We are Athora, the parent company of among others Zwitserleven, Reaal (Life) and ACTIAM. We offer insurance policies and other financial products and services.
We collect your personal data when you purchase products or services from us, when you visit our websites or use our mobile apps, if your employer has arranged a pension scheme with us or if you are the beneficiary of an insurance policy. We also need personal data to be able to provide, maintain and improve our products and services. We handle your personal data securely and with due care in everything we do. In this Privacy Statement we explain, among others what we do with your personal data, why we need it, when we share it with third parties, how we protect it and what your rights are.
Athora takes your privacy seriously. If you want to exercise your right of access, or if you have a question or a complaint? Please contact us via e-mail on email@example.com or by posting a letter to Athora, attn. Data Protection Officer, PO Box 274, 1800 BH Alkmaar, the Netherlands. If you are not satisfied about the way we handle your complaint, you can contact the supervisory authority, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
We may amend this privacy statement. This privacy statement was most recently amended in December 2020.
Finally, if you are in doubt whether a message, app or website originates with us, or if you discover a personal data breach, please contact us via firstname.lastname@example.org.
1. Who are we?
ACTIAM N.V. provides financial services and carries out asset management activities for professional clients and retail customers.
ACTIAM N.V. is subsidiary of Athora Netherlands N.V. that is responsible for the processing of personal data by Athora Netherlands and its Dutch subsidiaries. For more information, please go to www.athora.nl. Athora ensures that Athora Netherlands N.V. and its Dutch subsidiaries comply with the applicable legislation and regulations on privacy. The following terms and conditions solely apply to ACTIAM N.V.
We process your personal data in accordance with the General Data Protection Regulation (GDPR), which took effect in all of Europe on 25 May 2018.
2. Which personal data do we collect?
Personal data is any data that pertains to a person and that can be traced back to that person. Different bits of data, gathered together, may also be traced back to a person. For example: your gender alone does not constitute personal data, but it may well do if it is combined with your postcode and date of birth. The personal data that we collect at ACTIAM is made up of the following three categories:
a. Personal data necessary for providing products or services
This includes, for example, your name, address, place of residence, email address, telephone number, date of birth or bank account number. It also includes the type and term of the agreement you conclude with us. This also includes the data we record whenever you contact our or Athora employees.
b. Personal data on your use of our website, apps and social media
When you visit our websites or use our (future) apps, we record the IP address, the internet service provider, the browser you are using, the operating system, your click behaviour and the web pages you visit. We also record the date and time of your visit and, if applicable, the website from which you were referred to our website. Depending on the preferences you have set on social media sites, certain data may be shared with us. For more information about cookies and other comparable technologies we use, please see our cookie statement.
c. Sensitive personal data
This includes financial data, social security number, passport, driving licence, location, account login details, etc.
3. What do we use personal data for?
a. To be able to review, conclude and perform the agreement or the formation of it
We use personal data for formulating and performing the agreement. We need your personal data to deliver our products and to perform our services.
We may also use data that is available from public sources, such as the Chamber of Commerce (KvK), Statistics Netherlands (CBS), the Land Registry and from market research agencies to enable us perform for instance Know Your Client tasks.
We may review your application or registration by means of a fully or partly automated process. If this is the case, we will inform you about this. If you do not agree with the result of an automated review and/or handling, please contact us about it. See Section 10e.
After we approve your application for access to our online services or process your registration, we use your personal data to perform the agreement and to provide our products and services. A few examples are listed below.
- We use your contact details to send you user name and password data and to answer your questions. We also register your questions in our systems.
- We use your personal data to perform our online services. For example, we make your personal data available within your secure personal account and save your settings preferences.
- We may record telephone conversations for the purpose of training and coaching or to prevent and combat fraud and abuse and to comply with legal obligations. You are entitled to listen to the recorded telephone conversation.
b. For the purpose of aligning our products and services with you and sending you relevant information
We strive to offer you the very best products and services that make your life as easy as possible. We only send you messages containing news and offers from ACTIAM that are relevant to you. We may use several different digital media to send you our messages. These include email, apps, social media and your personal account. We may, for example, send you messages about the latest developments, news, promotions, competitions, loyalty programmes, general offers and our new or existing products or services.
We use your personal data to align our services, products and messages to your preferences and behaviour. We do this based on our legitimate interest. We carefully balance our interests against your interests. We may combine and analyse the following personal data for this purpose (please also see Section 10):
- Personal data that you provide to us and data about your purchase of a product or service.
- Personal data that you share with us when you visit our websites and use our apps, such as your click behaviour (see also Section 2b).
- Data from public sources and from market research agencies. We use these sources to subdivide customers into segments and target groups. This allows us to better align our adverts to your personal situation, wishes and needs.
- Personal data that you have shared with us using your social media profile, provided that you have given us your consent for this.
If you no longer wish to receive messages from us, you can easily unsubscribe from all commercial news messages at any time. One way to do this is by clicking on the appropriate link provided in the message.
c. To prevent and combat fraud and abuse
As a financial service provider, we strive to prevent fraud. Prior to and during the term of the agreement, we process personal data for the purpose of preventing, identifying, investigating and combating fraud. We do this based on our legitimate interest. We carefully balance our interests against your interests.
Automated processing may be used to perform risk assessments on applications which focus on fraud. For this purpose, we collaborate with Athora and with FRISS, a third party that provides risk assessments and identifies fraud risks.
On the basis of this assessment, we decide whether further investigation by our Fraud & Integrity department is necessary.
d. For the purpose of complying with our legal obligations
As a financial service provider, specific laws sometimes require us to record certain personal data. The Money Laundering and Terrorist Financing (Prevention) Act (Wet ter voorkoming van witwassen en financieren van terrorisme, “Wwft”) requires us to determine and verify the identity of our customers or other third party business relations. In addition, under the Sanctions Act (Sanctiewet), we are required to check data pertaining to these third parties against lists of sanctioned persons (terrorism) compiled by recognised authorities.
In addition, we are obliged to transfer personal data to government institutions, supervisory authorities, courts or other financial institutions upon request; for instance to the Dutch Tax & Customs Administration, the Netherlands Authority for the Financial Markets (AFM), the Netherlands Authority for Consumers and Markets (ACM), De Nederlandsche Bank (DNB) or an investigative authority such as the police, the Fiscal Intelligence and Investigation Service (Fiscale Inlichtingen- en Opsporingsdienst (FIOD)) or the Public Prosecutors Office.
4. Storage and the exchange of personal data within Athora Netherlands N.V. and its Dutch subsidiaries
In deviation from other Dutch subsidiaries of Athora Netherlands N.V., ACTIAM stores personal data separate from Athora Netherlands N.V. and its Dutch subsidiaries to prevent access to that personal data. Certain ACTIAM tasks (for instance legal affairs, compliance, finance and fiscal affairs) are performed by Athora. Athora employees appointed to perform these tasks can be allowed access to the ACTIAM personal data to the extent necessary to fulfil their ACTIAM tasks.
We do this for the following purposes:
- to ensure that information can be retrieved by and be released in a controlled manner to the persons who need it for the performance of their work;
- for the purposes of fulfilling legal obligations such as Know Your Client and the prevention and combating of fraud and abuse;
- to be able to quickly answer any general questions you may have about the products and services of the ACTIAM;
- to provide you with a high-quality and efficient service;
- for the purpose of aligning our products and services to you, for sending you appropriate and relevant information and for contacting you about other products, if you have given us your consent for this;
- to guarantee the quality of the personal data;
- for the purposes of research and innovation; and
- for use in internal reports and management reports.
5. To whom do we provide your personal data?
a. Advisers, intermediaries and authorised agents
For some services and products, we collaborate with independent advisers, intermediaries and/or authorised agents. They are each independently responsible for processing your personal data. We may also exchange your personal data with independent advisers for use in marketing activities, but only if you have given your consent for this.
b. Other companies with which we work
Several examples of types of companies we work with are listed below. We sometimes do this, because it is more efficient or because these parties are better than we are at one aspect of our service provision. We only provide these parties with the personal data they require to perform the subcontracted work. We have taken the requisite contractual and organisational measures with these parties to ensure that your personal data are processed for these purposes only and that this is done in a secure manner.
- Middle and Back-office activities delegated to BNP Paribas Security Services
- Support staff functions such as IT, finance, legal affairs, compliance, human resources, etc. have been delegated to Athora Netherlands N.V.
- External advisors necessary for the performance of our services
c. Government institutions, regulators and other financial institutions
We will only provide your personal data to government institutions (such as the Dutch Tax & Customs Administration and the police) and to regulators (such as the Netherlands Authority for the Financial Markets and De Nederlandsche Bank) if we have a legal obligation to do so. Finally, we may also be compelled by a court order to provide personal data.
d. Service providers for mail, printing, IT, etc.
We may engage third parties to carry out certain activities. These include POSTNL or IT service providers that maintain, design and improve our IT systems, tools and portals.
6. International transfer of personal data
In principle, Athora and ACTIAM do not transfer personal data to countries outside the EEA (European Union and Norway, Iceland and Liechtenstein). Some of our suppliers or third parties we work with are established in countries outside the EEA, or they store data outside the EEA. Regulations in these countries do not always afford the same level of protection as those within the EEA. This is why we conclude agreements with these parties to ensure that privacy is safeguarded to a similar extent as in the EEA.
7. Security of your personal data
We have taken appropriate technical and organisational security measures to protect your personal data against misuse and unlawful or unauthorised use. To this end, we have implemented an IT security policy based on the ISO27001 standard. Our IT processes and structure are based on this policy, and these processes in turn given further protection to personal data.
We adhere to strict access and security policies that apply to all personal data. Moreover, all of our employees are obliged to keep your personal data secret.
Be careful with the devices you use for our online services and take your own security measures. If you are unsure about whether a message, app or website originates with us, or if you discover a weak spot in our services, please contact us via email@example.com. Where necessary, we will inform the Dutch Data Protection Authority of this.
8. Retention period
We do not use your personal data for any longer than is necessary for the purposes for which we obtained it. The period during which certain personal data are stored depends, among other things, on the nature of the personal data, the purpose of the processing and legislation. Tax law, for example, requires us to keep data for at least 7 years.
In some cases, it is our choice to retain personal data for a long time, sometimes even for years after you have stopped being our customer. This is not for commercial purposes, but in order to comply with document retention requirements under the law. We may also retain your personal data for a longer period if we expect we will need it for (potential) legal proceedings in the future.
In other words, the retention period can differ for each purpose. ACTIAM complies with Athora’s policy for storing data and monitors compliance with the measures taken. We will share this policy with you upon request.
After the expiry of the retention period, your personal data will be deleted or converted into data that can no longer be traced back to you. We will then only use the data for historical, statistical or scientific purposes.
9. Other environments and social media
Depending on the preferences you have set on social media, certain personal data may be shared with us when you use social media. One example of this is using social media to contact us. We will then receive the information linked to your public profile. We can use Facebook to ensure that only our customers and users can view our messages via Facebook. For more information, please go to https://www.facebook.com/business/a/custom-audiences. For more information about social media cookies, please see our cookie statement.
If you use social media to contact us, we cannot guarantee the security of any personal data that you share with us via social media such as WhatsApp. Many social media providers are established outside the EEA and store your personal data outside the EEA. For this reason, it is possible that your personal data does not enjoy the same level of protection there as it does within the EEA. This is your own responsibility. We therefore recommend that you do not disclose any confidential, special and/or sensitive personal data to us via social media. We will never use social media to share such information with you.
For more information on the personal data we receive and to adjust your settings, please consult the website and the privacy statement of the social media provider. The use of these services is your own responsibility. This Privacy Statement does not apply to third-party services.
10. Your rights
As a customer or user of our services, you have a number of rights which are described below. If you wish to invoke these rights, please contact us via email (firstname.lastname@example.org). Before we can handle your request, we may ask you to identify yourself. We do this to make sure that we do not disclose any of your personal data to an individual posing as you.
We will send you a first response within five working days. We aim to provide you with a reasoned response within a month’s time. This is, however, not always possible if the case is a complicated one. In that case, we will inform you of this in good time, stating when you can expect to receive a reply from us.
a. Right of access
You have a right to see all your personal data processed by us and you have a right to know the purposes for which we use this personal data and, where applicable, to which third parties we have disclosed this personal data.
b. Right of rectification
You may give instructions to change your personal data if it is incorrect.
c. Right to have personal data deleted
You have the right to have your personal data deleted if we no longer need it for the purpose for which it was collected. It is possible, however, that we do have an interest in retaining your file for a longer period of time, for example because a legal retention period applies or due to fraud. In that case, we may not be able to comply with your request fully or at all.
d. Right to object
You may object to our use of your personal data if we use your personal data for purposes or bases other than the performance of an agreement, compliance with a legal obligation or ACTIAM’s legitimate interests.
e. Right to restriction of processing
Under certain circumstances you have the right to restriction of the processing of your personal data. If this right applies we will temporarily refrain from using your personal data. We will however retain them.
f. Right not to be subjected only to automated decision-making
The review of your application may be partly automated. If this is the case, we will expressly inform you about this. If you do not agree with the result of an automated decision, please contact us.
g. Right to data portability
You have the right to request us to transfer the personal data you have provided to us to another insurer and/or to have the relevant personal data sent to you.
h. Right to withdraw consent
In those cases where we can only use personal data with your explicit consent, you have the right, at any time, to withdraw the consent you granted previously.