EU Regulation · GDPR

GDPR — General Data Protection Regulation

EU Regulation 2016/679 on personal data protection. EU data residency, access audit, insurance retention, right to erasure, contractual DPA.

GDPR for insurance data: sector specifics

GDPR (EU Reg. 2016/679) is Europe's unified personal-data protection framework, but insurance has specifics that require dedicated solutions: health-data processing for life/health policies (art. 9 §1, "special category" sensitive data), actuarial profiling for pricing (art. 22 on automated decision-making), extended retention for long-term policies and pending claims, sharing with foreign reinsurers (a potential extra-EU transfer), and IVASS audits. NewPicass 14.Net is designed around these constraints: EU-exclusive data residency, end-to-end encryption of health data, an audit log on special-category access, a standard contractual DPA with a transparent sub-processor list, and erasure-right management balanced against insurance retention obligations.

Key articles

GDPR articles relevant to insurance

Art. 5
Principles

Processing principles

Lawfulness, purpose limitation, minimisation, accuracy, retention limitation, integrity, accountability. Tenant-level configurable for each NewPicass customer.

Art. 9
Special categories

Health data for life/health policies

Reinforced encryption (additional encryption layer on DB columns), granular access audit, dedicated RBAC for health data, immutable view log.

Art. 17
Erasure

Balanced right to be forgotten

Structured workflow: residual legal-basis assessment (insurance retention, pending litigation, AML), verifiable deletion, deletion certificate to controller.

Art. 28
Processor

Standard NewPicass DPA

Art. 28-compliant standard contract, public and updated sub-processor list, audit right, 24h data-breach notification.

Art. 33-34
Data Breach

24h breach notification

More stringent than the GDPR 72h minimum. Technical logs, impacted data categories, RCA, support for the notification to the Privacy Authority.

Art. 44-50
Extra-EU transfers

EU-exclusive data residency

No extra-EU transfer without explicit customer agreement. Secondary backup in different EU country available only on documented request.

Vendor vs Customer

What the platform does vs what remains yours

Covered

  • EU-exclusive data residency
  • TLS 1.3 in transit + AES-256 at rest encryption
  • Reinforced encryption on health data
  • 10-year access audit log
  • Granular RBAC by data category
  • Data-subject rights API workflow
  • Standard DPA with sub-processor list
  • 24h customer data-breach notification

Customer responsibility

  • DPO (Data Protection Officer)
  • RoPA (Records of Processing Activities)
  • Privacy notice to end customers
  • Consent collection (marketing, profiling)
  • Legitimate-interest vs erasure-request assessment
  • DPIA (Data Protection Impact Assessment)
  • Notification to Privacy Authority on significant breach
  • GDPR training for employees

FAQ

Frequently asked questions on GDPR

Where is my data physically located?

Italy. Two ISO 27001 certified data centers in an active-active configuration with synchronous replication, both on Italian territory. For customers with specific EU requirements (e.g. regulated insurers with EU data-residency constraints) we contractually confirm EU-exclusive residency. No extra-EU transfers without specific customer agreement (e.g. secondary backup in a different EU country). IP/data-center list available under NDA.

How long do you retain policy data?

Retention is configurable per customer based on insurance regulatory requirements: default 10 years from relationship end for insurance data (aligned with IVASS Reg. 24), 5 years for marketing data, 7 years for accounting data (D.P.R. 633/1972). Minimum 10-year immutable audit trail for all customers. Data past its retention period is deleted automatically, with a deletion log.

How do you handle the right to erasure (art. 17)?

Structured workflow: the end customer of our regulated customer requests deletion → the regulated customer assesses whether legal grounds to refuse exist (e.g. mandatory insurance retention is a legitimate ground under art. 17 §3(b)) → confirmation to NewPicass → a dedicated API verifiably deletes the data, keeping only records with a residual legal basis, and produces a deletion certificate. Typical time: 5-15 business days.
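As an added illustration (not NewPicass code), a minimal erasure handler that applies the residual-basis assessment described above: a record is kept only while a retention period or a legal hold (pending litigation, AML) still applies, everything else is erased, and a deletion certificate listing both outcomes is produced with a SHA-256 digest so the controller can verify it later. Retention periods follow the defaults stated on this page; the record shape, the day-based period arithmetic and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import json

# Default retention from relationship end, per this page (years approximated as
# 365 days; a real deployment would use the tenant's configured schedule).
RETENTION_DAYS = {"insurance": 10 * 365, "marketing": 5 * 365, "accounting": 7 * 365}

@dataclass
class Record:  # hypothetical record shape, not the platform's data model
    record_id: str
    category: str            # key of RETENTION_DAYS
    relationship_end: date   # end of the contractual relationship
    pending_litigation: bool = False
    aml_hold: bool = False

def residual_basis(rec: Record, today: date):
    """Return why the record must still be kept, or None if it may be erased."""
    if rec.pending_litigation:
        return "pending litigation"
    if rec.aml_hold:
        return "AML obligation"
    if today - rec.relationship_end < timedelta(days=RETENTION_DAYS[rec.category]):
        return f"{rec.category} retention (art. 17 §3(b))"
    return None

def process_erasure(records, today: date):
    """Erase records with no residual basis and return a deletion certificate."""
    erased, retained = [], {}
    for rec in records:
        reason = residual_basis(rec, today)
        if reason:
            retained[rec.record_id] = reason
        else:
            erased.append(rec.record_id)   # real code deletes the row here
    cert = {"date": today.isoformat(), "erased": sorted(erased), "retained": retained}
    # Digest over canonical JSON lets the controller verify the certificate later.
    cert["sha256"] = hashlib.sha256(json.dumps(cert, sort_keys=True).encode()).hexdigest()
    return cert

SAMPLE = [  # constructed sample data
    Record("pol-1", "insurance", date(2020, 1, 1)),
    Record("mkt-1", "marketing", date(2018, 1, 1)),
    Record("acc-1", "accounting", date(2015, 1, 1)),
    Record("acc-2", "accounting", date(2015, 1, 1), aml_hold=True),
]
```

Running `process_erasure(SAMPLE, date(2025, 1, 1))` erases mkt-1 and acc-1 and retains pol-1 (insurance retention still running) and acc-2 (AML hold), each with its stated reason in the certificate.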

Do you have a standard DPA (Data Processing Agreement)?

Yes. An art. 28 GDPR-compliant contractual DPA is part of the standard NewPicass 14.Net contract. It includes: subject, duration, nature and purpose of processing, categories of data subjects and data, controller obligations, sub-processors (public and updated sub-processor list), 24h data-breach notification, and the controller's audit right. Available in Italian and English.

What happens in case of a data breach?

Workflow under art. 33-34 GDPR + DORA art. 17-23: NewPicass detects the incident → notifies the regulated customer within 24h (more stringent than the GDPR 72h minimum) → provides technical logs, impacted data categories, number of subjects affected, RCA → the regulated customer assesses whether to notify the Privacy Authority and/or the data subjects. Documented procedures, annual data-breach process test.

Can I audit your infrastructure?

Yes, under art. 28 §3(h) GDPR. The DPA includes the controller's audit right with reasonable notice. Alternatively we provide: ISO 27001:2023 certificate, annual SOC 2 Type II report (under NDA), penetration test report. On-site physical audit: schedulable, costs borne by the customer, typically annual for enterprise customers.

Compliance check · 45 minutes

Audit your GDPR compliance with us

45 minutes with a compliance engineer. We walk through the platform's coverage on this framework and identify the gaps you still need to close on your side.