É«¶à¶àÊÓƵ

Privacy Notice - É«¶à¶àÊÓƵSwitzerland

By means of this privacy notice, we inform you about the processing of your personal data by É«¶à¶àÊÓƵand the rights to which you are entitled in accordance with data protection law.

The information contained in this notice describes how É«¶à¶àÊÓƵcollects, uses, shares and protects your personal data and informs about the rights you have in terms of use, access and rectification of your data.

The information in this notice applies to all natural persons affected by the processing of their personal data by AXA XL. If those are not identical to a policyholder, it shall be his obligation to ensure the communication of this notice to the individuals affected by it.

Data Controller within the Meaning of Art. 5 (j) FADP and Art. 4 No 7 GDPR

XL É«¶à¶àÊÓƵ Company SE
XL Catlin Services SE
XL Re Europe SE

Wolfe Tone House
Wolfe Tone Street
Dublin 1
D01 HP90
Ireland

XL É«¶à¶àÊÓƵ Company, Dublin, SE (Zurich Branch)
XL Catlin Services, Dublin, SE (Zurich Branch)
XL Re Europe SE, Dublin (Zurich Branch)
XL É«¶à¶àÊÓƵ Switzerland Ltd
Catlin Re Schweiz AG

Ernst-Nobs-Platz 7
8004 Zurich - Switzerland

Data Protection Advisor

If you have questions about your rights or concerns regarding the way in which your personal information has been used, please contact our data protection advisor by mail at one of the aforementioned addresses or by email at ComplianceSwitzerland@axaxl.com.

We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to make a complaint to the relevant data protection authority.

Data and Data Categories that May be Processed

We process your personal data in compliance with the Swiss Federal Act on Data Protection (FDAP), the Swiss Data Protection Ordinance (DPO), the EU General Data Protection Regulation (GDPR), the applicable provisions affecting or ensuring data privacy within the Federal Act on É«¶à¶àÊÓƵ Contracts ("Versicherungsvertragsgesetz" - VVG) as well as all other applicable laws. This data is collected either directly from you or indirectly via an intermediary who is bound to É«¶à¶àÊÓƵby means of a contractual relationship and that has informed you about it.

We process personal data that has been made available to us as part of the application and/or conclusion of the insurance contract and that is required for the proper performance of the contractual relationship (including complaint handling).

In the event of a claim notification or the assertion of an indemnification, we require the personal data to assess our obligation to pay and to determine the amount of the indemnification to be paid.

During the contractual conclusion, the response to certain questions is mandatory. Without this information, neither the conclusion nor the fulfilment of the contract or the processing of a claim is possible.

In particular, we process the following data and data categories:

• Master and contract data (e.g. name, address, contact details, marital status, occupation, start and expiry dates, details of the risk to be insured)
• Sensitive personal data (e.g. health data)
• Information about personal situations (e.g. creditworthiness data, material assets)
• Data on your claims and other data arising from the fulfilment of our legal obligations
• Data on contacts to you and on transaction processing
• Circumstances of the involvement of the data subjects (e.g. policyholder, insured person, injured party, witness)
• Powers of attorney
• Data of prospects
• Video footage in case of on-premises CCTV

The necessity to process sensitive personal data depends on the requirements of the insurance contract or arises from other circumstances in connection with our insurance services (e.g., claims settlement). Any consents that may be required in those case, in particular pursuant to Art. 6 (6) and (7) FADP or Article 9 (2) (a) and Article 7 GDPR, will be collected separately when necessary.

Additionally, É«¶à¶àÊÓƵalso processes personal data on criminal convictions and criminal offenses in certain cases. This applies in particular to claims that are rooted in an illegal behaviour on the part of the insured, the injured, or a third party. Further processing activities may result from the legal obligations to prevent money laundering and terrorist financing according to the provi-sions of the Federal Act on Combating Money Laundering and Terrorist Financing (Anti-Money Laundering Act, AMLA).

Purposes and Legal Bases of the Data Processing

We process the personal data collected for the purpose of managing and fulfilling the insurance contracts for which É«¶à¶àÊÓƵis the insurer. Your data will be processed in particular for the following purposes:

1. The performance of an insurance contract with É«¶à¶àÊÓƵand/or the associated precontractual measures, including the processing and profiling required for risk assessments as well as customer satisfaction or opinion surveys. The lawfulness is determined according to the articles 6 (1) and 31 (2) (a) FADP as well as Art. 6 (1) (b) GDPR, to the extent the processing activities are also subject to the law of the European Union. This includes in particular the following purposes:

• The engrossment, management (including commercial purposes) and fulfilment of your insurance contract, in the event of a claim in which you are the injured party, the assessment and settlement of the same, as well as the processing of complaints and reclamations.
• The performance of statistical and actuarial studies and drafting of risk assessments, selections, tests, and ratings for the purpose of calculating the insurance premium.
• The collection and processing of data relating to criminal offences, convictions, or security measures insofar as those can be attributed to the insured risk and/or the processing of which is required by insurance law.
• Advice on possible contract adjustments or supplements, fulfilment of information requests and goodwill decisions.

2. Furthermore, we process your personal data in fulfilment of legal obligations to which we as data controller are subject according. The lawfulness is determined according to articles 6 (1) and 31 (1) FADP as well as Art. 6 (1) (c) GDPR. These include in particular:

• the processing of claims in which the claimant is not a party to the insurance contract, for example as a third-party beneficiary or injured;
• the performance of sanction and money laundering checks - particularly regarding the identification of the beneficial ownership - in accordance with the applicable money laundering legislation and sanction regimes;
• The performance of statistical and actuarial studies and drafting of risk assessments, selections, tests, and ratings within the framework of the legal obligations affecting us from Art. 23 of the Federal Act on the Supervision of É«¶à¶àÊÓƵ Undertakings (É«¶à¶àÊÓƵ Supervision Act) as well as Art. 48 of Directive 138/2009/EC ("Solvency II") and the implementing laws of the EU member states and the EEA derived therefrom;
• compliance with regulatory requirements, including retention obligations set forth in commercial and tax legislation, and our advisory obligations;
• Video surveillance/CCTV in cases where it constitutes a technical and organizational legal measure as per Art. 8 FADP in conjunction with Art. 3 (1) (b) Data Protection Ordinance and Art. 32 (1) GDPR.

3. Finally, we also process your data for the purposes of the legitimate interests pursued by us or by a third party. This processing is based on Art. 6 (2) and 31 (1) FDAP and Art. 6 (1) (f) GDPR and concerns, among others, the following cases:

• to ensure IT security and operations, including tests (insofar it is not already required in the context of the performance of the contract or the fulfilment of a legal obligation);
• subject to your objection, to advertise our own insurance products and the products of the AXA group and its cooperation partners as well as for market and opinion surveys;
• to prevent and investigate criminal offenses, insofar as it is not already prescribed by a statutory or regulatory obligation; in particular, we use analyses and research (also in publicly accessible sources) to detect indications of insurance fraud;
• for risk management within É«¶à¶àÊÓƵand the AXA Group as a whole;
• for business management and the development of processes, services and products.
• Video surveillance/CCTV in those cases of where they do not serve the purpose of a technical and organisational measure.

4. In certain cases, we also process your personal data for the purpose of the development and/or improvement of statistical learning models using machine learning and other artificial intelligence (AI) technologies. These models are subsequently being used productively in our various automation processes, namely in the area of automated categorisation of unstructured data, the management of our business processes (such as the automated allocation of incoming correspondence) as well as for purposes of statistical actuarial calculations and pricing models.

• The processing of your personal data for the development and/or improvement of our statistical learning models is based on our legitimate interest in optimising our internal business processes. Here, we particularly undertake to work towards complete or partial anonymisation and/or pseudonymisation of your data within the scope of our technical possibilities. This applies particularly to the processing of special categories of personal data, which also necessitates an applicable permitting statute as referred to in Art. 9 (2) (a) - (j) GDPR and is subject to particular proportionality and transparency requirements as per Art. 21 FADP.
• Where we process your personal data in our existing AI systems (for instance, to correctly allocate an incoming mail in a claim), such processing would be based on the applicable legal ground associated with the purpose pursued by that activity.

To ensure lawfulness and processing in good faith as well as the existence of a legitimate interest, we ensure by means of internal control and assessment procedures their compliance with the applicable statutory and legal situation and that the interests or fundamental rights and freedoms of the data subject do not outweigh them.

Disclosure and Recipients of the Data

The personal data collected may be disclosed to contractual partners of É«¶à¶àÊÓƵwho are involved in the conclusion, management and performance of the contract as well as the other aforementioned processing activities. These include, among others:

• other insurance and reinsurance companies;
• É«¶à¶àÊÓƵ intermediaries (e.g., insurance brokers, agents, ...);
• physicians, experts, and appraisers (e.g., for claims settlement, assessing risks, and compensation obligations);
• credit agencies and private investigators (for credit checks and/or to prevent and investigate insurance fraud);
• lawyers (advisory and in case of representation in litigation) and
• other service providers (e.g. external consultants, administrators, IT service providers, etc.)

Data Processing Within the AXA Group:

Additionally, certain processing tasks and functions within our group are performed centrally by specialised companies or departments. In case of an insurance contract between you and one or more group companies, your data may be processed centrally by a company in our group, such as for the central management of your contact details, telephone customer service, contract processing including service and claims handling, for encashment and disbursements, or for mail processing.

Other Recipients:

Furthermore, our legal obligations may require us in certain cases to disclose your data to other recipients, in particular authorities (e.g., social security institutions, tax authorities, and supervisory or judicial authorities), credit institutions, tax consultants and statutory auditors.

Finally, it may also be necessary to share your personal data with potential buyers or selected partners in connection with extraordinary business transactions (including the analysis of economic, legal, tax and financial conditions – “due diligence”), such as mergers, company sales and other transactions.

Cross-Border Disclosure of Personal Data

Insofar personal data is disclosed to recipients outside the territory of the Swiss Confederation, we ensure that this is done exclusively in accordance with the applicable legal provisions:

Disclosures to third countries for which both the Swiss Federal Council (Art. 16 (1) FADP in conjunction with Annex 1 DPO) and the EU Commission (Art. 45 GDPR) have determined that those provide for an adequate level of protection do not require special authorisation. This currently includes Andorra, Argentina, Canada (commercial entities only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, South Korea, Uruguay and the United Kingdom (until further notice until June 27th, 2025 only) as well according to Annex 1 of the DPO the member states of the European Union (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden), Iceland, Liechtenstein, and Norway.

Transfers to companies within AXA group are also based on – BCR) in accordance with Art. 16 (2) (e) FADP and Art. 47 GDPR.

Where disclosures are not covered by one of the aforementioned legal instruments, É«¶à¶àÊÓƵundertakes, pursuant to Art. 16 (2) (d) FADP), that an adequate level of data protection is ensured by means of standard data protection clauses previously approved, established, or recognised by the Federal Data Protection and Information Commissioner (FDPIC). É«¶à¶àÊÓƵuses (Art. 46 GDPR) which have been accordingly recognised by the FDPIC with decision of the FDPIC of 27.08.2021.

In addition, É«¶à¶àÊÓƵhas implemented additional contractual, organisational, and technical measures to ensure that recipients meet their obligations under the binding corporate rules and the EU standard contractual clauses, which also includes their enforceability.

These measures include modern encryption of personal data (in transit and at rest), pseudonymisation of data, restriction of access to personal data, and contractual and organisational transparency and information obligations.

With regard to all recipients, É«¶à¶àÊÓƵhas evaluated the risks associated with the transfer to the respective third countries and has documented them accordingly in a report (“Transfer Risk Assessment” - TIA).

For further questions, information, and documentation on our international data transfers, please contact our data protection advisor.

Data Retention

Generally, we store and process your personal data only for as long as is necessary for the purposes for which they are being processed.

If we store your data beyond this period, we do so either for compliance with an applicable statutory retention period (e.g., due to tax, commercial or social law regulations) or because your data may be required for the establishment, exercise, or defence of legal claims. In the latter case, the retention period is determined by the applicable statute of limitations.

In Switzerland, the retention periods under tax, commercial, and social laws are 10 years. The general statute of limitations for civil law claims is also at 10 years, although indemnification claims may also be subject to shorter (particularly when becoming aware of the loss and the obligation to indemnify) or longer periods (for instance in case of tort).

CCTV footage is generally not retained for longer than 30 days, provided a security incident does not require their processing beyond this period.

Since the retention periods may vary considerably depending on the processing and the respective situation, we kindly ask you to contact our data protection advisor in case of specific inquiries.

Data Subject Rights

You may exercise the following rights against us at one of the aforementioned addresses:

• Confirmation and access to the personal data concerning you (Art. 25 FADP, Art. 15 GDPR);
• Rectification or completion of inaccurate or incomplete data (Art. 32 (1) FADP, Art. 16 GDPR);
• Immediate erasure of data concerning you (Art. 6 (4) and 30 (2) (a) & (b) FADP, Art. 17 GDPR), or the restriction of the processing in accordance with Art. 18 GDPR, provided the processing of your personal data is subject to the law of the European Union and the deletion has not yet to be considered for reasons pursuant to Art. 17 (3) GDPR;
• Reception of the data concerning you, and which have been provided by you, in a structured, common and machine-readable format as well as transmission of those data to other providers/controllers (Art. 28 FADP, Art. 20 GDPR).

If we should process your data on the basis of consent as referred to in Art. 6 (6) and (7) FADP, Art. 7 GDPR, you also have the right to withdraw this consent at any given time and without providing any justification. Any consent is generally obtained by means of a separate written declaration, in which you are again expressly informed about your right of withdrawal and the processing activities performed on the basis of this consent.

Furthermore, you have the right to lodge a notification/complaint with the supervisory authorities listed below, if you are of the opinion that the processing of personal data relating to you infringes any of the data protection regulations (Art. 49 (1), 58 (1) (d) FADP, Art. 77 GDPR).

Finally, we would like to inform you that none of the processes used in the course of the processing of your personal data makes you subject to a solely automated individual decision-making. To the extent automated decisions are made through our processes - especially when using AI technologies - these are exclusively upstream administrative processes serving the preparation of a final decision made by a natural person. Thereby, we ensure by means of appropriate internal control procedures, training, and guidelines that the final decision-making processes are not adversely affected by the automated upstream processing and that they remain transparent and auditable at any time.

Data protection authority for AXA XL's activities in the terri-tory of the Swiss Confederation (Art. 49 FADP, Art. 55 GDPR):

Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
3003 Berne
Lead Data Protection Authority regarding AXA XL's activities in the territory of the European Economic Area (Art. 55 FADP, Art. 56 (1) GDPR):

Data Protection Commission
(An Coimisiún um Chosaint Sonraí)

21 Fitzwilliam Square South
Dublin 2
D02 RD28
Eire

Regarding the activities of XL É«¶à¶àÊÓƵ Company SE, XL Catlin Services SE or XL RE Europe SE, a notification/complaint can be lodged with either of these authorities. Please note, however, that notifications/complaints in German, French, Italian, or Romansh should be addressed exclusively to the FDPIC. Depending on the subject matter of your complaint, it is also possible that it may be transferred between the two authorities according to their differ-ent competences under Art. 55 and 56 GDPR and Art. 49, 55 FADP).

February 2025