Claims Data Protection Statement

This document is the full AXA Insurance Claims Department Data Protection Statement. It contains all the information you need to understand how we use your data in a claim situation. If you would prefer to read a summary of this document, please see a communication you received from us (either the reverse of the Claims Department letterhead or the attachment to an email from the Claims Department) or go to www.axa.ie or www.axani.co.uk. If you are an AXA policyholder, the Customer Data Protection Statement available at www.axa.ie/data-protection/ shall also apply. We reserve the right to change this Claims Data Protection Statement from time to time at our sole discretion.

Notice: While all of the information in this Data Protection Statement is important, certain details have been placed in boxes to highlight them. These boxes contain information that the data protection legislation (known as the General Data Protection Regulation) specifies as being information that should be brought to your attention.

1. General

References to “AXA”, “us”, “our” and “we” mean AXA Holdings Ireland Limited and its subsidiaries, including AXA Insurance dac (the ‘data controller’), and any associated companies from time to time.

Queries and Complaints:

If you would like to contact us in relation to any aspect of our use of your personal data, please contact:

Data Protection Officer

Compliance Department

AXA Insurance dac

Wolfe Tone House

Wolfe Tone Street

Dublin 1

Telephone: +353 (0)1 471 1812

Email: Compliance@AXA.ie

Alternatively, you have the right to lodge a complaint with a data protection regulator, such as the Data Protection Commission (in ROI) or the Information Commissioner’s Office (in NI). Their contact details are available at www.dataprotection.ie and www.ico.org.uk.

2. Collection

In order to gather the personal data we need for the purposes set out in this document, we may obtain personal data:

  1. directly from you or your broker, legal team or other representative;
  2. from other parties involved in an incident in which you are involved, including (without limitation) other drivers, passengers of your or any other vehicle, pedestrians, witnesses (whether independent or otherwise), other insurance companies, solicitors representing any relevant party (whether in civil or, where applicable, criminal proceedings), any other expert appointed by any party, any person at any relevant trial, inquest or any other hearing, or any other relevant person involved in the claims process;
  3. by carrying out searches, whether online (via websites with publicly available information and various industry websites), through various media outlets (including, without limitation, newspapers, television and radio) or in other ways (including, without limitation, State or government departments, bodies or agencies and/or industry registers or databases); and/or
  4. obtain personal data from the emergency services, such as the police, ambulance and fire services, and any other relevant investigatory body or authority.
Call Recording

We may record or monitor telephone calls for the purposes set out in this notice.

3. Use of Information

We may use the personal data we gather for any or all of the following purposes:

  1. to verify your (or your representative’s) identity in any interactions between AXA and you (or your representative);

    Legal Basis:

    • the processing is necessary for compliance with a legal obligation to which the controller is subject.
  2. to manage and investigate claim and complaints made by or against you, or where you are or may be a witness to an incident which may result in a claim;

    Legal Basis:

    • the processing is necessary for compliance with a legal obligation to which the controller is subject.
  3. for the detection and prevention of fraud, money laundering and other offences and to assist the police or any other authorised investigatory body or authority with any inquiries or investigations. Where permitted by law we also work with and share data with various bodies including other insurers, anti-fraud bodies (for example fraud whistleblowing services) and law enforcement agencies to help prevent fraudulent behaviour. In some cases we are required by law to report details of certain criminal activities and suspected criminal activities to the appropriate authorities;

    Legal Basis:

    • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. AXA’s legitimate interest is to investigate and prevent potential fraudulent and other illegal activity;
    • the processing is necessary for compliance with a legal obligation to which the controller is subject;
    • the processing is necessary for the performance of a task carried out in the public interest.
  4. for statistical analyses, either by us or the AXA Group, market research and the review and improvement of AXA’s processes and systems. Where possible we will anonymise the data we analyse;

    Legal Basis:

    • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. AXA’s legitimate interest is to engage in activities to improve and adapt the services we offer and to ensure that our systems and processes are effective and efficient.
  5. for training, performance reviews and discipline in relation to employees, agents and sub-contractors;

    Legal Basis:

    • the processing is necessary for compliance with a legal obligation to which the controller is subject;
    • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. AXA’s legitimate interest is to ensure that our systems and processes are effective, efficient and carried out in an appropriate manner.
  6. for reinsurance and AXA Group reporting purposes;

    Legal Basis:

    • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. AXA’s legitimate interest is the proper running of its business;
  7. in order to store personal data and make back-ups of that data in case of emergencies and for disaster recovery purposes.

    Legal Basis:

    • the processing is necessary for compliance with a legal obligation to which the controller is subject.
  8. for compliance with all relevant laws and regulations; and/or

    Legal Basis:

    • the processing is necessary for compliance with a legal obligation to which the controller is subject.
  9. as otherwise set out in this or any other relevant Data Protection Statement, the terms and conditions of any website or app or any other notice or documentation provided to you by or on behalf of AXA.

Sensitive Categories of Data

Where we process special categories of data (also known as sensitive personal data – for example health data, data revealing racial or ethnic origin or religious beliefs) or personal data relating to criminal convictions for any of the above purposes, we do so where the processing is:

  • necessary for legal claims and proceedings (whether actual or prospective), for giving or receiving legal advice or for the purposes of establishing, exercising or defending legal rights; or
  • otherwise authorised or required by law (such as relating to unlawful acts and dishonesty, fraud, terrorist financing and/or money laundering).

If you are asked to provide medical information at any time, please do not send us the results of any genetic tests unless specifically requested.

Effect of not providing information:

You may refuse to provide any personal data requested from you, unless otherwise stated in the request. However if you decide not to provide information that we have requested, we may reject your claim for not co-operating.

4. Sharing of Information

In carrying out the purposes set out in this document, we may share your personal data with various third parties. The list of third parties set out below is non-exhaustive and only indicative of the type of companies, agencies and individuals with whom we share data.

  1. Your representatives:
    any party you have given us permission to speak to (such as a relative or friend) and other people or companies associated with you (for example your lawyers or broker) and any agents, service providers and experts you engage (including but not limited to those relating to the assessment of liability; the assessment, repair and replacement of vehicles; the assessment and repair of property (including buildings, land and personal effects); medical and functional assessment of individuals; and lawyers);
  2. Our representatives/partners:
    our employees, agents and contractors, including companies that provide services in relation to telecommunications and postage, data storage, document destruction, IT and IT security, fraud detection, making and receiving payments, data analysis and management information, complaints handling, market research, and our claims related service providers and expert witnesses (including but not limited to those relating to the assessment of liability; the assessment, repair and replacement of vehicles; the assessment and repair of property (including buildings and personal property); medical and functional assessment of individuals; lawyers; private investigators (where we feel it is necessary); and translators) and other AXA Group companies;
  3. Other third parties:
    our policyholder(s), witnesses to incidents, reinsurers, other insurance companies, vehicle salvage and destruction operators, any agents, service providers and experts engaged by any relevant third party (including but not limited to those relating to the assessment of liability; the assessment, repair and replacement of vehicles; the assessment and repair of property (including buildings and personal property); medical and functional assessment of individuals; and lawyers); and
  4. iv) State or government departments, bodies or agencies, including regulators, emergency services, such as the police, ambulance and fire services, and any other relevant investigatory body or authority (such as the Department of Employment Affairs and Social Protection and the Department of Transport, Tourism and Sport).

We may also share your details (your name, address, vehicle registration number, insurance details and other relevant details), with our customers, their lawyers or other appropriate representatives of our customers to allow them to apply to the Injuries Board or to issue legal proceedings.

Please feel free to contact us (details in Section 1 'General' above) if you would like more details about the parties with whom we share your information.

AXA, as Data Controller, will use every effort to protect your personal data and we will not sell your personal information to any third party companies.

International Transfers

On occasion we or a service provider may transmit certain aspects of your personal data outside the European Economic Area. In such circumstances, we will ensure that such transmissions are carried out securely and in accordance with data protection law.

The non-European Economic Area countries to which we currently send personal data include i) Switzerland, ii) the United States of America and iii) to AXA Group companies in other non-EEA countries (where required). AXA complies with the law regarding international transfers of data by relying on the European Commission’s standard data protection contract clauses under Article 46.2 of the GDPR (in relation to item ii above), Binding Corporate Rules under Article 47 of the GDPR (in relation to item iii above) or the decisions of the European Commission stating that certain countries, such as Switzerland, ensure adequate levels of data protection in their law (Article 45 of the GDPR) (in relation to item i above).

If you would like more information about the relevant safeguards involved in the transfer of personal data to countries or companies outside the European Economic Area, please contact us using the details in Section 1 'General' above.

5. Data Collected

The table below contains examples of the types of data we collect for the purposes set out in this document:

CategoryExamples of the type of data collected
Claims information
  • Name, address (including Eircode), date of birth, contact details, telephone recordings, relevant pastimes and daily activities (generally for you to explain how they have been affected by an incident);
  • the circumstances of an incident, location information (if you were using the AXA Drivesave system at the time of the incident in question);
  • licence details, driving history, claims history and details of any relevant claims, driving disqualifications, penalty point information and criminal conviction information (where it results from or exists prior to an incident), health information (any injuries resulting from incidents, any relevant pre-existing health conditions and any subsequent injuries);
  • vehicle and/or property details (including relevant loan information), details of damaged property, employment and income details, estimates, costs, PPS Number/National Insurance Number, VAT and other relevant tax numbers;
  • bank and payment card details, records of payments made, details of services provided to you (for example car hire, vehicle repair and home repair), recoveries.
Information obtained from sources other than you or your representatives:
  • verification of the above categories of data;
  • CCTV footage;
  • claims history and vehicle details;
  • health information (any injuries resulting from incidents, any relevant pre-existing health conditions and any subsequent injuries);
  • driving disqualifications, penalty point information and criminal conviction information (where it results from or exists prior to an incident).

Please feel free to contact us (details in Section 1 'General' above) if you would like more information about the precise information we gather and use.

6. Retention of Data

How long we keep data is primarily determined by how long we need it for the purposes we use it for, time periods set out in law and the period we need to keep it to defend ourselves against legal action. Generally we keep information for the periods set out in the table below:

Type of InformationType of Data Collected
Claims information10 years from the date the claim is finalised (by settlement, court hearing, withdrawal of claim, etc.).
Claims information – where there is the potential for a child to make a claimUp to 3 years after the child in question turns 18 years of age or 10 years from the date the claim is finalised, whichever is longer.
Claims validation file25 years from when the claim is finalised (by settlement, court hearing, withdrawal of claim, etc.).

However in some cases we may need to keep personal data longer than the above periods. Examples of these situations include long-running disputes and system back-ups required for disaster recovery.

We also retain certain limited details beyond the above time periods for the validation of new claims made on old claim files. The aim of retaining data for this additional period is to ensure that policyholders and AXA are not the subject of fraudulent claims (by paying out under their policy for the same claim a second time).

In these circumstances we retain information such as claimant names, claim numbers and incident dates. We will hold this limited data for a period of up to 25 years from the date the claim is finalised (for example by settlement, court hearing or withdrawal of claim). This data will be kept apart from our other policy and claims data so that it will only be used in the event that a new claim is made.

Please feel free to contact us (details in Section 1 'General' above) if you would like more information about retention periods.

7. Your Rights

As a ‘data subject’, you have the rights set out in this section. However certain restrictions may apply in some cases.

  1. The right to withdraw consent where we are processing your information on the legal basis of consent. In a claims situation it is very rare that we would be relying on consent to process data.
  2. The right of access to the personal data concerning you that we hold and to be informed why and how we process that data.
  3. The right to require us to correct any inaccurate information about you (including missing details).
  4. The right of erasure/right to be forgotten. This is a right to have personal data concerning you erased. However this right shall not apply in certain situations, including where the processing of data is necessary for the establishment, exercise or defence of legal claims.
  5. The right to data portability. This is a right to request from us all personal data that you provided to us. You may also request that we send this data to another company or person. This right only applies to data where the processing carried out is based on consent or on a contract, neither of which are generally relied upon in the processing of data under this Claims Data Protection Statement (see Section 3 ‘Use of Information’ above).

    If you decide to transfer your personal data to us from another company, please note the contents of this Data Protection Statement before doing so, in order to make sure you do not provide us with excessive data.

    Where we do receive your personal data from you (or directly from another company at your request) we will review the contents of the transferred file and delete any information that is inappropriate, excessive, incorrect or otherwise not required. We may use any remaining information for the purposes set out in this document. We will not be responsible for the quality or accuracy of the data transferred to us.

    Where we receive data directly from you or from another company on your behalf, we will only hold your data for 10 business days before deleting it, unless you contact us during that period.

  6. The right to object to the processing of your personal data by us. This right only applies where we rely on the basis of a ‘legitimate interest’ (see Section 3 ‘Use of Information’ above) to process your data.

    Where you object to a particular type of processing we will stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your right or unless we need to use it in a legal claim.

    If you wish to exercise this right, we require that you explain the particular set of circumstances that you feel justifies your request for us to stop the processing activity in question. We will then evaluate whether your situation outweighs ours.

  7. The right to restrict processing of your personal data where you feel that it is inaccurate, that we are processing it unlawfully or that we no longer need it, or where you have invoked your right to object (as set out in Section 7 (f) above).

    When processing is restricted your personal data will only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of other people or for reasons of important public interest.

Please send all requests to us (details in Section 1 ‘General’ above) in writing (by post or email).

Please note that it may take up to 30 days to process your request, with the possibility of an extension of another two months.

We will not charge a fee for any of requests under this section, provided that we do not consider them to be unjustified or excessive. If we consider a request to be unjustified or excessive we may either deal with the request and charge a fee or refuse the request. We may also charge a fee if you ask us to send you further copies of the information in an access request.

8. Specific processing activities

In addition to the information set out above, we would also like to draw your attention to some additional information relating to a number of activities we carry out which involve the processing of your personal data:

  1. Insurance-Link in Republic of Ireland

    What is Insurance-Link?
    The Insurance-Link database was created to assist in the detection and defence of exaggerated and fraudulent claims. It contains details of claims made by individuals. For further information on Insurance-Link go to www.inslink.ie.

    How does AXA use the Insurance-Link database?
    When dealing with your claim, we will check the Insurance-Link database for information on any previous claims made by you. In the event that we find any claims we may then contact the relevant insurance company to obtain further details of such claims.

    If we find any claims that have not been disclosed at the appropriate time, AXA may rely on certain legal rights. These may include the refusal of claims.

    We will also pass details of claims made by you (including name, address, date of birth and type of injury or loss suffered) to Insurance-Link. This information will then be available to other insurers.

    If we receive a request from another insurance company in relation to a claim we have uploaded to Insurance-Link, we may provide certain limited information in relation to the claim to that insurance company.

  2. Anti-Fraud Registers in Northern Ireland

    In Northern Ireland Insurers pass information to the Claims and Underwriting Exchange Register and the Motor Insurance Anti-Fraud and Theft Register (“MIAFTR”). The main aims are to help insurers to verify information provided and to prevent fraudulent claims.

    In circumstances where you make a claim in relation to an incident (such as accident or theft), we will pass relevant information relating to the incident to the Claims and Underwriting Exchange Register, MIAFTR and any other official register set up for the purpose of checking information and preventing fraud.

    When dealing with your claim, we may search these registers. In the event that we find any claims we may then contact the relevant insurance company to obtain further details of such claims. If we find any claims that have not been disclosed at the appropriate time, AXA may rely on certain legal rights. These may include the refusal of claims.

    If we receive a request from another insurance company in relation to a claim we have uploaded to Claims and Underwriting Exchange Register, MIAFTR or any other official register, we may provide certain limited information in relation to the claim to that insurance company.

    Northern Irish law requires that certain information relating to insured vehicles must be entered on the Motor Insurance Database (“MID”). If you are involved in an accident, we may search the MID to obtain relevant information about you.