    Privacy Policy

    Welcome to CNA Hardy Privacy Policy

    1. About this privacy notice
      1. This privacy notice tells you how CNA Hardy uses your personal data when you visit our website, make contact with us, use our products and services or where your personal data is processed by us as a result of insurance being obtained by one of our clients (in the UK, either through the London Insurance Market, the company market and in the case of CICE, various European markets). It sets out the ways in which we collect personal data, the uses of that personal data and the ways in which we may share any personal data relating to you.
        In the UK, this notice should be read in conjunction with the Core Uses Information Notice published by Lloyd's Market Association (LMA), which explains how your personal data may be processed by the various participants in the insurance market when insurance is obtained through the London Insurance Market.
      2. This notice is directed at our website users, policy holders or insured beneficiaries, claimants, brokers, intermediaries, reinsurers, managing agents, attendees at our events or recipients of our newsletters and marketing materials and any other individuals who otherwise interact with us in connection with our business (collectively referred to as “you”). This notice does not cover our processing of personal data relating to our staff, who should refer to our Employee Privacy Notice hosted on our intranet.
      3. Our website may contain links to other websites operated by other organisations. If you follow a link to any of those third party websites, please note that they have their own privacy notices. We are not responsible for their notices or their processing of your personal data. Please check these notices before you submit any personal data to them.

    2. Who we are
      1. CNA Hardy is a trading name of the group of companies which include the following entities:
        • CNA Insurance Company Limited which acts as main data controller in connection with our business on the company market.
        • Hardy (Underwriting Agencies) Limited which is the managing agent of Lloyds Syndicate 382, where coverage is provided under syndicate 382.
        • CNA Hardy International Services Limited which is an appointed representative of CICL and a coverholder of Hardy Underwriting Agencies Limited.
        • CNA Services (UK) Limited which undertakes, among other things, background and sanctions checks on behalf of the other CNA entities.
        • CNA Insurance Company (Europe) S.A. (“CICE”) which undertakes basic back office management, with the remainder of processing (for example, underwriting) being undertaken by individual branches (depending on the location of the broker and/or the insured).
      2. For ease, when we talk about “we” or “us” or “our” we mean each of these companies to the extent that it acts as a controller of your personal data. Please contact us using the details provided within the Contact Us section if you would like further information about which CNA Hardy entity processes your personal data as a controller.
      3. See https://www.cnahardy.com/site-services/LegalEntityDetails for all our legal entity and branch office names and registered contact details.

    3. Personal data we collect about you
      1. We will generally collect personal data as a result of:

        • (a) Information you provide to us about yourself: personal data that you provide to us when you use our website or our services, such as your name, email address, telephone number and home address.
        • (b) Correspondence between us: if you contact us, we will typically keep a record of that correspondence. We do not record telephone calls.
        • (c) Website, social media and communication usage: the pages on the website www.cnahardy.com are published by CNA Hardy and Investis Digital Limited (IDX) on behalf of CNA Hardy. When you visit CNA Hardy’s website, we collect some basic information such as the origin of the link you clicked to reach our website, your internet service provider's domain name, IP address, which pages you accessed on the site and what links you have interacted with on the site. We and Investis Digital use this information only to analyse the use of our website to help guide improvements, to see what content our users are particularly interested in and to inform our marketing communications. For further information, please see our Cookies Policy.
        • (d) Survey information or reviews of our products / services: where you have chosen to complete surveys that we use for market research purposes or to review our products / services.
        • (e) Information following your attendance at or interest in one of our events: including your contact details and role information in connection with events you have been invited to, events you have attended and any feedback you have provided in connection with an event.
        • (f) Our marketing activity: we will keep a record of your marketing preferences, any marketing we have previously issued to you and how you’ve interacted with marketing content received by us.
        • (g) Social media platforms: we may receive personal data relating to you when you interact with our content provided on social media platforms. We receive anonymised engagement statistics provided by LinkedIn, to see how LinkedIn users are interacting with our content. This information is not identifiable to you.

        Additional personal data collected in connection with brokers, coverholders and other intermediaries

      2. Where you are a broker, coverholder or other intermediary we may also collect the following additional personal data:
        • (a) User credentials and passwords relating to your use of any of the following platforms:
          • (i) our broker platforms;
          • (ii) Lloyds’ Electronic Claim File (ECF) platform;
          • (iii) market platforms PPL, WhiteSpace and PlacingHub;
          • (iv) Schemeserve (quote and bind platform);
          • (v) VIPR Intrali bordereaux management system for delegated underwriting, bordereaux management and management information; and
          • (vi) Salesforce (for client relationship management purposes).
        • (b) Legal obligations and eligibility checks. We undertake initial checks using third party background check services applicable to your jurisdiction (for example, Reg UK in the UK). This may include information relating to criminal convictions and offences, for example where required as part of our business acceptance, finance (including credit checks where permitted in your jurisdiction), administration and anti-money laundering checks. Where indicated, we may undertake additional checks (including using third party service LexisNexis Bridger) against politically exposed persons and sanctions screening lists. We will also sometimes undertake additional adverse media checks; and
        • (c) Optionally, information about your interests, hobbies and preferences (for example, what types of events you are likely to be interested in).
        Additional personal data collected in connection with policyholders, insureds and staff members of insureds
      3. Where you are a policyholder, insured or staff member of an insured, we may also collect the following additional personal data as a result of:
        • (a) Our legal obligations and eligibility checks. We undertake initial checks using third party service applicable to your jurisdiction (for example, Reg UK in the UK). This may include information relating to criminal convictions and offences, for example where required as part of our business acceptance, finance (including credit checks), administration and anti-money laundering checks. Where indicated, we may undertake additional checks (including using third party service LexisNexis Bridger) against politically exposed persons and sanctions screening lists. We will also sometimes undertake additional adverse media checks;
        • (b) Our assessment of your insurance needs and the insured risk. The exact nature of personal data collected in this regard will depend on the nature of coverage you are seeking or have obtained from us; and
        • (c) Our provision of quotes and/or policies. We process information about the quotes you receive and policies you take out.
        Additional personal data collected in connection with claimants and staff members of claimants
      4. Where you are a claimant (or staff member of a claimant) we may also collect the following additional personal data (to the extent permitted under applicable laws in your jurisdiction) as a result of:
        • (a) Our client providing details of your claim to us and our assessment of the claim. The personal data we collect for this purpose will vary depending on the nature of the insurance coverage and nature of the claim itself. Depending on the nature of the coverage offered, this may include:
          • (i) Where compliant with local law, unique identifiers such as a social security number and/or national insurance number, payroll number and/or tax information;
          • (ii) Demographic details where these are relevant to the claim, such as age, marital status, gender;
          • (iii) Employment information such as work pattern, salary and benefits information, employment history, employment benefits, role type, date of termination / retirement;
          • (iv) Where relevant (for example, in connection with claims relating to personal injury such as casualty or medical malpractice claims) health information which may include special categories of personal data such as information about your state of health, medical records, and medical assessments;
          • (v) Financial information (where legally permitted and in accordance with applicable law) such as credit history, any court orders or bankruptcy, payment card details, bank account details, deductions, bonus payments, receipt or entitlement to receive state benefits;
          • (vi) Criminal records information such as the existence of criminal offences or (optionally, where relevant to coverage and/or a claim) alleged criminal offences, or confirmation of clean criminal records (for example, in connection with Directors and Officers coverage) where legally permitted and in accordance with applicable law; and
          • (vii) Details relating to age, disability, race, sexual orientation, marriage or civil partnership status etc. (only where this is strictly necessary and where permitted under applicable anti-discrimination acts, including but not limited to:
            • (A) in Belgium, the Anti-Racism Law of 30 July 1981, the Law on Equal Treatment for Men and Women of 10 May 2007, and the Anti-Discrimination Law of 10 May 2007;
            • (B) in Denmark, the Act on Prohibition against Discrimination on the Labour Market (as supplemented by Danish Act on Equal Treatment of Men and Women) and in connection with gender, specifically, the Danish Act on Equal Treatment of Men and Women;
            • (C) in Germany, the General Equal Treatment Act;
            • (D) in Italy, the Legislative Decree no. 198/2006 on equal opportunities for men and women and Legislative Decree no. 286/1998 on immigration and legal status of foreigners;
            • (E) in Luxembourg, the Labour Code and Criminal Code;
            • (F) in the Netherlands, the General Act on Equal Treatment (Algemene wet gelijke behandeling) and the Act on Equal Treatment of Disabled and Chronically Ill People (Wet gelijke behandeling op grond van handicap of chronische ziekte);
            • (G) in the UK, the Equality Act 2010; and/or
          • (viii) to the extent applicable, trade union information where relevant to your coverage (for example for employment practices liability coverage).
        • (b) Factual details and evidence relating to the claim. This is supporting information that we process to consider the validity and value of a claim. This may include documentary evidence and/or export reports from third parties (for example, governmental authorities such as the Ministry of Justice injury portal for casualty claims, in the UK).
      5. Personal data relating to other individuals. You may sometimes provide personal data of other individuals to us, such as information about your emergency contact, partner, representative (such as an individual you have given power of attorney), next of kin, dependents and/or beneficiaries (and this is usually the only context where we may process the personal data of non-claimant children). Personal data of children will only be processed where strictly relevant. For example, if we need to take into account the costs of your dependents or where a child is involved in a personal injury claim. You should provide those individuals with a copy of this privacy notice prior to disclosing their personal data to us, to ensure that they understand that we have been provided with their personal data and have been made aware of how we will use their personal data.
    4. Consequences of failure to provide required personal data
      1. Should you choose not to provide your personal data (or authorise its provision by a third party) we may terminate or refuse coverage, reject a claim or terminate our business relationship with you. We sometimes need to collect and use your personal data to enter into a contract with you or to perform our obligations under a contract with you, or because the law requires us to collect the personal data. If you don’t provide us with this information, we might not be able to enter a contract with you or perform it or provide goods or services to you. In this case, we might have to cancel the contract or service you have with us but we will notify you if this is the case.
    5. Sources of personal data
      1. Sometimes, we will collect personal data directly from the data subject. In other instances, provided that it complies with applicable professional secrecy rules (including where necessary, your consent has been obtained), we will collect it from the sources identified below:
        Brokers, coverholders and other intermediaries
        • (a) Public websites and company websites of intermediaries themselves; and/or
        • (b) Panel agreements.

        Policyholders, insureds and staff members of insureds
        • (c) The insurance broker or other intermediary that you or your insurer has appointed; and/or
        • (d) Other insurance market participants (as explained in the Core Uses Information Notice). For example, Lloyds may share personal data with us in order for us to confirm whether we provide coverage.
        Claimants and staff members of claimants
      2. Provided that it complies with applicable professional secrecy rules and more generally to the extent permitted by applicable laws, we may also collect information about you from other sources. For example:
        • (a) the insurance broker or other intermediary that you or your insurer has appointed;
        • (b) your employer, if we provide insurance cover to your employer or an entity that contracts with you;
        • (c) your family members or personal representative (for example, someone to whom you have granted power of attorney);
        • (d) credit reference agencies (for example, in Belgium, the Central Credit Registers, in France the Centrales des crédits and in the Netherlands Kredietcentrales);
        • (e) anti-fraud databases, sanctions lists, court judgements and, where our Special Investigations Unit have grounds to consider that a claim may be fraudulent, other relevant databases;
        • (f) government agencies such as the open electoral register and/or HMRC in the UK, or the Federal Public Service Finance (SPF Finances in French and FOD Financiën in Dutch); and/or
        • (g) parties including the other party to the claim (claimant / defendant), witnesses, experts (including medical experts), loss adjustors, legal advisors, and claims handlers.
    6. Why we use your personal data
      1. The purposes for which we process your personal data will depend on your relationship with us (for example, whether you are an insured, claimant, broker, intermediary or business contact). Please see each of the tables below that is applicable to you, to understand the purposes for which we use your personal data and the lawful basis on which we undertake processing of personal data for that purpose.
      2. More information about the personal data collected in connection with particular services may be provided to you in separate, service-specific privacy notices.
      3. Processing for general business purposes
        Purpose | Lawful basis for processing
        Purpose: Corresponding with you. Including communications relating to our website, our services or service requirements, our events and any feedback or complaints.
        Lawful basis: Where you are a directly insured individual, performance of a contract (insurance policy) – to the extent that correspondence with you is part of contract performance.
        Otherwise, legitimate interests – to communicate with our insureds, insurance claimants, brokers, intermediaries, service providers and regulators.
        Purpose: Administration of our business. Including processing:
        • (a) To deliver our services;
        • (b) To operate our business and manage and develop our relationships; and
        • (c) To update and maintain our systems and platforms (including prevention of disruptions, troubleshooting, monitoring, and analysis required to detect malicious code/actors).
        Lawful basis: Where you are a directly insured individual, performance of a contract (insurance policy) – to deliver our services as part of contract performance.
        Otherwise, legitimate interests – to deliver our services and ensure the security and resilience of our systems and platforms.
        Purpose: Vetting and risk management. We undertake checks to vet our potential clients and suppliers.
        Lawful basis: Where you are a directly insured individual, performance of a contract (insurance policy) – to conduct our vetting and risk management processes as part of contract performance.
        Legal obligation – to the extent that our processing relates to a legal obligation to comply with our legal/regulatory obligations to undertake AML/KYC checks. For example:
        • in Belgium, the Belgian Anti-Money Laundering Law, 18 September 2017;
        • in Denmark, the Danish Anti-Money Laundering Act;
        • in France, the French Monetary and Financial Code;
        • in Germany, the Money Laundering Act;
        • in Italy, the Legislative Decree no. 231/2007 and Legislative Decree no. 209/2005 (the Italian Insurance Code);
        • in Luxembourg, the Law on anti-money laundering and fight against terrorism dated 12 November 2004 (where the processing relates to investment-related insurance companies) and the Danish Act on Insurance Companies; and
        • in the Netherlands, the Sanctions Act 1977.
        Otherwise, legitimate interests – to manage risk in accordance with our legal obligations and internal policies.
        To the extent that special categories of personal data or personal data relating to criminal convictions and/or offences is processed for this purpose (for example, information relating to politically exposed persons or sanctions) we rely on necessity for reasons of substantial public interest (detection and prevention of fraud) other than in the following jurisdiction:
        Belgium
        Consent (health data only).
        Purpose: Improvement and development of our business. This includes processing (including data analytics, modelling and benchmarking):
        • (d) to improve the quality, content and relevance of our communications and services [by following your interactions with that communication, such as whether you receive, open or click on a link within an email communication];
        • (e) understand the needs and interests of our customers;
        • (f) to undertake trend analysis and market segmentation (including for marketing purposes);
        • (g) to conduct market insight activities (for example, requiring our underwriting team to provide general insights relating to particular insurance lines or sectors); and/or
        • (h) to personalise our services or communication based on profiles we have applied to you. We automatically process certain of your personal data, including your interactions with us (such as how often you look at a product or page) and services you have purchased or looked at, to create a profile about you. Such profiles may be used to personalize our services, inform our marketing practices and/or as part of security threat / fraud detection and prevention.
        Lawful basis: Legitimate interests – to improve our products and services and better understand our customer base.
        Purpose: Legal and regulatory purposes. Including processing in the course of our client onboarding, business acceptance, fraud detection and claims administration procedures:
        • (i) in order to comply with and in order to assess compliance with applicable laws, rules and regulations, and internal policies and procedures (for example, our “know your customer”, trade sanctions and anti money-laundering obligations);
        • (j) to prevent and detect fraud and/or other criminal activity or misconduct;
        • (k) to obtain and update credit information with credit referencing agencies in the relevant jurisdiction as identified above (we undertake credit checks prior to binding a risk where this is permitted in the relevant jurisdiction); and/or
        • (l) establishment and handling of legal claims.
        Lawful basis: Legal obligation – to comply with our legal/regulatory obligations; to the extent that our processing relates to a legal obligation, we rely on necessity to comply with a legal obligation. For example:
        • in Belgium, Belgian Anti-Money Laundering Law, 18 September 2017 and the Belgian Insurance Law, 4 April 2014;
        • in Denmark, the Danish Anti-Money Laundering Act, the Danish Act on Insurance Companies, Danish Credit Agreements (in connection with credit information), Danish Insurance Contracts Act (in connection with legal claims);
        • in France, the French Monetary and Financial Code, the French Insurance Code (in connection with claims administration procedures) and art. L.123-22 of the French Commercial code (in connection with accounting data);
        • in Germany, the Insurance Supervision Act;
        • in Italy, the Italian Insurance Code (209/2005);
        • in Luxembourg, the Law on anti-money laundering and fight against terrorism dated 12 November 2004, the Law on the insurance sector dated 7 December 2015, the Criminal Code, the Labour Code and Law on the insurance contract dated 27 July 1997;
        • in the Netherlands, the Act on the Financial Supervision and the Dutch Civil Code; and
        • in the UK, the UK Insurance Act 2015.
        Otherwise, we rely on legitimate interests (to exercise our legal rights and comply with our regulatory obligations).
        In case of processing special categories of personal data the legal basis for processing is the establishment, exercise or defence of legal claims.
        Where we are undertaking Politically Exposed Persons (PEP) and/or sanctions checks, this may require processing of personal data relating to criminal offences and convictions, sanctions or political views (as applicable), we rely on necessity for reasons of substantial public interest (insurance claims, anti-fraud measures and/or compliance with applicable laws, particularly in the UK, the Sanctions and Anti-Money Laundering Act 2018 and in Denmark, section 8(1)(3) of the Danish Data Protection Act), and equivalent regulations other than in the following jurisdiction:
        Netherlands
        Relevant exception under the Dutch GDPR Implementation Act.
        Purpose: Business support. Including consultancy, banking, legal, insurance, audit and accounting services, subject to applicable law and obtaining any consent required under professional secrecy law.
        Lawful basis: Legitimate interests – to receive professional support in connection with our business and to comply with our legal obligations and internal policies.
        Legal obligation – to comply with a legal and/or regulatory obligation, where the processing relates to activity required by law. For example:
        • in Belgium, the Belgian Anti-Money Laundering Law;
        • in Denmark, the Danish Act on Insurance Companies, the Danish Financial Statements Act and the Danish Bookkeeping Act;
        • in France, the French Commercial Code (accounting documents only);
        • in Germany, the Commercial Code and the General Fiscal Code;
        • in Italy, the Italian Civil Code; and
        • in Luxembourg, the Law on insurance sector dated 7 December 2015 (in respect of audit and annual accounts) and law on commercial companies dated 10 August 1915; and the Law on annual accounts dated 19 December 2002 (annual accounts only).
        Purpose: Investigating complaints or suspected non-compliance with law, regulatory obligations or our policies, procedures, terms and conditions.
        Lawful basis: Legal obligations where the investigation is required by law. For example:
        • in Belgium, the Belgian Anti-Money Laundering Law, 18 September 2017; and
        • in Denmark, the Danish Act on Insurance Companies and the Danish Consolidated Act on the Working Environment;
        • in Germany, the Insurance Supervision Act;
        • in Italy, the IVASS Regulation no. 24/2008;
        • in Luxembourg, the Law on insurance sector dated 7 December 2015 and Law on the insurance contract dated 27 July 1997;
        • in the Netherlands, the Act on the Financial Supervision and the Dutch Civil Code.
        Otherwise legitimate interests – to protect our business and manage our relationships.
        Purpose: Establishment and handling of legal claims.
        Lawful basis: Legitimate interests – to ascertain and/or exercise our legal rights.
        Where this requires processing of special categories of personal data and/or personal data relating to criminal offences and/or convictions, necessity for the establishment, exercise or defence of legal claims.
        Purpose: Purposes outlined in our cookies notice.
        Lawful basis: Legitimate interests – in relation to “strictly necessary” cookies.
        Consent – for all other cookies.
        Purpose: Restructuring our business. Including in the context of internal re-organisations, business sales, transfers, mergers and acquisitions (and the planning, administration and negotiation of the same).
        Lawful basis: Legitimate interests – to transfer books of business or restructure or sell our business.
        Purpose: Relationship management and targeting of events. Including keeping a record of invitees and attendees and recording any event-specific feedback.
        Lawful basis: Legitimate interests – to build an events programme that services our partners/brokers.
        Purpose: Marketing. To communicate with you in order to provide you with information about services, products and/or events that may be of interest to you via email, phone, social media.
        Lawful basis: We rely on the following lawful bases depending on your jurisdiction.
        Belgium, France, Germany, Luxembourg, UK
        Legitimate interests– to better understand your interests and inform you of products and services offered by CNA Hardy.
        Denmark, Italy, Netherlands
        Consent
        Purpose: Social media. We may use your personal data to undertake advertising campaigns on social media platforms such as LinkedIn and Youtube in order to provide information about upcoming services or new products and to ensure you only receive relevant advertising about our products and services.
        Lawful basis: Legitimate interests – to inform you of products and services offered by CNA Hardy, unless otherwise provided in our cookies policy, other than in the following jurisdiction:
        France
        Consent.

        1.1 Processing for claims purposes

        Purpose | Lawful basis for processing
        Purpose: Assessing aspects of a claim and/or supporting evidence relating to a claim – corporate customers. This may relate to your employment or occupational status (giving rise to a requirement to process personal data relating to trade union membership); your health status (giving rise to a requirement to process health data) or any criminal record you may have or alleged offences you may have committed (giving rise to a requirement to process personal data relating to criminal offences and/or convictions).
        Lawful basis: Legitimate interests – to assess claims effectively and in accordance with applicable law, other than in the following jurisdiction:
        Italy
        Performance of a contract (insurance policy) – to deliver our services as part of contract performance.
        Where this requires processing of special categories of personal data and/or personal data relating to criminal offences and/or convictions, the following lawful bases depending on your jurisdiction:
        Belgium, France, Germany & Italy
        Consent.
        Denmark
        Necessity for reasons of substantial public interest.
        Necessary in order to comply with legitimate interests (section (8)(1)(2) Danish Data Protection Act) (criminal offence and/or convictions data only).
        Luxembourg & UK
        Necessity for reasons of substantial public interest (insurance claims).
        Netherlands
        We will ensure that a relevant exception under the Dutch GDPR Implementation Act can be relied upon.
        For example, with respect to the processing of health data, we will generally rely on the exception applicable to insurers to:
        • (i) assess the insured risk, provided you have not objected to the processing; or
        • (ii) perform the insurance contract or assist with the management and performance of the insurance contract.
        In some cases we may rely on your explicit consent to process special categories of personal data and/or personal data relating to criminal offences and/or convictions.
        Assessing aspects of a claim and/or supporting evidence relating to a claim – directly insured individuals. This may relate to your employment or occupational status (giving rise to a requirement to process personal data relating to trade union membership); your health status (giving rise to a requirement to process health data) or any criminal record you may have or alleged offences you may have committed (giving rise to a requirement to process personal data relating to criminal offences and/or convictions). Performance of a contract (insurance policy) – necessary to perform services as part of contract performance.
        Where this requires processing of special categories of personal data relating to criminal offences and/or convictions, we rely on the following lawful bases depending on your jurisdiction: Belgium, France, Germany & Italy
        Consent.
        Denmark
        Necessary in order to comply with legitimate interests (section (8)(1)(2) Danish Data Protection Act) (criminal offence and/or convictions data only).
        Necessary for the establishment of a legal claim (health data only).
        Luxembourg & UK
        Necessity for reasons of substantial public interest (insurance claims).
        Netherlands
        We will ensure that a relevant exception under the Dutch GDPR Implementation Act can be relied upon.
        For example, with respect to the processing of health data, we will generally rely on the exception applicable to insurers to:
        • (i) assess the insured risk, provided you have not objected to the processing; or
        • (ii) perform the insurance contract or assist with the management and performance of the insurance contract.
        In some cases we may rely on your explicit consent to process special categories of personal data and/or personal data relating to criminal offences and/or convictions.
        Identification of actual or potential beneficiaries under a claim. This may include the processing of personal data relating to partners and dependents of insured individuals, for example. Legitimate interests – to administer claims effectively and in accordance with applicable law.
        Administering claims. Including issue of payment to beneficiaries. Legitimate interests – to administer claims effectively and in accordance with applicable law.
        Legal obligation
        To the extent our processing relates to a legal obligation, we rely on necessity to comply with a legal obligation. For example:
        • in Denmark, the Danish Insurance Contracts Act;
        • in France, the French Insurance Code (which will apply in respect of any direct payments and will apply to the contract under which payment is made);
        • in Germany, the Insurance Contract Act;
        • in Italy, the Italian Civil Code;
        • in Luxembourg, the Law on insurance sector dated 7 December 2015 and law on the insurance contract dated 27 July 1997; and
        • in the Netherlands, the Dutch Civil Code.
        Reinsurance coverage. Legitimate interests – to obtain appropriate coverage that reflects the nature and extent of risk.
        Where this requires processing of special categories of personal data and/or personal data relating to criminal offences and/or convictions, the following lawful bases depending on your jurisdiction: Belgium, France, Germany & Italy
        Consent.
        Denmark
        Necessity for reasons of substantial public interest.
        Necessary in order to comply with legitimate interests (section (8)(1)(2) Danish Data Protection Act) (criminal offence and/or convictions data only).
        Netherlands
        We will ensure that a relevant exception under the Dutch GDPR Implementation Act can be relied upon.
        For example, with respect to the processing of health data, we will generally rely on the exception applicable to insurers to:
        • (i) assess the insured risk, provided you have not objected to the processing; or
        • (ii) perform the insurance contract or assist with the management and performance of the insurance contract.
        In some cases we may rely on your explicit consent to process special categories of personal data and/or personal data relating to criminal offences and/or convictions.
        UK & Luxembourg
        Necessity for reasons of substantial public interest (insurance claims).
        External audit of/by reinsurers. Legitimate interests – performance of a reinsurance contract to ensure adequate coverage and to maintain flexibility in provision of coverage.
        Co-insurance coverage. Legitimate interests – to collaborate with other insurers to provide appropriate coverage that reflects the nature and extent of risk.

        1.2 Processing for insurance, underwriting and/or reinsurance purposes

        Purpose Lawful basis for processing
        Quotation and inception: corporate customers. This includes:
        • Evaluating the risks to be covered, assessment of the insurance needs and matching to appropriate policy/premium
        • Setting your organisation up as a client, including possible fraud, sanctions, credit and anti-money laundering checks
        This may relate to your employment or occupational status (potentially, where relevant for example in connection with an employment claim, giving rise to a requirement to process personal data relating to trade union membership); your health status (giving rise to a requirement to process health data) or any criminal record you may have or alleged offences you may have committed (giving rise to a requirement to process personal data relating to criminal offences and/or convictions).
        Legitimate interests – to understand your coverage requirements and price our offering accordingly.
        Where this requires processing of special categories of personal data and/or personal data relating to criminal offences and/or convictions we rely on the following lawful bases depending on your jurisdiction: Belgium, France, Germany & Italy
        Consent.
        Denmark
        Necessary in order to comply with legitimate interests (section (8)(1)(2) Danish Data Protection Act) (criminal offence and/or convictions data only).
        Netherlands
        We will ensure that a relevant exception under the Dutch GDPR Implementation Act can be relied upon.
        For example, with respect to the processing of health data, we will generally rely on the exception applicable to insurers to:
        • (i) assess the insured risk, provided you have not objected to the processing; or
        • (ii) perform the insurance contract or assist with the management and performance of the insurance contract.
        In some cases we may rely on your explicit consent to process special categories of personal data and/or personal data relating to criminal offences and/or convictions.
        Luxembourg & UK
        Necessity for reasons of substantial public interest (insurance claims).
        Quotation and inception: directly insured individuals. This includes:
        • Evaluating the risks to be covered, assessment of the insurance needs and matching to appropriate policy/premium
        • Setting you up as a client, including possible fraud, sanctions, credit and anti-money laundering checks
        • Evaluating the risks to be covered and matching to appropriate policy/premium
        • Receipt of premium
        This may relate to your employment or occupational status (potentially, where relevant for example in connection with an employment claim, giving rise to a requirement to process personal data relating to trade union membership); your health status (giving rise to a requirement to process health data) or any criminal record you may have or alleged offences you may have committed (giving rise to a requirement to process personal data relating to criminal offences and/or convictions).
        Performance of a contract (insurance policy) – necessary to enter into a contract and subsequently as part of contract performance.
        Where this requires processing of special categories of personal data and/or personal data relating to criminal offences and/or convictions we rely on the following lawful bases depending on your jurisdiction: Belgium, France, Germany & Italy
        Consent.
        Denmark
        Necessary in order to comply with legitimate interests (section (8)(1)(2) Danish Data Protection Act) (criminal offence and/or convictions data only).
        Netherlands
        We will ensure that a relevant exception under the Dutch GDPR Implementation Act can be relied upon.
        For example, with respect to the processing of health data, we will generally rely on the exception applicable to insurers to:
        • (i) assess the insured risk, provided you have not objected to the processing; or
        • (ii) perform the insurance contract or assist with the management and performance of the insurance contract.
        In some cases we may rely on your explicit consent to process special categories of personal data and/or personal data relating to criminal offences and/or convictions.
        Luxembourg & UK
        Necessity for reasons of substantial public interest (insurance claims).
        Identification of actual or potential beneficiaries under an insurance policy. This may include the processing of personal data relating to partners and dependents of insured individuals, for example. Legitimate interests – to understand which individuals benefit from coverage.
        Renewals. This includes:
        • Contacting the insured/policyholder to renew the insurance policy
        • Evaluating the risks to be covered and matching to appropriate policy/premium
        For directly insured individuals, performance of a contract. Otherwise, legitimate interests – to offer to renew coverage.
    7. Profiling
      1. When calculating insurance premiums, we may compare your personal data against industry averages using Schemeserve (a third party quote and bind platform). Your personal data may also be used to create the industry averages going forwards. This is known as profiling and is used to ensure premiums reflect risk. We also use profiling to understand fraud patterns. Where special categories of personal data (and/or criminal convictions or offences data) are relevant to your coverage or claim, these may also be used for profiling, where permitted in your jurisdiction. For example:
        • (a) health information in connection with personal injury coverage;
        • (b) criminal convictions or offences data in connection with Directors and Officers coverage; and
        • (c) details relating to age, disability, race, sexual orientation, marriage or civil partnership status etc (only where it is strictly necessary) as defined under the applicable anti-discrimination act (e.g. in the UK the Equality Act 2010;
          • (i) in Belgium, the Anti-Racism Law of 30 July 1981, the Law on Equal Treatment for Men and Women of 10 May 2007, and the Anti-Discrimination Law of 10 May 2007;
          • (ii) in Denmark the Act on Prohibition against Discrimination on the Labour Market);
          • (iii) in Germany, the General Equal Treatment Act;
          • (iv) in Italy the Legislative Decree no. 198/2006 on equal opportunities for men and women;
          • (v) in Luxembourg the Labour Code and Criminal Code;
          • (vi) in the Netherlands, the General Act on Equal Treatment and the Act on Equal Treatment of Disabled and Chronically Ill People; and/or
        • (d) to the extent applicable, trade union information in connection with employment practices liability coverage.
    8. Who we share your personal data with
      1. We share your personal data outside our organisation with our suppliers or contractors, for the purposes described in this notice. They are bound by obligations of confidentiality. Our suppliers and contractors include: IT and communications service providers; payment processors; call centres; repair service providers; marketing agencies and partners; and our courier and delivery suppliers.
      2. Provided that it complies with the rules on professional secrecy, we may also share your personal data with the following categories of recipients, for the following purposes:
        • (a) Within CNA Hardy: we may share your personal data with other CNA Hardy entities, brands, divisions, and subsidiaries for the processing purposes outlined in this notice;
        • (b) Insurance market participants where necessary to offer, administer and manage the services provided to you, such as insurers and insurance underwriters, co-insurers, reinsurers, brokers, intermediaries and loss adjusters. The insurance underwriter is the insurer that is underwriting your insurance policy and is named in your policy documentation. You should refer to the insurer’s privacy statement for further information about their privacy practices. In the UK only, further information relating to sharing of personal data across the insurance market and how other types of participants process personal data is set out in the Core Uses Information Notice;
        • (c) Vetting and risk management agencies such as credit reference, criminal record, fraud prevention, data validation and other professional advisory agencies, where necessary to prevent and detect fraud in the insurance industry and take steps to assess the risk in relation to prospective or existing insurance policies and/or the services;
        • (d) Legal advisers, loss adjusters, and claims investigators, where necessary to investigate, exercise or defend legal claims, insurance claims or other claims of a similar nature;
        • (e) Medical professionals, e.g., where you provide health information in connection with a claim against your insurance policy;
        • (f) Law enforcement bodies, when required to do so by law, legal process, statute, rule, regulation, or professional standard, or to respond to a subpoena, search warrant, or other legal request, and where necessary to facilitate the prevention or detection of crime or the apprehension or prosecution of offenders;
        • (g) Public authorities, regulators and government bodies, where necessary for us to comply with our legal and regulatory obligations, or in connection with an investigation of suspected or actual illegal activity;
        • (h) Third-party suppliers, where we outsource our processing operations to suppliers that process personal data on our behalf. Examples include IT service providers who manage our IT and back office systems and telecommunications networks, and contact centre providers. These processing operations shall remain under our control and will be carried out in accordance with our security standards and strict instructions;
        • (i) Successors of the business, where we sell or transfer an affiliate or book of business, or acquire or merge with another organisation, in whole or in part. Personal data may be shared with relevant third parties as part of our due diligence process and transferred to the acquiring entity (where applicable);
        • (j) Internal and external auditors where necessary for the conduct of company audits or to investigate a complaint or security threat; and
        • (k) Business partners such as joint venture entities, sponsors and/or other third-party business partners who collaborate or co-operate with CNA Hardy on projects, events, products or Services. You should refer to their privacy notices for more information about their privacy practices.
      3. In addition, we may disclose information about you where required to do so by law, such as in connection with any legal proceedings or prospective legal proceedings, law enforcement purposes, or in order to establish, exercise or defend our legal rights including providing information to others for the purposes of fraud prevention and reducing credit risk.

    9. Sharing data abroad
      1. As an international company, we may store or transfer your personal data to other CNA Hardy entities around the world, and particularly to our parent company CNA Financial Corporation in the USA. Where this is the case, we will ensure that the importing jurisdiction offers an adequate level of data protection, or we will provide the personal data under a comprehensive, flexible, and global compliance framework which implements appropriate measures and safeguards to ensure that your personal data is protected in accordance with applicable data protection laws.
      2. Similarly, where we transfer personal data to a third party located in a different jurisdiction, we require that one of the following appropriate safeguards is in place, in accordance with data protection laws:
        • there is a decision by the UK Secretary of State for Digital, Culture, Media and Sport as far as UK is concerned or by the European Commission in the EU that the country to which your personal data is transferred provides an adequate level of data protection; or
        • in the absence of such decision, the contracts that we have in place with these suppliers include the European Commission’s Standard Contractual Clauses (EU SCC) and, for UK only, the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCC.
      3. Please contact us if you would like to see a copy of the specific safeguards applied to the export of your personal data.
    10. How long we keep your personal data
      1.  How long we will hold your personal data for will vary and will be determined by the purpose for which we are using it. We will need to keep the data for as long as is necessary for that purpose in line with our business needs, which is for as long as our relationship is in place and after it terminates we will keep the data for local statutory limitation periods in each relevant jurisdiction allowing us to defend possible claims (which may vary between jurisdictions). For example, if you are located in the UK or Belgium and we have an insurance contract with your organisation, we will typically retain your personal data for a period of 7 years following termination of that contract, unless litigation is anticipated where we will keep it for a longer period or unless another retention period is required by the applicable laws and regulations.
        • 1.1 Please contact us for more information on the specific retention periods based on your jurisdiction.
      2.  For retention periods relating to cookie data specifically, please refer to our Cookies Policy.

    11. Your rights & contacting us
      1.  Data protection laws give you specific rights in relation to your personal data. These rights are conditional and there may be circumstances where the right you have requested does not apply to some or all of your personal data. Where this is the case, we will explain the basis of our decision.
      2.  The Right to be Informed and have Access. You are entitled to know whether we hold your personal data and if so, receive a copy of your personal data.
      3.  The Right to Data Portability. You have the right to receive some of your personal data in a portable and reusable format.
      4.  The Right to Data Rectification. If you believe that we hold incorrect or incomplete information about you. If you are an insured, please let your broker know and they will assist us in correcting it.
      5.  The Right to Erasure. Where certain conditions are met, you have the right to the erasure of your personal data. The majority of the personal data we collect about you is to meet our legal obligations or to fulfil a contract of insurance. As such, most of the personal data we hold about you will need to be retained in line with our stated retention periods in order to fulfil these obligations (see also, the right to object and the right to withdraw consent).
      6.  The Right to Restrict Processing. In certain circumstances, you may ask that we continue to store your personal data but not use it. For example, if you consider that we hold personal data relating to you that you may need for legal purposes, you can request us to not delete this information.
      7.  The Right to Object (and the right not to be subject to a decision based solely on automated processing). Where you believe you have reasons to object to the use of your personal data, for example, where our use is based on legitimate interests, you can make an objection request and provide us with the details of why you believe CNA Hardy should stop using your personal data for a particular purpose. Whenever we rely on legitimate interests, we have undertaken a thorough assessment of the processing activity and have balanced our business interests against your rights and freedoms, as well as ensuring we have minimised the use of your personal data. You are also able to object to any decision based solely on automated processing and have the right to obtain human intervention on the part of the controller, and to express your point of view. See also, the right to refuse marketing.
      8.  The Right to Withdraw Consent. Where we process your personal data based on your consent, you can withdraw your consent at any time by contacting us. This does not affect the legality of any processing carried out before you withdrew your consent. See also, the right to refuse marketing.
      9.  The Right to Refuse Marketing. You have the right to ask us not to process your personal data for direct marketing purposes at any time. To exercise this right, you can click the “unsubscribe” option on any direct marketing email you receive from us, or contact us at [email protected]. If you choose to unsubscribe from marketing, we may keep a ‘suppression list’ containing your details so we know you have unsubscribed and to ensure you are not contacted again. Your personal data held on a suppression list will not be used for any other purpose.

    12. Contact us
      1.   If you have any questions about this privacy notice or how we handle your personal data, you can contact our Data Protection Officer (DPO) at [email protected].
      2.   If you are not satisfied with our use of your personal data or our response to you, you have the right to complain to your local data protection authority:
        • (a) In the UK, this is the Information Commissioner’s Office (ICO): https://ico.org.uk/concerns/ The ICO encourages individuals to seek to resolve queries directly in the first instance, and we would welcome the opportunity to assist with your query.
        • (b) Details of European data protection authorities can be found here: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.


    13. Changes to our Privacy Notice
      1.  We may update this notice from time to time. If we do, we will update the date it was last changed below. In the event of significant changes to the notice, you will be notified directly.
      2.  This notice was last updated on 25.06.2024.
      3.  To request a printed copy of this privacy notice please contact us using the contact details shown above.