Privacy policy for insurance products

"Personal data" (also "personal data") is data relating to an identified or identifiable person; in other words, the data or corresponding additional data can be used to make inferences about their identity. "Sensitive personal data" (also "special categories of personal data") is a category of personal data whose processing may be subject to special requirements. Sensitive personal data may include data from which ethnic origin can be discerned, data relating to health, data concerning religious or philosophical beliefs, biometric data for identification purposes and data concerning trade union membership. In sub-paragraph 3, you will find details of the data that we process within the scope of this Privacy Policy. 

For each data processing operation, there are one or more bodies who bear primary responsibility for ensuring that the data processing complies with the requirements of data protection law. This body is referred to as the "data controller" or “controller”. It is responsible, among other things, for responding to requests for information (sub-paragraph 10) or for ensuring that personal data is secure and not used in a way that deviates from what we tell you or from what is permitted by law. Details of third parties with whom we cooperate and who are responsible for their own processing can be found in sub-paragraph 3, sub-paragraph 4 and in sub-paragraph6.

Master data primarily includes information such as your name, address, email address, telephone number and other contact details, date and  place of birth, age, gender, nationality and hometown, details from identification documents (such as from your passport or ID card), your customer number and other details such as your tax number or tax country.

This data also includes information about relationships with third parties who are also affected by the data processing. In the case of motor vehicle insurance, for example, this would be information (such as name, date of birth or nationality) on the most frequent driver; in the case of collective personal insurance, this would be information about on the insured employees or, in the case of life insurance, this would be information on the beneficiary or the beneficial owner, as well as correspondence recipients, premium payers and other persons involved in the contract and, if applicable, information about family members.

In the case of customers and other contractual partners who are companies, we process data concerning our contact persons, this may include name and address, details of titles, position in the company, qualifications and, where applicable, details of supervisors and employees. Depending on the area of activity, we are also required to check the company in question and its employees more closely, for example, by carrying out a security audit. In this case, we collect and process additional data, if necessary also from third party providers. 

We often obtain master data from you, for example in application documents, but we may also obtain data from third parties such as providers of address updates or the commercial register. 

This data includes information about the conclusion of the contract (including consultations and our assessment of the risks), about your contracts, for example the type and date of contract conclusion and information stemming from the application process such as material risk factors and further information about the contract in question (such as insured risk, insured object, sum insured, salary amounts, premium, duration of contract, details of prior and additional insurance policies) as well as details of any previous claims and information stemming from the processing and administration of the contracts (such as details provided in the context of invoicing, advice and customer service). Contract data also includes information about complaints about and adjustments to a contract, as well as information about customer satisfaction, which we may collect, for example, by means of surveys.

When settling claims, we process additional data such as the notification of claims, claim number, amount of claims, details of third parties, for example, injured parties and persons involved such as co-drivers and other details in connection with the assessment of the claim, including particularly sensitive personal data such as health data. To do this, we cooperate with third parties such as experts, doctors and other service suppliers, from whom we also receive data – including health data – where applicable with your separate release declaration. We also participate in HIS, a notification and information system used by the insurance industry, and process information about certain circumstances in connection with claims reviews in the case of motor vehicle, personal liability and professional indemnity, building, contents, technical and other property insurance, which we may report to and retrieve from HIS. In the event of a positive query result, we may share related data with other insurers with your separate consent. Further information on HIS can be found under sub-paragraph 4.

Depending on the insurance product, we process additional data in connection with the insurance contract, for example

• in the case of security deposit insurance and, in particular, rental security deposit insurance, this may include information on the deposit, on coinsured persons, correspondence recipients, landlords, property managers, rented property, previous insurance policies, material risk factors, outstanding debt enforcement proceedings and the companies involved, as well as data from any documents that may be attached, such as rental agreements, liability policies, business reports and business plans, and also information on surety recipients; 
• in the case of construction insurance and contractor’s liability insurance, this may include details of the property under construction, material risk factors, the concerned activity, sureties, turnover, salary amounts, association memberships, as well as details of contact persons, correspondence recipients, surety and guarantee beneficiaries, joint venture partners and brokers; 
• in the case of buildings insurance, this may include details of financing and ownership of land and residential property, location, type of building, construction type, purchase price, further details of the property including photographic documentation, as well as details of new owner if applicable; 
• in the case of household contents insurance, this may include information concerning the livingand housing situation, such as number of rooms, canton of residence, value of household contents, ownership situation, number of persons in the same household; 
• in the case of property and technical insurance, this may include details of the type of business, make, model, value and age of the items to be insured, photographs and proof of purchase for these items, information about their location, previous insurance policies, material risk factors, NOGA code, legal form, annual turnover, business inventory, main and secondary place of insurance, AHV annual salary sum, fee sum, fire extinguishing conditions, construction class, security devices for fire and theft, as well as details of coinsured persons, operators, property owners, suppliers, auditing companies and clients entrusted with audits, guarantee beneficiaries, assignees and brokers; 
• in the case of personal liability insurance and professional indemnity insurance, this may include details of activity or event, previous insurances, material risk factors, living and residential situation and canton of residence. Where necessary, we also process company data such as salary amounts, turnover, turnover splits, personnel data and other data regarding operations, products and services, as well as information about contracts with customers, buyers and contractual partners, as well as data on training, coinsured persons, contact persons, operators, property owners and data from use, easement and cooperation contracts;
• in the case of accident and daily sickness benefits insurance, this may include information on the company, location, the persons to be insured, their workloads and salary amounts, information on their state of health and previous accidents or illnesses, as well as information on previous insurers, co-insurers and reinsurers, recipients of correspondence, involved doctors and brokers;
• in the case of motor vehicle insurance, this may include information on the license plate, vehicle and mileage (such as information on loss of driver's license), no-claims classes, events of a loss (bonus/penalty) and vehicle financing, as well as use in a private or commercial capacity. It may also include data from Car Claims Info, a system for combating abuse in the area of motor vehicle insurance (further information on Car Claims Info can be found under sub-paragraph 4), information about health status, date of birth, gender and nationality and information about the previous check as to whether a claim has already been paid by another insurance company; 
• in the case of guarantee insurance for motor vehicles and real estate warranty, this may include information on the make, model, motorization, license plate, type certificate and chassis number in the case of motor vehicles or type of property, year of construction, age of the individual components as well as further details about the real estate including photo documentation and, if applicable, details of the new owner in the case of real estate;
• in the case of transport insurance, this many include details of transported annual turnover, means and routes of transport, previous insurances and material risk factors; 
• in the case of life insurance, this may include information on family and financial situation (such as number of people in the same household, occupation and branch of activity), on health and capacity for work, as well as on material risk factors and previous insurance polices, information on the various parties involved in the contract, as well as contact details of attending physicians.

This data may include information on income from employment, pensions and income from capital investments, additional details about assets and information about your risk and investment profile, your risk tolerance and your knowledge and experience in relation to financial products. It may also include information used to determine creditworthiness (i.e. information which allows conclusions to be drawn about the likelihood that claims will be settled) and information concerning the origin of assets, as well as data regarding the payment of premiums (including bank details, account numbers and credit card details), payment reminders and the collection of claims (e.g. premium claims). 

We receive this data from you,  for example, in the context of payments that you make, as well as from credit agencies and from publicly accessible sources.

Behavioral data is information about certain actions, for example, payments, your use of electronic communications (such as whether and when you opened an email), your use of our websites (such as your location and other information when you use a website of ours; take note in this regard of the corresponding separate data privacy information), about the purchases of products and services from us, your interaction with our social media profiles, your contacts with sales partners and your participation in events, competitions, contests and similar events.

Preference data tells us, for example, what your likely needs are, what products or services might be of interest to you, or when and how you are likely to respond to messages from us; this helps us to get to know you better, tailor our advice and offers more accurately to you and generally improve our offers. We obtain this information from analysis of existing data such as behavioral data.... In order to improve the quality of our analyses, we may combine this data with other data that we also obtain from third parties such as address dealers, websites and government offices; this may include information on your household size, income class and purchasing power, shopping behavior, contact details of relatives and anonymous information from statistical offices.

Communication data includes your name and contact details, the manner, place and time of the communication and its content, such as details in emails or letters from you or to you or from third parties or to third parties, if the latter also relate to you. We collect communication data, for example, when you contact us via our Customer Service or a Customer Consultant or via a website or app, or chatbot on the internet.

For example, data (such as files or evidence) accrues in connection with official or judicial proceedings, and some of this may also relate to you. We may also collect data for health protection reasons (for example, in the context of protection concepts). We may obtain or produce photographs, videos and audio recordings in which you may be identifiable (for example, at events, via security cameras etc.). We may also collect data about who enters certain buildings and when (including in the case of access controls, on the basis of registration data or visitor lists, etc.), who participates in events or campaigns (such as competitions) and when or who uses our infrastructure and systems.

These bodies may, for instance, include other Zurich Group companies and distributors, credit reporting agencies, media monitoring companies, financial service providers and banks from which you transfer assets to us or make transfers to us, address data providers, internet analysis services, public authorities, other insurers, parties to proceedings and publicly available sources such as the commercial register, media and sources on the Internet, public registers, media, etc.

We only make certain offers available to you – such as the use of a Zurich online portal or that of one of our partners, online claims reporting or participation in a virtual event – when you provide us with registration data, because we or our contractual partners want to know who is using our services or has accepted an invitation to an event, because it is technically necessary or because we want to communicate with you. If you or someone you represent (such as your employer) wish to enter into or perform a contract with us, we need to collect relevant master, contract  and communication data from you, and we process technical data when you use our website or other electronic offers. If you do not provide us with the data required to conclude and perform the contract, you must expect that we will refuse to conclude the contract, that you will be in breach of contract or that we will not be able to perform a contract. Likewise, we can only send you a response to a request you have made if we process the relevant communication data and, if you communicate with us online, technical data as well. It is not possible to use our website without us receiving technical data. And when you interact with us or we interact with you, behavioral data is generated.

This includes, among other things, the legally regulated combating of money laundering and the terrorism financing. In certain cases, this may oblige us to make inquiries (Know Your Customer) or to file reports. The fulfillment of disclosure, information or reporting obligations – such as  in connection with supervisory and tax obligations – also presupposes or entails data processing, for example, in the context of automatic information exchange, fulfillment of archiving obligations and to support of the prevention, detection and clarification of criminal offenses and other violations. This includes receiving and processing complaints and other reports, monitoring communications, conducting internal investigations or disclosing records to a government agency when we have a material reason are legally required to do so. Your personal data may also be processed in the course of external investigations, for example by a regulatory authority. For these purposes, we process, in particular, your master data, your contract and claims data and financial data, communication data and, under certain circumstances, behavioral data. The legal obligations can stem from Swiss law as well as foreign provisions to which we are subject, as well as self-regulations, industry standards, our own corporate governance and official instructions and requests.

In the course of contract initiation and contract conclusion, personal data – in particular master data, contract data, financial data and communication data – are collected about potential customers for the purposes of consultations and risk assessment. We collect this data (e.g. using an application form) and in general via our sales organization. Our sales partners include e.g. independent general agencies, intermediaries and brokers. The information received during contract initiation and contract conclusion is reviewed for compliance with legal requirements (such as compliance with anti-money laundering and anti-fraud regulations). When initiating and concluding a contract, under certain circumstances we also process particularly sensitive data, such as health data for consultations, risk assessment and premium calculation .

When processing contractual relationships, we process data for the purposes of managing the customer relationship, to settle claims or benefits, to provide consultations and for customer care (including to measure and document the compensation of sales partners) This also includes reviewing claims and benefits. In particular, we also process claims data, including health data, data that we obtain from third parties such as external experts and doctors (for more information on this, please see sub-paragraph 3) and other data that arise in the context of these purposes or are required for them. In the event of a claim or benefit, in the event of regress to a liable third party (or its liability insurer), the data required for this purpose may be processed and transmitted. The enforcement of legal claims stemming from contracts (debt collection, court proceedings, etc.) also form part of the processing, as do accounting, termination of contracts and public communication.

In order to conclude contracts and process contractual relationships, we involve third parties, such as IT and logistics companies, advertising service suppliers, banks, other insurance companies or credit reference agencies, who may in turn provide us with data.

When cooperating with companies and business partners, such as partners in projects or cooperating with parties in legal disputes, we also process data to process and initiate contracts, for planning, for accounting purposes and other purposes related to the contract.

For these purposes, we process, in particular, master data, contract and claims data and financial data, as well as communication data and behavioral data. For example, we must take measures against insurance fraud. This includes clarifications in the event of a claim or benefit, which may also be made with third parties such as doctors and experts. In the case of policyholders with a registered office or place of residence in Switzerland, we can also handle queries in the HIS information systems and in motor vehicle insurance at CarClaims Info. HIS is a notification and information system operated by SVV Solution AG, Zurich. Participating insurers report certain circumstances that propose investigating an event of a loss in detail and can query corresponding reports from other participating insurers. In the event of a positive query result, we may also share the related data with other participating insurers with your separate consent. Information from HIS will only be used in connection with the claims investigation. For more information about HIS and your corresponding rights, please visit www.svv.ch/de/his. In order to combat fraud in motor vehicle insurance, we may forward vehicle claim information to SVV Solution AG for entry in the electronic Car Claims database. This makes it possible to check whether a registered vehicle claim has already been paid by another insurance company. In the event of a justified suspicion, a corresponding exchange of data may take place between the companies (such as vehicle expertise, compensation agreement). We may also create and process profiles (see sub-paragraph 5) for the above purposes and in order to protect you and us from illicit or abusive activities.

We strive to continuously improve our products and services and to be able to react quickly to changing needs. We therefore analyze, for example, which products are used by which groups of people in what way and design possibilities for new products and services. This gives us an indication of the market acceptance for existing products and services and the market potential of new ones. To this end, we process, in particular, your master data, behavioral data and preference data, as well as communication data and information from customer surveys, polls and studies and other information, such as from the media, from social media, from the Internet and from other public sources. As far as possible, however, we use pseudonymized or anonymized data for these purposes. We may also use media monitoring services or perform media monitoring ourselves, whereby we process personal data in order to carry out media work or to understand and respond to current developments and trends.

For example, we may send you information, advertising and product offers provided by us and third parties in the insurance and other sectors as well as newsletters and other periodic communications. Such communications may also be made as part of individual marketing campaigns (e.g. events, competitions, etc.). We personalize some of these communications in order to provide you with customized information and offers that meet your needs and interests. To do this, we link data that we process about you, determine preference data and use this data as the basis for personalization (see sub-paragraph 3). We may also carry out profiling for marketing purposes (see sub-paragraph 5). We also process data in connection with contests, competitions and similar events. Customer care also includes addressing existing customers – in a manner that may be personalized on the basis of behavioral and preference data or data from customer surveys – and organizing customer events (such as sponsoring , sports and cultural events and promotional events). In the case of customer events, we process personal data to carry out the events, as well as to inform the participants and to provide them with information and advertising before, during and after the event.

All of this processing is important to enable us to promote our offers in a way that is most relevant to your needs, to personalize our relationships with customers and other third parties and to use our resources efficiently. We adhere to the particular law applicable in the case of such processing and if necessary obtain your separate consent.

We continuously review and improve the appropriate security of facilities and buildings and our IT. In doing so, we process data, among other reasons, in connection with the surveillance of buildings and publicly accessible premises. Ensuring adequate security is also very important, especially for digitized products. Like all companies, we cannot rule out data breaches with absolute certainty, but we do our best to reduce the risks. We therefore process data, for purposes such as monitoring, control, analysis and testing of our networks and IT infrastructures, to carry out system and error checks, for documentation purposes and in the context of security copies.

These other purposes may include training and educational purposes, administrative purposes (such as the administration of master data, accounting and data archiving or the administration of real estate and the testing, administration and ongoing improvement of IT infrastructure), the protection of our rights (for example, to enforce claims in or out of court and before authorities in Switzerland and abroad or to defend ourselves against claims, for example by preserving evidence, through legal clarifications and by participating in judicial or official proceedings), the evaluation and improvement of internal processes and the general preparation of anonymous statistics and evaluations. In the course of developing our business, we may also sell or acquire businesses, operations or companies to or from other companies or enter into partnerships, which may also result in the exchange and processing of data (including from you, for example, as a customer or supplier or as a supplier representative). This also includes the protection of other legitimate interests, which cannot be named exhaustively.

Profiling is the automated processing of data for analysis and forecasting purposes. The most significant examples are profiling for the purpose of combating money laundering and terrorist financing, combating abuse, checking creditworthiness, individualized risk measurement and  assessment as a necessary basis for calculating the insurance contract, for customer care and possibly for marketing purposes For the same purposes, we may also create profiles, i.e. we may combine behavioral and preference data, as well as master, contract data and technical data assigned to you, in order to better understand you as a person and your different interests and personal needs. In both cases, we pay attention to the appropriateness and reliability of the results and take measures against misuse of these profiles or profiling.

In each individual case, we will inform you if an automated decision creates negative legal consequences or a comparable significant impairment. In this case, you shall have the rights set out in sub-paragraph 10 if you do not agree with the outcome of the decision.

When settling claims and making corresponding clarifications, personal data may be disclosed to, for example, doctors and other service suppliers, experts, information services such as SVV Solution AG (in connection with the Car Claims Info and HIS systems; see sub-paragraphs 3 and 4), authorities, courts, information clerks and lawyers.

In the interest of all policyholders, data is exchanged with previous insurers, co-insurers and reinsurers in Switzerland and abroad for the purpose of risk assessment and distribution. One example of this is previous insurers, whom we query as to whether a claim was insured with them and whether benefits were paid, under disclosure of your personal details (such as surname, first name, address and date of birth). We can also exchange data with social insurers or liability insurers, especially in the case of recourse. In connection with the settlement of claims, we may also – with your separate consent, if necessary – exchange related information with other insurers. You will find further information on this under sub-paragraphs 3 and 4.

In addition to master data, this may include information on the contractual term, performance and  termination of the contract, the sum insured and coverage, claims data, further information on the assessment of compensation and for the – also personalized – marketing of our products. Sales partners are legally and contractually obliged to observe the provisions of the Data Protection Act.

We may involve third parties to carry out address verification, credit checks and for debt collection purposes and disclose data, such as that concerning outstanding debts and your payment history, to them in the process.

Where necessary, we may share your information with other companies belonging to the Zurich Group, in particular for the purpose of risk measurement and  assessment and the provision of reinsurance solutions. In order to offer you the best possible insurance coverage and individualized financial solutions, we may disclose your data – in particular your master data, contract data and registration data as well as behavioral and preference data – to other companies belonging to the Zurich Group for the purpose of offering products and services tailored to your individual needs.

In the context of exercising of rights, defense of claims and fulfillment of legal requirements, we may disclose personal data to public authorities, agencies, courts and other public bodies, for example in the context of official, judicial and pre- and extra-judicial proceedings and in the context of legal obligations to provide information and to cooperate. Data is also disclosed if we obtain information from public bodies, for example, in connection with claims processing. Public authorities are responsible for processing data about you that they receive from us.

We may disclose data, for example, to individuals involved in proceedings before courts or authorities (for example, in the case of regress to the liable third party or its liability insurer), as well as potential purchasers of companies, receivables and other assets and, in the case of securitizations, to financing companies and to other third parties, about whom we will inform you separately where possible, for example, in declarations of consent or special privacy policies. Other individuals include, in particular, payment recipients, authorized representatives, correspondent banks, other financial institutions and other bodies involved in a legal transaction.

We procure services from third parties to ensure that we can deliver our products and services securely and cost-effectively and that we can concentrate on our core competencies. These services for example involve distribution by particular sales partners (on this, see sub-paragraph [3]),IT services, the dispatch of information, marketing, sales, communication or printing services, facility management, security and cleaning, the organization and holding of events and receptions, debt collection, credit agencies, anti-fraud measures and services provided by consulting firms, auditing firms and claims service suppliers. In each case, we provide service suppliers with the data necessaryfor their services. One example is hosting service suppliers who store electronic data on our behalf, which may include sensitive data such as health data. These service suppliers are each subject to contractual and/or statutory confidentiality and data protection obligations. They may exceptionally use such data for their own purposes in justified cases, for example, information on outstanding debts and your payment history in the case of credit agencies or anonymized information for the purpose of improving services.

In many cases, it is also necessary to disclose confidential data in order to process contracts or provide other services. Even non-disclosure agreements neither generally exclude this type of data disclosure, nor disclosure to service suppliers. However, given the sensitivity of the data and other circumstances, we take care to ensure that these third parties handle the data in an appropriate manner.

Many countries outside Switzerland or the EU and EEA currently do not have laws that guarantee an adequate level of data protection from the perspective of the Swiss Federal Acton Data Protection or the GDPR. The contractual arrangements mentioned above may partially compensate for this weaker or missing statutory protection. However, contractual precautions cannot eliminate all risks (with particular regard to state intervention abroad). You should be aware of these residual risks, even though the risk may be low in individual cases and we have taken additional measures (such as pseudonymization or anonymization) to minimize it. 

Therefore, the period for which we retain data depends on legal and internal regulations and on the purposes of processing (see sub-paragraph 4), which also include the protection of our interests (for example, to enforce or defend claims, for archiving purposes and to ensure IT security). 

Documentation and evidence purposes include our interest, processes, interactions and other facts in the event of legal claims and other discrepancies, for IT and infrastructure security purposes and to provide evidence of good corporate governance and compliance. Retention may be technically necessary if certain data cannot be separated from other data and we therefore need to retain it with this other data (such as in the case of backups or document management systems).

Our security measures include measures such as encrypting and pseudonymizing data, logging, access restrictions, storage of backup copies, instructions to our employees, confidentiality agreements, audits, etc. We also oblige our contracted data processors to take appropriate security measures. In general, however, security risks cannot be completely ruled out; certain residual risks are unavoidable. 

When your data is transmitted via our web pages, we protect it during transport using suitable encryption mechanisms. However, we can only secure areas that are under our control. 

If you contact us by email, you do so at your own risk and agree that we may respond to you to the sender's address via the same channel. If you send us emails via the Internet in unencrypted form, third parties may be able to access, view and manipulate them. 

In particular, we may need to process and store your personal data in order to perform a contract with you, to protect our legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. To the extent legally permissible, in particular to protect the rights and freedoms of other data subjects and to safeguard sensitive interests, we may therefore also reject a data subject’s request in whole or in part (for example, by blacking out certain content relating to third parties or our trade secrets).