Zurich Insurance Company Ltd (Canadian Branch) and World Travel Protection Canada Inc. (collectively, “Zurich”) are committed to protecting the privacy and security of the personal information we collect in the course of providing products and services to our customers.
We value the trust of our customers and others with whom we do business. This document provides an overview of our practices regarding the collection, use and disclosure of personal information.
Why does Zurich collect personal information?
We collect personal information for the purpose of administering and/or servicing an insurance policy, handling a claim or providing requested assistance services.
How does Zurich ensure that my personal information is accurate?
Zurich verifies the accuracy of your personal information whenever you contact the company with respect to a claim under an existing policy of insurance or to purchase additional insurance. Our staff ensures that your name, date of birth, address and contact information are accurate, up-to-date and complete. In the event that there is a change to be made to your personal information, this change is recorded and saved in our database, and the out-of-date or inaccurate information is expunged.
From whom is personal information collected?
Personal information may be collected from such sources as our affiliates, independent insurance brokers, other financial institutions, credit bureaus, government departments, claims organizations, a policyholder, a customer, a customer’s employee, a claimant, a claimant’s employer or a claimant’s employee. We may collect personal information from persons who witnessed incidents, or persons retained by a claimant or by us in the process of administering or servicing a policy or handling a claim. Such people might include physicians, lawyers, accountants, repair shops, consumer reporting agencies and appraisers as permitted or required by law.
What kind of personal information is collected?
Personal information that may be collected includes, but is not limited to: an individual’s name, address, telephone number, date of birth, family status, occupation, claims history, motor vehicle reports, driver’s license number, gender, policy number, premium and/or premium payment history, medical history and status. In the case of a claim, we may also collect the date of loss, type of loss, cause of loss and the value of the claim.
How is personal information used?
We use personal information to administer or service a policy; administer a claim; provide assistance services; comply with the law; and as otherwise permitted by law. The transfer of your personal information to an affiliate or third party for processing purposes is defined as a “use” of your personal information. Affiliated and non-affiliated third parties that may receive or have access to the personal information in our care are not authorized to use such information for any marketing purposes except as permitted by law. They may not copy or disclose personal information to any other party and may use it only for the purpose of performing their responsibilities to us, one of our policyholders or claimants and as otherwise permitted or required by law.
Do you limit the collection of my personal information?
Yes. We collect only the information that is necessary for us to process your policy of insurance or administer your claim for benefits. In the event of a claim for medical coverage, we only request medical records for the pre-existing and/or eligibility periods and do not ask for social insurance numbers. When we collect your credit card information to confirm coverage, only the BIN number (the first 6 digits) of the credit card is saved and the rest of the digits are masked to ensure your privacy.
To whom might personal information be disclosed?
Personal information may be shared with affiliated and non-affiliated third parties in Canada, the United States and abroad in order to provide services, administer or service an insurance policy or a claim, and as otherwise permitted or required by law. Our affiliates include insurance companies, third-party insurance administrators and other providers of financial products and services. Examples of unaffiliated third parties include independent insurance brokers, the policyholder, persons or organizations retained to assist in the administration of policies and/or claims (such as adjusters, appraisers, repair shops and medical service providers), insurance support organizations, companies with whom we have joint marketing agreements, information processing facilities and others as permitted or required by law.
Depending on the nature and sensitivity of your personal information, your consent to the collection, use and disclosure of personal information may be required. This consent can be express (oral or written) or implied and, subject to legal or contractual restrictions, may be withdrawn.
Transferring Personal Information Overseas
By contacting us, you are consenting to us sending your information to overseas parties if required to provide you with medical and non-medical assistance or to progress and assess your claim. The countries we typically disclose your personal information to under these circumstances are generally located in the geographic regions you travelled to during the duration of your policy. We may also need to disclose information to service providers who are located overseas who assist us by managing and authenticating some customer data. Who those service providers are and where they are located may change from time to time. You can contact us for details.
While we are committed to protecting your information from misuse, loss or interference when your personal information is sent to third parties overseas, in some cases we may not be able to take reasonable steps to ensure that those third parties do not breach applicable privacy laws and the information may not be subject to the same level of protection as is provided for under Canada’s privacy laws. You may not be able to seek redress either under laws of Canada or under laws in the overseas jurisdiction in the event of any misuse, loss or interference with your personal information. When assessing your claim, we may refer to information provided by our third party medical and non-medical assistance providers, who include related entities.
What security features are in place to protect personal information?
Access to personal information is limited to those with a specific “need to know” in order to provide products and services to policyholders and to others as permitted or required by law. We maintain contractual, physical, electronic and procedural safeguards to protect against the misuse of personal information under our control.
Can I access or change my personal information?
Yes. To access your personal information on file, please send a request in writing to our Privacy Officer at the address provided below. Please specify the kind of information you are seeking. You will be contacted by our Privacy Officer and asked to provide some form of identification to confirm your right to access this information.
To change or correct any personal information, please contact our Privacy Officer.
How long do you retain my personal information?
It is Zurich’s policy to retain data pertaining to claimants for a period of seven (7) years, after which time it is destroyed/erased from our records.
What are the rights of data subjects under GDPR?
The European Union’s GDPR came into force on May 25, 2018. Under GDPR, residents and citizens of the EU (“data subjects”) have greater control over who collects their data, how the information is used, and for how long.
GDPR: Rights of Data Subjects
The rights of data subjects under GDPR are detailed in Chapter 3 – Articles 12 to 23. There are eight fundamental rights under GDPR.
- Right to Access Personal Data
Under GDPR, data subjects have the right to access the data collected on them by a data controller. The data controller must respond to that request within 30 days (Article 15).
- Right to Rectification
Data subjects have the right to request modification of their data, including the correction of errors and the updating of incomplete information (Article 16).
- Right to Erasure
The right to erasure – also referred to as the right to deletion or the right to be forgotten – allows a data subject to stop all processing of their data and request their personal data be erased (Article 17).
- Right to Restrict Data Processing
Data subjects, under certain circumstances, can request that all processing of their personal data be stopped (Article 18).
- Right to be Notified
Data subjects must be informed about the uses of their personal data in a clear manner and be told the actions that can be taken if they feel their rights are being impeded. Data subjects must also be informed of any rectification or erasure of their personal data under articles 16, 17, and 18 (Article 19).
- Right to Data Portability
A data subject can request that their personal data file be sent electronically to a third party. Data must be provided in a commonly used, machine readable format, if doing so is technically feasible (Article 20).
- Right to Object
If a request to stop data processing is rejected by a data controller, the data subject has the right to object to their Article 18 right being denied (Article 21).
- Right to Reject Automated Individual Decision-Making
Data subjects have the right to refuse the automated processing of their personal data to make decisions about them if that significantly affects the data subject or produces legal effects – profiling for example (Article 22).
Rights of Data Subjects under GDPR are Not Absolute
While data subjects have the above rights under GDPR, in certain situations those rights cannot be granted.
For example, the right to restrict data processing does not apply when data are processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences. The same applies to the processing of personal data in the prevention of threats to public security.
Data subjects have the right to access their personal data file, although not if that access adversely affects the rights and freedoms of others.
While data controllers must be aware of the rights of data subjects, they should also be aware of the circumstances under which those rights can be denied, and when charges can be applied for granting data subjects’ rights.
What Privacy Rights Apply to Children?
We support the Children’s Online Privacy Protection Act (“COPPA”) and other frameworks like the General Data Protection Regulation and the “UK GDPR” (together, the “GDPR”). Our goal is to minimize the information gathered from and disseminated about Children while allowing us to provide the Services for which they are covered under policies of insurance.
A. How We Collect Personal Information About Children
We require parental consent to collect Personal Information about Children for the purposes of providing the Services. Children’s Personal Information is used for the same purposes as set out above.
B. How is Personal Information About Children Used?
We use personal information to administer or service a policy; administer a claim; provide assistance services; comply with the law; and as otherwise permitted by law. The transfer of Children’s personal information to an affiliate or third party for processing purposes is defined as a “use” of your personal information.
What Are My Privacy Rights as a California Resident?
If you are a California resident, California law may provide you with additional rights regarding our use of your personal information, subject to exclusions from the rights granted under California law with respect to certain information governed by certain sector-specific privacy laws.
Subject to certain exceptions under California law, California residents may have the following rights with respect to their personal information collected by Zurich:
- The right to know and access. California residents have the right to request we disclose (i) a copy of the personal information that we collect about you; (ii) the categories of personal information that we collected about you in the preceding 12 months; (iii) the categories of purposes for which such personal information was disclosed in the preceding 12 months; (iv) the categories of sources such personal information was collected for; and (v) the categories of third parties such personal information may have been shared with.
- The right to deletion. California residents have the right to request that we delete the personal information that we or our vendors collected about you. There may be circumstances under which we will be unable to delete your personal information, such as if we need to comply with our legal obligations or complete a transaction for which your personal information was collected. If we are unable to comply with your request for deletion, we will let you know the reason why.
- The right to equal service. If a California resident chooses to exercise any of these rights, we will not discriminate against the California resident in any way. However, if a California resident exercises certain rights, such California resident may be unable to use or access certain features of the Sites.
- Exercising California Resident Rights
To exercise any of these rights, contact us at email@example.com, 1-866-236-5009. In connection with submitting a request, you must provide the following information: name, email, phone number, state of residence, and policy number and you must state what type of request you are making.
We have the right to require you to provide written permission granting authority to your representative and for your agent to verify its identity directly with us, and we may deny a request from your representative who does not submit proof of authorization as we request.
A California resident may only make a verifiable consumer request for access or data portability twice within a 12-month period. The request must provide sufficient information that allows us to reasonably verify the requestor is the person about whom we collected personal information or an authorized representative and describe the request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond to a request or provide personal information if we cannot verify the identity or authority to make the request.
We will endeavour to confirm receipt of a request within 10 days following submission and provide information about how we will process the request. We will endeavour to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to an additional 45 days), we will provide notice in writing explaining the reason for the extended time period. We may deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding the request receipt date. If we deny a request, we will provide a response explaining the reasons we cannot comply with a request, if applicable.
- Sharing of California Resident Personal Information
We may have collected and disclosed the following categories of personal information from a California resident for a business purpose in the preceding 12 months:
- Various identifiers, including, name, address, online identifier, Internet Protocol (IP) address, email address, account name, or other similar identifiers.
- Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), including, telephone number or financial information.
- Geolocation data, including, physical location or movements.
- Protected classification characteristics, including, race, colour, national origin, marital status, sex, veteran or military status.
- Personal records, such as power of attorney or family history.
- Information received from a government entity or other third party.
We may collect the above categories of personal information directly from you, indirectly as you interact with our website, from or through other third-party sources, including our customers, or through email or other electronic messages between you and our website.
- Sale of California Resident Personal Information
In the prior 12 months, we have not sold personal information of a California resident.
- “Shine the Light” Law
California’s “Shine the Light” law, Civil Code section 1798.83, requires certain businesses to respond to requests from California consumers asking about the business’ practices related to disclosing personal information to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to firstname.lastname@example.org.
How We Respond to “Do Not Track” Signals
Our website does not respond to Do Not Track signals. Third parties cannot collect any other personally identifiable information from our website unless you provide it to them directly.
What Are My Privacy Rights as a Nevada Resident?
Nevada residents may have certain rights to opt-out of sales of their personal information under Nevada Revised Statutes Chapter 603A. However, please know Zurich does not sell data triggering this Nevada statute’s opt-out requirements. If you have questions with respect to this right, please contact email@example.com.
What Are My Choices?
- Location Information: With your consent, we may collect information about your actual location when you use our mobile applications and when you request or purchase products or services. You may stop the collection of this information at any time by changing the settings on your mobile device; but note that some features of our mobile applications may no longer function if you do so.
- Native Applications on Mobile Device: Some features of our mobile applications may require access to certain native applications on your mobile device, such as the camera, photo album and the address book applications. If you decide to use these features, we will ask you for your consent prior to accessing the applications and collecting associated information. Note that you can revoke your consent at any time by changing the settings on your device.
- Cookies: Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies. Please note that if you choose to remove or reject cookies, this could affect the availability and functionality of the website.
- Push Notifications: With your consent, we may send push notifications or alerts to your mobile device. You can deactivate these messages at any time by changing the notification settings on your mobile device or within our mobile applications.
What if I have a question, concern or complaint?
If you have a question, concern or complaint about privacy or our personal information handling practices, our employees or service providers, please contact our Privacy Officer at the address or number listed below or visit our website for details on how to bring your concern to our attention.
Phone: (416) 977-4701
Toll Free: 1-866-236-5009
Fax: (416) 205-4676
World Travel Protection Canada Inc.
901 King Street West
Canada M5V 3H5
This Privacy Statement is a stand-alone document. You may receive privacy statements or notices from other parties. The terms of this Privacy Statement do not modify, supersede, revise, or amend the terms of other privacy statements or notices received from other parties.
Office of the Privacy Commissioner of Canada
30 Victoria Street
Office of the Information and Privacy Commissioner for Alberta
410, 9925 – 109 Street
Edmonton, Alberta T5K 2J8
Inquiries: 1-888-878-4044 (toll-free)
Office of the Information and Privacy Commissioner for British Columbia
4th Floor, 947 Fort Street, Victoria BC V8W 9A4
PO Box 9038, Stn. Prov. Govt.
Victoria B.C. V8W 9A4
Inquiries: (250) 387-5629
Toll-free: 1 (800) 663-7867 (free within B.C.)
Office of the Ombudsman (Manitoba)
750 – 500 Portage Avenue
Winnipeg, MB R3C 3X1
Inquiries: 1-800-665-0531 (toll-free)
Commission d’accès à l’information du Québec
575, rue Saint-Amable, Suite 1.10
Québec (Québec) G1R 2G4
Inquiries: (418) 528 7741
Toll-free: 1 (888) 528-7741 (free within Québec)