In general, any information and data which you provide to the Data Controller over the Website, acquired in the use of services such as the registration procedure, the request for products and services, information or estimates, the possibility to access to the registration procedure, which is reserved for users who have the quality of insurance brokers or intermediaries or otherwise filling out the forms provided in order to notify a claim or to request any of the insurance services provided through the Website (“Forms”), or which is otherwise gathered via the Website by the Data Controller, in the context of the use of the Data Controller’s services (“Services”), will be processed by the Data Controller in a lawful, fair and transparent manner. To this end, and as further described below, the Data Controller takes into consideration internationally recognised principles governing the processing of personal data, such as purpose limitation, storage limitation, data minimisation, data quality and confidentiality.
- Data controller and Data Protection Officer
- Personal Data processed
- Name, contact details and other Personal Data
- Job applications
- Special categories of Personal Data
- Other persons’ Personal Data
- Browsing data
- Purposes of processing
- Grounds for processing and mandatory or discretionary nature of processing
- Recipients of Personal Data
- Transfer of Personal Data
- Retention of Personal Data
- Data subjects’ rights
1. Data controller and Data Protection Officer
To get in touch with the Data Controller’s Data Protection Officer, please contact: firstname.lastname@example.org
2. Personal Data processed
When you use the Website, the Data Controller will collect and process information regarding you (as an individual) which allows you to be identified either by itself, or together with other information which has been collected. The Data Controller may also be able to collect and process information regarding other persons in this same manner, if you choose to provide it to the Data Controller.
This information may be classified as “Personal Data” and can be collected by the Data Controller both when you choose to provide it (e.g., when you sign up for an account, in order to receive the Data Controller’s Services) or simply by analysing your behaviour on the Website.
Personal Data which can be processed by the Data Controller through the Website are as follows:
a. Name, contact details and other Personal Data
In various sections of the Website – including, in particular, if you decide to create an account on the Website or when you fill out a Form – you will be asked to submit information such as your name, phone / mobile numbers, e-mail address, gender, date of birth, country of residence and address, as well as, in certain cases, information related to the company you currently work for and your position in that company.
In addition, whenever you participate in surveys and other promotions which may be available on the Website, as well as whenever you communicate with the Data Controller through the contact details provided in the Website, the Data Controller may collect additional information which you choose to provide. This is also the case regarding any information you choose to disclose in certain sections of the Website which allow you to fill out a Form or to contact the Data Controller directly.
b. Job applications
When registering to apply for a position within the Data Controller, in the “Careers” section of the Website (where available), you will also be asked to provide various types of Personal Data, including professional / employment details (e.g., resume, cover letter, professional qualifications, availability to start, professional social media URLs, etc.).
You are also asked to provide other job-specific information, which includes your marital status, gender and date of birth, which may help to give more insight into you as a candidate – however, this is entirely optional and not mandatory.
c. Special categories of Personal Data
Certain areas of the Website provide you with some free text fields where you can describe to the Data Controller some information that you need to communicate to the Data Controller as required in the Forms, or otherwise allow you to post various types of content on the Website, which may contain Personal Data.
You may use such areas to disclose (inadvertently or not) some sensitive categories of Personal Data, such as data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. The content you upload in these fields may also (inadvertently or not) include other types of sensitive information relating to you, such as your genetic data, biometric data or data concerning your health, sex life or sexual orientation.
The Data Controller asks that you do not disclose any sensitive Personal Data in these free text fields on the Website, unless it is strictly necessary. If you do, please mind that the Data Controller needs your explicit consent to process this sort of Personal Data (e.g., by declaring that you consent to processing in the message you write in the free text fields or posts), if you decide, nonetheless, to share it.
When registering to apply for a position within the Data Controller, in the “Careers” section of the Website (where available), you are also asked to submit (optionally) additional Personal Data, identified as “job-specific information”. Here, you may choose to share information, e.g., regarding any disabilities you may have. As it is totally optional to provide this information, if you do, then please mind that the Data Controller needs your explicit consent to process this sort of Personal Data (e.g., by declaring that you consent to processing in the message you write in the free text fields or posts), if you decide, nonetheless, to share it.
d. Other persons’ Personal Data
As mentioned in the previous section, certain areas of the Website and of the Forms include specific fields as well as free text fields where you can write messages to the Data Controller, or otherwise allow you to insert various types of data on the Website. These messages and content may (inadvertently or on purpose) include Personal Data related to other persons.
In other sections of the Website, you are asked to submit Personal Data related to third parties, such as other contact persons in your company, colleagues, clients, proposers, policyholders, claimants, counterparties and/or insurers.
In any situation where you decide to share Personal Data related to other persons, you will be considered as an independent data controller regarding that Personal Data, and must assume all inherent legal obligations and responsibilities. This means, among other things, that you must fully indemnify the Data Controller against any complaints, claims or demands for compensation for damages which may arise from the processing of this Personal Data, brought by the third parties whose information you provide through the Website.
As the Data Controller does not collect this information directly from these third parties (but rather collects them, indirectly, from you), you must make sure that you have these third parties’ consent before providing any information regarding them to the Data Controller; if not, then you must make sure there is some other appropriate grounds on which you can rely to lawfully give the Data Controller this information.
e. Browsing data
The Websites operation, as is standard with any websites on the Internet, involves the use of computer systems and software procedures, which collect information about the Websitès users as part of their routine operation. While the Data Controller does not collect this information in order to link it to specific users, it is still possible to identify those users either directly via that information, or by using other information collected – as such, this information must also be considered Personal Data.
This information includes several parameters related to your operating system and IT environment, including your IP address, location (country), the domain names of your computer, the URI (Uniform Resource Identifier) addresses of resources you request on the Website, the time of requests made, the method used to submit requests to the server, the dimensions of the file obtained in response to a request, the numerical code indicating the status of the response sent by the server (successful, error, etc.), and so on.
These data are used to compile statistical information on the use of the Website, as well as to ensure its correct operation and identify any faults and/or abuse of the Website.
Definitions, characteristics, and application of standards
Cookies are small text files that may be sent to and registered on your computer by the websites you visit, to then be re-sent to those same sites when you visit them again. It is thanks to these cookies that those websites can “remember” your actions and preferences (e.g., login data, language, font size, other display settings, etc.), so that you do not need to configure them again when you next visit the website, or when you change pages within a website.
When browsing a website, you may also receive cookies from websites or web servers other than the website being visited (i.e., “third-party cookies”).
There are various types of cookies, depending on their characteristics and functions, which may be stored on your computer for different periods of time: “session cookies”, which are automatically deleted when you close your browser, and “persistent cookies”, which will remain on your device until their pre-set expiration period passes.
According to the law which may be applicable to you, your consent may not always be necessary for cookies to be used on a website. In particular, “technical cookies” – i.e. cookies which are only used to send messages through an electronic communications network, or which are needed to provide services you request – typically do not require this consent. This includes browsing or session cookies (used to allow users to login) and functional cookies (used to remember choices made by a user when accessing the website, such as language or products selected for purchase).
On the other hand, “profiling cookies” – i.e., cookies used to create profiles on users and to send advertising messages in line with the preferences revealed by users while browsing websites – typically require specific consent from users, although this may vary according to the applicable law.
Types of cookies used by the Website
The Website use the following types of cookies:
- Browsing or session cookies, which are strictly necessary for the website operation, and/or to allow you to use the website content and Services.
- Analytics cookies, which allow the Data Controller to understand how users make use of the Website, and to track traffic to and from the Website.
- Functional cookies, which are used to activate specific Website functions and to configure the Website according to your choices (e.g., language), in order to improve your experience.
- Profiling cookies, which are used to observe the preferences you reveal through your use of the Website and to send you advertising messages in line with those preferences.
The Data Controller also uses third-party cookies – i.e. cookies from websites / web servers other than the Website, owned by third parties. These third parties will either act as independent data controllers from the Data Controller regarding their own cookies (using the data they collect for their own purposes and under terms defined by them) or as data processors for the Data Controller (processing personal data on the Data Controller’s behalf). For further information on how these third parties may use your information, please refer to their privacy policies.
Cookies present on the Website
In detail, the cookies present on the Group’s Websites are as follows:
|Technical name||Cookie type, function and purpose||Expires after|
|.AspNet.Cookies||Functional cookie. General storage for log in session information.||a session ends|
|.AspNet.TempCookie||Functional cookie. Stores temporary log in information while authentication is being authorised.||authentication success|
|__livechat||Functional cookie. Remembers the info of the visitor entering your website.||3 years|
|__livechat_lastvisit||Functional cookie. Checks visitor’s last visit.||3 years|
|3rdparty||Functional cookie. Checks if the browser’s settings will allow to work on not yet visited pages.||a session ends|
|ASP.NET_SessionId||Session cookie. Stored the ASP.Net Session ID (Created by ASP.Net).||a session ends|
|common_iwcs_0||Functional cookie. Synchronises the communication between opened chat tabs.||a session ends|
|ContextClientSessionID||Functional cookie. Stores the Client ID of the machine that is connected to the server.||a session ends|
|ContextDisplayType||Functional cookie. Stores the preferred Portal Type for the User (i.e. Mobile/Desktop/Tablet etc).||a session ends|
|DecisionsSessionID||Functional cookie. Stores the SessionID for the signed in User.||a session ends|
|DecisionsUsername||Functional cookie. Stores the Username for the Login Page if remember me was selected.||a session ends|
|DisplayTypeCookie||Functional cookie. Stores the display type of the user.||a session ends|
|ForceStudio||Functional cookie. Stores if the User is in Studio Mode or Not.||a session ends|
|furness_cookieWarningDismissed||Functional cookie. Remembers the cookie message display status.||after 1 day|
|Id_token||Functional cookie. Used for login/authentication.||a session ends|
|idsrv||Functional cookie. This cookie is the authentication cookie.||end of authentication|
|idsrv.xsrf||Functional cookie. This cookie ensures single-sign-on cross site request forgery protection.||a session ends|
|idsvr.clients||Functional cookie. This is the single sign on session cookie associated with the client (application) that is requesting authentication.||a session ends|
|idsvr.external||Functional cookie. Used for login/authentication.||1 year|
|idsvr.session||Session cookie. Unique key of current user, used to verify logged in.||a session ends|
|incap_ses_||Functional cookie. Livechat DDoS protection.||a session ends|
|InSession||Functional cookie. Stores if the User has a valid ASP.Net Session.||a session ends|
|InstanceName||Functional cookie. Stores the Instance Name (for Decisions Multi Tenancy Mode) that the user has signed into.||a session ends|
|languageSelected||Functional cookie. Remembers the selected language.||a session ends|
|lc_window_state||Functional cookie. Checks the chat window state (minimized/maximized).||a session ends|
|Logged_in||Functional cookie. Used for login/authentication.||1 day|
|LoginPageContextDisplayType||Functional cookie. Stores the Login Portal Type for the User (i.e. Mobile/Desktop/Tablet etc) – i.e. from where the login was initiated.||a session ends|
|main_window_timestamp||Functional cookie. Synchronises the communication between opened chat tabs.||a session ends|
|main_window_timestamp_0||Functional cookie. Synchronises the communication between opened chat tabs.||a session ends|
|message_text||Functional cookie. Keeps text that is written in textbox.||a session ends|
|newsletterSubscribed||Functional cookie. Used to hide newsletter subscription window to those who have already subscribed.||1 year|
|notification[new_messages]||Functional cookie. Informs about the pending messages.||a session ends|
|notification[predicted_agent]||Functional cookie. Assign the visitor to the specific agent.||a session ends|
|OpenIdConnect.nonce.[HASH]||Functional cookie. Authentication with single-sign on-service.||a session ends|
|recent_window||Functional cookie. Informs about the last page that the visitor was on.||a session ends|
|secret_token_LICENCENUMBER||Functional cookie. Keeps number of license.||a session ends|
|SERVERID_L||Functional cookie. Haproxy – it is used by our load balancer.||a session ends|
|SF-TokenId||Functional cookie. Used for login/authentication||2 hours|
|SignInMessage.[HASH]||Functional cookie. Remembers the sign in message.||a session ends|
|SignOutMessage.[HASH]||Functional cookie. Remembers the sign out Message.||a session ends|
|sub||Functional cookie. Used for login/authentication.||a session ends|
|WFAuthCookie||Functional cookie. ASP.NET Authentication cookie.||a session ends|
You can block or delete cookies used on the Website via your browser options. Your cookie preferences will be reset if different browsers are used to access the Website. For more information on how to set the preferences for cookies via your browser, please refer to the following instructions:
CAUTION: If you block or delete technical and/or functional cookies used by the Website, the Website may become impossible to browse, certain services or functions of the Website may become unavailable or other malfunctions may occur. In this case, you may have to modify or manually enter some information or preferences every time you visit the Website.
3. Purposes of processing
The Data Controller intends to use your Personal Data, collected through the Website, for the following purposes:
- To verify your identity and assist you, in case you lose or forget your login / password details for any of the Data Controller’s registration services, by maintaining a registered user profile and to provide any other Services which you may request (“Service Provision”);
- To examine applicant’s resumes / CVs and to get in contact with applicants who have submitted their application via the Website (“Recruitment”);
- For future marketing, promotional and publicity purposes, including to carry out direct marketing, market research and surveys, via e-mail, SMS, over the phone, through an operator, through the Data Controller’s official social media pages etc. (“Marketing”);
- For future marketing, promotional and publicity purposes, by sending you direct e-mail marketing communication regarding products and services similar to those you have purchased through the use of the Website (“Soft Spam”);
- To create a profile of you as a Website user, through the use of profiling cookies and by collecting and analysing information on the preferences you select and choices you make in the Website, as well as your general activities on the Website. This profile will be used to give you information about other websites / services which the Data Controller believes you may be interested in, and to show you information and advertisements which may be relevant to you and your interests. All algorithms involved in this processing are regularly tested, to ensure the processing’s fairness and control for bias (“Profiling”);
- For compliance with laws which impose upon the Data Controller the collection and/or further processing of certain kinds of Personal Data and to prevent and detect any misuse of the Website, or any fraudulent activities carried out through the Website (“Compliance”).
4. Grounds for processing and mandatory / discretionary nature of processing
The Data Controller’s legal bases to process your Personal Data, according to the purposes identified in Section 3, are as follows:
- Service Provision: processing for these purposes is necessary to provide the Services and, therefore, is necessary for the performance of a contract with you. It is not mandatory for you to give the Data Controller your Personal Data for these purposes; however, if you do not, the Data Controller will not be able to provide any Services to you;
- Recruitment: processing for this purpose is needed in order for the Data Controller to be able to consider offering you a position and, therefore, is necessary to take steps at your request before (potentially) entering into a contract. It is not mandatory for you to give the Data Controller your Personal Data for these purposes; however, if you do not, the Data Controller will not be able to consider your candidacies. In this regard please mind that providing the Data Controller with sensitive information (e.g., disabilities, religion) is not compulsory but, if you do, the Data Controller will need your explicit consent to process such Personal Data;
- Marketing: processing for these purposes is based on your consent. It is not mandatory for you to give consent to the Data Controller for use of your Personal Data for these purposes, and you will suffer no consequence if you choose not to (aside from not being able to receive further marketing communications from the Data Controller). Any consent given may also be withdrawn at a later stage (please see Section 8 for more information);
- Soft Spam: processing for these purposes is based on the legitimate interest of the Data Controller of sending you direct e-mail marketing communication (DEM) regarding products and services similar to those you have purchased through the use of the Website. You can block these DEM, and you will suffer no consequence if you do so (aside from not being able to receive further DEM from the Data Controller), by opposing through the link provided in all such DEM;
- Profiling: processing for this purpose is based on your consent, given by accepting the use of profiling cookies. It is not mandatory for you to give consent to the Data Controller for use of your Personal Data for this purpose, and you will suffer no consequence if you choose not to (aside from not being able to benefit from greater personalisation of your user experience regarding the Website). Any consent given may also be withdrawn at a later stage (please see Section 8 for more information);
- Compliance: processing for this purpose is necessary for the Data Controller to comply with its legal obligations. When you provide any Personal Data to the Data Controller, the Data Controller must process it in accordance with the laws applicable to it, which may include retaining and reporting your Personal Data to official authorities for compliance with tax, customs or other legal obligations;
- Analytics: Information collected for this purpose is used to allow the Data Controller to understand how users interact with the Website and to improve the Website accordingly, with the aim to providing a better user experience;
- Misuse/Fraud: Information collected for this purpose is used exclusively to prevent and detect fraudulent activities or misuse of the Website (for potentially criminal purposes).
5. Recipients of Personal Data
Your Personal Data may be shared with the following list of persons / entities (“Recipients”):
- Persons, companies or professional firms providing the Data Controller with advice and consultancy regarding accounting, administrative, legal, tax, financial and debt collection matters related to the provision of the Services;
- Entities engaged in order to provide the Services (e.g., hosting providers or e-mail platform providers);
- Persons authorised to perform technical maintenance (including maintenance of network equipment and electronic communications networks);
- Persons authorised by the Data Controller to process Personal Data needed to carry out activities strictly related to the provision of the Services, who have undertaken an obligation of confidentiality or are subject to an appropriate legal obligation of confidentiality (e.g., employees of the Data Controller);
- Other companies within the Data Controller Group; and
- Public entities, bodies or authorities to whom your Personal Data may be disclosed, in accordance with the applicable law or binding orders of those entities, bodies or authorities;
6. Transfer of Personal Data
Your Personal Data may be transferred to Recipients located in several different countries. the Data Controller implements appropriate safeguards to ensure the lawfulness and security of these Personal Data transfers, such as by relying on adequacy decisions from the European Commission, standard data protection clauses adopted by the European Commission, or other safeguards or conditions considered adequate to the transfer at hand.
7. Retention of Personal Data
Personal Data processed for Service Provision will be kept by the Data Controller for the period deemed strictly necessary to fulfil such purposes – in any case, as these Personal Data are processed for the provision of the Services, the Data Controller may continue to store this Personal Data for a longer period, as may be necessary to protect the Data Controller’s interests related to potential liability related to the provision of the Services.
Personal Data processed for Recruitment will be kept by the Data Controller for as long as the vacancy for which the CV was submitted is still available or, in case of open positions, for up to 1 year. the Data Controller may contact applicants before the expiration of this period to request an extension of the retention period.
Personal Data processed for Marketing and Profiling will be kept by the Data Controller from the moment you give consent until the moment you withdraw the consent given. Once consent is withdrawn, Personal Data will no longer be used for these purposes, although it may still be kept by the Data Controller, in particular as may be necessary to protect the Data Controller’s interests related to potential liability related to this processing.
Personal Data processed for Compliance will be kept by the Data Controller for the period required by the specific legal obligation or by the applicable law.
Personal Data processed for Analytics and Misuse/Fraud will be kept by the Data Controller for as long as deemed strictly necessary to fulfil the purposes for which it was collected, unless you validly object to the processing of your Personal Data for these purposes (please see Section 8 for further information).
8. Data subjects’ rights
Under the Regulation, you, as a data subject, are entitled to exercise the following rights before the Data Controller, at any time:
- Access your Personal Data being processed by the Data Controller (and/or a copy of that Personal Data), as well as information on the processing of your Personal Data;
- Correct or update your Personal Data processed by the Data Controller, where it may be inaccurate or incomplete;
- Request erasure of your Personal Data being processed by the Data Controller, where you feel that the processing is unnecessary or otherwise unlawful;
- Request the restriction of the processing of your Personal Data, where you feel that the Personal Data processed is inaccurate, unnecessary or unlawfully processed, or where you have objected to the processing;
- Exercise your right to portability: the right to obtain a copy of your Personal Data provided to the Data Controller, in a structured, commonly used and machine-readable format, as well as the transmission of that Personal Data to another data controller;
- Object to the processing of your Personal Data, based on relevant grounds related to your particular situation, which you believe must prevent the Data Controller from processing your Personal Data; or
- Withdraw your consent to processing (for Marketing and Profiling).
Please note that most of the personal information you provide to the Data Controller can be changed at any time, including your e-mail preferences, by accessing the user profile you can create on the Website.
You can withdraw consent regarding processing for Marketing by selecting the appropriate link included at the bottom of every marketing e-mail message received.
Aside from the above means, you can also exercise your rights described above by sending a written request to the Data Controller at the following address: email@example.com
In any case, please note that, as a data subject, you are entitled to file a complaint with the competent supervisory authorities for the protection of Personal Data, if you believe that the processing of your Personal Data carried out through the Website is unlawful.