Groupama // Universal Registration Document 2022

8

ADDITIONAL INFORMATION Regulatory environment

8.3.2

DISTRIBUTION OF INSURANCE

The IDD review, which has been slightly delayed, has been announced for 2023 or even 2024. The EU authorities are already paying particular attention to certain issues, such as the digitalisation of sales processes, product governance and certain network remuneration practices. The European Commission will soon release its retail investment strategy, aimed at strengthening the protection of savers and preserving the objective nature of advice.

All countries in which the Group carries out insurance businesses have regulations in place to protect policyholders, as insurance is a complex service to understand. At the EU level, the distribution of insurance policies is now regulated by the Insurance Distribution Directive (IDD) of 20 January 2016, transposed in France by way of order and decree in Book V of its Insurance Code, and supplemented by level 2 implementing texts (Commission Implementing Regulation on the duty to advise in life insurance, the standardised insurance product information document (IPID), conflicts of interest, and product governance) and level 3 implementing texts (FAQ of the EIOPA and the European Commission) as well as the recommendations of the ACPR. The aim of these texts is to strengthen the protection of insurance consumers and to standardise the rules applicable to all insurance distributors (insurance intermediaries and salespeople of insurance companies). Their scope concerns: all insurance networks (brokers, general agents, insurance agents, agents of insurance intermediaries, and salespeople of insurance companies); ❯ all types of products (non ‑ life and life) excluding those covering major risks, with provisions common to non ‑ life and life insurance and provisions specific to life insurance (insurance investment products); ❯ all types of customers (individuals, professionals, and companies excluding major risks); ❯ all marketing methods (face ‑ to ‑ face, home, and distance selling, including Internet and comparison tools). ❯ The obligations incumbent on distributors, including insurance companies, relate to the following aspects: the duty to advise and pre ‑ contractual information to be communicated to the customer; ❯ product governance and monitoring; ❯ the compensation of distribution networks, as the network compensation policy must not run counter to their obligation to act in the best interests of customers and to make a recommendation appropriate for the needs and expectations of customers; ❯ training of insurance distributors; ❯ conflict of interest prevention, for insurance investment products only, which consists in taking all reasonable measures to detect and prevent conflict of interest situations from adversely affecting the interests of customers. ❯

8.3.3

REGULATORY FRAMEWORK FOR PERSONAL DATA PROTECTION

The General Data Protection Regulation (GDPR) was transposed in France by law 2018 ‑ 493 on personal data protection, which entered into force on 25 May 2018, and by various implementing measures. It provides a regulatory framework for the protection of the personal data of individuals established in the territory of the European Union. It therefore applies to any organisation, whether established in EU territory or not, that accesses, uses, or transfers personal data of EU nationals. This applies to all insurance and service companies of the Group directly dealing with EU nationals. This EU regulation builds on the historical national regulatory frameworks of the various EU countries, where they existed before 2018. The GDPR has several objectives: Provide a standard legal framework applicable throughout the European Union, facilitate data transfers between Member States, strengthen the fundamental rights of individuals to control their personal data, with greater transparency as to how such data are used, make companies accountable through probation measures to ensure their compliance at all times, give credibility to the regulation by allowing the supervisory authorities to impose sanctions of up to 4% of a group’s global revenue. The GDPR also provides for some adaptability of its Articles, at the hands of the national protection authorities, to allow the specific features of national legal frameworks of the member countries to be integrated. Furthermore, although the GDPR aims to facilitate data exchange between Member States, it provides a very strict framework for transfers of personal data outside the EU Member States. This aspect was further strengthened following the July 2020 ECJ “Schrems2” ruling invalidating the existing EU ‑ US Privacy Shield. As such, any transfer of data to a non ‑ EU country that has not been the subject of a decision by the European Commission as to whether that country has an adequate level of data protection, requires organisations to conduct very precise assessments of the characteristics of the non ‑ EU country with regard to the presented risks for the fundamental rights of the persons for whom their data are transferred. This reinforcement of control has an impact on the choice of the location of data processors and partners with which group companies can exchange data.

368

Universal Registration Document 2022 - GROUPAMA ASSURANCES MUTUELLES