Privacy policy

 

Information provided pursuant to Art. 13 of Regulation (EU) 2016/679

(General Data Protection Regulation – GDPR)

  •  GENERAL INFORMATION

In compliance with the provisions of Articles 12 and 13 of Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”), this page describes the processing of personal data carried out by the Data Controller, as defined in point 2 below, with regard to the data subjects involved in the processing listed below (“data subjects”).

The information on this website does not refer to other processing operations carried out following the navigation of websites reached through links that may be present within it.

  • DATA CONTROLLER

The Data Controller of the Processing is:

As part of the execution of certain processing activities, the owner may use the support of service providers, who will act as data controllers under specific agreements signed pursuant to Article 28 of the GDPR.

  • DATA PROTECTION OFFICER

The Data Controller has not appointed a Data Protection Officer (DPO), as it does not fall within the terms of the provisions of art. 37-39 GDPR 2016/679.

  • TYPES OF PROCESSING
  • CONTACT REQUEST DATA

The management of contact requests, proposed by filling in the forms on this website, involves the acquisition of personal data of the interested party/user. 

Purpose of the processing

(Art. 13, par. 1, lett. c), GDPR)

The personal data collected are used for the sole purpose of responding to the requests sent, and communicating with the data subject in any subsequent phases. Providing some of the data is mandatory; the mandatory fields are marked with an asterisk.

Categories of personal data

  • personal data (name, surname),
  • contact details (e-mail address),
  • any other data/information entered in the request.

Lawfulness of processing

(Art. 13, par. 1, lett. c), GDPR)

The processing is carried out in order to perform an activity requested by the data subject (art. 6, par. 1, lett. b), GDPR).

Scope of communication

(Art. 13, par. 1, letters e) and f) of the GDPR)

The data are processed exclusively by authorized personnel, instructed in the processing and adequately trained. They may also be processed by other subjects, involved by the Data Controller for purposes related to the processing itself (support for the management of the website; consulting firms): these subjects have the role of data processors and have signed specific agreements with the Data Controller pursuant to art. 28, par. 3, GDPR.

In any case, the personal data collected will not be disclosed to third parties, or disseminated or transferred outside the European Union/European Economic Area.

Processing methods

(Recital 39, GDPR)

Personal data are processed lawfully, correctly and transparently, in compliance with the principles provided for by current legislation. The processing of personal data takes place through IT and automated tools. Taking into account the nature and characteristics of the processing, the Data Controller has adopted technical and organisational security measures aimed at limiting or excluding the risks of data loss, any unlawful or incorrect use, or unauthorised access.

Data retention period

(Art. 13, par. 2, lett. a), GDPR)

Personal data is kept for the time necessary for the management of the relationship with the applicant.

Nature of the provision

(Art. 13, par. 2, lett. e), of the GDPR)

The data are provided voluntarily by the data subjects. However, failure to provide them may affect the management of the request and the sending of feedback.

  • CUSTOMERS AND SUPPLIERS AND THEIR CONTACT PERSONS

As part of the performance of activities related to contractual relationships with customers and suppliers, personal data of these subjects may be processed.

Purpose of the processing

(Art. 13, par. 1, lett. c), GDPR)

The data are processed in order to:

  • conclude contractual/professional relationships;
  • fulfil pre-contractual, contractual and regulatory obligations related to existing or future relationships, as well as manage the necessary communications related to them;
  • exchange communications in relation to the contractual relationship established between the parties;
  • comply with the obligations provided for by laws, regulations, European standards or orders of the Authority;
  • exercise the legitimate interests or rights of the Data Controller (for example: right of defence in court; protection of credit positions; ordinary internal operational, managerial and accounting needs).

Categories of personal data

  • personal data (name, surname, tax code/VAT number);
  • contact details (telephone number; e-mail/certified email address; domicile/registered office addresses);
  • data relating to the professional sphere (data relating to the company for which the data subject works);
  • bank and payment details.

Lawfulness of processing

(Art. 13, par. 1, lett. c), GDPR)

The processing activities for these purposes are carried out on the basis of various conditions of lawfulness: for the fulfilment of contracts or pre-contractual measures (Article 6, paragraph 1, letter b) of the GDPR); for compliance with legal obligations (Art. 6(1)(c) GDPR); for the pursuit of the legitimate interests of the Data Controller (e.g.: exercise or defense of rights in or out of court) (Article 6, paragraph 1, letter f), of the GDPR).

Scope of communication

(Art. 13, par. 1, lett. e) and f), of the GDPR)

The data are processed exclusively by authorized personnel who are instructed in the processing and adequately trained. They may also be processed by other subjects, involved by the Data Controller for purposes related to the processing itself (e.g.: tax consultants; law firms; public bodies and competent authorities; etc.). In some cases, these subjects have the role of data processors and have signed specific agreements with the Data Controller pursuant to art. 28, par. 3, GDPR. In specific cases (e.g. investigations and assessments), personal data may be made available to the competent authorities.

In any case, personal data will not be disclosed to third parties, or disseminated or transferred outside the European Union/European Economic Area.

Processing methods

(Recital 39, GDPR)

Personal data are processed lawfully, correctly and transparently, in compliance with the principles provided for by current legislation. The relevant processing is carried out through IT and paper tools.

Taking into account the nature and characteristics of the processing, the Data Controller has adopted technical and organisational security measures aimed at limiting or excluding the risks of data loss, any unlawful or incorrect use, or unauthorised access.

Data retention period

(Art. 13, par. 2, lett. a), of the GDPR)

The data are kept for the time strictly necessary for the fulfilment of contractual or regulatory obligations.

Nature of the provision

(Art. 13, par. 2, lett. e), of the GDPR)

The provision of data is mandatory for the fulfilment of the purposes described above.

  • BROWSING DATA

The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters related to the user’s operating system and computing environment.

Purpose of the processing

(Art. 13, par. 1, lett. c), GDPR)

These data are used for the sole purpose of obtaining statistical information on the use of the site and to check its correct functioning. The data could also be used to ascertain responsibility in the event of hypothetical computer crimes against the site (legitimate interests of the owner).

Lawfulness of processing

(Art. 13, par. 1, lett. c), GDPR)

The processing is necessary for the pursuit of the legitimate interests of the Data Controller in the security of its information system, and for the evaluation of the use of the website and its operation (Article 6, paragraph 1, letter f), of the GDPR).

Scope of communication

(Art. 13, par. 1, lett. e) and f), of the GDPR)

The data are processed exclusively by authorized personnel who are instructed in the processing and adequately trained. They may also be processed by other subjects, involved by the Data Controller for purposes related to the processing itself (e.g. support for the management of information systems and of this website). In some cases, these subjects have the role of data processors and have signed specific agreements with the Data Controller pursuant to art. 28, par. 3, GDPR. The data may be communicated to the competent authorities in specific cases.

In any case, personal data will not be disclosed to third parties, or disseminated or transferred outside the European Union/European Economic Area.

Processing methods

(Recital 39, GDPR)

Personal data are processed lawfully, correctly and transparently, in compliance with the principles provided for by current legislation. The processing is carried out using IT and automated tools.

Taking into account the nature and characteristics of the processing, the Data Controller has adopted technical and organisational security measures aimed at limiting or excluding the risks of data loss, any unlawful or incorrect use, or unauthorised access.

Data retention period

(Art. 13, par. 2, lett. a), GDPR)

The data are normally stored for the fulfilment of the purposes indicated above, for short periods of time, with the exception of any extensions related to investigation activities.

Nature of the provision

(Art. 13, par. 2, lett. e), of the GDPR)

The provision of data is implicit in accessing and browsing the website. 

  • COOKIE

For more general information on cookies and how to enable and disable them, please consult the Cookie Policy document.

  • RIGHTS OF THE DATA SUBJECT (GDPR art. 15-22)

At any time, the interested party may exercise the following rights:

  • request confirmation of the existence of processing activities of their personal data.
  • obtain information about the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be disclosed and the storage period (or, if this is not possible, the indication of the criteria that allow it to be determined).
  • obtain the rectification and deletion of data.
  • obtain, under the conditions and in the cases provided for by current legislation, the limitation of processing.
  • obtain, in the cases provided for by current legislation, the portability of the data, i.e. receiving them from a data controller, in a structured, commonly used and machine-readable format, also in order to transmit them to another data controller without hindrance.
  • in the cases provided for by current legislation, object to the processing at any time and also in the case of processing for direct marketing purposes.
  • lodge a complaint with the Guarantor for the protection of personal data, in accordance with the procedures provided for by this authority.

Requests should be addressed to the Data Controller by writing to the e-mail address info@idclex.com for the processing described.

This information document was last updated on 18/11/2024.

Support in institutional relations

  • For managing relations with administrative bodies (Authority for the Protection of Personal Data, Competition and Market Authority, Institute for Insurance Supervision)
  • For the establishment and authorization of undertakings to carry out insurance activities in the Italian Republic
  • To European undertakings for the process of notifying the Institute for Insurance Supervision of their intention to operate in the Italian Republic
  • For the establishment of intermediaries based in Italy and their authorization to perform the brokerage activity in the Italian Republic
  • For the process for European intermediaries of notifying the Institute for Insurance Supervision of their intention to operate in the Italian Republic

Documents, processes and compliance check

  • Drafting and revising information sets for life and non-life products
  • Drafting reporting agreements under art. 107, clause 3 of Legislative Decree 209/2005
  • Drafting horizontal cooperation agreements under Art. 22, clause 10 of Legislative Decree 179/2012 converted by law 221/2012
  • Planning sales methods with remote communication techniques and compliance check of web portals, processes, scripts for telephone operators
  • Planning sales methods for instant insurance
  • Drafting ad hoc procedures for the POG under Art. 30 decies of Legislative Decree 209/2005 and IVASS regulation 45/2020

Advertising, consumer rights, privacy and data protection

  • Issues relating to advertising communication law
  • Planning prize events in accordance with Presidential Decree 430/2001
  • Issues relating to civil, insurance and consumer law regarding the activities of undertakings operating in Italy under the rules on establishment or under the freedom to provide services
  • Civil, insurance and consumer law issues relating to distribution and broker agent networks

Artificial Intelligence

  • Consulting and general training for compliance with EU Regulation 2024/1689 (AI ACT)
  • Obligations for AI users: support for conducting fundamental rights impact assessments and meeting transparency requirements for limited risk AI systems.
  • Obligations for AI providers: consulting to meet governance and data quality requirements, drafting technical documentation, and assessing IT security requirements.
  • Obligations for importers of AI: Verification of compliance of the high risk AI system.
  • Obligations for AI distributors: assessment of AI system compliance, implementation of corrective actions where necessary.
  • Consulting for the certification of artificial intelligence management systems according to ISO42001.

Cybersecurity

  • Compliance Regulation 38/2018 IVASS
  • CISO (Chief Information Security Officer) role in outsourcing
  • Training
  • Advice on the implementation of EIOPA guidelines on security and governance of information and communication technology
  • Conducting security testing, vulnerability assessment and penetration testing to assess the security posture with regard to quantifying cyber insurance policy premiums of insurance company client organisations
  • Advice on obtaining ISO27001, ISO22301 and other international standards focused on data protection and information security
  • Consulting for the drafting of Business Continuity plans
  • Consulting on the application of the TIBER-IT framework for conducting advanced cybersecurity testing.
  • Compliance DORA Regulation on Operational Digital Resilience.
  • Risk analysis of ICT suppliers

Privacy

  • Compliance EU Regulation 2016/679 (GDPR)
  • Consulting for compliance with Italian data protection regulations (Legislative Decree 196/2003)
  • DPO (Data Protection Officer) role in outsourcing
  • Training
  • Compliance with the Privacy Guarantor Order on System Administrators’ Logs
  • Compliance with the Italian Data Protection Authority’s provision on cookie management
  • Conducting impact assessments for data processing using new technologies
  • Compliance management in the insurance chain
  • Data processing in tender notices of insurance companies awarded contracts
  • Subjective role of privacy in bancassurance
  • Processing of health data in the context of life insurance policies and claims management
  • Processing of data of third party beneficiaries of life insurance policies
  • Processing of judicial data in the context of checks carried out by the anti-money laundering function
  • Privacy impact assessment of usage-based insurance policies
  • Regulating data protection in the use of Artificial Intelligence in the insurance value chain (IVASS and EIOPA guidelines):
    • predictive models of disease development patterns (design and development of insurance products);
    • advanced risk assessments that combine traditional and new data sources (including IoT data);
    • Price optimisation: microtarget/individualised pricing based on individual non-risk behavioural data;
    • virtual assistants and chatbots using natural language processing (NLP) and insurance semantics to support customer communication;
    • Advanced fraud analysis: complaint scoring, anomaly detection, social network analysis and behavioural patterns;
    • Automated segmentation of claims by type and complexity and automated verification of invoices and payment process.
  • Compliance in the design and development of insurance apps in the Insurtech sector
  • Data protection in the insurance agent network
  • Data protection in the network of insurance adjusters
  • Turnkey privacy compliance for Insurtech start-ups