Data Controller responsible for the Processing of the Personal Data
The personal data collected are processed by:
XL Insurance Company SE
AXA XL – A Division of AXA
8 St Stephen's Green
Tel: +353 1 607 5300
Fax: +353 1 607 5333
You can contact our Data Protection Officer by post at the address given in the document adding "- DPO -" to the address or via e-mail at: email@example.com
Personal data that may be processed
AXA XL collects and processes the personal data you have provided to us with regard to the conclusion of the insurance contract, and in this context, for the fulfillment of our contractual obligations and the appropriate handling of your claims. The conclusion and execution of the insurance contract or the processing of a claim are not possible without the processing of your personal data. We also need your personal data for quotation purposes.
We process, in particular, the following data and data categories:
- Master and contract data (e.g. name, address, contact details, marital status, occupation, start and expiry dates, details of the risk to be insured)
- Special categories of personal data (e.g. health data, personal data)
- Information about personal situations (e.g. creditworthiness data, material assets)
- Data on your claims and other data arising from the fulfilment of our legal obligations
- Data on contacts to you and on transaction processing
- Roles of the data subjects (e.g. policyholder, insured person, injured party, witness)
- Powers of attorney
- Data of prospects
The processing of special categories of personal data depends on the requirements of the insurance policy or the insurance services we provide (e.g. in the event of a claim settlement). Consents required in this regard, particularly pursuant to Art. 9 (2) (a) and Art. 7 GDPR, shall be obtained if necessary.
Purposes and Legal Bases of the Data Processing
AXA XL collects and processes personal data in accordance with the General Data Protection Regulation (GDPR), the Federal Data Protection Act ("Datenschutzgesetz" - DSG), the Federal Law on Insurance Contracts ("Versicherungsvertragsgesetz" - VVG) as well as all other generally applicable legal and regulatory provisions.
The personal data collected will be processed to manage and fulfill the insurance contract for which AXA XL is the insurer.
Your data is only used for the following purposes:
a) Performance of the insurance contract with AXA XL or pre-contractual inquiries relating to such a contract, including the processing and profiling necessary for risk assessment and fraud prevention, as well as quality and opinion surveys, particularly for the following purposes:
- Conclusion, administration (including commercial purposes) and fulfillment of your insurance contract and, in the event of a claim, for the assessment and settlement of the claim, the management of lawsuits and complaints, as well as evaluation, selection, review and pricing of the risk for the calculation of the insurance premium. Necessary medical data shall be processed in accordance with the guidelines on medical confidentiality and the protection of sensitive personal data.
- To perform appropriate checks and controls to assess the risk of fraud during the pre-contractual and / or contractual phase of the insurance contract and to assess your solvency.
b) Compliance with our legal obligations including the fight against money laundering and the financing of terrorism, by means of a system for monitoring contracts, which may lead to a notification or freeze of credit.
c) Compilation of insurance-specific statistics and issuing commercial communication referring to our own products and insurance services, including, where appropriate, the possible development of commercial profiles based on the legitimate interest of AXA XL in the context of the following purposes:
- Sending of information or advertisements (including the development of corresponding profiles), offers and promotions, gifts and loyalty rewards, or any other commercial action. Communications concerning our own insurance products and services are sent by mail, e-mail, telephone, SMS or other equivalent electronic means.
- Development of actuarial profiles and market analysis to improve our products and services.
- AXA XL is required by law to verify that your personal data is accurate, complete and, if necessary, up to date. We may ask you to verify this, or we may complete your dossier on our own (for instance, by storing your e-mail address, if you contacted us by e-mail).
d) Management of your insurance contract and our relationship based on the legitimate interests of AXA XL in the context of exceptional commercial transactions, such as mergers and other transactions, business sales, and due diligence.
Data Exchange and Recipients
The personal data collected may be forwarded to cooperation partners involved in the conclusion, administration and fulfillment of the contract:
- Other insurance companies or reinsurers
- Insurance intermediaries (e.g. brokers),
- Service providers (e.g., external consultants, asset managers).
Personal data may also be transmitted to:
- Members of the AXA Group, including those located outside the European Economic Area, in compliance with Binding Corporate Rules approved by the European Data Protection Authorities,
- Supervisory authorities (e.g., administration, regulator, courts)
- Affiliated partners, if you have consented.
If we transfer personal data to service providers outside the European Economic Area, to so-called Third Countries who do not provide a level of data protection comparable to those of the European Economic Area, a transfer will only take place in accordance with the applicable European directives and under consideration of the provisions in Art. 6 DSG.
AXA XL provides appropriate and suitable safeguards to ensure the protection of the personal data transferred.
Transfers within AXA Group are carried out on the basis of Binding Corporate Rules (BCR). AXA Group was the first insurance group to have BCR established and approved by 16 European Data Protection Authorities, including the CNIL (French Data Protection Authority). It is an internationally recognized procedure to ensure an adequate level of data protection for a multinational group (refer also to Art. 47 GDPR). These rules guarantee an inviolable minimum level of data protection applied by all AXA Group companies worldwide.
When transferring personal data to an organisation in a Third Country that is neither part of AXA Group nor has signed the BCR, AXA XL will ensure, in accordance with Art. 44 et seq. GDPR and Art. 6 DSG, an adequate level of data protection. In this context, acceptable guarantees are, in particular, EU standard contractual clauses within the meaning of Art. 46 GDPR, as well as adequacy decisions of the European Commission pursuant to Art. 45 GDPR.
The personal data is stored during the period required for the fulfillment of the business operations for which they were originally collected. If applicable, the retention period may be extended by means of statutory or regulatory periods or due to limitation periods.
For this reason, AXA XL adopted an internal policy on the retention of personal data, which regulates the deletion of data, by taking into account the statutory minimum and maximum retention periods.
Since retention periods may vary depending on the purpose of the processing, please refer to our Data Protection Officer in case of further inquiries.
Security Measures Taken for the Protection of Personal Data
AXA XL is committed to ensuring the security of your personal information by adapting technical and organisational measures in accordance with the applicable data protection regulations to ensure a level of security appropriate to the risk.
The AXA Group, which operates in over 50 countries, has committed itself to a policy and corporate governance dedicated to the protection of international personal data. This includes a stringent control of data transfers, in particular transfers outside the European Economic Area and its legal protection, for instance by systematically obtaining the necessary prior authorisations of the data protection authorities.
In the event that, in pursuance of its purposes, AXA XL needs to transfer data to a Third Country outside the European Economic Area, AXA XL will provide appropriate safeguards to ensure a good level of protection for such data.
We guarantee the processing of data in compliance with the regulations on medical confidentiality and the protection of sensitive personal data, such as health data.
Should a violation / impairment of your personal data result in an increased risk for your rights and freedoms, we shall inform you immediately.
Rights of the Data Subjects
Everyone whose personal data has been collected has the following rights:
a) The right to access the data at any time (Art. 15 GDPR, Article 8 (5) DSG), to have it rectified or completed (Art. 16 GDPR, Art. 5 (2) DSG), to have it deleted (Art. 17 GDPR, Art. 12 (2) (b) and Art. 15 (1) DSG), and to request the restriction of its processing (Art. 18 GDPR) or to oppose its processing (Art. 21 GDPR).
b) The right to data portability, i.e. to receive a copy of the personal data provided to AXA XL in a structured, commonly used and machine-readable format and to have it transmitted to another data controller, provided this does not infringe applicable data protection laws or violate the rights and freedom of other natural persons (Art. 20 (1) GDPR).
c) The right to request the restriction of the processing of personal data within the meaning of Art. 18 GDPR and Art. 12 (2) (b) and 15 (1) DSG. In this case, data from AXA XL will be retained solely for the purpose of enforcing or defending against claims.
d) The right to object to the processing of personal data in accordance with Art. 21 GDPR. In this case, AXA XL shall cease the processing unless it is required for compelling and legitimate reasons or to enforce or defend against claims.
e) The right to lodge a complaint with our data protection officer or one of the supervisory authorities mentioned below, if the data subject considers that the processing infringes data protection laws (Art. 77 GDPR and Art. 29 DSG).
Lead Supervisory Authority within the Meaning of Art. 56 (1) GDPR:
Data Protection Commission
(An Coimisiún um Chosaint Sonraí)
21 Fitzwilliam Square South
Supervisory Authority for the Performance of the Tasks and Exercise of the Competences in the Territory of the Swiss Confederation (Art. 55 GDPR, Art. 26 DSG):
Federal Data Protection Commissioner (EDÖB)
Tel: 0041 58 462 43 95
www.edoeb.admin.ch (Contact form)
Your rights expire with your decease. However, you may consider making dispositions regarding the storage or deletion of your personal information in case of your death.
These dispositions may be general or specific. Unless you have made any dispositions or in case of conflicting dispositions, your heirs may exercise your rights.
For further information about your rights refer to the website of the Federal Data Protection Commissioner (www.edoeb.admin.ch).
As of December 2019