Data Protection and Privacy Compliance at Swiss Re
Swiss Re is a leading wholesale provider of reinsurance, insurance and other insurance-based forms of risk transfer. We operate in over 80 offices located in more than 30 countries. As a global reinsurance and insurance provider, we receive and process the personal data of individuals. We have instituted a comprehensive, global data protection compliance framework in order to fulfill our responsibilities to protect personal data and to respect privacy rights in compliance with data protection and privacy laws and regulations around the world.
Our policies and standards
Our commitment to data protection and privacy is stated in the Swiss Re Code of Conduct: "We handle personal data with the greatest care and use it only for legitimate and specified business purposes". Furthermore, our global data protection compliance framework – including policies, standards, information security measures, appointed Data Protection Officers, training and awareness programmes and business-relevant procedures – sets forth the following key principles:
- We respect the privacy rights of Swiss Re's employees, customers, clients, business partners and other individuals whose personal data we have and use.
- We protect personal data by implementing appropriate technical and organisational measures in our data processing operations.
- We obtain personal data fairly and only use it for legitimate business purposes.
- We hold ourselves accountable for demonstrating compliance with applicable legal and regulatory requirements and understanding of our roles and responsibilities.
These principles, stated in our Data Protection Policy, are applicable to all of Swiss Re's entities worldwide. They are derived from internationally recognized privacy principles as well as the foundational principles of the European Union's (EU) General Data Protection Regulation (GDPR). As a Swiss company doing business in the EU, we comply with the GDPR where applicable to our global business operations. Swiss Re has implemented enhanced or new processes in compliance with the GDPR, and these are described throughout Global Policy and Standard on Data Protection.
In addition, whenever there are local laws or particular business units or kinds of data processing that call for more elaborate guidance or heightened scrutiny, we establish governing standards and adopt tailored safeguards appropriate for the situation in question. Finally, we recognise that today's digital reality is that data circulates globally and risks may present themselves in unprecedented ways. Consequently, we take care to understand relevant laws and regulations and assess the risks that arise as personal data is processed in our global operations.
Our role as a data controller
What kind of personal data do we process?
The precise nature of the personal data we process depends on your relationship with Swiss Re. However, in many cases, if we are handling your personal data as part of our role as a re/insurer, we may process the following:
- Information about you – for example name, age, gender, date of birth, nationality. Even though in some instances we do not receive your name, we need enough information to help us identify you and your policy so that we can provide services to our clients.
- Contact information – in some cases, for example, we may receive your email, address, postcode and phone number.
- Financial information – we may process information related to payments you make or receive in the context of an insurance policy or claim.
- Contractual information – for example details about the policies you hold and with whom you hold them.
- Health information such as smoker status or medical related issues relevant to a policy you hold or a claim you have made.
Why do we process this data?
We may use your personal data for a number of reasons:
- Underwriting our business with our clients
- Managing claims
- Assessing, improving and developing our services
- Enhancing our knowledge of risk and insurance markets in general
- Fulfilling legal or regulatory obligations and protecting ourselves and our clients against fraud.
Where do we get personal data from?
In most cases, we receive personal data from third parties such as our corporate clients. On occasion, such as when you register for an event or receive information directly from us, we may receive personal data directly from you.
Who do we share personal data with?
Our employees have access to and process personal data based upon a "need to know" basis in order to do their job. We regularly check who has access to our systems and data.
We may also share your personal information with these categories of third parties:
- Our service providers and agents e.g. IT companies who support our technology.
- Our professional advisers: auditors, reinsurers, medical agencies and legal advisers.
- The client who provided us with your data.
When applicable, we apply cross-border rules in line with European data protection laws and regulations. So if any personal data needs to be processed by internal services teams or by third parties outside the EU or Switzerland, we make sure adequate safeguards are in place with those internal and external parties. We typically do this by using EU model contract clauses to make sure this processing also complies with Swiss and EU data protection laws and regulations.
How long we keep personal data
We keep your personal information for as long as necessary for the purpose it was collected, and to comply with our legal and regulatory requirements. This includes keeping your information for a reasonable period of time after your relationship with us or our client has ended.
Ultimately, it is our employees who are the most important element of our commitment. Our employees are involved in every step of the data lifecycle, including sourcing and receiving personal data, processing it in compliance with laws and regulations, employing safeguards, and establishing the means and schedules of retention and deletion. It is therefore imperative that our employees understand their role and be committed to safeguarding personal data. We design our training programme to be relevant, focused on the individual and also focused on concrete risks. We mandate a global eLearning training for all employees and supplement with bespoke trainings for particular regions, business units, and employee functions. In addition, we run regular data protection and information security awareness campaigns with executive sponsorship. We also share with our employees other knowledge resources on data protection and privacy topics, including guidance on ways that they can better protect and safeguard their own personal privacy. It is important that our employees understand the seriousness of protecting personal data and respecting privacy rights with the ability to relate this back to the risks and consequences from an individual perspective. Through our efforts, we wish to realize our goal that our employees and business partners understand their respective roles and responsibilities for data protection compliance.
Our data protection experts
A team of full-time Data Protection Officers (DPOs) covers all of our business units, group functions and regions. They are recognised leaders in the international data protection and privacy profession. They speak at global conferences, engage in industry knowledge sharing and collaboration initiatives, and monitor regulatory developments in the areas of data protection and privacy. Swiss Re itself hosts a regular data protection symposium for its clients and other stakeholders to address topics of the greatest relevance in this field.
In addition, our Data Protection Officers regularly engage in an internal global network of subject-matter experts to support compliance needs by business units, group functions, and by region or jurisdiction.
Where a heightened risk exposure on data protection and privacy is recognized, key governance tasks are embedded in the respective units. This is typically the case where greater amounts of personal data are being processed or where sensitive personal data is involved. We coordinate with our internal operational risk management, audit, and information security colleagues so that we can optimise the implementation of the data protection compliance framework, identify and address gaps, further mitigate risks and monitor compliance.
Our information security
To assure the confidentiality, integrity and availability of personal data within our care, we have a comprehensive, risk-based information security programme. We recognise the impact on individuals from the increasing volume, variety and pace of information usage and the heavy dependence on the Internet as a business channel and communication medium.
Our information security programme and management approach is based on the international information security standard ISO/IEC 27002. We have implemented multiple layers of protection to minimise the risks to personal data and the privacy of individuals. Such protection includes network security controls, logical and physical access controls, maintaining up-to-date inventories (authorised hardware and software), system hardening and monitoring, usage of state-of-the-art protection software, monitoring and response procedures, as well as regular information security awareness training of all involved employees.
Annually, we review our information security policies. We also conduct at least annually a risk assessment of Swiss Re's cyber security resilience, benchmarked against best practice security standards. The process includes stakeholders throughout the company and results in mitigation measures and the revision of controls to respond to technological developments and evolving threats. It considers the particular cyber security risks of Swiss Re's business operations, the business information we collect or store, our IT landscape, and the availability and effectiveness of controls to protect that information and IT landscape. We further test the effectiveness of our incident response plans through simulation exercises with cross-functional stakeholders, and evolve them based upon the lessons learned from each exercise.
Our internal audit function tests the design and effectiveness of implemented safeguards to ensure effective coverage and to maintain focus on key risks. This is a cycle that we continue to improve, as risks are always evolving and security can never be 100% assured. Vigilance and collaboration are crucial to our efforts to ensure the security of personal data. Finally, our compliance Policy Management Framework includes at least annual review of our information security policies to ensure that their requirements still appropriately address our risk exposure. Our internal assurance functions and external auditors also regularly audit these policies.
We take particular care when working with third parties. We only share personal data with affiliates, business partners, third party service providers or vendors when we have a legitimate business purpose for doing so and when permissible by law. We require third parties to maintain similar standards to ours for the protection of personal data, as verified by our due diligence process. We have implemented a holistic and consistent risk mitigation process to identify and assess the cyber resilience of third parties providing goods or services to any of Swiss Re's legal entities. A risk-based approach is followed, covering the whole lifecycle of our engagement with a third party. The applied methodology is based on international standards and frameworks such as ISO/IEC 27002, COBIT and NIST, and takes into account the criticality of the processed data, the way the data is processed and Swiss Re's dependency on the third party. Once we enter into these relationships, we continue to monitor the data practices of third parties, and reserve the right to conduct audits as appropriate. We require them to maintain these standards with their sub-contractors and other parties that might further process our personal data on their behalf.
In the event of security or privacy incidents that may implicate unauthorised access to personal data, we have in place global and regional incident response procedures, including appropriate reporting channels such as 24/7 contact lines as well as a whistleblowing hotline. Our breach detection and containment procedures consider the potential business, reputational, legal and regulatory impact on our company. They also entail assessing whether the breach could have consequences for individuals and determining who needs to be notified of the breach, including regulatory authorities, individual data subjects, or other stakeholders. To this end, we use the most effective communication channels depending on the severity and scale of the breach, including our public website when appropriate. We involve all relevant internal and external stakeholders in our attempt to minimise the harm to Swiss Re and affected individuals. We are constantly monitoring the threat environment and have prepared lines of communication both internally and externally with information-sharing centers, law enforcement and regulators. Our plans aim to mitigate and resolve such incidents in order to minimise harm to the company and to data subjects.
Further notes on our implementation of the GDPR
Many of the disclosures and safeguards required by the EU's GDPR reflect widely accepted standards and laws which apply around the globe and are described throughout this document. In addition, we also set forth here additional information required by the GDPR.
What are our legal grounds for processing personal data?
We only process personal data for legitimate business purposes and when a legal ground as set out in data protection law is applicable. There are a number of legal grounds that may apply and the table below describes the ones most likely to be relevant to you.
| Legal ground | Description | Example |
|---|---|---|
| Consent | We may process your personal data when we obtain your consent or when our client obtains consent from you. | We take steps to ensure our clients only provide us with personal data when they are allowed to do so. Often this means our clients will obtain your consent to disclose personal data to reinsurers. |
| Performance of a contract | If you have a contract with Swiss Re, the personal data may be processed when it is necessary in order to enter into or perform a contract. | This could include discharging our obligations in relation to a claim you have made. |
| Compliance with a legal obligation | Your personal information may be processed where we have a legal obligation to perform such processing, such as where we share information with our regulators, law enforcement agencies or the courts. | If we receive an order from the authorities in relation to an investigation, we may be required to disclose personal data as part of that process. |
| Necessary for an insurance purpose | In some locations, the laws that implement the GDPR include legal grounds for processing your medical and other sensitive personal data when it is necessary to do so in connection with an insurance product. | In some cases, we receive personal data from our clients who seek our opinion on complex claims. |
Another legal basis for processing personal data is when we have a legitimate interest in so doing and we can demonstrate that our interests are not outweighed by your rights or interests. Where we rely on legitimate interests grounds for processing, we make sure we only process the minimum amount of data necessary and for the minimum amount of time necessary to achieve our objectives. We also make sure that our processing is not unnecessarily intrusive.
The table below sets out some examples of when we might rely on our legitimate interests to process personal data.
| Use of personal data | Our legitimate interest |
|---|---|
| Our products are developed with our clients' needs in mind. We process personal data to make sure we provide the service our clients expect and our products are working as we intended. | We need to be able to identify whether our products or services are operating effectively. |
| We also use data to ensure our business is operating effectively; where we can, we remove identifying information. | We need to develop new products and services, and make sure what we offer is fair. We need to make sure we are treating clients and policy holders fairly. |
| We process personal data in a range of applications and use a variety of technological means and processes to understand how those applications are working. | We need to make sure that our systems are secure and work properly. |
Your GDPR (EU) privacy rights
We recognise that you may have rights with regard to our processing of your data. While the nature and extent of these rights will differ from location to location, we have processes in place that allow us to respond in a timely manner to any valid request to:
- Access - You may have the right to find out what personal information we hold about you
- Rectification - If any of your details are incorrect, inaccurate or incomplete you can ask us to correct them or to add information.
- "Port" data - In some circumstances you can ask us to send an electronic copy of the personal information you have provided to us, either to you or to another organisation.
- Object - You have the right to object to any processing done under legitimate interests. We will then re-assess the balance between our interests and yours, considering your particular circumstances. If we have a compelling reason, we may still continue to use your information.
- Prevent marketing - You have a specific right to object to our use of your information for direct marketing purposes, which we will always act upon.
- Restrict processing - If you are uncertain about the accuracy or our use of your information, you can ask us to stop using your information until your query is resolved. We will inform you of the outcome before we take any further action in relation to this information.
- Erase - You can ask us to delete your personal information if deleting your data is not in conflict with our legal and regulatory obligations. If we are using consent to process your information and you withdraw it, you can ask us to erase your information.
At all events, where we use your data to make decisions solely by automated means (including using your data to build a profile about you) we will inform you that we are doing this and make sure that you are able to contest any such decision. Any new profiling activity or automated decision making activity we carry out is subject to a robust assessment aimed at mitigating any risks to you. This assessment is carried out before the processing commences.
The easiest way to exercise your rights is to contact the data protection team using the contact details below. We will respond promptly and we do not normally charge for providing a response.
If you are unhappy with how we process your personal data you may have the right to complain to a data protection regulator or supervisory authority. We encourage you to contact us first so we can address your concerns.
Be in touch. Responding to your requests.
If you have questions about this topic, please contact our Global Data Protection Officer, Dr Stefan Weiss, and his team at Data_Protection@swissre.com. We are available for you, and our global team of Data Protection Officers will respond to legitimate individual requests for clarity, access to your personal data, or the exercise of any other privacy rights. You can also ask us to remove you from marketing communications, and we will do so. We will respond to your requests in a timely manner and in compliance with relevant legal or regulatory requirements. We ask that corporate clients contact us through the usual business channels.