Data Protection Notice

Who we are

Tokio Millennium Re AG is a Data Controller under the terms of Swiss data protection laws and the European Union's (EU) General Data Protection Regulation (GDPR) in that it is "a person or body which, alone or jointly with others, determines the purposes and means of the processing of personal data".

What we do

Tokio Millennium Re AG, its subsidiaries, branches and Tokio Millennium Re (UK) Ltd. (collectively referred to as "TMR"), recognise the importance of effective and secure protection when we collect, use and disclose "personal data". We have instituted a comprehensive, global data protection compliance framework in order to fulfil our responsibilities to protect personal data and to respect privacy rights in compliance with data protection and privacy laws and regulations around the world.

We are in the business of providing reinsurance to insurance companies and other (re)insurance-based forms of risk transfer. In providing these services to meet the needs of our business partners we collect information from them about their insureds to both underwrite reinsurance policies and to settle related claims. We work extensively with reinsurance brokers whose role is to help connect insurance companies with reinsurers for added reinsurance coverage to meet their insurance needs.

Our commitment to data protection is to handle personal data with the greatest care and use it only for legitimate and specified business purposes. We have a global data protection compliance framework, including policies, processes, information security measures, training and awareness programmes and business-relevant procedures to ensure that we comply with all applicable legal and regulatory requirements as well as the principles of the GDPR. As a Swiss company doing business in the EU and elsewhere, we comply with the GDPR where applicable to our global business operations.

What data do we collect?

We collect information when a business partner applies for a reinsurance contract. This generally includes company name, address and other relevant underwriting application information that is provided to us. For some classes of business, for example Motor, Employers' Liability and other classes of business, certain claims information is used to evaluate underwriting risk, to formulate policy and pricing terms and to assist in claims handling. Some of the information collected may, from time to time, depending on the business requirements, fall into what is deemed "personal data", which is data that identifies or has the potential to directly or indirectly identify a person taken alone or in combination with other information. Such data may include an individual's name, address, passport number, e-mail address, date of birth, or financial account numbers. It may also include health details associated with historic claims.

We also safeguard confidential business information that is provided to us by our business partners such as insurance companies and insurance brokers as to their own insurance business practices and related losses when pertinent.

In working with our reinsureds in the underwriting process we may collect information about their business(es) relevant to policy requirements and coverage, risks associated with it and such things as pricing, claim history and licence status. We may also ask for information concerning past claims history. In the event of a claim or anticipated claim, we collect related claim information to help evaluate and complete the claims process. This may include information as to the nature of the claim, the parties involved, and documentation to support the underlying claim.

The purposes of holding your personal data

As a reinsurer we will not generally hold your personal data except in terms of:

1. Claims Processing:

The legal grounds for holding this data is the legitimate interest to assess the veracity and quantum of claims.

2. Renewals:

The legal grounds for holding this data is the legitimate interest to determine the appropriate reinsurance product and premium.

3. Other purposes outside of the (re)insurance lifecycle but necessary for the provision of (re)insurance throughout the (re)insurance lifecycle period:

The legal grounds for holding this data is the legitimate interest to build risk models that allow accepting of risk with appropriate premiums.

Who sees this data?

TMR business information may be shared with business contacts such as programme administrators, managing general agents, reinsurance brokers, actuaries, accountants, application or IT services providers and legal counsel to facilitate TMR's business objectives. Regulators may also view application or other business information in carrying out their regulatory or legal duties. Other information may be used in for routine business activities, including evaluating and underwriting policies, auditing, establishing pricing and other underwriting criteria, evaluating, processing, paying or rejecting claims and other purposes authorised by law.

We may also share personal information with other companies or individuals outside of TMR for the following limited purposes: (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable terms and conditions, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of its users, or the public as required or permitted by law.

Retention of your personal data

We will keep your personal data only for so long as is necessary and for the purpose for which it was originally collected. In particular, only for so long as there is any possibility that either you or we may wish to bring a legal claim under (re)insurance placed with us, or where we are required to keep your personal data due to legal or regulatory reasons.

International transfers

We may need to transfer your data to insurance market participants or their affiliates or sub-contractors which are located outside of the European Economic Area (EEA). Those transfers would always be made in compliance with the GDPR.

Information security

To assure the confidentiality, integrity and availability of personal data within our care, we have a comprehensive, risk-based information security programme. We recognise the impact on individuals from the increasing volume, variety and pace of information that is controlled and processed via various business channels and communication media.

Even though we take precautions to secure our business partner's information and apply commercially reasonable and appropriate safeguards, we cannot guarantee information cybersecurity. To the extent you or others in your company access information on TMR systems through the use of a password, we ask that you keep your password confidential and secure because we cannot be responsible for acts resulting from the unauthorized use of your password or compromises to the security of your computers, networks or systems.

Annually, we review our information security policies. We also conduct regular risk assessments of TMR's cyber security resilience, benchmarked against best practice security standards. The process includes stakeholders throughout the company and results in mitigation measures and the revision of controls to respond to technological developments and evolving threats. It considers particular risks of TMR's business operations related to cyber security, our business information collected or stored, our IT landscape and the availability and effectiveness of controls to protect information.

Third parties

We take particular care when working with third parties. We only share personal data with affiliates, business partners, third party service providers or vendors when we have a legitimate business purpose for doing so and when permissible by law. We require third parties to maintain similar standards to ours for the protection of personal data, as verified by our due diligence process.

Incident response

In the event of security or privacy incidents that may implicate unauthorised access to personal data, we have in place global and local incident response procedures, including appropriate reporting channels as well as a whistleblowing hotline. Our breach detection and response procedures consider the potential business, reputational, legal and regulatory impact on our company. They also entail assessing whether the breach could have consequences for individuals and determining who needs to be notified of the breach, including regulatory authorities, individual data subjects or other stakeholders.

Your rights and contact details of the ICO

In certain circumstances, you may have the right to require us to:

In certain circumstances, we may need to restrict the above rights in order to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege).

Your right to complain to the ICO

If you are not satisfied with our use of your personal data or our response to any request by you to exercise any of your rights, or if you think that we have breached the GDPR, then you have the right to complain to the ICO. Please see below for contact details of the ICO:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

Email: casework@ico.org.uk