We are committed to protecting your privacy. In this Privacy Notice we set out the information that we may collect about you (your personal data), how we may use that information and what control you have over it, in accordance with privacy laws and regulations. This notice applies solely to data collected by wwww.ace-gallagherre.com. Please take your time to read this Privacy Notice carefully.

 When using our website, you should read this Privacy Notice alongside the Cookie Policy and website terms and conditions. This notice will define the following:

1. Who we are
2. About the insurance broking, reinsurance and insurance consultancy market
3. Our processing of your personal data
4. How we protect your personal data when sending it abroad
5. Marketing activities
6. Profiling and automated decision-making
7. How long we keep your personal data
8. How we protect your personal data
9. Your personal data rights
10. Obligations to provide your personal data
11. Use of Cookies
12. Updates to your personal information
13. External Links
14. Contact us
15. Updates to this Privacy Notice

1. Who we are

ACE Gallagher holding group of companies and affiliates are engaged in insurance broking, reinsurance and consultancy activities in the Middle East servicing clients in KSA, UAE, Kuwait, Oman, Bahrain, Lebanon and Greece

This Privacy Notice describes how we collect and process and use data about individuals in relation to our insurance broking, reinsurance and consultancy services. For the purposes of this notice, we act as the “data controller.” We take on this role as we determine how your personal data is used and processed. We have appointed a Data Protection Officer /Privacy Officer for assisting with questions, requests, and complaints in regards to this privacy notice and the collection and processing of your personal data. For details on how to contact us, see the Contact Us information section at the end of this notice.

If you provide personal data to us about other people, you must provide them with a copy of this Privacy Notice and obtain any relevant consents as required under applicable law for the processing of that person’s data in accordance with this Privacy Notice.

2. About the insurance broking, reinsurance and insurance consultancy market

Personal data that we collect and process for the purpose of insurance broking, reinsurance and consultancy activities is shared with other participants in the insurance broking, reinsurance and consultancy market, including those located overseas. Contact us if you would like to know the identities of the insurance broking, reinsurance and consultancy market participants with whom we share your personal data.

3. Our processing of your personal data

3.1 Individuals in scope of this Privacy Notice

This Privacy Notice is intended to provide privacy information for individuals (past, current and prospective) whose personal data we process, including:

• Business contacts e.g. Brokers, (re)insurers, experts instructed in relation to claims, suppliers, professional services, conference attendees, visitors to our offices, regulators, government officials and authorities;
• Those in respect of the insurance, reinsurance policies we place and/or the consultant agreements we offer as part of our core insurance, reinsurance and consulting business activities e.g. Parties covered under the policies, potential beneficiaries of the policies, claimants and other parties involved in a claim in respect of the policies;
• Other individuals such as those entering competitions & promotions, requesting marketing information, making general enquiries and individuals captured on CCTV.

3.2 How we collect your personal data

We may collect your personal data when you provide your personal data directly to us. We may also collect your personal data indirectly from:

• Our clients
• Publicly available sources such as social media platforms, property and assets registers, and claims and conviction records;
• Government authorities, law enforcement officials and regulators;
• Credit reference agencies and sanctions screening tools
• Information provided by other members of our Group;
• Businesses you own or associated with as well as the directors, partners, trustees, authorised officers or agents of those businesses; and
• Third parties who provide us with details of potential clients.

3.3 Personal data we collect

We typically collect the following types of personal data:

• General information such as name, title, marital status, date of birth, age, gender, nationality, identification information such as signature or national identifier;
• Contact information including address, telephone number and email address;
• Employment information such as job title, business description, education, employment history and professional certifications;
• Consent and marketing preferences;
• Due diligence information including sanction checks, which may include criminal offences and alleged offences and cautions, court sentences or criminal convictions; and
• Day-to day business operations information such as information about visits to our offices (including CCTV), attendance at meetings and events hosted by us, preferences, photographic images and information offered up in communication and captured during recordings of telephone calls.
• Electronic Identifying Data (such as, including but not limited to, IP addresses, geolocation data, online identifiers (including in relation to your device), cookies and Data relating to your use of our Sites, such as browsing activity or transaction logs)
• Information relating to customer transactions
• In some circumstances, and only when it is permitted/required by applicable laws and regulations, We will record, monitor and retain communications (including, but not limited to, telephone conversations, email, and any other electronic communications) when it is permitted/required by applicable laws and regulations. Such records are made and maintained to ensure compliance with legal and regulatory obligations and internal policies. Such records are and shall remain the sole property of ACE Gallagher Group of companies and affiliates and will be deemed by you as conclusive evidence of the recorded communications, if and when applicable

Sometimes we collect sensitive personal data, for example when we complete due diligence checks or when you offer this information in communication. Sensitive personal data may include data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership.

Please see below for other types of personal data we may collect, which vary according to the type of service we provide and the relationship between us, or between you and our client.

3.3.1 Core insurance broking, reinsurance and insurance consultancy business activities

We may collect the following personal data:

• Information about your finances, such as bank account numbers, transaction information; brokerage account number, tax information, salary and remuneration, details of your income, property, assets, investments, pension and benefits, debts, creditworthiness, tax status, and existing reinsurance arrangements;
• Statements made by or about you;
• Information relating to any professional disciplinary action that you are or have been the subject of;
• Personal data related to the provision of the services, such as policy information (e.g. start & end dates, cover, premium, individual terms), claims history, mid-term adjustments, reasons for cancellation and risk profile; and
• Sensitive personal data relevant to the policy and / or claim such as details of your current or former physical or mental health. We will only process such data to the extent necessary in connection with the insurance, reinsurance policy and/or consultancy agreement, or in accordance with legal proceedings.

3.4 How we use your personal data

We typically use your personal data to/for:

• The specific, explicit and legitimate purposes determined at the time of collection the data. In addition, if the processing is intended to cover multiple purposes, consent must be obtained for each purpose in a manner that is clearly distinguishable, in an intelligible and easily accessible form, using clear and plain language;

• Provide general client care, communicate with you and respond to any enquiries you have including the delivery of service information and sending invitations for events;

• Advertise, market and promote our services, including but not limited to the means of email, post or telephone, and to evaluate, measure and improve the effectiveness of our advertising campaigns; to send you newsletters, offers or other information we think may interest you; to contact you about our services or information we think may interest you; and to administer promotions;

• Enter into business relationships, including carrying out due diligence and background checks such as fraud, sanctions, credit and anti-money laundering checks;

• Provide the services and fulfil our contractual obligations to clients including work necessary for business transactions such as arrangement of reinsurance modelling;

• Enhance our internal or external communications and / or publicity material, including via social media;

• Manage our business operations including maintaining accounting records, analyzing financial results, complying with internal audit requirements, receiving professional advice, and applying for and claiming on our own insurance.

• Comply with legal and professional obligations (including without limitation to meet national security or law enforcement requirements), discovery requests, or where otherwise required or permitted by applicable laws, court orders, government regulations, or regulatory authorities;

• Ensure business continuity by preventing or detecting criminal conduct or other wrongdoing, or otherwise as reasonably necessary to protect our rights or the rights of any third party. This includes monitoring the safety and security of premises, employees, visitors and data;

• Monitor and prevent fraud;

• Develop, enhance, expand or modify our services through research and development including surveys, and risk modelling and data analysis by understanding risk exposures, crafting solutions with appropriate reinsurance coverage, limits, deductibles based on historical datasets;

• Improve quality, training and security (for example, with respect to recorded calls);

• Facilitate commercial transactions, including a reorganization, merger, sale of all or a portion of our assets, a joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings). Should such a sale or transfer occur, we will use reasonable efforts to ensure the entity to which we transfer your personal data uses it in a manner consistent with this Privacy Notice; and

• Exercise, defend or protect our legal rights, including tracing and recovering debt.

Please see below for other uses of personal data, which vary according to the type of service we provide and the relationship between us, or between you and our client.

3.4.1 Core insurance broking, reinsurance and insurance consultancy business activities

Facilitate and enable placement of insurance, reinsurance policies and/or  consultancy  agreements for our clients and to assist in the ongoing management of such policies, including premium management, renewals, adjustments, cancellations and claims;

• Advise our clients on the management of their business risks, affairs and insurance, reinsurance and consultancy arrangements;
• Provide services which you did not personally request but were requested by our client(s) and require us to interact, directly or indirectly, with you; and
• Exercise, defend or protect the legal rights of our clients or third parties.

3.5 Legal basis for processing personal data

Where we are required by local law to have a legal basis to process your personal data, in most cases our legal basis for processing your personal data will be one of the following:

• Data Subject has given consent, which complies with applicable rules of Data Protection Regulations to the Processing of that Personal Data for specific purposes;
• Processing is necessary for the performance of a contract to which a data subject is a party, or in order to take steps at the request of a Data Subject prior to entering into such contract;
• Processing is necessary for compliance with applicable law that a controller is subject to;
• Processing is necessary in order to protect the vital interests of a data subject or of another natural person;
• Processing is necessary for enforcing or defending our rights, or those of a member of the Group or a third party employed by us;
• Processing is necessary for:
  • performance of a task carried out by a competent relevant regulatory body in every country we operate in
  • exercise of a competent relevant regulatory body’s powers and functions in every country we operate in; or
  • the exercise of powers or functions vested by a competent relevant regulatory body in every country we operate in, and the third party to whom personal data is disclosed by the competent relevant regulatory body in every country we operate in; or
• Processing is necessary for the purpose of legitimate interest(s) pursued by a controller or a third party to whom the personal data has been made available, subject to the applicable laws, except where such interests are overridden by your interests or rights.

When we process Special Categories of personal data we will only do so with an appropriate legal basis, where:

• You have given explicit consent that complies with the applicable laws, to the processing of those Special Categories of personal data for one or more specified purposes;
• Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of a controller or a data subject in the context of the data subject’s employment, including but not limited to recruitment, visa or work permit processing, the performance of an employment contract, termination of employment, the conduct of proceedings relating to employment and the administration of a pension, retirement or employee money purchase benefit scheme;
• Processing is necessary to protect the vital interests of a data subject or of another natural person, where the data subject is physically or legally incapable of giving consent;
• Processing is carried out by a foundation, association or any other non-profit-seeking body in the course of its legitimate activities, subject to appropriate assurances and provided that the processing relates:
  • solely to the members or former members of such an entity; or
  • to other persons who have regular contact with such a body in connection with its purpose,
• Personal Data is not disclosed to a third party without the consent of a data subject;
• Processing relates to personal data that has been made public by a Data Subject;
• Processing is necessary for the establishment, exercise or defence of legal claims (including, without limitation, arbitration and other structured and commonly recognised alternative dispute resolution procedures, such as mediation) or is performed by a court acting in its judicial capacity;
• Processing is necessary for compliance with a specific requirement of applicable law to which a controller is subject, and in such circumstances the controller must provide a data subject with clear notice of such processing as soon as reasonably practicable unless the obligation in question prohibits such notice being given;
• Processing is necessary to comply with applicable law that applies to a controller in relation to anti-money laundering or counter-terrorist financing obligations or the prevention, detection or prosecution of any crime;
• Processing is required for protecting members of the public against dishonesty, malpractice, incompetence or other improper conduct of persons providing banking, insurance, investment, management consultancy, information technology services, accounting or other services or commercial activities (either in person or indirectly by means of outsourcing), including any resulting financial loss; or
• Processing is proportional and necessary to protect a data subject from potential bias or inaccurate decision making, where such risk would be increased regardless of whether Special Category personal data is processed.
• Processing is necessary for substantial public interest reasons that are proportionate to the aim(s) pursued, respect the principles of data protection and provide for suitable and specific measures to safeguard the rights of the Data Subject.

3.6 Who we share your personal data with

We may share your personal data for any of the purposes described in this Privacy Notice with companies in our group and the following third parties:

• Professional Advisors e.g. underwriters, actuaries, claims handlers, surveyors, loss adjustors/assessors, accident investigators, specialist risk advisors, pension providers, banks and other lenders (including premium finance providers), health professionals, lawyers, accountants, auditors, tax advisors, consultants;
• Insurance partners;
• Providers of insurance platforms;
• Service providers e.g. IT software, security and cloud suppliers, finance and payment providers, marketing agencies, document management providers, telephony providers, debt collection agencies, credit reference agencies;
• Third party service providers and their sub-contractors/delegates.
• Industry bodies;
• Regulators;
• Law enforcement agencies e.g. police, judicial bodies, governments, quasi-governmental authorities; and
• Asset purchasers e.g. those who may purchase or to whom we may transfer, all of our assets and business.
• Any other third parties to the extent necessary for establishing and exercising any legal right.

Where required, when we share your personal data with corporate third parties we will ensure that those third parties maintain a comparable level of protection of your personal data as set out in this Privacy Notice by using contractual requirements or other means. To the fullest extent permitted by applicable law, we are not liable for the use of your personal data by third parties.

4. How we protect your personal data when sending it abroad

Due to the international nature of our business operations and the insurance market we operate your personal data will be transferred across geographical borders to fulfil the purposes set out in this Privacy Notice.

5. Marketing activities

From time to time, we may provide you with information about our products or services or those of our partners that we think will be of interest to you. We may send you this information by email, post or we may contact you by telephone.

We ensure that our marketing activities comply with all applicable legal requirements.

You can opt out of receiving marketing communications at any time. Please contact us using the details provided under the Contact Us – ACE Gallagher (ace-gallagherbrokers.com) section. In such circumstances, we will continue to send you service-related communications where necessary.

6. Profiling and automated decision-making

Insurance market participants benchmark insured, beneficiary and claimant attributes and insured event likelihoods in order to determine insurance limits, insurance premiums and fraud patterns. This means that we may compile and analyse data in respect of insureds, beneficiaries and claimants to model such likelihoods. In doing so, we may use personal and commercial data in order to create the models and/or match that data against the models (profiling) to determine both the risk and the premium price based on similar exposures and risks. We also use this information to help us about the typical levels of insurance coverage that our clients may have in place.

We do not make decisions solely based on automated decision making which produce legal effects or similarly significantly impacts you.

7. How long we keep your personal data

We will only keep your personal data for as long as reasonably necessary to fulfil the purposes set out in this Privacy Notice. It can also be kept when:

• It is necessary for the establishment or defence of legal claims or must be retained for compliance with applicable laws; or
• It is being used in the public interest or in the interests of the competent relevant regulatory body in every country we operate in accordance with applicable laws in a manner that does not present risks to your rights. In such cases, a protection impact assessment shall be conducted; or
• It is part of a dataset used to lawfully train or refine an artificial intelligence system in a manger that does not present risks to your rights.

We assure you that your personal information will be maintained securely as ACE Gallagher Holding group of companies & affiliates shall apply security measures and that all of the rights disclosed in the Privacy Notice shall be in force until your personal information is deleted from our systems safely.

• In determining the retention of your personal information, ACE Gallagher Holding group of companies & affiliates shall take into consideration the requirements in relation to addressing any inquiries that you may have, the period in which a customer might raise a legal case against us and the legal and regulatory requirements in relation to record retention.

When we no longer need your personal data or when other grounds for retention no longer apply, we shall securely and permanently delete, anonymise, pseudonymise, encrypt personal data or put it beyond further use. Please note that anonymised data is not treated as personal data under this Privacy Notice.

Please contact us using the details provided under the Contact Us – ACE Gallagher (ace-gallagher.com) section for further information regarding how long we keep your personal data.

8. How we protect your personal data

We use a range of organisational and technical security measures to protect your personal data. If you would like more information on how we protect your personal data, please contact us using the details provided under the Contacting Us section.

9. Your personal data rights

We are committed to respecting personal data rights arising from the applicable data protection laws. Please contact us using the details provided in the https://www.ace-gallagher.com/contact-us/  section to exercise any such rights under applicable data protection laws. Such rights, may include (depending on the applicable laws), but not limited to:

• Right to withdraw consent
• Rights to access, rectification and erasure of personal data
• Right to object to processing
• Right to restriction of processing
• Controller’s obligation to notify
• Right to data portability
• Automated individual decision-making, including Profiling
• Non-discrimination
• Methods of exercising Data Subject rights
• Right to be informed regarding the processing of your personal information.

We would always encourage you to contact us if you have any concerns with how we use your personal data and we will do our best to resolve your concerns. Where you feel that we have not addressed your concerns, please contact us using the details provided in the Contact Us – ACE Gallagher (ace-gallagher.com) section. However, you may have a right to complain to a local data protection authority if you believe that any use of your personal data by us is in breach of data protection laws and/or regulations. This will not affect any other legal rights or remedies that you have with us.

10. Obligations to provide personal information

Personal information is required to enter into a new relationship and/or manage an existing one with our clients.

In instances where providing personal information is rather optional, we will explicitly make it clear. In addition, we shall also make it explicitly clear when your consent is required to process your personal information.

11. Use of Cookies on our sites

Cookies are small pieces of data containing text sent from a website to your computer or mobile device, where they are stored locally. They can uniquely identify your internet browser (like Google Chrome or Apple Safari) or device to help us enhance your user experience and provide additional functionality. They can be used for storing preferences, protecting your data, tracking geolocation, and targeting advertising. We use cookies on our website(s) and may process your personal data using cookies in accordance with our Cookie Policy .

Therefore, we urge you to read our Cookie policy carefully.

12. Updates to your personal information

Should any of the personal information provided by you change and/or the personal information collected by us to be inaccurate, you are kindly requested to inform us immediately.

In addition, should an authorised user leaves your organisation (in case you are a corporate client), you are also required to inform us in order for his/her access to digital platforms to be terminated.

Such notifications shall be immediate and using the contact details disclosed below.

13. External Links

On our website, you may encounter links to other websites. Be aware that we are not responsible for the content or privacy practices of these other sites. We encourage all users to read the privacy notices of any other sites that collect your personal data.

14. Contact us

For any questions, concerns, or requests to exercise your rights outlined in this privacy notice, please contact us via email at dpo@ace-gallagher.com or call us on (+973) 17562551.

15. Updates to this Privacy Notice

We may update this policy from time to time by posting a revised version on our Website. The revised Privacy Notice will be effective as of the date of posting.