1. Our approach
1.1. This Canadian Privacy Policy Addendum (the “Policy”) supplements the information contained in the Privacy Notice, available at the following link: https://www.cfc.com/en-ca/support/privacy-policy/, and applies to all customers, brokers and website visitors (“Users”) in Canada. This Policy prevails over any conflicting provisions in the Privacy Notice to the extent required to comply with applicable Canadian and provincial privacy laws.
1.2. CFC is committed to protecting your privacy. This Policy sets out details of the information that we may collect and how we use, store, communicate and process the personal information of our Users.
1.3. In this Policy, references to “we”, “us” or “CFC” mean:
CFC Underwriting Limited, company number: 03302887, registered address: 8 Bishopsgate, London EC2N 4BQ, UK
CFC Claims Limited, company number: 13897666, registered address: 8 Bishopsgate, London EC2N 4BQ, UK
CFC Europe S.A, company number: 0711.818.068, registered address: Bastion Tower, 5 Place du Champs de Mars, 1050 Brussels, Belgium
CFC USA, Inc., DE file number: 7226403, registered address: Floor 16, 48 Wall Street, New York, NY 10005, United States
CFC Underwriting Inc, company number: 1000496243, registered address: 3 Bridgman Avenue, Suite 204, Toronto, ON M5R 3V4, Canada
CFC Claims Inc, company number: 1000756274, registered address: 3 Bridgman Avenue, Suite 204, Toronto, ON M5R 3V4, Canada
CFC Underwriting Pty Ltd, ABN 68 139 214 323, registered address: Level 18, 140 William Street, Melbourne VIC 3000
CFC Claims Pty Ltd, ABN 47 680 201 905, registered address: Level 18, 140 William Street, Melbourne VIC 3000
1.4. We collect your personal information on our own behalf and on behalf of our affiliated entities. Your personal information may also be collected on our behalf by third parties, such as our technology service providers, brokers, insurance claim handling intermediaries, claims counsel and loss adjusters.
1.5. If you have any questions about this Policy, please contact our Head of Compliance, who acts as our person in charge of the protection of personal information, otherwise known as our privacy officer, (“Privacy Officer”) by clicking here.
2. What personal information do we collect and how do we collect it?
2.1 We collect personal information directly from you when you provide it to us, including through our website or mobile applications, when you create a user account, email us, or call us. We also may collect personal information from you through our insurance brokers, claims adjusters and service providers for the purposes of delivering services to you, if you have provided us with prior consent to that effect.
2.2 For instance, we will collect your personal information when you request a quote for one of our products or services, in the course of providing you with one of our products or services, or when you register with us. We may also collect your personal information when you choose to subscribe to our newsletter or mailing list on our website, when you subscribe to receive notifications through our applications, when you enter a contest, or participate in a survey.
2.3 We may also collect personal information using cookies and other technologies, in accordance with our Cookie Notice, available here.
2.4 The type of personal information we collect depends on various factors and on the context. We only collect such personal information that we consider necessary for the conduct of our business and the fulfilment of identified purposes. The types of information we collect may include:
2.4.1 information you provide us in your insurance application, including names, addresses, date of birth or other information provided by you in your application for insurance;
2.4.2 information you provide us to help us carry out our obligations under any insurance contract in place between us and you;
2.4.3 information you provide us relating to a cyber incident, or an insurance claim you make or have made;
2.4.4 financial information such as bank account, income or other financial information in order to assess the risk and provide a quote, return premium or facilitate the payment of claims;
2.4.5 when you visit our website,your IP address to collect broad geographic information on our site visitors and to optimise our website;
2.4.6 information collected through cookies, for more information on how we use cookies, please click here;
2.4.7 information we obtain as a result of checking sanctions lists, such as those published by United Nations, European Union, UK Treasury, and the U.S. Office of Foreign Assets Control (OFAC); and
2.4.8 information you provide us through one of our mobile apps or customer portals.
2.5 In certain circumstances and when necessary, we may need to collect sensitive or special category personal information about you, which may include information about:
2.5.1 your physical or mental health condition, or the physical or mental health condition of members of your family, or the physical or mental health condition of one of your employees; and
2.5.2 any criminal offence or alleged criminal offence committed by you, or members of your family, or one of your employees.
2.6 We will only use such sensitive or special category personal information to:
2.6.1 administer or carry out our obligations under any insurance contract in place between us and you;
2.6.2 assess and adjust any insurance claim you make; and
2.6.3 assess and respond to a complaint you might make relating to our products or services.
2.7 Our mobile apps offer an optional login feature using facial recognition software that operates solely on your device. This login verification functionality is used solely for authentication purposes and to verify your identity securely. We do not collect, store or transmit any personal information obtained through any facial recognition technology software. Authentication tokens and credentials are handled entirely on your device and we do not access or use any personal information related to your device’s facial recognition software.
2.8 You may refuse to consent to the collection of your personal information. However, this may limit our ability to provide certain services or products. We will not deny you access to products or services unless they cannot be delivered without such information.
2.9 For clients who have opted to receive these services, CFC provides threat intelligence monitoring services to its insured clients and may from time to time, through its processing of threat intelligence databases, collect some limited personal information including names, email addresses, job titles or other similar business-related personal information. This data is used to deliver real time alerts and notifications to its clients about potential cyber threats. CFC processes this information to help clients manage cyber risk. Where applicable, such data is sourced from publicly available or third-party threat intelligence feeds in order to provide insured clients with threat intelligence monitoring services that they have opted to received.
3. For which purposes do we collect your personal information
3.1. We collect your personal information, use it, and may share it with other third parties acting on our behalf as set out in this Policy, for one or more of the following purposes, to:
3.1.1. analyse your insurance needs so that we can offer appropriate products;
3.1.2. give you an estimate or provide you with a quote for one of our policies;
3.1.3. perform money laundering checks or other checks required by law;
3.1.4. prevent or detect fraud and for threat monitoring purposes;
3.1.5. administer or carry out our obligations under any insurance contract in place between us and you;
3.1.6. register and adjust any insurance claim you make;
3.1.7. assess any insurance claim you make, including any liaison with third parties potentially involved in your claims, e.g. communications regarding health information, with your express consent where required;
3.1.8. assess and respond to a complaint you might make relating to our products or services;
3.1.9. ensure the security of your account and our business, preventing or detecting fraud or abuses of our website, for example, by requesting verification information in order to reset your account password;
3.1.10. to inform you of news, updates, information and special offers concerning our products and services, in accordance with anti-spam legislation and with your express consent as required;
3.1.11. if we have reasonable grounds to believe that it might be useful as part of the investigation of a violation of applicable federal, provincial or foreign law or to ensure the protection or defence of a legal interest;
3.1.12. to notify you of policy changes; and
3.1.13. as required or permitted by applicable laws.
In addition to the purposes described above, we will inform you of other purposes for which your personal information is collected when it is collected at the latest. If we intend to use the personal information we have collected for purposes not previously communicated, we will ask for your separate consent before doing so, unless applicable laws allow us to do so without your consent.
4. Information for marketing purposes
4.1. In compliance with anti-spam legislation, we may use your personal information for marketing purposes as follows:
4.1.1. to provide you with information, products or services that you request from us or which we feel may interest you; and
4.1.2. for market research purposes, where we may contact you to ask for your feedback.
If at any time you wish us to stop using your information for these purposes, you will always be able to unsubscribe by clicking on the unsubscribe link within the marketing emails you receive from us.
If you reside in Quebec, we will only use our personal information for marketing purposes with your express consent.
5. Disclosure of your information
5.1. Within CFC, your personal information is disclosed only to our authorized employees and contractors who have a business need to access it, for example: our customer service centre, billing department, personnel providing support functions, and personnel responsible for providing products and services to our customers. These employees and contractors can only access the personal information they require to perform their job functions.
5.2. There are circumstances where we may wish to disclose or are compelled to disclose your personal information to third parties. This will only take place in accordance with the applicable law and for the purposes listed above. These scenarios include disclosure to:
5.2.1. our subsidiaries, group companies, branches or associated offices;
5.2.2. third party service providers or suppliers to facilitate the provision of our services or products to our Users. This involves disclosure to our data centre provider for the safe keeping of your personal information, our webhosting provider through which your personal information may be collected, identity verification partners in order to verify your identity against public databases, credit and sanctions check databases, anti-fraud databases, threat intelligence databases for cyber risk monitoring and our marketing service provider to allow us to manage marketing communications;
5.2.3. third party service providers and consultants in order to protect the security or integrity of our business. This involves disclosure to data storage and backup service providers, cybersecurity specialists, disaster recovery vendors and business continuity consultants;
5.2.4. third party service providers in order to satisfy our legal obligations. This may involve disclosure to private investigators, accountants, legal consultants, anti-fraud databases, credit reference agencies, sanctions check agencies, police and law enforcement, regulators and supervisory authorities;
5.2.5. our brokers, carriers, claim handlers, other insurance companies and/or our reinsurers, to facilitate the provision of our services or products to you;
5.2.6. another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, financing, sale, merger, reorganisation, change of legal form, dissolution or similar event. In the case of a merger or sale, your personal information will be permanently transferred to a successor company;
5.2.7. legal advisors who may need to manage or litigate an insurance claim;
5.2.8. public authorities where we are required by law to do so;
5.2.9. any other third party where you have provided your consent; and
5.2.10. otherwise as required or permitted by applicable laws.
6. International transfer of personal information
6.1. We may need to transfer your personal information outside of Quebec or Canada, including in: the United States, UK, the EU, Australia and Sri-Lanka, either within the CFC group of companies or to third parties, as set out in paragraph 5, for the purposes set out above including collection, use, disclosure and storage. The transferred personal information will be subject to the laws of the applicable jurisdiction and may be accessible by courts, law enforcement, and national security authorities of that foreign jurisdiction.
6.2. Where required by applicable law, we ensure that your privacy rights are adequately protected by appropriate technical, organisation, contractual or other lawful means, including by requiring third parties who are involved in providing you with services to provide contractual commitments that preserve your privacy rights by imposing standard contractual clauses and the completion of appropriate due diligence, where required.
If you would like to know more about how we protect your personal information and privacy rights, and for a copy of the safeguards we have in place, please contact our Privacy Officer at dataprotection@cfc.com.
7. International transfer of personal information
7.1. If you are, or have previously been, a customer of ours then we may continue to hold and process your information for the purpose of continuing to carry out our obligations in connection with the insurance contract between us and you. We will continue to hold and process your information for the duration of the insurance contract and for a reasonable period of time afterwards for as long as required for the fulfilment of identified purposes in accordance with CFC’s Data Retention and Destruction Policy and as required by the applicable law for each CFC entity listed in section 1.2 above.
7.2. In accordance with applicable law, we may keep an anonymised form of your personal information, which will no longer refer to you, for statistical purposes without time limits.
8. User rights
8.1. Privacy law provides individuals specific rights, which may include the right to: access, rectify, erase, restrict, transport, and object to the use of, their personal information. Individuals also have the right to lodge a complaint with the relevant privacy protection authority if they believe that their personal information is not being used in accordance with applicable data protection law.
8.2. The rights listed below do not apply in all circumstances, and not all of these will be available to you depending on where you reside and the privacy laws that are applicable. In certain circumstances, the rights listed below may be restricted if an appropriate exemption applies i.e. to prevent fraud or maintain privilege. If you have any questions about your rights please do contact us.
8.3. To exercise your rights, or if you have any queries regarding your rights, please make your request in writing to the DPO whose contact details are available in paragraph 1.2 above. Please make your request clear as to which right(s) you would like to exercise. You may also be required to submit a proof of your identity and a fee.
8.3.1. Right to access. You may, where permitted by applicable law, access and request copies of your personal information.
8.3.2. Right to rectification. You may request that we rectify any inaccurate and/or complete any incomplete personal information.
8.3.3. Right to withdraw consent. You may, as permitted by applicable law, withdraw your consent to the use of your personal information at any time. Such withdrawal will not affect the lawfulness of use based on your previous consent. In such a case, we will no longer be able to provide you a service that requires such consent and in some situations, you may not withdraw your consent because processing your personal information is necessary or mandatory. In some instances, we do need your consent to provide you with insurance services. If you withdraw your consent we may not be able to provide further services to you.
8.3.4. Right to object to use. You may, as permitted by applicable law, request that we stop using your personal information.
8.3.5. Right to data portability. You may request for us to transfer your personal information to a third party of your choice.
8.3.6. Right to erasure. You may request that we erase your personal information and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping your personal information, such as a legal obligation that we must comply with, or if retention is necessary for us to comply with our legal obligations.
8.3.7. Your right to lodge a complaint with the supervisory authority. We suggest that you contact us about any questions or if you have a complaint in relation to how we use your personal information. However, you do have the right to contact the relevant supervisory authority directly, if you are unsure which supervisory authority to contact, please do let us know
You may file a complaint with our DPO if you believe that we are not complying with our obligations to protect personal information. We will confirm receipt of your complaint, contact you for more information as needed, conduct a confidential investigation and share its conclusions with you. If your complaint is justified, we will take appropriate measures to correct the situation.
8.3.8. If you are unsatisfied with our internal review of your complaint, you can contact the following organizations responsible for the protection of personal information: the Office of the Privacy Commissioner of Canada (federal), Québec’s Commission d’accès à l’information, the Office of the Information and Privacy Commissioner for British Columbia or the Office of the Information and Privacy Commissioner of Alberta.
9. Profiling
9.1. At CFC we are always looking to find ways of building efficiencies into our business, and in order to achieve this we do carry out some profiling using data analytic and matching technologies so that we can deliver and bind quotes accurately and quickly. It is not our intention to take decisions exclusively based on an automated processing of your personal information.
9.2. Where permitted by applicable law, we may process the data you provide to us against publicly available data sources to determine the accuracy of your insurance application and assist in preventing fraud as part of our underwriting processes.
9.3. We utilise these technologies responsibly to ensure that the technology supports our operations and does not lead to unfair or biased outcomes.
10. Linked websites
Please note that any websites that may be linked to our websites are subject to their own privacy policies. We provide these links as a convenience. We are not responsible for the privacy practices of third-party sites, which are not under our control. Consequently, any personal information transmitted through third-party sites is subject to the privacy policy of those third-party sites. It is your responsibility to review those policies to ensure your personal information is protected.
11. Changes to this policy
We may update this Policy from time to time to ensure that it remains accurate. Please do check our site regularly so you are fully aware of any changes.