Privacy at Chubb

At Chubb ("we", "us"), we routinely collect and use personal data about individuals, including insured persons, claimants or business partners ("you"). We are aware of our responsibilities to handle your personal data with care, to keep it secure and comply with applicable privacy and data protection laws, in particular the General Data Protection Regulation (GDPR).

 

How this Policy Works

The purpose of this Policy is to provide a clear explanation of when, why and how we collect and use information which may relate to you ("personal data"). We have designed this Policy to be as user friendly as possible. Click on a topic in the list below to find out more, or explore individual topics in more detail by following the various links. We have labelled sections of the Policy to make it easy for you to navigate to the information that may be most relevant to you.

Important

Do read this Policy with care. It provides important information about how we use personal data and explains your statutory rights. This Policy is not intended to override the terms of any insurance policy or contract you have with us, nor rights you might have available under applicable data protection laws.

Relevant Definitions

Please see below for relevant definitions used throughout this Policy:

ACPR: the Autorité de Contrôle Prudentiel et de Résolution (ACPR) is an administrative authority which monitors the activities of banks and insurance companies in France.
 

Assistance Providers: these are a special category of service provider, which we use to help provide you with emergency or other assistance in connection with certain policies (e.g. certain travel policies).
 

Brokers: insurance brokers arrange and negotiate insurance coverage for individuals or companies and deal directly with insurers, such as Chubb, on behalf of the individuals or companies seeking coverage.
 

Claims Experts: these are experts in a particular field which is relevant to a claim, for example medicine, forensic accountancy, mediation or rehabilitation, who are engaged by Chubb to help us properly assess the merit and value of a claim, provide advice on its settlement, and advise on the proper treatment of claimants.
 

CNIL: the Commission Nationale de l'Informatique et des Libertés (CNIL) regulates the processing of personal data by all organisations within France.
 

Data Controller: means a natural or legal person (such as a company) which determines the means and purposes of processing of personal data. For example, a Chubb entity which sells you an insurance policy will be your Data Controller as it determines how it will collect personal data from you, the scope of data which will be collected, and the purposes for which it will be used.
 

FCA: the FCA is the Financial Conduct Authority, which is a financial regulatory body. The FCA focuses on the regulation of conduct by financial services firms.
 

ICO: the Information Commissioner's Office regulates the processing of personal data by all organisations within the UK.
 

Loss Adjuster: this is an independent claims specialist which investigates complex or contentious claims on our behalf.
 

Other Insurers / Reinsurers: some policies are insured on a joint or "syndicate" basis. This means that a group of insurers (including us) will join together to write a policy. Policies may also be reinsured, which means that the insurer will purchase its own insurance, from a reinsurer, to cover some of the risk the insurer has underwritten in your policy. Chubb purchases reinsurance, and also acts as a reinsurer to other insurance firms.
 

PRA: the PRA is the Prudential Regulation Authority, which is a financial regulatory body. The PRA focuses on the prudential regulation of financial services firms. When discharging its general functions, the PRA is responsible for contributing to the securing of an appropriate degree of protection for policyholders.
 

Profiling: means using automated processes without human intervention (such as computer programmes) to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an insurance context, such as your likely risk profile.
 

Prospective Insured and Insured Person: we use this term to refer to prospective, active or former individual policyholders, as well as any individual who benefits from insurance coverage under one of our policies (for example, where an employee benefits from coverage taken out by their employer).
 

Sensitive Personal Data: means any special categories of personal data under the GDPR (i.e. data relating to your health, genetic or biometric data, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership), as well as criminal offences data. At Chubb (other than in the context of our employees, which is outside the scope of this Policy), we routinely only process Sensitive Personal Data relating to health or criminal offences.
 

Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who help us with the administration of setting up a new policy record. Some of these providers use 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.
 

Solicitors: we frequently use solicitors to advise on complex or contentious claims or to provide us with non-claims related legal advice. In addition, if you are a claimant you may be represented by your own solicitor(s).
 

Telematics data: allows a more personalised renewals quote through the use of data provided automatically to us by a device which monitors your behaviour. An example is data collected from a device fitted to a vehicle reflecting driving behaviour.
 

Third Party Administrators (or TPAs): these are companies outside the Chubb group which administer the underwriting of policies, the handling of claims, or both, on our behalf. We require all TPAs to ensure that your personal data is handled lawfully, and in accordance with this Policy and our instructions.

 

Privacy Policy

1. Who is responsible for looking after your personal data?

 

Chubb is a group of companies, including the Combined Insurance and Chubb Life Europe brands. The Chubb group company which was originally responsible for collecting information about you will be principally responsible for looking after your personal data (your Data Controller). If you have an insurance policy with us, this will be the Chubb company named on that policy.

You can find out the identity of each company that is processing your personal data in the context of providing your insurance cover in the following ways:

Where you took out the insurance policy yourself: the Chubb company and/or, if purchased through a broker, the broker will have provided you with its name, address and contact details.

Where your employer or a third party took out the policy for your benefit: you should contact your employer who should provide you with details of the Chubb company.

Where your personal data has been passed to another Data Controller (e.g. a reinsurer): the first Data Controller will inform you of the other Data Controllers with whom they have shared your personal data who you can contact about their use of your personal data, as we do in Section 6 of this policy.

A description of the entities that make up the Chubb group is available at www.chubb.com/content/dam/chubb-sites/chubb-com/uk-en/footer/privacy-policy/documents/pdf/chubbgroupentities.pdf


You should be aware that although one Chubb company may be principally responsible for looking after your personal data, information may be held in databases which can be accessed by other Chubb companies. When accessing your personal data, Chubb companies will comply with the standards set out in this Policy.

California Residents

If you are a California resident, you have certain privacy rights under California law, including the California Consumer Privacy Act of 2018 (“CCPA”). Please see our California Privacy Notice at www.chubb.com/us-en/online-privacy-policy.html, which specifies these rights.

In most cases, your data controller will be Chubb European Group SE or Chubb Life Europe SE, acting through one of its European branch offices. However, you should always check your insurance contract (or contact us directly) to confirm the specific data controller in each case.

2. What personal data do we collect?

 

We collect and process non-sensitive as well as sensitive personal data and personal data relating to criminal convictions and offences. 

Prospective Insureds and Insured Persons. In order to underwrite and administer insurance policies, we collect information about the prospective insured, policyholder and related parties. This may include background and contact information on the prospective insured, policyholder or their representative, and matters relevant to the assessment of risk and management of insurance policies. The prospective insured or policyholder may be an individual, company or their representative. The level and type of personal data we collect and use varies depending on the type of policy that is applied for or held and may include information on other individuals who need to be considered as part of the policy. In some instances, it is necessary for us to collect and use Sensitive Personal Data, such as information about health, or past criminal convictions. We are required to establish a legal exemption to use your Sensitive Personal Data - see Section 5 for further details.

If you are an insured person, from time to time you may need to provide us with the personal data of third parties, for example an injured third party in relation to a claim under a liability policy. Wherever possible, you should take steps to inform the third party that you need to disclose their details to us, identifying Chubb as your insurer. We will process their personal data in accordance with this Policy.


Claimants. If you are making a claim under a policy, we will collect your basic contact details, together with information about the nature of your claim and any previous claims. If you are an insured person we will need to check details of the policy you are insured under and your claims history. Depending on the nature of your claim, it may be necessary for us to collect and use Sensitive Personal Data, such as details of personal injury you may have suffered during an accident.

Business Partners and Visitors. If you are a business partner, we will collect your business contact details. We may also collect information about your professional expertise and experience. We may collect your contact details if you visit our website, register for a newsletter or attend one of our events. Chubb may also collect Personal Data of Users who access our websites or of those who decide to consent, in the appropriate online sections, to receive newsletters from Chubb or to participate in one of the events organized by one of the companies of the group. If we collect personally identifiable information through our website, we will make it clear when we collect personal information and will explain what we intend to do with it.


For more information on what information we collect, please see Appendix 1.

3. When do we collect your personal data?

Prospective Insureds and Insured Persons

  • We will collect information from you directly when you apply for a policy. 

  • Information about you may also be provided to us by an insurance broker, your employer, family member or any other third person who may be applying for a policy which names or benefits you.

  • We may collect information about you from other sources where we believe this is necessary to manage effective underwriting of the risk associated with a policy and/or to help fight financial crime. These other sources may include public registers and databases managed by credit reference agencies and other reputable organisations.

 

Claimants

  • We will collect information from you when you notify us of a claim. You might make a claim to us directly, or through your representative or through your broker or one of our representatives who manage claims on our behalf. We may discuss claims with you on the telephone, in person or via video interviews conducted by us or our third party representatives.

  • We may also collect information about you if the claim is made by another person who has a close relationship with you or is otherwise linked to the claim - for example if the policyholder is your employer, or if you are the subject of a third party claim.

  • We may also be provided with information by your solicitors (or those acting on behalf of your employer).

  • We may collect information from other sources where we believe this is necessary to assist in validating claims and/or fighting financial crime. This may include consulting public registers, social media and other online sources, credit reference agencies and other reputable organisations.

 

Business Partners and Visitors

  • We will collect information about you if you or your company provides your contact or other information to us in the course of working with us, either directly as a business partner or as a representative of your company.

  • We may also collect information about you if you attend meetings, events or conferences that we organise, contact us through our website or sign up to one of our newsletters or bulletin services.

  • We may collect information from other public sources (e.g. your employer's website) where we believe this is necessary to help manage our relationships with our business partners.

 

Applicable to all

  • If you telephone Chubb (for example, when notifying a claim or discussing that claim with us) or if Chubb telephones you (for example, to sell an insurance policy) we may record the telephone call. We may also use Interactive Voice Response ("IVR") technology to automate responses to voice commands, and to analyse call recording data. We use call recordings as evidence of your agreement to purchase an insurance policy or submit a claim, to help train our staff and to provide an accurate record of the call in case of complaints or queries. We may also analyse call recordings using automated technology in order to detect where there may be customer service failings (and then to resolve these), or to detect potential evidence of fraud.

4. What do we use your personal data for?

We use your personal data for the purposes set out below. Please refer to Appendix 2 for more detail, including in relation to the legal basis we rely upon in each case.
 

Prospective Insureds and Insured Persons. If you are a prospective insured or an insured person we will use your personal data to consider an application for an insurance policy, assess and evaluate risk, and subject to applicable terms and conditions, provide you with a policy. The underwriting process may include Profiling. If we have provided you with your policy we will use your personal data to administer your policy, deal with your queries, and manage the renewal process. We will also need to use your personal data for regulatory purposes associated with our legal and regulatory obligations as a provider of insurance.
 

Claimants. If you are a claimant we will use your personal data to assess the merits of your claim, and potentially to pay out a settlement. We may also need to use your personal data to evaluate the risk of potential fraud, a process which may involve Profiling, which uses automated processes. If you are also an insured person, we will use personal data related to your claim to inform the renewal process and potentially future policy applications.
 

Business Partners and Visitors. If you are a business partner we will use your personal data to manage our relationship with you, including sending you marketing materials (where we have appropriate permissions) and to invite you to events. Where relevant, we will use your personal data to deliver or request the delivery of services, and to manage and administer our contract with you or with your employer. If you are a visitor, we will typically use your personal data to register you for certain areas of our website, respond to your enquiries for further information, distribute requested reference materials, or invite you to one of our events. Chubb also uses the data of users registering through its websites to send them promotional materials or invitations to events.
 

Data analytics. We routinely analyse information in our various systems and databases to help improve the way we run our business, to provide a better service and to enhance the accuracy of our risk and other actuarial models. We take steps to protect privacy by aggregating and where appropriate anonymising data fields (particularly in relation to Policy Information and Claim Details, as defined in Appendix 1) before allowing information to be available for analysis.

5. Protecting your privacy

We will make sure that we only use your personal data for the purposes set out in Section 4 and in Appendix 2 where we are satisfied that:
 

  • you have provided your consent to us using the data in that way,

  • our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (e.g. to manage your insurance policy),

  • our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we have (e.g. to comply with a regulatory obligation imposed by any competent regulatory authority), or

  • our use of your personal data is necessary to support 'legitimate interests' that we have as a business (for example, to improve our products, or to carry out analytics across our datasets), provided it is conducted at all times in a way that is proportionate, and that respects your privacy rights.
     

Before collecting and/or using any Sensitive Personal Data we will establish a lawful exemption which will allow us to use that information. If your Sensitive Personal Data is collected on a form (including on a website) or over the telephone, further information about the exemption may be provided on that form. This exemption will typically be:

  • your explicit consent (if this is specifically requested from you on a data collection form, in language which references your consent);

  • the establishment, exercise or defence by us or third parties of legal claims; or

  • a specific exemption provided under local laws of EU Member States and other countries implementing the GDPR which is relevant to the insurance industry, such as the 'insurance purposes' exemption under the UK Data Protection Act 2018, or the processing of personal data of insured person's family members and Sensitive Personal Data of individuals covered under a group insurance.
     

PLEASE NOTE. If you provide your explicit consent to permit us to process your Personal Data or Sensitive Personal Data, you may withdraw your consent to such processing at any time. However, you should be aware that if you choose to do so we may be unable to continue to provide insurance services to you (and where you withdraw consent to an insurer’s or reinsurer’s use it may not be possible for the insurance cover to continue). This may mean that your policy needs to be cancelled. If you choose to withdraw your consent we will tell you more about the possible consequences, including the effects of cancellation (which may include that you have difficulties finding cover elsewhere), as well as any fees associated with cancellation.
 

Please see Appendix 2 for your jurisdiction to find out more about the information we collect and use about you and why we believe it is appropriate to use that information for such activities.

6. Who do we share your personal data with?

We work with many third parties to help manage our business and deliver services. These third parties may from time to time need to have access to your personal data.
 

For Prospective Insureds and Insured Persons these third parties may include:
 

(a) any data protection supervisory authority, as listed below, but in particular the CNIL (in relation to Chubb’s main establishment in the EU in France) or the ICO (in the UK);
 

(b) any insurance / financial services regulator, but in particular the ACPR (in relation to Chubb’s main establishment in the EU in France) or the FCA or PRA (in the UK);
 

(c) as well as other regulators and law enforcement agencies in the E.U. and around the world
 

  • Credit reference agencies and organisations working to prevent fraud in financial services

  • Solicitors and other professional services firms
     

For Claimants this may include:
 

We may be under legal or regulatory obligations to share your personal data with courts, regulators, law enforcement or in certain cases other insurers. If we were to sell part of our businesses we would need to transfer your personal data to the purchaser of such businesses.

 

7. Direct Marketing


We may use your personal data to send you direct marketing communications about our insurance products or our related services. This may be in the form of email, post, SMS, telephone or targeted online advertisements. When marketing to consumers, or where otherwise required by applicable law, we will target marketing to you only if you have provided your consent for marketing, unless marketing relates to the same or similar products and services which we have marketed to you previously and therefore received your contact information.
 

We may target marketing to a company if it has not explicitly denied such marketing.
 

In most cases our processing of your personal data for marketing purposes is based on our legitimate interests to provide information you might find helpful to manage your insured risks, insurance renewals and other products, services and offers that may be of interest to you, although in some cases (such as where required by law) it may be based on your consent. You have a right to prevent direct marketing of any form at any time - this can be exercised by following the opt-out links in electronic communications, or by contacting us using the details set out in Section 12.

We take steps to limit direct marketing to a reasonable and proportionate level, and to send you communications which we believe may be of interest or relevance to you, based on the information we have about you.

8. International Transfers

From time to time we may need to share your personal data with members of the Chubb group who may be based outside Europe (which for these purposes includes the European Economic Area, the United Kingdom and Switzerland). We may also allow our Service Providers or Assistance Providers, who may be located outside Europe, access to your personal data. We may also make other disclosures of your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body.
 

We will always take steps to ensure that any international transfer of information complies with data protection law:
 

  • We will only transfer your personal data to countries which are recognised as providing an adequate level of legal protection (which includes transfers to participants under the EU, or Swiss Data Privacy Frameworks, or the UK Extension to the Data Privacy Framework, also known as the UK-US Data Bridge), or where we can be satisfied that alternative arrangements are in place to protect your privacy rights.

  • Transfers within the Chubb group of companies will be covered by an intra-group agreement which gives specific contractual protections (known as ‘standard contractual clauses’) designed to ensure that your personal data receives an adequate and consistent level of protection wherever it is transferred within the Chubb group;

  • Transfers to Service Providers and other third parties will always be protected by contractual commitments and where appropriate additional protections for international transfers, such as the standard contractual clauses;

  • On an occasional basis, we may rely on specific exemptions to transfer personal data to other countries without providing for an adequate level of protection, such as where the transfer is for important reasons of public interest (for example, to support a regulatory investigation), where the transfer is necessary to establish, exercise or defend legal claims, or where the transfer is necessary to perform a contract in your interest;

  • Any requests for information we receive from law enforcement or regulators will be carefully checked before personal data is disclosed.
     

You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 12 if you would like further information.

9. Automated Decision Making and Profiling

'Automated Decision Making' refers to a decision which is taken solely on the basis of automated processing of your personal data. This means processing using, for example, software code or an algorithm, which does not require human intervention.
 

As Profiling uses automated processing, it is sometimes connected with automated decision making. Not all profiling results in automated decision making, but it can do.

 

If you are a Prospective Insured and Insured Person, we may use automated decision making to carry out a credit check on you. In an underwriting context, profiling is routinely carried out on your Personal Risk Information (as defined in Appendix 1) to assess your individual risk (or the impact you might have on the cumulative risk of a group of Insured Persons) in order to calculate insurance premiums or to make a decision about whether to extend or renew cover. We may also apply Automated Decision Making to Telematics Data to make decisions about renewal quotes.
 

If you are a Claimant, we may use Automated Decision-Making to decide whether to accept or decline your claim. Not all claims are processed using automated decision making – more complex claims are passed to a claims handler for manual review.
 

We have introduced automated decision making as it helps us to process straightforward claims more quickly and accurately, creating a smoother claims journey for all parties. Our algorithms go through rigorous testing before being used as part of the claims process.
 

Where we use automated decision making, we rely on the following legal bases:
 

  • For all non-sensitive personal data (e.g., name, address, email, phone number), processing is necessary for the performance of a contract (i.e., the insurance policy).

  • For all special category personal data (e.g., health data that may be relevant as part of your claim):
    • where processing depends on your explicit consent under Member State law, we will ask you for this when you submit your claim;
    • alternatively, where explicit consent is not required, the legal basis that will apply is that processing is necessary for reasons of substantial public interest, on the basis of Member State law that allows for the processing of health data in the context of insurance claims.
       

Where we use automated decision making to make a significant decision about you (e.g., rejection of a claim) you can:

 

  • contest the automated decision / ask for human intervention – if you do this, we will ask one of our claims handlers to review the automated decision and determine whether it is correct; or

  • express your point of view on the automated decision.
     

If you are a Claimant, we may use Profiling or other forms of automated processing to assess the probability that your claim may be fraudulent or suspect in some way.
 

Where Sensitive Personal Data or criminal convictions data is relevant to the Profiling, such as medical history for life insurance or past motoring convictions for motor insurance, your Sensitive Personal Data may also be used in the models.
 

You have certain rights in respect of automated decision making, where that decision has significant effects on you, including where it produces a legal effect on you. See Sections 11 and 12 for more information about your rights.

 

10. How long do we keep your personal data?

We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy. In some circumstances we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.
 

For example, if you are a holder of an accident and health insurance policy, your Personal Data will typically be retained for 10 years after the cancellation or termination of the policy, unless an exception applies.
 

If you are the first claimant on an insurance policy covering property damage, your Personal Data in the claim file will typically be retained for the duration of the policy and for 10 years following the settlement of the claim, termination or cancellation of the policy, whichever is longer, unless an exception applies.
 

Other data retention periods may apply. More details can be provided upon request to the Data Protection Officer (whose contact information is available in Section 12).
 

In specific circumstances we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.
 

We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.

 

11. What are your rights?

You have a number of rights in relation to your personal data.


You may request access to your data, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability and various information in relation to any Automated Decision Making and Profiling or the basis for international transfers. You may also exercise a right to complain to your Supervisory Authority. More information about each of these rights can be found by clicking on the relevant link or by referring to the table set out further below.
 

To exercise your rights you may contact us as set out in Section 12. Please note the following if you do wish to exercise these rights:

 

Right What this means
Access

You can ask us to:

  • confirm whether we are processing your personal data;
  • give you a copy of that data;
  • provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out any Automated Decision Making or Profiling, to the extent that information has not already been provided to you in this Policy.

Rectification

You can ask us to rectify inaccurate personal data.

We may seek to verify the accuracy of the data before rectifying it.

Erasure

You can ask us to erase your personal data, but only where:

  • It is no longer needed for the purposes for which it was collected; or
  • You have withdrawn your consent (where the data processing was based on consent); or
  • Following a successful right to object (see 'Objection' below); or
  • It has been processed unlawfully; or
  • To comply with a legal obligation to which Chubb is subject.

We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:

  • For compliance with a legal obligation; or
  • For the establishment, exercise or defence of legal claims.

There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.

Restriction

You can ask us to restrict (i.e. keep but not use) your personal data, but only where:

  • Its accuracy is contested (see Rectification), to allow us to verify its accuracy; or
  • The processing is unlawful, but you do not want it erased; or
  • It is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
  • You have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal data following a request for restriction, where:

  • We have your consent; or
  • To establish, exercise or defend legal claims; or
  • To protect the rights of another natural or legal person.

Portability

You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another Data Controller, but in each case only where:

  • The processing is based on your consent or on the performance of a contract with you
  • The processing is carried out by automated means.

The right to portability includes only the data provided by you.

Objection

You can object to any processing of your personal data which has our 'legitimate interests' as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests.

Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.

Automated Decision Making

You can ask not to be subject to a decision which is based solely on automated processing (see Section 9), but only where that decision:

  • Produces legal effects concerning you (such as the rejection of a claim); or
  • Otherwise significantly affects you.

In such situations, you can obtain human intervention in the decision making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision.

Your right to obtain human intervention or to contest a decision does not apply where the decision which is made following automated decision making:

  • Is necessary for entering into or performing a contract with you;
  • Is authorised by law and there are suitable safeguards for your rights and freedoms; or
  • Is based on your explicit consent.

However, in these situations you can still obtain human intervention in the decision making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision.

Withdrawal

Where the processing of your personal data is based on consent (see Appendix 2), you can withdraw your consent to the processing of your personal data at any time. The withdrawal of your consent shall not affect the lawfulness of processing based on consent before your withdrawal.

International Transfers

You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of the European Economic Area.

We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.

Supervisory Authority

You have a right to lodge a complaint about our processing of your personal data with a supervisory authority in the place of your habitual residence, your place of work or the place of an alleged infringement of the GDPR.

The relevant supervisory authority for each relevant jurisdiction is as follows:

 

 

United Kingdom

ICO (https://ico.org.uk/).

Austria

Austrian Data Protection Authority (Österreichische Datenschutzbehörde) (https://www.dsb.gv.at)

Belgium

Belgian Data Protection Authority (www.dataprotectionauthority.be)

The Netherlands

The Data Protection Authority (https://autoriteitpersoonsgegevens.nl/en)

Bulgaria

CPDP (https://www.cpdp.bg/)

Czech Republic

Úřad pro ochranu osobních údajů (ÚOOÚ, https://uoou.cz/)

Denmark

Datatilsynet (http://www.datatilsynet.dk/)

Faroe Islands

Dátueftirlitið (https://dat.fo/)

Finland

Tietosuojavaltuutetun toimisto (https://tietosuoja.fi/)

France

CNIL (www.cnil.fr)

Germany

• Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg (https://www.baden-wuerttemberg.datenschutz.de/),

• Bayerisches Landesamt für Datenschutzaufsicht (https://www.lda.bayern.de),

• Berliner Beauftragter für Datenschutz und Informationsfreiheit (https://www.datenschutz-berlin.de),

• Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg (https://www.lda.brandenburg.de),

• Landesbeauftragte für Datenschutz und Informationsfreiheit der Freien Hansestadt Bremen (https://www.datenschutz.bremen.de/),

• Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit (https://www.datenschutz-hamburg.de),

• Hessischer Beauftragter für Datenschutz und Informationsfreiheit (https://www.datenschutz.hessen.de),

• Landesbeauftragter für Datenschutz und Informationsfreiheit Mecklenburg-Vorpommern (https://www.datenschutz-mv.de),

• Landesbeauftragte für den Datenschutz Niedersachsen (https://www.lfd.niedersachsen.de),

• Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (https://www.ldi.nrw.de),

• Landesbeauftragter für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (https://www.datenschutz.rlp.de),

• Unabhängiges Datenschutzzentrum Saarland, Landesbeauftragte für Datenschutz und Informationsfreiheit (https://www.datenschutz.saarland.de),

• Sächsischer Datenschutzbeauftragter (https://www.saechsdsb.de/),

• Landesbeauftragter für den Datenschutz Sachsen-Anhalt (https://datenschutz.sachsen-anhalt.de),

• Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (https://www.datenschutzzentrum.de),

• Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit (https://www.tlfdi.de).

Gibraltar

Gibraltar Regulatory Authority (https://www.gra.gi/data-protection)

Hungary

NAIH (seat: 1055 Budapest, Falk Miksa u. 9-11., phone: +36 (1) 391-1400, e-mail: ugyfelszolgalat@naih.hu, web: www.naih.hu)

Ireland

CBI (www.centralbank.ie/) and DPC (www.dataprotection.ie/)

Italy

Garante per la Protezione dei Dati Personali (www.garanteprivacy.it)

Norway

Norway Datatilsynet (https://www.datatilsynet.no/)

Poland

PUODO (Prezes Urzędu Ochrony Danych Osobowych) (https://www.uodo.gov.pl/pl)

Portugal

CNPD (https://www.cnpd.pt/)

Spain

AEPD (Agencia Española de Protección de Datos: www.aepd.es)

Sweden

Integritetsskyddsmyndigheten (www.imy.se)

 

 

 

We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.

Identity: We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request in respect of such records.

Fees: We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.

Timescales: We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can tell us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.

Third Party Rights: We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects.

 

12. Contact and complaints

The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer. 

The Data Protection Officer can be contacted in the following ways:

Email: 

dataprotectionoffice.europe@chubb.com

Write to:

Data Protection Officer,
Chubb, 40 Leadenhall Street,
EC3A 2BJ London


If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time.

Updated September 2023

13. Country-specific additional information

Additional Information for Processing Subject to the Laws of France
 

In France, you have additional rights as follows:

Instructions on the processing of your data after your death: You have the right to issue instructions on the processing of personal data after your death as follows:
 

  • You may issue instructions on the exercise of your rights under this section after your death, in particular in terms of retention period, deletion and/or communication of your data as well as designate a person in charge of exercising such rights.

  • You can issue general instructions and confide them to a trusted third party as well as a general registry created by decree.

  • You can issue instructions specific to the processing of your personal data by Chubb and register them with us using the email address specified below.

  • You can withdraw or modify your instructions at any time.

     

Succession Rights: In the event of your death, the above rights with respect to your Personal Data may be exercised by a person who has a personal interest in your Personal Data, or is acting on your behalf as your representative, or for family reasons deserving protection. You may expressly prohibit the exercise of some of the rights listed above by his or her assignees by sending a written statement to Chubb at the addresses listed in Section 12. The declaration may be withdrawn or modified later in the same manner.
 

Additional Information for Processing Subject to the Laws of Italy
 

In accordance with the Italian Data Protection Authority's guidelines and decisions, profiling is carried out without Sensitive Personal Data, and is based on the data subject’s consent or – only where the profiling is not invasive and depending on the personal data used and the type of monitoring activity performed – on the basis of Chubb’s legitimate interest.
 

Additional Information for Processing Subject to the Laws of Ireland

We will also add details of your policy to the Motor Third Party Liability Database maintained by the Motor Insurers Bureau of Ireland (MIBI). MIBI will make this information available to the Minister for Transport, Tourism and Sport and An Garda Síochána for the purposes of section 78A of the Road Traffic Act 1961 (as amended). MIBI may also use this information to:
 

  • comply with its own legal obligations (e.g. to provide information to members of the public who were involved in an accident with an unidentified driver pursuant to regulation 5(5) of SI 651/2003 (as amended)); and

  • for the performance of its obligations pursuant to the agreement with the Minister for Transport dated 29 January 2009 (as amended from time to time) which was entered into to provide compensation to individuals involved in accidents with uninsured drivers.
     

More details can be found on the MIBI data protection webpage at www.mibi.ie/ which will be updated to reflect MTPL when the project goes live.
 

If your personal data is stored in our databases and if other Chubb companies also have access to this information, your personal data will also be transferred to these respective Chubb companies.
 

Additional Information for Processing Subject to the Laws of the Netherlands

The processing of personal data within The Netherlands is also governed by the Code of Conduct “Processing of Personal Data” (Gedragscode “Verwerking Persoonsgegevens”) of the Dutch Association of Insurers. You may consult the text of this Code via the website of the Association of Insurers, www.verzekeraars.nl/dutch-association-of-insurers, or you can request the Code from the Association of Insurers: Verbond van Verzekeraars, Postbus 93450, 2509 AL Den Haag, telephone +31(0)70-3338500.
 

In the Netherlands, Chubb may use your personal data for the purpose of complying with binding self-regulation such as the Protocol Incident Warning System for Financial Institutions (PIFI) www.verzekeraars.nl/branche/zelfreguleringsoverzicht-digiwijzer/protocol-incidentenwaarschuwingssysteem-financiële-instellingen in The Netherlands.
 

Additional Information for Processing Subject to the Laws of the United Kingdom

In the UK, insurance involves the use and disclosure of your personal data by various insurance market participants such as intermediaries, insurers and reinsurers. The London Insurance Market Core Uses Information Notice www.londonmarketgroup.co.uk/gdpr sets out those core necessary personal data uses and disclosures. Our core uses and disclosures are consistent with the London Market Core Uses Information Notice. We recommend you review this notice. 
 

We work in partnership with the Motor Insurers’ Bureau (MIB) and associated not-for-profit companies who provide several services on behalf of the insurance industry. At every stage of your insurance journey, the MIB will be processing your personal information and more details about this can be found via their website: mib.org.uk. Set out below are brief details of the sorts of activity the MIB undertake:
 

  • Checking your driving licence number against the DVLA driver database to obtain driving licence data (including driving conviction data) to help calculate your insurance quote and prevent fraud

  • Checking your ‘No Claims Bonus’ entitlement and claims history

  • Preventing, detecting and investigating fraud and other crime, including by carrying out fraud checks

  • Maintaining databases of:
    • Insured vehicles (Motor Insurance Database)
    • Vehicles which are stolen or not legally permitted on the road (MIAFTR)
    • Motor, personal injury and home claims (CUE)
    • Employers’ Liability Insurance Policies (Employers’ Liability Database)
       
  • Managing insurance claims relating to untraced and uninsured drivers in the UK and abroad

  • Working with law enforcement to prevent uninsured vehicles being used on the roads

  • Supporting insurance claims processes
     

If you are a Claimant, we may share your personal data with credit reference agencies and organisations working to prevent fraud in financial services in relation to all parts of the claims lifecycle. This includes the Insurance Fraud Bureau, which publishes its own Privacy Policy.


As an FCA regulated firm, we are required to take steps to protect vulnerable customers. A vulnerable customer is someone who, due to their personal circumstances, is especially susceptible to harm. This may be on the basis of a range of factors, including:
 

  • Health (e.g., conditions or illnesses);

  • Life events (e.g., bereavement, job loss or relationship breakdown);

  • Resilience (e.g., ability to withstand financial or emotional shocks); and

  • Capability (e.g., literacy, digital or financial skills).
     

In connection with this duty, we may collect and record personal data relating to vulnerable customers, in relation to factors such as those listed above. We process this personal data on the basis of our legitimate interest in taking additional steps (at our discretion) to protect those customers and to understand the aggregate needs of our customer base, and on the basis of the substantial public interest in protecting the economic well-being of vulnerable customers. It is up to you whether you volunteer information about any vulnerable circumstances.
 

Additional Information for Processing Subject to the Laws of Spain

In Spain, in addition, we will block your data when it has been processed to comply with a rectification or erasure request. This data blocking consists of the identification and maintenance of the data, ensuring that the relevant technical and organisational measures are in place to stop its processing, including its visualization, except for the access of the competent authorities or for potential liabilities derived from the processing of the data, and only until the statute of limitation period is met. Once this has occurred we will erase/anonymise the data.
 

Additional Information for Processing Subject to the Laws of Poland

Data Protection Officer - Nikolai Dythtchenko

Data Protection Officer,
Chubb, 40 Leadenhall Street,
EC3A 2BJ, London