CNA Hardy is a trading name of the group of companies which include CNA Insurance Company Limited, Hardy (Underwriting Agencies) Limited and CNA Insurance Company (Europe) S.A. See https://www.cnahardy.com/site-services/LegalEntityDetails for all our legal entity and branch office names and registered contact details.
In this Claims Privacy Statement "we" and "us" means the CNA Hardy company/ies who administer or underwrite the insurance policy to which your claim relates and (where relevant) their branch offices which are physically located in your country.
How we use Personal Information
We are committed to protecting the privacy of customers, claimants and other business contacts.
This Claims Privacy Statement is relevant to all claimants. Their Personal Information is processed by us, including but not limited to on electronic instruments and devices, in connection with claims they have brought against companies and other organisations who have either directly or indirectly taken out insurance policies with us. We want you, the claimant, to know how we may collect, use, share and otherwise process your Personal Information. That is why in our claims communications with you we included a link to this Claims Privacy Statement.
This Claims Privacy Statement does not apply to any individuals other than claimants. In particular, if you are an individual at an insured person who has taken out a policy with us, or if you are a broker, intermediary or any other person, you should refer to the separate Privacy Statements we have made available to you. In particular, Individuals at insured persons should refer to the Insurance Policy Privacy Statement issued alongside their Policy located at . Users of our website who are not claimants should refer to the separate Website and General Privacy Statement located at https://www.cnahardy.com/privacy/website
What information does this Claims Privacy Statement cover
This Claims Privacy Statement relates to Personal Information that we obtain either directly from you or indirectly via relevant third parties (such as the person we have insured and the brokers or intermediaries who are relevant to the person’s insurance policy). In addition, it may be collected from the third party sources mentioned in the "Sharing and Obtaining of Personal Information section" below. In all such cases, it may be obtained by telephone, email, or any other method used from time to time by you or relevant third parties to submit your claim to us, or in any other communications between us and them.
The meaning of Personal Information
"Personal Information" has the same meaning as personal data. Personal data is defined in data privacy laws applicable in your country. It includes any information relating to an identified or identifiable natural person (or in some jurisdictions, information related to a legal entity). This means any individual or legal entity who can be identified directly or indirectly by reference to an identifier such as name, identification number, location data, online identifiers (for example, IP addresses – if they can be used to identify you) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Put simply, this includes data which either by itself or with other data held by us or available to us, can be used to identify you directly or indirectly.
Personal Information also includes special categories of personal data. This is data about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation or certain personality profiles. For example, details about your mental or physical health or condition as may be relevant to your claim. It also includes details of any criminal convictions or offences as may be relevant to your claim (see "Fraud Prevention" below).
If the CNA Hardy company processing your personal information is located in France, please note the following. The special categories of personal data which may be collected about you are limited to the following: health and condemnation & offences data.
If the CNA Hardy company processing your personal information is located in Switzerland, please note the following. Personal Information also includes sensitive personal data, personality profiles or profiling. Sensitive personal data is data about your racial or ethnic origin, political, religious, trade union-related or ideological views or activities, genetic data, biometric data, data about social security measures and data concerning your health, sex life, sexual orientation or that belongs otherwise to your intimate sphere. For example, details about your mental or physical health or condition as may be relevant to your claim. It also includes details of any criminal or administrative proceedings and sanctions as may be relevant to your claim (see "Fraud Prevention" below). Personality profiles means a collection of data that permits an assessment of essential characteristics of the personality of a natural person.
Other individuals such as dependants, next of kin or anyone helping you with your claim
If you decide to provide us (whether directly or indirectly such as via a broker or intermediary) with Personal Information about another individual in connection with your claim, such as your dependants, next of kin or anyone helping you with your claim, or provide us with documents or related files containing any such Personal Information, you should show them a copy of this Claims Privacy Statement. You must make sure you are authorised to provide their Personal Information to us (whether directly or indirectly) for the purposes described below. If for any reason you give us this Personal Information without first seeking authorisation from the other individuals to whom it relates, it is essential that you seek their permission as soon as you possibly can and if they do not give their permission you must tell us immediately. In all such cases "you" and "your" in this Claims Privacy Statement also means those other individuals.
Important notice about international transfers including to the United States
Due to the global nature of our business, your Personal Information will be transferred to third parties located in other countries, including outside the European Economic Area. "Third parties" in this context may include any of the persons mentioned in "Sharing and Obtaining of Personal Information" below. These other countries will either have different data protection laws than your country of residence or they will not have data protection laws. They may not be deemed by the European Commission as providing adequate protection for Personal Information.
In particular, we transfer Personal Information to our group companies who are located in the United States. A list of all group companies to whom data is transferred is available on request but includes ‘Continental Casualty Company’, ‘The Continental Corporation’, ‘CNA Financial Corporation’ and the ‘The Continental Insurance Company’. Details on the US companies can be found on the website www.cna.com
We do this for the purpose of administering your claim and all other forms of processing in connection with that.
The United States is not deemed by the European Commission to have adequate protections for Personal Information. It is possible that U.S. defence and security authorities, among others, may gain access to the Personal Information in line with local laws.
Steps will be taken to put in place safeguards (including around security) to protect your Personal Information when it is in these other countries. This includes use of European Model Clause contracts, including addendums in accordance with the requirements under applicable local laws.
You can find out what EU Model Clauses are online at the following
address: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.
If you have any questions please contact us (details below). Please note commercially sensitive information may be removed/blanked out from copies supplied to you.
The categories of Personal Information we may collect
Personal Information collected from you or relevant third party sources may include the following if you are the claimant:
- Your full name, home address, date of birth, other identification details such as the proof of identity and proof of address documentation you supply in connection with your claim.
- Your contact information, including email address, telephone number and home address.
- Payment card and bank account details including sort code and account number.
- Notes and call recordings.
- Sensitive information about health including details about your mental or physical health or condition as may be relevant to your claim.
- Criminal conviction or offence details including any actual or suspected fraud, money laundering or other crime which you may have committed.
- Any other Personal Information which you voluntarily provide to us from time to time.
If you are the claimant’s dependent, next of kin or any other person helping him with his claim, we will not collect sensitive information about your health but we may collect some or all of the other Personal Information listed above – if this is needed to administer his claim.
In circumstances where you are not obliged to provide the Personal Information we request from you, we will make this clear in our communications with you. However, our usual practice is not to request any of the Personal Information listed above unless this is necessary, and by this we mean is it necessary for the purposes described in this Claims Privacy Statement (see below).
The purposes for which we use and process Personal Information
Personal Information may be used and otherwise processed by us for the following purposes:
- Insurance administration, including communicating with you in respect of your claim, processing your claim, assessing, verifying, and validating your claim history and ensuring payment of your claim.
- Obtaining case assessments from external experts, in particular medical appraisals.
- Verifying your identity, including by performing identity checks (see "Fraud Prevention Checks" below).
- Assistance and advice on medical matters, such as to make payments to any persons or organisations providing medical care to you where that payment is due and is part of the insured risk under the policy you are claiming against.
- Management and audit of our business operations, including accounting.
- To the extent permitted or required under applicable law or regulation, fraud prevention and anti-money laundering checks and other activities relating to the prevention, detection and investigation of crime (see "Fraud Prevention Checks" below).
- Establishment and defence of legal rights.
- Legal and regulatory compliance, including compliance with laws in your own country and, in addition, compliance with laws outside your country of residence such as in the United States where we process your claim.
- Subject to local applicable laws, monitoring and recording of telephone calls and email communications where necessary for compliance with regulatory rules or self-regulatory practices or procedures relevant to our business, to prevent or detect crime, and security purposes, and, with your consent where that is required under local applicable laws, for quality and training purposes, market research and analysis and developing statistics. Providing your consent to the processing of your data for these purposes is voluntary and the lack of your consent will not prevent us from administering your claim. In some cases, alternatives to consent may apply to justify this (if and to the extent this activity occurs in your country). You will be notified of any call recording in advance of such a call or in additional notices where that is required.
The legal basis for our use and other processing of your Personal Information under applicable data privacy laws
We have described above the purposes for which we may use and otherwise process your Personal Information in connection with your claim. We are required by law to indicate to you the legal basis for this use and other processing. This will include (as relevant):
- Processing of your claim in order that we may perform our obligations under the relevant insurance contract with the insured person.
- Processing for legitimate interests provided these are not overridden by your interests and fundamental rights and freedoms (this includes our own legitimate interests and those of other entities and branches in our group of companies), in particular this is relevant when we use and process your Personal Information in order to process your claim, to validate your claims history or that of any other person or property likely to be involved in the policy or claim, and to deal with our legal and regulatory compliance obligations and good governance obligations.
- Processing which is necessary for compliance with our legal obligations laid down by European Union law (where relevant) and (where permitted and justified) by national laws in all of our countries.
- Processing as necessary for the establishment, exercise or defence of legal claims or rights.
Your consent may also be a lawful reason for processing your Personal Information in certain cases. This means your freely given, specific, informed and unambiguous consent. For instance, where special categories of personal data are processed.
This consent may be collected from you at the time at which you submit your claim including, for instance, when you sign the claim form. It means in certain cases, explicit consent, which would be collected from you before you undergo a medical assessment to verify parts of your claim or to help with the settlement of your claim. You should be aware that you are entitled under applicable data privacy law to withdraw your consent, where that has been given, at any time.
You should be aware that if you do this and if there is no alternative lawful reason for us to rely on to justify the relevant use or other processing of your Personal Information, this may affect our ability to administer your claim.
In summary, we need certain categories of Personal Information in order to administer your claim. Certain other Personal Information is processed for our legitimate interests in cases where this does not result in overriding prejudice to you. Certain other Personal Information is processed based on a consent.
Fraud Prevention Checks
We may conduct identity verification searches and also share your Personal Information with Fraud Prevention Agencies (including those in your country) when we are administering your claim. If false or inaccurate information is provided and fraud is identified details will be passed to Fraud Prevention Agencies. Law enforcement agencies may access and use this information. To protect against financial crime and for legal and regulatory compliance purposes we may conduct an identity search at the Fraud Prevention Agencies. This will not affect your credit rating. If an identity check fails, we may need to ask you for specific documentary evidence of your identity.
Fraud Prevention Agencies will report to us on whether or not any fraud, money laundering or identity verification risks are identified. Please note that we do not have to ask you for your consent to these checks in cases where they are justified by alternative lawful grounds for processing Personal Information, such as our own legitimate interests having regard to our legal and regulatory compliance obligations and good governance obligations (see above).
UK specific insurance market fraud monitoring system
Where you are a UK resident Data Subject and it is permitted under applicable data privacy laws, we may submit your Personal Information into the UK insurance industry wide fraud monitoring system. This is an industry wide fraud database administered by a third party and used by other members of the insurance industry in the UK. This will involve us disclosing your Personal Information to the third party who administers the fraud database. They will in turn share it with other members/their other insurance customers if any fraud risk is identified. Steps will be taken to put in place safeguards to protect your Personal Information when it is held by that third party. This may include written contracts between us and them to govern the security of your Personal Information and how it may be shared.
Data Anonymisation
We may convert your Personal Information into statistical or aggregated data in such a way as to ensure that you are not identified or identifiable from that data. We may use this aggregated data to conduct market research and analysis, including to produce statistical research and reports. For example, we may produce reports on which of our product offerings and insurance coverage attract the fewest or the highest number of claims and the average values of those claims. We may share aggregated data in several ways, including for the same reasons as we might share Personal Information (see "Sharing and Obtaining of Personal Information" below).
Sharing and Obtaining of Personal Information
Personal Information may be shared for the above purposes with our group companies (see "International Transfers" above) and it may be shared with (or collected from) brokers and other distribution parties, insurers and reinsurers, Fraud Prevention Agencies, medical practitioners and healthcare professionals and other service providers who help us and our group of companies to operate our business. These are the sources from which your Personal Information may have originated. These are not publically available sources.
Personal Information will be shared with regulatory authorities, courts and governmental agencies to comply with legal orders, legal or regulatory requirements and government requests. It may also be shared in the context of a sale of all or part of our group of companies or transfer of business assets.
Personal information (including details of injuries) may be recorded on claims registers shared with other insurers, where applicable in your locality (please note this is not applicable in Switzerland). We may be required by law or regulatory obligations relevant to the insurance industry in your country to register all third party claims for compensation relating to bodily injury to workers’ compensation boards. We may search these registers to detect and prevent fraud or to validate your claims history or that of any other person or property likely to be involved in the policy or claim.
In some instances, it may be necessary to transfer Personal Information between our European and international offices (for further details – see above). This may include Personal Information being disclosed to legal or regulatory bodies in order to comply with diverse legal regulations, including those imposed on our parent company based in the United States (where this is lawful under applicable data privacy laws).
In addition, we may share your Personal Information, including but not limited to that which is contained in Medical Reports, Private Investigators’ Reports and Rehabilitation Co-ordinators’ Reports, where appropriate and where permitted under privacy laws, with any or all of the following persons:
- The intermediary, broker or agent who is relevant to the insurance policy to which your claim relates.
- Your employer or your employer’s nominated intermediary, if they are the Policyholder.
- Your nominated GP or other medical practitioners whose care you are under or who is otherwise relevant to your claim (such as independent medical practitioner if you explicitly consent to undergo a medical assessment to verify parts of your claim or to help with the settlement of your claim).
- Insurance industry bodies in your country, our insurance partners, Trustees in Bankruptcy, reinsurers, underwriters, loss adjusters, medical agencies (in the UK and abroad) and our subcontractors and agents.
- Insurance loss and claims assessment agencies – this information will be used by agency users in assessing insurance claims and evaluating losses.
- Our legal and other professional advisers.
- Government regulators and the Ombudsman.
- In limited and controlled circumstances, other insurance companies where we are under a legal duty to provide it.
Except as described in this Claims Privacy Statement, we will not discuss your claim with anyone unless you provide their name and give express written consent (this includes your spouse, any relative or friend, or legal advisor). For security we will ask them to verify their identity by confirming your date of birth, post code and policy number.
Retention period or criteria used to determine the retention period
Personal Information will be retained for the period necessary to fulfil the purposes described above. In particular, we will retain it for as long as we need to in order to administer your claim. After your claim is settled, we will retain it only for as long as is necessary and the relevant retention period will be determined by reference to law or regulation or for litigation or regulatory investigations.
The criteria we use to determine data retention periods after claims are settled includes the following: (i) Retention in case of queries. We will retain it for a reasonable period (up to 6 months) in case of queries from you; (ii) Retention in case of claims. We will retain it for the period in which you might legally bring claims against us. This period will vary depending on your local country; (iii) Retention in accordance with legal and regulatory requirements.
If you would like further information about our data retention practices please contact us (see "Requests or questions" below).
Monitoring of calls and other communications
To help improve our service and in the interests of security, upon your consent where that is required, we may monitor and record phone calls. You will be notified of any call recording at the outset of such a call where that is required. For more information see "The purposes for which we use and process Personal Information" above.
Requests or questions
You have various rights under data privacy laws in your country. These may include (as relevant):
- The right to obtain confirmation as to whether or not your Personal Information is processed and, where that is the case, the right to request access the Personal Information we hold about you and obtain a copy of it in a structured, commonly used and machine-readable format and transmit such data to another controller, in the cases provided for by applicable law. Unless required otherwise by the applicable law, we may refuse access if it would interfere with the privacy rights of other persons or adversely affect their rights and freedoms.
- You have also the right to be informed: i. of the source of your personal data; ii. of the purposes and methods of the processing; iii. of the logic applied to the processing, if the latter is carried by electronic means; iv. of the data identity of the data controller and of the data processor/s, if appointed, and the local privacy representative, if any; v. of the entities or categories of entities to whom or which your personal data may be communicated.
- You have the right to rectification including to require us to correct inaccurate Personal Information; the right to request restriction of processing concerning you or to object to processing of your Personal Information; the right to request the erasure anonymization or blocking of your Personal Information if processed unlawfully or where it is no longer necessary for us to retain it; the right to be told about any changes of your Personal Information that have been notified to the entities to whom or which the Personal Information was communicated or disseminated, unless this requirement is impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.
- You have the right to data portability including to obtain Personal Information in a commonly used machine readable format in certain circumstances such as where our processing of it is based on a consent.
- You have the right to object, in whole or in part, on legitimate grounds, to the processing of your Personal Information; the right to object to the processing of your Personal Information, where it is made for the purpose of sending advertising materials or direct marketing or selling or for the performance of market or commercial communication surveys (though we do not use your Personal Information for marketing – please note).
- You have the right to object to automated decision making including profiling (if any) that has a legal or significant effect on you as an individual; and the right to withdraw your consent to any processing for which you have previously given that consent.
Please see "Contact Us" if you wish to exercise any of these rights (as relevant).
Consequences of failure to provide Personal Information
You have the right to be informed about the possible consequences of failure to provide the Personal Information we ask you for directly. For example, if on the claim form certain Personal Information is missing or if this proves to be inaccurate, or if this is the case based on our telephone conversations or email correspondence, and if that data is not provided by or on your behalf as part of follow up, then we may not be able to administer your claim.
Updated and changes to this Claims Privacy Statement
Because of these ongoing changes, changes in the law and the changing nature of technology, our data practices, this Claims Privacy Statement will change from time to time. We encourage you to check this page frequently.
Please click this link to access the previous version of this Claims Privacy Statement.
Contact Details
If you wish to exercise your data privacy related rights against us, please e-mail: [email protected].
We welcome comments about this Privacy Statement. Please use the same contact details as above for this purpose.
Your right to lodge complaints with the data privacy supervisory authority in your country
Without prejudice to any other administrative or judicial remedy you might have, you have the right to lodge a complaint with the relevant data protection supervisory authority in your country if you consider that we have infringed applicable data privacy laws when processing your Personal Information. This means the country where you are habitually resident, where you work or where the alleged infringement took place. Here are the names of the supervisory authorities and how you can locate their contact details for this purpose:
If the CNA Hardy company processing your personal information is located in Italy, please note the following.
Your Personal Information will be processed by the Country Manager who is duly instructed and in charge of the relevant processing at CNA Hardy in Italy.
Last updated: 01.01.2019