AURA Privacy Notice

Reinsurance Group of America, Incorporated is the ultimate parent company of RGA Technology Partners, Inc. RGA Technology Partners, Inc. (“RTP”) is a business services provider, offering an advanced automated underwriting solution, AURA, to insurance carriers.  For the AURA solution, RTP is a Processor for Data Protection purposes in the regions where they operate. To simplify contact with us, where related to data protection, you can contact us at privacy@rgare.com.  

The headquarters of Reinsurance Group of America, Incorporated is located in St. Louis, Missouri, United States of America.  

RGA Technology Partners, Inc. is located in St. Louis, Missouri, United States of America.  

RGA International Reinsurance Company dac located in Dublin, Ireland is our representative in the European Economic Area (‘EEA’).  

Other RGA group entities operate and provide products and services all over the world. A full list of all RGA entities is available at http://www.rgare.com/global-directory. 

AURA is a SaaS-based decision management platform that provides comprehensive and accurate underwriting decisions at the point-of-sale using a rules-based underwriting engine.

This privacy notice is designed to provide compliance with relevant laws in countries where AURA is used by RTP customers.  

RTP handles personal information in accordance with multiple local privacy laws at the place where the personal information is collected and processed.  If applicable laws provide for a lower level of protection of personal information than that established by this privacy notice, then this privacy notice shall prevail.  

Personal information means information, or a combination of pieces of information, that could reasonably allow an individual to be identified. 

As a Processor, we obtain information about you from the Controller, your insurance provider.  This means that we will receive personal information about you from our client, where you may be:

• applying for an insurance policy

As a Processor, we obtain information about you from the Controller, your insurance provider. When you apply for an insurance policy from an insurance company or an intermediary that is our client, the client provides us with your personal information. 

The type of information we collect and process about you is limited to only what is provided by your insurance provider and is limited to only what is necessary for AURA.  It may include any of the below (where permitted by law): 

• Personal details:
  First name, middle name, last name
• Personal characteristics:
  Leisure & interests, age, degrees & schooling, motor vehicle report, date of birth, height, body mass index, weight, criminal convictions or offenses, gender, marital status 
• Identification information:
  Social security number, driver’s license number, ID cards, passports
• Personal health information:
  National Health Service (NHS) Records, medical exams, health declaration items, attending physician statements, ICD-10 Codes, blood test results, EKG tracings, family health or morbidity history, medical diagnosis, drugs, therapies, medical products, equipment used, impairment questionnaires, pregnancy status & history, National Health Service (NHS) Number, medical treatment, medical history, laboratory test results
• Contact information:
  Home postal code, home postal address
• Employment and experience information:
  Occupation, title, risk industry
• Financial information:
  Annuity fund value, credit history, insurance claim history, True Risk Life Report, income, salary or other compensation
• Insurance policy and claims-related information:
  Underwriting recommendations, plan code, issue date, underwriting decision, sum assured, underwriting rating, insured amount, coverage denial
  
  

The type of information we collect and process about you is limited to only what is provided by the insurance provider and is limited to only what is necessary for AURA. It may include special categories of personal information (sometimes referred to as “sensitive personal information”). Depending on your particular circumstances these may include any of the below (where permitted by law): 

• Your health records:
  National Health Service (NHS) Records, medical exams, health declaration items, attending physician statements, ICD-10 Codes, blood test results, EKG tracings, family health or morbidity history, medical diagnosis, drugs, therapies, medical products, equipment used, impairment questionnaires, pregnancy status & history, National Health Service (NHS) Number. Medical treatment, medical history, laboratory test results
• Criminal data:
  Your driving record, criminal records, and sanctions (but only where it is lawful to collect this data).
  

RTP only processes your data as instructed by your insurance provider. The processing of your personal data is governed by a contractual agreement between RTP and your insurance provider, and the primary purpose is to assess risks and provide an underwriting decision. We may perform other services at their request, such as evaluating your data to improve our services to them. RGA does not process your data in any way not allowed under the agreement.

The way we analyze personal information for the purposes of risk assessment, fraud prevention, and detection, and to report to our clients as part of providing the services may involve profiling, which means that we may process your personal information using software that is able to evaluate certain personal aspects about you and predict risks or outcomes. For example, we may analyze personal information about your lifestyle to predict the likelihood of a claim being made on your insurance policy.

We do not make any decisions about your ability to obtain the insurance policy or the cost of it. However, the outcome of your personal information analysis, including your risk rating, is shared with your insurance provider and may impact the decisions made about your application. If you have questions about automated decision-making by the insurance provider, you should contact your insurance provider.

Whenever we process your personal information, we must have a legal basis. We rely on your consent provided directly to your insurance provider when you apply for a policy, as RTP is a Processor performing a service for them. 

RTP’s sharing of your data only occurs as allowed under the agreement between RTP and your insurance company.  We share your personal information with the following parties:

• Insurance providers. As a Processor, we share your personal information with your insurance providers. 
• Service providers. We may share your personal information with service providers that perform certain services and business operations for us, for example, IT system providers.
• Internal business partners. By instruction of the Controller, we may share your personal information with internal business partners, such as local RGA underwriters, to improve the services we provide to the Controller.
• Any law enforcement agency, court, regulator, government authority, or professional body. We may share your personal information with these parties where we believe this is necessary to comply with a legal or regulatory obligation or otherwise to protect our rights or the rights of any third party.

If you require further information on whom your personal information is shared with, please contact us using the contact details provided in the "Contact us" section below.

You have certain rights regarding your personal information, subject to local laws and circumstances relating to the processing of your personal data.

Your rights may include the right to:

• access your personal information and details relating to the processing of your personal information;
• rectify the information we hold about you;
• erase your personal information;
• restrict our use of your personal information;
• object to our use of your personal information;
• receive your personal information in a usable electronic format and transmit it to a third party (right to data portability); and
• lodge a complaint with your local data protection authority.

Since we receive your personal information directly from your insurance provider, you should contact your insurance provider first if you would like to exercise your rights. We encourage you to inform your insurance provider if your personal information needs to be corrected or updated (and you may be under a legal duty to do so).

If your insurance provider has not resolved your request or concern, or if you would like to contact us directly to discuss or exercise your rights, you may contact us via our online contact form, or using the contact details provided in section ‘Contact us’ below.

We are committed to working with you to obtain a fair resolution of any request, complaint, or concern about privacy. If, however, you believe that we have not been able to assist with your request, complaint or concern, you have the right to make a complaint to your local supervisory authority (i.e. the supervisory in the jurisdiction where you live or work) or the supervisory authority of the jurisdiction where you believe an infringement of data protection laws has occurred. Contact details of supervisory authorities are available at the following link: https://www.rgare.com/privacy-notice/english/supervisory-authorities-contacts 

We implement technical and organizational measures to ensure a level of security appropriate to the risk to the personal information we process. These measures are aimed at ensuring the on-going availability, integrity, and confidentiality of personal information. We evaluate these measures on a regular basis to ensure the security of the processing. 

We keep your personal data for as long as required to provide our services to your insurance provider as stated in the agreement with your insurance provider.  

If you would like to know more about the retention of your personal information, please contact us using the contact details provided in the "Contact us" section below.

We securely destroy personal information when its retention period has expired. However, we may decide to aggregate or anonymize data (which is not treated as personal information under this privacy notice) and retain it for longer if allowable under the agreement with your insurance provider.

Because we operate as a global business, your personal information may be transferred to, stored, and processed by RGA entities in other countries, which may include countries that are not regarded as ensuring an adequate level of protection for personal information under the European Union or your local law. Therefore, RGA has adopted Binding Corporate Rules (‘BCRs’) to enable us to make international transfers of your personal information within our group of companies in compliance with data protection laws of the European Union and other relevant countries. Summaries of our BCRs are available at https://www.rgare.com/about-rga/binding-corporate-rules/

If we need to transfer your personal information to service providers or other parties located outside the EEA or other relevant countries, we will make sure that adequate safeguards are in place with those parties. We typically put in place contractual commitments in accordance with applicable legal requirements to ensure that your personal information is adequately protected. For more information on the appropriate safeguards in place, please contact us using the contact details provided in the "Contact us" section below.

If you have questions or concerns regarding this privacy notice or the way in which your personal information has been used, please e-mail us at  privacy@rgare.com or call or write to us.  

For all other postal addresses, please see rgare.com

If you would like to exercise a data subject right, you may use our online contact form.

RGA’s Data Protection Officer for the EMEA region is Dean Scotson.
Should you have any questions or concerns for our DPO regarding the way in which your personal information has been used, please contact him via email at dpo@rgare.com.

You may request a copy of this privacy notice from us using the contact details set out above. We may modify or update this privacy notice from time to time. If we make a significant change to this privacy notice, we will post a notice about this on our website, and we may ask the insurance companies we work with to notify you on our behalf.