What is this notice?

This is the “AXIS EU/UK/SWITZERLAND Privacy Notice”. The notice applies to all individuals purchasing a policy with AXIS Capital Group (“AXIS”) or benefitting from an insurance policy purchased by an employer or third party on their behalf and to all AXIS business partners.

At AXIS, we routinely collect and use personal information about individuals, including insured persons, claimants or business partners. We take our responsibilities to handle your personal data with care very seriously and protecting the privacy of your personal data is of great importance to us. In this Privacy Notice, we want you to understand when, why and how we collect and use personal information about you, your rights regarding this information, the conditions under which we may disclose it to others and how we keep it secure.

We may amend this notice at any time, but we shall ensure that the most recent version of the document will always be available on our website.

Important: This Privacy Notice does not supersede the terms of any insurance policy or contract you have with AXIS, nor does it limit or affect any rights you have under applicable data protection regulations.

Who collects your personal data?

AXIS is a group of companies that operate in various jurisdictions around the world. The AXIS entity that originally collected data from you will be principally responsible for managing your personal data (“Data Controller”) and will be responsible for deciding how your personal data will be held and used.

To find out the identity of the AXIS company or companies that collect personal data about you as part of providing insurance coverage, check:

  • If you purchased the policy yourself, the AXIS company you contracted with or your broker (if purchased through a broker) will provide you with the details of the AXIS company.
  • If your employer or other third party purchased the insurance for your benefit, your employer or the third party will provide you with the details of the AXIS company.
  • If you are an AXIS business partner, your contact at AXIS will provide you with the details of the AXIS company.
  • If your personal data is transferred to another entity (for example, a reinsurer or third-party claims administrator), your AXIS insurer will provide you with the details of the other entity.

AXIS companies that receive your personal data each constitute a separate Data Controller, each of which is responsible for deciding how it holds and uses your personal data.

AXIS is subject to different European data protection laws in the various jurisdictions in which it operates.

  • The EU GDPR applies to data collected by an AXIS entity located within the EU and/or data held by an AXIS entity located outside the EU, where that entity has collected data from or about you while you were located within the EU.
  • The UK GDPR applies to data collected by an AXIS entity located within the UK and/or data held by an AXIS entity located outside the UK, where that entity has collected data from or about you while you were located within the UK.
  • The Swiss Federal Act on Data Protection (FADP) applies to data collected by an AXIS entity located within Switzerland and/or data held by an AXIS entity located outside Switzerland, where that entity has collected data from or about you while you were located within Switzerland.

What type of personal data do we collect about you?

We shall process your personal data in order to provide you with the insurance coverage related to the policy you purchased or are benefitting from. The types of personal data we collect about you depend on your relationship with AXIS.

  • If you are an Insured Person or Potential Insured, we collect your personal data in order to determine eligibility for, underwrite, and administer insurance policies. In some instances, we may need to collect “special category personal data”, such as data about your medical and criminal history.
  • If you are a claimant making a claim under an AXIS policy, we may need to collect your contact information, as well as data about your claim and previous claims. We may also need to collect special category personal data, depending on the nature of your claim.
  • If you are a business partner, we will collect your business contact details.

We process personal data you provide to us, which may include the following categories of information:

  • Anti-fraud information
  • Banking Information
  • Claims/Policy Numbers
  • Credit History and Credit Score
  • Date and Place of Birth
  • Gender
  • Family Information
  • Government identification numbers - National Insurance, Social Security, Passport, Tax, Driver’s License
  • Marital Status
  • Name, Address, Phone Number, Email
  • Risk information

and the following categories of special category personal data:

  • Criminal History
  • Health Data / Medical History
  • Racial or ethnic origin

Where we will process special category personal data about you, we shall apply safeguards in accordance with the applicable data protection legislation.

How do we collect data about you?

If you are an insured or potential insured, we collect data from you or your representative through the policy application process. We may also collect data about you from your family members or employer, credit reference agencies, anti-fraud databases, sanctions lists, and relevant government agencies, including public registers or databases.

If you are a claimant, we collect data about you when you notify us of a claim, or if the claim is made by someone with a close relationship to you or who otherwise has authority to make a claim on your behalf. We may also collect personal data about you from others who are involved in the claim, including lawyers, witnesses, experts, and adjusters. Finally, we may consult other public sources to validate the claim or protect against fraud or other financial crime.

If you are a business partner, we collect data about you when you or your company provides that data to us as part of the business relationship.

If you decide not to supply personal data that we have requested and as a result we are unable to comply with our professional, legal or regulatory obligations, then we may be unable to enter into a relevant contract with you. Where were already have a contractual relationship with you, a decision by you not to provide the requested personal data may cause delay in fulfilment of our contractual obligations or may result in our being unable to continue the relationship.

Why do we collect data about you?

We collect your personal data for the following purposes.

If you are an insured or potential insured:

  • Account setup, including background checks
  • Complying with legal or regulatory obligations
  • Customer service communications
  • Direct marketing activities
  • Evaluating risks to be covered
  • Managing insurance or reinsurance claims
  • Payments to/from individuals
  • Risk modelling and underwriting

If you are a claimant:

  • Complying with legal or regulatory obligations
  • Defending or prosecuting legal claims
  • Investigating or prosecuting fraud
  • Managing insurance or reinsurance claims

If you are a business partner:

  • Managing our business relationship with business partners
  • Marketing purposes

Our legal basis for processing your personal data

Where we process your personal data for the purposes set out above, we generally rely on one or more of the following legal bases.

For all personal information:

  • Performance of a contract – we must use your personal data to perform a contract with you – for example, to perform your insurance policy with us
  • Legitimate interests – as an insurance business, we have a legitimate interest in using your personal data to provide your insurance cover, manage our business relationship with you and protect ourselves from fraud
  • Legal obligation – we must use your personal data to comply with our legal or regulatory obligations – for example, in relation to carrying out background checks or reporting financial crime

It may be necessary for us to process some special category personal data in order to comply with legal or regulatory obligations (such as making reasonable adjustments for clients with disabilities), or if we need to do so in order to seek confidential legal advice or establish or defend legal claims. We shall also use your special category personal data, where appropriate, on the following specific bases:

  • Insurance purpose - it is necessary for us to use your special category personal data for an insurance purpose
  • Legal claims - it is necessary for us to use your special category personal data to establish, exercise or defend legal claims
  • Fraud prevention - it is necessary for us to use your special category personal data to prevent fraud or a particular kind of fraud
  • Preventing or detecting unlawful acts - it is necessary for us to use your special category personal data to prevent or detect an unlawful act

In some instances, we may use your personal data, including special category personal data, on the basis of your express consent. Where we rely on your consent as a legal basis for processing your personal data, we shall expressly inform you that we are doing so at the time that we request your consent. You do not have to give your consent and you may withdraw your consent at any time. However, if you do not give your consent, or you withdraw your consent, this may affect our ability to provide you with certain services. If you choose to withdraw your consent, we shall inform you of the consequences of withdrawal.

Further information on the purpose for processing your personal data and the legal bases we rely on are included in the table at the bottom of this Privacy Notice.

How long do we keep your personal data?

We shall retain your personal data in accordance with our retention policies and, in any case, for no longer than necessary to provide the services agreed in your contract with us or to comply with legal or regulatory requirements. Retention periods for personal data are reviewed periodically and the periods for storage specified in it may alter depending on changes to law and regulation, client relationship requirements, best practice and similar matters.

Where we process personal data on the basis of consent, withdrawal of consent will result in deletion of the relevant data within a reasonable period.

It may be necessary for AXIS to suspend any planned destruction or deletion of personal data where legal or regulatory rules require that we preserve the data, or where proceedings are underway which require the data to be retained until those proceedings have finished. For example, data that relates to litigation or is reasonably foreseeable to be relevant for litigation purposes must be retained until that litigation is completed.

Where does your personal data go?

We may need to transfer your personal data to third parties or to other AXIS group companies, to help manage our business and delivery of services to you. The third parties may include:

If you are an insured or potential insured:

  • Anti-fraud agencies
  • Brokers
  • Banks or financial services providers
  • Credit reference agencies
  • Courts
  • Customer service providers
  • Legal counsel
  • Law enforcement authorities (domestic or foreign)
  • Other insurers or reinsurers
  • Service providers who supply back-office support
  • Regulators, including the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), Central Bank of Ireland (CBI), Information Commissioners’ Office (ICO) or the Irish Data Protection Commissioner (DPC)
  • Third party administrators

If you are a claimant:

  • Adjusters and other claims experts
  • Anti-fraud agencies
  • Back-office service providers
  • Courts
  • Credit reference agencies
  • Law enforcement authorities (domestic or foreign)
  • Legal counsel
  • Outside legal counsel
  • Ombudsmen, including Financial Services and Pensions Ombudsman Office (FSPO) and Financial Ombudsmen Service (FOS)
  • Other insurers or reinsurers
  • Regulators, including the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), Central Bank of Ireland (CBI), Information Commissioners’ Office (ICO), or the Irish Data Protection Commissioner (DPC)
  • Service providers who supply back-office support
  • Third-Party Administrators

If you are a business partner:

  • Back-office service providers

Transferring your personal data outside the EU

We may transfer your personal data to other companies in our group and our suppliers in the United States, Canada, Bermuda, India, Singapore, Dubai, and the Philippines. We do this for management purposes, reporting activities on company performance for regulatory or statutory purposes, in the context of a business reorganisation or group restructuring exercise, and for system maintenance support and hosting of data.

Whenever it is necessary to transfer your personal data to other companied of the group, agents or contractors located outside of the EEA, we shall take appropriate steps to ensure that such transfer adequately protects your rights and interests.

We shall only transfer your personal data to countries recognized as providing an adequate level of legal protection, or where we are satisfied that protections are in place to properly protect your privacy rights.

Transfers between AXIS companies are covered by intra-organizational agreements that provide specific requirements designed to ensure your personal data receives adequate protection whenever it is transferred within AXIS.

Transfers to our service providers and business partners are protected by contractual agreements approved by the European Commission or by the UK Information Commissioner’s Office (ICO). Before transferring your data to our service providers, we ensure they can provide adequate level of data protection.

Automated decision-making

We do not make any decisions about you which have a legal or similarly significant effect on you based solely on automated processing (i.e. without human intervention).

Your Rights

You have certain rights in relation to how AXIS collects and uses your personal data. To exercise any of these rights, please contact in the first instance the AXIS entity that originally collected the data from you. Your rights include:

Right to access – you may:

  • Confirm whether we are collecting and using your personal data
  • Obtain a copy of your personal data from AXIS
  • Obtain additional information about your personal data, including:
  • What data we have
  • How we collect your data
  • How we use it
  • To whom we disclose it
  • Whether we transfer it outside the EEA, and how we protect it
  • How long we keep it
  • Your rights
  • how you can make a complaint

Right to Rectify – you may ask us to correct personal data that is inaccurate.

Right to Erasure – you may ask us to erase your personal data only where:

  • It is no longer needed for the purposes for which it was collected
  • You have withdrawn consent that you explicitly provided
  • It was unlawfully processed
  • You have an appropriate Right to Object (see below)
  • AXIS must comply with a legal obligation to erase the personal data
  • AXIS is not required to erase your personal data if continued collection and use of it is necessary
  • To comply with a legal obligation
  • To establish, exercise or defend legal claims of the company or our insureds.

Right to Restrict Use – you may ask us to restrict the use of your personal data only where:

  • You contest its accuracy, in order to give us the opportunity to verify and correct it
  • Its collection and use is unlawful, but you do not want it erased
  • It is no longer needed for the purposes for which it was collected, but is still needed to establish, exercise, or defend legal claims
  • You have exercised the right to object and that decision is pending.
  • We may continue to use your personal data where:
  • You have consented to its use, and have not withdrawn that consent
  • We must use it to establish, exercise, or defend legal claims
  • We must use it to protect the rights of another person.

Right to Data Portability – you may ask that we provide your personal data to you in a structured, portable format, or that your personal data be directly transferred to another company, but only if our collection and use of that information:

  • Is based on your consent, or on the performance of a contract with you
  • Is carried out by automated means.

Right to Object– you may object to the collection and use of your personal data for which AXIS uses “legitimate interest” as its basis for collection, if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you object, we have the opportunity to demonstrate that our legitimate interests are compelling enough to override your rights and freedoms.

Right to Information About Automated Processing – you may ask for information regarding the logic involved, as well as the significance and the envisaged consequences of such processing.

Right to File Complaints – you may file a complaint with your local supervisory authority regarding our collection and use of your personal data.

Local supervisory authorities for AXIS companies are set out below. We also provide below details of the EU representatives (for UK-based AXIS companies), UK representative (for EU -based AXIS companies) and Swiss representative:

AXIS CompanyLocal Supervisory AuthorityEU Representative
AXIS Managing Agency LimitedICOAXIS Specialty Europe SE (ASE SE) – EU Representative: Email: [email protected] or Phone: +353 1 632 5937
AXIS UK Services Limited (formerly Novae Management Limited)ICONot applicable
AXIS Underwriting Limited (formerly Novae Underwriting Limited)ICONot applicable
AXIS Corporate Capital UK II Limited (formerly Novae Corporate Underwriting Limited)ICONot applicable
AXIS Re SEDPCFDPIC online form: https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt/anzeigeformular_dritte.html
AXIS Specialty Europe SEDPCNot applicable

International Transfers – you may ask for information on the protections under which your personal data is transferred outside of the EEA. We might redact certain portions of this data for reasons of commercial sensitivity.

The following may apply to your request regarding your personal data:

  • We shall respond to all valid requests within one month of receipt.
  • You will generally not be charged a fee when we process your request.

We reserve the right to charge a reasonable fee if your request is manifestly unfounded or excessive or you ask us for further copies of information already provided.

How to Contact Us

Please address all inquiries, requests, and other communications regarding your personal data or this Privacy Notice to:

Contact: Data Protection Officer Email: [email protected] Address: 52 Lime Street, London EC3M 7AF Phone: +44-20-7877-3800

Appendix to AXIS Privacy Notice – UK/EU

Data marked * in the table below is ‘special category personal data’

PURPOSEPERSONAL DATA PROCESSEDLEGAL BASIS FOR PROCESSINGWE MAY DISCLOSE TO OR SHARE WITH
Insured or potential insured   
Account setup, including background checks
  • Banking information
  • Credit history and credit score
  • Date and place of birth
  • Gender
  • Government identification numbers - national insurance, social security, passport, tax, driver’s license)
  • Marital status
  • Name, address, phone number, email
  • Risk information
  •  
  • Criminal history*
  • Legitimate interest (to ensure we keep accurate data about you, ensure you are within our acceptable risk profile, and prevent crime/fraud
  • Legal obligation
  • Performance of a contract
  •  
  • For special category personal data:
  • Legal obligation
  • Prevent or detect unlawful acts
  • Prevent fraud
  • Anti-fraud agencies
  • Background check agencies
  • Back-office service providers
  • Brokers
  • Credit reference agencies
  • Foreign law enforcement authorities
  • Other insurers/reinsurers
  • Regulators
Complying with legal or regulatory obligations
  • Claims/policy numbers
  • Date and place of birth
  • Gender
  • Marital status
  • Government identification numbers - national insurance, social security, passport, tax, driver’s license)
  • Name, address, phone number, email
  • Risk information
  • Legal obligation
  • Regulators, including CBI, PRA, FCA, ICO, DPC
  • Ombudsmen, including FSPO and FOS
  • Law enforcement authorities (domestic or foreign)
  • Legal counsel
  • Courts
  • Other insurers
Customer Service Communications
  • Claims/policy numbers
  • Name, address, phone number, email
Performance of a contractCustomer service providers
Direct marketingName, address, phone number, email
  • Consent
  • Legitimate interest (to provide insureds with information on products/services of interest)
Service providers
Evaluating risks to be covered
  • Credit history and credit score
  • Gender
  • Name, address, phone number, email
  •  
  • Criminal history*
  • Health data / medical history*
  • Legitimate interests (to determine risk profile and appropriate type cost of cover)
  • Performance of a contract
  •  
  • For special category personal data:
  • Insurance purposes under statutory provision
  • Background check agencies
  • Brokers
  • Other insurers/reinsurers
  • Third party administrators
Managing insurance or reinsurance claims
  • Claims/policy numbers
  • Date and place of birth
  • Gender
  • Government identification numbers - national insurance, social security, passport, tax, driver’s license)
  • Name, address, phone number, email
  •  
  • Criminal history*
  • Health data / medical history*
  • Legitimate interest (to maintain accurate records of all claims; to assess circumstances of a claim)
  • Performance of a contract
  •  
  • For special category personal data:
  • Insurance purposes under statutory provision
  • Adjusters / claims experts
  • Back-office service providers
  • Credit reference agencies
  • Foreign law enforcement
  • Outside legal counsel
  • Third-party administrators
  • Payments to/from individuals
  • Claims/policy numbers
  • Banking Information
  • Name, address, phone number, email
  • Performance of a contract
  • Banks or financial services providers
Risk modelling and underwriting
  • Credit history and credit score
  • Gender
  • Name, address, phone number, email
  •  
  • Criminal history*
  • Health data / medical history*
  • Legitimate interests (to determine risk profile and appropriate type cost of cover)
  • Performance of a contract
  •  
  • For special category personal data:
  • Insurance purposes under statutory provision
  • Background check agencies
  • Brokers
  • Other insurers/reinsurers
  • Third party administrators
Claimants   
Complying with legal or regulatory obligations
  • Claims/policy numbers
  • Date and place of birth
  • Gender
  • Government identification numbers - national insurance, social security, passport, tax, driver’s license)
  • Name, address, phone number, email
  •  
  • Criminal history*
  • Health data / medical history*
  • Legal obligation
  •  
  • For special category personal data:
  • Insurance purposes under statutory provision
  • Courts
  • Law enforcement authorities (domestic or foreign)
  • Legal counsel
  • Ombudsmen, including FSPO and FOS
  • Other insurers
  • Regulators, including CBI, Data Protection Commissioner, PRA, FCA, ICO, DPC
Defending or prosecuting legal claims
  • Banking information
  • Claims/policy numbers
  • Date and place of birth
  • Gender
  • Government identification numbers - national insurance, social security, passport, tax, driver’s license)
  • Family information
  • Marital status
  • Name, address, phone number, email
  •  
  • Criminal history*
  • Health data / medical history*
  • Establish, exercise or defend legal claims
  •  
  • For special category personal data:
  • Establishing, exercising or defending legal right
  • Courts
  • Law enforcement authorities (domestic or foreign)
  • Outside legal counsel
  • Regulators including FCA, PRA, ICO, DPC
Investigating or prosecuting fraud
  • Anti-fraud information
  • Claims/policy numbers
  • Date and place of birth
  • Gender
  • Government identification numbers - national insurance, social security, passport, tax, driver’s license)
  • Name, address, phone number, email
  • Risk information
  •  
  • Criminal history*
  • Health data / medical history*
  • Establish, exercise or defend legal claims
  • Legitimate Interests (to determine whether a claim is legitimate or is a fraud)
  •  
  • For special category personal data:
  • Legal obligation
  • Prevent or detect unlawful acts
  • Prevent fraud
  • Courts
  • Law enforcement authorities (domestic or foreign)
  • Outside legal counsel
Managing insurance or reinsurance claims
  • Claims/policy numbers
  • Date and place of birth
  • Gender
  • Government identification numbers - national insurance, social security, passport, tax, driver’s license)
  • Name, address, phone number, email
  •  
  • Criminal history*
  • Health data / medical history*
  • Establish, exercise or defend legal claims Statutory provision
  • Legitimate interest (to maintain accurate records of all claims; to assess circumstances of a claim)
  • Performance of a Contract
  •  
  • For special category personal data:
  • Insurance purposes under statutory provision
  • Adjusters / claims experts
  • Administrators
  • Back-office service providers
  • Credit reference agencies
  • Foreign law enforcement
  • Outside legal counsel
  • Third-Party
Business Partners   
Managing our business relationship with business partners
  • Gender
  • Name, address, phone number, email
  • Legitimate interest (to maintain accurate data on business partners)
  • Performance of a contract
  • Back-office service providers

Effective date: 18 March 2024 v2.1