Privacy, security and
personal data protection policy
OPTEVEN Group is committed to ensuring a high level of protection of the personal data of its customers or their representatives, its suppliers and other business partners, and/or candidates applying for jobs on one of OPTEVEN Group’s websites (hereinafter “You”), and the respect of their privacy is a key issue.
This is the reason why, OPTEVEN (hereinafter “We”) implemented technical and organisational measures to preserve the security and confidentiality of your personal data and, in particular, to prevent any distortion, damage, destruction, loss or disclosure of your personal data to unauthorised third parties.
- Who is the data controller?
- What personal data do we use?
- Why do we collect and use your personal data?
- Who processes your personal data?
- With whom do we share your personal data?
- What are our data protection commitments?
- Where is your personal data processed?
- How long will your personal data be stored?
- What are your preferences regarding commercial prospecting?
- Security of processing
- What are your rights regarding your personal data?
- How to contact us to exercise your rights?
- What is a personal data?
Personal data is any information or data that directly or indirectly identifies a natural person:
By reference to an identifier, such as a name, an identification number (e.g. claim number), an online identifier (e.g. email), a telephone number, a date of birth, etc.
By reference to one or more specific elements of their physical identity (e.g. handwriting).
By cross-referencing information such as date of birth, postal address, etc.
Personal data will be hereinafter referred to as “personal data”.
- What is a data processing operation?
Data processing is any operation or set of operations which is performed upon personal data, by automatic means or not, including collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available in any other way, alignment or combination, restriction, erasure or destruction.
- What is a data controller?
A data controller is any natural or legal person who determines, alone or jointly, the purposes and means of a processing operation.
2 Who is the data controller?
Depending on the nature of our relationship with you and/or the contracts you have entered into with OPTEVEN, the controller of your personal data may be one or more of the following entities jointly:
- OPTEVEN Assurances, a services company specialised in the management of commercial warranties for car business professionals and dealers, and the management of maintenance services attached to a car. OPTEVEN Services is a simplified limited company having its registered office located 10, rue Olympe de Gouges, 69100 Villeurbanne, France, with a share capital of 375 878 euros, registered to the trade register of Lyon under number 333 375 426.
- And/or OPTEVEN Services, a services company specialised in the management of commercial warranties for car business professionals and dealers, and the management of maintenance of maintenance services attached to a car. OPTEVEN Services is a simplified limited company with a share capital of 375 878 euros, registered to the trade register of Lyon under number 333 375 426.
- And/or OPTEVEN Courtage, is a simplified limited company with a share capital of 6 384 430 euros, registered to the trade register of Lyon under number 843 914 300, having its registered office located 10 rue Olympe de Gouges 69100 Villeurbanne, and registered to the ORIAS, the French national register for insurance brokers, under number 18008174 (orias.fr).
For example, if your contract concerns a “mechanical breakdown” insurance service, the data controller will be OPTEVEN Assurances. If your contract concerns a maintenance service for your vehicle, the data controller will be OPTEVEN Services.
OPTEVEN’s Data Protection Officer (DPO) is M. Thomas ROCHE, who can be reached at the following email address: firstname.lastname@example.org.
When OPTEVEN acts as a subcontractor, you can refer to the general or specific conditions of your contract with OPTEVEN for further information.
3 What personal data do we use?
3.1. Personal data we collect and use when you browse our website (group.opteven.com)
When you browse and use the services on our website, we collect the following personal data:
- If you use the contact form: your name, email address, phone number.
- Personal data collected by cookies: your IP address, browsing choices or patterns, frequency and dates of visits, duration of connection, display preferences, sites visited. We encourage you to read our cookies policy available here : https://group.opteven.com/cookies-policy/ for more information.
3.2. Personal data that we collect and use in the course of our activities (apart from the use and browsing of our website)
We collect and use your personal data to be able to offer you the most adequate insurance or service contract, that matches your needs.
Depending on the insurance or service contract concerned, we collect certain categories of personal data, including the following ones:
- Identification data (e.g. surname, first name, date and place of birth, identity card number, driving licence) ;
- Personal details (examples: postal address, email address, landline and/or mobile phone number);
- Your vehicle data (examples : number plate, vehicle identification number or “VIN”);
- Data relating to your contract (examples: customer identification number, contract number, warranty number, claim number);
- Data necessary for the fight against fraud, including insurance fraud, money laundering and terrorist financing;
- Connection and tracking data (examples: cookies, connection to our websites, connection to our mobile applications);
- Location data (GPS position of the mobile phone) when using mobile applications dedicated to assistance, published by OPTEVEN, in order to geolocate beneficiaries of assistance contracts to provide them the assistance services they’re entitled to, and to allow them to track the arrival of the assistance provider in charge of their breakdown services.
- Data relating to salary expectations and all data transmitted in the curriculum vitae as part of an unsolicited application or in response to a job offer for OPTEVEN Group.
This personal data may be collected directly by OPTEVEN because we are your direct contact in a contractual relationship or indirectly because you are, for example, the beneficiary of an insurance policy taken out by one of our partners.
If you provide us with the details of other persons (e.g. those designated as beneficiaries of your contract, users or passengers of your vehicle), you must first ensure that these persons have given their consent to the processing of their data by OPTEVEN and the purposes for which we use such data. For more information, you can redirect them to this Policy.
4 Why do we collect and use your personal data ?
4.1. Personal data we collect and use when you browse our website (group.opteven.com)
Your personal data are collected and processed by OPTEVEN for the following purposes:
- To provide you with the services offered on our website, in particular via the contact form or the career/recruitment platform if you wish to use these services.
- To contact you directly if you have requested it by filling and sending us the contact form
- For the implementation and management of our cookies, in accordance with our cookies policy that is available here: https://group.opteven.com/cookies-policy/
4.2. Personal data that we collect and use in the course of our activities (apart from the use and browsing of our website)
Your personal data are collected and processed by OPTEVEN for the following purposes:
For the conclusion and management of your contract, and the execution of the warranties of your contract
We use your personal data to conclude and execute our insurance and services contracts, and in particular:
- To gather and understand your needs to ensure that we give you a consistent and high-quality customer advice;
- To draw up quotations to develop tailor-made solutions for your needs;
- To assess all risks, which supposes an examination, control and supervision of the risk, and evaluation to determine a pricing;
- To comply with the cover of the relevant contract;
- To communicate with you, in particular in case a claim arises, to give you all useful information and guide you through the process;
- To ensure the implementation of the benefits of your contract;
- Provide an online assistance service for beneficiaries of assistance services who use OPTEVEN’s mobile applications,
We inform you that the telephone conversations between you and OPTEVEN may be recorded for evidentiary purposes, to improve our quality of service and to train and evaluate our employees, unless you object to it.
- For the management of complaints and disputes by our teams ;
- To comply with legal, regulatory, and administrative obligations applicable to us, in particular :
The fight against fraud, especially insurance fraud;
Anti-money laundering and combating the financing of terrorism;
Responding to any official request from any public supervisory authority or administration;
Supervision and risk management.
- For human resources purposes, to manage applications and recruitement processes
- For any legitimate interest
We use your personal data to deploy and develop our policies, improve risk management and enforce our rights, including :
- Proof of payment of premium or contribution;
- Information system management, ensure the continuity of our operations, and IT security;
- The training and awareness of our staff through the recording of calls made or received by our call platforms;
- To carry out studies or statistics
We use and exploit your personal data for statistical and actuarial purposes in order to :
- Assess your needs and interests,
- Develop our products and services offers ;
- Improve our quality of service
- Personalise our relationship with you ;
- Reduce the number of claims, in particular by implementing preventive measures.
- To carry out operations of customer relation commercial management and commercial prospecting
We use and exploit your personal data for the following purposes :
- Customer relation management operations and assessment of their level of satisfaction;
- Operations relating to prospecting, such as loyalty programs actions, prospecting, surveys;
- Management of customers’ opinions and consultations on our products, services or contents;
- elaboration of offers adapted to your needs or preferences in a timely and reliable manner (in particular an offer to renew your contract or to supplement your cover);
- Commercial solicitation on your part, for instance if you wish to receive a quote or documentation on our products, then OPTEVEN may offer you services and/or insurance products in connection with your request. If you wish to benefit from another product and/or service than what you initially requested, your information may also be transmitted to other entities of OPTEVEN Group, as identified on page 2 herein, to their distributors and partners. In the absence of contractual relationship between us, and except for products for which you have requested information, OPTEVEN will only send you commercial proposals by electronic means (email, SMS, MMS) if you have given your prior consent.
5 Who processes your personal data?
Regardless of their respective responsibilities, all OPTEVEN’s departments may be required to process your personal data for the purposes of their activity and to execute their tasks internally or for the benefit of customers. Each OPTEVEN employee who is required to process personal data is expressly authorised to do so by their line manager or company’s management
Our employees are alerted on the processing of personal data made available to them as part of their missions and are required to comply with OPTEVEN’s internal rules defined in accordance with the applicable European and national regulations.
6 With whom do we share your personal data?
Within the framework of our activities, we may communicate certain categories of your personal data, for the purposes listed above, to our subcontractors, our services providers duly authorised by OPTEVEN (tow trucks, debt management, (online) marketing, IT service providers, printing, logistics, opinion polls, market research, etc.), our partners, our lawyers, our experts who need it for their activities.
Except where OPTEVEN and these subcontractors act as joint-controllers, the recipients listed above act as subcontractors – defined as any company that processes personal data on the instructions and under the responsibility and control of OPTEVEN – for the processing of all or part of the personal data to the extent necessary for the performance of their services.
These recipients are contractually bound to respect the confidentiality and security of your personal data and to use it solely for the purposes of the services we have entrusted to them.
In case of necessary transfer of your personal data to a subcontractor outside the European Union, OPTEVEN will concludes a data transfer agreement with such subcontractor to ensure an adequate and equivalent level of protection of your personal data as the European Union’s standards.
Apart from the recipients listed above and unless we are obliged to do so by a judicial authority or by law, or to protect our rights and interests, we undertake not to communicate, share, make available or sell your personal data to third parties without your express prior consent.
7 What are our data protection commitments?
We are committed to ensuring the protection of your personal data right from the conception of our products, services, websites and applications.
We implement technical and organisational measures adapted to the degree of sensitivity of your personal data.
- Purpose limitation
Personal data is processed by OPTEVEN for a specific, explicit and legitimate purpose for each of the processing operations concerned.
The processing of personal data is also subject to the principle of lawfulness.
A processing is only lawful if at least one of the following six conditions is met:
- The data subject consented to the processing of their personal data for one or more specific purposes;
- The processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the request of the data subject;
- The processing is necessary for OPTEVEN to comply with a legal obligation,
- The processing is necessary to protect the vital interests of the data subject or of another natural person;
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in OPTEVEN;
- The processing is necessary for the legitimate interests pursued by OPTEVEN or by a third party, unless the interests or fundamental rights and freedoms of the data subject prevail.
Consequently, your consent is not systematically required.
- Data minimisation
Personal data must be adequate, relevant and limited to the elements necessary for the purposes of the processing carried out by OPTEVEN.
This is why OPTEVEN endeavours to limit as much as possible the nature and volume of the data collected with regard to the purposes of the processing, while also limiting the duration of the processing thus carried out.
We deal exclusively with third parties who respect privacy and limit their access to the personal data necessary for the performance of their tasks. Information exchanges are carried out using secure protocols. To ensure a high level of security for your personal data, our subcontractors are subject to control and audit measures.
We protect the IT developments carried out on our tools by limiting transfers outside our infrastructure. Our information system is accessible only to authorised persons.
We do not share your personal data with business partners without your prior consent and without informing you of the possibility to exercise your right to object.
8 Where is your personal data processed?
We may transfer your personal data to services providers located outside the European Union to the extent necessary to perform our services or to comply with a legal obligation (e.g. tax reporting obligations).
In such a situation, the transfer of your personal data is limited to countries that have been recognised by the European Commission as having an adequate level of protection. For other countries, such a transfer can only take place if the recipient of the data presents sufficient guarantees that the transfer will be carried out in accordance with the requirements of the applicable regulations, and as such complies either with the European Commission’s standard contractual clauses or with internal company rules that are binding.
9 How long will your personal data be stored?
We undertake to keep your personal data in a secure environment, only for as long as is adequate and necessary to achieve the purposes for which it was collected or for the minimum retention period provided for by applicable legislation, particularly in civil and commercial matters. This includes in particular the retention of certain personal data at the end of our contractual relationship, in order to comply with our legal obligations and within the framework of legal proceedings in order to defend our legal rights.
For example :
For purposes related to the existence of a contractual relationship with us, we store your personal data for the duration of your contract and then archive it for the duration of the legal statute of limitations for the purposes of proof for the establishment, exercise or defence of a legal claim.
For invoicing purposes, we retain your personal data for a period of ten (10) years after the end of your contract, in accordance with legal obligations.
If no contract is concluded, we will delete your personal data two (2) years after the last contact with you.
Cookies are retained for a period of thirteen (13) months from the date of collection.
Telephone records are kept for six (6) months.
10 What are your preferences regarding commercial prospecting?
We carry out various communication activities as part of our relationship with you in order to offer you products and services tailored to your needs.
If you have given your prior consent (except where permitted by applicable law), we may send you our commercial offers by email and/or SMS. Unless you object, we may also contact you by telephone or send you our offers by post.
You may withdraw your consent and/or object to receiving marketing communications from us at any time by contacting us as described in the section “What are your rights regarding your personal data?
We may also process the data we hold about you in order to send you commercial offers based on an analysis of your profile which may be of interest to you (or “profiling”). In accordance with the applicable regulations on the protection of personal data, you have the right to object to this type of profiling. In this case, we will no longer process your data for this purpose.
In addition, you have the possibility of registering free of charge on the “BLOCTEL” telephone marketing opposition list on the website www.bloctel.gouv.fr.
11 Security of processing
- Security requirements at OPTEVEN
The security of personal data processing and, more generally, the security of the information system is a priority for OPTEVEN, we implement an information systems security policy (PSSI) as well as an internal IT charter.
- Security of processing
OPTEVEN implements technical and organisational measures designed to guarantee a high level of security for the processing of personal data, the effectiveness, consistency and efficiency of which are taken into account by the PSSI.
- Privacy impact assessment
If a processing operation presents high risks for the rights and freedoms of the persons concerned, OPTEVEN will carry out a privacy impact assessment to verify the reality of the risks and to limit them before implementing the processing operation concerned.
- Data breach notification
A personal data breach is a breach of security, whether malicious or accidental, that results in the loss, alteration or unauthorised disclosure of data.
We protect it against malicious intrusion, loss, alteration or disclosure to unauthorised persons or third parties. Transfers of your banking data are encrypted using the Secure Shell (SSH) protocol.
However, despite our best efforts to ensure that your personal data is kept in a secure environment, we cannot fully protect it against the risk of hacking or unlawful disclosure of your data.
We take steps to limit intrusive and malicious actions. In the event of a breach of your personal data, we will notify the Commission Nationale de l’Informatique et des Libertés (CNIL) as soon as possible, and if possible within 72 hours of becoming aware of the breach.
When such a breach is likely to result in a high risk to your rights and freedoms, we inform you of the breach as soon as possible.
We are particularly vigilant in protecting your banking data and secure the exchanges during transactions and payment operations.
12 What are your rights regarding your personal data?
You have the following rights to your personal data:
- Right to information: you may obtain from OPTEVEN confirmation of the processing of your personal data concerning the purposes of the processing, the categories of data processed, the recipients of the data thus processed as well as the duration of the data storage.
- Access right : you may request and obtain a copy of the personal data we hold about you, and information about the processing operations carried out in your personal data.
- Right of rectification: you may request that your personal data be updated if you consider that it is no longer accurate or is incomplete.
- Right of deletion: you may request the deletion of all your personal data to the extent permitted by law.
- Right of limitation : you may request to stop for a limited period of time any processing operation other than data retention of some of your personal data, because you dispute the accuracy of such data (while we carry out the necessary checks), or you dispute the lawfulness of OPTEVEN’s processing of such data, or you wish to use such data for the establishment, exercise or defence of legal claims when we were about to delete it.
- Right to object on legitimate grounds: you may object to the processing of your personal data insofar as this is justified by reasons relating to your particular situation or in the event that this objection concerns commercial prospecting, including profiling. In the latter case, you have a general right of objection which we will implement without you having to justify any particular situation.
- Right to portability: you may obtain the recovery of personal data held by us in electronic format, for your own use or that of another data controller, where such personal data meets the following cumulative conditions:
○ You have provided this data to OPTEVEN or it results from your use of our services,
○ This data has been collected on the basis of your consent or the execution of the contractual relationship between you and OPTEVEN.
- Right to withdraw your consent: when you have given your consent to the processing of your personal data, you may withdraw it at any time, without calling into question the operations carried out prior to this withdrawal.
- Right to define the fate of your personal data post mortem : you can define directives concerning the fate of your personal data after your death (concerning its conservation, deletion, and if necessary its communication).
13 How to contact us to exercise your rights?
If you wish to exercise your rights indicated above or for any information on the protection of personal data, we invite you to send us your request by email to the following address: email@example.com or by post to the following address OPTEVEN, DPO / Legal and Compliance Department, 10 rue Olympe de Gouges – 69100 Villeurbanne.
When exercising these rights, you may be asked to provide proof of identity and, where appropriate, the information required to process your request.
You can also lodge a complaint directly with the Commission Nationale de l’Informatique et des Libertés (CNIL) on the following website: https://www.cnil.fr.
This privacy, security and personal data protection policy may be revised or amended in accordance with legislative and regulatory changes, or a change in the conditions of processing personal data.