Privacy & data protection policy

1. Introduction

This Privacy Policy (the “Policy”) describes how DUAL Europe GmbH, with registered address at Shanzenstrasse 36 / Gebäude 197, 51063 Cologne, Germany and operating in Sweden through its branch DUAL Nordics (reg. no. 516413-3778) with address Olof Palmes gata 11 Stockholm 111 37, Sweden (referred to as “DUAL” below), processes personal data as a data controller in connection with insurance underwriting as an insurance agency, website visits and other business relationships or arrangements.

Questions regarding DUAL’s processing of personal data can be sent to DUAL’s address in Sweden as set out above, or by email to: [email protected].

2. How DUAL collects personal data

DUAL may collect personal information from individuals:

  • when they provide their details to DUAL either online or offline;
  • when they fill out a survey or a form on DUAL’s website;
  • via cookies;
  • via telephone call, email or letter; and
  • when they provide a service to DUAL.

DUAL may also collect personal information from other sources, including:

  • directly from an individual’s employer (or such employer’s service provider or insurance broker) who has obtained an insurance policy through DUAL;
  • directly from policyholders, or our policyholder’s broker, if an individual is a beneficiary of a policy and/or named within the policy;
  • directly from policyholders when an individual may have been involved in a claim with that policyholder;
  • third parties who handle claims on behalf of an insurance company;
  • third parties who advise insurance companies or policyholders;
  • databases we use to carry out sanctions or financial crime checks; and
  • government and regulatory agencies such as the Swedish transport agency, the Swedish Companies Registration Office and the Swedish Tax Agency.

3. Which personal data DUAL collects and processes

DUAL may collect the following about individuals:

  • contact details such as name, email address, postal address and telephone number;
  • professional and honorary titles;
  • personal identification or passport numbers;
  • employment history;
  • financial information such as bank details;
  • information obtained through our use of cookies;
  • relationships to other people on a policy;
  • identification information such as date of birth or driving licence;
  • information relevant to an individual’s claims or their involvement in the matter giving rise to a claim;
  • information about an individual’s business and commercial assets;
  • details of bankruptcies and other adverse financial events;
  • details of an individual’s current or former physical condition (special category personal data); and
  • details regarding criminal offences, including alleged offences, criminal proceedings and outcomes.

4. How DUAL processes personal data

DUAL only processes personal data to the extent permitted under applicable data protection legislation. This requires DUAL to have a legal basis for processing personal data, which in relation to DUAL’s role as an insurance agency can be:

Consent – where DUAL has an individual’s consent to do so and consent is the only legal basis DUAL has.  Where DUAL relies on an individual’s consent, the individual has the right to withdraw it at any time.

Performance of a contract – where the processing is necessary in order for DUAL to enter into or perform a contract, such as a contract of insurance/reinsurance, a contract between DUAL and an insurer or with any other third party.

Performance of legal obligations – where the processing is necessary in order to fulfil DUAL’s legal obligations under law or regulation, or to comply with orders or decisions by courts or other authorities.

Legitimate interests – where DUAL has a legitimate interest to process personal data provided that your interests or fundamental rights or freedoms do not override DUAL’s legitimate interests.

Where DUAL processes special category data and/or criminal conviction data, it is necessary that DUAL has additional legal grounds for processing such data. DUAL relies on such processing being in the substantial public interest and necessary for the purpose of underwriting, administering and performing insurance or reinsurance contracts.

Below, DUAL provides further details on the legal bases DUAL relies on for the various forms of processing of personal data:

Each entry below gives, in order: Nature of Processing, Category of Personal Data, Grounds for Processing and Storage Period.

Nature of Processing: Reviewing insurance applications which include personal data, and providing quotes.

Category of Personal Data:

  • Contact details together with information such as age and occupation, professional or honorary titles.
  • Information about an individual’s possessions such as property and vehicles.
  • Details as to past claims and recent damage.
  • Information about an individual’s business, their business premises and vehicles, and their directorships.
  • Special category data such as health information and criminal convictions and/or penalties.

Grounds for Processing:

  • In order to enter into or perform a contract of insurance.
  • DUAL has a legitimate interest in reviewing and providing a quote in respect of an application of insurance where the individual whose data are being processed is not a policyholder.
  • For special category data, DUAL relies on the processing of such data being in the substantial public interest.

Storage Period:

  • Personal data in an insurance application is stored from the date of application and for a period of at least one year thereafter.
  • If insurance is granted, DUAL stores personal data included in an insurance application as described below under “Administering, providing and servicing insurance policies”.

Nature of Processing: Administering, providing and servicing insurance policies.

Category of Personal Data:

  • Contact details together with information such as age and occupation, professional or honorary titles.
  • Information about an individual’s possessions such as property and vehicles.
  • Details as to past claims and recent damage.
  • Information about an individual’s business, their business premises and vehicles, and their directorships.
  • Special category data such as health information and criminal convictions and/or penalties.

Grounds for Processing:

  • In order to perform a contract of insurance.
  • DUAL has a legitimate interest in performing the data processing where the individual whose data are being processed is not a policyholder, for example when it is necessary to cooperate with DUAL’s partners to provide services related to insurance contracts.
  • For special category data, DUAL relies on the processing of such data being in the substantial public interest.

Storage Period:

  • Personal data will be stored for the period in which claims can be asserted against DUAL. This period varies depending on the policy taken out and the relevant statute of limitation but is at least 10 years after the expiry of the insurance policy.

Nature of Processing: Handling and paying claims.

Category of Personal Data:

  • Contact details together with information such as age and occupation, professional or honorary titles.
  • Information about an individual’s possessions such as property and vehicles.
  • Details as to past claims and recent damage.
  • Information about an individual’s business, their business premises and vehicles, and their directorships.
  • Bank account details.
  • Special category data such as health information and criminal convictions and/or penalties.

Grounds for Processing:

  • In order to perform a contract of insurance, i.e., to process claims under the insurance contract.
  • DUAL has a legitimate interest in performing the data processing where the individual whose data are being processed is not a policyholder.
  • For special category data, DUAL relies on the processing of such data being in the substantial public interest.

Storage Period:

  • Personal data will be stored for the period in which claims can be asserted against DUAL. This period varies depending on the policy taken out and the relevant statute of limitation but is at least 10 years after the expiry of the insurance policy.

Nature of Processing: Communicating with clients, policyholders, and other third parties, and resolving complaints.

Category of Personal Data:

  • Contact details together with information such as age and occupation, professional or honorary titles.

Grounds for Processing:

  • In order to perform a contract of insurance.
  • DUAL has a legitimate interest in communicating with clients, policyholders and other third parties and in resolving complaints.

Storage Period:

  • Personal data will be stored for the period in which claims can be asserted against DUAL. This period varies depending on the policy taken out and the relevant statute of limitation but is at least 10 years after the expiry of the insurance policy.

Nature of Processing: Taking measures to prevent, detect and investigate fraud.

Category of Personal Data:

  • Contact details together with information such as age and occupation, professional or honorary titles.
  • Information about an individual’s possessions such as property and vehicles.
  • Details as to past claims and recent damage.
  • Information about an individual’s business, their business premises and vehicles, and their directorships.
  • Special category data such as health information and criminal convictions and/or penalties.

Grounds for Processing:

  • DUAL has a legitimate interest in preventing fraud.
  • For special category data, DUAL relies on the processing of such data being in the substantial public interest for the purpose of preventing or detecting unlawful acts and/or to establish, exercise or defend legal rights.

Storage Period:

  • Investigations are part of the claim and may therefore be stored during the insurance contract or as long as DUAL has any kind of obligations towards the policyholder or any third party under the insurance contract. This period may vary depending on the type of insurance taken out and the applicable statute of limitation but is at least 10 years after the expiry of the insurance policy.

Nature of Processing: Managing DUAL’s business operations including producing management information, maintaining accounting records, analysing financial results, performing internal and external audits, receiving professional advice, making regulatory filings and securing its systems.

Category of Personal Data:

  • Contact details together with information such as age and occupation, professional or honorary titles.
  • Information about an individual’s possessions such as property and vehicles.
  • Information about an individual’s business, their business premises and vehicles, and their directorships.
  • Special category data such as health information and criminal convictions and/or penalties.

Grounds for Processing:

  • DUAL has a legitimate interest in monitoring its business performance, maintaining appropriate records, analysing its financial results, performing internal and external audits and securing its systems.
  • For special category data, DUAL relies on the processing of such data being in the substantial public interest for the purpose of operating its business in a manner which ensures that it is able to provide services in insurance.

Storage Period:

  • DUAL stores personal data for as long as DUAL has any kind of obligation to the policyholder or any third party under an insurance contract, or for as long as any other purpose related to DUAL’s business operations persists. Personal information processed for this purpose will, as far as possible, be used in an aggregated format and anonymised.

Nature of Processing: Complying with DUAL’s legal and regulatory obligations such as performing anti-money laundering and sanctions checks.

Category of Personal Data:

  • Contact details together with information such as age and occupation, professional or honorary titles.
  • Information about an individual’s possessions such as property and vehicles.
  • Information about an individual’s business, their business premises and vehicles, and their directorships.
  • Special category data such as health information and criminal convictions and/or penalties.

Grounds for Processing:

  • The processing is necessary for DUAL to comply with its legal obligations.
  • For special category and criminal conviction data, DUAL relies on the processing of such data being in the substantial public interest for insurance purposes and to prevent or detect unlawful acts.

Storage Period:

  • DUAL stores personal data for as long as necessary to comply with applicable legislation, for example 5 years for anti-money laundering and 7 years for accounting purposes, calculated in both cases from the end of the year in which the information was registered. The personal data may be stored for even longer if it is necessary to establish and defend a legal right.

Nature of Processing: Reviewing potential employees’ applications for employment by DUAL.

Category of Personal Data:

  • Contact details together with information such as age and occupation, professional or honorary titles, and education history.

Grounds for Processing:

  • The processing is necessary to assess a candidate’s suitability to enter into a contract of employment with DUAL.

Storage Period:

  • DUAL stores personal data related to a potential employee during the recruitment process and up to two years thereafter in order to defend DUAL against claims regarding discrimination.

5. Security measures

DUAL takes measures to ensure that personal data is collected and processed in a safe way. DUAL maintains appropriate safeguards and security standards to protect personal data against unauthorized access, unauthorized disclosure or misuse.  DUAL also monitors its systems to discover vulnerabilities.

6. Who DUAL shares personal data with

DUAL may share personal data with the following categories of third party recipients when it has a valid reason to do so:  

  • Other companies in the group of companies of which DUAL is a part.
  • The relatives or representatives of an individual, their employer, insurance broker, lawyer and/or other persons or organisations associated with them.
  • DUAL’s insurance partners such as brokers, managing agents, insurers, reinsurers or other insurance distributors.
  • Third parties who assist DUAL in the administration of insurance policies.
  • Third parties who perform claims administration on DUAL’s or insurers’ behalf.
  • Third parties who provide products provided alongside or in conjunction with an insurance or reinsurance contract.
  • Government agencies and regulators.
  • Third party suppliers DUAL uses to support it in its day to day business activities including IT suppliers, actuaries, auditors, lawyers and tax advisers.
  • Third parties connected with the sale, transfer or disposal of DUAL’s business.

7. Where personal data is processed

DUAL routinely collects and/or processes personal data within the European Economic Area and the United Kingdom where personal data is protected in accordance with the data protection laws and regulations of the European Union and the United Kingdom.

On occasion, DUAL may transfer personal data to countries outside of an individual’s home territory, the United Kingdom and/or the European Economic Area, in which case it will ensure that such data is afforded the same level of protection as in such individual’s home territory.  DUAL will achieve this by:

  • Transferring data to countries that are deemed by such individual’s home territory to have adequate privacy legislation.  The European Union maintains a list of jurisdictions that it has deemed to be “adequate” in that regard.
  • Entering into appropriate contracts governing the data transfer, using a set of standard clauses approved by data protection authorities in the European Union.
  • Utilising an approved transfer mechanism.

8. Retention of personal data

DUAL will retain personal data for as long as is reasonably necessary for the purposes listed in Section 4.  The retention period of personal information is, inter alia, dependent on the law for the particular type of potential claim, accounting law requirements and other factors for example where necessary to establish and defend a legal right.

The collected personal information will be retained as set out in the table in section 4.

9. The data subject’s rights

Data protection law gives individuals (“data subjects”) rights in relation to their personal data. This section provides an overview of these rights and how they relate to the information given to DUAL.

Right of access
Data subjects have the right to obtain a confirmation as to whether or not DUAL processes personal data concerning them.  If that is the case, the data subject also has the right to receive copies of the personal data that is processed as well as additional information about the processing, such as for what purposes the processing occurs, the relevant categories of personal data and the recipients of such personal data.

Right to rectification
Data subjects have the right to, without undue delay, have incorrect personal data rectified. The data subject may also have the right to have incomplete personal data completed.

Right to erasure
Data subjects can demand that DUAL without undue delay erase personal data if:

  • the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • DUAL’s processing is based on consent which has been withdrawn;
  • the data subject objects to the processing that DUAL carries out based on a legitimate interest, and where the objection overrides DUAL’s or another party’s legitimate interest of the processing;
  • the personal data has been unlawfully processed; or
  • the personal data has to be erased for compliance with a legal obligation.

Right to restrict processing
Data subjects can request that the processing of personal data is restricted in certain circumstances.

Right to object
Data subjects have a right to object to processing of their personal data when it is based on DUAL’s or another party’s legitimate interest.  If this happens, in order to be allowed to continue with the processing DUAL must demonstrate compelling legitimate grounds for the processing which override the data subject’s interests, rights and freedoms.

Right to data portability
In certain circumstances, data subjects have the right to request that their personal data be compiled into a common, machine readable format and either provided directly to them or sent to a third party they nominate.

Right to withdraw consent  
If DUAL’s processing of a data subject’s personal data is based on consent, the data subject has the right to withdraw its consent at any time. A withdrawal of consent does not affect the lawfulness of the processing that took place based on the consent before the withdrawal.

10. Complaints to the supervisory authority

In Sweden, the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) www.imy.se is the authority responsible for supervising and enforcing compliance with current data protection legislation.

If an individual believes that Howden processes personal data in a wrongful manner, DUAL can be contacted in order to express these concerns. However, individuals may also file a complaint with the Swedish Authority for Privacy Protection at any time.

11. Changes to this Privacy Policy

This Privacy Policy may be updated from time to time.

If the Privacy Policy is changed, the new version will apply when published on DUAL’s website.

When the latest update occurred is indicated by the date specified at the top of the Privacy Policy.