Privacy and professional secrecy policy
The West of England Ship Owners Mutual Insurance Association (Luxembourg), hereinafter referred to as 'the Club': Privacy and Professional Secrecy Policy
Introduction
The EU Regulation n°2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) and any applicable national data protection laws (including but not limited to the Luxembourg law of 1st August 2018 organizing the National Commission for data protection and the general system on data protection, as amended from time to time) (collectively hereinafter the “Data Protection Laws”) provides individuals with control over their personal information.
The Club and its Manager, West of England Insurance Services (Luxembourg) S.A., regulated by the Luxembourg Commissariat aux Assurances, including their branches located in the United Kingdom, Hong Kong and Singapore, acting as data joint-controllers (“the Data Controllers” or “we”) collect, store and otherwise process by electronic or other means the data supplied by:
- the Members;
- any natural person related to the Members such as its contact person(s), employee(s), agent(s), representative(s) and/or beneficial owner(s) at the time of entry into the contract of Indemnity Insurance and during its execution;
- any Claimant or natural person related to a Claimant;
collectively (the “Data Subjects”) for the purposes outlined below.
The Data Subjects may, at their discretion, refuse to communicate the Personal Data to the Data Controllers. In this event however the Data Controllers may reject the entry into the contract of insurance if the relevant Personal Data is necessary to such entry or to enable the Data Controllers to handle an insurance claim.
In addition, the Data Controllers are subject to the laws and regulations of the Grand Duchy of Luxembourg. They are therefore subject to a duty of professional secrecy applicable to all activities carried out from the Grand Duchy of Luxembourg, pursuant to Article 300 of the law of 7 December 2015 on the insurance sector, as amended.
Purposes for the collection of Personal Data
The data processed includes the Data Subjects’ name, contact details (including postal and/or e-mail address), date and place of birth, professional title, signature, passport or ID card number (the “Personal Data”).
Subject to the Data Protection Laws, the Data Controllers will use the Personal Data, for various purposes depending on its relationship with the Data Subjects.
In particular, if false or inaccurate information is provided by the Data Subject or on his/her behalf or if we suspect or identify fraud, money laundering or terrorism financing, we will record this and may pass this information to fraud prevention agencies, law enforcement agencies and other organisations involved in crime and fraud prevention, who may access and use this information to prevent and detect fraud and money laundering.
We may use this information for those purposes when checking policy application details or during the policy term or at renewal. We may make searches during the policy term or at renewal. We may make anti-money laundering and counter terrorism financing checks during the policy term or at renewal.
In accordance with legal and regulatory requirements and our compliance and risk management procedures, we undertake due diligence and screening on the business that we underwrite, any financial transactions we make and all other non-underwriting activities in which we engage. This will include checking the Personal Data against sanctions lists, such as those published by the United Nations, the European Union, the UK Treasury and the USA Office of Foreign Assets Control (OFAC). If the checks reveal an actual or potential match with a sanctioned person or entity, we may provide details of the match, together with any information that we hold about a Data Subject or an entity or that is disclosed on the sanctions’ lists, to regulators, governments and law enforcement bodies for further investigation, legal or risk management purposes.
We may also contact the Data Subject or the entity to obtain further details which may help us to clear or confirm the potential match. We may retain the information that has been collected or used to carry out the checks, and records of the checks, for the period required to comply with our internal compliance and data retention policies.
The purposes of our data processing activities can thus be summarized as follows:
i. to enter into and execute the contract of insurance,
ii. to send information requested, to handle insurance queries, applications and any policy and related claims,
iii. to manage and deal with claims against our insured customer or to deal with an appointed agent, or representatives,
iv. for underwriting, claims handling, fraud prevention, anti-money laundering and counter terrorism financing purposes,
v. for relationship development and management,
vi. for compliance with our legal, regulatory and governance obligations.
Legal bases for the collection of Personal Data
The Personal Data are processed for the legitimate interests of the Data Controllers, in order to enter into and perform the insurance contract and to comply with legal obligations imposed on the Data Controllers.
The “legitimate interests” of the Data Controllers referred to above are:
(a) the processing purposes described in point (v) of the above paragraph of this clause;
(b) the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure;
(c) compliance with foreign laws and regulations and/or any order of a foreign court, government, supervisory, regulatory or tax authority;
(d) risk management; and
(e) exercising the activity of the Data Controllers in accordance with reasonable market standards.
Sensitive Personal Information
We may need to collect sensitive Personal Data such as information about physical or mental health or medical conditions in order to provide the relevant Data Subject with the insurance services he/she subscribed or to handle claims.
As part of its compliance with legal obligations such as AML/KYC, the Data Controllers may be required to process special categories of Personal Data as defined by the GDPR, including Personal Data relating to criminal convictions and offences.
Where sensitive personal information is collected, it will only be used for the specific purposes for which it was provided.
Transferring Personal Information
The Personal Data may be processed by the Data Controllers’ data recipients (the “Recipients”) which, in the context of the above-mentioned purposes, refer to the subsidiaries of West of England Insurance Services (Luxembourg) S.A. as well as any other third party supporting the activities of the Data Controllers.
The Recipients may, under their own responsibility, disclose the Personal Data to their agents and/or delegates (the “Sub-Recipients”), which shall process the Personal Data for the sole purposes of assisting the Recipients in providing their services to the Data Controllers and/or assisting the Recipients in fulfilling their own legal obligations.
The Personal Data will be stored in the EEA and UK and in those countries where the Data Controllers maintains offices.
Should we need to share your Personal Data with branches and offices outside the European Economic Area (the “EEA”) and UK, e.g., Singapore, Hong Kong and the United States, our insurance partners, loss adjusters and other third parties who act for us for further processing, all reasonable measures will be taken to safeguard your Personal Data in a manner that complies with the GDPR and guidance from the European Data Protection Board.
The Recipients and Sub-Recipients may, as the case may be, process the Personal Data as data processors (when processing the Personal Data on behalf and upon instructions of the Data Controllers and/or the Recipients), or as distinct data controllers (when processing the Personal Data for their own purposes, namely fulfilling their own legal obligations).
The Personal Data may also be transferred to third-parties such as governmental or regulatory agencies, including tax authorities, in accordance with applicable laws and regulations. In particular, Personal Data may be disclosed to the Luxembourg tax authorities, which in turn may acting as data controller, disclose the same to foreign tax authorities.
Retaining your Personal Information
Retention of the Personal Data will depend on our obligations:
- to fulfil our commitments to the Data Subjects,
- to fulfil any statutory or regulatory requirements,
- to evidence events/agreements in case of disputes,
- to meet our operational needs.
Personal Data shall not be retained for periods longer than those required for the purpose of their processing subject to any limitation periods imposed by law.
Controlling the Personal Data
The Data Subjects have the following rights in relation to their Personal Data:
the right to access his/her Personal Data,
- the right to request the rectification of inaccurate or incomplete Personal Data,
- the right to request the erasure of the Personal Data if there is no compelling reason for us to continue processing it;
- the right to object to the processing of their Personal Data,
- the right to restrict the use of their Personal Data,
- the right to ask for erasure of their Personal Data,
- the right to ask for Personal Data portability.
Please help us to ensure your personal information is accurate by telling us as soon as reasonably possible in the event of a change of address, contact details or other circumstances.
The Data Subjects also have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (the “CNPD”) at the following address: 15, Boulevard du Jazz, L-4370 Belvaux, Grand-Duchy of Luxembourg; or with any competent data protection supervisory authority of their EU Member State of residence.
Data Integrity and Security
The security measures in place on our website and computer systems are designed to protect the loss, misuse or alteration of the Personal Data.
Other Websites
Please note that we are not responsible for the privacy policies or content of any websites linked to our website.
Professional secrecy
The Members expressly acknowledge and accept that the Data Controllers may be required, in the interest of the Members and in order to comply with their obligations and efforts to provide services of the highest level, to outsource or entrust certain tasks, activities, functions and/or services related to the performance of the insurance policies (the “Activities”), to external service providers, (including the subsidiaries of West of England Insurance Services (Luxembourg) S.A., group affiliates, reinsurers, brokers, legal counsels, auditors, IT service providers, credit institutions) or other service providers, who may or may not be regulated (the “Service Providers”).
Activities include, among others, policy administration, claims management, surveyors, IT services including data storage, internal audit, actuarial.
The Members acknowledge and accept that the Data Controllers (including their directors, managers, employees, agents and other person in their service) may, in the context of the Activities, share, transmit and disclose to the Service Providers certain data concerning the Members, their authorised representative(s), the insured and/or the beneficiary(ies) of the insurance policies, which have been provided by the Members (the “Confidential Data”).
The Confidential Data that the Data Controllers may share, transmit and disclose with the Service Providers include in particular the Member's name, registered office, date of incorporation and description of activities; personal data of the Member's staff (e.g. first name, surname, date and place of birth, passport or ID card number and contact details; the beneficial owner(s); the authorised representative); and general information relating to the Members’ assets and funds that have been provided by the Member to the Association.
The Members acknowledge and accept that the Service Providers are established in countries both inside and outside the European Economic Area (the “Countries”), as listed below:
- Germany
- Greece
- Hong Kong
- Ireland
- Netherlands
- Norway
- Singapore
- Sweden
- U.A.E
- United Kingdom
- U.S.A.
The Members acknowledge and accept that the above lists of Activities, Confidential Data and Countries may be amended and/or supplemented from time to time and expressly undertake to consult it regularly on its web site.
Changes
If we change our privacy and professional secrecy policy in any way, we will post these changes on this website and the changes will become effective as soon as we publish them.
Any changes to the lists included in the Professional Secrecy section of this policy will be notified to the Members in writing and will be deemed to have been approved by each Member unless the latter sends a written objection to the Data Controllers by registered letter within sixty (60) working days of the notification at “The West of England Ship Owners Mutual Insurance Association (Luxembourg)”, 31 Grand Rue, L-1661 Luxembourg, G.D. Luxembourg.
This authorisation/consent shall remain in force until the end of the business relationship between each Member and the Club or the Manager.
It is your responsibility to check this privacy and professional secrecy policy whenever you access the website and we encourage you to review this periodically.
Contact and supervisors
If you have any questions about this policy or if you wish to exercise any of your rights in relation to the personal information we hold about you, please contact us at mail@westpandi.com or at The West of England Ship Owners Mutual Insurance Association (Luxembourg), 31 Grand Rue, L-1661 Luxembourg, G.D. Luxembourg.
In addition, you may refer to the data protection authorities in the jurisdictions in which the Data Controllers operate:
• The Commission Nationale pour la protection des données (“CNPD”), Luxembourg ;
• The Information Commissioner’s Office (“ICO”), United Kingdom;
• The Office of the Privacy Commissioner for Personal Data (“PCPD”), Hong Kong;
• The Personal Data Protection Commission (“PDPC”), Singapore.