Hong Kong Privacy Statement
XL Insurance Company SE, Hong Kong Branch and Catlin Hong Kong Limited (“we”, “us” or the "Insurer") are part of AXA XL, a division of AXA. We recognize the importance of protecting the privacy and the rights of individuals in relation to their personal data and are committed to compliance with the Personal Data (Privacy) Ordinance (Cap. 486), its subsidiary legislation and the guidelines issued by the Privacy Commissioner for Personal Data. This Privacy Statement describes how we collect, use, store, transfer and/or disclose your personal data when we provide our services as an insurance and reinsurance business. It also describes your choices regarding use, access and correction of your personal data. Personal data is data, or a combination of pieces of data that could reasonably allow you to be identified.
Data Controllers responsible for the Processing of your Personal Data
XL Insurance Company SE, Hong Kong Branch Unit 3601-02 36/F Central Plaza, 18 Harbour Road, Wanchai, Hong Kong
Catlin Hong Kong Limited 20F, AXA SOUTHSIDE, Wong Chuk, Hong Kong
Personal data we use
As an insurance and reinsurance business, we need to obtain data about the individuals covered in an insurance policy, or individuals that are beneficiaries of, or have made claims under, an insurance policy, or individuals who are involved in an incident giving rise to an insurance claim. This is so that we can properly assess the risks associated with providing insurance or reinsuring a particular block of insurance policies and administer and manage our products and services. This privacy notice applies to any individual whose personal data, we process in the course of providing the services (each a data subject or you).
We may be required by law to collect certain personal data about you, or as a consequence of any contractual relationship we have with you. Failure to provide this data may prevent or delay the fulfilment of these obligations.
Data we collect about you
The type of data we may collect and process about you will depend upon the type of insurance we are offering or underwriting. It may include any of the below (where permitted by law):
- Personal details: Your name, age, gender, date of birth, photographs, marital status, nationality, height and weight, leisure activities and interests.
- Identification data and criminal data: Your government-issued ID card, driving licence, driving record and criminal record (but only where it is lawful to collect this data).
- Contact Information: Your address, telephone numbers and email address.
- Information about your family and home: Your family health or morbidity history, number of children and name, age and gender of children, your dwelling type, your household income, home valuation and household demographics.
- Employment and experience data: Your employment history, job role, salary, employment benefit options, educational background and any professional licences and qualifications.
- Financial data: Details pertaining to your bank account, annual income, investment/savings, tax payer ID, credit history and transaction history.
- Data to conduct our business: Data relating to underwriting insurance products and managing and processing insurance claims, such as previous insurance records and claims histories, services relating to our businesses and your business dealings or relationship with us. From the data we collect about you, we may also derive or generate further data such as risk ratings.
Sources of the information we collect
We collect personal data from you directly when you voluntarily provide it to us, for instance if you submit application forms to be considered for insurance products or contact us. We also collect your personal data from a variety of sources:
- From other insurance companies that we work with
- From other reinsurers and retrocessionaries
- From third party claims handlers who are involved in a claim or assist us in investigating or processing claims, including witnesses and external claims data collectors and verifiers
- From our business partners with whom we work to provide insurance products
- From public sources, such as public databases (where permitted by law)
- From Lloyd’s Coverholders, insurance brokers or any other intermediaries
- From third party evidence providers
- From healthcare service providers
- From financial institutions
- From pension processing platforms
- From individuals that you may be associated with (e.g. joint account holders, company employees or directors, family members, etc.)
Occasionally we may collect your personal data from a third party, in particular from authorised, regulatory, public sources such as government regulators, industry self-governing bodies and other publicly available records. This will be most common when we are complying with our legal obligations regarding money laundering and other financial crimes.
How we use your personal data and the basis on which we use it
We use your personal data to:
- to provide our services and fulfil our contractual obligations to you and other third parties
- to review, process and manage claims
- to conduct data analysis, which helps us assess risks, price our products appropriately and improve our services
- to help us prevent and detect fraud, money laundering, terrorism and other crimes
- to help develop new, and improve existing, services
- to operate and expand our business activities
- to carry out background checks, where lawful
- to perform administrative activities in connection with our services
- to exercise, defend and protect our legal rights or the rights of third parties
- to comply with legal obligations and to cooperate with regulatory bodies to which we are subject
- for research and development of new insurance products
- to audit our business
- for marketing purposes
We may obtain your consent to collect and use certain types of personal data when we are required to do so by law (for example, in relation to our direct marketing activities). If we ask for your consent to process your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this Privacy Statement.
Your rights over your personal data
You have certain rights regarding your personal data. These include the following rights to:
- access your personal data;
- correct the data we hold about you;
- withdraw your consent to our use of your personal data.
If you would like to discuss or exercise such rights, please contact us at the details below. We encourage you to contact us to update or correct your information if it changes or if the personal information we hold about you is inaccurate. We will contact you if we need additional information from you in order to honour your requests.
We may share your personal data with third parties under the following circumstances:
- AXA group companies. We operate as a global business, so we may share your personal data with group companies who may use this information for the purposes described in this Privacy Statement.
- Insurance companies, Lloyd’s Coverholders, intermediaries, financial institutions, retrocessionaires and business partners. We may share your personal data with insurance companies, intermediaries, financial institutions, retrocessionaires and business partners that use your personal data in connection with the provision of insurance and processing of claims. For example, we may share your personal data with other reinsurance businesses for the purposes of settling claims.
- Service providers. We may share your personal data with service providers that perform services and other business operations for us, for example, IT and analytics providers, actuarial service entities, auditors and advisers.
- Any law enforcement agency, court, regulator, government authority or professional body. We may share your personal data with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party.
- Asset purchasers. We may share your personal data with any third party that purchases, or to which we transfer, all or substantially all of our assets and business. Should such a sale or transfer occur, we will use reasonable efforts to try to ensure that the entity to which we transfer your personal data uses it in a manner that is consistent with this Privacy Statement.
- Customer companies. We may share our personal data with your company or employer in certain circumstances, for example, if your company has a corporate insurance product with us and you make a claim under that product.
Because we operate as part of a global business, the recipients referred to above may be located outside of Singapore. See the section on "International Data Transfer" below for more information.
International Data Transfer
Your personal information may be transferred to, stored, and processed in a country that is not regarded as ensuring an adequate level of protection for personal data. We have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your data is adequately protected. For more information on the appropriate safeguards in place, please contact us at the details below.
Where we transfer personal data from EU countries to AXA companies and service providers outside the European Economic Area (EEA), We provide safeguards to ensure the security and the confidentiality of your personal data, by framing the transfer through either (i) the Standard Contractual Clauses adopted by the European Commission or (ii) through Binding Corporate Rules when your personal data is transferred to other entities of the AXA Group
Our Cookies Policy
When you visit our website, we may collect usage information to help us understand how our website is navigated and used.
We use session cookies, persistent cookies and Google Analytics.
Session cookies: Session cookies allow our website to link the various actions of a user during a browser session, including which pages the user visited before visiting this one. Session cookies expire when the browser session ends.
Persistent cookies: Persistent cookies are stored on a user's device in between browser sessions, storing information about the preferences or actions of the user across a site (or possibly across different AXA Group websites).
If you have questions about your rights or concerns regarding the way in which your personal data has been used, please contact our Data Protection Officer at dataprotectionHK@axaxl.com.
We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to make a complaint to the data protection authority.