- Euclid Insurance Services, Inc. and its affiliates recognize and respect applicable privacy and data protection laws.
- Euclid Transactional UK Limited (“Euclid UK”) complies with applicable Data Privacy Requirements. For purposes of this Policy, “Data Privacy Requirements” shall include: (a) the EU General Data Protection Regulation (“GDPR”) as implemented by countries within the European Economic Area (“EEA”) and the UK; (b) the EU e-Privacy Directive 2002/58/EC as implemented by countries within the EEA and the UK; and/or (c) other laws that are similar, equivalent to, successors to, or that are intended to or implement the laws that are identified in (a) and (b); and
- The Euclid Group affiliates listed at Schedule 1 comply with the obligations of a data importer as set out in the Euclid intra-group EU Standard Contractual Clauses (“Model Contracts”). This Policy applies equally to the Euclid Group affiliates listed at Schedule 1 other than in respect of the legal grounds for processing Personal Data (see Sections 3.2 – 3.4) and all references in this Policy to the same; (collectively, the “Euclid Group”).
- This Policy applies to Personal Data (i.e. any information that directly or indirectly identifies an individual), acquired from employees, agents, consultants, contractors, vendors, service providers, customers, brokers, beneficiaries, dependents, policyholders and others, and processed by the Euclid Group in connection with its business operations.
- This Policy must be implemented and followed by all employees of the Euclid Group. This Policy must also be followed by the Euclid Group’s temporary staff, agents, consultants, contractors, vendors and service providers in their processing of Personal Data on behalf of the Euclid Group.
- This Policy is supplemented by additional Euclid Group policies and guidance dealing with specific aspects of Data Privacy Requirements.
- It is the responsibility of each Euclid Group affiliate to ensure compliance with all applicable Data Privacy Requirements in the country in which it operates and to train employees in the application of this Policy.
- Where any employee becomes aware of any laws or regulations that prevent them from complying with this Policy or any breach of this Policy, including any personal data breach (see Section 4.9 below), they must inform the Compliance Officer immediately upon becoming aware of such laws, regulations or breaches.
- This Policy may be revised at any time. Notice of significant revisions shall be provided through appropriate mechanisms.
DATA PRIVACY REQUIREMENTS
Data Privacy Principles
- The Euclid Group has adopted the following principles to govern its processing of Personal Data:
- Personal Data shall be processed fairly and lawfully in compliance with Data Privacy Requirements and/or the Model Contracts. See Section 3.2 (Legal Grounds for Processing) and Section 3.3 (Data Privacy Notices) below.
- Personal Data shall be processed only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes except: (i) with the valid consent of the individual to whom the Personal Data relates (a “Data Subject”); or (ii) where allowed by Data Privacy Requirements and/or the Model Contracts.
- Personal Data shall be adequate, relevant and not excessive in relation to the purposes for which the Personal Data are processed.
- Personal Data shall be accurate, complete and kept up to date as appropriate to the purposes for which the Personal Data are processed.
- Personal Data shall not be kept in a form which permits identification of the Data Subject for longer than necessary for the permitted purposes.
- Personal Data shall be collected and processed in accordance with the rights of Data Subjects. See Section 3.6 of this Policy.
- Appropriate technical and organizational measures shall be taken in relation to Personal Data. See Section 5 of this Policy.
- Personal Data must not be transferred from the European Economic Area (“EEA”) to a country outside the EEA unless the country is deemed to provide an adequate level of data privacy or unless one of the circumstances described in Section 3.5.3 of this Policy applies.
Legal Grounds for Processing
- Personal Data of Data Subjects must be processed lawfully. In order to do so, the processing must be based on one or more specific legal grounds. The most relevant legal grounds, for processing Personal Data, include:
- The Data Subject having unambiguously given his or her consent.
- The processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract.
- The the processing is necessary for Euclid UK to comply with an EU/UK legal obligation that is applicable to Euclid UK.
- The processing is necessary for the purposes of the legitimate interests pursued by Euclid UK, unless such interests are overridden by the rights of the Data Subject.
- Where consent is the ground being relied on this must be a freely given, specific, informed and unambiguous indication of the Data Subject’s wishes. The Data Subject must provide an active indication that he or she agrees to the processing of his or her Personal Data. The consent shall be in writing or other legally permissible means. The Data Subject has the right to withdraw consent at any time and must be informed of this right. For these reasons Euclid UK should generally rely where possible on the alternative grounds identified above when processing Personal Data other than in those limited circumstances where consent is absolutely required.
- Where Euclid UK processes criminal records or offences data (e.g., in the context of background checks for job applicants), Euclid UK must ensure it does this only where permitted pursuant to specific legislation and where applicable Euclid UK maintains a policy with respect to such processing.
- Where Euclid UK processes special categories of personal data (e.g., employee health data), the most relevant legal ground will be where such processing is necessary so Euclid UK can comply with employment law and such processing is specifically authorized or required by law. The processing of special categories of personal data will be kept to a minimum and in any event only as strictly necessary.
Data Privacy Notices
- A data privacy notice setting out the information in Section 3.3.2 must be provided to a Data Subject before processing their Personal Data, or where received from a third party as soon as possible after receiving the Personal Data, unless the Data Subject already has the information.
- The data privacy notice must be communicated in a clear manner and shall include the following information:
- the identity and contact details of the relevant Euclid Group affiliate;
- the purposes and legal ground for the processing, including the legitimate interest(s) pursued by the Euclid Group affiliate if this is the legal ground for processing;
- the recipients or categories of recipients of the Personal Data;
- the details of any international transfers outside of the EEA and how to obtain a copy of the relevant safeguards;
- the retention period for the Personal Data, or where this is not possible the criteria used to determine this period;
- the existence of the Data Subjects’ rights and the right to withdraw consent;
- the right to lodge a complaint with the data protection authority (“DPA”);
- whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and the possible consequences of failure to provide such information; and
- the existence of automated decision-making including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.
- The data privacy notice must be communicated in a clear manner and shall include the following information:
Disclosure of Personal Data to Data Processors and other Third Parties
- A data processor processes Personal Data on behalf of and in accordance with instructions from a controller, for example a vendor hosting Personal Data for the Euclid Group. Personal Data may not be provided to any data processor by the Euclid Group unless a written data processing agreement has been entered into containing specific data processing provisions. Template data processing provisions that all data processors must agree to comply with can be obtained from the Compliance Officer.
- As part of the Euclid Group’s internal auditing process, the relevant Euclid Group affiliate shall conduct regular checks on processing of Personal Data by data processors.
- To the extent the Euclid Group discloses Personal Data to third parties who are acting as controllers (for example, disclosures in response to a request made by a regulator or a potential buyer in a contemplated transaction), the Euclid Group will take reasonable and appropriate steps to maintain the required level of data privacy as required in this Policy and the Compliance Officer should be consulted prior to making any such disclosures to determine that any legal requirements have been dealt with.
Transfers of Personal Data from the EEA
- Personal Data must not be transferred from the EEA to a country which is not considered to provide an adequate level of protection unless an exemption applies, for example:
- the Data Subject has given consent to the proposed transfer;
- the data exporter in the EEA and the data importer outside the EEA have entered into Model Contracts; or
- the data importer in the US is self-certified under the US Privacy Shield framework (“Privacy Shield”).
- The Euclid Group has entered into Model Contracts for intra-group transfers of Personal Data. International transfers made by the Euclid Group to third parties outside the EEA will be made in accordance with Data Privacy Requirements. A copy of these safeguards are made available to Data Subjects on request from the Compliance Officer.
Data Subject Rights
- Data Subjects have certain rights under Data Privacy Requirements which may be subject to limitations and/or restrictions. These rights include the right to:
- request access to and rectification or erasure of Personal Data;
- obtain restriction of processing or to object to processing of Personal Data;
- the right to data portability; and
- the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the Data Subject or significantly affects the Data Subject.
- Appropriate physical, technical, and organizational measures are adopted by the Euclid Group to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, having regard to the cost of implementation, the nature of the data, and the risks to which they are exposed.
- Employees who are required as part of their job description to process Personal Data will receive training and guidance on the security of data. However, the Euclid Group expects all of its employees to be aware of the basic security principles as set out in this Policy and the Euclid Group’s Information Technology Security Policy.
- It is the responsibility of all employees to report all (suspected) personal data breaches (i.e., a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed), to the Compliance Officer and the IT Department immediately in accordance with the Personal Data Breach Response Plan.
- Where the Euclid Group considers that a personal data breach is required to be notified to a DPA, the Euclid Group will notify the appropriate DPA without undue delay and no later than 72 hours after becoming aware of the personal data breach.
- The Euclid Group will notify Data Subjects affected by a personal data breach without undue delay where the Euclid Group considers that the breach is likely to result in a high risk to the rights and freedoms of the Data Subjects, unless:
- appropriate technical and organizational protection measures have been implemented with regard to the Personal Data affected by the personal data breach;
- the Euclid Group has taken subsequent measures which ensure that the high risk to the Data Subjects is no longer likely to materialize; or
- notification would involve a disproportionate effort. In such case, Data Subjects will be informed in an equally effective manner.
Questions and Complaints
- This Policy is enforced by the Human Resources Department, and Information Security Department.
- Any queries or complaints in relation to this Policy, application of the Data Privacy Requirements or the processing of Personal Data may be addressed to Human Resources Department.
Schedule 1 – Euclid Group Affiliates Outside of Scope of GDPR but Data Importers under Intra-Group
|Euclid Group Affiliate||Jurisdiction||Contact Details|
|Euclid Insurance Services, Inc.||US||Maureen Dunn, [email protected]|