Personal Data Protection Policy

Zurich Insurance Company Ltd . (Singapore Branch) (“Zurich Insurance” / “we” / “us” / “our”) take our responsibilities under Singapore’s Personal Data Protection Act 2012 (“PDPA”) seriously. This Personal Data Protection Policy (“Policy”) outlines as well as assists you in understanding how we collect, use, and process your personal data, and in what circumstances we may disclose your personal data. It also assists you in making an informed decision before providing us with any of your personal data.

This version of Policy is effective from 03 August 2023 and shall form an integral part of your contractual relationship with us. If you have provided your consent to us to collect, use, process and disclose your personal data (as defined in the PDPA) before, on and/or after 2 July 2014 (“Personal Data Agreement”), this Policy shall supplement but shall not replace or supersede the Personal Data Agreement. In the event of any inconsistencies between the Personal Data Agreement and this Policy, this Policy shall prevail.

Introduction to the PDPA

“Personal Data” is defined under the PDPA as data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which we have or are likely to have access. Personal data includes names, identification numbers, contact information, medical records, photographs and video images.

We will collect, use and disclose your personal data in accordance with the PDPA and any other legislation applicable to the collection, use, processing and storage of your personal data.

In Singapore, there is a national Do Not Call Registry (“DNC Registry”). The DNC Registry allows you to opt out of receiving marketing phone calls, mobile text messages such as SMS and MMS, and faxes, by registering your Singapore telephone number on the DNC Registry.

For more information about the PDPA and DNC Registry, please visit the PDPC website. The PDPC website also has FAQs for individuals here.

COLLECTION USE AND DISCLOSURE OF PERSONAL DATA

What Personal Data may we collect

The personal data we collect will depend upon why we need collect it, and your relationship with us. Examples of personal data we may collect are highlighted below. Please note that this list is not exhaustive.

  • Name, address and telephone number.
  • NRIC number, passport number, identification number given to you by your country of birth and work permit number.
  • Date of birth, gender, nationality, age, occupation and country of residence.
  • Medical records and information in relation to your health or any medical conditions you may have.
  • Source of wealth where required.

Zurich protects each individual’s privacy by:

  • Collecting information fairly and only collecting information that we need to provide insurance services
  • Explaining why we are collecting personal information and how we will be using it
  • Using personal information only for our business operations and to comply with the law
  • Ensuring the personal information we collect and hold is accurate
  • Holding personal information only for so long as necessary and keeping it secure
  • Sharing personal information only with companies and organisations that will keep it secure
  • Not sending personal information abroad without ensuring its security
  • Ensuring that all individual rights can be exercised under the data protection legislation
  • Ensuring that we comply with the Zurich Data Commitment Pledge

The Purpose of collecting your Personal Data

We may collect, use, process and disclose your personal data which is reasonably appropriate for the following purposes:

  • Process your application for insurance, including the carrying out of any necessary due diligence and determining whether to provide you with insurance.
  • Handle, process and investigate any claims you may submit under a policy of insurance held with us or held with another insurer where we act as a reinsurer or are a participating insurer under a policy issued by another insurer.
  • Investigate potential fraud in relation to an application for insurance, or claim you make or is made on your behalf.
  • Comply with all applicable laws in relation to the management of your relationship with us.
  • Comply with an order of the court or direction of a regulatory or industry authority – including, but not limited to the reporting, compliance and auditing obligations set by regulatory and industry associations, including but not limited to the Monetary Authority of Singapore (MAS).
  • Provide you with information in relation to products and services.
  • Arrange reinsurance.
  • Responding to enquiries raised by you and administering, servicing, maintaining and/or managing your relationship with us, including the mailing of correspondence, statements, invoices, reports and notices to you and communicating with you via voice call, text message, fax and email.
  • Managing any actions or proceedings, protecting or enforcing our contractual and legal rights and remedies arising out of the policy(ies) issued by us, or under a policy which we reinsure or are a participating insurer (including but not limited to obtaining legal advice and facilitating dispute resolution.
  • Conducting compliance monitoring and audit reviews by us and our related corporations, or service providers, including but not limited to external auditors, banks and reinsurers.
  • Carrying out on-going due diligence or screening activities - including background due diligence for the purposes of anti-money laundering and “know-your-client” checks. Undertaking investigations in relation to your creditworthiness, financial and medical conditions and to review whether to continue insuring you.
  • Performing transactions under your policy(ies) held with us, including making and obtaining payments.
  • The storage, hosting, or backing up (whether for disaster recovery or otherwise) of your personal data, whether within or outside Singapore.
  • Transferring, acquisition or sales, merger, joint venture, reorganisation or an assignment involving us, our related corporations and/or related third parties;
  • Conducting market research, survey, statistical and profiling analysis.
  • Employee training and quality assurance programs.
  • Any other purposes relating to any of the above, (collectively, the “Purposes”)

Disclosure

To facilitate our business operations and carry out one or more of the Purposes detailed at “The purpose of collecting your Personal Data” above, we may disclose your personal data to third parties whether located in or outside Singapore. These include:

  • Our associated and related corporations (collectively, “Group Companies”);
  • Financial advisers, brokers, agents or distribution intermediaries;
  • Contractors or service providers who supply services to us, such as information technology, telecommunication, actuarial, data entry, data storage, data recovery, mail distribution, claim assessment, adjudication and administration, payment, cheque printing, marketing, emergency assistance services, auditors, lawyers, medical and professional services; credit reference agencies, debt collection agencies, reinsurers, other insurers and financial institutions.
  • Governmental / regulatory authorities, courts, dispute resolution forums (which have jurisdiction over us or our Group Companies) or legal process participants and their advisor.

Consent

If you submit your personal data to us, or such information is submitted to us through another source (including another insurer, broker, insurance agent, medical or financial institution), whether in writing or orally us , you agree and consent that we may:

  • Collect, use and process your personal data provided to us, or which is publicly available, for the Purposes detailed at “The purpose of collecting your Personal Data” above.
  • Disclose your personal data to the third parties (whether located in or outside Singapore), in order to carry out one or more of the Purposes detailed at “The purpose of collecting your Personal Data” above.

If you provide to us the personal data of a third party, you represent and warrant to us that the prior consent of that third party has been obtained for the collection, disclosure, use and processing of their personal data in the manner as set out above. 

Marketing Materials

If you consent to us collecting, using, processing and disclosing your personal data for the purpose of marketing, advertising and providing promotional information or material about insurance products, financial or investment products or services that we consider may be of interest or benefit to you (“Marketing Materials”), you may, where available, indicate as such when you make an application to us. If you wish to withdraw your consent for marketing purpose, please Contact Us  to do so.

REQUEST FOR ACCESS AND CORRECTION OF PERSONAL DATA

You may seek access to and request that we correct your personal data held in our possession or control, by submitting a written request to our Data Protection Officer, whose contact details are available at Contact Us page.  When you submit your request, you will need to provide to us your identity and address information - for example a copy of your NRIC and utility bill showing your address in order for us to ascertain your identity. You must also set out in detail, the nature of your request.

We will endeavor to provide you with the relevant information within 30 days from the date of receiving your request. If we are unable to respond to your request, we will notify you before the expiry of the said 30 days, of the earliest time when we can provide you with the requested information.

We may charge you a reasonable fee to process your request. Depending on the nature and complexity of your request, we will set out the details of the fee payable, prior to providing you with the requested information. We will not respond to your request unless you have agreed to pay the reasonable fee.

We will correct your personal data within 30 days from the date of receiving a valid correction request. If we are unable to correct our records within 30 days, we will notify you before the expiry of the said 30 days, as to the earliest time when we are able to make the correction.

Please note that the PDPA exempts certain types of personal data from being subject to your correction request.  It also specifies the situations where a correction may not be made by us despite your request.

Where your personal data has been corrected, we will send your corrected personal data to every organisation to which the personal data was disclosed by us in the calendar year prior to the date the correction was made, unless that other organisation no longer requires your corrected personal data for any legal or business purpose.

REQUEST TO WITHDRAW CONSENT

You may withdraw your consent for the collection, use and/or disclosure of your personal data in our possession or under our control by contacting us. When you submit your request, you will need to provide to us your identity and address information - for example a copy of your NRIC and utility bill showing your address in order for us to ascertain your identity.

A withdrawal of consent for Marketing Materials will not affect us collecting, using, processing and disclosing personal data – as per the Purposes detailed at “The purpose of collecting your Personal Data” above. If you have withdrawn consent for us to collect, use and disclose your personal data for any one or more of the Purposes, this may affect or prevent us from continuing our existing relationship with you and/or any contracts and/or policies you have with us may have to be cancelled or surrendered, as applicable. In this case, you may lose benefits from the terminated or surrendered policy(ies) and it may not be possible for you to obtain a similar level of insurance or protection on the same terms in the future.

ADMINISTRATION AND MANAGEMENT OF PERSONAL DATA

We make all reasonable efforts to ensure that your personal data is accurate and complete. In order to ensure that we hold accurate personal data, you must update us in a timely manner as and when required if there are any changes to your personal data that you have provided to us. If you fail to do so, we will not be responsible to you for relying on inaccurate or incomplete personal data provided to us and in relation to which you have not notified us of any required amendments.

We put in place commercially reasonable security arrangements to ensure that your personal data is protected to prevent unauthorised access, collection, use, disclosure, copying, modification, leakage, loss, damage and/or alteration of your personal data (“Data Issue”). However, we cannot assume responsibility for any unauthorised use of your personal data by third parties or Data Issue which is attributable to factors beyond our control.

We put in place commercially reasonable measures such that your personal data in our possession or under our control is destroyed and/or anonymised as soon as it is reasonable to assume that (i) the purpose for which that personal data was collected is no longer being served by the retention of such personal data; and (ii) retention is no longer necessary for any legal or business purposes, including adherence to the PDPA.

If your personal data is to be transferred out of Singapore, we will take appropriate steps to ensure that the overseas recipient organisations of the personal data provide the standard of protection that is at least comparable to the protection under the PDPA.

COMPLAINT PROCESS

If you have any complaint or grievance in respect of the use, collection, processing, storage and protection of your personal data, you may contact our Data Protection Officer using information available on the Contact Us page. Kindly use “PDPA complaint” or “PDPA Matter” in the subject header of your email or letter to us to assist us in attending to your complaint as quickly as possible. We will endeavor to respond to you within 14 working days.

COOKIES

Whenever you interact with us on our websites, we may receive and store certain types of information via “cookies”. The “cookies” are small text files placed on your computer or electronic devices by our website.

Through the “cookies”, we are able to collect and analyse non personal data such as your IP address, browser type, domain names, access times, pages browsed, time spent per webpage, traffic monitoring, user experience, website performance and to remember your preferences.

If we collect your personal data through cookies, we will notify you and seek your consent to the same.

You may choose to disable the cookies by altering the browser settings on your computer. However, by doing so, you may not be able to use certain services, perform certain transactions or browse certain parts of our website.

Your use of our website constitutes consent by you to our use of cookies.

THIRD PARTY WEBSITES

Our website may contain links to websites operated by third parties. We will not be responsible for the data protection practices of the third parties’ websites even though such websites may be co-branded with our logo or trademark.

You should refer to and understand the third-party website operators’ data protection policies and procedures.

PERSONAL DATA PROTECTION UNDERTAKING BY CORPORATE POLICYHOLDER CORPORATE PROSPECT

"You" / "Your” / "Yours” wherever mentioned in this Policy shall include the corporate policyholder / corporate prospect (“Company”) of Zurich Insurance.

The Company represents to, undertakes and warrants with Zurich Insurance that:

  • It shall observe all terms and conditions of this Policy;
  • Where personal data of an individual is disclosed to us by the Company,  whether directly or through an intermediary, the Company has prior to disclosing such personal data to us, obtained the appropriate consent from each of the individuals, allowing us (i) collect, use, disclose and/or process their personal data for one or more of the Purposes; and (ii) disclose their personal data to the third parties in the manner as set out in this Policy;
  • The personal data of an individual disclosed to us by the Company is accurate, true and complete. The Company shall give us notice in writing as soon as reasonably practicable should it become aware that any such personal data is no longer accurate or has been updated and/or changed;
  • It shall give us notice in writing as soon as reasonably practicable should it become aware that an individual for whom personal data has been disclosed to us, has withdrawn such consent as is required in accordance with the terms of this Policy
  • It shall ensure that it complies with the prevailing PDPA and any related subsidiary legislation, and corresponding regulations and guidelines.  The Company shall not do anything and shall not omit to do anything that may cause us and/or our Group Companies to be in breach of any of our obligations under the PDPA;
  • It shall at our request, promptly assist us to comply with the PDPA and all subsidiary legislation and corresponding regulations and guidelines related thereto. This includes, but is not limited to, the Company executing such further documents as we may require and/or the Company making arrangements for additional form(s) and consent(s) to be completed and signed by individuals whose personal data are provided by the Company to us; and
  • It shall notify and make each of the individuals whose personal data has been disclosed to us, aware of this Policy before disclosing their personal data to us.
  • It undertakes to indemnify and at all times hereafter keep us and our Group Companies (together with their respective directors, officers, employees, contractors and agents) (each an “Injured Party”) indemnified against any and all losses, damages, actions, proceedings, costs, claims, demands, expenses and liabilities (including full legal costs on a solicitor and own client basis) which may be suffered or incurred by the Injured Party or asserted against the Injured Party by any person or entity whatsoever, in respect of any matter or event whatsoever arising out of, in the course of, by reason of or in respect of any breach of any of the provisions in this Policy by the Company, and/or any action or omission by the Company, that causes us or any Injured Party to be in breach of the PDPA.

Contact Information

If you have any queries in relation to the collection, use, storage and disclosure of your personal data, wish to request access to or a correction of your personal data held by us, or wish to withdraw your consent for us to collect, use and disclose your personal data, you may contact our Data Protection Officer at Contact Us page.

UPDATES ON PERSONAL DATA PROTECTION POLICY & GOVERNING LAW

As part of our efforts to ensure that we correctly use, protect, and process your personal data, or if there are any changes to the legal and regulatory environment, or our business activities which impact on the collection, use and protection of your personal data, we may review and amend this Policy from time to time without any prior notice to you.

Our most updated Policy will always be set out on our website at: http://www.zurich.com.sg/services/Personal Data Protection Policy.

Please visit our website for our latest Policy.

This Policy is governed by the laws of Singapore and the courts in Singapore have exclusive jurisdiction over it.