2. How we process your personal data
2.1 Individuals in scope of this Privacy Notice
This Privacy Notice provides information for those individuals whose personal data we process, including:
- Business contacts, such as brokers, (re)insurers, managing agents (MGAs), loss adjusters, experts instructed in relation to claims, service providers, suppliers, professional advisors, conference attendees, visitors to our offices, government officials and authorities.
- Customers, claimants and plan beneficiaries, such as those in respect of insurance policies we place as part of our core insurance business activities (e.g., parties covered under the policies, potential beneficiaries of the policies, claimants and other parties involved in claims in respect of the policies), and any other customers in relation to our various service offerings (e.g., employers sponsoring health and benefit plans, pension trustees, premium financing services, current, former and retired plan members, spouses and other beneficiaries entitled to payment from pension and/or benefit plans for whom we provide administrative services).
- Users of our Sites.
- Other individuals, such as those requesting or receiving our marketing information, making general inquiries, entering competitions or promotions, or whose images we use in marketing or are captured on CCTV.
2.2 How we collect your personal data
We collect your personal data in a number of ways, which vary based on how you interact with us and as allowed by applicable law. The following summarizes our various collection points:
- Directly from you or your authorized representative, such as when you provide your personal data to us, including from any of our Sites, surveys, live events, market research, and other direct communications and/or solicitations.
- From our clients and partners, such as commercial clients, (re)insurers, network partners, brokers, employers, benefit plan sponsors, benefit plan administrators, premium finance companies, health service providers, pension trustees, data/marketing list providers and third-party service providers.
- Publicly available sources, such as social media platforms, property and assets registers, and claims and convictions records.
- Gallagher affiliate companies.
- Government authorities, such as police and regulators.
- Background checks and screening tools, such as insurance industry fraud prevention and detection databases, credit agencies and sanctions screening tools.
- Other third parties.
2.3 Personal data we collect
We collect the following types of personal data depending on the purpose of your interaction with us (e.g., as business contact, customer, claimant, insured) and as allowed by applicable law:
- Basic personal and demographic information, such as your name, date of birth, age, gender and marital status.
- Contact information, such as your address, telephone number and email address.
- Unique identifiers, such as identification numbers issued by government bodies or agencies (e.g., your national identifier number or social security number, passport number, ID number, tax identification number, driver's license number, birth, death and marriage certificates, military passbook, and copies of official documents).
- Beneficiary information, such as details of relationships, family members and dependents.
- Employment information, such as your job title, employer, employment status, salary information, employment benefits, pensionable service periods, employment history and professional certifications and training.
- Financial information, such as your bank account numbers and statements, credit card numbers, brokerage account numbers, transaction information, tax information, details of your income, property, assets, investments and investment preferences, pension and benefits, debts, and creditworthiness.
- Policy information, such as your policy number, policy start and end dates, premiums, individual terms, mid-term adjustments, reasons for cancellation, risk profile, details of policy coverage, enrolment, eligibility for insurance or benefits, benefit amounts and underwriting history.
- Claim information, such as a claimant's relationship to a policyholder/insured, claims history and claims data, and the date and particulars of a claim, including causes of death, injury or disability and claim number.
- Plan information, such as contributions levels and benefit options
- Commercial information, such as records of your personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Events or meeting information, such as details about your visits to our offices (including CCTV), your interest in and attendance at events or meetings, audio recordings, photographs or videos captured during meetings, events or calls with you.
- Lifestyle information, such as travel history and plans and general health data.
- Special category data and sensitive personal data, such as data relating to your health (including protected health information), genetic or biometric data, sex life, sexual orientation, gender identity, racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership.
- Criminal records information, such as criminal charges or convictions, including driving offences, or confirmation of clean criminal records.
- Professional disciplinary information.
- Personal information received from background checks and sanctions screenings, including status as a politically exposed person.
- Marketing information, such as your consent to or opt out from receiving marketing communications from us and/or third parties, your marketing preferences, or your interactions with our marketing campaigns and surveys, including whether you open or click links in emails from us or complete our surveys.
- Sites and communication usage information, such as your username, your password, other information collected by visiting our Sites or collected through cookies and other tracking technologies as described in our cookie policy, including your IP address, domain name, your browser version and operating system, traffic data, location data, browsing time, and social media information, such as interactions with our social media presence.
2.4 How we use your personal data
Depending on the purpose of your interaction with us (e.g., as business contact, customer, claimant, insured, pension member), we use your personal data to:
- Perform services for you or our clients
- Provide services and fulfill our contractual obligations, including providing services that you may not have personally requested but were requested by our client(s) and require us to interact, directly or indirectly, with you.
- Facilitate and enable placement of policies and assist in the ongoing management of such policies, including premium management, renewals, adjustments, cancellations, claims management and settlement.
- Provide various consulting, administration, financial, pension and actuarial services and claims administration.
- Advise on the management of our clients' business risks and opportunities, affairs and insurance arrangements and on the administration of claims.
- Manage our business operations
- Enter into business relationships and perform due diligence and background checks, such as fraud, trade sanctions screening, and credit and anti-money laundering checks.
- Create, maintain, customize and secure your account with us.
- Maintain accounting records, analyze financial results, comply with internal audit requirements, receive professional advice, apply for and make claims on our own insurance policies, manage or dispute a claim and recover a debt.
- Conduct data analytics, surveys, benchmarking, and risk modelling to understand risk exposures and experience, for the purposes of creating de-identified and/or aggregate industry or sector-wide reports, to share within Gallagher's group of companies and with third parties.
- Communicate and market to you
- Communicate with you regarding your account or changes to our policies, terms and conditions, respond to any inquiries you may have, and send you invitations for events or meetings.
- Advertise, market and promote our services or the services of others, including by email, LinkedIn, SMS, post or telephone.
- Send you newsletters, offers or other information we think may interest you, as well as offer and administer promotions.
- Monitor usage of our Sites and personalize your experience with our Sites and the messages we send you to deliver content, product and service offerings relevant to your interests, including targeted offers and ads through our Sites, third-party Sites, and via email, SMS or text (with your consent, where required by law).
- Comply with legal obligations
- Comply with national security or law enforcement requirements, discovery requests, or where otherwise required or permitted by applicable laws or regulations, court orders or regulatory authorities.
- Exercise and defend ours, yours or third parties' legal rights.
- Monitor and prevent fraud or wrongdoing
- Maintain the safety, security, quality, integrity and availability of our products, services, systems and data, detect security incidents, protect against inadvertent data loss, malicious, deceptive, fraudulent, or illegal activity, and debug or identify and repair errors that impair existing intended functionality.
- Monitor and ensure the safety and security of our premises, property, employees and visitors.
- Improve our services
- Develop, enhance, expand or modify our services through research and development.
- Monitor, review, assess and improve our technology systems, including any Sites, and our content on social media platforms.
- Improve and develop systems and algorithms involving machine learning and artificial intelligence.
- Improve quality, training and security (for example, with respect to recorded calls).
- Mergers and acquisitions
- Facilitate commercial transactions, including a reorganization, merger, sale of all or a portion of our assets, a joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings). Should such a sale or transfer occur, we will use reasonable efforts to ensure the entity to which we transfer your personal data agrees to use it in a manner consistent with this Privacy Notice.
If we intend to use your personal data for any other purpose not described in this Privacy Notice or which is not compatible with the purpose for which your personal data was collected, we will contact you and let you know of that purpose, which may include the need to satisfy our legal and regulatory obligations. Where we require your consent to the processing, we will request it in advance.
2.5 Legal basis for processing personal data
Local law and regulation may require us to have a legal basis to process your personal data. In most cases, our legal basis for processing your personal data will be one of the following:
- Legitimate Business Interest, such as seeking to and entering into or performing our contractual duties, maintaining our business records, keeping records of insurance policies or other products we place, and analyzing and improving our business model, services, systems and algorithms. When using your personal data for these purposes, we ensure our business need does not conflict with the rights afforded to you under applicable laws.
- For the performance of a contract with you or in order to take steps at your request prior to entering into that contract.
- Compliance with legal obligations, such as when you exercise your rights under data protection laws and make requests, for compliance with legal and regulatory requirements and related disclosures and for the establishment and defense of legal rights.
- Fraud detection or prevention.
- Consent, such as when we have to obtain your consent to process your personal data.
When we process sensitive personal data, sometimes referred to as special category data, in most cases our legal basis will be one of the following:
- As required to establish, exercise or defend legal claims.
- As necessary for insurance operations when it is in the substantial public interest, where applicable under local data protection laws.
- As necessary for the prevention or detection of an unlawful act and/or fraud when it is in the substantial public interest, where applicable under local data protection laws.
- You have given us your explicit consent-where we receive sensitive personal data or special category data indirectly, the third party is responsible for obtaining your explicit consent to enable us to collect and use your data for the purposes described in this Privacy Notice.
2.6 Who we share your personal data with
We share your personal data within Gallagher's group of companies for the purpose of your interaction with us, such as for the provision of our services, general business operations and controls, marketing, data analytics, systems and algorithm improvements, surveys, benchmarking, and compliance with applicable laws.
We may also share your personal data with the following third parties for the purpose of your interaction with us:
- Your employer, as part of our provision of the services to you or your employer.
- Professional Advisors, such as underwriters, actuaries, claims handlers and investigators, surveyors, loss adjustors/assessors, accident investigators, specialist risk advisors, pension providers or trustees, banks and other lenders (including premium finance providers), health professionals, health service providers, lawyers (including third party legal process participants), accountants, auditors, tax advisors, financial institutions, investment advisors and other fiduciaries and consultants.
- Business partners, such as customers, (re)insurance companies, MGAs, brokers, other insurance intermediaries, claims handlers or other companies who act as insurance distributors and premium financing companies.
- Providers of insurance broking and other platforms we use.
- Service providers, such as IT software, security and cloud suppliers, finance and payment providers, marketing agencies, external venue providers, address tracers, printers, document management providers, telephony providers, debt collection agencies, background check and credit reference agencies.
- Fraud detection agencies and credit bureaus which operate and maintain fraud detection or credit registers.
- Industry bodies.
- Insurers who provide you with insurance and us with our own insurance.
- Regulators, public authorities and law enforcement agencies, such as police, judicial bodies, governments, quasi-governmental authorities, financial and pension regulators and workers' compensation boards, where we are required or requested to do so by law.
- Asset purchasers, such as those who may purchase or to whom we may transfer our assets and business.
- Other third parties, where we have your consent or are required by law.
When required by applicable law, we will obtain your explicit consent before sharing your data with any third parties. We will also require third parties (where applicable) to maintain a comparable level of protection of personal data as set out in this Privacy Notice by the use of contractual requirements or other means. On request and where required by law, we will confirm the name of each third party to which your personal data has, or will be, transferred. To the extent permitted by applicable law, we disclaim all liability for the use of your personal data by third parties.
2.7 Children
Our Sites are not intended for children and we do not knowingly collect, use, or disclose information about children. If you are a minor, please do not provide any personal data even if prompted to do so. If you believe that you have inadvertently provided personal data, please ask your parent(s) or legal guardian(s) to notify us. In the event that we learn that we have inadvertently collected personal data via our Sites from a child, we will delete that information as quickly as possible.