AXA Corporate Solutions Assurance, UK Branch
Registered Office: 6 Bevis Marks - EC3A 7BA, London - England
Registered in England Branch No. BR005793
o Association of British Insurers
o International Underwriting Association
o Motor Insurers’ Bureau
Please take your time to read this notice carefully. When using our AXA website, this notice should be read alongside the website terms and conditions.
1. ABOUT US
AXA Corporate Solutions Assurance, a French “Société Anonyme” acting through its UK Branch (referred to in this Privacy Notice as “AXA”, "we", "us" or "our") is part of the AXA Group of companies.
We are an insurance company dedicated to helping large companies conduct their business, through insurance solutions, loss prevention and claims handling. This means that in order for us to provide insurance services which include providing a quote, administering a policy, handling claims and dealing with any complaints, we collect and process personal information. This makes us a "data controller" of any personal information that you provide to us or which we collect and we are responsible for complying with data protection laws.
2. ABOUT THE INSURANCE MARKET
Insurance involves the use and disclosure of your personal data by various insurance market participants such as intermediaries, insurers and reinsurers. The London Insurance Market Core Uses Information Notice sets out those core necessary personal data uses and disclosures. Our core uses and disclosures are consistent with the London Market Core Uses Information Notice. We recommend you review this notice (by clicking the link above).
3. OUR PROCESSING OF YOUR PERSONAL INFORMATION
We collect varying information about you and use it for different reasons according to the relationship we have with you. For example, we will collect different personal information depending on whether you are a third party claimant, an individual whose information we receive as part of the policy administration process, a witness, a contact at our corporate client or our business partner.
In data protection law some of your personal data is known as “sensitive personal information” (which is information that relates to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership). Sometimes we will request or receive your sensitive personal data, primarily information relating to your health, for example where it is relevant to a claim you are making against one of our corporate clients and they have cover under a general liability insurance policy, employers' liability insurance policy or motor fleet insurance policy. We may also need details of any unspent criminal convictions you have. For example, if you are an employee who drives a fleet vehicle belonging to your employer under their corporate motor policy, we may require details of any road traffic offences at the policy administration stage to assess risk, determine premium and provide cover, or in order to handle claims made under an insurance policy, or in limited circumstances for fraud prevention purposes or to carry out money laundering checks.
Where you provide personal information to us about other individuals (for example employees whose information is relevant to administering an insurance policy you are taking out on behalf of your corporate organisation) we will also be data controller of and responsible for their personal information. You should refer them to this notice.
In order to make this notice as user friendly as possible, we have split it into different sections. Please click on the section below that best describes your relationship with us.
First party and third party claimants:
If you are making a claim under a corporate policy that has been taken out with us (first party claimant, for example you are a CEO named on a motor policy), or against one of our corporate clients that we provide insurance cover to (third party claimant), this section will be relevant to you and sets out our uses of your personal information.
Individuals whose information is passed to us by corporate clients when we administer insurance policies, assess risk, determine premium and provide cover:
This section will be relevant where you are an individual whose information is passed to us by corporate clients when we administer insurance policies, assess risk, determine premium and provide cover, for example a director under a directors and officers liability insurance policy, a CEO under a motor policy, an employee whose information is relevant to an employers' liability policy, or where your information has been passed to us by your employer or one of our corporate clients because you have made a claim for compensation against your employer or that corporate client and your information forms part of previous claims history (for example you previously made a claim against your employer's previous employers' liability insurance policy or a corporate’s general liability policy). This section sets out our uses of your personal information.
Witnesses to an incident which is pertinent to a claim made under an AXA policy:
If you are a witness to an incident or an individual who otherwise provides us with information in relation to an incident which is the subject of a claim under a policy we have provided, this section will be relevant to you and sets out our uses of your personal information.
Business contacts at corporate organisations who are prospective or existing policyholders:
If you are a business contact for our corporate policyholder or for a prospective corporate policyholder, this section will be relevant to you and sets out our uses of your personal information.
Brokers, sub-brokers and other business partners, such as lawyers, investigators, loss adjustors and claims handlers:
If you are one of our business partners, for example a broker, sub-broker, lawyer, investigator, loss adjustor or claims handler who we do business with, this section will be relevant to you and sets out our uses of your personal information.
4. WHAT MARKETING ACTIVITIES DO WE CARRY OUT?
We may use your personal information to provide you with marketing information about our products and services such as newsletters, product updates, thought leadership articles, client satisfaction surveys, company announcements and invites to corporate events that will be of interest to you.
We only want to send you marketing information that you have clearly indicated an interest in receiving. Therefore if you wish to opt out of any marketing communications, click the "unsubscribe" link in any email or contact us using the details set out in section 10.
Please note that, even if you opt out of receiving such marketing communications, we may still send you communications which are relevant to the nature of the products or the services we offer you such as customer service messages for example relating to service interruptions, delivery arrangements and changes to terms and conditions.
5. HOW LONG DO WE KEEP PERSONAL INFORMATION FOR?
We will keep your personal information for as long as reasonably necessary to fulfil the purposes set out in section 3 above and to comply with our legal and regulatory obligations.
We have a detailed retention policy in place which governs how long we will hold different types of information for. The exact time period will depend on your relationship with us and the type of personal information we hold, for example:
o Where personal information is contained in policy records (excluding employers' liability cover and records kept on claim files), for example motor fleet cover, we will keep your personal information as part of those corporate client customer specific policy records for 20 years from the expiry of the corporate client's policy.
o Any personal information contained in records and documentation of an employers' liability policy we have provided will be kept for 60 years.
o If you make a claim against a policy we have provided, we will keep your personal information for 7 years from the date on which the claim is settled or rejected.
o If you are a business contact at our corporate client, we will retain your emails which contain your personal information such as name and email address for 7 years from the date of the oldest email within the email chain.
If you would like further information regarding the periods for which your personal information will be stored, please contact us using the details set out in section 10.
6. WHAT IS OUR APPROACH TO SENDING YOUR PERSONAL INFORMATION OVERSEAS?
Sometimes we (or third parties acting on our behalf) will transfer your personal information to countries outside of the European Economic Area ("EEA").
Where a transfer occurs we will take steps to ensure that your personal information is protected. We will do this using a number of different methods including:
o putting in place appropriate contracts. We will use a set of contract wording known as the "Standard Contractual Clauses" which has been approved by the data protection authorities. You can find out more about the Standard Contractual Clauses at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
o transferring personal data only to countries that have been deemed by European data protection authorities to have adequate levels of data protection. You can find out more about this at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
o transferring personal data only to those companies in the United States who are certified under the "Privacy Shield". The Privacy Shield is a scheme under which companies certify that they provide an adequate level of data protection. You can find out more about the Privacy Shield at https://www.privacyshield.gov/welcome
o transferring personal data to other AXA entities in the AXA Group of companies in compliance with our binding corporate rules. These are a set of rules approved by the relevant data protection authorities which allow AXA group companies to transfer personal information between themselves. You can find out more about our binding corporate rules at https://www.axa-corporatesolutions.com/en/page/data-policy
As we are a global organisation and our operation involves a wide range of international transfers, we might, depending on our relationship and your particular circumstances, transfer personal information anywhere in the world. A summary of our regular data transfers outside the EEA is therefore set out below. If you would like further information regarding our data transfers and the steps we take to safeguard your personal information, please contact us using the details set out in section 10.
When we use your personal information for underwriting purposes (including providing a quote, assessing risk and an insurance application and administering a policy), we will share your personal information with the following third parties who are located globally, including the United States and the Far East:
o Network Partners
o Reinsurers or co-insurers
o Other AXA group companies
When we use your personal information for claims handling purposes (including investigating, assessing and paying out on a claim), we will share your personal information with the following third parties who are located globally, including the United States and the Far East:
o Network Partners
o Corporate client policyholders
o Third party administrator
o Loss adjustors
o Claim handlers
o Other AXA group companies
7. HOW DO WE PROTECT YOUR INFORMATION?
We maintain strict physical, electronic, and administrative safeguards in accordance with applicable standards to protect your personal information from unauthorised or inappropriate access and prevent the loss or misuse of your personal information.
We have implemented various security policies to govern the security measures we have in place to protect your personal information and these are followed by all our employees including:
o Strict password protection rules requiring our staff to have minimum password requirements and to regularly change their passwords
o Limiting access to personal information to individuals on a need to know basis
o Procedures in place to govern how we deal with any security incidents and how personal information should be handled
We use encryption and authentication tools to protect information we gather on our website.
We have deployed an adequate procedure to identify and communicate any incident of data breach within 72 hours and to resolve it within a reasonable period of time.
8. AUTOMATED DECISION MAKING AND PROFILING?
What is automated decision making?
Automated decision making refers to a situation where a decision is taken using personal information that is processed solely by automatic means (i.e. using an algorithm or other computer software) rather than a decision that is made with some form of human involvement. We do not currently use automated decision making as all decisions are reviewed by a member of our team.
What is profiling?
Profiling is any form of automated processing of personal information which evaluates certain personal aspects. The administration of insurance (assessing risk, determining premium and cover) otherwise known as underwriting and in some circumstances, claims payment, will be based on profiling as it assesses the circumstances which need to be insured and the likelihood of that event occurring.
We will use profiling in the following circumstances:
o Underwriting: assessing risk and determining cover, for example when determining cover for corporate clients, we will consider the likelihood of an accident occurring (e.g. using claims history, which will include your personal information where you are an employee and you have previously made a claim against your employer's previous employers' liability insurance policy) and the likely cost of replacing your vehicle (e.g. using our experience of dealing with claims more generally). We will compare this information against industry averages and our previous experience. The outcome of that profiling will then be used by us to determine the extent of cover and premium.
o Assessing and handling claims - as part of our claims process, we use certain systems which determine the questions that we ask and will help decide on an appropriate claims settlement figure.
o Preventing and detecting insurance fraud – we use certain systems and software tools to identify likely indications of insurance fraud which might result in a claim being investigated by our fraud team.
We regularly review our profiling processes and in most circumstances, a member of our team will then make a decision based on any outcomes of the profiling described above.
9. YOUR RIGHTS
Under data protection law you have a number of rights in relation to the personal information that we hold about you which we set out below. These rights might not apply in every circumstance. You can exercise your rights by contacting us at any time using the details set out in section 10. We will not usually charge you in relation to a request.
Please note that although we take your rights seriously, there may be some circumstances where we cannot comply with your request such as where complying with it would mean that we couldn't comply with our own legal or regulatory obligations. In these instances we will let you know why we cannot comply with your request.
In some circumstances, complying with your request may result in your insurance policy being cancelled or your claim being discontinued. For example, if you request erasure of your personal information, we would not have the information required to pay your claim. We will inform you of this at the time you make a request.
o The right to access your personal information
You are entitled to a copy of the personal information we hold about you and certain details about how we use it. We will usually provide your personal information to you in writing unless you request otherwise. Where your request has been made electronically (e.g. by email), a copy of your personal information will be provided to you by electronic means where possible.
o The right to rectification
We always take care to ensure that the information we hold about you is accurate and where necessary up to date. If you believe that there are any inaccuracies, discrepancies or gaps in the information we hold about you, you can contact us and ask us to update or amend it.
o The right to restriction of processing
In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to use your personal information.
o The right to withdraw your consent
Where we rely on your consent in order to process your personal information, you have the right to withdraw such consent to further use of your personal information.
Please note that for some purposes, we need your consent in order to pay out on your claim. If you withdraw your consent, we may be unable to pay your claim. We will advise you of this at the point you seek to withdraw your consent.
o The right to erasure
This is sometimes known as the 'right to be forgotten'. It entitles you, in certain circumstances, to request deletion of your personal information, for example where we no longer need your personal information for the original purpose we collected it for or where you have exercised your right to withdraw consent.
Whilst we will assess every request, there are other factors that will need to be taken into consideration. For example we may be unable to erase your information as you have requested because we have a legal or regulatory obligation to keep it.
o The right to object to processing
In certain circumstances, where we only process your personal data because we have a legitimate business need to do so, you have the right to object to our processing of your personal data.
o The right to object to direct marketing
You have control over the extent to which we market to you and you have the right to request that we stop sending you marketing messages at any time. You can do this either by clicking on the "unsubscribe" button in any email that we send to you or by contacting us using the details set out in section 10.
Please note that even if you exercise this right because you do not want to receive marketing messages, we may still send you service related communications where necessary.
o The right to data portability
In certain circumstances, you can request that we transfer personal information that you have provided to us directly to a third party.
o Rights relating to automated decision-making
Whilst we use software to carry out automated decision making (as set out in section 8 above), we will always have some form of human involvement to check any decisions made that arise out of such automated decisions. This complies with your data protection rights to have a decision taken by automated means reviewed.
o The right to make a complaint with the ICO
You have a right to complain to the Information Commissioner's Office (ICO) if you believe that we have breached data protection laws when using your personal information.
You can visit the ICO's website at https://ico.org.uk/ for more information. Please note that lodging a complaint will not affect any other legal rights or remedies that you have.
10. CONTACTING US
If you would like further information about any of the matters in this notice or if you have any other questions about how we collect, store or use your personal information, you may contact our data protection officer by emailing Privacy.email@example.com or writing to:
The Global Data Protection Officer
AXA Corporate Solutions Assurance, UK Branch
6 Bevis Marks
11. UPDATES TO THIS NOTICE
From time to time we may need to make changes to this notice, for example, as the result of changes to law, technologies, or other developments. We will provide you with the most up-to-date notice and you can check our website www.axa-corporatesolutions.com/using-your-personal-information periodically to view it.
This notice was last updated on 23 May 2018