Master privacy policy

Chubb is a group of companies, including the Combined Insurance and Chubb Life Europe brands. The Chubb group company which was originally responsible for collecting information about you will be principally responsible for looking after your personal data (your Data Controller).  If you have an insurance policy with us, this will be the Chubb company named on that policy.  

You can find out the identity of each company that is processing your personal data in the context of providing your insurance cover in the following ways:  

Where you took out the insurance policy yourself: the Chubb company or / and, if purchased through a broker, the broker will have provided you with its name, address and contact details.

Where your employer or a third party took out the policy for your benefit: you should contact your employer who should provide you with details of the Chubb Company. 

Where your personal data has been passed to another Data Controller (e.g. a reinsurer): the first Data Controller will inform you of the other Data Controllers with whom they have shared your personal data who you can contact about their use of your personal data, as we do in  Section 6 of this policy.  

A description of the entities that make up the Chubb group is available at www.chubb.com/content/dam/chubb-sites/chubb-com/uk-en/footer/privacy-policy/documents/pdf/ChubbGroupEntities.pdf

You should be aware that although one Chubb company may be principally responsible for looking after your personal data, information may be held in databases which can be accessed by other Chubb companies.  When accessing your personal data, Chubb companies will comply with the standards set out in this Policy.

Prospective Insureds and Insured Persons. In order to underwrite and administer insurance policies, we collect information about the prospective insured, policyholder and related parties. This may include background and contact information on the prospective insured, policyholder or their representative, and matters relevant to the assessment of risk and management of insurance policies. The prospective insured or policyholder may be an individual, company or their representative. 

The nature of Chubb DIFC’s business is such that the overwhelming majority of its customers are corporate customers seeking to take out policies for property and casualty (P&C) cover, which requires us to collect very limited personal data.  The personal data which we do collect will primarily be in relation to corporate directors and / or employees of those customers. 

We may however, in limited circumstances collect limited basic information with respect to Prospective Insureds and Insured Persons, where underwriting group Accident and Health insurance policies (as a reinsurer). 

The level and type of personal data we collect and use varies depending on the type of policy that is applied for or held and may include information on other individuals who need to be considered as part of the policy. In some instances, it is necessary for us to collect and use Sensitive Personal Data, such as information about past criminal convictions. For Chubb DIFC, as a rule, this would primarily be in relation to directors of our corporate customers for “Know your client” purposes. We are required to establish a legal basis to use your Sensitive Personal Data - see Section 5 for further details. 

If you are an Insured Person, from time to time you may need to provide us with the personal data of third parties, for example an injured third party in relation to a claim under a liability policy. Again, it is unlikely that Chubb DIFC would be the Chubb entity requesting this information from you, with the Chubb entity with which you hold your policy being the more likely requestor. Wherever possible, you should take steps to inform the third party that you need to disclose their details to us, identifying Chubb as your insurer.  We will process their personal data in accordance with this Policy. 

Claimants. The nature of Chubb DIFC’s business means that it would not ordinarily handle information with respect to individual claims, although it may do on occasion for the purpose of supporting the Chubb entity through which you are insured. If you are making a claim under a policy, we will collect your basic contact details, together with information about the nature of your claim and any previous claims.  If you are an Insured Person we will need to check details of the policy you are insured under and your claims history.  Depending on the nature of your claim, it may be necessary for us to collect and use Sensitive Personal Data, such as details of personal injury you may have suffered during an accident. Again, the instances where Chubb DIFC would handle your Sensitive Personal Data are limited, with the Chubb entity through which you are insured being primarily responsible for such processing in the course of evaluating your claim. 

Business Partners and Visitors. If you are a business partner, we will collect your business contact details. We may also collect information about your professional expertise and experience. We may collect your contact details, if you visit our website, register for a newsletter or attend one of our events. If we collect personally identifiable information through our website, we will make it clear when we collect personal information and will explain what we intend to do with it.

For more information on what information we collect please see Appendix 1

Prospective Insureds and Insured Persons

• Information about you may be provided to us by an insurance broker, your employer, school, or any other third person who may be applying for a policy which names or benefits you. 
• We may collect information about you from other sources where we believe this is necessary to manage effective underwriting of the risk associated with a policy and/or helping fight financial crime. These other sources may include public registers and databases managed by credit reference agencies and other reputable organisations.
   

Claimant

• We may, on occasion, be provided with your personal data by third parties (such as ceding companies or insurance brokers) in relation to a potential claim. Under such circumstances, Chubb DIFC would not be the data controller and its role would be limited to sharing your personal data with the reinsurer which would handle the claim.  
• Chubb DIFC may also receive information about you if the claim is made by another person who has a close relationship with you or is otherwise linked to the claim - for example if the policyholder is your employer, or if you are the subject of a third party claim. Again, Chubb DIFC would not typically be the most appropriate recipient of such information, although it may receive such information from third parties (such as ceding companies or insurance brokers) in relation to a potential claim. Again, Chubb DIFC would not be the data controller with respect to such personal data and its role would be limited to sharing that personal data with the reinsurer which would handle the claim. 
• We may also be provided with information by your solicitors (or those acting on behalf of your employer).
• We may collect information from other sources where we believe this is necessary to assist in validating claims and/or fighting financial crime. This may include consulting public registers, social media and other online sources, credit reference agencies and other reputable organisations. 
   

Business Partner and Visitors

• We will collect information about you if you or your company provides your contact or other information to us in the course of working with us, either directly as a business partner or as a representative of your company.
• We may also collect information about you if you attend meetings, events or conferences that we organise, contact us through our website or sign up to one of our newsletters or bulletin services.
• We may collect information from other public sources (e.g. your employer's website) where we believe this is necessary to help manage our relationships with our business partners.
   

Applicable to all

• If you telephone Chubb (for example, when notifying a claim or discussing that claim with us) or if Chubb telephones you (for example, to sell an insurance policy) we may record the telephone call.  We may also use Interactive Voice Response ("IVR") technology to automate responses to voice commands, and to analyse call recording data.  We use call recordings as an evidence of your agreement to purchase an insurance policy or submit a claim, to help train our staff and to provide an accurate record of the call in case of complaints or queries.  We may also analyse call recordings using automated technology in order to detect where there may be customer service failings (and then to resolve these), or to detect potential evidence of fraud.  

Prospective Insureds and Insured Persons. If you are a prospective insured or an insured person we will use your personal data to consider an application for an insurance policy under which you benefit, assess and evaluate risk, and subject to applicable terms and conditions, provide you  with a policy. 

Due to the fact that it primarily acts as a reinsurance broker for corporate policies, Chubb DIFC only requests information on Prospective Insured Persons and Insured Persons under very limited circumstances, primarily where underwriting group Accident and Health insurance policies (as a reinsurer).

If you are an insured under our policy we will use your personal data to administer the policy, deal with your queries, and manage the renewal process.  We will also need to use your personal data for regulatory purposes associated with our legal and regulatory obligations as a provider of insurance.
 

Claimants. If you are a claimant the Chubb entity which handles your claim will use your personal data to assess the merits of your claim, and potentially to pay out a settlement. Due to the nature of its business, Chubb DIFC would not typically be involved in this process, although it may on occasion receive such information from third parties (such as ceding companies or insurance brokers). Under such circumstances, Chubb DIFC would not be the data controller and its role would be limited to sharing your personal data with the reinsurer who would handle the claim. 

The entity which reviews your claim may also need to use your personal data to evaluate the risk of potential fraud, a process which may involve Profiling, which uses automated processes.  If you are also an Insured Person, we will use personal data related to your claim to inform the renewal process and potentially future policy applications.  
 

Business Partners and Visitors. If you are a business partner we will use your personal data to manage our relationship with you, including sending you marketing materials (where we have appropriate permissions) and to invite you to events.  Where relevant, we will use your personal data to deliver or request the delivery of services, and to manage and administer our contract with you or with your employer. If you are a visitor, we will use your personal data; typically, to register for certain areas of our website, enquire for further information, distribute requested reference materials, or invite you to one of our events.
 

Data analytics. We routinely analyse information in our various systems and databases to help improve the way we run our business, to provide a better service and to enhance the accuracy of our risk and other actuarial models.  We take steps to protect privacy by aggregating and where appropriate anonymising data fields (particularly in relation to Policy Information and Claim Details, as defined in Appendix 1) before allowing information to be available for analysis. 

We will make sure that we only use your personal data for the purposes set out in Section 4 and in Appendix 2 where we are satisfied that:
 

• you have provided your consent to us using the data in that way, or
• our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (e.g. to manage your insurance policy), or
• our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we have (e.g. to comply with DIFC requirements), or
• Our use of your personal data is necessary to support 'legitimate interests' that we have as a business (for example, to improve our products, or to carry out analytics across our datasets), provided it is conducted at all times in a way that is proportionate, and that respects your privacy rights. 
   

Before collecting and/or using any Sensitive Personal Data we will establish a lawful exemption which will allow us to use that information.  If your Sensitive Personal Data is collected on a form (including on a website) or over the telephone, further information about the exemption may be provided on that form. This exemption will typically be:
 

• your explicit consent (if this is specifically requested from you on a data collection form, in language which references your consent); 
• the establishment, exercise or defence by us or third parties of legal claims.
   

PLEASE NOTE. If you provide your explicit consent to permit us to process your Sensitive Personal Data, you may withdraw your consent to such processing at any time.  However, you should be aware that if you choose to do so we may be unable to continue to provide insurance services to you (and where you withdraw consent to an insurer’s or reinsurer’s use it may not be possible for the insurance cover to continue). This may mean that your policy needs to be cancelled.  If you choose to withdraw your consent we will tell you more about the possible consequences, including the effects of cancellation, (which may include that you have difficulties finding cover elsewhere), as well as any fees associated with cancellation.

Please see Appendix 2 to find out more about the information we collect and use about you and why we believe it is appropriate to use that information for such activities.

We work with many third parties, to help manage our business and deliver services. These third parties may from time to time need to have access to your personal data. 

For Prospective Insureds and Insured Persons these third parties may include:
 

• Brokers, Other Insurers / Re-insurers and Third Party Administrators who work with us to help manage the underwriting process and administer our policies
• Service Providers, who help manage our IT and back office systems
• theDFSA, as well as other regulators and law enforcement agencies around the world
• credit reference agencies and organisations working to prevent fraud in financial services
• Legal Advisors and other professional services firms
   

For Claimants this may include:

As noted above, Chubb DIFC would not typically be involved in the claims administration process, although it may be indirectly involved by providing support to the Chubb entity which holds the insurance contract. ~
 

• Third Party Administrators who work with us to help manage the claims process
• Loss Adjusters and Claims Experts who help us assess and manage claims
• Service Providers, who help manage our IT and back office systems
• Assistance Providers, who can help provide you with assistance in the event of a claim
• Legal Advisors, who may be legal representatives for you, us or a third party claimant
• credit reference agencies and organisations working to prevent fraud in financial services
   

We may be under legal or regulatory obligations to share your personal data with courts, regulators, law enforcement or in certain cases other insurers. If we were to sell part of our businesses we would need to transfer your personal data to the purchaser of such businesses. 

Insurance involves the use and disclosure of your personal data by various insurance market participants such as intermediaries, insurers and reinsurers. 

Please see below for relevant definitions:

Assistance Providers: these are a special category of service provider, which we use to help provide you with emergency or other assistance in connection with certain policies (e.g. certain travel policies).. 

Brokers: insurance brokers arrange and negotiate insurance coverage for individuals or companies and deal directly with insurers, such as Chubb, on behalf of the individuals or companies seeking coverage.

Claims Experts: these are experts in a particular field which is relevant to a claim, for example medicine, forensic accountancy, mediation or rehabilitation, who are engaged by Chubb to help us properly assess the merit and value of a claim, provide advice on its settlement, and advise on the proper treatment of claimants. 

Data Controller: means a natural or legal person (such as a company) which determines the means and purposes of processing of personal data.  For example, a Chubb entity which sells you an insurance policy will be your Data Controller as it determines how it will collect personal data from you, the scope of data which will be collected, and the purposes for which it will be used.

DFSA: means the Dubai Financial Services Authority, which is a financial regulatory body. The DFSA regulation of financial services firms in the DIFC. When discharging its general functions, the DFSA is responsible for contributing to the securing of an appropriate degree of protection for policyholders.

Prospective Insured and Insured Person: we use this term to refer to prospective, active or former individual policyholders, as well as any individual who benefits from insurance coverage under one of our policies (for example, where an employee benefits from coverage taken out by their employer).

Legal Advisors: we frequently use Legal Advisors to advise on complex or contentious claims or to provide us with non-claims related legal advice.  In addition, if you are a claimant you may be represented by your own Legal Advisor(s).

Loss Adjuster: these are an independent claims specialist which investigates complex or contentious claims on our behalf.  

Other Insurers / Reinsurers: some policies are insured on a joint or "syndicate" basis.  This means that a group of insurers (including us) will join together to write a policy.  Policies may also be reinsured, which means that the insurer will purchase its own insurance, from a reinsurer, to cover some of the risk the insurer has underwritten in your policy.  Chubb purchases reinsurance, and also act as a reinsurer to other insurance firms. 

Profiling: means using automated processes without human intervention (such as computer programmes) to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an insurance context, such as your likely risk profile.

Sensitive Personal Data: means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.  At Chubb, (other than in the context of our employees, which is outside the scope of this Policy) we routinely only process Sensitive Personal Data relating to health or criminal convictions. 

Service Providers: these are a range of third parties to whom we outsource certain functions of our business.  For example, we have service providers who help us with the administration of setting up a new policy record.  Some of these providers use 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction.  We require all our service providers to respect the confidentiality and security of personal data. 

Third Party Administrators (or TPA’s): these are companies outside the Chubb Group which administer the underwriting of policies, the handling of claims, or both, on our behalf. We require all TPAs to ensure that your personal data is handled lawfully, and in accordance with this Policy and our instructions.

We may use your personal data to send you direct marketing communications about our insurance products or our related services.  This may be in the form of email, post, SMS, telephone or targeted online advertisements.  

In most cases our processing of your personal data for marketing purposes is based on our legitimate interests to provide information you might find helpful to manage your insured risks, insurance renewals and other products, services and offers that may be of interest to you, although in some cases (such as where required by law) it may be based on your consent. You have a right to prevent direct marketing of any form at any time - this can be exercised by following the opt-out links in electronic communications, or by contacting us using the details set out in Section 12.

We take steps to limit direct marketing to a reasonable and proportionate level, and to send you communications which we believe may be of interest or relevance to you, based on the information we have about you. 

From time to time we may need to share your personal data with members of the Chubb group who may be based outside Europe (outside of the European Economic Area). We may also allow our Service Providers or Assistance Providers, who may be located outside Europe, access to your personal data. We may also make other disclosures of your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body.  

We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests:
 

• we will only transfer your personal data to countries which are recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights;
• transfers within the Chubb group of companies will be covered by an intra-group agreement which gives specific contractual protections designed to ensure that your personal data receives an adequate and consistent level of protection wherever it is transferred within the Chubb group;
• Transfers to Service Providers and other third parties will be protected by contractual commitments and where appropriate further assurances;
• any requests for information we receive from law enforcement or regulators will be carefully checked before personal data is disclosed.
   

You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 12 if you would like further information.  

'Automated Decision Making' refers to a decision which is taken solely on the basis of automated processing of your personal data.  This means processing using, for example, software code or an algorithm, which does not require human intervention. 

As Profiling uses automated processing, it is sometimes connected with automated decision making. Not all profiling results in Automated Decision Making, but it can do. 

You have certain rights in respect of automated decision making, where that decision has significant effects on you, including where it produces a legal effect on you.  See Sections 11 & 12 for more information about your rights. 

We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy.  In some circumstances we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulator, tax or accounting requirements.

In specific circumstances we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.

We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.