Overview of WiiRe’ s Commitments to Privacy
WiiRe Risk Solutions, S.L., is an independent reinsurance intermediary authorised by the Dirección General de Seguros (DGSFP) with registered office at Calle Fernando el Católico 61, 28015. Madrid – Spain. Listed in the Company Register of Madrid under Volume 42470, Folio 150, Page M-751570, VAT no.: B16968653, and listed in the administrative register of the DGSFP (Spanish Directorate General of Insurance and Pension Funds) under Code RJ0100. Public Liability Insurance pursuant to Law 26/2006 of 17 July.
At WiiRe Risk Solutions, S.L. (“WiiRe”, ”we”, “us”, “our”), we regularly collect and use information which may identify individuals ("personal data"), including insured persons or claimants. We understand our responsibilities to handle personal data provided to us with care, to keep it secure and to comply with applicable data protection laws.
The purpose of this Fair Processing Notice is to provide a clear explanation of when, why and how we collect and use personal data ("Notice"). We have designed it to be as user friendly as possible, and have labelled sections to make it easy for you to navigate to the information that may be most relevant to you and to allow you to click on a topic to find out more.
Do read this Notice with care. It provides important information about how we use personal data and explains the legal rights of those whose personal data we process. This Notice is not intended to override the terms of any (re)insurance policy or contract you have with us or any rights you might have available under applicable data protection laws. We may amend this Fair Processing Notice from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. Please regularly check this Notice for updates.
1. WHO IS RESPONSIBLE FOR LOOKING AFTER PERSONAL DATA?
WiiRe Risk Solutions, S.L. (WiiRe) is either provided with personal data or in some cases may originally be responsible for collecting information and is a Controller.
You should be aware that although WiiRe may be principally responsible for looking after personal data provided to us, information may be held in databases which can be accessed by other WiiRe Group companies.
2. WHAT PERSONAL DATA DO WE COLLECT
Insured Persons
In order to advise, arrange, place and administer (re)insurance policies, we collect information about the policyholder and related parties. This may include background and contact information on the policyholder or their representative and matters relevant to the management of the (re)insurance policy and assessment of risk. The Policyholder may be an individual, company or their representative.
The level and type of personal data we collect varies depending on the type of policy in place. In some instances, it is necessary for us to collect and use Special Categories of Data, such as information about a past criminal conviction or health details. We are required to establish a legal exemption to collect and use Special Categories of Data – see Section 5.
From time to time, we may need to collect the personal data of third parties, for example an injured third party relevant to a claim under a liability policy. Wherever possible, you should take steps to inform the third party that you need to disclose their details to us, identifying WiiRe as your broker and providing them with a copy of this Fair Processing Notice.
Claimants
When making a claim under a policy, we will collect basic contact details, together with information about the nature of the claim and any previous claims. In respect of Insured Persons, we may need to check details of the insurance policy and the Insured Person’s claims history.
Depending on the nature of the claim, it may be necessary for us to collect and use Special Categories of Data, such as details of a personal injury that may have been suffered during an accident. We are required to establish a legal exemption to use Special Categories of Data – see Section 5 for further details.
For more information on what information we collect, please see Appendix 1.
3. WHEN DO WE COLLECT PERSONAL DATA?
Insured Persons
We may collect information about individuals from you directly when you engage us to advise you on your risks and to arrange, place and manage mid-term adjustments to (re)insurance policies.
Personal data about individuals and any beneficiary under a Policy may also be provided to us by (re)insurer(s), other brokers, employers, family members or any other third person who may be applying for a policy.
We may collect information from other sources where we believe this is necessary to assist in fighting financial crime. This may include consulting public registers, other online sources and other reputable organisations.
Claimant
We may collect information about individuals when we are notified of a claim and shall disclose such information to (re)insurers and other third parties such as a loss adjuster, assessors, third party administrators and claims handlers. We may also collect information about individuals if or when the claim is made by another person who has a close relationship with the claimant or is otherwise linked to the claim – for example if the policyholder is an employer of the claimant.
We may collect information about individuals from the insured as part of any disclosure about their previous insurance claims history.
We may also be provided with information by solicitors.
We may collect information from other sources where we believe this is necessary to assist in fighting financial crime. This may include consulting public registers, other online sources and other reputable organisations
4. WHAT DO WE USE PERSONAL DATA FOR?
Insured Persons
We may use personal data to advise insurance risks and arrange (re)insurance policies. We may need to use personal data for purposes associated with our legal and regulatory obligations as a (re)insurance intermediary.
Claimants
We may process personal data as part of the claims process. We may need to use personal data to evaluate the risk of potential fraud. We may use personal data related to your claim to inform the renewal process and potentially any future policy applications
5. HOW DO WE USE PERSONAL DATA?
We will make sure that we only use personal data for the purposes set out in Section 4 and in Appendix 2 where we are satisfied that:
Before collecting and/or using any Special Categories of Data we will establish a lawful exemption which will allow us to use that information. This exemption will typically be:
PLEASE NOTE. If explicit consent has been provided to permit us to process Special Categories of Data, such consent may be withdrawn at any time. However, please be aware that the withdrawal of consent may mean that we are unable to continue to provide (re)insurance services (and it may not be possible for the (re)insurance cover to continue). This may mean that we will not be able to arrange and place policies, advise on risks, assist with any policy enquiries or assist with claims which have made against the policies. If consent is withdrawn we will provide more information about the possible consequences, including the effects of cancellation, (which may include difficulties in finding other cover), as well as any associated cancellation fees. Please see
Appendix 2 to find out more about the information we collect and use and why.
6. WHO DO WE SHARE PERSONAL DATA WITH?
We work with many third parties, to help manage our business and deliver services. These third parties may from time to time need to have access to personal data.
For Insured Persons these third parties may include:
For Claimants this may include:
We may be under legal or regulatory obligations to share personal data with courts, regulators, law enforcement or in certain cases other insurers. Also, if we were to sell part of our businesses, we would need to transfer personal data to the purchaser of such businesses.
7. INTERNATIONAL TRANSFERS
From time to time we may need to share personal data with members of the WiiRe Group who may be based outside of the European Economic Area ("EEA"). Depending on the services we provide, we may also transfer personal data to (Re)insurers, our Service Providers or Assistance Providers, who may be located outside the EEA. We will always take steps to ensure that any international transfer of information is carefully managed to protect the rights and interests of the relevant individuals:
You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 11 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).
8. DATA ANALYTICS
We routinely analyse information in our various systems and databases to help improve the way we run our business, to provide a better service and to enhance the accuracy of our risk models. We take steps to protect privacy by aggregating and where appropriate anonymising data fields (particularly in relation to policy information and claim details) before allowing information to be available for analysis.
9. HOW LONG DO WE KEEP PERSONAL DATA?
We will retain personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Notice and Appendix 2. In some circumstances we may retain personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.
In specific circumstances we may also retain personal data for longer periods of time so that we have an accurate record of dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to personal data or dealings.
We maintain a data retention policy which we apply to records in our care. Where personal data is no longer required, we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.
10. WHAT ARE INDIVIDUAL S’ RIGHTS?
Individuals have a number of rights in relation to their personal data.
As an individual you may request access to your data, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability and various information in relation to any Automated Decision Making or the basis for international transfers. You may also exercise a right to complain to your Supervisory Authority. These are set out in more detail as follows:
RIGHT |
WHAT THIS MEANS |
Access |
You can ask us to:
|
Rectification |
You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it. |
Erasure |
You can ask us to erase your personal data, but only where:
We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:
|
Restriction |
You can ask us to restrict (i.e. keep but not use) your personal data, but only where:
We can continue to use your personal data following a request for restriction, where:
|
Portability |
You can ask us to provide your personal data to you in a structured, commonly used, machine readable format, or you can ask to have it 'ported' directly to another Controller, but in each case only where:
|
Objection |
You can object to any processing of your personal data which has our 'legitimate interests' as its legal basis (see Section 5) if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. |
International Transferes |
You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of the European Economic Area. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity. |
Supervisory Authority |
You have a right to lodge a complaint with your local Supervisory Authority about our processing of your personal data. In Spain, the Supervisory Authority for data protection is the Agencia Española de Protección de Datos (https://www.aepd.es).We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your Supervisory Authority at any time. |
To exercise your rights, you may contact us as set out in Section 11. Please note the following if you do wish to exercise these rights:
11. CONTACT AND COMPLAINTS
The primary point of contact for all issues arising from this Notice, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following ways:
admin@wiire.es
Delegado de Protección de Datos
WiiRe Risk Solutions, S.L.
Calle Fernando el Católico 61, 3ºA
28015 – Madrid – Spain
If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time.
APPENDIX 1: CATEGORIES OF PERSONAL DATA GLOSARIO Y TÉRMINOS
INFORMATION TYPE |
EXAMPLES OF DETAILS OF INFORMATION THAT WE MAY CAPTURE |
Insured Person |
|
Contact Details / Personal Attributes / Personal Directory |
Name, address, telephone number, email, age or date of birth, National identifier, licences e.g. driver or pilot |
Policy Information |
Policy number, relationship to the policyholder, details of policy including insured amount, exceptions etc., previous claims |
Personal Risk Information / Background Checks |
Gender, marital status, date of birth, claims history, professional history, CV, background/vetting information, claims history |
Financial Information |
Bank account details (where you are the payer of the policy premium) or card data used for billing, salary or wage details, insured amounts |
Marketing |
Name, email address, interests / marketing list assignments, record of permissions or marketing objections, website data (including online account details, IP address) |
Anti-fraud Data |
Name, address, history of fraudulent claims, employment history, details of incident giving rise to claim |
Claimant |
|
Contact Details / Personal Attributes / Personal Directory |
Name, address, passport, age or date of birth, National Identifier, email, marital status, birth certificate, death certificate, passport |
Policy Information (excluding third party claimants) |
Policy number, relationship to the policyholder/insured person, details of policy including insured amount, exceptions etc., previous claims |
Claim Details |
Details of incident giving rise to claim such as photographs, CCTV and video footages, utility bills |
Financial Information |
Bank account details used for payment, salary details |
Anti-fraud Data |
Name, address, history of fraudulent claims, employment history, details of incident giving rise to claim |
APPENDIX 2: LEGAL BASIS FOR PROCESSING
ACTIVITY |
TYPE OF INFORMATION COLLECTED |
THE BASIS ON WHICH WE USE THE INFORMATION |
WHO WE MAY DISCLOSE THE INFORMATION TO |
|
Insured Person |
||||
Set up a record on our systems |
|
|
|
|
Carry out background, sanction, fraud and credit checks |
|
|
|
|
Consider the underwriting submission, assess risk and write policy |
|
|
|
|
Manage renewals |
|
|
|
|
Provide client care, assistance and support |
|
|
|
|
Receive and return premiums and payments. |
|
|
|
|
Marketing |
|
|
|
|
Cumply with legal and regulatory obligations |
|
|
|
|
Claimant |
||||
Receive notification of claim |
|
|
|
|
Assess claim |
|
|
|
|
Monitor and detect fraud |
|
|
|
|
Settle claim |
|
|
|
|
Comply with legal and regulatory obligations |
|
|
|
APPENDIX 3: GLOSSARY
Assistance Providers: these are a special category of service provider, which we use to help provide you with emergency or other assistance in connection with certain policies.
Claimant: a party making a claim under a (re)insurance policy.
Claims Experts: these are experts in a particular field which is relevant to a claim, for example medicine, forensic accountancy, mediation or rehabilitation, who are engaged to help us properly assess the merit and value of a claim, provide advice on its settlement, and advise on the proper treatment of claimants.
Controller: means a natural or legal person (which determines the means and purposes of processing of personal data.
DGSFP: the Dirección General de Seguros y Fondos de Pensiones, which is the insurance regulatory body in Spain.
AEPD: the Agencia Española de Protección de Datos regulates the processing of personal data by all organisations within the Spain.
Insured Person: we use this term to refer to both individual Policyholders, as well as any individual who benefits from (re)insurance coverage under one of our policies (for example, where an employee benefits from coverage taken out by their employer).
Insurer: a company that underwrites an insurance risk.
Loss Adjuster: these are an independent claims specialist which investigates complex or contentious claims on our behalf.
Reinsurer: an insurer who insures the risks of other insurance companies.
Policyholder: means the original insured, assured, insured and reinsured.
Special Categories of Data: means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.
Grupo WiiRe: WiiRe Risk Solutions, S.L. or any other related company.
Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who provide / support 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.
Solicitors: we frequently use solicitors to advise on complex or contentious claims or to provide us with non-claims related legal advice. In addition, if you are a claimant you may be represented by your own solicitor(s).
Third Party Administrators (or TPAs): these are companies outside the WiiRe Group which administer the underwriting of policies, the handling of claims, or both, on our behalf. We require all TPAs to ensure that your personal data is handled lawfully, and in accordance with this Policy and our instructions.