united kingdom

By means of this privacy notice, we inform you about the processing of your personal data by AXA XL and the rights that have been granted to you in accordance with the applicable data protection legislation.

This information is also applicable in relation to the insured person. Where the insured person is not also the policyholder, the policyholder shall forward this information to the insured person.

In addition, this information also applies to third parties (e.g. legal representatives) who have been authorised by the customer and to which this information has been forwarded.

Controller Information / DPO Contact Details

In accordance with Art. 37 of the GDPR, AXA XL has appointed a Data Protection Officer (DPO). If you wish to contact the DPO of the Data Controller for your personal data, subject to the data processing, you can do so by mail adding "Data Protection Officer" or "DPO" to the post address below, or via e-mail at: legalcompliance@axaxl.com

Contact Details for AXA XL Companies

• AXA XL Insurance Company UK Limited
• AXA XL Underwriting Agencies Limited
• Angel Risk Management Limited
• XL Catlin Service SE (UK Branch)
• XL Re Europe SE (UK Branch)
• XL Insurance Company SE (UK Branch)

Address

20 Gracechurch Street
London, United Kingdom
EC3V 0BG

Web: https://axaxl.com

Purpose and Legal Basis of the Data Processing

We process your personal data in compliance with the EU General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA), the applicable provisions affecting or ensuring data privacy within the Insurance Act 2015, as well as all other applicable laws.

When applying for an insurance contract, we require your personal information to conclude the contract and to assess the risks that would be assumed by us. Once the contract has been concluded, the personal data is processed within the performance of the contractual relationship, e.g. for policing or invoicing. Information related to claims are necessary to ascertain whether the incident leading to the claim has occurred and to assess the amount of damage.

The conclusion or the performance of the insurance contract, as well as the processing of a claim, are not possible without processing your personal data. This applies also to quotation purposes.

We also require your personal data to compile statistics that are specific to the insurance industry, for instance to develop new pricing models or to fulfil regulatory requirements. We use the data contained in all contracts entered into with an AXA company to review the entire customer relationship, for instance to advise on policy adjustments, additions, for goodwill decisions or to provide complete information.

Legal basis for the processing of personal data for pre-contractual and contractual purposes and the handling of claims is Article 6 (1) (b) GDPR. Where special categories of personal data (e.g. your health data) are required for this purpose, we will obtain your consent in accordance with Article 9 (2) (a) in conjunction with Article 7 GDPR. Where we use these data categories to compile statistics, we do so in accordance with Article 9 (2) (j) GDPR in conjunction with Section 19 DPA.

Moreover, we process your personal data to protect our legitimate interests or the legitimate interests of third parties. The legal basis thereof is Art. 6 paragraph 1 (f) GDPR. This may be necessary in the following cases especially:

• to guarantee IT security and IT operations including testing (where not required for the performance of the contract already),
• for the marketing of our insurance products and other products by AXA Group companies and their cooperation partners, as well as for market surveys and opinion polls, unless you have objected to the use of your data for this purpose,
• for the prevention and prosecution of criminal offenses, unless this is already subject to a statutory obligation; in particular, we use data analysis and research (also in publicly accessible sources) to detect indications of insurance fraud,
• for risk management within AXA XL and the AXA Group as a whole,
• for business management and the improvement of processes, services and products.

In addition, we process your personal data for the fulfilment of legal obligations such as regulatory requirements, storage periods required under commercial and fiscal law or for the fulfilment of our advisory duties. The basis for processing in this case are the applicable statutory provisions in conjunction with Article 6 paragraph 1-point (c) GDPR.

Where we wish to process your personal data for a purpose not mentioned above, we will inform you in advance within the framework of our legal obligations, including on our website https://www.axaxl.com.

Data and data categories

We process, particularly the following data and data categories:

• Master and contract data (e.g. name, address, contact details, marital status, occupation, start and expiry dates, details of the risk to be insured)
• Special categories of personal data (e.g. health data, personal data)
• Information about personal situations (e.g. creditworthiness data, material assets)
• Data on your claims and other data arising from the fulfilment of our legal obligations
• Data on contacts to you and on transaction processing
• Roles of the data subjects (e.g. policyholder, insured person, injured party, witness)
• Powers of attorney
• Social insurance number, tax identification number
• Data of prospects

Categories of recipient of the personal data

Reinsurers:

We insure the risks we accept with special insurance companies (reinsurers). It may be necessary to submit your contract and possibly your benefit/claim data as well to a reinsurer so that it may form its own opinion of the risk or the claim. We may also obtain advice from the reinsurer AXA XL based on its particular expertise in risk or benefit assessment or in the evaluation of procedural matters. We only transmit your data to the reinsurer where it is necessary for the performance of our insurance contract with you, i.e. in the extent that is required to protect our legitimate interests.

Intermediaries:

Where you receive assistance from an intermediary regarding your insurance contracts, your intermediary will process the application, contract and loss data required to conclude and perform the contract. AXA XL also transmits this data to the intermediaries who are responsible for you, insofar as they require the information for your support and advice in their insurance and financial services matters.

Data processing within AXA Group:

Specialized companies or divisions within our group of companies are assigned central responsibility for certain data processing tasks for the group of affiliated companies. Where you have entered into an insurance contract with one or several companies in our group, your data may be processed centrally by a group company, for instance for the central management of address data, for telephone customer service, for the processing of contracts and benefits/claims, for collections/disbursements or for the central processing of mail.

External service providers:

In some cases, we use external service providers in order to comply with our contractual and legal obligations as well as to pursue our legitimate interests. These include in particular: experts, appraisers, lawyers, loss adjustors, and fiscal representatives; service companies, especially regarding IT, postal, and document management services; advertisers and advertising networks to send you marketing communications, as permitted under local law and in accordance with your contractual preferences and consent.

Other recipients:

In addition, we may transfer your personal data to other recipients, such as public authorities (e.g. due to statutory notification obligations to social insurance carriers, tax authorities or criminal prosecution authorities), credit institutions (e.g. to process payment transactions), or credit agencies (e.g. to check creditworthiness and assess risks).

Period of data storage

We erase your personal data as soon as it is no longer necessary for the purposes set out above. However, this period may be extended by statutory retention or limitation periods. For this reason, data retention with AXA XL is subject to an internal retention policy, that governs the deletion of data, taking into account the statutory minimum and maximum periods. As these periods may vary according to the purpose of the processing, please contact our Data Protection Officer for further information.

Rights of the data subject

You may exercise the following rights at the address indicated in the application form:

• Confirmation and access to personal data stored about you (Art. 15 GDPR).
• Rectification or completion of inaccurate or incomplete data (see also Art. 16 GDPR);
• Immediate erasure of data concerning you (Art. 17 GDPR), or the restriction of the processing in accordance with Art. 18 GDPR, if a deletion should is not yet to be considered for reasons pursuant to Art. 17 para. 3 GDPR;
• Reception of the data concerning you, and which have been provided by you, in a structured, common and machine-readable format as well as transmission of those data to other providers/controllers (Art. 20 GDPR);
• Complaint to the supervisory authorities listed below, if you are of the opinion that the processing of personal data relating to you infringes any of the data protection regulations (Art. 77 GDPR).

Right to object

You have the right to object to the processing of your personal data for direct marketing purposes.

Where we process your data to pursue our legitimate interests, you may object to this processing on grounds relating to your particular situation that contradict data processing.

Data Protection Supervisory Authorities

The data protection supervisory authorities competent for us are:

As lead data protection supervisory authority within the meaning of Art. 56, 60 GDPR

Data Protection Commission
(An Coimisiún um Chosaint Sonraí)

21 Fitzwilliam Square South
Dublin 2
D02 RD28
Eire

as well as the data protection authority for the fulfilment of tasks and exercise of competences in the territory of the United Kingdom (Art. 55, 60 GDPR)

Information Commissioner's Office (ICO)

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

In general, you can address written complaints to both supervisory authorities.

Exchanging data with your previous insurer

In order to be able to check and, if necessary, amend your details when the insurance contract is established or when the insured event occurs, personal data may be exchanged to the necessary extent with the previous insurer named by you in the application form.

Data transfer to a third country

Where we transfer personal data to AXA companies and service providers outside the European Economic Area (EEA), We provide safeguards to ensure the security and the confidentiality of your personal data, by framing the transfer through either (i) the Standard Contractual Clauses adopted by the European Commission or (ii) through Binding Corporate Rules when your personal data is transferred to other entities of the AXA Group.

Last Status: June 2020

republic of ireland

This Data Protection Statement provides information about the ways in which XL Insurance Company SE, XL RE Europe SE and XL Catlin Services SE (AXA XL or we or us) collect, store and use personal data relating to individuals (data subjects).

General

AXA XL is committed to ensuring your privacy and personal information is protected. The document that referred you to this statement (for example, your insurance policy) will set out details of the processing activities and the respective entity or branch that is processing your personal information.

It is important that you read this Data Protection Statement and, if you are a customer, show it to anyone else who is insured under your policy of insurance. Please also make sure that anyone else who is insured under your policy has given you consent to act on their behalf in providing their personal information to us.

By providing your personal information or the personal information of someone included in your policy, you acknowledge that we may use it only in the ways set out in this Data Protection Statement. We may provide you with further notices highlighting certain uses we wish to make of your personal information.

From time to time we may need to make changes to this Data Protection Statement, for example as a result of government regulation, new technologies, or other developments in data protection laws or privacy generally. We encourage you to review periodically the AXA XL website mentioned below to see the most up to date Data Protection Statement.

Controller Information / DPO contact details

In accordance with Art. 37 GDPR, AXA XL has appointed Iris Lanher as the Data Protection Officer (DPO). If you wish to contact the DPO of the Data Controller for the personal data subject to the data processing, you can do so by mail adding "Data Protection Officer" or "DPO" to the address below, or via e-mail at: legalcompliance@axaxl.com

Contact Details

• XL Insurance Company SE
• XL Re Europe SE
• XL Catlin Services SE

Address

8 St Stephen's Green
Dublin 2
D02 VK30
Eire

Tel: +353 1 607 5300
Fax: +353 1 607 5333
Web: https://axaxl.com

Legislation

AXA XL processes personal data in the context of its role as an insurance company under the legislative frameworks of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR), the Irish Data Protection Act 2018, the Irish Insurance Acts 1909-2009 and the regulations made under those Acts, as well as all other relevant legal provisions.

Our Privacy Principles

When we collect and process your personal information, we ensure to look after it properly and process it in accordance with our privacy principles set out below, keep it safe and to never sell it.

1. Personal information you provide is processed fairly, lawfully and in a transparent manner.
2. Personal information you provide is collected for a specific purpose and is not processed in a way which is incompatible with the purpose for which AXA XL collected it.
3. Your personal information is adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
4. Your personal information is kept accurate and, where necessary, kept up to date.
5. Your personal information is kept no longer than is necessary for the purpose for which the personal information is collected and processed.
6. We will take appropriate steps to keep your personal information secure.
7. Your personal information is processed in accordance with your rights.
8. We will only transfer your personal information to another country or an international organisation outside the European Economic Area (EEA) where we have taken the required steps to ensure that your personal information is protected. Such steps may include placing the party we are transferring information to under contractual obligations to protect it to adequate standards.
9. AXA XL does neither sell your personal information nor permit the selling of customer data by companies who provide services to AXA XL.

How do we collect personal information?

The personal information we require about you (and, if applicable, other people insured under your insurance policy) will be gathered and stored as set out in this Data Protection Statement. Whilst there are several ways we collect your personal information; the two main ways are information you provide us with (which could include what you have written on an application form) or information we obtained by asking other organisations to share with us.

If you are a broker or business partner we may also collect your personal information from our day to day business activities with you, business referrals and your attendance at events. The categories of personal data being collected and processed are listed in Section 4 'What personal information do we collect?' below.

In order to gather the personal information, we require about you, we may:

1. obtain personal information directly from you or anybody else insured under your insurance policy, your broker (or other representative), our agents, other insurance companies, and third parties who provide premium financing;
2. obtain personal information from third parties involved in an incident in which you and/or anybody insured under your policy of insurance are involved, including (without limitation) other drivers, passengers of your or any other vehicle, pedestrians, witnesses, neighbours, other insurance companies, solicitors representing any third party (whether in civil or, where applicable, criminal proceedings), any other expert appointed by a third party, or any other relevant person involved in the claims process;
3. carry out searches, whether online (via websites with publicly available information and various industry websites), through various media outlets (including, without limitation, newspapers, television and radio) or otherwise (including, without limitation, government or industry registers);
4. carry out credit, anti-money laundering and sanction list searches, usually through a third party;
5. obtain personal data from medical professionals and hospitals, the emergency services, such as the police, and any other relevant investigatory body or authority (in limited, mainly claims related, circumstances);
6. if you are a broker or business partner, obtain personal information from our day to day business activities with you, business referrals and your attendance at events; and
7. collect personal information via cookies. You can find out more about this in Section 10 'Cookie Policy'.

It is important that the information you give us is correct. You have a legal obligation to take reasonable care not to provide us with inaccurate, incorrect or incomplete information. If this happens we have certain legal rights which may include avoidance of the contract of insurance and refusal of all claims if you are a customer. As a result, you may also find it difficult to arrange this type of insurance in the future.

What personal data does AXA XL process?

Personal Data:

As set out above, AXA XL processes personal data. This includes personal data received by AXA XL in the course of its activities as an insurance company. These include:

• basic personal information, such as a data subject's name and surname, date and place of birth, and, if needed, further identification information such as utility bills, national insurance number, passport and drivers' licence, employment details,
• contact information, such as a data subject's postal and, if needed, professional address, email address, and phone number
• other personal information that AXA XL requires in connection with the conclusion of an insurance contract or for the processing of a claim, in particular: employment details, financial information (i.e.: bank and credit card details), information about assets relevant to an insurance policy or claim (vehicle, real estates, art and valuables, etc.).

Sensitive Data

When exercising our rights and obligations under the insurance contract, it may be necessary to process sensitive data categories within the meaning of Art. 9 (1) GDPR. Such sensitive data may include personal data relating to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; health data; and data concerning a natural person's sex life or sexual orientation. Whether such sensitive data is processed results from the respective insurance contract or circumstances (e.g. claims settlement). If necessary, consent as referred to in Art. 9 (2) (a), Art. 7 GDPR will be obtained prior to the processing. The sensitive data categories subject to the processing may also serve for the compilation of statistics within the meaning of Art. 9 (2) (j) GDPR and Sections 42, 54 Data Protection Act 2018.

Data relating to criminal convictions and offenses

AXA XL occasionally also processes personal data relating to criminal convictions and offences. This also applies, in particular, to criminal data processed in connection with a claim, when the incident leading to the claim has been caused by an unlawful behaviour of a third party that may possibly be held liable. Further processing activities regarding criminal data may arise from the legal obligations of the Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 and 2013 and (Amendment) Act 2018.

What is the legal basis for the processing of personal data by AXA XL?

If you are a customer we mainly use your personal information so that we can provide a quote, set up, administer and manage your policy, including carrying out a risk survey, and to assess and pay claims as part of an insurance contract. However, there are several other reasons why we use your personal information; please see below for a more detailed list of how we use your personal information.

If you are a broker or business partner we mainly use your personal information for day to day business activities with you and to provide you with information relevant to our services in accordance with our marketing strategy, including a periodic newsletter, and invitations to events.

We may process your personal information for a number of different purposes. Data protection laws prescribe us to need a reason to use and process personal data. We have set out below the main reasons why we process your personal information and the applicable circumstances when we will do so. When the personal information we process about you is classed as sensitive personal information (known as 'Special Categories') (such as details about your health or criminal offences) we must have an additional legal ground for such processing, or where appropriate, we apply a specific exemption for insurance purposes.

1. Processing is necessary in order for us to provide a quote on your insurance policy and services, such as assessing your application and setting you up as a policyholder, administering and managing your insurance policy, providing all related services including a risk survey, investigating or handling claims made by or against you or anybody insured under your policy of insurance, paying claims and communicating with you. In these circumstances, if you do not provide such information, we will be unable to offer you a policy or process your claim.
   
   Legal grounds:
   • the processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract (including a quote that is not taken up);
   • the processing is necessary for compliance with a legal obligation to which we are subject; and
   • the processing is necessary for the purpose of the legitimate interests pursued by us or by a third party. Our legitimate interest is to use your personal information to administer your insurance policy, handle claims and make certain types of payment that are not required by law or contract.
2. To verify your (or your authorised representative's) identity in any interaction between us and you (or your authorised representative), whether in person, on the telephone, online, or where necessary in any other circumstances
   
   Legal ground:
   • the processing is necessary for compliance with a legal obligation to which we are subject.
3. To assess your insurance needs and to assess the nature and level of the risk associated with your proposed insurance policy to determine your eligibility and (if you are eligible) your premium.
   
   Legal ground:
   • the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract (including a quote that is not taken up).
4. Where we have a legal or regulatory obligation to use such personal information, for example with our regulators, the Central Bank of Ireland (CBI) and our data protection regulator, the Data Protection Commission (DPC).
   
   Legal grounds:
   • the processing is necessary for compliance with a legal obligation to which we are subject.
5. Where we need to use your personal information to establish, exercise or defend our legal rights, for example when we are faced with any legal claims or where we want to pursue any legal claims ourselves.
   
   Legal grounds:
   • the processing is necessary for compliance with a legal obligation to which we are subject;
   • the processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract; and
   • processing is necessary to protect your vital interests.
6. For the detection and prevention of fraud, money laundering and other offences and to assist the police or any other authorised investigatory body or authority with any inquiries or investigations. Where permitted by law we also work with and share data with various bodies including other insurers, anti-fraud bodies and law enforcement agencies to help prevent fraudulent behaviour. In some cases, we are required by law to report details of certain criminal activities and suspected criminal activities to the appropriate authorities.
   
   Legal grounds:
   • the processing is necessary for the purpose of the legitimate interests pursued by us or by a third party. Our legitimate interest is to investigate and prevent potential fraudulent and other illegal activity;
   • the processing is necessary for compliance with a legal obligation to which we are subject; and
   • the processing is necessary for the performance of a task carried out in the public interest.
7. To manage and investigate any complaints.
   
   Legal grounds:
   • the processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract;
   • the processing is necessary for compliance with a legal obligation to which we are subject; and
   • the processing is necessary for the purpose of the legitimate interests pursued by us or by a third party. Our legitimate interest is to provide good customer service and to resolve complaints you may have at the earliest opportunity.
8. For reinsurance purposes.
   
   Legal grounds:
   • the processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract.
9. AXA Group reporting purposes (where necessary).
   
   Legal grounds:
   • the processing is necessary for the purpose of legitimate interests pursued by us or by a third party. AXA's legitimate interests are the proper running of its business.
10. For statistical analysis, to review and improve performance of our products, services, processes, systems and website or to investigate the possibility of new processes, products or services and buy and sell any business or assets. Where possible we will anonymise the information we analyse.
    
    Legal grounds:
    • the processing is necessary for the purpose of legitimate interests pursued by us or a third party. Our legitimate interest is to engage in activities to improve and adapt the range of products and services we offer and to help our business grow, to monitor business performance and to monitor that systems and process are effective and efficient.
11. For our own management information purposes including: managing our business operations such as monitoring business performance, maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g. tax or legal advice). We also undertake measures to secure our systems and to ensure the effective operation of our systems.
    
    Legal grounds:
    • the processing is necessary for the purpose of legitimate interests pursued by us or a third party. Our legitimate interest is to understand our business, monitor performance, maintain appropriate records and to protect the security of our systems.
12. For staff training, performance and discipline.
    
    Legal grounds:
    • the processing is necessary for compliance with a legal obligation to which we are subject; and
    • the processing is necessary for the purpose of legitimate interests pursued by us or by a third party. Our legitimate interest is the proper running of the business and to provide good quality customer service.
13. In order to store personal information and make back-ups of that information in case of emergencies and for disaster recovery purposes.
    
    Legal grounds:
    • the processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract; and
    • the processing is necessary for compliance with a legal obligation to which we are subject.
14. For compliance with all relevant laws and regulations; and/or
    
    Legal grounds:
    • the processing is necessary for compliance with a legal obligation to which we are subject.
15. For day to day business activities with you and to provide you with information relevant to our products and services in accordance with our marketing strategy, including a periodic newsletter and invitations to events.
    
    Legal grounds:
    • The processing is necessary for the purpose of legitimate interests pursued by us or by a third party. Our legitimate interest is to educate you on our products and services, to develop our business relationship with you and to grow our network and business.
16. The processing is necessary for the purpose of legitimate interests pursued by us or by a third party. Our legitimate interest is to educate you on our products and services, to develop our business relationship with you and to grow our network and business.

Who are the recipients of personal data processed by AXA XL?

There are various circumstances where we may share your personal information with other parties. Generally, this includes your representatives, our representatives and, if a claim is made, various claims related parties.

While the exact list of third parties changes from time to time, we feel that it is important that you have an idea of the types of third party that we share information with. The category headings and types of third party set out below are a non-exhaustive list and are only indicative of the companies and individuals with whom we share information where we need to do so.

1. Your representatives:

   Other people or companies associated with you (for example your broker, including the software providers that facilitate the transfer of data to and from them), any party you have given us permission to speak to (such as relative, friend or employee), in certain circumstances other people insured under your policy of insurance.

2. Our representatives:

   Our employees, agents, insurance companies and managing agents that provide cover under your insurance policy, premium credit providers, contractors including companies that provide services in relation to telecommunications and postage, data storage, document management and deletion, IT and IT security, fraud detection, making and receiving payments, data analysis and management information and risk analysis.

3. In a claim situation:

   1. loss adjusters, our service providers and expert witnesses including but not limited to those relating to the assessment of liability, the assessment, repair, and replacement of property (including buildings, land and personal effects); solicitors and barristers;
   2. the agents, service providers and claims experts of people making claims against the policies or our customers including but not limited to those relating to the assessment of liability, the assessment, repair, and replacement of property (including buildings, land and personal effects); solicitors and barristers;
   3. witnesses to any incident(s) (whether resulting in a claim or not).

4. Other third parties:

   Reinsurers, other insurance companies, external advisors (such as solicitors and accountants) and auditors, other AXA Group companies, third parties with whom we may choose to improve our processes, products or services, to deliver services or to investigate the possibility of new processes, products or services.

5. State or government departments, bodies or agencies.

   Disclosure of personal information to a third party outside AXA Group will only be made where the third party has agreed to keep your information strictly confidential and shall only be used for the specific purpose for which we provide it to them.

We may also disclose your personal information to other third parties where:

1. We are required or permitted to do so by law or by regulatory bodies such as where there is a court order, statutory or regulatory obligation or Information Commissioner's Office request; or
2. We believe that such disclosure is necessary in order to assist in the prevention or detection of any criminal action (including fraud) or is otherwise in the overriding public interest.

Some of the recipients set out above may be in countries outside the EEA. In the event of a transfer of personal data outside the EEA we will take the required steps to ensure that your personal information is protected.

Where we transfer personal data to AXA companies and service providers outside the European Economic Area (EEA), We provide safeguards to ensure the security and the confidentiality of your personal data, by framing the transfer through either (i) the Standard Contractual Clauses adopted by the European Commission or (ii) through Binding Corporate Rules when your personal data is transferred to other entities of the AXA Group.

How long does AXA XL retain personal data?

The retention periods for personal data held by AXA XL are based on the requirements of the data protection legislation set out above and on the purpose for which the personal data is collected and processed. The retention periods applied by AXA XL to personal data which it processes are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action.

Your Rights

You have the following rights in relation to our use of your personal information. However, certain restrictions may apply in some cases.

(1) Right to access your personal information

You have the right to be given details about the personal information concerning you that we hold and why and how we use it. You also have the right to obtain a copy of the personal data we hold about you.

(2) Right to rectification

We take reasonable steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, please contact us and ask us to update or amend it.

(3) Right to erasure

You have the right to demand the erasure of your personal data, for example where the personal information we collected is no longer necessary for the original purpose or, where you withdraw your consent (where the legal grounds for processing was consent). However, this will need to be balanced against other factors. For example, according to the type of personal information we hold about you and why we have collected it, there may be some legal and regulatory obligations which mean we cannot comply with your request.

Where you request the erasure of personal information, we will need to keep a record of your request so we know that the deletion has happened and why. However, we will keep the record in such a way as to remove as much of the information you have asked us to delete as possible, while accurately reflecting the activity.

In certain circumstances we may need to retain some information to ensure all of your preferences are properly respected. For example, we cannot erase all information about you where you have also asked us not to send you marketing material. Otherwise, we would delete your preference not to receive marketing material.

(4) Right to restriction of processing

In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to process your personal information.

(5) Right to data portability

In certain circumstances, you have the right to ask that we transfer any personal information that you have provided to us to another third party of your choice. Once transferred, the other party will be responsible for looking after your personal information.

(6) Right to object

Where we stated in this document that we process your personal information on the basis of a legitimate interest, you are entitled to object to the processing in question on grounds relating to your particular situation (see the legal grounds for processing set out in Section 5 'How do we use your personal information?'). We will then stop processing the personal information in question unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or unless we need to use it in relation to legal claims.

Therefore, if you want to exercise this right, please contact the Data Protection Officer (details in Section 1 'General' above) setting out the reasons why you want us to stop processing your data based on your particular situation. We will then evaluate whether your rights outweigh the necessity of our purpose(s).

However, please note that if you object to us processing your data, we may not be able to provide certain services or benefits you would otherwise be entitled to under your insurance policy.

(7) Right to object to direct marketing

You can ask us to stop sending you marketing messages at any time. However, it is not our practice to provide direct marketing to insurance policyholders.

(8) Right not to be subject to automated individual decision making, including profiling

You have the right not to be subjected to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you.

However, in certain circumstances we are entitled to use automated decision-making and profiling. These circumstances are restricted to situations where the decision is necessary for entering into, or performance of, a contract between you and us (i.e. your insurance policy or quote), where it is authorised by law or where you have provided explicit consent.

Should we use automated decision-making you will always be entitled to have a person review the decision, to express your point of view and contest the decision. However, it is not our practice to use automated individual decision-making, including profiling.

(9) Right to withdraw consent

For certain uses of your personal information, we may ask for your consent. Where we do this, you have the right to withdraw your consent to further use of your personal information. Withdrawal of consent would not invalidate any processing we carried out prior to your withdrawal of consent. Please note that in some cases we may not be able to process your insurance if you withdraw your consent.

We do not general rely on consent for processing personal information in relation to insurance contracts; we generally rely on other legal grounds, such as the basis that processing is necessary for the performance of a contract to which you are party.

(10) Right to Complain

If you have any concerns in relation to the way AXA XL processes your personal data, you can either contact our Data Protection Officer (DPO) by writing or e-mail under the aforementioned contact data, or address your issue directly to the following competent supervisory authority:

Data Protection Commission

(An Coimisiún um Chosaint Sonraí)

21 Fitzwilliam Square South
Dublin 2
D02 RD28
Eire

Obtaining a copy of the Privacy Policy

A copy of this Data Protection Statement in PDF format can be obtained by contacting us via the DPO Contact Details above.

Cookie Policy

For information on the cookies we use and how to manage them, please see our Cookie Policy https://axaxl.com

Last Status: June 2020