Visit Arch Corporate
  • Affiliates
  • Media Center
  • Careers
  • Contact Us
ACGL $26.86 -0.19 (-0.70%)

PRIVACY AND DATA PROTECTION POLICY

Effective Date:  This Privacy and Data Protection Policy was last revised on April 24, 2018


You have arrived at a website that is owned and/or operated by Arch Capital Group Ltd. and its subsidiaries (collectively, “Arch” or “we,” “our” or “us”). The purpose of this Privacy and Data Protection Policy (this “Policy”) is to explain how, when and why we collect and use information that directly or indirectly identifies you (“personal data”) under the following circumstances:

  • When you access our website (the “Website”) regardless of how you access or use the Website, whether via personal computers, mobile devices or otherwise; or
  • When you purchase an insurance policy underwritten directly by us or from a third party insurance company that enters into a reinsurance arrangement with us, which is referred to as “reinsurance”.
It is therefore important that you read this Policy and show it to any other person who is insured under your insurance policy. This Policy is not intended to override the terms of any insurance policy or contract you have with us, nor rights you are afforded under applicable privacy and data protection laws.

If you are located in the European Economic Area (“EEA”), it is important you read, in particular, Section 9 of this Policy.

Arch is a group of companies which writes insurance, reinsurance and mortgage insurance on a worldwide basis through its principal operations in Bermuda, the United States, Canada, Europe, Australia and Hong Kong. The Arch company which was originally responsible for collecting information about you will be principally responsible for your personal data (“data controller”). For example, if you have an insurance policy with us, this will be the Arch company named on that policy. 

In addition, please review the Website’s Terms and Conditions of Use, which governs your use of the Website.

It is important that you read and understand the entire Policy before using the Website.  Please click on the headings in the table of contents to go directly to the full explanation of a specific issue or point.

 


Table of Contents

  1. What Personal Data do we Collect?
    1. Prospective Insureds and Insureds
    2. Claimants
    3. Business Partners and Website Users
  2. ​When do we Collect your Personal Data?
    1. Prospective Insureds and Insureds
    2. Claimants
    3. Business Partners and Website Users
  3. How Do We Use the Personal Data Collected?
    1. Prospective Insureds and Insureds
    2. Claimants
    3. Business Partners and Website Users
  4. How and When Do We Disclose Personal Data to Third Parties?
  5. Ads and Information About You
  6. Do Not Track Disclosures
  7. Does the Site include Third Party Content and Links to Third Party Websites?
  8. How Do I Change My Information and Communications Preferences?
  9. Additional information regarding individuals in the EEA
    1. Legal basis for processing personal data or of individuals in the EEA.
    2. Legal basis for processing personal data (including usage information) relating to Website users in the EEA.
    3. Criminal Convictions and Offenses Data and Special Categories of Personal Data of Individuals in the EEA.
    4. What additional rights do you have if you are in the EEA?
    5. Transfers of Personal Data out of the EEA.
  10. Children’s Privacy
  11. Security of Personal Data
  12. How Long Do We Retain Your Personal Data?
  13. Changes to Our Privacy Policy
  14. Contact Us

 


 

  1. What Personal Data do we Collect?
    1. Prospective Insureds and Insureds

      In order to provide insurance quotes and policies and administer your insurance, we need to collect and process personal data about you. If you do not provide the information we need, we may not be able to offer you a quote or provide our services to you. We also may have to cancel our services with you but in that case we will notify you and provide an explanation.

      The types of personal data may include:

      Category
      Types of Data Collected
      Individual details

      Name, address, gender, marital status, date of birth, nationality, marketing preferences, bank account details or payment card details, vehicle details, relevant criminal convictions and offenses, penalty points, employer, job title and family details, including their relationship to you.

      Identification details

      Identification numbers issued by government bodies or agencies, including your driving license number.

      Credit and anti-fraud data

      Credit and anti-fraud data such as credit history, credit score, sanctions and criminal offenses and convictions, and information from various anti-fraud databases related to you.

      Special categories of personal data and criminal convictions data

      In the EEA, certain categories of personal data may have additional protection under applicable data protection laws. These categories include data concerning your health and criminal convictions offenses and convictions.

      Risk details

      Information about you which we need to collect in order to assess the risk to be insured and provide a quote. This may include data relating to your health, relevant criminal offenses and convictions, or other special categories of personal data.


    2. Claimants

      In order to deal with any claims, we need to collect and process personal data about you. If you do not provide the information we need, we may not be able to handle the claim.

      The types of personal data may include:

      Category
      Types of Data Collected
      Individual details

      Name, address, bank account details, and vehicle details.

      Identification details

      Identification numbers issued by government bodies or agencies, including your driving license number.

      Credit and anti-fraud data

      Credit and anti-fraud data such as credit history, credit score, sanctions, criminal offenses and convictions, and information from various anti-fraud databases related to you.

      Special categories of personal data and criminal convictions data

      In the EEA, certain categories of personal may have additional protection under applicable data protection laws. These categories include data concerning your health and criminal offenses and convictions.

      Claims information

      Information about previous and current claims, (including other unrelated insurances), which may include data concerning your health (e.g., injuries and relevant pre-existing conditions), relevant criminal offenses and convictions, or other special categories of personal data.


    3. Business Partners and Website Users
      1. Business Partners: If you are a business partner, we will collect your business contact details. We may also collect information about your professional expertise and experience.
      2. Website Users: If you are a Website user:
        • You may voluntarily provide us with personal data (e.g., to contact us). You can visit the Website without revealing who you are or providing any personal data about yourself. However, there will be times, such as when you request information or a publication from us through the Website, when we will need to obtain personal data from you or about you. We may collect this personal data through various forms and in various places on the Website, including application forms, contact us forms or when you otherwise interact with the Website. Additionally, we may also make certain online services available, such as an online portal, that permits our customer account holders to access their business accounts.
        • We and our third-party service providers may use a variety of technologies that automatically (or passively) store or collect certain information whenever you visit or interact with the Website based on your use of the Website (“usage information”). This usage information may be stored or accessed using a variety of technologies that may be downloaded to your personal computer, browser, laptop, tablet, mobile phone or other device whenever you visit or interact with our Website. You may have other options regarding tracking and/or targeting. Please see our Cookie Policy for further information.
        • We may, from time to time, supplement the information we collect directly from you on the Website with outside records from third parties for various purposes, including to enhance our ability to serve you, to tailor our content to you and to offer you opportunities that may be of interest to you. We will apply this Policy to such supplemental information and where such supplemental information amounts to personal data (and/or the combined information amounts to personal data), it will be treated as personal data.

  2. When do we Collect your Personal Data?
    1. Prospective Insureds and Insureds

      We will collect your personal data: (1) directly from you when you apply for an insurance policy; (2) from third parties, such as an intermediary (e.g., an insurance broker), or other third party insurance companies (e.g., if you are a policyholder with an insurance company which has a reinsurance arrangement with an Arch company) or your employer where, for example, they apply for an insurance policy under which you will be a beneficiary; and (3) from other sources (e.g., credit reference agencies and government agencies) and other public sources where necessary to, for example, comply with applicable sanctions and anti-money laundering laws.

    2. Claimants

      We will collect your personal data: (1) when you or a third party (e.g., your employer or attorney) notify us of a claim either directly or through an intermediary (e.g., an insurance broker) or other third party insurance companies (e.g., if you are a policyholder with an insurance company which has reinsurance with an Arch company); and (2) from other sources (e.g., credit reference agencies and government agencies) and other public sources where necessary, for example, to validate the claim or comply with applicable anti-money laundering laws and sanctions.

    3. Business Partners and Website Users

      We will collect your personal data: (1) where you or your employer provides your contact or other information to us in the course of working with us, either directly as a business partner or as a representative of your company; (2) where you attend meetings, events or conferences that we organize or sponsor; and (3) where you visit and/or contact us through the Website or one of our online portals. For more information on how we collect technical data about your device and browsing activities, see our Cookie Policy.

  3. How Do We Use the Personal Data Collected?
    1. Prospective Insureds and Insureds

      In order to provide insurance quotes and policies and administer your insurance we may use your personal data for the following purposes:

      1. To consider an application for an insurance policy, assess and evaluate risk, and where applicable, provide you with insurance cover;
      2. To manage and administer insurance policies (including dealing with your queries) with you or your employer;
      3. For reinsurance purposes;
      4. For direct marketing;
      5. To improve our insurance products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, for transferring books of business, company sales and reorganizations, and for statistical analyses; and
      6. For the prevention and detection of fraud, money laundering or other crimes.

      Additional information concerning the legal basis for processing personal data of individuals in the EEA is provided in Section 9.

    2. Claimants

      In order to deal with any claims, we may process your personal data for the following purposes:

      1. For claims processing including assessing and evaluating the merits of a claim and to pay a settlement;
      2. For statistical analyses; and
      3. For the prevention and detection of fraud, money laundering or other crimes.

      Additional information concerning the legal basis for processing personal data of individuals in the EEA is provided in Section 9.

    3. Business Partners and Website Users

      Business Partners:

      As part of our business activities, we may process your personal data for the following purposes:

      1. To manage our relationship with you and to, for example, invite you to events; and
      2. To administer our contract with you or your employer.

      Website Users:

      As part of our business activities, we may process your personal data for the following purposes:

      1. To improve the Website or our services, to customize your experience on the Website, or to serve you specific content that is relevant to you;
      2. To contact you with regard to your use of the Website and, in our discretion, changes to the Website or the Website policies;
      3. For internal business purposes, including to help us understand how our Website is navigated and used;
      4. For direct marketing; and
      5. Where you submit personal data in connection with a career opening or by submitting a resume through the Website, we will use that information in accordance with our Applicant Data Protection Notice on the Careers section of the Website and only for the purpose of evaluating your application.

  4. How and When Do We Disclose Personal Data to Third Parties?

    We may share usage data, such as aggregated user statistics, with third parties. In addition, we may share with third parties the information we have collected about you, including personal data, to provide our services and comply with legal obligations. We do not share your personal data with third parties for their marketing purposes unless you have consented to such sharing.

    These third parties may include:

    • Other Companies. We may share your personal data with other companies in the Arch group of companies. We also reserve the right to disclose and transfer such information: (1) to a subsequent owner, co-owner or operator of the Website; or (2) in connection with a merger, consolidation, restructuring, the sale of substantially all of our interests and/or assets or other corporate change, including, during the course of any due diligence process.
    • Third Party Intermediaries. We may disclose your personal data to intermediaries (e.g., brokers, managing general agents, third party administrators) and other (re)insurers.
    • Third Parties Providing Services on our Behalf. We may use third party vendors to perform certain services on our behalf, such as technical support and back-office services, loss adjustors and claims experts, hosting services and Website activity tracking and analytics. We may also disclose your personal data to our advisors (e.g., attorneys and other professional services firms).
    • Judicial, Regulatory and Law Enforcement Bodies. We may disclose your personal data to judicial, regulatory and law enforcement bodies, including, but not limited to: (1) satisfy any applicable law, regulation, subpoenas, governmental requests or legal process if in our good faith opinion such disclosure is required or permitted by law; (2) protect and/or defend our rights, property and/or interests (including, the Website’s Terms and Conditions of Use or other policies applicable to the Website) and investigation of potential violations thereof; (3) protect the safety, rights, property or security of Arch or any third party where we are legally required or advised to do so; and (4) detect, prevent or otherwise address fraud, security or technical issues. Further, we may use usage information or device identifiers to identify users, on our own or in cooperation with third parties and/or law enforcement agencies, including disclosing such information to third parties, all in our discretion and subject to applicable law. Such disclosures may be carried out without notice to you.

  5. Ads and Information About You

    In accordance with our Cookie Policy, data about your online activity may be collected on our Website for use in providing advertising tailored to your individual interests. This process also helps us track the effectiveness of our marketing efforts. We may also use tracking technologies, such as our own cookies, to provide you with further information about your interests. The information collected may include information about your visits to our Website, such as the pages you have viewed. These third-party tracking technologies may be set to, among other things: (1) help deliver advertisements to you that you might be interested in; (2) prevent you from seeing the same advertisements too many times; and (3) understand the usefulness to you of the advertisements that have been delivered to you. Note that any images (or any other parts of content) served by third parties in association with third-party ads or other content may act as web beacons, which enable third parties to carry out the previously described activities.

    We are not responsible for effectiveness of or compliance with any third-parties’ opt-out options. Third-party tracking technologies are not controlled by us, even if they use our technology to help store or collect data. Statements regarding our practices do not apply to the methods for collecting information used by these third-party advertisers and others or the use of the information that such third parties collect. The relevant third party’s terms of service, privacy policy, permissions, notices and choices should be reviewed regarding their collection, storage and sharing practices. We make no representations regarding the policies or practices of third-party advertisers or advertising networks or exchanges or related third parties.

    Our Cookie Policy provides additional details and explains how you can limit the collection of this information.

  6. Do Not Track Disclosures

    Various third parties are developing or have developed signals or other mechanisms for the expression of consumer choice regarding the collection of information about an individual consumer’s online activities over time and across third-party websites or online services (e.g., browser do not track signals). Currently, we do not monitor or take any action with respect to these signals or other mechanisms.

  7. Does the Website include Third Party Content and Links to Third Party Websites?

    The Website may contain content that is supplied by a third party, and those third parties may collect usage information and your device identifier when webpages from the Website are served to you. In addition, when you are on the Website you may be directed to other websites that are operated and controlled by third parties. We are not responsible for the data collection and privacy practices employed by any of these third parties or their websites. For example, if you “click” on a link, you may be directed away from our Website to a different website. These other websites may associate their tracking technologies with you, and independently collect data about you, including personal data. We encourage you to note when you leave our Website and to review the third party privacy policies and exercise caution in connection with them.

  8. How Do I Change My Information and Communications Preferences?
    1. You are responsible for maintaining the accuracy of the information you submit to us, such as your contact information provided through the Website. If you wish to access, update or review your data, please email: ArchDPO@archcapservices.com.
    2. You may cancel or modify the email marketing communications you receive from us by following the instructions contained in our promotional emails or in some cases by logging into your Website account and changing your communication preferences. This will not affect subsequent subscriptions and you may limit your opt-out to certain types of emails.
    3. Please note that we reserve the right to send you certain communications relating to your account or use of the Website, such as administrative and services announcements and you will continue to receive these transactional communications if you opt-out from receiving marketing communications.

  9. Additional information regarding individuals in the EEA
    1. Legal basis for processing personal data of individuals in the EEA.

      We will only use your personal data for the purposes for which we collect such personal data as outlined below and in Section 3, unless we need to use it at a later date for another purpose that is compatible with the original purpose. If we need to further process your personal data for a purpose that is not compatible with the original purpose for collection, we will notify you and provide an explanation of the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the applicable data protection laws.

      Purpose(s) for Processing
      Legal Basis for Processing
      To consider an application for an insurance policy, assess and evaluate risk, and where applicable, provide you with insurance cover

      • The processing of your personal data is necessary to perform a contract or enter into a contract with you (e.g., the insurance policy)

      • The processing of your personal data is necessary for us to comply with legal and regulatory obligations

      • The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests and rights

         

        To manage and administer contracts including insurance policies (including dealing with your queries) with you or your employer
        For claims processing including, assessing and evaluating the merits of a claim and, where relevant to pay a settlement
        For reinsurance purposes

        • The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests and rights

         

        For statistical analyses
        To improve our insurance products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, for transferring books of business, company sales and reorganizations, and for statistical analyses
        Direct marketing

        • Where you have given consent to the processing of your personal data for direct marketing – which you may withdraw at any time

        For the prevention and detection of fraud, money laundering or other crimes

        • The processing of your personal data is necessary for us to comply with legal and regulatory obligations or as authorized by applicable law

        To manage our relationship with you

        • The processing of your personal data is necessary to perform a contract or enter into a contract with you

        • The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests and rights


      1. Legal basis for processing personal data (including usage information) relating to Website users in the EEA.
        Purpose(s) for Processing
        Legal Basis for Processing
        To improve the Website or our services, to customize your experience on the Website, or to serve you specific content that is relevant to you

        • The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests and rights

        To contact you with regard to your use of the Website and, in our discretion, changes to the Website or the Website policies
        For internal business purposes, including to help us understand how our Website is navigated and used
        Evaluate your application and qualifications where you submit personal data in connection with a career opening or by submitting a resume through this Website
        Direct marketing

        • Where you have given consent to the processing of your personal data for direct marketing – which you may withdraw at any time


      2. Criminal Offenses and Convictions Data and Special Categories of Personal Data of Individuals in the EEA.
        • Criminal Offenses and Convictions Data: We will only process personal data relating to criminal offenses and convictions for the following purposes: (i) in order to underwrite risk appropriately, calculate a quote or policy renewal and in the context of motor insurance, to risk assess any person who will be driving the insured vehicle (e.g., a risk assessment), (ii) for fraud detection or prevention or (iii) where required for claims handling. We will only carry out such processing where it is authorized by applicable law.
        • Special Categories of Personal Data: Where we process your special categories of personal data (e.g., health data) for any of the above purposes, we will only do so where: (1) you have given explicit consent to the processing of your special categories of personal data for these purposes – which you may withdraw at any time; (2) the processing is necessary to protect your vital interests (or those of a third party); (3) you have manifestly made your special categories of personal data public; (4) the processing is necessary for the establishment, exercise or defense of legal claims; or (5) the processing is necessary for reasons of substantial public interest on the basis of applicable law.

      3. What additional rights do you have if you are in the EEA?

        If you are located in the EEA, you have several rights in relation to your personal data under applicable privacy and data protection law, which may be subject to certain limitations and restrictions. We aim to respond to any valid requests within one month unless it is particularly complicated or you have made repeated requests in which case we aim to respond within three months. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay. You will not be charged a fee to exercise any of your rights unless your request is clearly unfounded, repetitive or excessive, in which case we will charge a reasonable fee in the circumstances or refuse to act on the request. If you wish to exercise any of these rights, please contact us using the contact details set out in Section 14 below. We may request proof of identification to verify your request.

        Your Right
        What this Means
        Right to withdraw consent

        If we are processing your personal data on the legal basis of consent, you are entitled to withdraw your consent at any time. Please see our contact details in Section 14 below. However, the withdrawal of your consent would not invalidate any processing we carried out prior to your withdrawal and based on your consent.

        Right of Access

        You can ask us to confirm whether we are processing your personal data and request a copy of that personal data. You can also ask that we provide additional information, including:
        • Description of the personal data we hold about you;
        • Why we have your personal data;
        • Identify any third parties to whom we disclose your personal data;
        • Transfers of your personal data to locations outside the EEA;
        • How long we keep your personal data;
        • More details about your rights related to your personal data and how you can make a complaint to the supervisory authority;
        • Where we obtained your personal data; and
        • Whether we have carried out any automated decision-making (see Automated Decision-Making below)

        Right to Rectification

        You have the right to request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where this is incomplete.

        Right to Erasure (‘Right to be Forgotten’)

        You have the right to request that your personal data be deleted in certain circumstances including:
        • The personal data are no longer needed for the purpose for which they were collected;
        • You withdraw your consent (where the processing was based on consent);
        • You object to the processing and there are no overriding legitimate grounds justifying the processing of your personal data (see Right to Object below);
        • The personal data have been unlawfully processed; or
        • To comply with a legal obligation.

        However, this right does not apply where, for example, the processing is necessary:
        • To comply with a legal obligation; or
        • For the establishment, exercise or defense of legal claims.

        Right to Restriction of Processing

        You can ask that we restrict the processing of your personal data (i.e., keep but not use) where:
        • The accuracy of the personal data is contested;
        • The processing is unlawful but you do not want it erased;
        • We no longer need the personal data but you require it for the establishment, exercise or defense of legal claims; or
        • You have objected to the processing and verification as to our overriding legitimate grounds is pending.

        We can continue to use your personal data:
        • Where we have your consent to do so;
        • For the establishment, exercise or defense of legal claims;
        • To protect the rights of another; or
        • For reasons of important public interest.

        Right to Data Portability

        Where you have provided personal data to us, you have a right to receive such personal data back in a structured, commonly-used and machine-readable format, and to have those data transmitted to a third-party data controller without hindrance but in each case only where:
        • The processing is carried out by automated means; and
        • The processing is based on your consent or on the performance of a contract with you.

        Right to Object

        You have a right to object where we are processing your personal data:
        • In reliance on our legitimate interests. In such a case we must stop processing your personal data unless we demonstrate compelling legitimate interests that override your interests. You also have a right to request information on the balancing test we use to make this determination; and
        • For direct marketing purposes.

        Automated Decision-Making

        You have a right not to be subject to decisions based solely on automated processing (including profiling) which produce legal effects concerning you or similarly significantly affects you other than where the decision is:
        • Necessary for entering into a contract, or for performing a contract with you (e.g., your insurance policy);
        • Based on your explicit consent – which you may withdraw at any time; or
        • Is authorized by applicable law.

        Where we base a decision solely on automated decision-making, you will always be entitled to have a person review the decision so that you can contest it and put your point of view and circumstances forward.

        Right to Complain

        If you are not satisfied with our use of your personal data or our response to any request made by you to exercise any of your rights, you have the right to lodge a complaint with the local data protection supervisory authority at any time.


      4. Transfers of Personal Data out of the EEA

        If you are located in the EEA, the personal data we collect from you may be transferred to, and stored at a destination outside of the EEA (including, Bermuda, Switzerland and the United States) for the purposes described above. The recipients may be located in countries which do not provide a similar or adequate level of protection to that provided by countries in the EEA.

        Transfers within the Arch group will be covered by data transfer agreements designed to ensure the protection of your personal data when it is transferred outside of the EEA, in accordance with Article 46(2) (c) of the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) ("Model Clauses").

        Transfers to service providers and other third parties will comply with applicable data protection laws (e.g., under Model Clauses or the EU/Swiss-U.S. Privacy Shield in accordance with Article 45 of the GDPR).

        The Website is hosted in the US.

        You may withdraw your consent at any time.

        We may also transfer your personal data outside of the EEA when required by law (e.g., if we receive a request from a foreign judicial, regulatory or law enforcement body). Such transfers will be made in accordance with applicable data protection laws.

        If you would like further information about the safeguards we have implemented please contact us using the contact details set out in Section 14 below.

    2. Children’s Privacy

      The Website is not targeted at children, as defined by local law, and we do not knowingly collect any personal data from children. We will delete any personal data we determine to have been collected from a child or user under the applicable age of consent. If you are a parent or guardian of a child under the relevant digital age of consent and believe he or she has disclosed personal data to us, please contact us at ArchDPO@archcapservices.com

    3. Security of Personal Data

      We implement appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

      Although we take appropriate measures to protect the security of the information communicated through the Website, no Internet-connected computer system can be made absolutely secure from intrusion. We, therefore, cannot and do not guarantee that information communicated by you to us via the Website will be received or that it will not be altered before or after its transmission to us. If you elect to use the Website to communicate with us or provide us with information, you do so at your own risk.

    4. How Long Do We Retain Your Personal Data?

      We retain your personal data only for as long as necessary in accordance with our document retention policy and in accordance with legal, regulatory, tax or accounting requirements, or for dealing with complaints, legal challenges or prospective litigation.

    5. Changes to Our Privacy Policy

      We reserve the right to change, update and/or modify this Policy at any time without notice to you. Any changes will be effective immediately upon the posting of the revised Policy. However, if we make material changes to this Policy we will notify you by means of a prominent notice on the Website prior to the change becoming effective. Please review the Policy whenever you access or use this Website.

      To the extent any provision of this Policy is found by a competent tribunal to be invalid, illegal or unenforceable, such provision shall be deemed to be severed to the extent necessary, but the remainder shall be valid and enforceable.

    6. Contact Us

      If you have any questions about our Policy or practices described in it, you should contact us in the following ways:

      •     Postal Mail: Arch Group Data Protection Officer, Arch Capital Services Inc., 360 Hamilton Avenue, Suite 600, White Plains, New York 10601
      •     By e-mail: ArchDPO@archcapservices.com.