EU General Data Protection Regulation Privacy Notice
This Privacy Notice was updated on 11/18/2022.
EMC Insurance Companies and all its affiliated insurance companies* (collectively, “EMC,” “we,” “us” or “our”) adopt this Privacy Notice to comply with the European General Data Protection Regulation ("GDPR"). This Privacy Notice applies solely to the residents of the European Union and European Economic Area. It applies only to personal data processed in the course of providing assumed reinsurance products and services to underlying insurance policies subject to GDPR. This Privacy Notice does not apply to information collected or processed in the course of providing property and casualty insurance coverage or related products and services, which are covered by separate privacy notices and can be found here: https://www.emcins.com/misc/privacypolicy.aspx. Any terms defined in the GDPR have the same meaning used in this Privacy Notice.
This Privacy Notice describes the categories of personal data that we collect, how we use personal data, how we secure personal data, when we may disclose personal data to third parties, and when we may transfer personal data outside of the data subject's home jurisdiction. This Privacy Notice also describes rights regarding the personal data that we hold, including how an individual can access, correct, and request erasure of their personal data.
We will only process personal data in accordance with this Privacy Notice unless otherwise required by applicable law.
Personal Data We Receive
For purposes of this Privacy Notice, "personal data" means any information about an identified or identifiable natural person. Personal data excludes anonymous or de-identified data that is not associated with a particular individual.
We may receive the personal data from insurance brokers, insurance agents, and insurance carriers.
The personal data we receive may include the following categories. We do not necessarily collect all types of information identified under "Examples" below.
Possible Examples (non-exclusive)
Underlying Policyholder Identifiers
Address, country, zip code, account name, telephone number or other similar identifiers.
Latitude/longitude coordinates, building construction type, year built, value, occupancy type, county, country, and address
Medical information and health insurance information relating to underlying insurance claims
Underlying Insurance Claimant Information
Name, physical characteristics or descriptions, address, insurance policy number, educational information, employment information (such as place of employment and employment history), financial information, medical information, and health insurance information
Underlying Insurance Claim Information
Loss type, incurred losses, LAE, line of business, liability limits, claim number, policy number, cat/non-cat status, DOL, loss description, incident address, date of policy
Use of Personal Data
We do not monetize personal data. We need the personal data we receive to improve or carry out the services we provide or make available to individuals, insurance carriers, insurance brokers, and insurance beneficiaries and claimants. We receive the personal data in order to perform our contractual and legal obligations as a reinsurance carrier. Without the personal data, we would not be able to provide services.
We may use or disclose the personal data we collect for one or more of the following legitimate business purposes:
- To provide services, products, and features to our clients, including for example:
- To evaluate ceding insurance companies and establish pricing.
- For risk accumulation and exposure management.
- To evaluate premium, expense, and loss data.
- To evaluate and settle claims.
- To audit policies for alignment to underwriting guidelines.
- To audit ceding insurance companies' claims handling processes and procedures.
- To operate, evaluate, and improve our business.
- To respond to lawsuits or law enforcement requests or otherwise as required by applicable law, court order, or governmental regulations or governmental regulator.
- For security purposes. For example, to detect and respond to security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity.
- To debug or identify and repair errors that impair service functionality.
- To verify, maintain, enhance, or upgrade the quality or safety of a service or device that is owned or controlled by us.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, in which personal data held by us about our customers is among the assets transferred.
- For other notified purposes as reasonably necessary to achieve the operational purposes for which the information was collected or processed.
- Medical information will be processed only as needed to carry out our legal or contractual obligations, or otherwise as applicable law permits, or for the operations purposes described above.
- To undertake internal research.
We will not use personal data for materially different, unrelated, or incompatible purposes than those set out in this Privacy Notice, nor will we collect additional categories of personal data without providing further notice.
We process personal data only for lawful purposes, including:
- Processing necessary for the performance of a contract.
You will not be subject to decisions based solely on automated data processing.
Under some circumstances we may anonymize or aggregate personal data so that it can no longer be associated with an individual. We reserve the right to use such aggregated, anonymous, and de-identified data for any legitimate business purpose without further notice or consent.
We have implemented appropriate physical, technical, and organizational security measures designed to secure personal data against accidental loss and unauthorized access, use, alteration, or disclosure.
Except as otherwise permitted or required by applicable law or regulation, we will retain personal data for as long as necessary to fulfill the purposes for which we collected it, as required to satisfy any legal, accounting, or reporting requirements, or as required to satisfy contractual or servicing obligations. To determine the appropriate retention period for personal data, we consider our statutory and regulatory obligations, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of personal data, the purposes for which we process personal data, and whether we can achieve those purposes through other means. We specify the retention periods for personal data in our data retention policy.
Sharing Personal Data
We will only disclose personal data to third parties where required by law or to our employees, contractors, designated agents, or third-party service providers who provide services to us or on our behalf. These third-party service providers may be located outside of the country in which a data subject lives or the country where the insured property or business is located.
We require all our third-party service providers, by written contract, to implement appropriate security measures to protect personal data consistent with our policies and any data security obligations applicable to us. We do not permit our third-party service providers to process personal data for their own purposes. We only permit them to process personal data for specified purposes in accordance with our instructions.
We may also disclose personal data for additional purposes where permitted or required by applicable law:
- To any of our affiliated insurance companies.
- To insurance agents and brokers.
- To comply with legal obligations or valid legal processes such as search warrants, subpoenas, or court orders.
- Government entities.
- Third parties to whom an individual authorizes us to disclose personal data.
- Other insurance companies, agents, and consumer reporting agencies.
Where permitted by applicable law, we may transfer the personal data we collect to the United States and other jurisdictions that may not be deemed to provide the same level of data protection as an individual's home country for the purposes set out in this Privacy Notice. For individuals located in the EU, we have implemented standard contractual clauses to secure the transfer of personal data to the United States and other jurisdictions.
Your Rights and Choices
The GDPR provides data subjects with specific rights regarding their personal data. This section describes those GDPR rights and explains how to exercise them.
By law individuals may have the right to request access to, correct, and erase the personal data that we hold about them, or object to or restrict the processing of personal data under certain circumstances. Individuals may also have the right to receive copies of their personal data or request that we transfer their personal data to another party. If an individual wants to review, verify, correct, or request erasure of their personal data, object to the processing of their personal data, or request that we transfer a copy of their personal data to another party, please contact us at the contact information below. Any such communication must be in writing. We may request specific information from a requestor to help us confirm their identity and right to access, and to provide them with the personal data that we hold about them or make the requested changes. Applicable law may allow or require us to refuse to provide access to some or all of the personal data that we hold, or we may have destroyed, erased, or anonymized personal data in accordance with our record retention obligations and practices. If we cannot provide access to personal data, we will inform the requestor of the reasons why, subject to any legal or regulatory restrictions.
If a requestor is unsatisfied with our response to any issues, they may have the right to make a complaint with the data protection authority in their jurisdiction by contacting the data protection authority.
How to Contact Us
To exercise the rights described above, please contact us through one of the following methods:
Mailing Address: EMC Insurance Companies
Attn: Privacy Coordinator
P.O. Box 712
Des Moines, IA 50306
Changes to Our Privacy Notice
We reserve the right to amend this Privacy Notice in our discretion and at any time. A copy will be posted to our webpage along with the amended effective date.
* EMC Insurance Companies is the trade name used by the following affiliated insurance and insurance service companies of which Employers Mutual Casualty Company is the lead company:
- Employers Mutual Casualty Company
- EMC Insurance Group Inc.
- EMC National Life Company
- EMC Property & Casualty Company
- EMC Reinsurance Company
- EMC Risk Services, LLC
- EMC Underwriters, LLC
- EMCASCO Insurance Company
- Dakota Fire Insurance Company
- Illinois EMCASCO Insurance Company
- Union Insurance Company of Providence
- EMC National Life Marketing Services, LLC
Any reference to "EMC" or "affiliated insurance companies" in this Privacy Notice shall mean the above companies collectively except for EMC National Life Company and EMC National Life Marketing Services, LLC.