What is this notice?
This is the “AXIS EU/UK/SWITZERLAND Privacy Notice”. The notice applies to all individuals purchasing a policy with AXIS Capital Group (“AXIS”) or benefitting from an insurance policy purchased by an employer or third party on their behalf and to all AXIS business partners.
At AXIS, we routinely collect and use personal information about individuals, including insured persons, claimants or business partners. We take our responsibilities to handle your personal data with care very seriously and protecting the privacy of your personal data is of great importance to us. In this Privacy Notice, we want you to understand when, why and how we collect and use personal information about you, your rights regarding this information, the conditions under which we may disclose it to others and how we keep it secure.
We may amend this notice at any time, but we shall ensure that the most recent version of the document will always be available on our website.
Important: This Privacy Notice does not supersede the terms of any insurance policy or contract you have with AXIS, nor does it limit or affect any rights you have under applicable data protection regulations.
Who collects your personal data?
AXIS is a group of companies that operate in various jurisdictions around the world. The AXIS entity that originally collected data from you will be principally responsible for managing your personal data (“Data Controller”) and will be responsible for deciding how your personal data will be held and used.
To find out the identity of the AXIS company or companies that collect personal data about you as part of providing insurance coverage, check:
- If you purchased the policy yourself, the AXIS company you contracted with or your broker (if purchased through a broker) will provide you with the details of the AXIS company.
- If your employer or other third party purchased the insurance for your benefit, your employer or the third party will provide you with the details of the AXIS company.
- If you are an AXIS business partner, your contact at AXIS will provide you with the details of the AXIS company.
- If your personal data is transferred to another entity (for example, a reinsurer or third-party claims administrator), your AXIS insurer will provide you with the details of the other entity.
AXIS companies that receive your personal data each constitute a separate Data Controller, each of which is responsible for deciding how it holds and uses your personal data.
AXIS is subject to different European data protection laws in the various jurisdictions in which it operates.
- The EU GDPR applies to data collected by an AXIS entity located within the EU and/or data held by an AXIS entity located outside the EU, where that entity has collected data from or about you while you were located within the EU.
- The UK GDPR applies to data collected by an AXIS entity located within the UK and/or data held by an AXIS entity located outside the UK, where that entity has collected data from or about you while you were located within the UK.
- The Swiss Federal Act on Data Protection (FADP) applies to data collected by an AXIS entity located within Switzerland and/or data held by an AXIS entity located outside Switzerland, where that entity has collected data from or about you while you were located within Switzerland.
What type of personal data do we collect about you?
We shall process your personal data in order to provide you with the insurance coverage related to the policy you purchased or are benefitting from. The types of personal data we collect about you depend on your relationship with AXIS.
- If you are an Insured Person or Potential Insured, we collect your personal data in order to determine eligibility for, underwrite, and administer insurance policies. In some instances, we may need to collect “special category personal data”, such as data about your medical and criminal history.
- If you are a claimant making a claim under an AXIS policy, we may need to collect your contact information, as well as data about your claim and previous claims. We may also need to collect special category personal data, depending on the nature of your claim.
- If you are a business partner, we will collect your business contact details.
We process personal data you provide to us, which may include the following categories of information:
- Anti-fraud information
- Banking Information
- Claims/Policy Numbers
- Credit History and Credit Score
- Date and Place of Birth
- Gender
- Family Information
- Government identification numbers - National Insurance, Social Security, Passport, Tax, Driver’s License
- Marital Status
- Name, Address, Phone Number, Email
- Risk information
and the following categories of special category personal data:
- Criminal History
- Health Data / Medical History
- Racial or ethnic origin
Where we process special category personal data about you, we shall apply safeguards in accordance with the applicable data protection legislation.
How do we collect data about you?
If you are an insured or potential insured, we collect data from you or your representative through the policy application process. We may also collect data about you from your family members or employer, credit reference agencies, anti-fraud databases, sanctions lists, and relevant government agencies, including public registers or databases.
If you are a claimant, we collect data about you when you notify us of a claim, or if the claim is made by someone with a close relationship to you or who otherwise has authority to make a claim on your behalf. We may also collect personal data about you from others who are involved in the claim, including lawyers, witnesses, experts, and adjusters. Finally, we may consult other public sources to validate the claim or protect against fraud or other financial crime.
If you are a business partner, we collect data about you when you or your company provides that data to us as part of the business relationship.
If you decide not to supply personal data that we have requested and as a result we are unable to comply with our professional, legal or regulatory obligations, then we may be unable to enter into a relevant contract with you. Where we already have a contractual relationship with you, a decision by you not to provide the requested personal data may cause delay in fulfilment of our contractual obligations or may result in our being unable to continue the relationship.
Why do we collect data about you?
We collect your personal data for the following purposes.
If you are an insured or potential insured:
- Account setup, including background checks
- Complying with legal or regulatory obligations
- Customer service communications
- Direct marketing activities
- Evaluating risks to be covered
- Managing insurance or reinsurance claims
- Payments to/from individuals
- Risk modelling and underwriting
If you are a claimant:
- Complying with legal or regulatory obligations
- Defending or prosecuting legal claims
- Investigating or prosecuting fraud
- Managing insurance or reinsurance claims
If you are a business partner:
- Managing our business relationship with business partners
- Marketing purposes
Our legal basis for processing your personal data
Where we process your personal data for the purposes set out above, we generally rely on one or more of the following legal bases.
For all personal information:
- Performance of a contract – we must use your personal data to perform a contract with you – for example, to perform your insurance policy with us
- Legitimate interests – as an insurance business, we have a legitimate interest in using your personal data to provide your insurance cover, manage our business relationship with you and protect ourselves from fraud
- Legal obligation – we must use your personal data to comply with our legal or regulatory obligations – for example, in relation to carrying out background checks or reporting financial crime
It may be necessary for us to process some special category personal data in order to comply with legal or regulatory obligations (such as making reasonable adjustments for clients with disabilities), or if we need to do so in order to seek confidential legal advice or establish or defend legal claims. We shall also use your special category personal data, where appropriate, on the following specific bases:
- Insurance purpose - it is necessary for us to use your special category personal data for an insurance purpose
- Legal claims - it is necessary for us to use your special category personal data to establish, exercise or defend legal claims
- Fraud prevention - it is necessary for us to use your special category personal data to prevent fraud or a particular kind of fraud
- Preventing or detecting unlawful acts - it is necessary for us to use your special category personal data to prevent or detect an unlawful act
In some instances, we may use your personal data, including special category personal data, on the basis of your express consent. Where we rely on your consent as a legal basis for processing your personal data, we shall expressly inform you that we are doing so at the time that we request your consent. You do not have to give your consent and you may withdraw your consent at any time. However, if you do not give your consent, or you withdraw your consent, this may affect our ability to provide you with certain services. If you choose to withdraw your consent, we shall inform you of the consequences of withdrawal.
Further information on the purpose for processing your personal data and the legal bases we rely on is included in the table at the bottom of this Privacy Notice.
How long do we keep your personal data?
We shall retain your personal data in accordance with our retention policies and, in any case, for no longer than necessary to provide the services agreed in your contract with us or to comply with legal or regulatory requirements. Retention periods for personal data are reviewed periodically, and the storage periods specified in those policies may change depending on changes to law and regulation, client relationship requirements, best practice and similar matters.
Where we process personal data on the basis of consent, withdrawal of consent will result in deletion of the relevant data within a reasonable period.
It may be necessary for AXIS to suspend any planned destruction or deletion of personal data where legal or regulatory rules require that we preserve the data, or where proceedings are underway which require the data to be retained until those proceedings have finished. For example, data that relates to litigation or is reasonably foreseeable to be relevant for litigation purposes must be retained until that litigation is completed.
Where does your personal data go?
We may need to transfer your personal data to third parties or to other AXIS group companies, to help manage our business and delivery of services to you. The third parties may include:
If you are an insured or potential insured:
- Anti-fraud agencies
- Brokers
- Banks or financial services providers
- Credit reference agencies
- Courts
- Customer service providers
- Legal counsel
- Law enforcement authorities (domestic or foreign)
- Other insurers or reinsurers
- Service providers who supply back-office support
- Regulators, including the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), Central Bank of Ireland (CBI), Information Commissioner’s Office (ICO) or the Irish Data Protection Commissioner (DPC)
- Third party administrators
If you are a claimant:
- Adjusters and other claims experts
- Anti-fraud agencies
- Back-office service providers
- Courts
- Credit reference agencies
- Law enforcement authorities (domestic or foreign)
- Legal counsel
- Outside legal counsel
- Ombudsmen, including Financial Services and Pensions Ombudsman Office (FSPO) and Financial Ombudsman Service (FOS)
- Other insurers or reinsurers
- Regulators, including the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), Central Bank of Ireland (CBI), Information Commissioner’s Office (ICO), or the Irish Data Protection Commissioner (DPC)
- Service providers who supply back-office support
- Third-Party Administrators
If you are a business partner:
- Back-office service providers
Transferring your personal data outside the EU
We may transfer your personal data to other companies in our group and our suppliers in the United States, Canada, Bermuda, India, Singapore, Dubai, and the Philippines. We do this for management purposes, reporting activities on company performance for regulatory or statutory purposes, in the context of a business reorganisation or group restructuring exercise, and for system maintenance support and hosting of data.
Whenever it is necessary to transfer your personal data to other companies of the group, agents or contractors located outside of the EEA, we shall take appropriate steps to ensure that such transfer adequately protects your rights and interests.
We shall only transfer your personal data to countries recognized as providing an adequate level of legal protection, or where we are satisfied that protections are in place to properly protect your privacy rights.
Transfers between AXIS companies are covered by intra-organizational agreements that provide specific requirements designed to ensure your personal data receives adequate protection whenever it is transferred within AXIS.
Transfers to our service providers and business partners are protected by contractual agreements approved by the European Commission or by the UK Information Commissioner’s Office (ICO). Before transferring your data to our service providers, we ensure they can provide an adequate level of data protection.
Automated decision-making
We do not make any decisions about you which have a legal or similarly significant effect on you based solely on automated processing (i.e. without human intervention).
Your Rights
You have certain rights in relation to how AXIS collects and uses your personal data. To exercise any of these rights, please contact in the first instance the AXIS entity that originally collected the data from you. Your rights include:
Right to access – you may:
- Confirm whether we are collecting and using your personal data
- Obtain a copy of your personal data from AXIS
- Obtain additional information about your personal data, including:
  - What data we have
  - How we collect your data
  - How we use it
  - To whom we disclose it
  - Whether we transfer it outside the EEA, and how we protect it
  - How long we keep it
  - Your rights
  - How you can make a complaint
Right to Rectify – you may ask us to correct personal data that is inaccurate.
Right to Erasure – you may ask us to erase your personal data only where:
- It is no longer needed for the purposes for which it was collected
- You have withdrawn consent that you explicitly provided
- It was unlawfully processed
- You have an appropriate Right to Object (see below)
- AXIS must comply with a legal obligation to erase the personal data
AXIS is not required to erase your personal data if continued collection and use of it is necessary:
- To comply with a legal obligation
- To establish, exercise or defend legal claims of the company or our insureds.
Right to Restrict Use – you may ask us to restrict the use of your personal data only where:
- You contest its accuracy, in order to give us the opportunity to verify and correct it
- Its collection and use is unlawful, but you do not want it erased
- It is no longer needed for the purposes for which it was collected, but is still needed to establish, exercise, or defend legal claims
- You have exercised the right to object and that decision is pending.
We may continue to use your personal data where:
- You have consented to its use, and have not withdrawn that consent
- We must use it to establish, exercise, or defend legal claims
- We must use it to protect the rights of another person.
Right to Data Portability – you may ask that we provide your personal data to you in a structured, portable format, or that your personal data be directly transferred to another company, but only if our collection and use of that information:
- Is based on your consent, or on the performance of a contract with you
- Is carried out by automated means.
Right to Object – you may object to the collection and use of your personal data for which AXIS uses “legitimate interest” as its basis for collection, if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you object, we have the opportunity to demonstrate that our legitimate interests are compelling enough to override your rights and freedoms.
Right to Information About Automated Processing – you may ask for information regarding the logic involved, as well as the significance and the envisaged consequences of such processing.
Right to File Complaints – you may file a complaint with your local supervisory authority regarding our collection and use of your personal data.
Local supervisory authorities for AXIS companies are set out below. We also provide below details of the EU representatives (for UK-based AXIS companies), UK representative (for EU-based AXIS companies) and Swiss representative:
AXIS Company | Local Supervisory Authority | EU Representative |
---|---|---|
AXIS Managing Agency Limited | ICO | AXIS Specialty Europe SE (ASE SE) – EU Representative: Email: [email protected] or Phone: +353 1 632 5937 |
AXIS UK Services Limited (formerly Novae Management Limited) | ICO | Not applicable |
AXIS Underwriting Limited (formerly Novae Underwriting Limited) | ICO | Not applicable |
AXIS Corporate Capital UK II Limited (formerly Novae Corporate Underwriting Limited) | ICO | Not applicable |
AXIS Re SE | DPC | FDPIC online form: https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt/anzeigeformular_dritte.html |
AXIS Specialty Europe SE | DPC | Not applicable |
International Transfers – you may ask for information on the protections under which your personal data is transferred outside of the EEA. We might redact certain portions of this data for reasons of commercial sensitivity.
The following may apply to your request regarding your personal data:
- We shall respond to all valid requests within one month of receipt.
- You will generally not be charged a fee when we process your request.
We reserve the right to charge a reasonable fee if your request is manifestly unfounded or excessive or you ask us for further copies of information already provided.
How to Contact Us
Please address all inquiries, requests, and other communications regarding your personal data or this Privacy Notice to:
Contact: Data Protection Officer
Email: [email protected]
Address: 52 Lime Street, London EC3M 7AF
Phone: +44-20-7877-3800
Appendix to AXIS Privacy Notice – UK/EU
Data marked * in the table below is ‘special category personal data’
PURPOSE | PERSONAL DATA PROCESSED | LEGAL BASIS FOR PROCESSING | WE MAY DISCLOSE TO OR SHARE WITH |
---|---|---|---|
Insured or potential insured | |||
Account setup, including background checks |
|
|
|
Complying with legal or regulatory obligations |
|
|
|
Customer Service Communications |
| Performance of a contract | Customer service providers |
Direct marketing | Name, address, phone number, email |
| Service providers |
Evaluating risks to be covered |
|
|
|
Managing insurance or reinsurance claims |
|
|
|
|
|
|
|
Risk modelling and underwriting |
|
|
|
Claimants | |||
Complying with legal or regulatory obligations |
|
|
|
Defending or prosecuting legal claims |
|
|
|
Investigating or prosecuting fraud |
|
|
|
Managing insurance or reinsurance claims |
|
|
|
Business Partners | |||
Managing our business relationship with business partners |
|
|
|
Effective date: 18 March 2024 v2.1