Reinsurance
Product Family
Claims
Risk Consulting
Resources & Tools
Resources and Tools
About AXA XL
About AXA XL
About AXA XL
Get In Touch

Data Protection Statement

This Data Protection Statement provides information about the ways in which XL Insurance Company SE, XL RE Europe SE and XL Catlin Services SE (AXA XL or we or us) collect, store and use personal data relating to individuals (data subjects).

Notice: While all the information in this Data Protection Statement is important, certain details have been placed in a box to highlight them. The box contains information that data protection legislation specifies as being information that should be brought to your attention.

 

Contents

1.     General
2.     Our Privacy Principles
3.     How do we collect your personal information?
4.     What personal data does AXA XL process?
5.     What is the legal basis for the processing of personal data by AXA XL?
6.     Who are the recipients of personal data processed by AXA XL?
7.     How long does AXA XL retain personal data?
8.     Your rights
9.     Obtaining a copy of the privacy policy
10.    Cookie Policy

Date:                        August 2020

Version:                  v2020.3

  1. General

    AXA XL is committed to ensuring your privacy and personal information is protected. The document that referred you to this statement (for example, your insurance policy) will set out details of the processing activities and the respective entity or branch that is processing your personal information.

    It is important that you read this Data Protection Statement and, if you are a customer, show it to anyone else who is insured under your policy of insurance. Please also make sure that anyone else who is insured under your policy has given you consent to act on their behalf in providing their personal information to us.

    By providing your personal information or the personal information of someone included in your policy, you acknowledge that we may use it only in the ways set out in this Data Protection Statement. We may provide you with further notices highlighting certain uses we wish to make of your personal information.

    From time to time we may need to make changes to this Data Protection Statement, for example as a result of government regulation, new technologies, or other developments in data protection laws or privacy generally. We encourage you to review periodically the AXA XL website mentioned below to see the most up to date Data Protection Statement.

    Controller Information / DPO contact details

    In accordance with Art. 37 GDPR, AXA XL has appointed Iris Lanher as the Data Protection Officer (DPO). If you wish to contact the DPO of the Data Controller for the personal data subject to the data processing, you can do so by mail adding “Data Protection Officer” or “DPO” to the address below, or via e-mail at: legalcompliance@axaxl.com

    Contact Details

    XL Insurance Company SE
    XL Re Europe SE
    XL Catlin Services SE

    ADDRESS
    8 St Stephen's Green
    Dublin 2
    D02 VK30
    Eire

    Tel.: +353 1 607 5300
    Fax: +353 1 607 5333
    Web: https://axaxl.com

    Legislation

    AXA XL processes personal data in the context of its role as an insurance company under the legislative frameworks of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR), the Irish Data Protection Act 2018, the Irish Insurance Acts 1909–2009 and the regulations made under those Acts, as well as all other relevant legal provisions.

  2. Our Privacy Principles

    When we collect and process your personal information, we ensure to look after it properly and process it in accordance with our privacy principles set out below, keep it safe and to never sell it.

a) Personal information you provide is processed fairly, lawfully and in a transparent manner.
b) Personal information you provide is collected for a specific purpose and is not processed in a way which is incompatible with the purpose for which AXA XL collected it.
c) Your personal information is adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
d) Your personal information is kept accurate and, where necessary, kept up to date.
e) Your personal information is kept no longer than is necessary for the purpose for which the personal information is collected and processed.
f) We will take appropriate steps to keep your personal information secure.
g) Your personal information is processed in accordance with your rights.
h) We will only transfer your personal information to another country or an international organisation outside the European Economic Area (EEA) where we have taken the required steps to ensure that your personal information is protected. Such steps may include placing the party we are transferring information to under contractual obligations to protect it to adequate standards.
i) AXA XL does neither sell your personal information nor permit the selling of customer data by companies who provide services to AXA XL.

3.  How do we collect personal information?

The personal information we require about you (and, if applicable, other people insured under your insurance policy) will be gathered and stored as set out in this Data Protection Statement. Whilst there are several ways we collect your personal information; the two main ways are information you provide us with (which could include what you have written on an application form) or information we obtained by asking other organisations to share with us.

If you are a broker or business partner we may also collect your personal information from our day to day business activities with you, business referrals and your attendance at events. The categories of personal data being collected and processed are listed in Section 4 ‘What personal information do we collect?’ below.

In order to gather the personal information, we require about you, we may:
a) obtain personal information directly from you or anybody else insured under your insurance policy, your broker (or other representative), our agents, other insurance companies, and third parties who provide premium financing;
b) obtain personal information from third parties involved in an incident in which you and/or anybody insured under your policy of insurance are involved, including (without limitation) other drivers, passengers of your or any other vehicle, pedestrians, witnesses, neighbours, other insurance companies, solicitors representing any third party (whether in civil or, where applicable, criminal proceedings), any other expert appointed by a third party, or any other relevant person involved in the claims process;
c) carry out searches, whether online (via websites with publicly available information and various industry websites), through various media outlets (including, without limitation, newspapers, television and radio) or otherwise (including, without limitation, government or industry registers);
d) carry out credit, anti-money laundering and sanction list searches, usually through a third party;
e) obtain personal data from medical professionals and hospitals, the emergency services, such as the police, and any other relevant investigatory body or authority (in limited, mainly claims related, circumstances);
f) if you are a broker or business partner, obtain personal information from our day to day business activities with you, business referrals and your attendance at events; and
g) collect personal information via cookies. You can find out more about this in Section 10 ‘Cookie Policy’.

It is important that the information you give us is correct. You have a legal obligation to take reasonable care not to provide us with inaccurate, incorrect or incomplete information. If this happens we have certain legal rights which may include avoidance of the contract of insurance and refusal of all claims if you are a customer. As a result, you may also find it difficult to arrange this type of insurance in the future.

4.  What personal data does AXA XL process?

  1. (1) Personal Data

    As set out above, AXA XL processes personal data. This includes personal data received by AXA XL in the course of its activities as an insurance company. These include:

    • basic personal information, such as a data subject’s name and surname, date and place of birth, and, if needed, further identification information such as utility bills, national insurance number, passport and drivers’ licence, employment details,
    • contact information, such as a data subject’s postal and, if needed, professional address, email address, and phone number
    • other personal information that AXA XL requires in connection with the conclusion of an insurance contract or for the processing of a claim, in particular: employment details, financial information (i.e.: bank and credit card details), information about assets relevant to an insurance policy or claim (vehicle, real estates, art and valuables, etc.).
    1. (2) Sensitive Data

      When exercising our rights and obligations under the insurance contract, it may be necessary to process sensitive data categories within the meaning of Art. 9 (1) GDPR. Such sensitive data may include personal data relating to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; health data; and data concerning a natural person's sex life or sexual orientation. Whether such sensitive data is processed results from the respective insurance contract or circumstances (e.g. claims settlement). If necessary, consent as referred to in Art. 9 (2) (a), Art. 7 GDPR will be obtained prior to the processing. The sensitive data categories subject to the processing may also serve for the compilation of statistics within the meaning of Art. 9 (2) (j) GDPR and Sections 42, 54 Data Protection Act 2018.

    2. (3) Data relating to criminal convictions and offenses

      AXA XL occasionally also processes personal data relating to criminal convictions and offences. This also applies, in particular, to criminal data processed in connection with a claim, when the incident leading to the claim has been caused by an unlawful behaviour of a third party that may possibly be held liable. Further processing activities regarding criminal data may arise from the legal obligations of the Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 and 2013 and (Amendment) Act 2018.

5.  What is the legal basis for the processing of personal data by AXA XL?

If you are a customer we mainly use your personal information so that we can provide a quote, set up, administer and manage your policy, including carrying out a risk survey, and to assess and pay claims as part of an insurance contract. However, there are several other reasons why we use your personal information; please see below for a more detailed list of how we use your personal information.

If you are a broker or business partner we mainly use your personal information for day to day business activities with you and to provide you with information relevant to our services in accordance with our marketing strategy, including a periodic newsletter, and invitations to events.

We may process your personal information for a number of different purposes. Data protection laws prescribe us to need a reason to use and process personal data. We have set out below the main reasons why we process your personal information and the applicable circumstances when we will do so. When the personal information we process about you is classed as sensitive personal information (known as ‘Special Categories’) (such as details about your health or criminal offences) we must have an additional legal ground for such processing, or where appropriate, we apply a specific exemption for insurance purposes.

  • a)  Processing is necessary in order for us to provide a quote on your insurance policy and services, such as assessing your application and setting you up as a policyholder, administering and managing your insurance policy, providing all related services including a risk survey, investigating or handling claims made by or against you or anybody insured under your policy of insurance, paying claims and communicating with you. In these circumstances, if you do not provide such information, we will be unable to offer you a policy or process your claim.

    Legal grounds:

    • the processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract (including a quote that is not taken up);
    • the processing is necessary for compliance with a legal obligation to which we are subject; and
    • the processing is necessary for the purpose of the legitimate interests pursued by us or by a third party. Our legitimate interest is to use your personal information to administer your insurance policy, handle claims and make certain types of payment that are not required by law or contract.
  • b)  b) To verify your (or your authorised representative’s) identity in any interaction between us and you (or your authorised representative), whether in person, on the telephone, online, or where necessary in any other circumstances

    Legal ground:

    • the processing is necessary for compliance with a legal obligation to which we are subject.
  • c)  To assess your insurance needs and to assess the nature and level of the risk associated with your proposed insurance policy to determine your eligibility and (if you are eligible) your premium.

    Legal ground:

    • the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract (including a quote that is not taken up).
  • d)  Where we have a legal or regulatory obligation to use such personal information, for example with our regulators, the Central Bank of Ireland (CBI) and our data protection regulator, the Data Protection Commission (DPC).

    Legal grounds:

    • the processing is necessary for compliance with a legal obligation to which we are subject.
  • e)  Where we need to use your personal information to establish, exercise or defend our legal rights, for example when we are faced with any legal claims or where we want to pursue any legal claims ourselves.

    Legal grounds:

    • the processing is necessary for compliance with a legal obligation to which we are subject;
    • the processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract; and
    • processing is necessary to protect your vital interests.
  • f)  For the detection and prevention of fraud, money laundering and other offences and to assist the police or any other authorised investigatory body or authority with any inquiries or investigations. Where permitted by law we also work with and share data with various bodies including other insurers, anti-fraud bodies and law enforcement agencies to help prevent fraudulent behaviour. In some cases, we are required by law to report details of certain criminal activities and suspected criminal activities to the appropriate authorities.

    Legal grounds:

    • the processing is necessary for the purpose of the legitimate interests pursued by us or by a third party. Our legitimate interest is to investigate and prevent potential fraudulent and other illegal activity;
    • the processing is necessary for compliance with a legal obligation to which we are subject; and
    • the processing is necessary for the performance of a task carried out in the public interest.
  • g)  To manage and investigate any complaints.

    Legal grounds:

    • the processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract;
    • the processing is necessary for compliance with a legal obligation to which we are subject; and
    • the processing is necessary for the purpose of the legitimate interests pursued by us or by a third party. Our legitimate interest is to provide good customer service and to resolve complaints you may have at the earliest opportunity.
  • h)  For reinsurance purposes.

    Legal grounds:

    • the processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract.
  • i)  AXA Group reporting purposes (where necessary).

    Legal grounds:

    • the processing is necessary for the purpose of legitimate interests pursued by us or by a third party. AXA’s legitimate interests are the proper running of its business.
  • j)  For statistical analysis, to review and improve performance of our products, services, processes, systems and website or to investigate the possibility of new processes, products or services and buy and sell any business or assets. Where possible we will anonymise the information we analyse.

    Legal grounds:

    • the processing is necessary for the purpose of legitimate interests pursued by us or a third party. Our legitimate interest is to engage in activities to improve and adapt the range of products and services we offer and to help our business grow, to monitor business performance and to monitor that systems and process are effective and efficient.
  • k)  For our own management information purposes including: managing our business operations such as monitoring business performance, maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g. tax or legal advice). We also undertake measures to secure our systems and to ensure the effective operation of our systems.

    Legal grounds:

    • the processing is necessary for the purpose of legitimate interests pursued by us or a third party. Our legitimate interest is to understand our business, monitor performance, maintain appropriate records and to protect the security of our systems.
  • l)  For staff training, performance and discipline.

    Legal grounds:

    • the processing is necessary for compliance with a legal obligation to which we are subject; and
    • the processing is necessary for the purpose of legitimate interests pursued by us or by a third party. Our legitimate interest is the proper running of the business and to provide good quality customer service.
  • m)  In order to store personal information and make back-ups of that information in case of emergencies and for disaster recovery purposes.

    Legal grounds:

    • the processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract; and
    • the processing is necessary for compliance with a legal obligation to which we are subject.
  • n)  For compliance with all relevant laws and regulations; and/or

    Legal grounds:

    • the processing is necessary for compliance with a legal obligation to which we are subject.
  • o)  For day to day business activities with you and to provide you with information relevant to our products and services in accordance with our marketing strategy, including a periodic newsletter and invitations to events.

    Legal grounds:

    • The processing is necessary for the purpose of legitimate interests pursued by us or by a third party. Our legitimate interest is to educate you on our products and services, to develop our business relationship with you and to grow our network and business.
  • p)  As otherwise set out in any other data protection notice, policy booklet, website, terms and conditions or other documentation provided to you by us or your broker.

 

6.  Who are the recipients of personal data processed by AXA XL?

There are various circumstances where we may share your personal information with other parties. Generally, this includes your representatives, our representatives and, if a claim is made, various claims related parties.

While the exact list of third parties changes from time to time, we feel that it is important that you have an idea of the types of third party that we share information with. The category headings and types of third party set out below are a non-exhaustive list and are only indicative of the companies and individuals with whom we share information where we need to do so.

  1. Your representatives:

    Other people or companies associated with you (for example your broker, including the software providers that facilitate the transfer of data to and from them), any party you have given us permission to speak to (such as relative, friend or employee), in certain circumstances other people insured under your policy of insurance.

  2. Our representatives:

    Our employees, agents, insurance companies and managing agents that provide cover under your insurance policy, premium credit providers, contractors including companies that provide services in relation to telecommunications and postage, data storage, document management and deletion, IT and IT security, fraud detection, making and receiving payments, data analysis and management information and risk analysis.

  3. In a claim situation:

    a) loss adjusters, our service providers and expert witnesses including but not limited to those relating to the assessment of liability, the assessment, repair, and replacement of property (including buildings, land and personal effects); solicitors and barristers;

    b) the agents, service providers and claims experts of people making claims against the policies or our customers including but not limited to those relating to the assessment of liability, the assessment, repair, and replacement of property (including buildings, land and personal effects); solicitors and barristers;

    c) witnesses to any incident(s) (whether resulting in a claim or not).

  4. Other third parties:

    Reinsurers, other insurance companies, external advisors (such as solicitors and accountants) and auditors, other AXA Group companies, third parties with whom we may choose to improve our processes, products or services, to deliver services or to investigate the possibility of new processes, products or services.

  5. State or government departments, bodies or agencies.

Disclosure of personal information to a third party outside AXA Group will only be made where the third party has agreed to keep your information strictly confidential and shall only be used for the specific purpose for which we provide it to them.

We may also disclose your personal information to other third parties where:

  1. We are required or permitted to do so by law or by regulatory bodies such as where there is a court order, statutory or regulatory obligation or Information Commissioner’s Office request; or
  2. We believe that such disclosure is necessary in order to assist in the prevention or detection of any criminal action (including fraud) or is otherwise in the overriding public interest.

Some of the recipients set out above may be in countries outside the EEA. In the event of a transfer of personal data outside the EEA we will take the required steps to ensure that your personal information is protected.

Where we transfer personal data to AXA companies and service providers outside the European Economic Area (EEA), We provide safeguards to ensure the security and the confidentiality of your personal data, by framing the transfer through either (i) the Standard Contractual Clauses adopted by the European Commission or (ii) through Binding Corporate Rules when your personal data is transferred to other entities of the AXA Group.

7.  How long does AXA XL retain personal data?
The retention periods for personal data held by AXA XL are based on the requirements of the data protection legislation set out above and on the purpose for which the personal data is collected and processed. The retention periods applied by AXA XL to personal data which it processes are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action.

8.  Your Rights
You have the following rights in relation to our use of your personal information. However, certain restrictions may apply in some cases.

  1. (1)     Right to access your personal information

    You have the right to be given details about the personal information concerning you that we hold and why and how we use it. You also have the right to obtain a copy of the personal data we hold about you.

  2. (2)     Right to rectification

    We take reasonable steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, please contact us and ask us to update or amend it.

  3. (3)     Right to erasure

    You have the right to demand the erasure of your personal data, for example where the personal information we collected is no longer necessary for the original purpose or, where you withdraw your consent (where the legal grounds for processing was consent). However, this will need to be balanced against other factors. For example, according to the type of personal information we hold about you and why we have collected it, there may be some legal and regulatory obligations which mean we cannot comply with your request.

    Where you request the erasure of personal information, we will need to keep a record of your request so we know that the deletion has happened and why. However, we will keep the record in such a way as to remove as much of the information you have asked us to delete as possible, while accurately reflecting the activity.

    In certain circumstances we may need to retain some information to ensure all of your preferences are properly respected. For example, we cannot erase all information about you where you have also asked us not to send you marketing material. Otherwise, we would delete your preference not to receive marketing material.

  4. (4)     Right to restriction of processing

    In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to process your personal information.

  5. (5)     Right to data portability

    In certain circumstances, you have the right to ask that we transfer any personal information that you have provided to us to another third party of your choice. Once transferred, the other party will be responsible for looking after your personal information.

    (6)     Right to object

    Where we stated in this document that we process your personal information on the basis of a legitimate interest, you are entitled to object to the processing in question on grounds relating to your particular situation (see the legal grounds for processing set out in Section 5 ‘How do we use your personal information?’). We will then stop processing the personal information in question unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or unless we need to use it in relation to legal claims.

    Therefore, if you want to exercise this right, please contact the Data Protection Officer (details in Section 1 ‘General’ above) setting out the reasons why you want us to stop processing your data based on your particular situation. We will then evaluate whether your rights outweigh the necessity of our purpose(s).

    However, please note that if you object to us processing your data, we may not be able to provide certain services or benefits you would otherwise be entitled to under your insurance policy.

     

    (7)     Right to object to direct marketing

    You can ask us to stop sending you marketing messages at any time. However, it is not our practice to provide direct marketing to insurance policyholders.

     

  6. (8)     Right not to be subject to automated individual decision making, including profiling

    You have the right not to be subjected to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you.

    However, in certain circumstances we are entitled to use automated decision-making and profiling. These circumstances are restricted to situations where the decision is necessary for entering into, or performance of, a contract between you and us (i.e. your insurance policy or quote), where it is authorised by law or where you have provided explicit consent.

    Should we use automated decision-making you will always be entitled to have a person review the decision, to express your point of view and contest the decision. However, it is not our practice to use automated individual decision-making, including profiling.

  7. (9)     Right to withdraw consent

    For certain uses of your personal information, we may ask for your consent. Where we do this, you have the right to withdraw your consent to further use of your personal information. Withdrawal of consent would not invalidate any processing we carried out prior to your withdrawal of consent. Please note that in some cases we may not be able to process your insurance if you withdraw your consent.

    We do not general rely on consent for processing personal information in relation to insurance contracts; we generally rely on other legal grounds, such as the basis that processing is necessary for the performance of a contract to which you are party.

  8. (10)     Right to Complain

    If you have any concerns in relation to the way AXA XL processes your personal data, you can either contact our Data Protection Officer (DPO) by writing or e-mail under the aforementioned contact data, or address your issue directly to the following competent supervisory authority:

    Data Protection Commission

    (An Coimisiún um Chosaint Sonraí)

    21 Fitzwilliam Square South
    Dublin 2
    D02 RD28
    Eire

9.  Obtaining a copy of the Privacy Policy
A copy of this Data Protection Statement in PDF format can be obtained by contacting us via the DPO Contact Details above.

10.  Cookie Policy
For information on the cookies we use and how to manage them, please see our Cookie Policy https://axaxl.com