skip to main content

Privacy at Chubb

At Chubb, we collect and process personal data from natural persons on a daily basis, including policyholders, claimants or business partners. Chubb is aware of its responsibility to treat personal data entrusted to it with care and to keep it safe, always in accordance with the provisions of applicable law.

How this Policy applies

The purpose of this Policy is to provide a clear explanation of when, why and how we collect and use information from a data subject ("personal data").

Chubb has developed this policy in order to facilitate its understanding. To find out more or explore an individual item that interests you, click on one of the following titles in the Index.

Important

We recommend that you read this Policy carefully. It provides important information about how we use the personal data that is provided to us and explains the rights that data subjects have in accordance with applicable law. This Policy is not intended to replace the terms of any insurance policy or contract entered into with Chubb, nor any rights that assist the data subject in accordance with data protection legislation.

Updated May 2020

Chubb is an insurance group, which includes the brands Combined Insurance and ACE Europe Life. The Chubb Group, originally responsible for the collection of personal data, is the controller of your personal data (it is the controller responsible for processing the data). If you have taken out an insurance policy with Chubb, it will be Chubb’s name that will appear on Your policy.

The data subject will be able to obtain information about the identity of all the companies that process the personal data that concern him, under the insurance contract signed with Chubb in the following terms:

When the insurance policy has been subscribed directly by the policyholder: Chubb and/or its broker, if there has been intermediation by an insurance broker, your name, address, ITIN and contact details will be collected.

When your employer or a third party has underwritten an insurance policy for your benefit: you should contact your employer to provide you with information regarding Chubb.

When your personal data has been communicated to another data controller (for example, a reinsurer): the first data controller will inform you about the identity of the other data controllers with whom you have shared your personal data, who can be contacted by the data subject if he wishes to obtain information on the use of his personal data, as described in Item 6 of this Policy.

A description of the entities that are part of the Chubb Group is available at [https://www2.chubb.com/uk-en/about-us/business-structure.aspx].

The data subject must be aware that, although the main data controller is a Chubb Group company, there is information that can be kept in databases that can be accessed by other Chubb Group companies. In any case, when other Chubb Group companies access your personal data, all the rules stipulated in this Policy are complied with.

Insured. For the underwriting and management of insurance policies, we collect information from the policyholder and other parties to the contract. This information may include information and contact details of the policyholder or his representative and other data relevant to the assessment of risk and the management of insurance policies. The policyholder or stipulator can be a natural person, a legal entity or a representative. The level and type of personal data that we collect and process varies depending on the type of policy contracted and may include information about other natural persons that have to be considered covered by the policy. In some cases, Chubb may need to collect and process sensitive personal data, such as information about the insured's health status. To that end, Chubb must ensure that there is a legal provision that authorizes the processing of such data - see Item 5.

If you are an insured, during the contract, it is possible that you will have to provide us with personal data of third parties, for example, data of injured third parties in the context of a claim covered by a civil liability policy. Whenever possible, it must be ensured that appropriate measures are taken to inform the injured third parties of the need to communicate their data to Chubb, as an insurer. The respective personal data of the injured third parties will be treated in accordance with this Policy.

Claimants. If a claim is made in connection with a policy, we will collect your basic contact details, along with information about the nature of the claim and any claims previously filed. If you are an insured, Chubb will need to check certain information on the policy that you are listed as an insured, as well as your claim history. Depending on the nature of your claim, Chubb may have to collect and process sensitive personal data, such as information about injuries you have suffered during an accident.

Business partners.  As a business partner, we will collect your professional contacts. We may also collect information about your qualifications and your professional experience.

For more information on the data we collect, click here

Policyholders

  • We will collect information directly from the subject in an insurance proposal.
  • Information about the subject may also be provided to Chubb through an insurance broker, his employer, family members or third parties who subscribe to an insurance policy in which he is designated or in which he is a beneficiary.
  • Within the legally authorized scope, Chubb may collect information from the subject from other sources, when necessary to effectively manage the acceptance of the risk associated with a policy and/or assist in the fight against financial crime. These other sources may include public records and databases managed by credit reporting agencies and other reputable organizations.

Claimants

  • We will collect information about the data subject when they file a claim with Chubb. The claim may be reported directly by the data subject or through his representative, insurance broker or Chubb representatives who manage claims on his behalf.
  • Chubb may also collect information about the data subject if the claim is filed by another person who has a close relationship with the data subject or is related to the claim for other reasons - for example, if the policyholder is your employer or if is involved in a third party claim.
  • Information may also be provided to us by your lawyers (or by lawyers representing your employer).
  • To the extent legally authorized, Chubb may collect information from other sources when necessary to help validate claims and/in the fight against financial crime. These other sources may include public records, social communication and other online sources, credit reporting agencies and other reputable organizations.

Business partners

  • We will collect information about the subject if he or his company provides us with their contact details or other information in the context of our collaboration, either directly as a business partner or as a representative of your company.
  • We may also collect information about the subject if he participates in meetings, events or conferences that we organize or if he subscribes to one of our newsletters or information services.
  • We may collect information from other public sources (for example, the subject's employer website), when we deem it necessary to help manage relationships with our business partners.
  • If you contact Chubb by phone (for example, to file a claim or discuss that claim with us) or if Chubb calls you (for example, to offer you an insurance policy), we must record the phone call, as required by law. We can also use Interactive Voice Response technology (IVR) to automate responses to voice commands and to analyze call recording data. We use call recordings as proof of your agreement to subscribe to an insurance policy or claim, to train our staff and to provide an accurate call record in case of complaints or questions. We can also analyze call recordings using automated technology in order to detect customer service failures (and thus resolve those failures) or to detect potential evidence of fraud.

Policyholders.If you are an insured, we will use your personal data to evaluate the application for subscription of an insurance policy, consider and evaluate risks for contracting and issuing a policy. The risk assessment process may involve profiling. After a policy is issued, Chubb will use your personal data to manage your policy, which includes answering your questions and managing the renewal process. As an insurer, Chubb will also use your personal data for the purpose of fulfilling its legal obligations.

Claimants.If you are a claimant, we will use your personal data to assess the merit of your claim and eventually pay compensation. Chubb may also have to use your personal data to assess the potential risk of fraud, a process that may involve profiling, which is based on automated processes. If you are also an insured, we will use personal data related to your claim to set up the renewal process and evaluate any future requests for contracting new policies.

Business partners. If you are a business partner, Chubb will use your personal data for the management of the contractual relationship, which includes sending marketing materials (when appropriate authorization is given for this purpose) and sending invitations to participate in events. When relevant, we will use your personal data to provide or request the provision of services, manage and administer your contract or with your employer.

Data analysis. Chubb regularly analyzes information in different systems and databases to help improve the way it develops its activity, provide a better service and improve the accuracy of our risk models and other actuarial models. We take steps to protect privacy by aggregating and, where appropriate, to anonymize data fields (especially policy information and claim data, as defined in Appendix 1) before making information available for review.

Chubb guarantees that it only uses your personal data for the purposes described in Item 4 and Appendix 2 when it is sure that:

  1. gave us your consent to use the data for this purpose; or
  2. the use of your personal data by Chubb is necessary to execute a contract or take steps to conclude a contract with the data subject (for example, to manage your insurance policy); or
  3. the use of your personal data by Chubb is necessary to comply with a legal or regulatory obligation (for example, to comply with obligations under the ANPD (National Data Protection Authority), SUSEP (Insurance Regulator), BACEN (Central Bank), among others); or
  4. the use of your personal data by Chubb is necessary to pursue "legitimate interests" that we have as a company (for example, to improve our products or carry out analyzes on our various data sets), provided that we always do so in a way that is balanced and respect your right to privacy; or
  5. the use of your personal data by Chubb is necessary for the regular exercise of rights, including in contract and in judicial, administrative and arbitration proceedings.

Before collecting and/or using sensitive personal data, Chubb must ensure that it is authorized, by legal provision or authorization to proceed with the respective treatment, and that it can benefit from a lawful legal basis that allows it to use that information. This legal basis typically refers to:

  1. your specific and outstanding consent;
  2. the declaration, exercise or defense of a contractual right, in a judicial, administrative or arbitration proceeding, by us or by third parties; or
  3. compliance with regulatory or legal obligation;
  4. the protection of the life or physical safety of the subject or third party;
  5. the guarantee of fraud prevention and security of the subject, in the identification and authentication processes of registration in electronic systems.

ATTENTION.Even if the data subject provides his specific and highlighted consent to allow Chubb to process his sensitive personal data, if this is the appropriate legal basis, he can withdraw his consent at any time. However, the data subject should be aware that if he/she chooses to do so, Chubb may be unable to ensure the continuity of his provision of insurance services (and, when withdrawing his consent for use by an insurer or reinsurer, he may coverage cannot be maintained). This may mean that your policy has to be canceled. If the subject chooses to withdraw his consent, more information will be provided on the potential consequences, including the effects of the cancellation (which may mean that subject may have difficulties in finding coverage with other insurers), as well as on the amounts associated with the cancellation.

Click here to learn more about the information about you that we collect and use and why we think it is appropriate to use that information for the activities in question.

Chubb works with several service providers, who help to manage its activity and the provision of services. These third parties may have access to your personal data.  

For  Policyholders, these third parties may include:

  • insurance brokers and agents, other insurers/reinsurers and external claims managers who work with Chubb to help manage the risk assessment process and administer our policies;
  • service providers  who help manage our IT and administrative systems;
  • our regulators, which may include the ANPD (National Data Protection Authority), SUSEP, BACEN, among others, as well as other regulators and police authorities in Brazil and other countries;
  • credit information agencies and organizations whose mission is to prevent fraud in financial services.
  • lawyers and other equivalent professional firms.

For Claimants, it may include:

  • external claims managers  who work with us to help manage claims processes;
  • adjuster and claims experts  who can help us evaluate and manage claims;
  • service providers  who help using our IT and administrative systems;
  • assistance service providers  that help us assist you in the event of a claim;
  • lawyers representing a self, us or an injured party;
  • credit information agencies and organizations whose mission is to prevent fraud in financial services.

Chubb may also have to comply with legal or regulatory obligations to share your personal data with courts, regulators, law enforcement authorities and, in certain cases, with other insurers and reinsurers. If we sell part of our activities, we will have to transfer your personal data to the buyer.

 

Support service providers:  this is a special category of service providers, which we use to help provide you with emergency services or other assistance associated with certain policies (for example, certain travel insurance policies). 

Brokers: insurance brokers deal and negotiate insurance coverage for individuals or groups and deal directly with insurers, such as Chubb, on behalf of individuals or groups seeking insurance.

Claims experts: a specialist in a specific matter relevant to the assessment of a claim, for example medicine, forensic accounting, mediation or rehabilitation, and who are hired by Chubb to help properly assess the merit and value of a claim, advise on the resolution and the appropriate treatment of the victims.  

Controller responsible for data processing: individuals or groups (for example, a company) that defines the means and purposes of the processing of personal data. For example, a Chubb company that sells you an insurance policy will be responsible for processing the data, since it will define how it will collect the personal data of the subject, the scope of the data that will be collected and the purposes for which they will be used.  

SUSEP: SUSEP, the Superintendence of Private Insurance, is the organ responsible for the control and inspection of the insurance, open private pension, capitalization and reinsurance markets.

ANPD: the National Data Protection Authority regulates the processing of personal data by all organizations in Brazil

Insured: we use this term to designate both the natural person taking out the insurance and the natural person who benefits from insurance coverage in relation to one of our policies (for example, when an employee benefits from the coverage contracted by his employer). 

Adjuster experts: independent claims experts investigating on behalf of Chubb complex claims or that are in litigation. 

Other insurers/reinsurers: some policies are insured on a joint or "coinsurance" basis. This means that a group of insurers (including Chubb) will take out a policy together. Policies can also be reinsured, which means that the insurer will buy your own insurance from a reinsurer, to cover part of the risk that you accepted when you underwrote your policy. Chubb buys reinsurance and also acts as a reinsurer for other insurance companies.  

 

Profiling: it means using automated processes without human intervention (such as computer programs) to analyze your personal data, in order to assess your behavior or predict aspects about you that are relevant in an insurance context, such as your probable risk profile.

Sensitive personal data: it means personal data related to your racial or ethnic origin, religious belief, political opinion, union membership or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data. At Chubb (other than in the context of its employees, which is outside the scope of this Policy), we only regularly handle sensitive personal data relating to health. 

Service providers:  these are several third parties, to whom we subcontract certain functions of our activity. For example, we have service providers that help us manage the creation of a new policy register. Some of these providers use cloud-based applications or computer systems, which means that your personal data is hosted on their servers, but under our control and subject to our instructions. We require that all of our service providers respect the confidentiality and security of personal data. 

Lawyers: we often turn to lawyers to advise us on complex or litigious claims or to provide us with non-claim legal advice. In addition, if you are a claimant, you can be represented by your own lawyer(s).

Telemetric data:  they allow more personalized renewal proposals through data that is automatically provided to us by a device that monitors their behavior. An example of this data is data collected through a device installed in a vehicle and which reflects the driver's behavior.

External claims managers: these are companies outside the Chubb Group that manage the risk assessment of policies, the handling of claims or both, on our own. We require all external claims managers to ensure that your personal data is treated lawfully and in accordance with this Policy and its instructions.     

We may use your personal data to send you direct marketing communications (direct marketing) about our insurance products or related services. It can be in the form of emails, postal correspondence, SMSs, phone calls or targeted online advertisements.

In most cases, the processing of your personal data by Chubb for marketing purposes is based on our legitimate interests, although in some cases (for example, when required by law), it may be based on your consent. You have the right to prevent direct marketing in any form and at any time - this right can be exercised by following the cancellation link contained in electronic communications or by contacting us using the data indicated in Item 12.

We take steps to limit direct marketing to a reasonable and balanced level and send you communications that we believe are of interest or relevance to you, based on the information we have about you.

Chubb may have to share your personal data with members of the Chubb Group, who may be located outside of Brazil. We may also allow our service providers or assistance service providers, who may be located outside Brazil, to access your personal data. We may also disclose your personal data abroad, for example if we receive an official request from a foreign authority.

Chubb will always take steps to ensure that international transfers of information are carefully managed to protect the rights and interests of the data subject:

  • we will only transfer your personal data to countries recognized as offering an adequate level of legal protection or when we are convinced that alternative mechanisms exist to protect your rights to the protection of privacy or with your specific consent;
  • transfers within the Chubb Group are provided for in an intra-group agreement, which provides for specific contractual protection mechanisms, designed to ensure that your personal data receive an adequate and uniform level of protection whenever they are transferred within the Chubb Group, as well as in the adoption of contractual clauses (specific or standard), global corporate norms or stamps, certificates and codes of conduct regularly issued;
  • transfers to service providers and other third parties will always be protected by contractual commitments such as contractual clauses (specific or standard);
  • for the purpose of complying with legal or regulatory obligations, when necessary for the execution of contracts or preliminary procedures or for the regular exercise of rights in judicial, administrative or arbitration proceedings. Requests for information that we receive from law enforcement authorities or regulators will always be carefully checked before the disclosure of personal data.

In the absence of regulation by the National Authority, Chubb will adopt the European legislation clause models conservatively and for the purpose of protecting data subjects. The data subject has the right to ask Chubb for more information on the safeguards it has put in place as mentioned above. If you would like more information, please contact us as indicated in Item [12].

"Automated decisions" means decisions made solely on the basis of the automated processing of your personal data. This means a treatment that uses, for example, computer code or an algorithm that does not require human intervention.  

Since profiling uses automated processing, it is sometimes related to automated decisions. Not all profile definitions lead to automated decisions, although some can. 

If you are an insured, we can use automated decisions or manual surveys to check your credit in the market. In a context of risk assessment, profiling is regularly performed in relation to your personal risk information (as defined in Appendix 1) to assess your individual risk (or the impact it may have on the cumulative risk of a group of policyholders ), with a view to calculating insurance premiums or making a decision on whether to accept or renew coverage. We can also apply automated decisions to telemetric data to make decisions about renewal proposals.

If you are a claimant, we can use profiling or other forms of automated treatment to assess the likelihood of a claim being fraudulent or suspect in some way.  

When sensitive personal data is relevant for profiling, such as the medical history for life insurance, your sensitive personal data can also be used in the models.

The data subject has certain rights with respect to automated decisions, when the decision affects his interests. For more information about your rights, see Items 10 and 11.

We will retain your personal data as long as they are reasonably necessary for the purposes indicated in Item 4 of this Policy. In some cases, we may retain your personal data for longer periods, for example when we are required to do so in accordance with legal, regulatory, tax or accounting obligations.

In certain cases, we may also retain your personal data for longer periods of time to keep an accurate record of our interactions in the event of a complaint or claim or if we are convinced that there is a possibility of potential litigation regarding your personal data or ours interactions.

Chubb has a document conservation policy that applies to the management of all documents, including records, which are under your responsibility and care. When the personal data of the data subject is no longer needed, Chubb guarantees that it is erased or kept safe so that it is no longer used for business purposes.

The Data subject has several rights in relation to his/her personal data.

You can request confirmation, access to your data, correction of errors, incomplete or outdated data in our files, anonymization, blocking or deleting unnecessary, excessive or treated data in non-compliance with the provisions of this Law, the elimination of data or revocation based on consent or the consequences if you do not provide consent, opposition to the processing of your data in case of non-compliance with the provisions of applicable law (provided that the collection takes place by other legal bases than consent), information from public and private entities with which Chubb has shared data use, data portability and the review of decisions made based on automated processing or the basis for international transfers. You can also exercise a right to petition in relation to your national authority or consumer protection bodies. For more information on each of these rights, click on the relevant link or consult the table below.

To exercise your rights, you can contact us as indicated in Item 12. If you wish to exercise these rights, you must take into account the following:

Identity. Chubb takes the confidentiality of all records very seriously and reserves the right to request proof of identity from anyone submitting a request regarding those records.

Values. Chubb will not charge you for the exercise of your rights in relation to your personal data, unless your request is unfounded or excessive, in which case you may be charged a reasonable amount, taking into account the circumstances and provided that it is authorized by applicable law and/or the national authority. The amount, if applied, will be communicated to you before Chubb fulfills your order.

Deadlines. Chubb's goal is to respond to requests considered valid within the appropriate timeframe and immediately. In the event that it is impossible to adopt the requested measures immediately, Chubb must communicate that it is not a data processing agent and indicate, whenever possible, the responsible agent, or else indicate the factual or legal reasons that prevent the immediate adoption of the data providence. In this same sense, in the case of exercising the right of confirmation or access, Chubb must provide the answer in a simplified format, immediately, or by means of a clear and complete declaration, indicating the source of the data, the lack of registration, the criteria used and the purpose of the treatment, observing the business and industrial secrets, provided within up to 15 (fifteen) days, counted from the date of the subject's request. In no case, data belonging to third parties will be disclosed, even if they may be linked by the requesting party.

Chubb may request information about the exact type of information that the data subject wants to access or information about what his concerns are. This information will help Chubb to fulfill your request in an appropriate and faster way. 

Third party rights. Chubb is under no obligation to respond to requests that may adversely affect the rights and freedoms of other data subjects.  

Right

What does it mean

ou Access

The data subject an request the following:

• confirm that we are processing your personal data;

• provide a copy of that data;

• provide other information about your personal data, such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, for how long we retain them, what rights do you have, how can you file complaints, where did we obtain your data and whether we resort to automated decisions or; profiling, to the extent that this information has not yet been given in this Policy.

Correction

The data subject may request the correction of incomplete, inaccurate or outdated data. 

Chubb can take steps to verify the accuracy of the data before correction.

The data subject can request the deletion, blocking or anonymization of his personal data, but only when:

 they are no longer needed for the purposes that motivated their collection or treatment; or

 are excessive for the treatment in question; or

 have been treated in breach of the law; or

Chubb may not comply with your request if the processing of your personal data is necessary: 

 the fulfillment of a legal obligation; 

 for the purpose of declaring, exercising or defending a right in a judicial proceeding; or

 compliance with a data retention period imposed by law.

There are other cases where Chubb may not comply with your request to block, delete or anonymize, although the three cases described above correspond to the most likely grounds for responding negatively to a request for deletion.

The data subject can request data deletion or revocation based on consent or receives information on the consequences if the data subject does not provide consent.

Chubb may not comply with your request if the processing of your personal data is necessary: 

• compliance with a legal obligation; 

 for the purpose of declaring, exercising or defending a right in a judicial proceeding; or

 compliance with a data retention period imposed by law.

There are other cases in which Chubb may not comply with its request to block, eliminate or anonymize, although the three cases described above correspond to the most likely grounds for responding negatively to a request elimination or revocation.

Portability

The data subject may request that they be transferred directly to another data controller, but it will be necessary to:

• observe the ANPD and SUSEP regulations on the subject; and

• observe the ANPD and SUSEP regulations on the subject; and 

The data portability right covers only the data provided by you and does not include data that has already been anonymized by Chubb. 

Opposition

The data subject may object to the processing of his personal data using treatment carried out based on one of the hypotheses of waiver of consent, in case of non-compliance with the provisions of the applicable law. 

After opposing it, we can demonstrate that there was no breach of the provisions of applicable law.

Automated decisions

The data subject may request a review of decisions taken solely on the basis of automated processing of personal data that affect his interests, including decisions designed to define his personal, professional, consumer and credit profile or aspects of his personality (see Item 9), observing the business and industrial secrets. 

Sharing Information The data subject may request information from public and private entities with which we use data in a shared manner.

International transfers

The data subject may request a copy or an indication of the safeguards under which their personal data are transferred outside of Brazil. 

Chubb may edit data transfer contracts or related documents (that is, hide certain information contained in those documents) based on commercial and industrial secrecy. 

The data subject has the right to petition complaints to his national authority regarding the handling of his personal data by Chubb. In Brazil, the control authority for data protection is the ANPD (National Data Protection Agency).

Chubb may ask the data subject to try to resolve any problems directly with Chubb first, although it has the right to contact the supervisory authority at any time.  

The main point of contact for handling all issues arising from this Policy, including requests to exercise data subjects' rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following ways:

encarregadoprotecaodedados.Brasil@Chubb.com

Data Protection OfficerAv. Leandro N Alem 855 piso 19, CP 1001, Buenos Aires, Argentina

Chubb is grateful to be contacted immediately if a data subject has a complaint or question regarding the way we use and treat your personal data. Chubb will make every effort to resolve the situation as soon as possible. The data subject also has the right to file a complaint at any time with his national data protection authority.