Groupama // 2021 Universal Registration Document

8 ADDITIONAL INFORMATION Regulatory environment

The aim of these texts is to strengthen the protection of insurance consumers and to standardise the rules applicable to all insurance distributors (insurance intermediaries and salespeople of insurance companies). Their scope concerns: all insurance networks (brokers, general agents, insurance ❯ agents, and salespeople of insurance companies); all types of products (non-life and life) excluding major risks, with ❯ provisions common to non-life and life insurance and provisions specific to life insurance (insurance investment products); all types of customers (individuals, professionals, and companies ❯ excluding major risks); all marketing methods (face-to-face, home, and distance selling, ❯ including Internet and comparison tools). The obligations incumbent on distributors, including insurance companies, relate to the following aspects: the duty to advise and pre-contractual information to be ❯ communicated to the customer; product governance and monitoring; ❯ the compensation of distribution networks, as the network ❯ compensation policy must not run counter to their obligation to act in the best interests of customers and to make a recommendation appropriate for the needs and expectations of customers; training of insurance distributors; ❯ conflict of interest prevention, for insurance investment products ❯ only, which consists in taking all reasonable measures to detect and prevent conflict of interest situations from adversely affecting the interests of customers. The IDD review, which has been slightly delayed, has been announced for 2023. The EU authorities are already paying particular attention to certain issues, such as the digitalisation of sales processes, product governance and certain network remuneration practices.

This EU regulation builds on the historical national regulatory frameworks of the various EU countries, where they existed before 2018. The GDPR has several objectives: Provide a standard legal framework applicable throughout the European Union, facilitate data transfers between Member States, strengthen the fundamental rights of individuals to control their personal data, with greater transparency as to how such data are used, make companies accountable through probation measures to ensure their compliance at all times, give credibility to the regulation by allowing the supervisory authorities to impose sanctions of up to 4% of a group’s global revenue. The GDPR also provides for some adaptability of its articles, at the hands of the national protection authorities, to allow the specific features of national legal frameworks of the member countries to be integrated. Furthermore, although the GDPR aims to facilitate data exchange between Member States, it provides a very strict framework for transfers of personal data outside the EU Member States. This aspect was further strengthened following the July 2020 ECJ “Schrems2” ruling invalidating the existing EU-US Privacy Shield. As such, any transfer of data to a non-EU country that has not been the subject of a decision by the European Commission as to whether that country has an adequate level of data protection, requires organisations to conduct very precise assessments of the characteristics of the non-EU country with regard to the presented risks for the fundamental rights of the persons for whom their data are transferred. This reinforcement of control will have an impact on the choice of the location of data processors and partners with which group companies can exchange data. The EU financial system is subject to specific obligations to combat money laundering and terrorist financing (AML/CFT). At the EU level, these obligations have resulted from five successive directives since 1991. The Directive of 30 May 2018 amending the Directive of 20 May 2015 on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing, known as the “Fifth Directive”, was transposed by the order of 12 February 2020. It strengthens and complements the existing system and the obligations imposed on regulated professionals. A decree of 6 January 2021 on the AML/CFT system and internal control, the freezing of assets and the prohibition on making funds or economic resources available or using them, clarifies and supplements the applicable regulations, particularly with regard to the organisation and implementation of internal control of the system. Provisions are also applicable with regard to the freezing of assets and the prohibition of the provision of funds or economic resources. ANTI-MONEY LAUNDERING AND COMBATING THE FINANCING OF TERRORISM 8.3.4

8.3.3

REGULATORY FRAMEWORK FOR PERSONAL DATA PROTECTION

The General Data Protection Regulation (GDPR) was transposed in France by law 2018-493 on personal data protection, which entered into force on 25 May 2018, and by various implementing measures. It provides a regulatory framework for the protection of the personal data of individuals established in the territory of the European Union. It therefore applies to any organisation, whether established in EU territory or not, that accesses, uses, or transfers personal data of EU nationals. This applies to all insurance and service companies of the Group directly dealing with EU nationals.

327

Universal Registration Document 2021 - GROUPAMA ASSURANCES MUTUELLES