By means of this privacy notice, we inform you about the processing of your personal data by AXA XL and the rights that have been granted to you in accordance with the applicable data protection legislation.
This information is also applicable in relation to the insured person. Where the insured person is not also the policyholder, the policyholder shall forward this information to the insured person.
In addition, this information also applies to third parties (e.g. legal representatives, plenipotentiaries, etc.) which have been authorised by the customer and to which this information has been forwarded.
Data Controller responsible for the Processing of your Personal Data
XL Insurance Company SE
AXA XL – A Division of AXA
8 St Stephen's Green
Tel.: +353 1 607 5300
Fax: +353 1 607 5333
You can contact our Data Protection Officer by post at the address given in the document adding "- DPO -" to the address or via e-mail at: email@example.com
Purpose and Legal Basis of the Data Processing
We process your personal data in compliance with the EU General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA), the applicable provisions affecting or ensuring data privacy within the Insurance Act 2015, as well as all other applicable laws.
When applying for an insurance contract, we require your personal information to conclude the contract and to assess the risks that would be assumed by us. Once the contract has been concluded, the personal data is processed within the performance of the contractual relationship, e.g. for policing or invoicing. Information related to claims is necessary to ascertain whether the incident leading to the claim has occurred and to assess the amount of damage.
The conclusion or the performance of the insurance contract, as well as the processing of a claim, are not possible without processing your personal data. This applies also to quotation purposes.
We also require your personal data to compile statistics that are specific to the insurance industry, for instance to develop new pricing models or to fulfil regulatory requirements. We use the data contained in all contracts entered into with an AXA company to review the entire customer relationship, for instance to advise on policy adjustments, additions, for goodwill decisions or to provide complete information.
The legal basis for the processing of personal data for pre-contractual and contractual purposes and the handling of claims is Article 6 (1) (b) GDPR. Where special categories of personal data (e.g. your health data) are required for this purpose, we will obtain your consent in accordance with Article 9 (2) (a) in conjunction with Article 7 GDPR. Where we use these data categories to compile statistics, we do so in accordance with Article 9 (2) (j) GDPR in conjunction with Section 19 DPA.
Moreover, we process your personal data to protect our legitimate interests or the legitimate interests of third parties. The legal basis for this is Art. 6 paragraph 1 (f) GDPR. This may be necessary in particular in the following cases:
- to guarantee IT security and IT operations including testing (where not required for the performance of the contract already),
- for the marketing of our insurance products and other products by AXA Group companies and their cooperation partners, as well as for market surveys and opinion polls, unless you have objected to the use of your data for this purpose,
- for the prevention and prosecution of criminal offenses, unless this is already subject to a statutory obligation; in particular, we use data analysis and research (also in publicly accessible sources) to detect indications of insurance fraud,
- for risk management within AXA XL and the AXA Group as a whole,
- for business management and the improvement of processes, services and products.
In addition, we process your personal data for the fulfilment of legal obligations such as regulatory requirements, storage periods required under commercial and fiscal law or for the fulfilment of our advisory duties. The basis for processing in this case is the applicable statutory provisions in conjunction with Article 6 paragraph 1 point (c) GDPR.
Where we wish to process your personal data for a purpose not mentioned above, we will inform you in advance within the framework of our legal obligations, including on our website www.axaxl.com/de.
Data and data categories
We process, in particular, the following data and data categories:
- Master and contract data (e.g. name, address, contact details, marital status, occupation, start and expiry dates, details of the risk to be insured)
- Special categories of personal data (e.g. health data, personal data)
- Information about personal situations (e.g. creditworthiness data, material assets)
- Data on your claims and other data arising from the fulfilment of our legal obligations
- Data on contacts to you and on transaction processing
- Roles of the data subjects (e.g. policyholder, insured person, injured party, witness)
- Powers of attorney
- Social insurance number, tax identification number
- Data of prospects
Categories of recipient of the personal data
We insure the risks we accept with special insurance companies (reinsurers). It may be necessary to submit your contract and possibly your benefit/claim data as well to a reinsurer so that it may form its own opinion of the risk or the claim. We may also obtain advice from the reinsurer AXA XL based on its particular expertise in risk or benefit assessment or in the evaluation of procedural matters. We only transmit your data to the reinsurer where it is necessary for the performance of our insurance contract with you, i.e. to the extent that is required to protect our legitimate interests.
Where you receive assistance from an intermediary regarding your insurance contracts, your intermediary will process the application, contract and loss data required to conclude and perform the contract. AXA XL also transmits this data to the intermediaries who are responsible for you, insofar as they require the information for your support and advice in their insurance and financial services matters.
Data processing within AXA Group:
Specialized companies or divisions within our group of companies are assigned central responsibility for certain data processing tasks for the group of affiliated companies. Where you have entered into an insurance contract with one or several companies in our group, your data may be processed centrally by a group company, for instance for the central management of address data, for telephone customer service, for the processing of contracts and benefits/claims, for collections/disbursements or for the central processing of mail. You will find the AXA companies participating in centralized data processing in the attached List of service providers. You can access the respective current version at any time at www.axaxl.com/de.
External service providers:
In some cases, we use external service providers in order to comply with our contractual and legal obligations as well as to pursue our legitimate interests. These include in particular: experts, appraisers, lawyers, loss adjustors, and fiscal representatives; service companies, especially regarding IT, postal, and document management services; advertisers and advertising networks to send you marketing communications, as permitted under local law and in accordance with your contractual preferences and consent.
In addition, we may transfer your personal data to other recipients, such as public authorities (e.g. due to statutory notification obligations to social insurance carriers, tax authorities or criminal prosecution authorities), credit institutions (e.g. to process payment transactions), or credit agencies (e.g. to check creditworthiness and assess risks).
Period of data storage
We erase your personal data as soon as it is no longer necessary for the purposes set out above. However, this period may be extended by statutory retention or limitation periods. For this reason, data retention with AXA XL is subject to an internal retention policy that governs the deletion of data, taking into account the statutory minimum and maximum periods. As these periods may vary according to the purpose of the processing, please contact our Data Protection Officer for further information.
Rights of the data subject
You may exercise the following rights at the address indicated in the application form:
- Confirmation and access to personal data stored about you (Art. 15 GDPR);
- Rectification or completion of inaccurate or incomplete data (see also Art. 16 GDPR);
- Immediate erasure of data concerning you (Art. 17 GDPR), or the restriction of the processing in accordance with Art. 18 GDPR, if deletion is not yet to be considered for reasons pursuant to Art. 17 para. 3 GDPR;
- Reception of the data concerning you, and which have been provided by you, in a structured, common and machine-readable format as well as transmission of those data to other providers/controllers (Art. 20 GDPR);
- Complaint to the supervisory authorities listed below, if you are of the opinion that the processing of personal data relating to you infringes any of the data protection regulations (Art. 77 GDPR).
Right to object
You have the right to object to the processing of your personal data for direct marketing purposes.
Where we process your data to pursue our legitimate interests, you may object to this processing on grounds relating to your particular situation that weigh against the data processing.
Data Protection Supervisory Authorities
The data protection supervisory authorities competent for us are:
As lead data protection supervisory authority within the meaning of Art. 56, 60 GDPR
Data Protection Commission
(An Coimisiún um Chosaint Sonraí)
21 Fitzwilliam Square South
as well as the data protection authority for the fulfilment of tasks and exercise of competences in the territory of the United Kingdom (Art. 55, 60 GDPR)
Information Commissioner's Office (ICO)
In general, you can address written complaints to both supervisory authorities.
Exchanging data with your previous insurer
In order to be able to check and, if necessary, amend your details when the insurance contract is established or when the insured event occurs, personal data may be exchanged to the necessary extent with the previous insurer named by you in the application form.
Data transfer to a third country
Where we transfer personal data to AXA companies and service providers outside the European Economic Area (EEA), the transfer will only take place if the EU Commission has decided that the level of data protection in the respective third country is adequate, or if other appropriate data protection safeguards (e.g. binding internal company data protection regulations, EU standard contract clauses or EU-US Privacy Shield) are in place. You can request detailed information about this and about the level of data protection at our service providers using the contact information given above.