1. Who is responsible for looking after your personal data?
As a shareholder of Chubb Limited, your Data Controller is Chubb Limited.
Chubb is a group of companies and you should be aware that although Chubb Limited is principally responsible for looking after your personal data, information may be held in databases which can be accessed by other Chubb companies. When accessing your personal data, all Chubb companies will comply with the standards set out in this Policy. A description of the entities that make up the Chubb group is available here.
2. What personal data do we collect?
In order to comply with regulatory requirements and manage our interactions with you, we or our Service Providers collect information about you regarding your name, address(es), telephone number(s), e-mail address(es), the number of shares held by you, bank details (for dividend payments) and further related information regarding your shares and the execution of any related rights or obligations.
When registering as a shareholder, you may need to provide us with the personal data of third parties. Wherever possible, you should take steps to inform the third party that you need to disclose their details to us, identifying Chubb Limited as the relevant Data Controller. We will process their personal data in accordance with this Policy.
3. When do we collect your personal data?
We may collect information from you directly during the subscription and registration processes, in the course of the administration of your shareholding relationship, or in relation to any shareholder communication or meeting.
We may also collect information about you if you attend meetings that we organise, contact us through the Internet or sign up to one of our news or alert services.
4. What do we use your personal data for?
We will use your personal data to manage our relationship with you as a shareholder, including sending you shareholder communications and to comply with any legal, regulatory, or corporate governance requirements. Where relevant, we will also use your personal data to deliver or request the delivery of any specific shareholder related services (such as e.g. payment of dividends or delivery of proxy materials) or answer any of your inquiries.
5. Protecting your property
We will make sure that we only use your personal data for the purposes set out in Section 4 and here (as set out in the Section applicable to "Business Partners" or "All") where we are satisfied that:
- you have provided your consent to us using the data in that way, or
- our use of your personal data is necessary to perform a contract (including your shareholder subscription) or take steps to enter into a contract, or
- our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we have, or
- our use of your personal data is necessary to support 'legitimate interests' that we have as a business (for example, to manage shareholder relationships), provided it is conducted at all times in a way that is proportionate, and that respects your privacy rights.
We do not collect and/or use any Sensitive Personal Data for the purpose of managing our relationship with you as a shareholder of Chubb Limited. "Sensitive Personal Data" means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
6. Who do we share your personal data with?
We work with members of the Chubb group (as set out in Section 1) as well as with third parties to help administer our shareholder relations. These third parties may from time to time need to have access to your personal data and may include:
- Our transfer agent, who is a Service Provider who help us manage the shareholder administration, organizing and carrying out of shareholder-related activities, and maintains our shareholder list and related details
- Credit reference agencies and organisations working to prevent fraud in financial services
We may be under legal or regulatory obligations to share your personal data with courts, regulators, or law enforcement.
7. International Transfers
From time to time we may need to share your personal data with members of the Chubb group who may be based outside Switzerland and Europe (outside of the European Economic Area). Our Service Providers, who may be located outside Switzerland and Europe, also may have access to your personal data. We may also make other disclosures of your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body.
Transfers may be made to the countries listed here. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests:
- We will only transfer your personal data to countries which are recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights;
- Transfers within the Chubb group of companies will be covered by an intra-group agreement which gives specific contractual protections designed to ensure that your personal data receives an adequate and consistent level of protection wherever it is transferred within the Chubb group;
- Transfers to Service Providers and other third parties will always be protected by contractual commitments and where appropriate further assurances;
- Any requests for information we receive from law enforcement or regulators will be carefully checked before personal data is disclosed.
You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 10 if you would like further information.
8. How long do we keep your personal data?
We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy. In some circumstances we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.
In specific circumstances we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.
We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which ensures it will no longer be used.
9. What are your rights
You have a number of rights in relation to your personal data.
You may request access to your data, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability and the basis for international transfers. You may also exercise a right to complain to your Supervisory Authority. More information about each of these rights can be found by referring to the table set out further below.
To exercise your rights you may contact us as set out in Section 10. Please note the following if you do wish to exercise these rights:
Right
|
What it means
|
Access
|
You can ask us to:
- confirm whether we are processing your personal data;
- give you a copy of that data;
- provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, and where we got your data from, to the extent that information has not already been provided to you in this Policy.
|
Rectification
|
You can ask us to rectify inaccurate personal data.
We may seek to verify the accuracy of the data before rectifying it.
|
Erasure
|
You can ask us to erase your personal data, but only where:
- It is no longer needed for the purposes for which it was collected; or
- You have withdrawn your consent (where the data processing was based on consent); or
- Following a successful right to object (see 'Objection' below); or
- It has been processed unlawfully; or
- To comply with a legal obligation to which we are subject.
We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:
- For compliance with a legal obligation; or
- For the establishment, exercise or defence of legal claims;
There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request
|
Restriction
|
You can ask us to restrict (i.e. keep but not use) your personal data, but only where:
- Its accuracy is contested (see Rectification), to allow us to verify its accuracy; or
- The processing is unlawful, but you do not want it erased; or
- it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
- You have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal data following a request for restriction, where:
- we have your consent; or
- to establish, exercise or defend legal claims; or
- To protect the rights of another natural or legal person.
|
Portability
|
You can ask us to provide the personal data you have provided to us to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another Data Controller, but in each case only where:
- The processing is based on your consent or on the performance of a contract with you; and
- The processing is carried out by automated means.
|
Objection
|
You can object to any processing of your personal data which has our 'legitimate interests' as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests.
Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
|
International Transfers
|
You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of Switzerland and the European Economic Area.
We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.
|
Supervisory Authority
|
You have a right to lodge a complaint with your local supervisory authority about our processing of your personal data. You can find the supervisory authority for data protection for Chubb Limited here. Based on your residence, you may have the possibility to lodge a complaint with the appropriate data protection authority of your place of residence.
We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
|
Identity
|
We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request in respect of such records.
|
Fees
|
We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.
|
Timescales
|
We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can tell us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
|
Third Party Rights
|
We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects.
|
The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following ways:
dataprotectionoffice.europe@chubb.com
or
Data Protection Officer,
Andreas Letsch
Bärengasse 32
8001 Zurich, Switzerland
If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time.
Updated August 2023