Purpose |
Lawful basis for processing |
Corresponding with you. Including communications relating to our website, our services or service requirements, our events and any feedback or complaints. |
Where you are a directly insured individual, performance of a contract (insurance policy)- to the extent that correspondence with you is part of contract performance.
Otherwise, legitimate interests – to communicate with our insureds, insurance claimants, brokers, intermediaries, service providers and regulators. |
Administration of our business. Including processing:
- (a) To deliver our services;
- (b) To operate our business and manage and develop our relationships; and
- (c) to update and maintain our systems and platforms (including prevention of disruptions, troubleshooting, monitoring, and analysis required to detect malicious code/actors).
|
Where you are a directly insured individual, performance of a contract (insurance policy)- to deliver our services as part of contract performance.
Otherwise, legitimate interests – to deliver our services and ensure the security and resilience of our systems and platforms. |
Vetting and risk management. We undertake checks to vet our potential clients and suppliers. |
Where you are a directly insured individual, performance of a contract (insurance policy)- to conduct our vetting and risk management processes as part of contract performance.
Legal obligation- to the extent that our processing relates to a legal obligation to comply with our legal/ regulatory obligations to undertake AML/KYC checks. For example:
- in Belgium, the Belgian Anti-Money Laundering Law, 18 September 2017;
- in Denmark, the Danish Anti-Money Laundering Act;
- in France, the French Monetary and Financial Code;
- in Germany, the Money Laundering Act;
- in Italy, the Legislative Decree no. 231/2007 and Legislative Decree no. 209/2005 (the Italian Insurance Code);
- in Luxembourg, the Law on anti-money laundering and fight against terrorism dated 12 November 2004 (where the processing relates to investment-related insurance companies) and the Danish Act on Insurance Companies; and
- in the Netherlands, the Sanctions Act 1977.
Otherwise, legitimate interests – to manage risk in accordance with our legal obligations and internal policies.
To the extent that special categories of personal data or personal data relating to criminal convictions and/or offences is processed for this purpose (for example, information relating to politically exposed persons or sanctions) we rely on necessity for reasons of substantial public interest (detection and prevention of fraud) other than in the following jurisdiction:
Belgium
Consent (health data only).
|
Improvement and development of our business. This includes processing (including data analytics, modelling and benchmarking):
- (d) to improve the quality, content and relevance of our communications and services [by following your interactions with that communication, such as whether you receive, open or click on a link within an email communication];
- (e) understand the needs and interests of our customers;
- (f) to undertake trend analysis and market segmentation (including for marketing purposes);
- (g) to conduct market insight activities (for example, requiring our underwriting team to provide general insights relating to particular insurance lines or sectors); and/or
- (h) to personalise our services or communication based on profiles we have applied to you. We automatically process certain of your personal data, including your interactions with us (such as how often you look at a product or page) and services you have purchased or looked at, to create a profile about you. Such profiles may be used to personalise our services, inform our marketing practices and/or as part of security threat / fraud detection and prevention.
|
Legitimate interests – to improve our products and services and better understand our customer base. |
Legal and regulatory purposes. Including processing in the course of our client onboarding, business acceptance, fraud detection and claims administration procedures:
- (i) in order to comply with and in order to assess compliance with applicable laws, rules and regulations, and internal policies and procedures (for example, our “know your customer”, trade sanctions and anti-money laundering obligations);
- (j) to prevent and detect fraud and/or other criminal activity or misconduct;
- (k) to obtain and update credit information with credit referencing agencies in the relevant jurisdiction as identified above (we undertake credit checks prior to binding a risk where this is permitted in the relevant jurisdiction); and/or
- (l) establishment and handling of legal claims.
|
Legal obligation – to comply with our legal/ regulatory obligations. To the extent that our processing relates to a legal obligation, we rely on necessity to comply with a legal obligation. For example:
- in Belgium, Belgian Anti-Money Laundering Law, 18 September 2017 and the Belgian Insurance Law, 4 April 2014;
- in Denmark, the Danish Anti-Money Laundering Act, the Danish Act on Insurance Companies, Danish Credit Agreements (in connection with credit information), Danish Insurance Contracts Act (in connection with legal claims);
- in France, the French Monetary and Financial Code, the French Insurance Code (in connection with claims administration procedures) and art. L.123-22 of the French Commercial code (in connection with accounting data);
- in Germany, the Insurance Supervision Act;
- in Italy, the Italian Insurance Code (209/2005);
- in Luxembourg, the Law on anti-money laundering and fight against terrorism dated 12 November 2004, the Law on the insurance sector dated 7 December 2015, the Criminal Code, the Labour Code and Law on the insurance contract dated 27 July 1997;
- in the Netherlands, the Act on the Financial Supervision and the Dutch Civil Code; and
- in the UK, the UK Insurance Act 2015.
Otherwise, we rely on legitimate interests (to exercise our legal rights and comply with our regulatory obligations).
In case of processing special categories of personal data the legal basis for processing is the establishment, exercise or defence of legal claims.
Where we are undertaking Politically Exposed Persons (PEP) and/or sanctions checks, this may require processing of personal data relating to criminal offences and convictions, sanctions or political views (as applicable), we rely on necessity for reasons of substantial public interest (insurance claims, anti-fraud measures and/or compliance with applicable laws, particularly in the UK, the Sanctions and Anti-Money Laundering Act 2018 and in Denmark, section 8(1)(3) of the Danish Data Protection Act), and equivalent regulations other than in the following jurisdiction:
Netherlands
Relevant exception under the Dutch GDPR Implementation Act.
|
Business support. Including consultancy, banking, legal, insurance, audit and accounting services, subject to applicable law and obtaining any consent required under professional secrecy law. |
Legitimate interests – to receive professional support in connection with our business and to comply with our legal obligations and internal policies.
Legal obligation- to comply with a legal and/or regulatory obligation, where the processing relates to activity required by law. For example:
- in Belgium, the Belgian Anti-Money Laundering Law;
- in Denmark, the Danish Act on Insurance Companies, the Danish Financial Statements Act and the Danish Bookkeeping Act;
- in France, the French Commercial Code (accounting documents only);
- in Germany, the Commercial Code and the General Fiscal Code;
- in Italy, the Italian Civil Code; and
- in Luxembourg, the Law on insurance sector dated 7 December 2015 (in respect of audit and annual accounts) and law on commercial companies dated 10 August 1915; and the Law on annual accounts dated 19 December 2002 (annual accounts only).
|
Investigating complaints or suspected non-compliance with law, regulatory obligations or our policies, procedures, terms and conditions. |
Legal obligations where the investigation is required by law. For example:
- in Belgium, the Belgian Anti-Money Laundering Law, 18 September 2017;
- in Denmark, the Danish Act on Insurance Companies and the Danish Consolidated Act on the Working Environment;
- in Germany, the Insurance Supervision Act;
- in Italy, the IVASS Regulation no. 24/2008;
- in Luxembourg, the Law on insurance sector dated 7 December 2015 and Law on the insurance contract dated 27 July 1997;
- in the Netherlands, the Act on the Financial Supervision and the Dutch Civil Code.
Otherwise legitimate interests – to protect our business and manage our relationships.
|
Establishment and handling of legal claims. |
Legitimate interests – to ascertain and/or exercise our legal rights.
Where this requires processing of special categories of personal data and/or personal data relating to criminal offences and/or convictions, necessity for the establishment, exercise or defence of legal claims.
|
Purposes outlined in our cookies notice. |
Legitimate interests – in relation to “strictly necessary” cookies.
Consent- for all other cookies.
|
Restructuring our business. Including in the context of internal re-organisations, business sales, transfers, mergers and acquisitions (and the planning, administration and negotiation of the same). |
Legitimate interests – to transfer books of business or restructure or sell our business. |
Relationship management and targeting of events. Including keeping a record of invitees and attendees and recording any event-specific feedback. |
Legitimate interests – to build an events programme that services our partners/brokers. |
Marketing. To communicate with you in order to provide you with information about services, products and/or events that may be of interest to you via email, phone, social media. |
We rely on the following lawful bases depending on your jurisdiction.
Belgium, France, Germany, Luxembourg, UK
Legitimate interests – to better understand your interests and inform you of products and services offered by CNA Hardy.
Denmark, Italy, Netherlands
Consent
|
Social media. We may use your personal data to undertake advertising campaigns on social media platforms such as LinkedIn and YouTube in order to provide information about upcoming services or new products and to ensure you only receive relevant advertising about our products and services. |
Legitimate interests – to inform you of products and services offered by CNA Hardy, unless otherwise provided in our cookies policy, other than in the following jurisdiction:
France
Consent.
|
Purpose |
Lawful basis for processing |
Assessing aspects of a claim and/or supporting evidence relating to a claim – corporate customers. This may relate to your employment or occupational status (giving rise to a requirement to process personal data relating to trade union membership); your health status (giving rise to a requirement to process health data) or any criminal record you may have or alleged offences you may have committed (giving rise to a requirement to process personal data relating to criminal offences and/or convictions). |
Legitimate interests – to assess claims effectively and in accordance with applicable law, other than in the following jurisdiction:
Italy
Performance of a contract (insurance policy)- to deliver our services as part of contract performance.
Where this requires processing of special categories of personal data and/or personal data relating to criminal offences and/or convictions, the following lawful bases depending on your jurisdiction:
Belgium, France, Germany & Italy
Consent.
Denmark
Necessity for reasons of substantial public interest.
Necessary in order to comply with legitimate interests (section (8)(1)(2) Danish Data Protection Act) (criminal offence and/or convictions data only).
Luxembourg & UK
Necessity for reasons of substantial public interest (insurance claims).
Netherlands
We will ensure that a relevant exception under the Dutch GDPR Implementation Act can be relied upon.
For example, with respect to the processing of health data, we will generally rely on the exception applicable to insurers to:
- (i) assess the insured risk, provided you have not objected to the processing; or
- (ii) perform the insurance contract or assist with the management and performance of the insurance contract.
In some cases we may rely on your explicit consent to process special categories of personal data and/or personal data relating to criminal offences and/or convictions.
|
Assessing aspects of a claim and/or supporting evidence relating to a claim – directly insured individuals. This may relate to your employment or occupational status (giving rise to a requirement to process personal data relating to trade union membership); your health status (giving rise to a requirement to process health data) or any criminal record you may have or alleged offences you may have committed (giving rise to a requirement to process personal data relating to criminal offences and/or convictions). |
Performance of a contract (insurance policy)- necessary to perform services as part of contract performance.
Where this requires processing of special categories of personal data relating to criminal offences and/or convictions, we rely on the following lawful bases depending on your jurisdiction:
Belgium, France, Germany & Italy
Consent.
Denmark
Necessary in order to comply with legitimate interests (section (8)(1)(2) Danish Data Protection Act) (criminal offence and/or convictions data only).
Necessary for the establishment of a legal claim (health data only).
Luxembourg & UK
Necessity for reasons of substantial public interest (insurance claims).
Netherlands
We will ensure that a relevant exception under the Dutch GDPR Implementation Act can be relied upon.
For example, with respect to the processing of health data, we will generally rely on the exception applicable to insurers to:
- (i) assess the insured risk, provided you have not objected to the processing; or
- (ii) perform the insurance contract or assist with the management and performance of the insurance contract.
In some cases we may rely on your explicit consent to process special categories of personal data and/or personal data relating to criminal offences and/or convictions.
|
Identification of actual or potential beneficiaries under a claim. This may include the processing of personal data relating to partners and dependents of insured individuals, for example. |
Legitimate interests – to administer claims effectively and in accordance with applicable law. |
Administering claims. Including issue of payment to beneficiaries. |
Legitimate interests – to administer claims effectively and in accordance with applicable law.
Legal obligation
To the extent our processing relates to a legal obligation, we rely on necessity to comply with a legal obligation. For example:
- in Denmark, the Danish Insurance Contracts Act;
- in France, the French Insurance Code (which will apply in respect of any direct payments and will apply to the contract under which payment is made);
- in Germany, the Insurance Contract Act;
- in Italy, the Italian Civil Code;
- in Luxembourg, the Law on insurance sector dated 7 December 2015 and law on the insurance contract dated 27 July 1997; and
- in the Netherlands, the Dutch Civil Code.
|
Reinsurance coverage. |
Legitimate interests – to obtain appropriate coverage that reflects the nature and extent of risk.
Where this requires processing of special categories of personal data and/or personal data relating to criminal offences and/or convictions, the following lawful bases depending on your jurisdiction:
Belgium, France, Germany & Italy
Consent.
Denmark
Necessity for reasons of substantial public interest.
Necessary in order to comply with legitimate interests (section (8)(1)(2) Danish Data Protection Act) (criminal offence and/or convictions data only).
Netherlands
We will ensure that a relevant exception under the Dutch GDPR Implementation Act can be relied upon.
For example, with respect to the processing of health data, we will generally rely on the exception applicable to insurers to:
- (i) assess the insured risk, provided you have not objected to the processing; or
- (ii) perform the insurance contract or assist with the management and performance of the insurance contract.
In some cases we may rely on your explicit consent to process special categories of personal data and/or personal data relating to criminal offences and/or convictions.
UK & Luxembourg
Necessity for reasons of substantial public interest (insurance claims).
|
External audit of/by reinsurers. |
Legitimate interests – performance of a reinsurance contract to ensure adequate coverage and to maintain flexibility in provision of coverage. |
Co-insurance coverage. |
Legitimate interests – to collaborate with other insurers to provide appropriate coverage that reflects the nature and extent of risk. |
Purpose |
Lawful basis for processing |
Quotation and inception: corporate customers. This includes:
- Evaluating the risks to be covered, assessment of the insurance needs and matching to appropriate policy/premium
- Setting your organisation up as a client, including possible fraud, sanctions, credit and anti-money laundering checks
This may relate to your employment or occupational status (potentially, where relevant for example in connection with an employment claim, giving rise to a requirement to process personal data relating to trade union membership); your health status (giving rise to a requirement to process health data) or any criminal record you may have or alleged offences you may have committed (giving rise to a requirement to process personal data relating to criminal offences and/or convictions).
|
Legitimate interests – to understand your coverage requirements and price our offering accordingly.
Where this requires processing of special categories of personal data and/or personal data relating to criminal offences and/or convictions we rely on the following lawful bases depending on your jurisdiction:
Belgium, France, Germany & Italy
Consent.
Denmark
Necessary in order to comply with legitimate interests (section (8)(1)(2) Danish Data Protection Act) (criminal offence and/or convictions data only).
Netherlands
We will ensure that a relevant exception under the Dutch GDPR Implementation Act can be relied upon.
For example, with respect to the processing of health data, we will generally rely on the exception applicable to insurers to:
- (i) assess the insured risk, provided you have not objected to the processing; or
- (ii) perform the insurance contract or assist with the management and performance of the insurance contract.
In some cases we may rely on your explicit consent to process special categories of personal data and/or personal data relating to criminal offences and/or convictions.
Luxembourg & UK
Necessity for reasons of substantial public interest (insurance claims).
|
Quotation and inception: directly insured individuals. This includes:
- Evaluating the risks to be covered, assessment of the insurance needs and matching to appropriate policy/premium
- Setting you up as a client, including possible fraud, sanctions, credit and anti-money laundering checks
- Evaluating the risks to be covered and matching to appropriate policy/premium
- Receipt of premium
This may relate to your employment or occupational status (potentially, where relevant for example in connection with an employment claim, giving rise to a requirement to process personal data relating to trade union membership); your health status (giving rise to a requirement to process health data) or any criminal record you may have or alleged offences you may have committed (giving rise to a requirement to process personal data relating to criminal offences and/or convictions).
|
Performance of a contract (insurance policy)- necessary to enter into a contract and subsequently as part of contract performance.
Where this requires processing of special categories of personal data and/or personal data relating to criminal offences and/or convictions we rely on the following lawful bases depending on your jurisdiction:
Belgium, France, Germany & Italy
Consent.
Denmark
Necessary in order to comply with legitimate interests (section (8)(1)(2) Danish Data Protection Act) (criminal offence and/or convictions data only).
Netherlands
We will ensure that a relevant exception under the Dutch GDPR Implementation Act can be relied upon.
For example, with respect to the processing of health data, we will generally rely on the exception applicable to insurers to:
- (i) assess the insured risk, provided you have not objected to the processing; or
- (ii) perform the insurance contract or assist with the management and performance of the insurance contract.
In some cases we may rely on your explicit consent to process special categories of personal data and/or personal data relating to criminal offences and/or convictions.
Luxembourg & UK
Necessity for reasons of substantial public interest (insurance claims).
|
Identification of actual or potential beneficiaries under an insurance policy. This may include the processing of personal data relating to partners and dependents of insured individuals, for example. |
Legitimate interests – to understand which individuals benefit from coverage. |
Renewals. This includes:
- Contacting the insured/policyholder to renew the insurance policy
- Evaluating the risks to be covered and matching to appropriate policy/premium
|
For directly insured individuals, performance of a contract. Otherwise, legitimate interests – to offer to renew coverage. |