PRIVACY NOTICE FOR BUSINESS PARTNERS, SERVICE PROVIDERS AND/OR THEIR CONTACT PERSONS
29 January 2021
Sirius International Insurance Corporation (publ) (“Sirius International”) is an international insurer and reinsurer based in Sweden focused on Property, Accident & Health and other short tail lines of business and part of SiriusPoint Ltd. Sirius International Managing Agency Ltd (SIMA) is a Lloyd’s Managing Agency responsible for Sirius International’s Syndicate 1945. It is crucial to Sirius International and SIMA to conduct its business in an honest and transparent manner and to process personal data in compliance with applicable legislation and with a high standard of care and protection.
In this notice, we will explain how your personal data will be processed, and inform you of your rights as a business partner, service provider and/or contact person of such a partner or service provider, e.g. as an employee working at an insurance company or a broker.
1. Responsible Data Controller
Sirius International and SIMA are the data controllers depending on which entity you are dealing with and are responsible for the processing of your personal data. Contact information for our Data Protection Officers can be found below under Contact details. We, us or our in the text below refers to Sirius International and SIMA.
2. The personal data we may process about you and the sources providing the data
We process the personal data that you provide to us in the course of our business relationship. We will also process, to the extent necessary, any personal data that we legitimately either obtain from public sources (e.g. company publications, media reports, internet) or receive from other companies in SiriusPoint Ltd. The respective personal data mainly includes your business contact information, your position, our business correspondence with you, and in the UK, coverholders’ CV.
3. The purposes and legal grounds for processing your personal data
We process your personal data in accordance with the European General Data Protection Regulation (“GDPR”) and other relevant data protection laws for the purposes and on the legal basis as set out below.
a. To fulfil (pre-)contractual duties
In those cases, where we have a contract directly with you (the data subject), we will process your personal data as far as the processing is necessary for the performance of our contract with you or in order to act at your request prior to entering into a contract with you. The processing will be performed in the context of preparing, executing and terminating our agreement. We will process your personal data mainly to contact you and to communicate with you.
b. For the purposes of pursuing our legitimate interests
Where you are acting on behalf of your company (for example as an employee at an insurance company, a broker, intermediary or a service provider) we will process your personal data based on our legitimate interest to pursue our business and to perform our contract with your company. The processing will be performed in the context of preparing, executing and terminating insurance and reinsurance arrangements in all lines of business or in connection with other services. We will process your personal data mainly to contact you and to communicate with you and/or your company.
Where necessary, we will process your data beyond the actual framework of our business relationship, based on our legitimate interests to communicate with you and keep you informed of our business and insurance products. Some examples of this would be:
i. Sending digital or postal greeting cards to business partners, for example at Christmas or on corporate anniversaries
ii. Sending press releases
iii. Invitations to events or sales activities
Where necessary, we will also process your personal data based on our legitimate interest to establish, exercise or defend legal claims, for example in the event of a dispute or controversy between us and you and/or your company.
c. Based on legal obligation
We may also process your personal data to fulfil our legal duties, e.g. based on tax, book-keeping or supervisory provisions.
4. Third parties we may disclose your data to
Only those staff within Sirius International / SIMA who need your data for the aforementioned purposes will have access to it.
External service providers
We may disclose your personal data to others for the purposes mentioned above under section 3, e.g. to other companies within our company group, tax authorities or external service providers such as IT-service providers or service providers that we engage to distribute your business information (such as brochures by mail and issuing electronic press releases). Where applicable, we have concluded data processing agreements with external service providers.
5. International transfers
If we need to transfer your personal data to recipients in countries outside the EU/EEA-area, we will do so only if
a) the European Commission has confirmed that the respective country’s level of data protection is sufficient, or
b) data protection is otherwise sufficiently guaranteed (for example, through the European Commission’s standard contractual clauses), or
c) a derogation for a specific situation is applicable, such as obtaining your consent or necessity for the establishment, exercise or defense of legal claims. If so provided under applicable legislation, you are upon request entitled to receive a copy of any documentation demonstrating that appropriate safeguards have been taken in order to protect your personal data during a transfer outside the EU/EEA-area.
6. Retention of your personal data
We will delete your personal data when it is no longer necessary for the aforementioned purposes, unless a longer storage period is required for legitimate reasons or required by law. The methods and criteria used to determine the storage periods include: (i) as long as we have an ongoing business relationship with you or the company you work for, but sooner if the purpose has been fulfilled and no legitimate reasons exist for continuing to store the data; (ii) as required by a legal obligation to which Sirius International is subject (for example to retain book keeping materials); and (iii) to meet applicable statutes of limitations, for example to exercise, establish or defend claims, litigation or investigations.
7. Your rights
If you have any questions in relation to our use of your personal data, you should first contact our Data Protection Officer (see section 12 for contact details). Under certain conditions, you may have the right to:
- Request access to your personal data, be provided with supplementary information and be provided with a copy of your personal data.
- Request us to rectify the data, if you think any of your personal data is inaccurate or incomplete.
- Have your personal data erased. This does not apply if, for example, Sirius has a legal obligation to keep your personal data.
- Request that processing of your personal data is restricted. This means (with some exceptions) that your personal data will not be processed further (other than being stored in Sirius’ systems). In case you request restriction it might have adverse consequences for you in so far as we might be unable to fulfil the contract with you or your company as long as the processing is restricted.
- Receive a copy of your personal data in a structured, commonly used machine-readable format (data portability).
- Object to the processing of your personal data. Unless Sirius demonstrates compelling legitimate grounds that override your interest of integrity, we must no longer process the data.
8. Withdrawal of Consent
If consent is the legal basis of the processing of your personal data, you have the right to withdraw that consent at any time, for any future processing.
9. Automated individual decision-making
No automated individual decision-making or so called profiling occurs in relation to your personal data.
10. Further processing for other purposes
If in the future Sirius International intends to process your personal data for a purpose other than that for which it was collected, we will provide you with information on that purpose and any other relevant information.
11. Your right to complain to a supervisory authority
If you are not satisfied with our use of your personal data or our response to any request by you to exercise any of your rights stated above, or if you think that we have breached the GDPR, then you have the right to complain to a local Data Protection supervisory authority, e.g. in the EU Member State of your habitual residence, place of work or place of the alleged infringement. Below are contact details of the supervisory authorities in Sweden, UK and Germany, from where Sirius International mainly conducts its business.
Sweden – Datainspektionen, www.datainspektionen.se, telephone +46(0) 657 61 00.
UK – the Information Commissioner’s Office (ICO), www.ico.org.uk/concerns, telephone 0303 123 1113 or +44 1625 545 700 if you are calling from outside the UK.
Data Protection Officer
Sirius International Insurance Corporation
SE-113 96 Stockholm
Telephone: +46 (0)8 458 5500 (Switchboard)
E-mail: [email protected]
Data Protection Officer
Sirius International Insurance Corporation UK branch / Sirius International Managing Agency Limited
20 Fenchurch Street
London EC3M 3BY
Telephone: +44 (0)203 772 1000 (Switchboard)
E-mail: [email protected]