Frequently asked questions
"Personal Data" means any data relating to an individual who is or can be identified either from the data or from the data in conjunction with other information.
The definition is therefore very broad, and includes for example name, telephone number, email and IP address.
Sensitive personal data consists of information about an individual that is of a private nature and may lead to discrimination.
Because of the confidentiality of such information, regulatory frameworks provide more stringent protection for sensitive data than other types of personal data.
Insurers' business is about understanding and measuring policyholders' risks, in order to provide them with first-rate products and services adapted to their needs (for instance, an insurance specifically designed according to the size of your car or your house). To do so, insurers leverage data all along the value chain, from product inception (more accurate design and pricing) to sales (informed customer marketing) and claims management (fraud analytics). Ultimately, this allows us to enhance customer experience through simplified procedures, more targeted and relevant information and quicker claims management. Data used by insurers are voluntarily and transparently provided by their clients.
"Big" data is an expression that was coined in the late 1990s to describe a situation in which digital technologies provide not only an ever-increasing volume and variety of data (not only text, but also audio andvideo resources...), but also the technical resources to process and leverage it as added value for organisations and individuals.
It is especially relevant in the insurance sector because the insurance business model is inherently data-dependent. The processing of large amounts of data will help us to offer our clients adapted products and services evolving at the same pace as their needs.
Examples: AXA projects to better map the vulnerabilities to natural catastrophes by crossing historical public data with internal information on claims, in order to help authorities measure and reduce societal exposure to such disasters. AXA also leverages the increased precision of satellite image data to provide innovative parametric insurance solutions for farmers and contribute to food safety in emerging countries.
AXA only collects and uses data to provide state-of-the-art protection and prevention solutions for our customers.
If one were to categorise, data collected by insurers would include:
There are three main stages during which an insurer obtains data:
Yes, for example our Direct business buys leads on prospect customers from third party databases.
There are two kinds of databases, and we have designed policies accordingly to guarantee individuals' right to privacy:
Cookies are small text files that are placed on your computer by websites and/or applications that you visit. They are widely used in order to make websites and/or applications work, or work more efficiently, as well as to provide information to the owners of the website and/or application.
There is no single answer in terms of precise duration as it depends on the type of data and contract and the legislation of the country. Regulation and contractual obligations towards our clients require that we keep some forms of data over a long period, for example for health contracts as claims can take place many years later.
By "sensitive personal data" we mean the kinds of confidential / non-public personal data that is sometimes provided to us by our customers at the time of their initial subscription for insurance coverage and during the term of their coverage.
This would include, for example, information concerning medical conditions or history, lifestyle choices or habits (e.g., smoker/non-smoker, exercise habits, etc.), or driving behaviours or history (e.g. past accidents or infractions) that a policyholder may provide to us as part of the policy application or administration processes in connection with health insurance, life insurance, auto insurance or other types of insurance coverage we provide to them.
We are very conscious that this type of information is personal, sensitive and, when entrusted to us by our policyholders, is entrusted for a very specific and limited purpose. We view ourselves as custodians of this data and treat it accordingly. We do not view it as an "asset" for sale and do not sell it to third parties outside the AXA Group.
We may market products jointly with other companies in cases where we believe there is a unique or otherwise compelling value proposition for our policyholders and customers. In this context, we may exchange certain client data and other information with a partner organization for joint marketing purposes but would do so only with appropriate confidentiality provisions in place and would not sell any of the sensitive personal data of our policyholders.
Clients have a right to access their data, rectify errors and to opt-out from receiving marketing material.
Each AXA company specifies on its website how clients can lodge their demand, including:
The request is then handled by the customer requests departments and, for complex requests, they can involve their local data privacy teams, and the response can be validated by the entity's data privacy officer. If necessary, the answer can be validated by the General Counsel.
The process must be handled within one month of the date on which the request is lodged, unless it proves particularly difficult to find the necessary information to conduct the investigation (in line with regulation).
It depends on the local regulatory requirements. For example in France it is a paper copy of every document pertaining to the personal data of the individual. In Germany on the other hand the personal information is extracted from these documents and provided to the customer aggregated in one document.
It is free in most countries but not everywhere.
The number of customer privacy data breaches in 2022 is 37.
Yes, unless we are required to keep the data for legal or contractual reasons, notably if the data is critical to the management of an ongoing contract. For example, the French data retention legal framework allows insurers to keep personal data for very long periods.
AXA's Information Security Policy is aligned with international standards and provides a framework which applies to all AXA entities. It aims at reaching and maintaining appropriate levels of confidentiality, integrity, availability and auditability of Information, as well as fostering trust in AXA for our customers, partners and employees.
It must however be noted that there is no such thing as zero-risk in this domain and we remain aware of the need to remain humble and discreet on the subject.
We do not share personal data with government authorities unless we are compelled to do so by regulation or a court order or similar process.
AXA has over 100 DPOs whose mandate is to ensure that personal and sensitive data is protected within the company.
Our global data privacy governance is composed of:
(i) a Group Data Privacy Officer (GDPO),
(ii) a Group Data Privacy Steering Committee,
(iii) a worldwide network of Data Privacy Officers coordinated by the Group Data Privacy Officer
The GDPO's job description requirements are as follows:
BCRs are an internationally recognized standard providing adequate protection to personal data in multinational companies - reviewed and approved by 16 data protection authorities across Europe.
These 16 countries are France, Germany, Austria, Belgium, Spain, Greece, Ireland, Italy, Luxembourg, Netherlands, Poland, Czech Republic, Romania, United Kingdom, Slovakia, and Sweden.
AXA plays a proactive role in public policy and regulatory debates around personal data protection, because the entire value chain involves the use of data.
Alongside other market players, AXA is consequently providing its expertise to regulators to ensure that the final outcome of these reforms takes into account the specificities of the insurance business model while still ensuring a significant level of protection of individuals' personal data. This includes for example the legitimate need for insurers to assess the risks of policy-holders, or to use data for motives of fraud detection.
Legal frameworks on data privacy are heterogeneous across the world, reflecting different cultural preferences and approaches to these sensitive issues. This being said, Europe is known to have one of the most stringent data protection frameworks in place and it is this framework that is reflected in our Binding Corporate Rules and our Data Declaration.
There is a general movement to strengthen the existing frameworks, and this is an ever-evolving topic due to constant technological progress.
To learn more on the regulatory frameworks on the treatment of personal data, you can consult this page.
Set up in January 2014, the Data Innovation Lab (DIL) plays the role of AXA Group's centre of expertise for Big Data R&D projects. It supports AXA entities on their data-linked projects by acting as an accelerator to carry out pilots, in compliance with applicable laws and the AXA Group's values, and by driving the creation of technological platforms to ease operational roll-out.
A legal officer and a security officer (as of June 2015) work for the DIL on data privacy and compliance matters.
There are several means to preserve privacy in the DIL's projects.
The first one is privacy by design: protecting privacy by embedding it into the design specifications of technologies, data integration approaches, algorithms and business practices. The DIL is also implementing appropriate security measures such as encryption techniques and the relevant security procedures on our platforms and for data transfer, designed to protect client data from unauthorized use or disclosure.
The second one is to avoid processing using personal data by using anonymisation techniques.
Besides, whenever personal data is transferred from a local AXA entity, the DIL follows a very rigorous process controlled both by the Group's and the entity's data privacy experts to ensure compliance with regulatory and internal requirements.
When it is unavoidable to use personal data for a project, the DIL will use them in compliance with the applicable law(s) and the data privacy authorities' requirements. In France for instance the processing of personal data may require prior formalities (declaration or authorization) to the "Commission Nationale Informatique et Libertés" (CNIL) or the appointed data privacy officer of the entity.
AXA already launched several initiatives, among them the "Guide du bon sens numérique" (digital behaviour guidelines) in France.
This will be complemented by initiatives in other countries in the coming months.
AXA has set up a specific training program for AXA employees involved in the processing of personal data.
This training is focused on newly hired employees as part of their induction session upon joining AXA, and is especially devoted to employees who are more intimately involved with critical aspects of personal data.
The AXA Research Fund is in the process of supporting Paul Ohm, a US academic who is one of the top experts on data privacy.
His work is focused on understanding how data can lead to discriminatory actions and privacy invasions, in order to set safeguards for better protection standards. He actively encourages computer scientists to reflect critically on the social impacts of their work and helps policymakers understand the nature of the challenges ahead.
To support his work, he was granted the "AXA award - Big Data, Privacy, and Discrimination", for a total amount of EUR 250,000.
There is also a 2-year joint research project between AXA and Sciences Po's Médialab: "Insurance for building trust and enabling Big Data". This research will aim at determining how private actors can play a role in complementing legal frameworks on data privacy, for instance by building insurance offers in the field of data protection.