

    ‘The objective of CIS is to protect the common interests of its members by contributing to and supervising information sharing between members, between members and the police and judicial authorities, and with other organisations approved by its board, so that members can detect, prevent and combat abuse of financial products and services and manage risks in the broadest sense of the word.’

    CIS seeks to achieve this objective by collecting, classifying, managing and distributing factual information in order to provide members with a better understanding of the nature and scope of the risks presented to them for assessment and the obligation to pay compensation or make other payments, based on the available information.

    CIS also seeks to achieve this objective by carrying out checks on compliance with applicable laws and regulations by members when processing information from factual data within the scope of the specified objective for which this data was obtained.

    CIS members are primarily insurance companies and their authorised agents. CIS has produced a User Protocol (for members) and Privacy Regulations (for data subjects/consumers) which can be found on the CIS website and which contain the rules and instructions for recording personal and other data, the correct use of the CIS database by CIS members and the use of the data managed by CIS. The Privacy Regulations are an extended version of this privacy statement.

    The processing of data via the CIS database is intended to help protect the common interests of our members in:

    • assessing and managing risks in general;

    • limiting losses, in particular by pursuing a responsible underwriting policy;

    • detecting, preventing and combating insurance fraud and crime;

    • exchanging factual information between members, and between members and the police and judicial authorities;

    • performing statistical analyses for insurance fraud and crime prevention purposes.

    In summary, personal data is processed because it is needed for the protection of our members’ legitimate interests and for the performance of the insurance contract between members and data subjects. The processing of personal data is therefore not based on the data subject’s consent. Legitimate interests are the processing of claims and combating fraud; these are legitimate interests for members because they need to be able to check the accuracy and completeness of claims. Performance of the insurance contract constitutes processing in connection with acceptance of a policy, for example.

    CIS and its members can be considered as the joint controller in respect of the CIS database; both CIS and its members are therefore responsible for the processing of the personal data. This is because of the close connection between the activities of CIS and its members. CIS is responsible for managing the data in the CIS database and the individual members are responsible for ensuring the accuracy of the data supplied. Our members will inform data subjects about the processing of their data in the CIS database and will refer them to the CIS Privacy Regulations. They can do so on a claim form, in a privacy statement, in policy terms and conditions, in the context of insurance applications, and/or by notifying individual data subjects.

    All the records listed below are processed in the CIS database for the purposes and principles referred to above in this Privacy Statement.

    The following types of data are processed:

    Claims: Neutral claim reports on an insurance product. Members can process claims as part of the performance of a contract with a data subject (such as acceptance of a policy) or based on a legitimate interest (such as claims handling and combating fraud).

    Information about the person or legal entity (if known):

    • initials, surname prefix and surname
    • date of birth and gender
    • street address, place of residence and country
    • phone number, e-mail address, IP address and bank/giro/IBAN (identification of the data subject)
    • party and role (own party, opposing party, etc.)
    • legal form and business classification
    • Chamber of Commerce number, company client number and RSIN number
    • item details:
      • brand, type, colour
      • details of claim
      • identifying data (registration number, chassis number etc.)
      • risk address, if different
    • details of report:
      • name of insurer, claim handler and department
      • industry
      • reason for report, starting date and end date
      • policy number, claim number and reference number
      • reference date and date of loss
      • cause of loss and country in which loss occurred
      • details of report to police
      • Loss amounts (amount reserved, actual amount of loss and amount actually paid)

     

    External Reference Index (EVR): Registration of reference data of persons or legal entities listed in the External Reference Index in accordance with the requirements of the Protocol in respect of the Incident Warning System for Financial Institutions (PIFI) on account of conduct that formed, forms or could form a threat to the interests of financial institutions or the continuity and/or integrity of the financial sector, such as insurance fraud.

    Information about the person or legal entity (if known):

    • initials, surname prefix and surname
    • date of birth and gender
    • street address, place of residence and country
    • Chamber of Commerce number
    • name of insurer, claim handler and department
    • industry
    • end date
    • policy number, claim number and reference number

     

    Confidential notices (VM): Registration of cancellations of insurance policies by the insurance company or authorised agent following failure to comply with the insurance contract attributable to the data subject.

    Information about the person or legal entity (if known):

    • initials, surname prefix and surname
    • date of birth and gender
    • street address, place of residence and country
    • phone number, e-mail address, IP address and bank/giro/IBAN (identification of the data subject)
    • party and role (own party, opposing party, etc.)
    • name of insurer, claim handler and department
    • industry
    • reason for report, starting date and end date
    • policy number and reference number

     

    Motor Traffic Guarantee Fund (WBF) reports: Registration of information on uninsured drivers, owners and registered keepers of motor vehicles, when the Motor Traffic Guarantee Fund registers and handles a claim caused by these uninsured parties.

    Information about the person or legal entity (if known):

    • initials, surname prefix and surname
    • date of birth and gender
    • street address, place of residence and country
    • phone number, e-mail address, IP address and bank/giro/IBAN (identification of the data subject)
    • party and role (own party, opposing party, etc.)
    • legal form and business classification
    • Chamber of Commerce number, company client number and RSIN number
    • name of insurer, claim handler and department
    • industry
    • policy number, claim number and reference number
    • loss amounts
    • item details:
      • brand, type, colour
      • details of claim
      • identifying data (registration number, chassis number etc.)

     

     

    Driving disqualifications (OBM): Registration of disqualifications from driving motor vehicles entered by the public prosecutor in the register of driving licences pursuant to Article 156(d) of the Decree on Driving Licences (Reglement Rijbewijzen).

    Information about the person or legal entity (if known):

    • initials, surname prefix and surname
    • date of birth
    • street address, place of residence and country
    • reference number

     

    Total loss reports: Registration of identity details of registered motor vehicles in respect of which a claim following a loss event is settled on the basis of a total loss.

    Information about the person or legal entity (if known):

    • initials, surname prefix and surname
    • street address, place of residence and country
    • date of birth and gender
    • identification of the data subject
    • party and role
    • name of insurer, claim handler and department
    • industry
    • policy number, claim number, reference number
    • type of cover
    • actual loss amount
    • item details:
      • brand, type, colour
      • details of claim
      • identifying data (registration number, chassis number etc.)

     

     

    Sanction lists: Reports concerning a person or organisation that is, or is considered to be, involved in terrorist activities.

    Information about the person or legal entity (if known):

    • initials, surname prefix and surname
    • street address, place of residence and country
    • date of birth and gender
    • reference number

     

     

    Special Reports

    Entries in the External Reference Index, confidential notices, details of registered owners and drivers of uninsured motor vehicles, driving disqualifications, total loss reports and sanction lists are also referred to as Special Reports.

    Claim reports are supplied by members of CIS.

    External Reference Index entries are supplied by members who comply with the terms and conditions of the Incident Warning System for Financial Institutions.

    Confidential notices are supplied by members of CIS.

    Motor Traffic Guarantee Fund reports are supplied by the Motor Traffic Guarantee Fund.

    Driving disqualifications are obtained via the Centre for Vehicle Technology and Information (RDW) on behalf of the Public Prosecution Service.

    Total loss reports are supplied by motor vehicle insurers or the Insurance Bureau for Vehicle Crime.

    Sanction list reports are supplied by organisations such as the European Commission and De Nederlandsche Bank (DNB).

    Claim reports, total loss reports and Motor Traffic Guarantee Fund reports are kept for a maximum of five years.

    Reports of cancellations of insurance policies due to failure to comply with contractual obligations are also kept for a maximum of five years. Reports of cancellations of insurance policies due to failure to comply with contractual financial obligations can be consulted in the CIS database for up to three years.

    EVR reports can be consulted in the CIS database for a maximum of eight years after entry in the members’ incident register, unless a longer period has been designated under the Incident Warning System for Financial Institutions (PIFI).

    Reports on driving disqualifications can be consulted in the CIS database for up to five years after expiry of the disqualification period.

    Sanction list reports can be consulted for up to 30 years.

    Information from the CIS database is provided to:

    • CIS members;
    • the Centre for Combating Insurance Crime (CBV) and the Centre for Insurance Statistics (CVS), both part of the Dutch Association of Insurers, for the purposes of investigating insurance crime;
    • the police and judicial authorities, by the Dutch Association of Insurers’ Centre for Combating Insurance Crime (in connection with requests for information).

    CIS and the provider take appropriate technical and organisational measures to protect personal data against loss or any form of unlawful processing. These measures guarantee an appropriate level of security in view of the risks involved in the processing and the nature of the data to be protected.

    CIS members also take appropriate technical and organisational measures within their own organisations to protect personal data against loss or any form of unlawful processing.

    CIS, its members and the provider have entered into a processor agreement which sets out what is done in the event of a data breach.

    Right of access

    You have the right to access your personal data held in the CIS database. You can exercise your right of access free of charge at CIS. Instructions on how to access your data and the data access form can be found on the CIS website

    Correction, addition and removal

    If you submit a request to CIS to correct, add to, restrict or remove your personal data, CIS will forward it to the member responsible for registering the data concerned. The member will inform you, either directly or via CIS, whether it will comply with your request and will reach a decision regarding the correction, addition, restriction or removal of your data as quickly as possible.

    There are a number of reasons why your request to have your data restricted or removed may not be complied with. The data may be required in connection with the performance of an insurance contract, for example, or it may be required in connection with possible legal action or in defence of a member that has been held liable.

    Instructions on how to submit a request and the corresponding form can be found on the CIS website

    Right to object

    You have the right to object to the processing of your data by submitting a reasoned objection to both CIS and the responsible member.

    Data portability

    The right to data portability does not apply to you in this case since CIS is the only organisation by and for insurance companies and their authorised agents which helps its members optimise their processes and provides support in assessing acceptances and claims.

    Automated decisions

    You are not subject to a decision based solely on automated processing, including profiling, which may produce legal effects concerning you or may similarly significantly affect you. However, this does not apply if the decision is necessary for entering into, or performance of, a contract, if it is permitted under the provisions of a law or if you have given a member explicit consent in this regard.

    CIS’s contact details can be found on the website. For specific cases you can also contact our Data Protection Officer at fg@stichtingcis.nl.

    If you are of the opinion that a member of CIS is not acting in accordance with the CIS Privacy Regulations, you should first file a complaint with the complaints committee and/or the management of the member concerned for assessment. If you don’t receive a response or if you don’t agree with their response, you can file a complaint with CIS.

    If you are of the opinion that a member is in breach of the provisions of the Code of Conduct for the Processing of Personal Data by Financial Institutions or the Incident Warning System for Financial Institutions, after having filed your complaint with that member’s complaints committee for assessment, you can contact the Financial Services Complaints Institute (KiFiD), PO Box 93257, 2509 AG The Hague.

    You can also file a complaint with the Data Protection Authority at https://autoriteitpersoonsgegevens.nl/en.