Business Privacy Notice

Francais | Deutsch | English

Protecting your privacy is very important to us.

We are committed to:

  • protecting personal data that we receive when we provide our services to clients.
  • maintaining transparent practices and explaining how we collect, process, and share that data.

This Business privacy notice explains how and why PartnerRe Ltd, its subsidiaries and affiliates (“PartnerRe”, “we” or “us“) collect and use personal data when we provide our services as a reinsurance business. A full list of all PartnerRe entities is available at http://partnerre.com/about-us/offices/.

In this privacy notice:

you or your, refers to:

  • the individual whose personal data is being processed by us (e.g. the insured/policy holder, beneficiary, claimant or other person involved in a claim or relevant to a policy);
  • the individual acting as or working for a business partner (“Business Partner’s Employee”).

There are other terms in bold with specific meanings. Those meanings can be found here.

WHO IS PARTNERRE?

PartnerRe Ltd. is a leading global reinsurer that helps insurance companies reduce their earnings volatility, strengthen their capital and grow their businesses through reinsurance solutions. Risks are underwritten on a worldwide basis through the PartnerRe‘s three segments: P&C, Specialty, and Life and Health.

WHAT IS REINSURANCE?

Reinsurance is insurance that is purchased by an insurance company. Insurance companies may choose to purchase reinsurance in order to pass on part of their risks from insurance contracts to reinsurers, to actively manage their insured portfolio, be able to fulfil their obligations to indemnify under their insurance relationships and to remain solvent after major claims events, such as major disasters like hurricanes and wildfires. The insurance company that purchases the reinsurance policy is called a “ceding company” or “cedent” or “cedant” under most arrangements. The company issuing the reinsurance policy is referred simply as the “reinsurer“. When a reinsurer purchases insurance from a further reinsurer, this is called retrocession and the further reinsurer is referred to as the retrocessionaire.

In order to obtain reinsurance or retrocession, information, including your personal data, needs to be shared between different insurance market participants.

PartnerRe is committed to safeguarding that information.

APPLICATION OF LOCAL LAWS

This privacy notice is designed to provide compliance with the EU General Data Protection Regulation (GDPR).  This privacy notice is also designed to provide compliance with the California Consumer Privacy Act (CCPA) and other applicable U.S. state data privacy/protection acts.

Where relevant applicable local regulations require stricter standards than those described in this privacy notice, we will ensure compliance with those stricter standards.

If applicable law provides for a lower level of protection of personal data than that established by this privacy notice, then this privacy notice shall prevail.

WHAT DATA DO WE COLLECT ABOUT YOU (YOUR PERSONAL DATA)?

The type of personal data we collect and process includes any of the below (where permitted by law):

Types of Personal dataDetails
Personal details Name, address (including proof of address), other contact details (e.g. email addresses and telephone numbers), gender, marital status, date and place of birth, age, nationality, height and weight, leisure activities and interests
Your family health or morbidity history, number of children and name, age and gender of children, your dwelling type
Identification detailsIdentification numbers issued by government bodies or agencies, including your social security number (or local equivalent), passport number, tax identification number and driving license number
Employment and experience informationYour employment history, employer, job role, salary, employment benefit options, educational background and any professional licenses and qualifications
Financial informationBank account or payment card details, income, investment/savings or other financial information including household income, home valuation and household demographics
Risk details Information about you which we need to collect in order to assess the risk to be insured and provide a quote. This may include data relating to your health, criminal convictions, or other special categories of personal data. For certain types of policy, this could also include telematics data.
Policy informationInformation about the quotes you receive and policies you take out
Credit and anti-fraud dataCredit history, credit score, sanctions and criminal offences, and information received from various anti-fraud databases relating to you
Previous and current claims Information about previous and current claims, (including other unrelated insurances), which may include data relating to your health, criminal convictions (but only where it is lawful to collect this data), or other special categories of personal data and in some cases, surveillance reports
Special categories of personal dataCertain categories of personal data which have additional protection under the GDPR. The categories are health (such as your and your family medical history, genetic test results and information, prescription history, death certificate and reports on medical diagnoses, tests and treatment), criminal convictions (but only where it is lawful to collect this data), racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric (fingerprint and voiceprint), or data concerning sex life or sexual orientation

WHERE DO WE COLLECT YOUR PERSONAL DATA FROM?

We collect your personal data from various sources, including:

  • You
  • Your insurer
  • Other insurance market participants;
  • Anti-fraud databases, sanctions lists, court judgements and other public databases;
  • In the event of a claim, third parties including the other party to the claim (claimant / defendant), witnesses, experts (including medical experts), loss adjustors, solicitors, and claims handlers;
  • From third party evidence providers;
  • From healthcare service providers;
  • From financial institutions;
  • From pension processing platforms; or
  • Directly from an individual.

Which of the above sources apply will depend on your particular circumstances.

With the exception of a Business Partner’s employee, we do not normally collect personal data from you directly. There might be instances where certain tools allow for data supplied by you directly to the insurer to be automatically provided to us. We also collect personal data if you voluntarily supply it to us, for example by sending us an email.

FOR WHAT PURPOSES DO WE USE YOUR PERSONAL DATA?

We use your personal data primarily only to the extent that it is necessary for the purposes of reinsurance, and only for the purpose for which it was originally collected and any other permissible, related purpose:

  • to provide our services and fulfil our contractual obligations to clients and other third parties; [1, 3, 4, 6]
  • to review, process and manage claims; [1, 3, 4, 6]
  • to conduct data analysis, which helps us assess risks, price our products appropriately and improve our services; [3, 7]
  • to carry out background checks and help up prevent and detect fraud, money laundering, terrorism and other crimes; [2, 3]
  • to help research and develop new and improve existing services and products; [3]
  • to operate and expand our business activities; [3]
  • to perform administrative activities in connection with our services; [3]
  • to exercise, defend and protect our legal rights or the rights of our clients or third parties; [3, 5]
  • to comply with legal obligations and to cooperate with regulatory bodies to which we are subject; [2]
  • to audit our business; [3]
  • for books of business transfers, company sales & reorganisations; [3] and
  • for marketing purposes (e.g. newsletters, surveys, clients events, etc.) (for Business Partner’s Employee only). [3]

The list above also indicates, by numbers at the end of each category corresponding to the list in the section below “WHAT ARE THE LEGAL BASES ON WHICH WE USE YOUR PERSONAL DATA?”, the legal basis for which we process your personal data (depending on the circumstances). Some of the bases for processing will overlap and there may be several grounds which justify our use of your personal data.

WHAT ARE THE LEGAL BASES ON WHICH WE USE YOUR PERSONAL DATA?

We are committed to processing your personal data fairly and lawfully and only to the extent necessary to achieve the purposes listed above.

We must have a legal basis to process your personal data. In most cases, our ability to obtain and process your personal data is based on one of the following legal bases:

Legal basesDetails
For processing personal data
1.    ConsentWhere consent is legally required to process your personal data, your insurance provider (or the organization that collected your personal data) will obtain consent from you.
2.    Compliance with a legal obligation Processing is necessary for compliance with our legal obligations, such as due diligence and reporting obligations, and responding to requests from our regulators.
3.    For our legitimate business
interests
Processing is necessary for our legitimate business interests as a data controller and reinsurer to provide our services to clients, to improve our services, to ensure we price our products appropriately, to manage risk, to manage our business efficiently, to perform audits, to maintain accurate records, and your interests and fundamental rights do not override those interests. 
For processing special categories of personal data
4.    ConsentWhere consent is legally required to process special categories of your personal data, your insurance provider (or the organization that collected your personal data) will obtain consent from you.You are free to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal by contacting the organization that collected your personal data. Withdrawal of this consent will however prevent us from continuing to provide the services to the insurance market participant and thus indirectly to you.
5.    For legal claimsProcessing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity.
6.    Local law authorizationProcessing is otherwise authorized by local law.
7.    For statisticsProcessing is necessary for compiling (re)insurance specific statistics, analytics and actuarial calculation (for example for the development of new products, tariffs).

WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

We share your personal data with third parties under the following circumstances:

PartnerRe group companies. We operate as a global business, so we share your personal data with group companies who use this data for the purposes described in this privacy notice.

Insurance market participants and financial institutions. We share your personal data with insurance market participants, financial institutions and business partners that use your personal data in connection with the provision of insurance and processing of claims.

Service providers. We share your personal data with service providers that perform services and other business operations for us, for example, IT and analytics providers, medical specialists and hospitals, actuarial service entities, auditors and advisers.

Any law enforcement agency, court, regulator, government authority or professional body. We share your personal data with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party.

Asset purchasers/ mergers and acquisitions. We share your personal data with any third party that purchases, or to which we transfer, all or substantially all of our assets and business or with whom a restructuration transaction is contemplated. Should such a sale or transfer or restructuration occurs, we will use reasonable efforts to try to ensure that the entity to which we transfer your personal data uses it in a manner that is consistent with this privacy notice.

INTERNATIONAL TRANSFERS

We transfer your personal data to recipients located in countries outside the European Economic Area (EEA). These countries’ data protection laws may not offer the same level of protection for personal data as offered in the EEA.

Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections as EEA data protection laws. In such cases, EU data protection laws allow PartnerRe to freely transfer your personal data to such countries.

When we transfer your personal data to other countries outside the EEA (except in case where we send your personal data back to the third party who first shared it with us as part of the same contractual relationship), we establish legal grounds for such a transfer, mainly in the form of standard contractual clauses or other legal grounds permitted by applicable legal requirements.

To regulate intra group personal data transfers, PartnerRe has executed a master data transfer agreement. For more information on the appropriate safeguards in place, please contact us at the details contained in the “Contact us about data protection” section below.

RETENTION OF YOUR PERSONAL DATA

The time for which we retain your personal data depends on the type of information and the purposes for which we use it. We retain your personal data pursuant to a retention schedule that is designed to keep personal data only for so long as is necessary and for a reasonable period thereafter to allow us to investigate, commence or defend legal claims brought by or against us or our clients, comply with our regulatory obligations and conduct analysis.

We securely destroy personal data when they are no longer needed for the aforementioned purposes and its retention period has expired. In some circumstances we retain aggregated or anonymised data which can no longer be associated with you and is not treated as personal data under this privacy notice.

To support us in managing how long we hold personal data and our record management, we maintain a data retention policy which includes clear guidelines on retention and deletion.

We consider the following criteria when determining how long a particular record will be retained, including any personal data contained in that record:

  • How long the record is needed to provide the requested products
  • How long the record is needed to support and enhance our operational processes
  • How long the record is needed to protect our rights and legal interests
  • How long the record must be retained to comply with applicable laws and regulations

The same personal data about you may be included in more than one record and used for more than one purpose, each of which may be subject to different retention periods based on the factors listed above.

PROTECTION OF YOUR PERSONAL DATA

We implement technical and organisational measures to ensure a level of security appropriate to the risk to the personal data we process. These measures are aimed at ensuring the on-going integrity and confidentiality of personal data. We evaluate these measures on a regular basis to ensure the security of the processing.

AUTOMATED DECISION MAKING AND PROFILING

Profiling

We collect your Personal data and compile the information received about you to analyze and predict aspects concerning your personal characteristics (such as but not limited to risk, behavior, preferences) as an insurance buyer, claimant or beneficiary of an insurance cover. We automatically process your Personal data using software.

Automated decision making

We currently do not take any automated decisions that will affect your ability to obtain or claim for insurance cover with an insurance company. Nevertheless, your Personal data may be used to derive profiles as described above. These profiles may become the basis of automated decision making.

YOUR RIGHTS

(Residents of California and other U.S. states with specific comprehensive privacy laws shall refer to “Your rights under state-specific privacy laws”)

If you have any questions in relation to the use of your personal data or would like to exercise any of the following rights, you should first contact the data protection contact of the relevant participant (as specified under IDENTITIES OF DATA CONTROLLERS SECTION). Under certain conditions, you have the right to ask us to:

  • provide you with further details on the use we make of your personal data/special category of data;
  • provide you with a copy of the personal data that you have provided to us;
  • update any inaccuracies in the personal data we hold;
  • delete any special category of data/personal data that we no longer have a lawful ground to use;
  • where processing is based on consent, withdraw your consent so that we stop that particular processing; Withdrawal of your consent will not affect the lawfulness of processing based on consent before its withdrawal but will prevent us from continuing to provide the services to the insurance market participant and thus indirectly to you.
  • object to any processing based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights;
  • receive your personal data in a usable electronic format and transmit it to a third party (right to data portability); and
  • restrict how we use your personal data whilst a complaint is being investigated.

In certain circumstances, we need to restrict the above rights in order to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege).

ADDITIONAL INFORMATION FOR U.S. RESIDENTS OF STATES WITH COMPREHENSIVE PRIVACY LAWS

This section is meant to provide supplemental or specific information for residents of California and certain other U.S. states regarding how we collect personal data and your rights regarding that information under respective state privacy laws.

How we collect personal data about you

The personal data we collect about you may include data within the categories below. These categories are defined by California law. Where we collect this data, the purposes for which we process it, and how we have disclosed personal data to third parties in the past 12 months are consistent with how we treat other data under this privacy notice as described above. We do not necessarily collect all data listed in a particular category, nor do we collect all categories of data for all individuals.

We have also shared data in each of the following categories with our affiliates and service providers for our business purposes within the last 12 months. As a reinsurance company, we may receive requests for data from regulatory authorities, our auditors and/or our legal advisors. If requested from such parties, we would share your personal data as appropriate.

We do not sell your personal data or share your personal data for “cross-contextual behavioral advertising,” as such term is defined under California law. We also do not sell or share your personal data for “targeted advertising”, as such term is defined under relevant state laws.

Depending on the circumstances, we may collect and process the following personal data about you:

  • Personal identifiers: such as name, title, addresses, email addresses, Internet Protocol address, account name, social security number (or local equivalent), passport number, tax identification number, driving license number, or other similar identifiers;
  • Other information about you: telephone numbers, income, investment/savings or other financial information including household income, tax status information, home valuation, household demographics, date of birth, physical and physiological data (e.g., height, weight), your family health or morbidity history, number of children and name, age and gender of children, your dwelling type, or other similar information;
  • Characteristics of classes protected under federal or California law: gender, marital status and dependents/relatives, age, nationality
  • Commercial information: such as records of personal property, products or services purchased, obtained, or considered, including information about the quotes you receive and policies you take out;
  • Professional or employment related information: such as your employment history, employer, job role, salary, employment benefit options, educational background and any professional licenses and qualifications; and
  • Recordings and usage information: information obtained through electronic means such as telephone recordings, internet usage data, and other information about your use of our information and communications systems.

We also collect what the California Consumer Privacy Act, and other state privacy laws, refer to as “sensitive personal data” (even though as with personal data more broadly, the California Consumer Privacy Act may not apply at all times). This data can include:

  • Social security, driver’s license, state identification card, or passport number;
  • Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership;
  • Biometric information for the purpose of uniquely identifying you;
  • Personal data collected and analyzed concerning a consumer’s health; or
  • Sexual orientation or other personal data concerning a consumer’s sex life.

Your rights under state-specific privacy laws

Depending on your state of residence, and subject to certain exceptions as set forth by law, you (or an authorized agent acting on your behalf) may have the right to ask us to:

  • provide you with details regarding the categories of personal data that we have collected;
  • provide you with details regarding the categories of sources from which personal data is collected;
  • provide you with details regarding the business or commercial purpose for collecting personal data;
  • provide you with details regarding the categories of third parties with whom we share personal data;
  • provide you with the specific pieces of personal data that we have collected about you;
  • provide you with details regarding the categories of personal data that we have disclosed about you for a business purpose;
  • delete the personal data that we have collected about you; and
  • correct inaccurate personal data.

You may also have the right to receive the details/data you request in a portable and readily usable format.

Depending on your residency, these rights may not apply to pseudonymous data if the information necessary to identify the consumer is kept separately and is subject to controls that prevent access to the information. Pseudonymous data is personal data that can no longer be attributed to a specific individual without the use of additional information, if the additional information is kept separately and is subject measures to ensure that personal data is not attributed to the specific individual.

Data solely retained for data backup or archive purposes is principally excluded from these rights until it is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.

Any disclosure(s) we make pursuant to your request under this Section will cover only data we collect and maintain on or after January 1, 2022.

In certain circumstances, we need to restrict the above rights in order to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege).

You have the right not to receive discriminatory treatment from us for exercising the rights conferred to you under the respective state privacy law.

If you would like to exercise any of the above state-specific rights, you (or an authorized agent acting on your behalf) can e-mail us at [email protected], or call us at 1-800-261-3164.Depending on where you reside, you may be entitled to make either one or two  requests per calendar year, free of charge. You will be charged a fee for subsequent requests exceeding this limit. Under applicable privacy law, and for the protection of your personal data, we may be limited in what personal data we can disclose.

Upon receipt of a request from you exercising any of the above-listed rights, we will need to verify your identity.  To do so, we will send you a pre-assessment form within 10 business days of receiving your request.  Such pre-assessment form will, among other things, request certain contact information and ask that you certify that you are either the consumer whose personal information is the subject of the request or the authorized representative of such consumer.

YOUR RIGHT TO COMPLAIN TO THE SUPERVISORY AUTHORITY

If you are not satisfied with our use of your personal data or our response to any request by you to exercise any of your rights in YOUR RIGHTS or Your rights under state-specific privacy laws, or if you think that we have breached the GDPR or any other applicable data privacy law or regulation, then you may have the right to appeal our decision or complain to your local supervisory authority (i.e. the supervisory in the jurisdiction where you live or work) or the supervisory authority of the jurisdiction where you believe an infringement of data protection laws has occurred. Each supervisory authority may have a different process for lodging complaints so we encourage you to contact the relevant supervisory authority first to check this.

IDENTITIES OF DATA CONTROLLERS

Important note:
The insurance lifecycle involves the sharing of your personal data between insurance market participants, some of which (like us) you will not have direct contact with. In addition, your personal data may not have been collected directly by an insurance market participant. You can find out the identity of the initial data controller of your personal data within the insurance market life-cycle in the following ways:

  • Where you took out the insurance policy yourself: the insurer and, if purchased through an intermediary, the intermediary will be the initial data controller and their data protection contact can advise you on the identities of other insurance market participants that they have passed your personal data to.
  • Where your employer or another organisation took out the policy for your benefit: you should contact your employer or the organisation that took out the policy who should provide you with details of the insurer or intermediary that they provided your personal data to and you should contact their data protection contact who can advise you on the identities of other insurance market participants that they have passed your personal data to.
  • Where you are not a policyholder or an insured: you should contact the organisation that collected your personal data who should provide you with details of the relevant participant’s data protection contact.

Where your personal data is processed in connection with the services provided by PartnerRe under an engagement with an insurance market participant, the relevant PartnerRe entity that has entered into such engagement with the relevant insurance market participant shall be the controller in respect of the personal data.

PartnerRe Ltd, located at Wellesley House South, 90 Pitts Bay Road, Pembroke HM08, Bermuda is the controller in respect of the personal data we receive in connection with your use of the PartnerRe website. Please refer to our Web Privacy and Cookie Policy and our Terms of Use.

CONTACT US ABOUT DATA PROTECTION

If you have questions or concerns regarding the way in which your personal data has been processed, please contact our Data Protection Officer at [email protected] or call or write to us.

Bermuda:

Wellesley House South
90 Pitts Bay Road
Pembroke HM08
Bermuda

Phone: +1 441 292 0888

Ireland:

3rd Floor, The Exchange

Georges Dock

IFSC

Dublin 1

Ireland

Phone: +353 1 637 9600

United States:

200 First Stamford Place

Suite 400

Stamford, Connecticut 06902

Phone: +1 203 485 4200

For all other postal addresses, please see https://partnerre.com/.

CHANGES TO THE PRIVACY NOTICE

We modify or update this privacy notice from time to time.

This privacy notice has been updated on June 30, 2023.

If we make changes to this privacy notice, we will update the date it was last changed and publish the revised privacy notice on our website.

GLOSSARY

Key insurance terms:

Beneficiary is an individual or a company that an insurance policy states may receive a payment under the insurance policy if an insured event occurs. A beneficiary does not have to be the insured/policyholder and there may be more than one beneficiary under an insurance policy.

Business partners: insurance market participants, lawyers, medical experts, accountants, auditors, loss adjusters, individual representative of corporate service providers, etc.

Claimant is either a beneficiary who is making a claim under an insurance policy or an individual or a company who is making a claim against a beneficiary where that claim is covered by the insurance policy.

Quotation is the process of providing a quote to a potential insured/policyholder for an insurance policy.

Insurance is the pooling and transfer of risk in order to provide financial protection against a possible eventuality. There are many types of insurance. The expression insurance may also mean reinsurance.

Insurance policy is a contract of insurance between the insurer and the insured/policyholder.

Insurance market participant(s) or participants: is an intermediary (broker), insurer, reinsurer, TPA, MGA, MGU, etc.

Insured/policyholder is the individual or company in whose name the insurance policy is issued. A potential insured/policyholder may approach an intermediary to purchase an insurance policy or they may approach an insurer directly or via a price comparison website.

Insurers: (sometimes also called insurance company or underwriters) provide insurance cover to insured/policyholders in return for premium. An insurer may also be a reinsurer.

Intermediaries (brokers) help policyholders and insurers arrange insurance cover. They may offer advice and handle claims. Many insurance and reinsurance policies are obtained through intermediaries.

MGA is a Managing General Agent and in insurance defined legally as an individual or business entity appointed by an insurer to solicit applications from agents for insurance contracts or to negotiate insurance contracts on behalf of an insurer and, if authorized to do so by an insurer, to effectuate and countersign insurance contracts.

MGU in insurance stands for Managing General Underwriter, which is used in life and health companies instead of managing general agent (MGA). The terms are used interchangeably, and there is little real distinction.

Premium is the amount of money to be paid by the insured/policyholder to the insurer in the insurance policy.

Reinsurers provide insurance cover to another insurer or reinsurer. That insurance is known as reinsurance.

TPA is a Third-Party Administrator, which is an organization that processes insurance claims or might administer other services such as underwriting, customer service, etc.

We, us or our refers to PartnerRe Ltd, its subsidiaries and affiliates.

you or your, refers to

  • the individual whose personal data is being processed by us (e.g. the insured/policy holder, beneficiary, claimant or other person involved in a claim or relevant to a policy);
  • the individual acting as or working for a business partner (“Business Partner’s Employee”).

Key data protection terms:

CCPA is the California Consumer Privacy Act of 2018, which regulates the collection, possession and sale of consumers’ personal data by businesses.

GDPR is the EU General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).

Personal data is any information relating to an identified or identifiable natural person ‘data subject’; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.  For California residents, it also includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular household.

Sensitive personal data is:

(1) Personal data that reveals:

(A) A data subject’s social security, driver’s license, state identification card, or passport number.

(B) A data subject’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.

(C) A data subject’s precise geolocation;

(D) A data subject’s racial or ethnic origin, religious or philosophical beliefs, or union membership.

(E)The contents of a data subject’s mail, email, and text messages unless the business is the intended recipient of the communication.

(F) A data subject’s genetic data.

(2)        (A) The processing of biometric information for the purpose of uniquely identifying a data subject.

(B) Personal data collected and analyzed concerning a data subject’s health.

(C) Personal data collected and analyzed concerning a data subject’s sex life or sexual orientation.

(3) Sensitive personal data that is “publicly available” is not be considered sensitive personal data.