Data privacy
Zurich is committed to the highest standard of data privacy. Zurich only uses personal data for legitimate and specified purposes and only keeps it for as long as needed. We communicate transparently about how we use your data and the measures we have in place to protect it.
Our Code of Conduct forms the basis of our information security and data privacy principles. These principles are embedded in the design of our products and services, allowing us to responsibly deliver innovative and customer-focused solutions.
Third Party Data Processing: We take data privacy very seriously, as anchored in our Supplier Code of Conduct. Together, we build a resilient and secure ecosystem that prioritizes the protection of personal data.
Data Incidents and Information Security: At Zurich, protecting data and safeguarding the confidential data of all our stakeholders is a top priority, based on a global information security framework.
The processing of personal data is governed by applicable local laws and regulations; in most jurisdictions the following privacy principles represent regulatory standards:
- Lawfulness, Fairness and Transparency: Personal data is obtained and processed on an appropriate lawful basis and in a manner that is reasonable and does not unjustly harm data subjects. We disclose transparently how individuals’ personal data is collected, used, shared and retained.
- Purpose Limitation: We only process personal data when necessary and for legitimate purposes.
- Data Minimization: We collect the smallest amount of data necessary for its intended purposes.
- Privacy by Design and Default: Data privacy is integrated into Zurich’s business operations from start to finish, and we apply proper information governance and records management practices throughout the data lifecycle.
- Storage Limitation: We retain personal data only as long as required in line with the relevant retention schedules.
- Accuracy: We ensure that personal data – to the extent it’s reasonably possible and necessary – is kept accurate and up to date.
- Data Protection: Zurich protects and safeguards personal data with adequate technical and organizational measures.
The high-level Summary of the Data Privacy and Records Management Framework supports Zurich’s aspiration to be a responsible and impactful company. The Policy applies to Zurich Insurance Group Ltd and all its direct and indirect subsidiaries, including their employees.
Where Business Units are governed by requirements stricter than those outlined in Zurich’s Data Privacy and Records Management Policy, these are adhered to through supplementary local policy documents, processes, and controls.
Zurich’s Group Chief Information and Digital Officer, Ericson Chan, is responsible for the Data Privacy and Records Management strategy, which is underpinned by Zurich’s Data and Responsible AI Commitment to keep customer data secure and to use it in an ethical, transparent manner.
Zurich uses a three-lines-of-defense model. Each line informs the Group CEO and other executives through regular reports, with established processes in place for escalating issues as appropriate. Group Compliance is responsible for providing assurance to management that data privacy and records management risks are appropriately identified and managed. The Group Chief Compliance Officer regularly provides reports to the Audit Committee and has an additional reporting line to the Chairman of the Audit Committee and appropriate access to the Chairman of the Board. More information can be found in the Governance section of our Annual Report.
Furthermore, data privacy officers play a key role in ensuring that business units fulfil their legal requirements and handle data subject requests appropriately and in a timely manner. The officers also act as a key contact for regulatory authorities and data subjects.
We ensure that any third parties processing personal data on our behalf have data privacy and information security practices in place that align with our stringent requirements. This is also underpinned by our Supplier Code of Conduct. Together, we build a resilient and secure ecosystem that prioritizes the protection of personal data.
In line with our Group Third-Party Risk Policy Manual, we ensure that all necessary written agreements are in place before working with any third-party service providers. Due diligence is conducted, documented and approved to confirm that these partners meet our high standards from the outset.
Personal data is disclosed to third parties only if this is allowed in accordance with laws and regulations and is made transparent to the data subject. Third parties may only use this data for the purposes agreed with Zurich and must notify Zurich promptly of any suspected or actual breach.
As part of Zurich’s Data and Responsible AI Commitment, personal data from customers must not be sold, rented or provided to third parties outside the Zurich Group.
We have strong information security practices, as well as technical and organizational measures, in place to protect personal data.
However, even with our best efforts, there is always a residual risk of an incident. At Zurich, we take incidents and breaches affecting personal data very seriously. Proactive and reactive measures are in place to handle data privacy incidents. In line with Zurich’s Group Policy on Data Privacy and Records Management, any identified or suspected personal data incidents or breaches must be reported immediately through local and, if necessary, Group processes. Experts from the relevant business areas assess these cases in a timely manner and take the necessary actions, which may include informing affected individuals and the appropriate authorities.
This proactive approach ensures that data privacy is treated with the utmost importance and that any issues are addressed swiftly and effectively.
Zurich employees are trained yearly about data privacy and information security, maintaining our high standards. The training highlights the importance of observing privacy rights and using personal data in a legal and transparent manner. Information on training completion rates can be found in our Annual Report. Our global privacy team is a diverse and dynamic group that includes colleagues from Compliance, Information Governance and Legal. This multidisciplinary approach enables us to develop and implement effective solutions to address the many challenges of privacy management.
Zurich’s extended Information Governance Network involves representatives from all business functions. We believe that by embracing diverse perspectives and scrutinizing our choices, we can uphold the highest standards of integrity and transparency in all our operations.
Our annual Data Privacy Conference brings together experts and internal teams to explore the latest in data privacy through keynote speeches and workshops. Similarly, our Information Governance and Data Compliance Network calls provide a continuous forum for sharing experiences, discussing case studies and developing collaborative solutions.
We use data and AI responsibly to help provide better products and services for our customers. We apply high-standard security controls and are transparent about how we use AI with our customers. Our approach is based on these guiding principles:
- Safety: Our use of AI is governed by our risk management framework, including data privacy and protection, and takes industry best practices into consideration. We operate AI models and their data in safe and protected environments.
- Transparency: We disclose to our customers when they are interacting with AI, with clear labels or disclaimers, and can explain AI outcomes.
- Accountability: In line with our Code of Conduct, we are committed to acting with integrity and doing the right thing, including appropriate Customer Facing Conduct and responsible use of AI.
- Reliability: Our use of AI is subject to human oversight that identifies and mitigates potential risks, including the prevention of harmful biases.
We honor our customers’ long-standing trust with our Data and Responsible AI Commitment and prioritize the protection and safeguarding of information about our stakeholders.
We respect the privacy rights and preferences of the individuals whose data we process. These include the rights to access, correct, complete and delete their personal data and to restrict its processing. This is underlined in our Code of Conduct and Group Data Privacy and Records Management Policy.
Understanding these rights empowers stakeholders to make informed decisions about how their information is used and protected.
For any further data privacy related questions you may have in connection with zurich.com, please contact privacy@zurich.com.