1. Processing personal data in Skuld
Skuld takes personal data protection seriously and wants to assure business contacts and claimants that personal data is safe in Skuld. In this privacy notice we will inform claimants and contacts about what Skuld does to protect personal data and comply with the European "General Data Protection Regulation" (GDPR). Skuld has established a separate privacy notice which applies to applicants, members of Skuld bodies and staff.
Personal data is information relating to an identifiable natural person (the data subject), who can be identified directly or indirectly. Personal data is necessary to provide the insurance services we have agreed with Skuld's members.
Processing personal data means any operation or set of operations which is performed on personal data, such as collection, recording, storage, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction.
2. Contact details
"Skuld" means Assuranceforeningen Skuld (Gjensidig). The head office is in Oslo Norway, and contact details for all Skuld offices are available on https://www.skuld.com/contacts/.
3. Skuld is data controller ("controller")
Skuld is a mutual marine insurer. Membership in Skuld is open to shipowners, operators, managing owners, insurers and charterers of ships (members/customers). Skuld needs to process personal data to manage insurance policies and settle claims.
As a controller Skuld determines the purposes and means of processing personal data in Skuld. The President & CEO has ultimate responsibility, and the Head of the respective Business Unit (BU) has day-to-day responsibility in the business units in Oslo (SMA, Skuld Western Europe and Americas and Skuld Nordics and Eastern Europe), Offshore, Bergen, London, Copenhagen, Hamburg, Piraeus, Hong Kong, Singapore and New York.
4. Data protection officer (DPO)
Skuld has appointed a DPO for the entire Skuld group, to advise and inform staff, to monitor compliance with GDPR and to be the first point of contact for relevant supervisory authorities and for individuals whose data is processed.
The DPO in Skuld group is:
5. How we use personal data
Skuld processes personal information for the purposes of:
5.1 Providing and managing insurance policies
To maintain correct information in the insurance system and to communicate updates in covers, changes in conditions etc. we need to store contact information regarding members, brokers and other service providers which is relevant as part of the insurance administration.
Lawfulness of the processing
The processing is necessary for the performance of the insurance contract, (GDPR Art. 6,1 (b)).
5.2 Administering and paying claims
To pay claims as agreed in the insurance contract, we need to collect relevant contact information about the claimant and/or others involved in the claim (e.g. technical surveyors). For a personal injury/illness claim (e.g. crew, passengers), Skuld also needs to process health information.
Lawfulness of the processing
The processing of contact information will be necessary for the performance of the contract (GDPR Art. 6,1 (b)).
Processing of health information is necessary for the establishment, exercise or defence of legal claims, (GDPR Art. 9, 2 (f)).
5.3 Procedures to avoid financial crime and breach of sanctions
Skuld may process personal information to prevent and detect transactions related to dividends from criminal offenses and/or related to terrorist financing.
Lawfulness of the processing
Regulatory requirements concerning anti-money laundering require insurance companies to perform regular checks to identify suspicion of money laundering, terrorist financing or breach of sanctions. The processing is necessary for compliance with a legal obligation (GDPR Art. 9, 2 (f)).
5.5 Marketing and events
Personal data is used to provide information, advice and for marketing of products and services. For non-customers, we ask for consent before sending electronic marketing, for example, in channels such as email or SMS. In such marketing, we make sure that the receiver can easily choose to unsubscribe from such electronic inquiries in the future.
Lawfulness of the processing
If contact information is processed as part of a contract (member/customer) the processing is necessary for the purposes of the legitimate interests pursued by Skuld (GDPR Art. 6,1 (f)).
Skuld will obtain consent before any electronic newsletters are sent. In addition, it is easy to unsubscribe from newsletters (GDPR Art. 6,1 (a)).
5.6 Handling of complaints
Complaints relating to Skuld insurance products are processed in accordance with regulatory requirements to which the controller must adhere.
Lawfulness of the processing
The processing is necessary for compliance with a legal obligation to which the controller is subject (GDPR Art. 6,1 (c)).
If it is necessary to process special categories of data, processing is necessary for the establishment, exercise or defence of legal claims (GDPR Art. 9, 2 (f)).
6. What kind of data is received/processed?
Skuld mainly collects contact data related to members (customers), brokers, correspondents, lawyers, service providers (e.g. technical surveyors) and other business contacts.
Contact data we process may be: Name, address, telephone, e-mail, workplace, position, domicile.
6.1 Special categories of personal data
Skuld processes health information, such as medical records, diagnosis and description of injury/illness, when needed to handle personal injury/illness claims cases. This information will only be used for the specific purposes for which it was provided and to carry out the agreed service.
Lawfulness of the processing
Processing of special categories of personal data is prohibited unless some specific conditions apply. This information is processed because it is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (GDPR Art. 9, 2 (f)).
7. Where personal data is obtained from
What kind of personal information we receive depends on the relationship with Skuld. Personal data such as staff and contact information is obtained from the data subject directly.
With respect to personal injury/illness claims, the personal information (including health data) is obtained from members, assureds, crew/manning agencies, correspondents, lawyers and/or brokers.
8. Transfer of personal data
Customer information and personal data processed in Skuld is confidential information and shall only be available for staff who are authorised and need the information to perform their duties.
8.1 Within Skuld
All entities and branches in Skuld have a duty of confidentiality. All personal data processed in the Skuld group is received and stored in IT systems which are managed by the Head office in Oslo. All employees in Skuld worldwide have access to contact information stored in different IT systems.
Access to personal injury/illness cases is restricted, which means that Skuld offices/business units have access to claims cases which are processed within their area of responsibility.
8.2 Transfer of special categories of data
Transfer via email within Skuld is encrypted by default. On some occasions we send emails with health information externally to correspondents, crew agencies, lawyers or brokers when handling claims cases. These transfers are encrypted.
8.3 Transfer of personal data to third countries
Skuld is an international marine insurer which operates (globally) through a worldwide office network. Skuld has offices in Hong Kong, Singapore and the US and shares contact information, except personal injury/illness claims information, between all Skuld offices. Skuld New York has access to all personal injury/illness cases in Skuld, as they provide claims service to all Skuld business units (offices).
Skuld has ensured adequate security within all offices and has also established the needed agreements between offices to ensure an adequate level of security.
Sometimes it is necessary to transfer personal data out of the EU/EEA to members, correspondents (claims service providers), lawyers and brokers who are operating in third countries. This might be claims information and/or contact information. When transferring special categories of personal data, e.g. health information, additional security measures such as encryption apply. Personal data in Skuld is stored in IT systems in Norway and/or the EU. Personal data which is transferred out of the EU/EEA is mainly data related to non-EU/EEA citizens, e.g. personal data related to claimants from or staff operating in third countries.
Transfers and access between Skuld business units are governed by specific agreements established pursuant to GDPR and measures to ensure an adequate level of security are established.
9. Recipients of personal data
When Skuld transfers personal data there will be different recipients depending on the purpose for transferring the personal data.
Contact data may be shared as part of the underwriting process or claims process to members, correspondents and brokers.
9.1 Lawyers as part of a litigation process
Occasionally we may share personal data with lawyers as part of claims handling and litigation.
9.2 Visa application service
On some occasions Skuld Oslo provides additional assistance related to participation in seminars, events and/or meetings in governance bodies held in Skuld Oslo. This service might include support to obtain a visa and to provide required information to Norwegian authorities for attendees who need a visa.
9.3 Reporting to the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (ØKOKRIM)
Skuld recognises that money-laundering and terrorist financing have an adverse effect on communities wherever they occur, therefore it is of utmost importance that we comply with regulatory requirements in all territories where Skuld and our members and clients as well as service providers operate.
This may lead to reporting from Skuld which also includes personal data. Similar obligations also apply in other jurisdictions where Skuld operates.
On rare occasions personal information may be passed to other organizations to assist in fraud prevention and detection including, but not limited to, the police or any regulatory or government authority. For any further information about this, please contact the DPO.
9.4 Use of data processors
Skuld has established data processor agreements with service providers who process personal data on Skuld's behalf, e.g. the IT service provider. This also includes cloud service providers. Skuld ensures that it enters into data processor agreements with service providers who are compliant with GDPR.
10. How long will personal data be retained
Retention of specific personal data may be necessary for one or more of the following reasons:
- To fulfil statutory or other regulatory requirements; e.g. book-keeping requirements
- To evidence claims/agreements in case of disputes
- To meet our operational needs, such as management of insurance policies and other relevant operations
Personal data processed in connection with claims will be retained if the case is not time barred. This may vary depending on what type of claims are processed and which jurisdiction applies.
11. The right to withdraw consent
In situations where Skuld requests and receives consent to perform processing, we are also obliged to stop such processing, if the data subject decides to withdraw the consent. Withdrawing consent is as straightforward as giving consent. Withdrawing consent cannot be back-dated so it has no effect on processing already performed during the period of consent.
12. Data subject's rights
The data subject has certain rights and Skuld has procedures in place to comply with the requirements within GDPR. The request from the data subject can be made verbally or in writing to the DPO. The data subject should receive responses as early as possible but in no case later than one month after the request is received. Please see more detailed descriptions of the rights below.
The data subject shall have the right to access their personal data stored in Skuld and to get a copy of the personal information.
The data subject has the right to have inaccurate data rectified or completed if it is incomplete.
The right to be forgotten is not absolute and only applies in certain circumstances:
- The personal data is no longer necessary for the purpose which it was originally collected or processed for
- We rely on consent as the lawful basis for holding the data, and the individual withdraws their consent
- We rely on legitimate interests as the basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing
- We process the personal data for direct marketing purposes and the individual objects to that processing
- We have processed the personal data unlawfully
- We process personal data to comply with a legal obligation
12.4 Data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
The right mainly applies to information the data subject has provided to a controller. Skuld does not provide consumer insurance, hence these requirements will not be applicable very often and may only be relevant concerning HR information.
12.5 Right to object
Data subjects have the right to object to the processing of their personal data in certain circumstances, which e.g. includes an absolute right to stop their data being used for direct marketing. Skuld shall have procedures to handle such objections.
If the data subject is unhappy with the way Skuld is processing the personal data, he/she may contact the DPO and/or have the right to file a complaint to the Norwegian Data Protection Authority or a relevant local supervisory authority.
Skuld is committed to ensuring that personal data is secure. In order to prevent unauthorized access or disclosure Skuld has put in place appropriate physical, electronic and administrative procedures to safeguard and secure the personal and confidential information we process.
14. Training of staff
We are committed to making staff aware of the requirements under relevant privacy legislation and GDPR. Our staff are aware that personal or sensitive data can only be disclosed in limited circumstances, including, but not limited to means of safeguarding information by correctly archiving it and encrypting outgoing personal information.
We are committed to meeting our obligations under the applicable local privacy legislation in addition to the EU regulation (2016/679) on the protection of natural persons with regard to the processing of personal data (GDPR), which also applies to EEA countries such as Norway.
This Privacy Notice will be reviewed regularly, at least annually and updated in case of any material changes.