Our Role as Data Controller

Further Information

What kind of personal data do we process?

The precise nature of the personal data we process depends on your relationship with Swiss Re. However, in most cases, we may process a combination of the following:

  • Information about you – for example name, age, gender, date of birth, nationality, marital status, social security number, passport number or tax number.  Even though in some instances we do not receive your name, we need enough information to help us identify you and your policy so that we can provide services to our clients.
  • Contact information – in some cases, for example, we may receive your email, address, or phone number.
  • Online information – for example cookies and IP address (your computer’s internet address), if you use our websites. Please see Swiss Re web privacy and cookie policy for further details.
  • Payment information – we may process information related to payments you make or receive in the context of an insurance policy or claim.
  • Contractual information – for example details about the policies you hold and with whom you hold them.
  • Health information – for example smoker status, weight, sports and leisure activities, family health or morbidity history, or medical related issues relevant to a policy you hold or a claim you have made.
  • Financial information – for example bank account or payment card details, income, investment/savings or other financial information including household income, home valuation and household demographics
  • Risk, fraud and credit related data – for example credit history, sanctions and criminal offences, and information received from various anti-fraud databases
  • Employment history – for example information on previous or current employer, job role, salary, employment benefit options, educational background or professional licenses and qualifications

Why do we process this data?

We use your personal data primarily only to the extent that it is necessary for the purposes of conducting our business, and only for the purpose for which it was originally collected and any other permissible, related purpose. We may use your personal data for a number of reasons:

  • Providing our services and fulfilling our contractual obligations to clients and other third parties
  • Underwriting our business with clients
  • Conducting data analysis, which helps us assess risks, price our products appropriately and improve our services
  • Reviewing, managing and processing claims
  • Assessing, improving and developing our services
  • Enhancing our knowledge of risk and insurance markets in general
  • Marketing purposes (e.g. newsletters, surveys, client events, etc.)
  • Fulfilling legal or regulatory obligations and protecting ourselves and our clients against fraud, money laundering, terrorism and other crimes

Is there further processing of this data?

Swiss Re adheres to the principle of purpose limitation and only processes data for purposes related to those specified when personal data were collected. Processing for secondary purposes only takes place where we have a legal basis such as the consent of the data subject. To assess our adherence to this principle Swiss Re considers the relationship between the purposes for which the data have been collected and the purposes of further processing, the context in which the data have been collected, the reasonable expectations of the data subjects, the nature of the data and the impact of the further processing on the data subjects.

Where do we get personal data from?

In most cases, we receive personal data from third parties such as our corporate clients; that can be your insurer, agent or broker or other insurance market participants. On occasion, such as when you register for an event or receive information directly from us, we may receive personal data directly from you. We may also receive your data from other parties to a claim (claimant / defendant), witnesses, experts (including medical experts), loss adjustors, solicitors, and claims handlers, health care service providers or anti-fraud databases, sanctions lists, court judgements and other public databases.

Who do we share personal data with, or do we sell personal data?

Our employees have access to and process personal data based upon the "need to know" principle. In other words they have access to personal data where this is necessary in order to do their job. We regularly check who has access to our systems and data.

We may also share your personal data with the following categories of third parties:

  • Our service providers and agents e.g. IT companies who support our technology. For example, we process personal data (i.e. within our email system or other applications) with Microsoft's Azure and Office 365. This externally hosted environment was found to be consistent with our privacy and security programmes and is regularly assessed so it continuously meets our standards.
  • Our professional advisers, auditors, reinsurers, medical agencies and legal advisers, law enforcement agencies, regulators, government authorities.
  • The client who provided us with your data.
  • Contractors, brokers, external managers, other insurance market participants or financial institutions.

We do not sell personal data.

Data may be exported to further countries in line with legal requirements and the required measures to ensure protection of the data. This is particularly the case where personal data needs to be processed by internal services teams or by third parties in other Swiss Re locations and outside the EU or Switzerland. We make sure adequate safeguards such as binding contracts are in place with those internal and external parties.

How long do we keep personal data?

We keep your personal information in compliance with applicable retention periods and for as long as necessary for the purpose for which it was collected, and to comply with our legal and regulatory requirements. This may include keeping your information for a reasonable period of time after your relationship with us or our client has ended. We securely destroy personal data when it is no longer needed for the relevant purposes and its retention period has expired. In some circumstances we retain aggregated or anonymised data which can no longer be associated with you and is therefore not considered personal data. If you need more information about the retention or deletion of your personal data, please see also the section on your privacy rights below and contact us using the details provided at the end of this document.

What about information security?

We take particular care when working with third parties. We only share personal data with affiliates, business partners, third party service providers or vendors when we have a legitimate business purpose for doing so and when permissible by law. We require third parties to maintain similar standards to ours for the protection of personal data, as verified by our due diligence process.

Further information can be found here: Information Security at Swiss Re.

How do we manage incident response?

In the event of security or privacy incidents that may implicate unauthorised access to personal data, we have in place global and regional incident response procedures, including appropriate reporting channels such as 24/7 contact lines as well as a whistleblowing hotline. Our breach detection and containment procedures consider the potential business, reputational, legal and regulatory impact on our company. They also entail assessing whether the incident is an actual data breach which could have consequences for individuals and determining who needs to be notified, such as regulatory authorities, individual data subjects, or other stakeholders. To this end, we use the most effective communication channels depending on the severity and scale of the breach, including our public website when appropriate. We involve all relevant internal and external stakeholders in our attempt to minimise the harm to Swiss Re and affected individuals. We are constantly monitoring the threat environment and have prepared lines of communication both internally and externally with information-sharing centers, law enforcement and regulators. Our plans aim to mitigate and resolve such incidents in order to minimise harm to the company and to data subjects. 

What are our legal grounds for processing personal data?

We only process personal data for legitimate business purposes and when a legal ground as set out in data protection law is applicable. There are a number of legal grounds that may apply of which the table below describes the ones most likely to be relevant to you.

| Legal Ground | Example |
| --- | --- |
| Consent: We may process your personal data when we obtain your consent or when our client obtains consent from you. | We take steps to ensure our clients only provide us with personal data when they are allowed to do so. Often this means our clients will obtain your consent to disclose personal data to reinsurers. |
| Performance of a contract: If you have a contract with Swiss Re, the personal data may be processed when it is necessary in order to enter into or perform a contract. | This could include discharging our obligations in relation to a claim you have made. |
| Compliance with a legal obligation: Your personal information may be processed where we have a legal obligation to perform such processing, such as where we share information with our regulators, law enforcement agencies or the courts. | If we receive an order from the authorities in relation to an investigation, we may be required to disclose personal data as part of that process. |
| Necessary for an insurance purpose: In some locations, local laws include legal grounds for processing your medical and other sensitive personal data when it is necessary to do so in connection with an insurance product. | In some cases, we receive personal data from our clients who seek opinion on complex claims. |

Another legal basis for processing personal data is when we have a legitimate interest in so doing and we can demonstrate that our interests are not outweighed by your rights or interests. Where we rely on legitimate interest as grounds for processing, we make sure we only process the minimum amount of data necessary and for the minimum amount of time necessary to achieve our objectives. We also make sure that our processing is not unnecessarily intrusive.

The table below sets out some examples of when we might rely on our legitimate interests to process personal data.

Use of personal data

Our legitimate interest

Our products are developed with our clients' needs in mind.  We process personal data to make sure we provide the service our clients expect and our products are working as we intended.

We also use data to ensure our business is operating effectively; where we can, we remove identifying information.

We need to be able to identify whether our products or services are operating effectively.

We need to develop new products and services, and make sure what we offer is fair.

We need to make sure we are treating clients and policy holders fairly.

We process personal data in a range of applications and use a variety of technological means and processes to understand how those applications are working. We need to make sure that our systems are secure and work properly.

 

Your privacy rights

We recognise that you may have rights with regard to our processing of your data. While the nature and extent of these rights will differ from location to location, we have processes in place that allow us to respond in a timely manner to any valid request to:

  • Access - You may have the right to find out what personal information we hold about you (this includes what category of personal data and/or specific personal data)
  • Rectification - If any of your details are incorrect, inaccurate or incomplete you can ask us to correct them or to add information.
  • Portability - In some circumstances you can ask us to send an electronic copy of the personal information you have provided to us, either to you or to another organisation.
  • Object - You have the right to object to any processing done under legitimate interests.  We will then re-assess the balance between our interests and yours, considering your particular circumstances.  If we have a compelling reason, we may still continue to use your information.
  • Prevent marketing - You have a specific right to object to our use of your information for direct marketing purposes, which we will always act upon.
  • Restrict processing - If you are uncertain about the accuracy or our use of your information, you can ask us to stop using your information until your query is resolved.  We will inform you of the outcome before we take any further action in relation to this information.
  • Erase - You can ask us to delete your personal information if deleting your data is not in conflict with our legal and regulatory obligations.  If we are using consent to process your information and you withdraw it, you can ask us to erase your information.

In any case where we use your data to make decisions solely by automated means (including using your data to build a profile about you), we will inform you that we are doing this and make sure that you are able to contest any such decision. Any new profiling activity or automated decision-making activity we carry out is subject to a robust assessment aimed at mitigating any risks to you. This assessment is carried out before the processing commences.

The easiest way to exercise your rights is to contact the data protection team using the contact details below. We will respond promptly and we do not normally charge for providing a response. Please note that, before we can process your request, we may need to verify your identity by asking you to provide a copy of an official identification document and/or a copy of evidence of your residency address or similar.

If you are unhappy with how we process your personal data, you may have the right to complain to a data protection regulator or supervisory authority. We encourage you to contact us first so we can address your concerns.

Swiss Re Data Ethics

The digital transformation of the insurance industry is one of the key challenges facing all its players. Digital technology is being implemented across the whole value chain, from distribution through underwriting to claims. This raises crucial questions concerning market dynamics and competitors, customer behaviour, data use, artificial intelligence and more. Swiss Re continues to promote a sound ethical base for processing and does so in part via the Digital Governance Framework we have developed (DGF). The DGF incorporates assessments of the ethical implications of personal data processing as well as compliance risk. It aims to balance the needs for fast business innovation and effective risk management.

Contact

If you have questions about this topic, or if you wish to exercise your privacy rights, please contact our Global Data Protection Officer, David Evans, and his team at Data Protection.

For US residents you can find the relevant contact telephone number here.

You can also ask us to remove you from marketing communications, and we will do so. We will respond to your requests in a timely manner and in compliance with relevant legal or regulatory requirements. We ask that corporate clients contact us through the usual business channels.
