This notice is designed to provide you with information about the processing of your personal information by General Reinsurance Africa Limited and about your rights according to data protection law.
1 Responsible Party of the processing – Who are we?
General Reinsurance Africa Limited
(Reinsurer licensed to conduct composite insurance business)
2nd floor, South Wing, Granger Bay Court, Granger Bay, Victoria and Alfred Waterfront
Cape Town, 8001
Tel. +27 21 412 7700
You can contact our Information Officer at the above address.
2 How your personal information is collected?
We collect most of your personal information directly from the Primary Insurer. However, we may also collect information:
- from publicly accessible sources, e.g. Google, Twitter and LinkedIn;
- directly from a third party, e.g. Astute and CIPC;
- sanctions screening providers; and
- credit reference agencies.
3 Purposes of Processing and Data Categories
We process your personal information while complying with South Africa’s Protection of Personal Information Act (POPIA). Insurance companies often pass on a portion of their risks to reinsurers such as us. In these cases, General Reinsurance Africa may be involved at several stages of this process:
- during the insurance application;
- for the duration of your insurance policy and for the time we need to keep the data for the purposes listed below; or
- when you are bringing forth a claim to be paid by the reinsurer.
We process the data of insurance applicants, insurance holders, claimants, injured parties and beneficiaries.
Depending on the insurance product that your primary insurer reinsures with us, the categories of personal information we process can include:
- Personal details, e.g. name, profession and date of birth;
- Business details e.g. name and registration number;
- Insurance Contract based information;
- Claims related information;
- Health information, e.g. your medical history; and
- Financial information, e.g. payment history and credit score.
Some products offered by primary insurers may use innovative data, such as data generated by sports trackers or mobile apps.
We strive to only obtain information once it has been rendered anonymous or undergone de-identification. This means, in many cases, we can either not identify you from the data we receive at all, or we receive data that is related to you, but has been stripped of direct identifiers such as your name, which has been replaced by a number or another placeholder. Usually, the key to identifying you is held by your insurer and not transmitted to us, so we cannot relate this information to you.
We may process your data for the following purposes:
- For underwriting, claims management, pricing, monitoring and accumulation control (limitation of risk exposure);
- For accounting purposes and plausibility checks related to accounting;
- For analytical and statistical purposes, e.g. the creation and maintenance of statistical models and rate calculation tools;
- Product review and development;
- To prevent and detect criminal offences such as instances of insurance fraud;
- To perform internal and external (of your insurer) audits and quality checks;
- To monitor and revise internal processes;
- To further share a part of the risk with other reinsurers (retrocession); or
- To fulfil statutory obligations and mandatory retention periods.
4 Legal Basis
Depending on the circumstances at hand, we process your information for the above-mentioned purposes based on one or more of these legal grounds:
- The contract you concluded with your insurer – see s.11(1)(b), s.32(1)(b), s.32(2) and s.32(3) POPIA
- Your consent – see s.11(1)(a) and s.27(1)(a) POPIA
- Applicable laws that mandate and/ or allow the processing of data under the applicable circumstances – see s.11(1)(c) and s.27(1)(b) POPIA in conjunction with the respective laws
- The processing is necessary for the exercise and defence of claims – see s.27(1)(b) POPIA
- Special categories of personal data deliberately made public by you – see s.27(1)(e) POPIA
- Our legitimate interests – see s.11(1)(f) POPIA
- The processing is for statistical or research purposes see s.15(3)(e) and s.27(1)(d) POPIA
5 Categories of recipients of personal information
5.1 Data processing and sharing within the Gen Re group of companies
Your personal information we received from your primary insurer, may also be processed by Gen Re group employees located outside of the Republic of South Africa for:
- The purposes listed under abovementioned Section 3, and
- IT services, including the hosting of applications and systems that are used to process insurance and reinsurance related data.
5.2 Additional reinsurers
To enable us to meet our obligations under our reinsurance relationships, we may pass on a portion of the risks reinsured with us to other reinsurers for the purpose of risk mitigation.
5.3 External service providers
In some cases, we use external service providers in the following categories in order to meet some of our contractual and statutory obligations:
- Assessors / medical experts for the drawing up of expert opinions on underwriting and claims management
- Data management service providers for the storage and destruction of files
- IT service providers for the maintenance, operation and securing of systems and applications, data recovery and data destruction
- Data analytics providers
- Translators for the translation of underwriting and claims management documents
- Service providers to support application, claims and inventory processing
- Audit service providers to perform internal audits and IT security audits
5.4 Additional recipients:
Some primary insurers and additional reinsurers use intermediaries or service providers to initiate or manage their reinsurance relationship with us. In these cases, your information, which we process for the above-mentioned purposes, is transmitted between us and your primary insurer or between us and an additional reinsurer via such brokers and service providers.
In addition, it may become necessary for us to transmit your personal information to further recipients, such as public authorities, in order to comply with statutory notification obligations (e.g. social insurance agencies, financial authorities, supervisory authorities, auditors or law enforcement authorities).
6 Data transmission via a third country
Some of the recipients we transmit personal information to (see Section 5 above) are located outside the Republic of South Africa. Transmission may take place to a third country without your authorisation, if the recipient is subject to a law, binding corporate rules or binding company agreement which provide an adequate level of data protection. We make sure that the recipients of your personal information in any location outside South Africa comply with and fulfil South African data protection standards, i.e. by making sure appropriate technical and organizational privacy measures are in place.
Examples for the transmission of personal information to Gen Re group companies, located in third countries, include in particular the transfer to the United Kingdom, European Union member state countries, Australia and the United States. Subject to adherence with legal requirements, these transfers may include also special categories of personal data, e.g. health-related information.
7 What rights do you have in relation to your data?
7.1 Rights of data subjects
We must notify you:
- when any of your personal information is being processed by us, or a third party, unless we are exempted from giving notification; or
- when your personal information has been accessed or taken by an unauthorised person.
You may request to access, update, rectify, or remove the personal information you have submitted to us by contacting us.
In certain cases, you may also:
- object to us processing and using your personal information, or to transferring your information if you have reasons to disagree with the processing or transfer of information as a result of your particular situation;
- request the identity of all third parties, or categories of third parties, who have, or have had access to your personal information;
- submit a complaint with us, the Information Regulator or institute civil proceedings regarding alleged interference with the protection of your personal information.
8 Data storage period
We will delete your personal data as soon as it is no longer required for the above-mentioned purposes.
Moreover, we store your personal data in accordance with the retention periods as provided by various legislation.
If you have any questions about our processing of your personal information in terms of this Notice, please email us at InformationOfficer_SA@genre.com
Details of the Information Regulator
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O Box 31533, Braamfontein, Johannesburg, 2017
Complaints email: complaints.IR@justice.gov.za
General enquiries email: email@example.com
This privacy notice is for applicants, policyholders, insured persons, beneficiaries or injured parties.
Last updated 8 October 2021