Data Protection at Chubb
At Chubb Insurance Vietnam Company Limited (“Chubb”, “we”, “us”, “our”), we routinely collect and use personal data about individuals, including the policyholders, insured person, beneficiaries, agencies, business partners or any individuals we collected personal data (collectively referred to “you”). We value your privacy and your personal data security and treating them as our top priority. Hence, we are aware of our responsibilities to handle your personal data with care, to keep it secure and comply with applicable personal data protection laws.
How this Policy Works
The purpose of this Policy is to provide a clear explanation of what, when, why and how we collect and use information relating to you, which enables the identification of you (“Personal Data”) whether directly or indirectly, who we share Personal Data with and retention of the Personal Data to keep it confidential and privileged, what you can do and how you can contact us.
Do read this Policy with care. It provides important information about how we use Personal Data and explains your statutory rights. This Policy is not intended to override the terms of any insurance policy or contract you have with us, nor rights you might have available under applicable data protection laws.
Data Protection Policy
1. Who is responsible for looking after your Personal Data?
Chubb Insurance Vietnam Company Limited will be principally responsible for looking after your Personal Data
Where your Personal Data has been passed to another Data Controller (e.g. a reinsurer, a governmental agency), Chubb will inform you of the Data Controllers with whom we have shared your Personal Data, who you can contact about their use of your personal data, as we do in Section 6 of this Policy.
You should be aware that although we are principally responsible for looking after your personal data, information may be held in databases which can be accessed by other companies in the Chubb Group of insurance companies, and our brands, affiliates, and subsidiaries (“Chubb companies”). When accessing your personal data, Chubb companies will comply with the standards set out in this Policy.
2. What personal data do we collect?
We collect and process Personal Data, including Basic Personal Data and Sensitive Personal Data as defined below.
2.1. Basic Personal Data includes the following:
a) Family name, middle name and first name, other names (if any);
b) Date of birth; date of death or missing;
d) Place of birth, registered place of birth; place of permanent residence; place of temporary residence; current place of residence; hometown; contact address;
e) Personal image;
g) Phone number; ID Card number, personal identification number, passport number, driver’s license number, license plate, personal tax code, social insurance number, health insurance card number;
h) Marital status;
i) Information on family relationship (parents, children);
j) Digital account information; personal data that reflects activities and activity history in cyberspace;
k) Information associated with an individual or used to identify an individual other than Sensitive Personal Data.
2.2 Sensitive Personal Data includes the following:
a) Political and religious opinions;
b) Information on health condition and private life stated in health record, excluding information on blood type;
c) Information about racial or ethnic origin;
d) Information about inherited or acquired genetic characteristics;
e) Information about biometric or biological characteristics;
f) Information about sex life or sexual orientation.
g) Data on crimes and criminal activities collected and stored by law enforcement agencies;
h) Information on customers received from credit institutions, foreign bank branches, payment service providers and other licensed institutions, including: customer identification as prescribed by law, accounts, deposits, deposited assets, transactions, organizations and individuals that are guarantors at credit institutions, bank branches, and payment service providers;
i) Personal location identified via location services;
j) Other specific personal data as prescribed by law that requires special protection.
Prospective Policyholders, Insured persons, Beneficiaries and related parties. In order to underwrite and administer insurance policies, we collect information about the prospective policyholders, insured persons, beneficiaries and related parties. This may include information about previous quotes obtained, background and contact information on the prospective policyholder, insured, beneficiaries and matters in relation to the assessment of risk and management of insurance policies. The level and type of personal data we collect and use varies depending on the type of policy that is applied for or held and may include information on other individuals who need to be considered as part of the policy. In some instances, it is necessary for us to collect and use Sensitive Personal Data, such as information about health condition or medical records. We are required to establish a legal exemption to use your Personal Data - see Section 5 for further details.
If you are an insured person, from time to time, you may need to provide us with the personal data of third parties, for example an injured third party in relation to a claim under a liability policy. Wherever possible, you should take steps to inform the third party that you need to disclose their details to us, identifying Chubb as your insurer and obtain their consent. We will process their personal data in accordance with this Policy.
Claimants. If you are making a claim under a policy, we will collect your basic contact details together with information about the nature of your claim and any previous claims. If you are an insured person we will need to check details of the policy you are insured under and your claims history. Depending on the nature of your claim, it may be necessary for us to collect and use Sensitive Personal Data, such as medical records and details of an insured event in which you may have suffered during an accident or disease.
Business Partners. If you are a business partner, we will collect your business contact details. We may also collect information about your professional expertise and experience.
Website Visitors. We may collect your contact details if you visit our website (including application and social media platforms), register for a newsletter or attend one of our events. If we collect personally identifiable information through our website, we will make it clear when we collect personal information and will explain what we intend to do with it.
In the event that you have provided personal data of other persons to Chubb, such as a prospective insured or beneficiary, you acknowledge and confirm that you have provided such persons with the details pertaining to this Policy, and have obtained consent where applicable or relied on appropriate legal basis to allow us to process personal data in accordance to this Policy.
For more information on what information we collect, please see Appendix 1.
3. When do we collect your personal data?
Prospective Policyholder, Insureds
· We will collect information from you directly when you apply for an insurance policy.
· Information about you may also be provided to us by an insurance agency, insurance broker, your employer, family member or any other third person who may be applying for an insurance policy which names or benefits you.
· We may collect information about you from other sources where we believe this is necessary to manage effective underwriting of the risk associated with a policy and/ or helping fight financial crime, insurance profiteering. These other sources may include public registers and databases managed by credit reference agencies, government agencies, and other reputable organizations.
· We will collect information from you when you notify us of a claim. You might make a claim to us directly or through your representative or through your broker or one of our representatives who manage claims on our behalf.
· We may also collect information about you if the claim is made by another person who has a close relationship with you or is otherwise linked to the claim - for example if the policyholder is your employer, or if you are the subject of a third party claim.
· We may also be provided with information by your lawyers (or acting on behalf of your employer).
· We may collect information from other sources where we believe this is necessary to assist in validating claims and/ or fighting financial crime. This may include consulting public registers, social media and other online sources, credit reference agencies and other reputable organizations.
Business Partners and Visitors
· We will collect information about you if you or your company provides your contact or other information to us in the course of working with us, either directly as a business partner or as a representative of your company.
· We may also collect information about you if you attend meetings, events or conferences that we organize, contact us through our website or sign up to one of our newsletters or bulletin services.
· We may collect information from other public sources (e.g. your employer's website) where we believe this is necessary to help manage our relationships with our business partners.
Applicable to all
· If you telephone Chubb (for example, when notifying a claim or discussing that claim with us) or if Chubb telephones you (for example, to sell an insurance policy), we may record the telephone call. We may also use Interactive Voice Response (“IVR”) technology to automate responses to voice commands, and to analyze call recording data. We use call recordings as an evidence of your agreement to purchase an insurance policy or submit a claim, to help train our staff and to provide an accurate record of the call in case of complaints or queries. We may also analyze call recordings using automated technology in order to detect where there may be customer service failings (and then to resolve these), or to detect potential evidence of fraud.
4. What do we use your personal data for?
We use your personal data for the purposes set out below. Please refer to Appendix 2 for more details, including in relation to the legal basis we rely upon in each case.
Prospective Policyholders and Insureds. If you are a prospective policyholder or insured, we will use your Personal Data to consider an application for an insurance policy, assess and evaluate risk, and subject to applicable terms and conditions, provide you with a policy. If we have provided you with your policy, we will use your personal data to administer your policy, deal with your queries, and manage the renewal process. We will also need to use your personal data for regulatory purposes associated with our legal and regulatory obligations as a provider of insurance.
Claimants. If you are a claimant, we will use your personal data to assess the merits of your claim and potentially to pay out a settlement. We may also need to use your personal data to evaluate the risk of potential fraud. If you are also an insured person, we will use personal data related to your claim to inform the renewal process and potentially future policy applications.
Business Partners and Visitors. If you are a business partner, we will use your personal data to manage our relationship with you, including sending you marketing materials (where we have appropriate permissions) and to invite you to events. Where relevant, we will use your personal data to deliver or
request the delivery of services, and to manage and administer our contract with you or with your employer. If you are a visitor, we will use your personal data; typically, to register for certain areas of our website, enquire for further information, distribute requested reference materials, or invite you to one of our events.
Data analytics. We routinely analyze information in our various systems and databases to help improve the way we run our business, to provide a better service and to enhance the accuracy of our risk and other actuarial models. We take steps to protect privacy by aggregating and where appropriate anonymizing data fields before allowing information to be available for analysis.
5. Protecting your privacy
We will make sure that we only use your personal data for the purposes set out in Section 4 of this Policy where we are satisfied that:
· Our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (e.g. to manage your insurance policy);
· Our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we have (e.g. to comply with requirements of the State Bank of Vietnam);
· Our use of your personal data is necessary to support legitimate interests that we have as a business (for example, to improve our products, or to carry out analytics across our datasets), provided it is conducted at all times in a way that is proportionate, and that respects your privacy rights; or
· You have provided your consent to us using the data in that way.
Before collecting and/ or using any Personal Data we will establish a lawful exemption which will allow us to use that information. If your Personal Data is collected on a form (including on a website) or over the telephone, further information about the exemption may be provided on that form. This exemption will typically be:
· Your explicit consent;
· The establishment, exercise or defense by us or third parties of legal claims; or
· A specific exemption provided by law which is relevant to the insurance industry.
PLEASE NOTE. If you provide your explicit consent to permit us to process your Personal Data, you may withdraw your consent to such processing at any time. However, you should be aware that if you choose to do so we may be unable to continue to provide insurance services to you (and where you withdraw consent to an insurer’s or reinsurer’s use it may not be possible for the insurance cover to continue). This may mean that your policy needs to be cancelled. If you choose to withdraw your consent we will tell you more about the possible consequences, including the effects of cancellation, (which may include that you have difficulties finding cover elsewhere), as well as any fees associated with cancellation (if any). Please see Appendix 2 to find out more about the information we collect and use about you and why we believe it is appropriate to use that information for such activities.
6. Who do we share your personal data with?
We work with many third parties, to help manage our business and deliver services. These third parties may from time to time need to have access to your personal data.
For Prospective Policyholders, Insureds these third parties may include:
· Insurance Agencies, Insurance Brokers, Other Insurers/Reinsurers and Third Party Administrators who work with us to help manage the underwriting process and administer our policies.
· Service Providers.
· Healthcare providers.
· Our regulators, which includes the MOF, MPS, as well as other regulators and law enforcement agencies in Vietnam and around the world.
· Agencies and organizations working to prevent fraud in financial services.
· Lawyers and other professional services firms and partners such as medical professions, accountants, actuaries, auditors, experts, consultants, banks and financial institutions that service our accounts.
· Your employer or company acting on your employer’s behalf to monitor, audit or otherwise administer our services and fulfil contractual obligations in relation to our services (in the case that you are entitled to our services because your employer has signed an agreement with us to provide you with insurance cover and other additional covers and services as it may apply).
We may be under legal or regulatory obligations to share your personal data with courts, regulators, law enforcement or in certain cases other insurers. If we were to reorganize part of our businesses, we would need to transfer your personal data to the purchaser, transferee of such businesses or other third parties in connection with the sale, reorganization, transfer or disposal of our businesses. We may also share your personal data with any other persons acting for or on behalf of or jointly with Chubb in respect of a directly related purpose for which your personal data was required.
Descriptions of certain categories of third parties and defined terms are set out below.
Assistance Providers: these are a special category of service provider which we use to help provide you with emergency or other assistance in connection with certain policies (e.g. certain travel policies).
Insurance Agencies: insurance agencies introduce insurance products, arrange the insurance policies conclusion and assist Chubb in collecting claim requests.
Insurance Brokers: insurance brokers arrange and negotiate insurance coverage of individuals or companies and deal directly with insurers, such as Chubb.
MOF: is the Ministry of Finance, which is an insurance regulatory body. Chubb may disclose personal data to the MOF to support its supervision over, and promotion of, insurance businesses, in accordance with the insurance commission law, the non-life insurance law.
MPS: is the Ministry of Public Security which governs state management over personal data protection.
Department of Cybersecurity and High-tech Crime Prevention: the Department under MPS which regulates the processing of personal data by all organizations and individuals within Vietnam.
Prospective Insured and Life Assured: we use this term to refer to prospective, active or former individual policyholders, as well as any individual who benefits from insurance coverage under one of our policies (for example, where an employee benefits from coverage taken out by their employer).
Loss Adjuster: these are an independent claims specialist which investigates complex or contentious claims on our behalf.
Other Insurers / Reinsurers: some policies are insured on a joint “syndicate” basis. This means that a group of insurers (including us) will join together to write a policy. Policies may also be reinsured, which means that the insurer will purchase its own insurance, from a reinsurer, to cover some of the risk the insurer has underwritten in your policy. Chubb purchases reinsurance, and also acts as a reinsurer to other insurance firms.
Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who help us manage our IT and back office systems. Some of these providers use “cloud based” IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data. We also use other services from service providers, such as website hosting, data analysis, payment processing, document and records management, order fulfilment, credit reference, delivery services, and similar third-party vendors and outsourced service providers that assist us in carrying out business activities.
Lawyers: we frequently use lawyers to advise on complex or contentious claims or to provide us with non-claims related legal advice.
Third Party Administrators (or TPAs): these are companies outside the Chubb group which administer the underwriting of policies, or the handling of claims, or both, on our behalf. We require all TPAs to ensure that your personal data is handled lawfully, and in accordance with this Policy and our instructions.
7. Direct Marketing
We may use your personal data to send you direct marketing communications about our insurance products or our related services. This may be in the form of email, post, SMS, telephone or targeted online advertisements.
In most cases our processing of your personal data for marketing purposes is based on our legitimate interests to provide information you might find helpful to manage your insured risks, insurance renewals and other products, services and offers that may be of interest to you, although in some cases (such as where required by law) it may be based on your consent. You have a right to prevent direct marketing of any form at any time – this can be exercised by following the opt-out links in electronic communications or by contacting us using the details set out in Section 14.
We take steps to limit direct marketing to a reasonable and proportionate level and to send you communications which we believe may be of interest or relevance to you, based on the information we have about you and within the scope consent you have provided.
8. Cross-border transfers
From time to time, we may need to share your personal data with member companies of the Chubb group who may be based outside Vietnam. We may also allow our Reinsurers, Third Parties or Service Providers, who may be located outside Vietnam, access to your personal data. We may also make other disclosures of your personal data overseas, for example, if we receive a legal or regulatory request from a foreign law enforcement body.
We will always take steps to ensure that any cross-border transfer of information is carefully managed to protect your rights and interests:
· We will only transfer your personal data to countries which are recognized as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights,
· Transfers within the Chubb group of companies will be covered by standards of protection designed to ensure that your personal data receives an adequate and consistent level of protection wherever it is transferred within the Chubb group,
· Transfers to reinsurers, Service Providers and other third parties will be protected by contractual commitments and where appropriate further assurances, such as certification schemes,
Any requests for information we receive from law enforcement or regulators will be carefully checked before personal data is disclosed.
9. How long do we keep your personal data?
We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy. In some circumstances, we may retain your personal data for longer periods of time, for instance where we are required or permitted to do so in accordance with legal, regulator, tax or accounting requirements.
For example, if you are the holder of an insurance policy, your personal data will typically be retained for 10 years after the cancellation or termination of the policy, unless an exception applies.
In specific circumstances, we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.
Where your personal data is no longer required, we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.
10. Importance Notice
If you: (i) do not or decline to provide certain personal data we inform you as necessary to provide for compliance with a law or contract, or where is it necessary to provide the personal data for the purpose of entering into contract; or (ii) do not or decline to consent us to collect, use or disclose certain personal data; or (iii) exercise your rights to withdraw your consent for our collection, use, disclose, transfer or process certain personal data which is necessary for us to make a relationship with you or provide our services and/or products to you, we may not be able to provide you with our products or services you request, enter into a contract with you or perform our obligations resulting from a contract entered with you nor may not be able to stay in contact with you.
In such circumstance, you will be informed about the consequences of your refusal to provide us personal data or grant us consent, or your withdrawal of consent, as the case may be.
We seek to use reasonable organizational, technical, and administrative including security measures to protect personal data from unauthorized or accidental access, processing, erasure, loss or use within our organization, which are consistent with the Law on Cybersecurity with implementing regulations and other applicable data protection legislations. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with Section 14 below.
12. What are your rights
You have a number of rights in relation to your personal data.
You may be informed, consent or not consent data process, access to your data, withdraw your consent, delete your data, restriction of data process, request provision of data, objection to data process, complain, denounce and/or initiate lawsuits, claim damages, self-defense in relation to process of your Personal Data. You may also exercise a right to notify the Ministry of Public Security of violations in relation to your Personal Data protection. More information about each of these rights can be found by referring to the table set out further below.
To exercise your rights, you may contact us as set out in Section 14. Please note the following if you do wish to exercise these rights:
What this means
Right to be informed
We shall inform you before we process your Personal Data, unless otherwise provided by law.
Right to consent
You can consent or not consent our process of your Personal Data. However, we may process your Personal Data under circumstances required by law:
· In case of emergency when the Personal Data needs to be processed immediately to protect the life and health of yours or others;
· The disclosure of Personal Data is required by law;
· Your Personal Data is processed by a state competent authority in relation to national defense, natural disaster, spread disease, terrorism and other circumstances required by law;
· For the performance of your contractual obligations with Chubb and relevant agencies, organizations and/or individuals in accordance with law;
· For the operations of state agencies as prescribed by specialized laws.
Right to access
You can either access to see and rectify inaccurate Personal Data by yourself or ask us to rectify inaccurate Personal Data. We may seek to verify the accuracy of the data before rectifying it.
Right to consent withdrawal
You can withdraw your consent at any time. The withdrawal of your consent shall not affect the lawfulness of processing based on consent before your withdrawal.
If you choose to withdraw your consent, that may affect our ability to provide you with services and have other consequences, about which we will tell you more if you so choose.
We value your right to consent withdraw. However, we may not solve your request where it is not permitted by law.
Right to data deletion
You can either delete your Personal Data by yourself or ask us to delete your Personal Data. We value your right to consent withdraw. However, we may not solve your request where it is not permitted by law.
Right to restrict data process
You can ask us to restrict the processing of your Personal Data, but only where:
· Its accuracy is contested, to allow us to verify its accuracy; or
· The processing is unlawful, but you do not want it erased; or
· It is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
· You have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal data following a request for restriction, where:
· We have your consent; or
· To establish, exercise or defend legal claims; or
· Where permitted by law.
Right to provision of data
You can ask us to:
· confirm whether we are processing your personal data; and
· give you a copy of that data.
We may not have to comply with a request where it is permitted by law or when the provision may harm the safety, physical or mental health of others.
Right to data deletion
You can ask us to delete your personal data, but only where:
· it is no longer needed for the purposes for which it was collected; or
· you have withdrawn your consent (where the data processing was based on consent); or
· following a successful right to object (see 'Objection' below); or
· it has been processed unlawfully; or
· other cases as prescribed by law
We are not required to comply with your request to erase your personal data in cases where:
· the deletion of Personal Data is prohibited by law; or
· the processing of your Personal Data is for compliance with a legal obligation or serving the request from an authorized government authority; or
· your Personal Data has been disclosed as prescribed by law; or
· a state of emergency on national defense, security, social order and safety, major disasters, or dangerous epidemics occurs; there is a risk of threatening security and national defense but not to the extent of declaring a state of emergency; prevention and combat against riots and terrorism, crimes and law violations according to regulations of law are required by law; or
· it is required to respond to emergent cases that threaten your or other person’s life, health and safety.
Right to object to data process
You can object to any processing of your personal data which has our legitimate interests as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests.
Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
You can object to any processing of your personal data for the purpose of direct marketing including sending marketing communications.
Right to complain, denounce and/or initiate lawsuits
You may complain, denounce or initiate lawsuits in accordance with law.
Right to claim damages
You may claim damages in case of any violation of your Personal Data in accordance with law.
Right to self-defense
You may self-defense in law or may request state competent agencies or organizations to implement the measures for protection of your civil rights in accordance with law.
Department of Cybersecurity and Hi-tech Crime Prevention
You have a right to lodge a complaint with the Department of Cybersecurity and Hi-tech Crime Prevention about our processing of your personal data.
We ask that you please attempt to resolve any issues with us first although you have a right to contact the Department of Cybersecurity and Hi-tech Crime Prevention at any time.
We take the confidentiality of all records containing personal data seriously and reserve the right to ask you for proof of your identity if you make a request in respect of such records.
We aim to respond to any valid requests within 72 (seventy-two) hours unless it is particularly complicated or you have made several requests. We might ask you if you can tell us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
13. Changes to the Policy
We may modify or update this Policy at any time in order to address future developments of Chubb, or changes in industry or legal trends.
We will post the change on the home page of the website or app. You can determine when the Policy was revised by referring to the “Updated” legend on the below of this Policy. Where changes to the Policy will have a fundamental impact on the nature of our collection, use or disclosure of your Personal Data, or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you can exercise your rights in accordance with Section 14 of this Policy in relation to your personal data.
We ensure the latest Policy shall be always on this website. Hence, we recommend you should periodically access our website for your latest acknowledgement.
14.Contact and complaints
The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer.
The Data Protection Officer can be contacted in the following ways:
Data Protection Officer,
Chubb Insurance Vietnam Company Limited, 9 Dinh Tien Hoang, District 1, Ho Chi Minh City, Vietnam.
Phone number: +84 28 3910 7227
If you have a complaint or concern about how we use your Personal Data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with the Ministry of Public Security at any time.