F.A.Q.

Definitions and general questions on data in insurance

1. How is personal data defined?

"Personal Data" means any data relating to an individual who is or can be identified either from the data or from the data in conjunction with other information.
The definition is therefore very broad, and includes for example name, telephone number, email and IP address.

2. What is "sensitive data"?

Sensitive personal data consists in information on an individual which is of private nature and may lead to discrimination.
Because of the confidentiality of such information, regulatory frameworks provide more stringent protection for sensitive data than other types of personal data.

3. For which purpose do insurers need data?

Insurers' business is about understanding and measuring policyholders' risks, in order to provide them with first-rate products and services adapted to their needs (for instance, an insurance specifically designed according to the size of your car or your house). To do so, insurers leverage data all along the value chain, from product inception (more accurate design and pricing) to sales (informed customer marketing) and claims management (fraud analytics). Ultimately, this allows us to enhance customer experience through simplified procedures, more targeted and relevant information and quicker claims management. Data used by insurers are voluntarily and transparently provided by their clients.

4. What is "big data"? Why is it of relevance for insurers?

"Big" data is an expression that was coined in the late 1990s to describe a situation in which digital technologies provide not only an ever-increasing volume and variety of data (not only text, but also audio andvideo resources...), but also the technical resources to process and leverage it as added value for organisations and individuals.
It is especially relevant in the insurance sector because the insurance business model is inherently data-dependent. The processing of large amounts of data will help us to offer our clients adapted products and services evolving at the same pace as their needs.
Examples: AXA projects to better map the vulnerabilities to natural catastrophes by crossing historical public data with internal information on claims, in order to help authorities measure and reduce societal exposure to such disasters. AXA also leverages the increased precision of satellite image data to provide innovative parametric insurance solutions for farmers and contribute to food safety in emerging countries.

Collection and use of data by AXA

5. What type of data is collected?

AXA only collects and uses data to provide state-of-the-art protection and prevention solutions for our customers.
If one were to categorise, data collected by insurers would include:

• contact information - name, email address, marketing preferences...
• contract data, which allow the insurer to underwrite and manage the contract itself. The scope depends on the nature of the contract: for example it might include information about the contractor's financial situation and goals, health data, or driving history. Insurers may also collect data about past claims, or information necessary to comply with legislation.
• publicly available open data, e.g on natural catastrophes such as floods or storms in order to identify risk-prone areas and provide adapted risk prevention and management to customers

6. How is data collected? What are your sources?

There are three main stages during which an insurer obtains data:

• At application stage, in order to assess the risk and calculate the policyholder's premium.
• During the term of the policy
• When the claims process is conducted, to determine the amount that should be paid
  It can be obtained through different ways including in writing, face-to-face, by telephone or over the internet. The information can come both directly from clients (e.g. discussion with agents, filling forms) or indirectly (e.g. telematics devices installed on cars, health information in claims from expertise).
  AXA is particularly attached to the principle of obtaining data fairly and that the individual is informed of the use to which the information can be put, as well as the categories of people to whom it may be disclosed.

7. Does AXA buy data from third parties? What do you ask from your suppliers?

Yes, for example our Direct business buys leads on prospect customers from third party databases.
There are two kinds of databases, and we have designed policies accordingly to guarantee individuals' right to privacy:

• First, there are databases which collect nominative data to sell to retailers. AXA only works with such providers if they guarantee that the individuals concerned have opted-in to be included in these databases.
• The second category relates to non-nominative databases, which provide completely anonymised data. AXA only works with these providers if they provide an opt-out mechanism, meaning that any consumer can be removed from the database on their demand.

8. Does AXA use cookies? What is/are their purpose(s)?

Cookies are small text files that are placed on your computer by websites and/or applications that you visit. They are widely used in order to make websites and/or applications work, or work more efficiently, as well as to provide information to the owners of the website and/or application.
AXA uses cookies to better identify and address clients' and potential clients' needs. Our data privacy policy provides a clear "opt out" option so as to leave users a choice as to whether data is collected on them or not.
You can refuse cookies by configuring the preferences of your browser. For example for Microsoft Internet Explorer: select "Tools" then "Internet Options", then Click on "Privacy", then select the desired level using the cursor.

9. For how long does AXA keep data?

There is no single answer in terms of precise duration as it depends on the type of data and contract and the legislation of the country. Regulation and contractual obligations towards our clients require that we keep some forms of data over a long period, for example for health contracts as claims can take place many years later.

10. What do you mean by committing not to sell sensitive personal data?

By "sensitive personal data" we mean the kinds of confidential / non-public personal data that is sometimes provided to us by our customers at the time of their initial subscription for insurance coverage and during the term of their coverage.
This would include, for example, information concerning medical conditions or history, lifestyle choices or habits (e.g., smoker/non-smoker, exercise habits, etc.), or driving behaviours or history (e.g. past accidents or infractions) that a policyholder may provide to us as part of the policy application or administration processes in connection with health insurance, life insurance, auto insurance or other types of insurance coverage we provide to them.
We are very conscious that this type of information is personal, sensitive and, when entrusted to us by our policyholders, is entrusted for a very specific and limited purpose. We view ourselves as custodians of this data and treat it accordingly.We do not view it as an "asset" for sale and do not sell it to third parties outside the AXA Group.
We may market products jointly with other companies in cases where we believe there is a unique or otherwise compelling value proposition for our policyholders and customers.In this context, we may exchange certain client data and other information with a partner organization for joint marketing purposes but would do so only with appropriate confidentiality provisions in place and would not sell any of the sensitive personal data of our policyholders.

Customer access to data

11. What is the process to request a copy of the files that AXA has about me? What does such a summary look like?

Clients have a right to access their data, rectify errors and to opt-out from receiving marketing material.
Each AXA company specifies on its website how clients can lodge their demand, including:

• Web link to an enquiry form
• Email address
• Postal address
• Telephone number

The request is then handled by the customer requests departments and, for complex requests, they can involve their local data privacy teams, and the response can be validated by the entity's data privacy officer. If necessary, the answer can be validated by the General Counsel.
The process must be handled within one month of the date on which the request is lodged, unless it proves particularly difficult to find the necessary information to conduct the investigation (in line with regulation).

12. Examples of what answers to clients look like?

It depends on the local regulatory requirements. For example in France it is a paper copy of every document pertaining to the personal data of the individual. In Germany on the other hand the personal information is extracted from these documents and provided to the customer aggregated in one document.

13. Is it free?

It is free in most countries but not everywhere. In the UK there is a charge fee of 10 £ in line with regulation.

14. Is it possible to erase part or all of the data AXA has about me?

Yes, unless we are required to keep the data for legal or contractual reasons, notably if the data is critical to the management of an ongoing contract. For example, the French data retention legal framework allows insurers to keep personal data for very long periods.

IT Security

15. Can you give more detail about security procedures? Can you guarantee that client data is secure?

AXA's Information Security Policy is aligned with international standards and provides a framework which applies to all AXA entities. It aims at reaching and maintaining appropriate levels of confidentiality, integrity, availability and auditability of Information, as well as fostering trust in AXA for our customers, partners and employees.
It must however be noted that there is no such thing as zero-risk in this domain and we remain aware of the need to remain humble and discreet on the subject.

16. How does AXA protect its customers' data from unauthorized government and organisational scrutiny?

We do not share personal data with government authorities unless we are compelled to do so by regulation or a court order or similar process.

DPOs and BCRs

17. What is the role of the network of Data Privacy Officers (DPO)? How many DPOs are there in AXA? Who do they report to?

AXA has over 100 DPOs whose mandate is to ensure that personal and sensitive data is protected within the company.
Our global data privacy governance is composed of:
(i)a Group Data Privacy Officer (GDPO),
(ii)a Group Data Privacy Steering Committee,
(iii)a worldwide network of Data Privacy Officers coordinated by the Group Data Privacy Officer

The GDPO's job description requirements are as follows:

• 20 years of experience in International Finance sector of which
• 10 years of experience in operation departments or IT projects of which
  - 5 years of Heading a global operation or IT international function (e.g. CIO)
• 10 years of experience in Risk (e.g. Information Security or Operational Risk) or Compliance or Legal function of which
  - 5 years of Heading a global risk/compliance/legal international function
  - 5 years of Data Privacy Officer role
  The GDPO answers to the Group Chief Operating Officer and the Group General Counsel.

18. What are Binding Corporate Rules (BCRs)? Which added value do they bring clients?

BCRs are an internationally recognized standard providing adequate protection to personal data in multinational companies - reviewed and approved by 16 data protection authorities across Europe.
These 16 countries are France, Germany, Austria, Belgium, Spain, Greece, Ireland, Italy, Luxembourg, Netherlands, Poland, Czech Republic, Romania, United Kingdom, Slovakia, and Sweden.

The BCRs entail:

• Appointing a Data Privacy Officer (DPO),
• Processing personal data following the EU legal requirements on Data Privacy, which are among the most stringent in the world,
• A recurring internal audit program to check compliance,
• An effective program to manage demands from clients or employees about their personal data,
• A program providing specific training for AXA employees who are involved in the processing of personal data,
• Publishing the BCR on AXA's public Internet website and on AXA's Intranet.

Regulation and relationship with public authorities

19. Can you give examples of AXA's positions in public policy debates on data protection?

AXA plays a proactive role in public policy and regulatory debates around personal data protection, because the entire value chain involves the use of data.
Alongside other market players, AXA is consequently providing its expertise to regulators to ensure that the final outcome of these reforms takes into account the specificities of the insurance business model while still ensuring a significant level of protection of individuals' personal data. This includes for example the legitimate need for insurers to assess the risks of policy-holders, or to use data for motives of fraud detection.

20. What is the current state of regulation on personal data in France / in Europe / in the US / in Asia?

Legal frameworks on data privacy are heterogeneous across the world, reflecting different cultural preferences and approaches to these sensitive issues. This being said, Europe is known to have one of the most stringent data protection frameworks in place and it is this framework that is reflected in our Binding Corporate Rules and our Data Declaration.
There is a general movement to strengthen the existing frameworks, and this is an ever-evolving topic due to constant technological progress.
To learn more on the regulatory frameworks on the treatment of personal data, you can consult this page.

Data Innovation Lab (DIL)

21. What is the purpose of the DIL?

Set up in January 2014, the Data Innovation Lab (DIL) plays the role of AXA Group's centre of expertise for Big Data R&D projects. It supports AXA entities' on their data-linked projects by acting as an accelerator to carry out pilots, in compliance with applicable laws and the AXA Group's values, and by driving the creation of technological platforms to ease operational roll-out.
A legal officer and a security officer (as of June 2015) work for the DIL on data privacy and compliance matters.

22. How is data privacy preserved in the projects?

There are several means to preserve privacy in the DIL's projects.
The first one is privacy by design: protecting privacy by embedding it into the design specifications of technologies, data integration approaches, algorithms and business practices. The DIL is also implementing appropriate security measures such as encryption techniques and the relevant security procedures on our platforms and for data transfer, designed to protect client data from unauthorized use or disclosure.
The second one is to avoid processing using personal data by using anonymisation techniques.
Besides, whenever personal data is transferred from a local AXA entity, the DIL follows a very rigorous process controlled both by the Group's and the entity' data privacy experts to ensure compliance with regulatory and internal requirements.
When it is unavoidable to use personal data for a project, the DIL will use them in compliance with the applicable law(s) and the data privacy authorities' requirements. In France for instance the processing of personal data may require prior formalities (declaration or authorization) to the "Commission Nationale Informatique et Libertés" (CNIL) or the appointed data privacy officer of the entity.

Education and research

23. How can customers be informed and educated on data privacy? Does AXA plan to educate its customers on how to protect their data?

AXA already launched several initiatives, among them the "Guide du bon sens numérique" (digital behaviour guidelines) in France.
This will be complemented by initiatives in other countries in the coming months.

24. How does AXA plan to educate its employees on the importance and impact of protecting consumer and employee information and their role in safeguarding data?

AXA has set up a specific training program for AXA employees involved in the processing of personal data.
This training is focused on newly hired employees as part of their induction session upon AXA, and is especially devoted to employees who are more intimately involved with critical aspects of personal data.

25. Does the AXA Research Fund sponsor experts on data privacy?

The AXA Research Fund is in the process of supporting Paul Ohm, a US academic who is one of the top experts on data privacy.
His work is focused on understanding how data can lead to discriminatory actions and privacy invasions, in order to set safeguards for better protection standards. He actively encourages computer scientists to reflect critically on the social impacts of their work and helps policymakers understand the nature of the challenges ahead.
To support his work, he was granted the "AXA award - Big Data, Privacy, and Discrimination", for a total amount of EUR 250,000.
There is also a 2-year joint project research between AXA and Sciences Po's Médialab: "Insurance for building trust and enabling Big Data". This research will aim at determining how private actors can play a role in complementing legal frameworks on data privacy, for instance by building insurance offers in the field of data protection.