Data Protection Policy
General information regarding the processing of personal data by Aurinko Re.
Aurinko Re, with registered office in Madrid, at Calle Averroes 11, 28224, Madrid, Spain, Tax ID No.: B26677229, operates as a specialized reinsurance MGA.
At Aurinko Re ("Aurinko Re", "we", "us", "our"), we regularly receive and use information that can identify individuals ("personal data"), including policyholders, insureds, cedants, claimants and other persons connected with reinsurance placements, underwriting administration, portfolio management and claims-related processes. We understand that it is our responsibility to process the personal data provided to us diligently, safeguard its security, and comply strictly with applicable personal data protection legislation.
The purpose of this document is to provide you with a clear and simple explanation of how and when personal data is collected and used, as well as the purpose of such processing (the "Data Protection Policy"). This Data Protection Policy consists of several clearly labelled sections allowing you to access directly the information that is most relevant or useful to you.
Please read our Data Protection Policy carefully, as it provides important information about how we use personal data and explains the legal rights of the individuals whose information we process. This Data Protection Policy is not intended to replace or override the terms of any insurance, reinsurance or commercial agreements that may apply, nor the rights available to you under applicable data protection laws.
This Data Protection Policy may be amended from time to time in order to update it or adapt it to legal requirements or changes in the way we carry out our activity. Please review this Data Protection Policy periodically.
1. Who Is the Controller of the Personal Data?
In some cases, Aurinko Re receives personal data from third parties, and in others you may have provided your personal data directly to Aurinko Re, in which case Aurinko Re acts as the controller of that data.
Please note that, where relevant and lawfully permitted, such data may also be accessed by affiliated entities, service providers or counterparties involved in reinsurance placements, underwriting administration, portfolio management or compliance processes.
2. What Personal Data Do We Collect?
Below is a description of the most common types of data we collect.
Insured Persons / Policyholders / Related Parties
In order to provide advice on reinsurance arrangements and to support the negotiation, placement, underwriting administration and portfolio management of reinsurance business, we collect information about cedants, insured parties, policyholders, counterparties and any other related persons. This information may include claims history, contact details of the policyholder or its representative, and other matters relevant to the administration of reinsurance business and risk assessment. The policyholder may be a natural person, a legal entity or a representative.
The level and nature of the personal information we obtain depends on the type of business involved. In some cases, we need to collect and use Special Categories of Data, referring for example to health matters or past convictions. We will only process Special Categories of Data where we have confirmed that there is a lawful basis to do so.
Occasionally, we need to collect personal data relating to third parties, for example in the case of persons affected by an event or claim where their statements or information are relevant to claims-related administration.
Whenever possible, you should take the necessary steps to inform such third parties that they may need to provide us with information, letting them know that Aurinko Re is involved in the relevant reinsurance process and providing them with a copy of this Data Protection Policy.
Claimants / Injured Third Parties
When a claim or claims-related matter is notified, we may need to collect basic contact details, as well as all information related to the event, its nature and, where applicable, the details of previous claims or relevant incidents.
We may also need to verify policy or coverage information and claims history. Depending on the nature of the matter, we may need to collect and use Special Categories of Data, particularly details regarding injuries or medical matters. We will only process such data where we have confirmed that there is a lawful basis to do so.
3. When Do We Collect Personal Data?
Insured Persons / Policyholders / Related Parties
Sometimes you provide us directly with personal data when you engage us in connection with reinsurance advice, reinsurance placement, underwriting administration, delegated authority operations, portfolio oversight or related services.
Cedants, insurers, reinsurers, brokers, employers, family members or other third parties involved in the underlying risk or transaction may also provide us with personal data relating to persons connected with the relevant business.
We may also obtain information from other sources where we consider it necessary in order to support compliance, anti-fraud, sanctions or financial crime prevention processes. Such sources may include public records, other online sources and reputable organisations.
Claimants / Injured Third Parties
We collect information about individuals when a claim or claims-related matter is notified to us; in turn, we may pass this information to cedants, insurers, reinsurers or third parties such as loss adjusters, experts, advisers, third-party administrators and claims handlers.
We may also collect personal data in relation to matters notified by persons who have a close relationship with the claimant or are otherwise connected with the claim.
In some cases, insured persons, counterparties or other parties may provide us with third-party data as part of the information submitted in relation to risk, coverage or claims history.
We may also receive information from lawyers or other professional advisers.
4. What Do We Use Personal Data For?
Below is a description of the most common processing purposes.
Insured Persons / Policyholders / Related Parties
We may use personal data to provide risk advice, support reinsurance placements, perform underwriting administration, portfolio oversight, bordereaux administration, business reporting and claims-related support. We may also need such data in order to comply with our legal and regulatory obligations in connection with reinsurance distribution and delegated authority arrangements, where applicable.
Claimants / Injured Third Parties
We process personal data as part of claims-related procedures and may need such data in order to assess the risk of potential fraud, evaluate claims-related matters, support renewals and future transactions, or assist counterparties involved in the relevant reinsurance process.
5. What Is the Legal Basis for Processing Personal Data?
We will ensure that personal data is used only for the purposes described above and always on the basis that:
- the use of such personal data is necessary to perform a contract or to take steps prior to entering into a contract;
- the use of the personal data is necessary in order to comply with our legal or regulatory obligations;
- we have received the necessary consent to use personal data for the purpose for which we do so; or
- the use of such information is necessary to pursue our legitimate interests as a business, always in a proportionate manner and respecting your privacy rights.
Before collecting and/or using Special Categories of Data, we will confirm that there is a lawful basis to do so. Generally, that lawful basis will relate to:
- the explicit consent of the data subject;
- the establishment, exercise or defence — by us or by third parties — of legal or contractual claims; or
- an applicable legal or regulatory basis under Spanish, EU or other applicable law.
Warning. Any explicit consent granted to allow us to process Special Categories of Data may be withdrawn at any time. However, withdrawing such consent may prevent us from continuing to provide services or support in relation to the relevant reinsurance transaction, portfolio administration or claims-related process.
6. With Whom Do We Share Personal Data?
We work with many external organisations that help us manage our business and provide services. Occasionally, those organisations need access to personal data.
Such third parties may include:
- cedants, insurers, reinsurers, brokers and delegated authority counterparties with whom we work in connection with reinsurance business;
- service providers, including IT, cloud hosting, administrative and operational support providers;
- regulatory and supervisory authorities, where legally required;
- anti-fraud, compliance and financial crime prevention organisations; and
- lawyers, auditors, experts, claims professionals and other professional advisers.
In addition, under certain legal or regulatory obligations we may be required to share personal data with courts, regulators, law enforcement agencies or, in some cases, other market participants. If part of our business were sold or reorganised, personal data might also need to be transferred to the relevant purchaser or successor.
7. International Transfers
Occasionally, we may need to share personal data with recipients located outside the European Economic Area ("EEA"), including counterparties, insurers, reinsurers, brokers, service providers or assistance providers involved in international reinsurance business.
We will always take steps to ensure that any international transfer of information is managed carefully in order to protect the rights and interests of the individuals concerned. In any event:
- we only transfer personal data to countries recognised as providing an adequate level of legal protection, or otherwise rely on lawful transfer mechanisms;
- where required, transfers are protected by Standard Contractual Clauses or equivalent contractual safeguards;
- where additional safeguards are required, we will implement them as appropriate under applicable law.
You have the right to request information about the safeguards we put in place as described above.
8. Data Analytics
We routinely analyse the information stored in our systems in order to improve the management of our business, provide better service, improve operational processes and enhance the accuracy of our risk and portfolio models. Before carrying out such analysis, we take steps to protect privacy by aggregating and, where appropriate, anonymising the data fields used.
9. How Long Do We Retain Personal Data?
We will retain personal data for as long as is reasonably necessary for the purposes described in this Data Protection Policy. In certain circumstances, we will retain such information for longer periods, for example where required to do so by legal, regulatory, tax, accounting or compliance requirements.
We may also need to retain personal data for longer in order to maintain accurate records of transactions in the event of complaints, challenges or reasonably anticipated litigation.
When personal data is no longer required, we will ensure that it is securely deleted or stored in such a way that it will no longer be used in an identifiable form.
10. What Are Your Rights?
Individuals have a number of rights in relation to their personal data.
You may have the right to access your information, correct inaccurate data, request deletion of records that are no longer necessary, restrict the processing of your information, object to the processing of your data, request portability, withdraw your consent, and request information related to automated decision-making or international transfers. You also have the right to lodge a complaint with the competent Supervisory Authority.
Access
You may ask us to confirm whether we are processing your personal data, request a copy of the data we hold, and request further information about how we use it, with whom we share it, whether we transfer it internationally, how long we retain it, what safeguards we use and what rights you have.
Rectification
You may ask us to correct inaccurate or incomplete data. We may need to verify the accuracy of the data before correcting it.
Erasure
You may request that we delete your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent, where you have successfully objected, where the data has been unlawfully processed, or where erasure is required by law.
Restriction of Processing
You may request restriction of processing in certain circumstances, for example where you contest the accuracy of the data, where the processing is unlawful but you do not want the data deleted, or where the data is needed for legal claims.
Portability
Where legally applicable, you may request your personal data in a structured, commonly used and machine-readable format, or request that it be transmitted to another controller.
Objection
You may object to the processing of your personal data where we process it on the basis of our legitimate interests, if you believe that your fundamental rights and freedoms override those interests.
Supervisory Authority
You have the right to lodge a complaint with the local Supervisory Authority regarding our processing of your personal data. In Spain, the competent Supervisory Authority is the Spanish Data Protection Agency (AEPD): https://www.aepd.es.
To exercise your rights, please contact the person responsible for privacy matters at Aurinko Re. We may request proof of identity before responding to your request.
11. Contact Details and Complaints
The contact person for any matters arising in connection with this Data Protection Policy, including requests to exercise rights in relation to personal data, is the person responsible for privacy matters at Aurinko Re.
cristina.rivas@aurinkore.com
yamilet.morote@aurinkore.com
Privacy Matters Contact
Aurinko Re
Calle Averroes 11
28224 – Madrid – Spain
If you have any questions or complaints about the way we use your personal information, please contact us first. We will do our best to resolve any issue as quickly as possible. In any event, you may file a complaint at any time with the authority in your country responsible for supervising data protection.
Appendix 1: Categories of Personal Data
Insured Persons / Policyholders / Related Parties
- Contact data / personal information: name, address, telephone number, email address, age or date of birth, identity document details, permits or licences where relevant.
- Policy or transaction information: policy number, relationship with the policyholder, insured sums, exclusions, endorsements, amendments, previous claims, bordereaux-related data and similar records.
- Risk and background information: gender, marital status, date of birth, claims history, work experience, CV, background and other underwriting-related information.
- Special Categories of Data: health data, medical history, treatment information, relevant personal habits, and other data processed only where lawfully permitted.
- Financial information: bank account details, payment details, salary information where relevant, insured sums and settlement-related information.
- Marketing information: name, email address, marketing preferences, permissions or objections, website and online account data, including IP addresses where relevant.
- Anti-fraud and compliance information: identity data, address, claims history, professional history, sanctions/compliance screening results and incident-related information.
Claimants / Injured Third Parties
- Contact data / personal information: name, address, email address, identity document details, age or date of birth, marital status and similar records.
- Policy and claims information: policy number, relationship with the insured or policyholder, claim details, prior claims and coverage-related information.
- Claims evidence: incident reports, photographs, CCTV or video recordings, invoices, reports and supporting documentation.
- Special Categories of Data: medical reports, injury information, test results and other sensitive data only where lawfully permitted.
- Financial information: bank account details used for payments and settlement-related financial records.
- Anti-fraud information: fraudulent claims history, work experience, incident details and related compliance information.
Appendix 2: Processing Activities
- Setting up records in our systems: contact information, policy or transaction information, personal risk information and marketing data. Purpose: contract performance and legitimate interests in maintaining accurate records. Shared with: service providers.
- Background, credit, sanctions and fraud checks: contact information, personal risk information and background information. Purpose: legal obligation, compliance and legitimate interests. Shared with: service providers, anti-fraud databases and compliance partners.
- Supporting placement, underwriting administration and portfolio management: personal risk information, policy information, medical information where required by law, and background information. Purpose: steps prior to contract, contract performance, legitimate interests and consent where required. Shared with: service providers, cedants, insurers, reinsurers, brokers and counterparties.
- Customer and counterparty service: contact information and policy or transaction information. Purpose: contract performance, legitimate interests and consent where required. Shared with: service providers and assistance providers where relevant.
- Premium, settlement and payment administration: contact information and financial information. Purpose: contract performance and legitimate interests. Shared with: banks, cedants, insurers, reinsurers, service providers and relevant counterparties.
- Marketing and communications: contact information and marketing information. Purpose: legitimate interests and consent where required. Shared with: service providers.
- Compliance with legal and regulatory obligations: contact information, policy information, risk information, claims information, financial information and anti-fraud information. Purpose: legal obligation. Shared with: regulatory bodies, law enforcement agencies, courts and supervisory authorities.
Appendix 3: Glossary
- Lawyers: legal advisers involved in contractual, claims-related, compliance or contentious matters.
- Third-party administrators: companies outside Aurinko Re that support administration, underwriting or claims-related processes on our behalf.
- Insured person / policyholder / related party: any person or entity connected with the relevant insured, underlying transaction or reinsurance arrangement.
- Insurer / reinsurer: the relevant risk carrier or market counterparty participating in the placement or related process.
- Special Categories of Data: personal data revealing health data, genetic or biometric data, criminal matters, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation.
- Experts / loss adjusters / claims professionals: independent specialists engaged in connection with underwriting, valuation, claims review or disputes.
- Service providers: third parties to whom we outsource certain functions, including cloud IT systems, operational support, data hosting, compliance or administration services.
- Controller: the natural or legal person who determines the purposes and means of processing personal data.