At Chubb ("we", "us"), we routinely collect and use personal data about individuals, including insured persons, claimants or business partners ("you"). We are aware of our responsibilities to handle your personal data with care, to keep it secure and comply with applicable privacy and data protection laws, in particular the General Data Protection Regulation (GDPR).
The purpose of this Policy is to provide a clear explanation of when, why and how we collect and use information which may relate to you ("personal data").
We have designed this Policy to be as user friendly as possible. Click on a topic in the list below to find out more, or explore individual topics in more detail by following the various links. We have labelled sections of the Policy to make it easy for you to navigate to the information that may be most relevant to you.
Do read this Policy with care. It provides important information about how we use personal data and explains your statutory rights. This Policy is not intended to override the terms of any insurance policy or contract you have with us, nor rights you might have available under applicable data protection laws.
Chubb Insurance South Africa Limited forms part of the Chubb group of companies, including the Combined Insurance and Chubb Life Europe brands. The Chubb group company which was originally responsible for collecting information about you will be principally responsible for looking after your personal information (your Responsible Party / Data Controller). If you have an insurance policy with us, this will be the Chubb company named on that policy.
You can find out the identity of each company that is processing your personal information in the context of providing your insurance cover in the following ways:
Where you took out the insurance policy yourself: the Chubb company and/or, if purchased through a broker, the broker will have provided you with its name, address and contact details.
Where your employer or a third party took out the policy for your benefit: you should contact your employer, who should provide you with details of the Chubb company.
Where your personal information has been passed to another Responsible Party (e.g. a reinsurer): the first Responsible Party / Data Controller will inform you of the other Responsible Parties / Data Controllers with whom they have shared your personal information who you can contact about their use of your personal information, as we do in Section 6 of this policy.
A description of the entities that make up the Chubb group is available at www.chubb.com/za.
You should be aware that although one Chubb company may be principally responsible for looking after your personal information, information may be held in databases which can be accessed by other Chubb companies. When accessing your personal information, Chubb companies will comply with the standards set out in this Policy and applicable data protection laws.
Prospective Insureds and Insured Persons. In order to underwrite and administer insurance policies, we collect information about the prospective insured, policyholder and related parties. This may include background and contact information on the prospective insured, policyholder or their representative, and matters relevant to the assessment of risk and management of insurance policies. The prospective insured or policyholder may be an individual, company or their representative. The level and type of personal information we collect and use varies depending on the type of policy that is applied for or held and may include information on other individuals who need to be considered as part of the policy, including children. In some instances, it is necessary for us to collect and use Sensitive Personal Data / Special Personal Information, such as information about health or past criminal convictions. It may also sometimes be necessary for us to process personal information of children. We are required to establish a legal exemption to use your Sensitive Personal Data / Special Personal Information - see Section 5 for further details.
If you are an Insured Person, from time to time you may need to provide us with the personal information of third parties, for example an injured third party in relation to a claim under a liability policy. Wherever possible, you should take steps to inform the third party that you need to disclose their details to us, identifying Chubb as your insurer. We will process their personal information in accordance with this Policy.
Claimants. If you are making a claim under a policy, we will collect your basic contact details, together with information about the nature of your claim and any previous claims. If you are an Insured Person we will need to check details of the policy you are insured under and your claims history. Depending on the nature of your claim, it may be necessary for us to collect and use Sensitive Personal Data / Special Personal Information, such as details of personal injury you may have suffered during an accident.
Business Partners and Visitors. If you are a business partner, we will collect your business contact details. We may also collect information about your professional expertise and experience. We may collect your contact details, if you visit our website, register for a newsletter or attend one of our events. If we collect personally identifiable information through our website, we will make it clear when we collect personal information and will explain what we intend to do with it.
For more information on what information we collect, please see Appendix 1.
Save for personal information that we are required or permitted by law to collect, all personal information provided by you is provided voluntarily. However, if you do not provide personal information requested by us, or you withdraw consent previously provided, we may not be able to effectively manage our relationship with you and provide the services to you.
Prospective Insureds and Insured Persons. If you are a prospective insured or an insured person we will use your personal information to consider an application for an insurance policy, assess and evaluate risk, and subject to applicable terms and conditions, provide you with a policy. The underwriting process may include Profiling. If we have provided you with your policy we will use your personal information to administer your policy, deal with your queries, and manage the renewal process. We will also need to use your personal information for regulatory purposes associated with our legal and regulatory obligations as a provider of insurance.
Claimants. If you are a claimant we will use your personal information to assess the merits of your claim, and potentially to pay out a settlement. We may also need to use your personal information to evaluate the risk of potential fraud, a process which may involve Profiling, which uses automated processes. If you are also an Insured Person, we will use personal information related to your claim to inform the renewal process and potentially future policy applications.
Business Partners and Visitors. If you are a business partner we will use your personal information to manage our relationship with you, including sending you marketing materials (where we have appropriate permissions) and to invite you to events. Where relevant, we will use your personal information to deliver or request the delivery of services, and to manage and administer our contract with you or with your employer. If you are a visitor, we will typically use your personal information to register you for certain areas of our website, respond to enquiries for further information, distribute requested reference materials, or invite you to one of our events.
Employees. If you are an employee we will use your personal information to manage the employment relationship with you, to comply with our obligations in law and to pursue our legitimate interests as your employer. We also process information of employees in order to conduct background checks.
Data analytics. We routinely analyse information in our various systems and databases to help improve the way we run our business, to provide a better service and to enhance the accuracy of our risk and other actuarial models. We take steps to protect privacy by aggregating and where appropriate anonymising data fields (particularly in relation to Policy Information and Claim Details, as defined in Appendix 1) before allowing information to be available for analysis.
We will make sure that we only use your personal information for the purposes set out in Section 4 and in Appendix 1 where we are satisfied that:
Before collecting and/or using any Sensitive Personal Data / Special Personal Information we will establish a lawful exemption which will allow us to use that information. If your Sensitive Personal Data / Special Personal Information is collected on a form (including on a website) or over the telephone, further information about the exemption may be provided on that form. This exemption will typically be:
PLEASE NOTE. If you voluntarily provide your explicit consent to permit us to process your personal information (including Special Personal Information), you may withdraw your consent to such processing at any time. However, you should be aware that if you choose to do so we may be unable to continue to provide insurance services and/or other services to you (and where you withdraw consent to an insurer’s or reinsurer’s use it may not be possible for the insurance cover to continue). This may mean that your policy needs to be cancelled. If you choose to withdraw your consent we will tell you more about the possible consequences, including the effects of cancellation (which may include that you have difficulties finding cover elsewhere), as well as any fees associated with cancellation.
Please see Appendix 1 to find out more about the information we collect and use about you and why we believe it is appropriate to use that information for such activities.
We work with many third parties, to help manage our business and deliver services. These third parties may from time to time need to have access to your personal information.
For Prospective Insureds and Insured Persons these third parties may include:
For Claimants this may include:
For Employees this may include:
We may be under legal or regulatory obligations to share your personal information with courts, regulators, law enforcement or in certain cases other insurers. If we were to sell part of our businesses we would need to transfer your personal information to the purchaser of such businesses.
Insurance involves the use and disclosure of your personal information by various insurance market participants such as intermediaries, insurers and reinsurers.
Please see below for relevant definitions:
Assistance Providers: these are a special category of service provider, which we use to help provide you with emergency or other assistance in connection with certain policies (e.g. certain travel policies).
Brokers/Intermediaries: insurance brokers arrange and negotiate insurance coverage for individuals or companies and deal directly with insurers, such as Chubb, on behalf of the individuals or companies seeking coverage.
Claims Experts: these are experts in a particular field which is relevant to a claim, for example medicine, forensic accountancy, mediation or rehabilitation, who are engaged by Chubb to help us properly assess the merit and value of a claim, provide advice on its settlement, and advise on the proper treatment of claimants.
FSCA: the FSCA is the Financial Sector Conduct Authority, which is a financial regulatory body. The FSCA focuses on the regulation of conduct by financial services firms.
Information Regulator: the Information Regulator is empowered to monitor and enforce compliance by public and private bodies with the provisions of, amongst other things, the Protection of Personal Information Act, 2013.
Prospective Insured and Insured Person: we use this term to refer to prospective, active or former individual policyholders, as well as any individual who benefits from insurance coverage under one of our policies (for example, where an employee benefits from coverage taken out by their employer).
Loss Adjuster: these are independent claims specialists who investigate complex or contentious claims on our behalf.
Other Insurers / Reinsurers: some policies are insured on a joint or "syndicate" basis. This means that a group of insurers (including us) will join together to write a policy. Policies may also be reinsured, which means that the insurer will purchase its own insurance, from a reinsurer, to cover some of the risk the insurer has underwritten in your policy. Chubb purchases reinsurance, and also acts as a reinsurer to other insurance firms.
PA: the PA is the Prudential Authority, which is a financial regulatory body. The PA focuses on the prudential regulation of financial services firms. When discharging its general functions, the PA is responsible for contributing to the securing of an appropriate degree of protection for policyholders.
Profiling: means using automated processes without human intervention (such as computer programmes) to analyse your personal information in order to evaluate your behaviour or to predict things about you which are relevant in an insurance context, such as your likely risk profile.
Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who help us with the administration of setting up a new policy record. Some of these providers use 'cloud based' IT applications or systems, which means that your personal information will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal information.
Legal Advisors: we frequently use legal advisors to advise on complex or contentious claims or to provide us with non-claims related legal advice. In addition, if you are a claimant you may be represented by your own legal advisor.
Telematics data: allows a more personalised renewals quote through the use of data provided automatically to us by a device which monitors your behaviour. An example is data collected from a device fitted to a vehicle reflecting driving behaviour.
Third Party Administrators (or TPAs): these are companies outside the Chubb group which administer the underwriting of policies, the handling of claims, or both, on our behalf. We require all TPAs to ensure that your personal information is handled lawfully, and in accordance with this Policy and our instructions.
We may use your personal information to send you direct marketing communications about our insurance products or our related services. This may be in the form of email, post, SMS, telephone or targeted online advertisements.
In most cases our processing of your personal information for marketing purposes is based on our legitimate interests to provide information you might find helpful to manage your insured risks, insurance renewals and other products, services and offers that may be of interest to you, although in some cases (such as where required by law) it may be based on your consent. You have a right to prevent direct marketing of any form at any time - this can be exercised by following the opt-out links in electronic communications, or by contacting us using the details set out in Section 12.
We take steps to limit direct marketing to a reasonable and proportionate level, and to send you communications which we believe may be of interest or relevance to you, based on the information we have about you.
From time to time we may need to share your personal information with members of the Chubb group who may be based outside South Africa. We may also allow our Service Providers or Assistance Providers, who may be located outside South Africa, access to your personal information. We may also make other disclosures of your personal information overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body.
We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests:
You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 12 if you would like further information.
'Automated Decision Making' refers to a decision which is taken solely on the basis of automated processing of your personal information. This means processing using, for example, software code or an algorithm, which does not require human intervention.
As Profiling uses automated processing, it is sometimes connected with automated decision making. Not all profiling results in automated decision making, but it can do.
If you are a Prospective Insured and Insured Person, we may use automated decision making to carry out a credit check on you. In an underwriting context, profiling is routinely carried out on your Personal Risk Information (as defined in Appendix 1) to assess your individual risk (or the impact you might have on the cumulative risk of a group of Insured Persons) in order to calculate insurance premiums or to make a decision about whether to extend or renew cover. We may also apply Automated Decision Making to Telematics Data to make decisions about renewal quotes.
If you are a Claimant, we may use Profiling or other forms of automated processing to assess the probability that your claim may be fraudulent or suspect in some way.
Where Special Personal Information is relevant to the Profiling, such as medical history for life insurance or past motoring convictions for motor insurance, your Special Personal Information may also be used in the models.
You have certain rights in respect of automated decision making, where that decision has legal consequences for you or affects you to a substantial degree. See Sections 10 and 11 for more information about your rights.
We will retain your personal information for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy. In some circumstances we may retain your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.
In specific circumstances we may also retain your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.
We maintain a data retention policy which we apply to records in our care. Where your personal information is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.
You have a number of rights in relation to your personal information.
You may request access to your personal information, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your personal information, objection to the processing of your personal information, and various information in relation to any Automated Decision Making and Profiling or the basis for international transfers. You may also exercise a right to complain to the Information Regulator. More information about each of these rights can be found by clicking on the relevant link or by referring to the table set out further below.
To exercise your rights you may contact us as set out in Section 12.
Please note the following if you do wish to exercise these rights:
Right | What this means |
Access | You can ask us to: |
Rectification | You can ask us to rectify inaccurate personal information. We may seek to verify the accuracy of the data before rectifying it. |
Deletion | You can ask us to erase your personal information, but only where:
We are not required to comply with your request to erase your personal information if the processing of your personal information is necessary:
There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request. |
Restriction | You can ask us to restrict (i.e. keep but not use) your personal information, but only where:
We can continue to use your personal information following a request for restriction, where:
to protect the rights of another natural or legal person. |
Objection | You can object to any processing of your personal information which has our 'legitimate interests' as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests. |
Automated Decision Making | You can ask not to be subject to a decision which is based solely on automated processing (see Section 9), but only where that decision:
In such situations, you can also obtain human intervention in the decision making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision.
However, in these situations you can still obtain human intervention in the decision making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision. |
International Transfers | You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the Republic of South Africa. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity. |
Supervisory Authority | You have a right to lodge a complaint with your local supervisory authority about our processing of your personal information. In South Africa, the supervisory authority for data protection is the Information Regulator (inforeg@justice.gov.za / complaints.IR@justice.gov.za). We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time. |
Identity | We take the confidentiality of all records containing personal information seriously, and reserve the right to ask you for proof of your identity if you make a request in respect of such records. |
Fees | We will not ask for a fee to exercise any of your rights in relation to your personal information, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request. |
Timescales | We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can tell us what exactly you want to receive or are concerned about. This will help us to action your request more quickly. |
Third Party Rights | We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects. |
The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Information Officer.
Information Officer: Wihan du Preez
Email: dataprotectionoffice.rsa@chubb.com
Address: Ground Floor, The Bridle
38 Wierda Road West
Wierda Valley
Sandton
Tel: (011) 722 5751
Fax: 086 799 2237
Postal Address: PO Box 1192
Saxonwold
2132
The Regional Information Officer can also be contacted in the following ways:
Email address: dataprotectionoffice.europe@chubb.com
Write to:
Data Protection Officer,
Chubb, 100 Leadenhall Street,
EC3A 3BP, London
If you have a complaint or concern about how we use your personal information, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time.
The contact details of the Information Regulator in South Africa are as follows:
The Information Regulator (South Africa)
JD House
27 Stiemens Street
Braamfontein, Johannesburg, 2001
General enquiries: enquiries@inforegulator.org.za
Complaints (together with the complete POPIA/PAIA form 5): PAIAComplaints@inforegulator.org.za and POPIAComplaints@inforegulator.org.za