Privacy

1. Key aspects of our policy

Bracht, Deckers & Mackelbert NV (hereinafter: BDM) believes that personal privacy of the data subject from whom it collects information is of essential importance.

Pursuant to the General Data Protection Regulation (GDPR)[1] we are consequently implementing measures so that the collected personal data:

  • is processed in a manner that is, with respect to the data subject, lawful, fair and transparent (‘lawfulness, fairness and transparency’);
  • is only collected for specified, explicit and legitimate purposes (‘purpose limitation’);
  • is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’);
  • is accurate and, where necessary, kept up to date (‘accuracy’);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (‘storage limitation’);
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2. Identity and contact details of the controller

A. Primary controller

Bracht, Deckers & Mackelbert NV (B.D.M. NV or BDM)
Entrepotkaai 5
2000 Antwerpen

BDM acts as the controller with respect to the personal data that it either processes itself or that it outsources for processing.

B. Secondary controllers

BDM also acts as the underwriting agent for those insurer(s) it represents, hereinafter referred to as the insurance pool companies. These insurance pool companies receive certain personal data, in accordance with their contractual agreements with BDM, that is required within the scope of business operations and their statutory obligations as insurers. You can contact BDM’s data protection officer to find out which insurers are part of the insurance pool, what personal data they receive and who their data protection officers are. You can also find the details of the insurance pool companies in your policy special terms and conditions.

BDM can also act on behalf of those insurance pool companies that are the leading insurer, and therefore as the mandatory for co-insurers. These co-insurers will normally receive all the information (including personal data) for policies and claims in which they have a stake. You can contact BDM’s data protection officer to find out who the co-insurers are, what personal data they receive and who their data protection officers are. You can also find the details of the co-insurers in your policy special terms and conditions.

3. Contact details of the data protection officer

Data protection officer:

BDM
Entrepotkaai 5, 2000 Antwerpen
tel. +32 3 242 09 36
e-mail: privacy [at] bdmantwerp.be

4. Purposes for which the personal data is processed and legal basis for the processing

A. Purposes of the processing

BDM acts as an underwriting agent.

An underwriting agent is an insurance intermediary that, as the mandatory for multiple insurance companies, has multiple mandates that allow it to underwrite risks presented by insurance intermediaries in the name of and on account of the insurance companies it represents.

As an underwriting agent, BDM processes personal data for the following purposes:

  • Providing and managing insurance services, including acceptance and pricing, risk analysis, compiling loss statistics, the administrative management of insurance policies, collecting premiums and paying compensation, dispute management and reinsurance
  • Customer management, including debt management, assessing creditworthiness, records of previous agreements, transactions already completed and invoices
  • Statistical research, for the purpose of further refining our product range on the basis of specific target markets (monitoring products and governance arrangements), reviewing pricing on the basis of historical claims ratios and restructuring portfolios
  • Preventing and detecting fraud, preventing and detecting abuse or improper use of insurance policies (through the non-payment of premiums, reporting false claims, etc)
  • Complying with international, supranational and national legislation, such as preventing and detecting the contravention of international, supranational and national legislation (including the contravention of trade and economic sanctions) and identifying the ultimate beneficiary or beneficiaries of an insurance policy
  • Marketing, to the extent that such concerns personal data provided in a business-to-business relationship (such as the personal contact details of an insurance broker).

B. Legal grounds for processing personal data

BDM processes your personal data on the basis of one or more of the following legal grounds:

  • CONTRACT: It is necessary to process personal data in order to perform a contract to which you are party or to implement measures at your request prior to concluding a contract.
  • PERMISSION: You have consented to the processing of your data for one (or more) specific purposes.
  • If you provided personal data to BDM that it did not (explicitly) request, BDM shall process this data on the basis of the implicit consent that is contained in the provision of this data, and shall observe the objective that you envisaged when providing your personal data.
  • You can withdraw your consent at any time. If there are no other legal grounds for processing the data when consent is revoked, BDM shall delete that personal data. However, revocation of consent shall have no bearing upon the legitimacy of the processing prior to that revocation.
  • STATUTORY OBLIGATION: It is necessary to process personal data in order to comply with the obligation that BDM or that the insurance pool companies or co-insurers it represents are subject to.
  • VITAL INTERESTS: It is necessary to process the personal data in order to protect your vital interests or those of another natural person, should you not be physically or legally able to provide consent.
  • COMPELLING PUBLIC INTEREST: It is necessary to process the personal data for reasons of substantial public interest under Union or Member State law, where the proportionality to the endeavoured objective is guaranteed, the substantive content of the right to the protection of personal data is respected and suitable and specific measures are implemented for the purpose of protecting the fundamental rights and interests of the data subject.
  • LEGITIMATE INTERESTS: It is necessary to process personal data for the purposes of the legitimate interests of BDM, the insurance pool companies or co-insurers it represents, or a third party.

We regard the following legitimate interests as being able to play a role in this respect:

  • The legitimate reliance of interested third parties on professional policy and claims management. When it comes to processing personal data, the ability of an insurer to perform its obligations is dependent on the consent of the policyholder as well as contractual and also statutory obligations. Even in the absence of a direct contractual relationship, a third party non-policyholder must be able to be certain that certain of his/her personal data will be properly processed by BDM (such as a third-party beneficiary or a witness).
  • The interest of BDM and its customers/policyholders in respect of detecting and preventing (insurance) fraud that BDM and its customers/policyholders could fall victim to. BDM has an interest (as other underwriters and insurers do) in the perpetrators of fraud being identifiable. BDM’s other policyholders also have an interest in that, as they deserve protection against the risk of financial losses on the part of BDM due to scams or fraud.
  • The financial necessity for BDM of being able to correctly identify defaulters so that financial losses can be minimised (for example, non-payment of premiums). BDM has an interest (as other underwriters and insurers do) in defaulters being identifiable. BDM’s other policyholders also have an interest in that, as they deserve protection against the risk of financial losses on the part of BDM due to unpaid premiums.
  • Statistical research. It is of financial interest to BDM to be able to process personal data so that it can compile statistics for the purpose of analysing risks in order to make the correct and properly-priced underwriting decisions and amend our product range in respect of specific target markets and historic claims ratios.
  • Instituting, exercising, substantiating or defending against a legal claim.
  • Commercial purposes. In some cases personal data can be processed for commercial purposes. However, these cases will only involve personal data provided in a business-to-business relationship.

5. Recipients or recipient categories of personal data

A. BDM staff

Your personal data can be consulted within the company by BDM staff. However, it is ensured that only those persons that require access to your personal data as part of their job can actually access your personal data.

B. Insurance pool companies and co-insurers

Your personal data can be provided to insurance pool companies and co-insurers represented by BDM and their reinsurers, within the context of providing and managing insurance services. At your request, we shall provide you with a list of insurers concerned, their data protection officers and the personal data provided.

These insurers and reinsurers shall observe the necessary safeguards and statutory obligations with respect to your privacy.

C. Service providers within the context of policy and claims management

In performing its tasks BDM engages external service providers (including adjustors, inspectors, lawyers, medical advisors, loss adjustors, representatives in Belgium and correspondents abroad). Your personal data can accordingly also be provided to these service providers. These service providers shall observe the necessary safeguards and statutory obligations with respect to your privacy. BDM shall only provide that data required by these service providers for performing their tasks. BDM shall demand of these service providers that they implement the necessary technical and organisational measures in order to process your personal data in a secure and confidential manner.

D. Relevant parties within the context of policy and claims management

Your personal data can, within the context of policy and claims management, be provided to the following persons:

  • your insurance intermediary or representative (such as your insurance broker, lawyer, adjustor, a family member you have appointed, an administrator appointed by the courts, etc)
  • other insurance companies, their representatives in Belgium, their correspondents abroad, their reinsurers, their loss adjustors, their inspectors, their lawyers and/or their medical advisors
  • judicial bodies and/or law enforcement authorities
  • opposing parties and third parties and their representatives
  • the policyholder listed in the applicable policy terms and conditions
  • any person or entity seeking redress or from which redress is sought under a claim

BDM shall always ensure that only that personal data necessary or relevant to those parties is provided.

▸ Within the scope of its insurance services, BDM shall always endeavour to communicate with you through your insurance intermediary. Subject to your express objection, this insurance intermediary shall also be provided with your personal data.

E. Recipients within the context of combatting and preventing fraud and countering insurance abuse

BDM can, within the context of combatting and preventing fraud and countering insurance abuse, store your personal data in an internal database and provide it to DATASSUR. You will be informed thereof by DATASSUR and can always demand access to or the correction of the provided data from DATASSUR, de Meeûsplantsoen 29, 1000 BRUSSELS.

F. Recipients within the context of compliance with international, supranational and national obligations

In order to comply with international, supranational and national obligations in respect of, inter alia, verifying that parties comply with trade and economic sanctions and identifying the ultimate beneficiary or beneficiaries of an insurance policy, BDM can provide your personal data to service providers. These service providers shall observe the necessary safeguards and statutory obligations with respect to your privacy. BDM shall only provide that data required by these service providers for performing their tasks. BDM shall demand of these service providers that they implement the necessary technical and organisational measures in order to process your personal data in a secure and confidential manner.

G. Recipients on the grounds of supranational and national obligations

In some cases BDM can be obliged to provide, pursuant to the applicable supranational and national legislation, your personal data to official bodies within the European Union.

H. The data protection officer

In some cases the data protection officer can, within the context of performing his/her statutory tasks, access your personal data.

6. Transferring personal data to third-party countries or an international organisation

BDM will only transfer personal data directly to parties located in countries outside of the European Union in the following cases:

  • There is an adequacy decision on the part of the European Commission in place
  • Suitable safeguards are provided and you have enforceable rights and effective legal remedies
  • As a result of a judicial ruling or one by an administrative authority, which is enforceable under international agreements
  • You have consented to your personal data being transferred
  • Such a transfer is necessary for the performance of your contract or to implement precontractual measures
  • Such a transfer is necessary to conclude or perform an agreement concluded in your interest
  • The transfer is necessary due to important grounds of public interest
  • The transfer is necessary for the establishment, exercise or defence of legal claims
  • The transfer is necessary for protecting the vital interests of a person and the data subject is unable to provide consent
  • On the basis of the legitimate interests of BDM or an insurance pool company or co-insurer, in which event BDM shall inform both you and the supervisory authority.

7. Period for which the personal data will be stored

As a rule, your personal data will be stored by BDM for the following periods:

  • Within the context of providing and managing insurance services, including acceptance and pricing, risk analysis, compiling loss statistics, the administrative management of insurance policies, collecting premiums and paying compensation, dispute management and reinsurance:
  • For the purpose of managing a claim: the longest of the following periods: either for up to 10 years or after the claim has been definitively closed or until all options for a legal action with respect to the claim become time-barred
  • For the purpose of managing a policy: the longest of the following periods: either 10 years after the end of the period of cover provided by the policy or for up to 10 years after the definitive closure of all claims under the policy or until all options for a legal action with respect to the claims under the policy become time-barred
  • For collected precontractual information, after which the contract was concluded: up to 3 years after this information is provided
  • Within the context of customer management, including debt management and assessing creditworthiness, records of previous agreements, transactions already completed and invoices: until all options for legal action with respect to the unpaid premiums become time-barred
  • In the context of statistical research, for the purpose of further refining our product range on the basis of specific target markets (monitoring products and governance arrangements), reviewing pricing on the basis of historical claims ratios and restructuring portfolios: for that period applicable for the policies and claims (see above), after which this data can be stored for an additional period of 10 years in pseudonymised form
  • Within the context of preventing and detecting fraud, preventing and abuse or improper use of insurance policies (through the non-payment of premiums, reporting false claims): in accordance with the storage periods employed by DATASSUR, de Meeûsplantsoen 29, 1000 Brussels
  • Within the context of compliance with international, supranational and national legislation, such as preventing and detecting the contravention of international, supranational and national legislation (including the contravention of trade and economic sanctions) and identifying the ultimate beneficiary or beneficiaries of an insurance policy: for the storage periods applicable for policies and claims (see above), insofar as a policy or claim is concerned, unless the relevant statutory or regulatory provision prescribes a longer storage period
  • Within the context of marketing, to the degree that the personal data concerned was provided in a business-to-business relationship (such as the personal contact details of an insurance broker): for the duration of our commercial relationship with that company, plus one year
  • Personal data not connected to a file or policy and that was lawfully obtained by BDM: if this personal data was provided to us by a policyholder or the policyholder’s insurance intermediary for the purpose of providing and managing insurance services, then that data is stored for the storage period applicable to policies and claims (see above), insofar as a policy or claim is concerned

8. Your rights as a data subject

In order to exercise your rights, please send an email to the data protection officer:

BDM
att: the data protection officer
Entrepotkaai 5, 2000 Antwerpen
tel. +32 3 242 09 36
e-mail: privacy [at] bdmantwerp.be

A. Identification for the purpose of exercising your rights

You have certain rights when it comes to the processing of your personal data. In order to exercise these rights, BDM must naturally be able to identify you in its systems.

If your personal data was only saved in an unidentifiable manner in BDM’s files, then BDM is unable to guarantee that you can be traced. If that is the case, you are unable to exercise your rights.

(a)      You are the policyholder

If you enter into a contract with BDM then your most important data will be stored in a structured and identifiable manner so that BDM can rapidly provide you with contract-related information. Certain additional information, within the scope of policy and claims management, will be stored in a non-identifiable manner. By linking this data to your contract, it can also be traced at your request.

If you, the policyholder, exercise your rights vis-à-vis BDM as a data subject (see below), then BDM could inform your insurance broker thereof.

(b)       You are not a policyholder but you are listed in the policy or claim

Your data will be processed within the scope of a specified policy or claim. In principle you are not identifiable in BDM’s systems, but you can be traced using the specific policy or claim.

BDM will store your data in an identifiable manner when:

  • BDM processes your personal health data.
  • The BDM collaborator who processes your data wishes to trace you as a party to a policy or claim.
  • At your explicit request.

The identifiable personal data that is stored may only pertain to the following information:

  • Identifiable personal data: name, title, (home and work) address, (home and work) telephone number, (home and work) email
  •   Personal details: preferred language (Dutch, French or English), date of birth
  •   Identifiable financial data: bank account number (IBAN and/or BIC)

The additional personal data will be stored in a non-identifiable manner and can be provided to you by linking it to a policy or claim.

(c)       You are not a policyholder and are not listed in the policy or claim

This will only be the case in the event of the following:

  •   BDM was provided with information in order to conclude a contract, but the contract was not concluded. In these cases your data will   be stored in a non-identifiable manner. Your data can however still be manually traced during the storage period provided for.
  •   An application was made to BDM within the context of its insurance activities, but it believes that a policy or claim cannot be opened. Your data will be stored in a non-identifiable manner for the storage period provided for.

You are entitled at any time to request that BDM store your data in an identifiable manner.

 

(d)       You are a professional partner of BDM

The only personal data is that which is provided to BDM within the context of professional communications. This data will be identifiable.

If you believe that this personal data should be erased or blocked, then you can contact BDM in that respect.

B. Right of access

You have the right to obtain confirmation from BDM on whether or not your personal data is processed and to gain access to the following information:

  • The purposes of the processing
  • The personal data categories involved
  • The categories of recipients to whom the personal data has been or will be disclosed
  • The storage period
  • Information on the source of the data
  • Information on your rights
  • Information on whether or not automated decision-making exists
  • The appropriate safeguards if your data is transferred outside of the EU

You can request a copy of your processed personal data free of charge.

Please note that this means just a copy of your personal data and not of the files or documents in which this data is included.

C. Right to rectification

You have the right to obtain the immediate rectification of your personal data that is incorrect.

You also have the right to have incomplete personal data completed.

D. right to erasure

You have the right to demand the erasure of your data in the following cases:

  •             The personal data is no longer required for those purpose for which it was collected;
  •             You withdraw your consent and BDM has no other legal basis for processing your personal data;
  •             When you assert your right to object and there are no overriding legitimate grounds for the processing;
  •             Your personal data was unlawfully processed;
  •             Your personal data must be erased in order to comply with a statutory obligation to which BDM or its joint controllers is subject.

In spite of the above, your personal data will not be erased if the processing is required:

  •             For exercising the right of freedom of expression and information;
  •             For performing a statutory processing obligation to which BDM or its joint controllers is subject;
  •             For the establishment, exercise or defence of legal claims;
  •             For statistical purposes.

E. Right to restrict processing

You have the right to demand the restriction of the processing of your personal data in the following cases:

  •            You dispute the accuracy of the personal data: the processing will be restricted for the period required to verify the accuracy of the personal
                data;
  •             The processing is unlawful, but you object to the erasure of your personal data and demand that its usage be restricted;
  •             BDM or its joint controllers no longer need the personal data for the purposes of the processing, but you require it for the establishment,
                exercise or defence of legal claims;
  •             Pending the response to you exercising your right to object.

If the processing of your personal data is restricted due to the above reasons, BDM shall only be able to further process it on the basis of the following grounds:

  •             You consented to the processing;
  •             For the establishment, exercise or defence of legal claims;
  •             For the protection of the rights of another natural person or legal person;
  •             For reasons of important public interest of the Union or of a Member State.

If BDM or its joint controllers revoke the processing restriction, you will be informed thereof.

F. Right to object


(a)       Right to object to the processing on the basis of the ‘legitimate interests’ legal ground

You have the right to object to the processing of your personal data at all times on the grounds of reasons specific to your situation, with such on the basis of the ‘legitimate interests’ legal ground, including with respect to profiling on the basis of these interests.

BDM and its joint controllers shall then cease the processing, unless they demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or that pertain to the establishment, exercise or defence of legal claims.

(b)       Right to object to direct marketing

BDM shall only use personal data for direct marketing that was provided to it for the purpose of professional communications within the context of its insurance activities.

You have the right to object hereto at any time. BDM shall also provide an opt-out option in its commercial communications.

G. Right to data portability

You have the right to demand the transmission of your personal data, in a structured, commonly-used and machine-readable format, to another party if:

  • The processing is dependent on your consent or your contract and
  • The processing is dependent on automated procedures.

The insurance companies have reached agreements on what data must be transferred. That means that when you request that data be transferred to another insurer, only that data agreed-to between the insurance companies shall be transferred. Additional personal data will only be provided at your explicit request. You will be provided with information in this respect when exercising your right to data portability.

H. Complaints

If you have any complaints, you can approach the listed data protection officer.

You are also always entitled to submit a complaint to a supervisory authority. The supervisory authority for Belgium is the Privacy Commission (Commissie voor de Bescherming van de Persoonlijke Levenssfeer), Drukpersstraat 35, 1000 Brussels (https://www.privacycommission.be/nl).

9. Obligation to provide personal data

In some cases you could be required to provide specific personal data.

If you are a policyholder or insured party, we refer you to the policy terms and conditions and the provisions and/or references to statutory laws it contains.

The following statutory obligations are of particular concern:

  • Art. 58 of the Law of 4 April 2014 on insurance: the policyholder is obliged to accurately provide all information that could affect the risk assessment when taking out a policy (the penalty in the event of noncompliance is contained in art. 59-60 of the same law).
  • Art. 74 of the Law of 4 April 2014 on insurance: the insured party is obliged to, as soon as possible and in any event within the period provided for in the agreement, report the claim to the insurer. The insured party must also forthwith provide all useful information and respond to any questions asked (the penalty in the event of noncompliance is contained in art. 76 of the same law).

If you are not a policyholder or insured party, then please refer to any agreements you concluded with BDM or the insurance pool companies or co-insurers.

If you, as the party suffering damage, wish to lodge a claim within the scope of an insurance contract taken out through BDM, then also refer to the law of general application, under which the burden of proof falls on the party suffering damage. You shall have to provide the relevant data in order to substantiate your claim.

If you have any questions in this respect or require further clarification on the actual contractual provisions and/or legislative texts, then please contact the listed data protection officer.

10. How to provide your personal data to BDM

You can provide us with your general personal data (name, address, etc) using the proposal form that your insurance broker makes available to you.

Should you wish to provide us with medical data then, for the purpose of treating it confidentially, we ask you to preferably provide it to us in one of the following ways:

a)         If it is within the scope of managing your insurance policy (outside of the management of claims):

  • By post, in a sealed envelope clearly marked ‘CONFIDENTIAL - B.D.M., M-data Production Department, Entrepotkaai 5, 2000 Antwerp’.
  • By email to medicaldata-production [at] bdmantwerp.be .

b)         If it is within the scope of managing a claim:

  • By post, in a sealed envelope clearly marked ‘CONFIDENTIAL - B.D.M., M-data Claims Department, Entrepotkaai 5, 2000 Antwerp’.
  • By email to medicaldata-claims [at] bdmantwerp.be .

Should you wish to provide us with data concerning criminal convictions and offences, then, for the purpose of treating it confidentially, we ask you to preferably provide it to us in one of the following ways:

a)         If it is within the scope of managing your insurance policy (outside of the management of claims):

  • By post, in a sealed envelope clearly marked ‘CONFIDENTIAL - B.D.M., S-data Production Department, Entrepotkaai 5, 2000 Antwerp’.
  • By email to judicialdata-production [at] bdmantwerp.be .

b)         If it is within the scope of managing a claim:

  • By post, in a sealed envelope clearly marked ‘CONFIDENTIAL - B.D.M., S-data Claims, Entrepotkaai 5, 2000 Antwerp’.
  • By email to judicialdata-claims [at] bdmantwerp.be .

11. Automated decision-making

BDM only performs profiling within the context of the segmentation permitted under the law when an insurance contract is concluded. You can see these segmentation criteria on our website https://www.bdmantwerp.be/en/downloads/document-type/segmentation-criter...

BDM undertakes that a member of staff will always be able to deal with your insurance application. You can approach this member of staff through your broker to ask any questions or comments you have on the segmentation.

12. Cookie policy on the BDM website (www.bdmantwerp.be )

A. What are cookies?

A cookie is a small text file that is stored on your computer or mobile device by a website’s server when you visit a website. The cookie contains a unique code that means we can recognise your browser when visiting the website (known as a ‘session’ cookie) or during later revisits (a ‘permanent' cookie). Cookies can be installed by the server of the website you visit or by partners of that website. A website's server can only read the cookies it has installed itself, and has no access to other information found in your computer or mobile device. Cookies are stored in the folder of your browser on your computer or mobile device. A cookie usually consists of the name of the server that placed the cookie, an expiry date, and a unique number code.

Cookies generally make the interaction between the visitor and the website faster and easier, and help the visitor navigate between the different parts of a website. Cookies can also be used to make the content or advertisements on a website more relevant for the visitor, and can be adapted to his/her personal tastes and needs.

B. Use of cookies on BDM’s website

We use different types of cookies on BDM’s website

  1. Essential cookies: these cookies are essential for visiting our website and for using specific parts thereof. For example, these cookies allow you to navigate between the different parts of the website, complete forms, etc. Cookies are also essential when you wish to log into your personal account in, for example, the secured brokers’ zone and we must safely verify your identity before giving you access to your personal information. If you decline to accept these cookies, certain parts of the website will either not function or not function in full.
  2. Functional cookies: functional cookies are cookies that facilitate the functioning of our website and make it a more pleasant experience for the visitor, and ensure that you have a more personalised browsing experience. These include the cookies that remember your choice of language and your customer segment, or whether you were already asked to participate in a survey, so that you are not asked to repeat the survey every time you visit our website. When you log into the secured brokers’ zone a cookie is installed on your browser that allows us to recognise you as a visitor to our website and to adapt the content of our welcome page to your personal situation, even when you do not log into the secured brokers’ zone the next time you visit.
  3. Performance cookies: we use performance cookies to collect information on how visitors use our website for the purpose of improving the content of the website, adapt it to what the visitors want and to make it more user-friendly. For example, there is a cookie that counts the number of unique visitors and another one that records which pages are the most-visited. We use Google Analytics to analyse the website use, which also makes use of cookies for that purpose.
  4. Share buttons Our website can contain ‘share’ buttons that make it easy for users to share articles with contacts on third-party websites such as Facebook, Twitter and LinkedIn. These sites could use session and permanent cookies, installed through the share buttons, in order to improve their services (which includes understanding interactions between users or for tracking joint use and web traffic routing). Further information can be found in the FacebookTwitter and LinkedIn privacy policies.

C. Managing cookies

You can decline to accept cookies through your browser settings. You can delete the cookies already installed on your computer or mobile device at any time.

____________________________________________________________

[1]     Regulation (EU) 2016/679 of the European Parliament and of the Council OF 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.