CNA Hardy is a trading name of the group of companies which include CNA Insurance Company Limited, Hardy (Underwriting Agencies) Limited and CNA Insurance Company (Europe) S.A. See https://www.cnahardy.com/site-services/LegalEntityDetails for all our legal entity and branch office names and registered contact details.
How we use Personal Information
We are committed to protecting the privacy of customers, claimants and other business contacts.
This Insurance Policy Privacy Statement is relevant to all individuals whose Personal Data is processed by CNA Hardy in connection with the Policy, such as owners, directors, officers, shareholders, staff and other individuals who work for or are connected with the Insured (excluding brokers and intermediaries), this can include but not be limited to processing on electronic instruments and devices.
In this Insurance Policy Privacy Statement, "You" and "Your" means all such individuals as well as the signatories of the Policy.
The signatories of the Policy are encouraged to show a copy of this Insurance Policy Privacy Statement to all individuals before their Personal Data is provided to the CNA Hardy. The signatories must ensure they are authorised to provide the Personal Data about all individuals to the CNA Hardy for use as described below and, if necessary, ensure that they have obtained all relevant consents to CNA Hardy processing the individuals Personal Data described below.
CNA Hardy shall process Personal Data that it obtains in connection with the Policy (either direct from the Insured or indirectly via relevant third parties such as brokers or intermediaries or from the third party sources mentioned below) in accordance with the separate Website and General Privacy Statement located at https://www.cnahardy.com/privacy/website.
In the event of any conflict between the Website and General Privacy Policy and this Insurance Policy Privacy Statement, this Insurance Policy Privacy Statement will prevail.
The meaning of Personal Data
"Personal Information" has the same meaning as personal data. Personal data is defined in data privacy laws applicable in your country. It includes any information relating to an identified or identifiable natural person (or in some jurisdictions, information related to a legal entity). This means any individual or legal entity who can be identified directly or indirectly by reference to an identifier such as name, identification number, location data, online identifiers (for example, IP addresses – if they can be used to identify you) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Put simply, this includes data which either by itself or with other data held by us or available to us, can be used to identify you directly or indirectly.
Personal Data also includes special categories of personal data. This is data about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning your health, sex life or sexual orientation or certain personality profiles (as relevant). It also includes details of any criminal convictions or offences (see Fraud Prevention below).
If the CNA Hardy company processing your personal information is located in France, please note the following. The special categories of personal data which may be collected about you are limited to the following: health and condemnation & offences data.
If the CNA Hardy company processing your personal information is located in Switzerland, please note the following. Personal Information also includes sensitive personal data, personality profiles or profiling. Sensitive personal data is data about your racial or ethnic origin, political, religious, trade union-related or ideological views or activities, genetic data, biometric data, data about social security measures and data concerning your health, sex life, sexual orientation or that belongs otherwise to your intimate sphere. For example, details about your mental or physical health or condition as may be relevant to your claim. It also includes details of any criminal or administrative proceedings and sanctions (see Fraud Prevention below). Personality profiles means a collection of data that permits an assessment of essential characteristics of the personality of a natural person.
Important notice about international transfers including to the United States
Due to the global nature of our business, your Personal Information will be transferred to third parties located in other countries, including outside the European Economic Area. "Third parties" in this context may include any of the persons mentioned in "Disclosure of your Personal Information to third parties" below. These other countries will either have different data protection laws than your country of residence or they will not have data protection laws. They may not be deemed by the European Commission as providing adequate protection for Personal Information.
In particular, we transfer Personal Information to our group companies who are located in the United States. A list of all group companies to whom data is transferred is available on request but includes ‘Continental Casualty Company’, ‘The Continental Corporation’, ‘CNA Financial Corporation’ and the ‘The Continental Insurance Company’. Details on the US companies can be found on the website www.cna.com
The United States is not deemed by the European Commission to have adequate protections for Personal Information. It is possible that U.S. defence and security authorities, among others, may gain access to the Personal Information in line with local laws.
Steps will be taken to put in place safeguards (including around security) to protect your Personal Information when it is in these other countries. This includes use of European Model Clause contracts, including addendums in accordance with the requirements under applicable local laws.
You can find out what EU Model Clauses are online at the following
address: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.
If you have any questions please contact us (details below). Please note commercially sensitive information may be removed/blanked out from copies supplied to you.
The categories of Personal Data we may collect
Personal Data collected from the Insured, from you, or from relevant third party sources, may include the following:
- your full name, home address, date of birth, other identification details such as the proof of identity and proof of address documentation,
- your contact information, including your work related email address and telephone number, your work address, and (if you are a director, partner or other legal or beneficial owner of the Insured) your home address,
- notes and call recordings,
- criminal conviction or offence details including any actual or suspected fraud, money laundering or other crime which you may have committed, and
- any other Personal Data which you or the Insured voluntarily provide to us from time to time.
The purposes for which we use and process Personal Data
CNA Hardy may process Personal Data in order to arrange the Insured’s insurance cover (including communications about the Policy, for renewals and for administration/processing of Claims and of the Policy), for management and audit of our business operations including accounting, to verify identity/ies of relevant individuals such as sole traders, directors, officers, partners and other legal or beneficial owners of the Insured, to the extent permitted by the applicable law, to perform credit checks, fraud prevention and anti-money laundering checks (see Fraud Prevention Checks below), for establishment and defence of legal rights, to comply with legal or regulatory requirements, for other activities relating to the prevention, detection and investigation of crime, to administer accounts, to provide customer service, (with your explicit consent, where relevant) for market research and analysis and developing statistics and to market our products and services and those of our Group of companies.
The legal basis for our use and other processing of your Personal Data under applicable data privacy laws
We have described above the purposes for which we may use and otherwise process your Personal Data in connection with the Policy. We are required by law to indicate to you the legal basis for this use and other processing. This will include (as relevant):
- in order that we may perform our obligations under the Policy;
- processing for legitimate interests provided these are not overridden by your interests and fundamental rights and freedoms (this includes our own legitimate interests and those of other entities and branches in our group of companies), in particular this is relevant when we use and process your Personal Data in order to administer the Policy and to deal with our legal and regulatory compliance obligations and good governance obligations;
- processing which is necessary for compliance with our legal obligations laid down by European Union law (where relevant) and by national laws in all of our countries; and
- processing as necessary for the establishment, exercise or defence of legal claims or rights.
Your consent may also be a lawful reason for processing your Personal Data in certain cases.
This means your freely given, specific, informed and unambiguous consent. You should be aware that you are entitled under applicable data privacy law to withdraw your consent, where that has been given, at any time. You should be aware that if you do this and if there is no alternative lawful reason for us to rely on to justify the relevant use or other processing on your Personal Data, this may affect our ability to administer the Policy.
In summary, we need certain categories of Personal Data in order to administer the contract (the Policy). Certain other Personal Data is processed for our legitimate interests in cases where this does not result in overriding prejudice to you.
Sharing and disclosures of Personal Data
In order to arrange the Insured’s insurance cover, or process any Claims, or for the other purposes described above, CNA Hardy may disclose Personal Data to other companies within the CNA group, its insurance partners, brokers, intermediaries, agents, underwriters, loss adjusters, our legal and other professional advisers, government regulators and the Ombudsman, and other third parties and service providers who act for CNA Hardy and who help us and our Group of companies to operate our business.
Personal Data will be shared with regulatory authorities, courts and governmental agencies to comply with legal orders, legal or regulatory requirements and government requests.
It may also be shared in the context of a sale of all or part of our group of companies or transfer of business assets. It may be shared with Credit Reference Agencies and Fraud Prevention Agencies (further details below).
It may also be shared with Insurance industry bodies in your country.
In some instances, it may be necessary to transfer Personal Data between CNA Hardy’s European and international offices (for further details – see above). This may include Personal Data being disclosed to legal or regulatory bodies in order to comply with diverse legal regulations, including those imposed on the CNA Hardy’s parent company based in the United States (where this is lawful under applicable data privacy laws).
Retention period or criteria used to determine the retention period
Personal Data will be retained for the period necessary to fulfil the purposes described above. In particular, we will retain it for as long as we need to in order to administer the Policy. After termination or expiry of the Policy, we will retain it only for as long as is necessary and the relevant retention period will be determined by reference to law or regulation or for litigation or regulatory investigations.
The criteria used by CNA Hardy to determine data retention periods after termination or expiry of the Policy includes the following: (i) Retention in case of queries. We will retain it for a reasonable period (up to 6 months) in case of queries from you or the Insured; (ii) Retention in case of claims. We will retain it for the period in which you might legally bring claims against us. This period will vary depending on your local country; (iii) Retention in accordance with legal and regulatory requirements.
If you would like further information about our data retention practices please contact us (see Requests or questions details below).
Fraud Prevention Checks
We may conduct identity verification searches and also share your Personal Information with Fraud Prevention Agencies (including those in your country) when we are administering a Policy for you or the Insured. If false or inaccurate information is provided and fraud is identified details will be passed to Fraud Prevention Agencies. Law enforcement agencies may access and use this information. To protect against financial crime and for legal and regulatory compliance purposes we may conduct an identity search at the Fraud Prevention Agencies. This will not affect your credit rating. If an identity check fails, we may need to ask you for specific documentary evidence of your identity.
Fraud Prevention Agencies will report to us on whether or not any fraud, money laundering or identity verification risks are identified. Please note that we do not have to ask you for your consent to these checks in cases where they are justified by alternative lawful grounds for processing Personal Information, such as our own legitimate interests having regard to our legal and regulatory compliance obligations and good governance obligations (see above).
UK specific insurance market fraud monitoring system
Where you are a UK resident Data Subject and it is permitted under applicable data privacy laws, we may submit your Personal Information into the UK insurance industry wide fraud monitoring system. This is an industry wide fraud database administered by a third party and used by other members of the insurance industry in the UK. This will involve us disclosing your Personal Information to the third party who administers the fraud database. They will in turn share it with other members/their other insurance customers if any fraud risk is identified. Steps will be taken to put in place safeguards to protect your Personal Information when it is held by that third party. This may include written contracts between us and them to govern the security of your Personal Information and how it may be shared.
Data Anonymisation
We may convert your Personal Data into statistical or aggregated data in such a way as to ensure that you are not identified or identifiable from that data. We may use this aggregated data to conduct market research and analysis, including to produce statistical research and reports.
For example, we may produce reports on which of our product offerings and insurance coverage attract the fewest or the highest number of claims and the average values of those claims. We may share aggregated data in several ways, including for the same reasons as we might share Personal Data (see Sharing and disclosures of personal data above).
Direct Marketing
With your consent where relevant, CNA Hardy shall also use contact details to keep the Insured informed by post, telephone or e-mail of our additional products or services and developments in the insurance sector generally which may be of interest to the Insured. Please note that CNA Hardy may continue to use these contact details for these purposes after the Policy has lapsed. If at any time the Insured, or any of its contact persons, do NOT wish to be contacted for marketing purposes as set out above, you/they can use the un-subscribe mechanism referred included in the message, or alternatively e-mail or write to us at the addresses stated in the Schedule or using the alternative contact details below.
Requests or questions
You have various rights under data privacy laws in your country. These may include (as relevant):
- The right to obtain confirmation as to whether or not your Personal Information is processed and, where that is the case, the right to request access the Personal Information we hold about you and obtain a copy of it in a structured, commonly used and machine-readable format and transmit such data to another controller, in the cases provided for by applicable law. Unless required otherwise by the applicable law, we may refuse access if it would interfere with the privacy rights of other persons or adversely affect their rights and freedoms.
- You have also the right to be informed: i. of the source of your personal data; ii. of the purposes and methods of the processing; iii. of the logic applied to the processing, if the latter is carried by electronic means; iv. of the data identity of the data controller and of the data processor/s, if appointed, and the local privacy representative, if any; v. of the entities or categories of entities to whom or which your personal data may be communicated.
- You have the right to rectification including to require us to correct inaccurate Personal Information; the right to request restriction of processing concerning you or to object to processing of your Personal Information; the right to request the erasure anonymization or blocking of your Personal Information if processed unlawfully or where it is no longer necessary for us to retain it; the right to be told about any changes of your Personal Information that have been notified to the entities to whom or which the Personal Information was communicated or disseminated, unless this requirement is impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.
- You have the right to data portability including to obtain Personal Information in a commonly used machine readable format in certain circumstances such as where our processing of it is based on a consent.
- You have the right to object, in whole or in part, on legitimate grounds, to the processing of your Personal Information; the right to object to the processing of your Personal Information, where it is made for the purpose of sending advertising materials or direct marketing or selling or for the performance of market or commercial communication surveys (though we do not use your Personal Information for marketing – please note).
- You have the right to object to automated decision making including profiling (if any) that has a legal or significant effect on you as an individual; and the right to withdraw your consent to any processing for which you have previously given that consent.
Please see "Contact Us" if you wish to exercise any of these rights (as relevant).
Consequences of failure to provide Personal Information
You have the right to be informed about the possible consequences of failure to provide the Personal Information we ask you for directly. For example, if on the claim form certain Personal Information is missing or if this proves to be inaccurate, or if this is the case based on our telephone conversations or email correspondence, and if that data is not provided by or on your behalf as part of follow up, then we may not be able to administer your claim.
Updated and changes to this Insurance Policy Privacy Statement
Because of these ongoing changes, changes in the law and the changing nature of technology, our data practices, this Claims Privacy Statement will change from time to time. We encourage you to check this page frequently.
Please click this link to access the previous version of this Insurance Policy Privacy Statement.
Contact Details
If you wish to exercise your data privacy related rights against us, please e-mail: [email protected].
We welcome comments about this Privacy Statement. Please use the same contact details as above for this purpose.
Your right to lodge complaints with the data privacy supervisory authority in your country
Without prejudice to any other administrative or judicial remedy you might have, you have the right to lodge a complaint with the relevant data protection supervisory authority in your country if you consider that we have infringed applicable data privacy laws when processing your Personal Information. This means the country where you are habitually resident, where you work or where the alleged infringement took place. Here are the names of the supervisory authorities and how you can locate their contact details for this purpose:
If the CNA Hardy company processing your personal information is located in Italy, please note the following.
Your Personal Information will be processed by the Country Manager who is duly instructed and in charge of the relevant processing at CNA Hardy in Italy.
Last updated: 01.01.2019