CFO Forum

Privacy statement

1. Who does this privacy statement apply to?

Insurance Chief Financial Officers Forum (CFOF) is a high-level discussion group formed and attended by members who can be found here. CFOF’s mission is to provide input to the development of financial reporting, sustainability reporting, prudential frameworks and related regulatory and other developments for insurance groups.

CFOF is led by a Chair and a Steering Group that consists of senior representatives from member companies.

The Steering Group relies on Working Groups (WGs) that oversee the CFOF’s areas of interest. The Virtual Project Office (VPO), administered by Insurance Europe, runs the secretariat of the CFOF.

The VPO is responsible for requesting data subjects’ consent, when needed for processing their data.

The VPO processes personal data in the context of CFOF as safely and reasonably as possible and in compliance with the applicable data protection legislation, including the General Data Protection Regulation 2016/679 of 27 April 2016 (‘GDPR’).

This Privacy Statement covers:

• Third party contacts: members of the European Parliament (MEP), MEP assistants, European or national institutions, authorities or agencies officials or staff members, international entities officials, contacts from international, European or national federations, from a law firm or a consultancy, from a company that has a contractual relationship with the CFOF, suppliers, journalists, academics, researchers, or any other individuals who have contacted CFOF, have been contacted by CFOF, or whom CFOF may plan to contact, in the context of its activities.

• CFOF’s website visitors

2. What is covered by this Privacy Statement?

This Privacy Statement tells you what personal data we process, why and how we process your personal data when we perform CFOF’s activities and when you use CFOF’s website, to whom we give that information, what your rights are and who to contact for more information or queries.

When we refer to website, we mean the web pages containing the domain name ‘cfoforum.eu’ and including all its subsites.

The website may link to other websites provided by members, members’ members or third parties. Whilst we try to link only to websites that share our high standards and respect for privacy, we are not responsible for the content or the privacy practices of other websites.

When linking to any such websites, we strongly recommend that you read the Privacy Statements on those websites before disclosing any personal information.

3. What personal data do we collect?

The main personal data that we generally collect and hold in our database includes:

• identification data (eg name, company, address, e-mail address, phone number, job title),

• data regarding the communication between us (eg e-mails, comments, questions sent and received, meetings),

• your picture, if we have obtained your explicit consent for this,

• when you use our website, the browser on your device automatically sends information to the server of our websites/application which temporarily stores it in a log file. More specifically, your IP address is automatically recorded without your intervention and stored until it is automatically deleted.

The CFOF website also uses cookies to gather statistics about the visits to the website and improve its performance and design. This data is anonymised, which means that we cannot identify you by processing it. For more information about the cookies we use and how you can control them, please consult the cookie section hereafter.

4. How do we obtain your personal data?

We may obtain your personal data in the framework of the execution of our business activities that serves the mission of CFOF and in particular because:

• you provided it to us (eg via social media, by providing us with your business cards, via an e-mail you sent to us, via a contract we have with you),

• you visited CFOF’s website (only regarding IP addresses)

• you sent an email to CFOF, eg to info@cfoforum.eu, to CFOF members or their staff

5. Why do we process your personal data?

For legitimate business purposes including:

• arranging and managing meetings with you, if applicable

• responding to any form of communication with us

• public affairs relations activities, including sending you:

o invitations to our meetings

o our press releases

o emails aiming to raise your awareness about insurance-related issues, such as links to specific pages on our website

o our position papers, working papers, reports or any other type of publication in the context of our business activities

• security and troubleshooting purposes for processing your IP address when you visit CFOF’s website or extranet page

We will use your personal data only for the purposes for which we collected it or for reasons compatible with the original purpose. If we intend to use your personal data for reasons that are not related to the original purpose, we will contact you and notify you of the legal basis that allows us to do so.

6. What are the legal grounds for processing your personal data?

We process your personal data for the purposes mentioned in the previous section relying upon the following legal bases:

The legitimate interests of CFOF in carrying out its mission. This includes, for instance, supporting our public affairs activities, or responding to your queries.

When you use our websites, your IP address is processed based on our legitimate interest to ensure the functionality and security of the websites. In this respect, we will always determine case by case whether our interests are not overridden by your interests, fundamental rights and freedoms.

For the fulfilment of our contractual obligations (in case we have a contract with you).

Consent, where necessary.

7. What are your rights?

You have several rights concerning the personal data we hold about you. You have the right to:

• access your personal data, obtain confirmation that we are processing your personal data and request a copy of the personal data we hold about you;

• ask that we update the personal data we hold about you, or correct such personal data that you think is incorrect or incomplete;

• restrict our processing of your personal data where you believe that the data is not accurate, or we may not have grounds for processing it;

• ask that we delete the personal data that we hold about you, if you believe that there is no (longer a) lawful ground for us to process it;

• withdraw your consent to our processing of your personal data (to the extent such processing is based on consent);

• ask to receive a copy of the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit such personal data to another party (to the extent the processing is based on consent or a contract);

• object to our processing of your personal data for which we use legitimate interest as a legal basis, in which case we will cease the processing unless we have compelling legitimate grounds for the processing;

• object at any time to the processing of your personal data for direct marketing purposes.

The VPO will be your contact point for submitting a request to exercise any of your rights. To this end, you can send us a request, indicating the right you wish to exercise, by e-mailing us at privacy@cfoforum.eu. You may also use these contact details if you wish to make a complaint to us relating to your privacy.

If you are unhappy with the way we have handled your personal data or any privacy query or request that you have raised with us, you have a right to complain to the Data Protection Authority (“DPA”) in your jurisdiction.

8. Who are the recipients of your personal data?

The VPO and CFOF members who are involved in internal and external communications and the organisation of events will have access to your personal data on a “need-to-know” basis for the purposes described above.

We may disclose your personal data to our members or third parties that provide services to the CFOF or work with the CFOF and that reasonably require access to personal data relating to you for one or more of the purposes outlined in the “Why we process your data” section above. The following external parties may, for instance, be involved:

• external service providers we rely on for various business services

• law enforcement authorities in accordance with the relevant legislation

• external professional advisors (eg law firms or consultancies)

International transfers

In principle, we do not intend to transfer your data to third countries or international organisations. In case your data needs to be transferred to a third country or an international organisation (eg if we engage a non-EU-based processor), we will transfer your data only when an adequate level of protection according to an adequacy decision issued by the European Commission is provided, or when there are appropriate safeguards (eg by means of Standard Contractual Clauses and relevant supplementary measures) that ensure your personal data is protected, or when we can rely on derogations within the limits permitted by the GDPR. You can ask for more information and/or obtain a copy of those safeguards by sending us an e-mail at privacy@cfoforum.eu.

We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Privacy Statement.

We reserve the right to disclose your personal data as required by law, or when we believe that disclosure is necessary to protect our rights and/or freedoms and/or comply with a judicial proceeding, court order and/or injunction, request from a regulator or any other legal process, including out of court proceedings, served on us.

9. For website visitors: cookies

The website uses cookies. Cookies are small text files that are stored by your browser onto your computer or mobile device when you visit these websites. The website uses only functional cookies that enable us to ensure the proper functioning of the website.

You can refuse the installation of cookies on your device. The ability to enable, disable and/or delete cookies can be completed in your browser. You can delete all cookies that are already on your device and you can set most browsers to prevent them from being placed. The settings are usually in the “options” or “preferences” menu of your browser. To understand them, the “Help” option in your internet browser or the following links may be helpful:

Cookie settings in Firefox

Cookie settings in Edge

Cookie settings in Chrome

Cookie settings in Safari

You can find more information about cookies at: www.allaboutcookies.org. Please note that turning off functional cookies might restrict the use of the website.

The website uses the following types of cookies:

Functional cookies

o Session cookies

A session cookie is used each time you visit our Sites to give you a session ID. They link your actions on our Sites and each one will only last for a browser session, at the end of which it will expire. After your visit to our Sites all session cookies are deleted.

o Persistent cookies

A persistent cookie allows the preferences or actions of the user across a site (or across different websites) to be remembered. It has a longer life than a session cookie and lasts for a period of time that varies from cookie to cookie. This type of cookie will not be deleted when you close your browser window and will be stored on your computer or mobile device. It will be activated every time you visit the website that created it.


o First-party cookies

A first-party cookie is a cookie set by us or any of our processors.


o Third-party cookies

A third-party persistent cookie is set by our service provider, CloudFlare, to identify trusted web traffic. It does not correspond to any user ID in the web application, nor does the cookie store any personally identifiable information.


For more information, please see: https://support.cloudflare.com/hc/en-us/articles/200170156-What-does-the-CloudFlare-cfduid-cookie-do-

Analytic cookies

These cookies are used to gather statistics about your visit to the Sites to improve their performance and design (“web audience measuring”). They are first-party cookies, which means that we have complete control over the information collected through them. This data is anonymised, so we cannot identify you by processing it.

These cookies collect information about the number of times that you visit the Sites, how long a visit takes, etc.

The analytical cookie we use is Google Analytics, which expires after two years and allows us to gather statistics about the web pages visited.

10. How is the security of your personal data ensured?

The associations employ strict technical and organisational (security) measures to protect your personal data from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage both online and offline.

These measures may include:

• training relevant staff to ensure they are aware of our privacy obligations when handling personal data

• administrative and technical controls to restrict access to personal data to staff members of the associations

• technological security measures, including firewalls, encryption and anti-virus software

• back-up systems

• login access blocks in case of loss or theft of devices

• physical security measures, such as staff security badges to access the associations’ premises

Although we use appropriate security measures once we have received your personal data, the transmission of data - especially over the internet (including by e-mail) - is never completely secure. We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to us or by us.

We limit access to your personal data to those who we believe reasonably need to access that information to carry out their tasks.

11. Data retention

We will retain your personal data for as long as:

• it is strictly necessary to fulfil the purposes we collected it for

• you have a role or function that is relevant to CFOF’s mission

• your relationship with the CFO Forum persists (eg if you are a contractual party)

For website visitors: the IP address that we collect when you visit our websites is retained for 90 days.

For more information about the expiry dates of the cookies used on the extranet websites, please consult the cookie section.

12. Automated Decision-making

Automated decisions are defined as decisions about individuals that are based solely on the automated processing of personal data and that produce legal effects that significantly affect the individuals involved.

As a rule, your personal data will not be used for automated decision-making. We do not base any decisions about you solely on automated processing of your personal data.

13. How to contact us?

We hope that this Privacy Statement helps you understand and feel more confident about the way we process your data. If you have any further queries about this Privacy Statement, please contact us:

by e-mailing us at privacy@cfoforum.eu

14. Changes to this privacy statement

We may modify or amend this Privacy Statement in the future. Should this happen, the revised Privacy Statement will be posted on CFOF’s website, and you may also be notified by e-mail.