Click here for the German version.
Protecting your privacy is very important to us.
We are committed to:
- protecting personal data that we receive when we provide our services to clients,
- maintaining transparent practices and explaining how we collect, process, and share that data.
General Privacy Notice
Who are "We"?
We are Swiss Re. Swiss Re is a leading wholesale provider of reinsurance, insurance and other insurance-based forms of risk transfer. We operate in over 80 offices located in more than 30 countries. As a global reinsurance and insurance provider, we receive and process the personal data of individuals. We have instituted a comprehensive, global data protection compliance framework in order to fulfill our responsibilities to protect personal data and to respect privacy rights in compliance with data protection and privacy laws and regulations around the world, including but not limited to the Swiss Data Protection Act, the European Union’s General Data Protection Regulation (GDPR), UK Data Protection Act, California Consumer Privacy Act (CCPA), Canada’s Digital Charter Implementation Act (DCIA), Singapore Personal Data Protection Act (PDPA) or China Personal Information Protection Law (PIPL).
This privacy notice explains how and why Swiss Re, its subsidiaries and affiliates collect and use personal data when we provide our services as a reinsurance and insurance business and other insurance-based forms of risk transfer. Swiss Re group is structured in different legal entities, in case of any specific question please contact us.
This privacy notice is addressed to:
- the individual whose personal data is being processed by us (e.g. the insured/policy holder, beneficiary, claimant or other person involved in a claim or relevant to a policy).
- the individual acting as or working for a Swiss Re business partner
Swiss Re keeps this notice under regular review to make sure it is up to date and accurate. The most recent version will govern our use of your information and will always be available on the Swiss Re sites. By continuing to access or use this Swiss Re site after any changes become effective, you agree to accept the revised privacy notice. Please visit this privacy notice on a regular basis to ensure that you have read the latest version; it was updated the last time on the date indicated below.
What kind of personal data we process?
The precise nature of the personal data we process depends on your relationship with Swiss Re. However, in most cases, we may process a combination of the following:
- Information about you – for example name, age, gender, date of birth, nationality, marital status, social security number, passport number or tax number. Even though in some instances we do not receive your name, we need enough information to help us identify you and your policy so that we can provide services to our clients.
- Contact information – in some cases, for example, we may receive your email, address, or phone number.
- Payment information – we may process information related to payments you make or receive in the context of an insurance policy or claim.
- Contractual information – for example details about the policies you hold and with whom you hold them.
- Health information – for example smoker status, weight, sports and leisure activities, family health or morbidity history, or medical related issues relevant to a policy you hold or a claim you have made.
- Financial information – for example bank account or payment card details, income, investment/savings or other financial information including household income, home valuation and household demographics.
- Risk, fraud and credit related data – for example credit history, sanctions and criminal offences, and information received from various anti-fraud databases.
- Employment history – for example information on previous or current employer, job role, salary, employment benefit options, educational background or professional licenses and qualifications.
Why do we process this data?
We use your personal data primarily only to the extent that it is necessary for the purposes of conducting our business, and only for the purpose for which it was originally collected and any other permissible, related purpose. We may use your personal data for a number of reasons:
- Providing our services and fulfilling our contractual obligations to clients and other third parties
- Underwriting our business with clients
- Conducting data analysis, which helps us assess risks, price our products appropriately and improve our services
- Reviewing, managing and processing claims
- Assessing, improving and developing our services
- Enhancing our knowledge of risk and insurance markets in general
- Marketing purposes (e.g. newsletters, surveys, client events, etc.)
- Fulfilling legal or regulatory obligations and protecting ourselves and our clients against fraud, money laundering, terrorism and other crimes.
Is there further processing of this data?
Swiss Re adheres to the principle of purpose limitation and only processes data for purposes related to those specified when personal data were collected. Processing for secondary purposes only takes place where we have a legal basis such as the consent of the data subject. To assess our adherence to this principle, Swiss Re considers the relationship between the purposes for which the data have been collected and the purposes of further processing, the context in which the data have been collected, the reasonable expectations of the data subjects, the nature of the data and the impact of the further processing on the data subjects.
Where do we get personal data from?
In most cases, we receive personal data from third parties such as our corporate clients; that can be your insurer, agent or broker or other insurance market participants. On occasion, such as when you register for an event or receive information directly from us, we may receive personal data directly from you. We may receive your data also from other parties to a claim (claimant / defendant), witnesses, experts (including medical experts), loss adjustors, solicitors, and claims handlers, health care service providers or anti-fraud databases, sanctions lists, court judgements and other authorised official public databases as for example commercial registers, regulator's databases, beneficial owner registers, KYC service providers.
Who do we share personal data with, or do we sell personal data?
Our employees have access to and process personal data based upon the "need to know" principle. In other words they have access to personal data where this is necessary in order to do their job. We regularly check who has access to our systems and data.
We may also share your personal data with the following categories of third parties:
- Our service providers and agents e.g. IT companies who support our technology. As for example, we process personal data (i.e. within our email system or other applications) with Microsoft`s Azure and Office 365. This externally hosted environment was found to be consistent with our privacy and security programmes and is regularly assessed so it continuously meets our standards.
- Our professional advisers, auditors, reinsurers, medical agencies and legal advisers, law enforcement agencies, regulators, government authorities.
- The client who provided us with your data.
- Contractors, brokers, external managers, other insurance market participants or financial institutions.
We might transfer your personal data to certain countries outside the EEA which have been approved by the European Commission as providing essentially equivalent protections as EEA data protection laws. In such cases, EU data protection laws allow Swiss Re to freely transfer your personal data to such countries.
When we transfer your personal data to other countries outside the EEA (except in case where we send your personal data back to the third party who first shared it with us as part of the same contractual relationship), we establish legal grounds for such a transfer, mainly in the form of standard contractual clauses or other legal grounds permitted by applicable legal requirements. These countries include for example, United States of America, China, South Korea.
To regulate intra group personal data transfers, Swiss Re has executed service level agreements. For more information on the appropriate safeguards in place, please contact us.
We do not sell personal data.
How long do we keep personal data?
We keep your personal information in compliance with applicable legal retention periods, in accordance with the purpose and the legal ground it was collected, and to comply with our legal and regulatory requirements. This may include keeping your information for a reasonable period of time after your relationship with us or our client has ended. We securely destroy personal data when they are no longer needed for the relevant purposes and its retention period has expired. In some circumstances we retain aggregated or anonymised data which can no longer be associated with you and is therefore not considered personal data. If you need more information about the retention or deletion of your personal data, please see also the section on your privacy rights below and contact us using the details provided at the end of this document.
What about information security?
We take particular care when working with third parties. We only share personal data with affiliates, business partners, third party service providers or vendors when we have a legitimate business purpose for doing so and when permissible by law. We require third parties to maintain similar standards to ours for the protection of personal data, as verified by our due diligence process.
Further information can be found here: Information Security at Swiss Re.
How do we manage incident response?
In the event of security or privacy incidents that may implicate unauthorised access to personal data, we have in place global and regional incident response procedures, including appropriate reporting channels such as 24/7 contact lines as well as a whistleblowing hotline. Our breach detection and containment procedures consider the potential business, reputational, legal and regulatory impact on our company. They also entail assessing whether the incident is an actual data breach which could have consequences for individuals and determining who needs to be notified, such as regulatory authorities, individual data subjects, or other stakeholders. To this end, we use the most effective communication channels depending on the severity and scale of the breach, including our public website when appropriate. We involve all relevant internal and external stakeholders in our attempt to minimise the harm to Swiss Re and affected individuals. We are constantly monitoring the threat environment and have prepared lines of communication both internally and externally with information-sharing centers, law enforcement and regulators. Our plans aim to mitigate and resolve such incidents in order to minimise harm to the company and to data subjects.
What are our legal grounds for processing personal data?
We only process personal data for legitimate business purposes and when a legal ground as set out in data protection law is applicable. There are a number of legal grounds that may apply of which the table below describes the ones most likely to be relevant to you.
We may process your personal data when we obtain your consent or when our client obtains consent from you. Consent can be withdrawn at any time.
We take steps to ensure our clients only provide us with personal data when they are allowed to do so. Often this means our clients will obtain your consent to disclose personal data to reinsurers.
Performance of a contract
If you have a contract with Swiss Re, the personal data may be processed when it is necessary in order to enter into or perform a contract.
This could include discharging our obligations in relation to a claim you have made.
Compliance with a legal obligation
Your personal information may be processed where we have a legal obligation to perform such processing, such as where we share information with our regulators, law enforcement agencies or the courts.
If we receive an order from the authorities in relation to an investigation, we may be required to disclose personal data as part of that process.
Necessary for an insurance purpose
In some locations, local laws include legal grounds for processing your medical and other sensitive personal data when it is necessary to do so in connection with an insurance product.
In some cases, we receive personal data from our clients who seek opinion on complex claims.
Another legal basis for processing personal data is when we have a legitimate interest in so doing and we can demonstrate that our interests are not outweighed by your rights or interests. Where we rely on legitimate interest as grounds for processing, we make sure we only process the minimum amount of data necessary and for the minimum amount of time necessary to achieve our objectives. We also make sure that our processing is not unnecessarily intrusive.
The table below sets out some examples of when we might rely on our legitimate interests to process personal data.
|Use of personal data||Our legitimate interest|
Our products are developed with our clients' needs in mind.
We process personal data to make sure we provide the service our clients expect and our products are working as we intended.
We also use data to ensure our business is operating effectively - where we can we remove identifying information.
We need to be able to identify whether our products or services are operating effectively.
We need to develop new products and services, and make sure what we offer is fair.
We need to make sure we are treating clients and policy holders fairly.
We process personal data in a range of applications and use a variety of technological means and processes to understand how those applications are working.
We need to make sure that our systems are secure and work properly.
Your privacy rights
We recognise that you may have rights with regard to our processing of your data. While the nature and extent of these rights will differ from location to location, we have processes in place that allow us to respond in a timely manner to any valid request to:
- Access - You may have the right to find out what personal information we hold about you (this includes what category of personal data and/or specific personal data)
- Rectification - If any of your details are incorrect, inaccurate or incomplete you can ask us to correct them or to add information.
- Portability - In some circumstances you can ask us to send an electronic copy of the personal information you have provided to us, either to you or to another organisation.
- Object - You have the right to object to any processing done under legitimate interests. We will then re-assess the balance between our interests and yours, considering your particular circumstances. If we have a compelling reason, we may still continue to use your information.
- Prevent marketing - You have a specific right to object to our use of your information for direct marketing purposes, which we will always act upon.
- Restrict processing - If you are uncertain about the accuracy or our use of your information, you can ask us to stop using your information until your query is resolved. We will inform you of the outcome before we take any further action in relation to this information.
- Erase - You can ask us to delete your personal information if deleting your data is not in conflict with our legal and regulatory obligations. If we are using consent to process your information and you withdraw it, you can ask us to erase your information.
In any case where we use your data to make decisions solely by automated means (including using your data to build a profile about you), we will inform you that we are doing this and make sure that you are able to contest any such decision. Any new profiling activity or automated decision-making activity we carry out is subject to a robust assessment aimed at mitigating any risks to you. This assessment is carried out before the processing commences.
The easiest way to exercise your rights is to contact the data protection team using the contact details below. We will respond promptly and we do not normally charge for providing a response. Please note that, before we can process your request, we may need to verify your identity by asking you to provide a copy of an official identification document and/or a copy of an evidence of your residency address or similar.
If you are unhappy with how we process your personal data, you may have the right to complain to a data protection regulator or supervisory authority. We encourage you to contact us first so we can address your concerns.
Swiss Re Data Ethics
The digital transformation of the insurance industry is one of the key challenges facing all its players. Digital technology is being implemented across the whole value chain, from distribution through underwriting to claims. This raises crucial questions concerning market dynamics and competitors, customer behaviour, data use, artificial intelligence and more. Swiss Re continues to promote a sound ethical base for processing and does so in part via the Digital Governance Framework we have developed (DGF). The DGF incorporates assessments of the ethical implications of personal data processing as well as compliance risk. It aims to balance the needs for fast business innovation and effective risk management.
If you have questions about this topic, or if you wish to exercise your privacy rights, please contact our Global Data Protection Officer, David Evans, and his team at [email protected].
For US residents you can find the relevant contact telephone number here.
For any data protection enquiries related to Elips Insurance Ltd. please contact [email protected].
You can also ask us to remove you from marketing communications, and we will do so. We will respond to your requests in a timely manner and in compliance with relevant legal or regulatory requirements. We ask that corporate clients contact us through the usual business channels.
Our Policies and Standards
Our commitment to data protection and privacy is stated in the Swiss Re Code of Conduct: "We handle personal data with the greatest care and use it only for legitimate and specified business purposes". Furthermore, our global data protection compliance framework – including policies, standards, information security measures, appointed Data Protection Officers, training and awareness programmes and business-relevant procedures – sets forth the following key principles:
- We respect the privacy rights of Swiss Re's employees, customers, clients, business partners and other individuals whose personal data we have and use.
- We protect personal data by implementing appropriate technical and organisational measures in our data processing operations.
- We obtain personal data fairly and only use it for legitimate business purposes.
- We hold ourselves accountable for demonstrating compliance with applicable legal and regulatory requirements and understanding of our roles and responsibilities.
These principles, stated in our Data Protection Policy, are applicable to all of Swiss Re's entities worldwide and are derived from internationally recognized privacy principles.
In addition, whenever there are local laws or particular business units where the type of data processing calls for more elaborate guidance or heightened scrutiny, we establish governing standards and adopt tailored safeguards appropriate for the situation in question. Finally, we recognise that today's digital reality is one where data circulates globally, and risks may present themselves in unprecedented ways. Consequently, we take care to understand relevant laws and regulations and assess the risks that arise as personal data is processed in our global operations.
Our measures to implement policies and standards
Data protection policies and standards form part of Swiss Re’s governance and are brought to the attention of all staff, contractors, partners and vendors, for whom they are binding. Our compliance training programme ensures that the key data protection concepts are understood and applied, and that all persons are aware of their roles and responsibilities. We design our training programme to be relevant to risks arising out of our role as an insurer. We mandate a global eLearning training for all employees and supplement with bespoke trainings for particular regions, business units, and employee functions. In addition, we run regular data protection and information security awareness campaigns with executive sponsorship. We also share with our employees other knowledge resources on data protection and privacy topics, including guidance on ways that they can better protect and safeguard their own personal privacy.
A team of full-time Data Protection Officers (DPOs) covers all of our business units, group functions and regions. They are leading professionals and leaders in the international profession of data protection and privacy. They speak at global conferences, engage in industry knowledge sharing and collaboration initiatives, and monitor regulatory developments in the areas of data protection and privacy. In addition, our Data Protection Officers regularly engage in an internal global network of subject-matter experts to support compliance needs by business units, group functions, and by region or jurisdiction. We coordinate with our internal operational risk management, audit, and information security colleagues so that we can optimise the implementation of the data protection compliance framework, identify and address gaps, further mitigate risks and monitor compliance.
Supervision and monitoring through line managers and control functions allows detection of non-adherence, and an anonymous whistleblowing hotline is available for any internal or external report which gets independently investigated. Of course, data protection is also subject to scrutiny by independent auditors and regulators.
Online Privacy Notice
This Online Privacy Notice concerns the online collection of personal data on Swiss Re Sites (i.e. all websites, micro-sites, blogging sites and other online client tools and dialogue platforms owned or managed by or on behalf of Swiss Re and accessible via Swiss Re's corporate website). “Personal data” means information relating to an identified or identifiable person.
By accessing the Swiss Re Site you agree this Privacy Notice. If you do not agree to this Statement, do not proceed to further web pages of Swiss Re and do not send us your personal data.
Additional local information
Please note that, in addition to this Online Privacy Notice, Swiss Re sites may include additional information security or data protection requirements specific to the Swiss Re Site's data processing purposes and context or specific to one or several jurisdictions.
Who are "We"?
We are Swiss Re. Swiss Re Ltd (group holding company), Mythenquai 50/60, 8022 Zurich, Switzerland, incorporated under the laws of Switzerland is responsible as data controller for the processing of your personal data on this Swiss Re website.
When we mention "Swiss Re", we are referring to the relevant company in the Swiss Re Group responsible for processing your data which will be clear to you when you use our Sites.
What kind of personal data we process and how do we collect it?
a. Connection data
Our web servers automatically log every visit in a temporary log file. User-specific data (e.g. the IP address of the requesting computer, identification data of the used browser, the operating system of the requesting computer, the volume of data transferred, the name of the Internet service provider, the date and time of access) and technical data (e.g. the name and URL of the referring website if the website was accessed via a link and, additionally, the search term if it was accessed via a search engine) are collected and logged by our servers and / or through cookies. Such data may be analyzed on an anonymous basis. The data is also required to enable the use of our content (connection set-up) and is also used for system-related purposes, including technical administration and system security.
b. Data provided by you
If you register to use certain online services or products which we offer we will ask you to provide us with certain information about yourself, in particular your contact data like name, e-mail address, and company name, by using the various functionalities of Swiss Re Sites and online tools (e.g. login/register, commenting, subscription, download, ordering, event or newsletter registration) or by sending information to a Swiss Re e-mail address given on a Swiss Re Site. You have always the possibility to unsubscribe from the registered newsletters and / or other services.
c. Special categories of personal data
We do not intentionally collect any special categories of personal data (sensitive personal information) via a Swiss Re site. In no event, however, are you requested to provide sensitive personal data about you or other persons, therefore please avoid sending us such types of data.
Why do we process this data?
We will use your connection data:
- To enable you to use our digital presence (establishment of a connection).
- For the internal management of the website (e.g. technical administration and the maintenance of system security).
- To optimize user-friendliness, we collect statistics about user behavior on the Swiss Re Sites. This data is analysed on an anonymous basis.
- To provide the login function, other online services and the contractually-compliant processing of these services.
- To tailor our Swiss Re Sites to specific target groups (with targeted content or information on the website that may be of interest to you).
- To prevent fraud and improve the website's security.
- For statistical purposes and to manage and improve the usability of the Swiss Re Sites by means of particular software or cookies (see About Cookies).
We will use your provided data to:
- Answer any queries you have about Swiss Re Sites and to notify you of any changes to Swiss Re Sites;
- Provide you with information you have requested (subscriptions, event registration confirmation and further details on a registered event, forgotten password); and
- Inform you about Swiss Re, events hosted by Swiss Re and other related events.
We will collect and use the information about your personal newsletter subscriptions and your personal "interaction" data (the articles and topics you are interested in or read) to learn about your preferences and improve the knowledge provided to you via our newsletters and communication. We will not use your personal interaction data for any other purpose except for improving our services.
We will include comments that you provide through commenting functionality on Swiss Re Sites or otherwise in anonymous reports, statistics, surveys and pools which we make available on Swiss Re Sites. However, these types of information will not enable readers to identify individuals or individual businesses. Your comments are made available on Swiss Re Sites in anonymous form, unless you have expressly agreed otherwise using dialogue and sharing functionality.
Who do we share personal data with?
Your data is processed according to applicable data protection and privacy laws. Any data you send over the Internet to the Swiss Re Site swissre.com is processed and stored on servers of Swiss Re or third party service providers some of whom may be based outside of Switzerland.
Accordingly, your personal data will be transferred to and processed in locations outside the country in which you are viewing the Swiss Re Site (the “User Country”). Any data or material sent or uploaded by you will therefore be accessible in countries outside the User Country. If your User Country is within the European Economic Area (“EEA”) or is Switzerland or another country providing an adequate level of data protection, please note that your personal data will also be accessible and processed in countries with a lower level of data protection. In these situations Swiss Re will ensure (by entering into a written agreement or otherwise) that an adequate level of data protection is maintained by the recipients of your data in accordance with applicable data protection law.
How long do we keep personal data?
Swiss Re retains the personal data collected over Swiss Re Sites only for as long as required or permitted by law and regulations.
What are your rights?
What web analytics services do we use?
What about social media platforms?
You may wish to participate in the various blogs, forums, wikis and other social media platforms hosted by Swiss Re (“Social Media Platforms") which we make available to you. The main aim of these Social Media Platforms is to facilitate and allow you to share content. However, we cannot be held responsible if you share personal information on Social Media Platforms that is subsequently used, misused or otherwise appropriated by another user. Please consult the Privacy Statements of such services before using them.
What about third party links?
Updated: January 2022