Privacy Notice
1. Introduction
2. Collecting your personal data
3. Processing your personal data
4. Legal grounds for processing
5. Recipients of your personal data
6. Overseas transfers of your personal data
7. Retention of your personal data
8. Your information rights
9. Direct marketing
10. Automated decisions
11. Contact us
12. Complaints
13. Changes to this Notice
1. Introduction
Aon Baltic is committed to protecting your privacy. This commitment reflects the value we place on the trust we place in our customers, business partners and others who provide personal data.
This Privacy Notice (“Notice”) explains how Aon Baltic collects, uses and discloses personal data, including the categories of personal data we process and the purposes for which we use it.
Throughout this Notice, “Aon Baltic” means Aon Baltic, UADBB, code 110591289, Karaliaus Mindaugo pr. 35, 44307, Kaunas, Lithuania including affiliated companies and subsidiaries (also “we”, “us”, or “our”). Aon Baltic is responsible for your personal data (and is a data controller for the purpose of the applicable data protection law) that we collect from or about you.
2. Collecting your personal data
a. Types of personal data we collect
The personal data we collect varies depending upon the nature of our services. Where we collect sensitive personal data (such as special category data or criminal offence data), this information is only collected where strictly relevant to the Services we provide and in accordance with applicable laws. Aon Baltic, as a data controller, may process the following personal data:
a) | Contact details, unique identifier and employment information: name, surname, personal identification number such as passport number, national ID or national insurance number, job title, residential address, telephone number, e-mail address, website address, type and category of activity, customer status. |
b) | Insurance policy details: type of insurance, series and number of the insurance policy, date of entry into force, expiry date of the insurance policy, expiry date of the authorisation granted by the client, amount of insurance, amount of premium, date of payment of premiums, amount of premiums received, number of the premium payment document, period of insurance, name of insurer. |
c) | Premium payment and account details: name of the payer, purpose of the premium, due date, amount of the premium, date of payment, number of the payment order, whether the premium is paid directly to the insurer, credit or debit card number, bank account number, debt owed by the policyholder, whether the payment of the premium is deferred. |
d) | Contact details of the insured and beneficiaries: name, surname, personal identification number, date of birth, age, residential address, telephone number, e-mail address, bank account number (to which the insurance benefit is to be paid), name of document. |
e) | Information on your debt obligations: details of policies in force (in force/invalid/stopped/terminated) and amount of debt. |
f) | Financial information: such as credit history and bankruptcy status, salary, tax code, third-party deductions, bonus payments, benefits and entitlement data, national insurance contributions details. |
g) | Background checking information: such as inclusion on a sanctions list or a public list of disqualified directors, the existence of previous or alleged criminal offences, or confirmation of clean criminal records, information in relation to politically exposed persons. |
h) | Health information: information about your health status, medical records and medical assessment outcomes. |
i) | Driving history, certifications and insurance details: such as driving licence details, the period for which a licence has been held, existing and previous insurance policy details, previous accident and claims history and details of any motoring convictions. |
j) | Claims details: information about any claims concerning your insurance policy. |
k) | Marketing and communications preferences: such as interests and preferred language. |
l) | Events information: such as information about your interest in and attendance at our events, including provision of feedback forms. |
m) | Online information: such as computer, device and connection information (e.g. IP address, browser type, operating system, unique device identifier), usage data collected when visiting our websites, device location information. |
b. Sources of information
We collect personal data about you in the following ways:
a) | Information you provide directly to us: we collect personal data about you when you request a service from us; visit an Aon website or attend an Aon event or seminar; through your use of our services; provide comments, feedback or communicate directly with us; or contact our contact center either via telephone or email. We may record the call and retain the email for quality and training purposes and query handling. |
b) | Information from your organisation: we may obtain personal data about you from the organisation with which you are employed or affiliated, in order to provide services to them and/or manage your access to and use of the organisation’s service. |
c) | Information we collect automatically: Our websites may utilise cookies and other tracking technologies, including to ensure basic functionality of our websites is maintained, which are called strictly necessary cookies. We may also want to set either first- or third-party optional cookies to improve the experience on our websites. To view the categories of cookies on each of our websites, please utilise our OneTrust Cookie Preference Center, which may be found as a footer of our websites and/or when you first visit our websites. We ensure that our use of cookies is in line with local legal and regulatory requirements, and as such have ensured that the behaviour and appearance of our OneTrust Cookie Preference Center is based on the geolocation of your IP address. |
d) | Information from third parties: we may collect personal data about you from other third parties, such as insurers, underwriters, reinsurers, credit reference agencies, medical professionals, government bodies, claimants, sponsors, joint venture entities or business partners, as well as vetting and data validation agencies and other professional advisory service providers. |
c. Impact of failing to provide personal data
You are required to provide any personal data we reasonably require (in a form acceptable to us) to meet our obligations in connection with the services we provide to you, including any legal and regulatory obligations. Where you fail to provide or delay in providing information we reasonably require to fulfil these obligations, we may be unable to offer the services to you and/or we may terminate the services provided with immediate effect.
d. Information you provide relating to third parties
Where you provide personal data to Aon about third-party individuals (e.g. information about your spouse, civil partner, child(ren), dependents or emergency contacts), where appropriate, you should provide these individuals with a copy of this Notice beforehand or ensure they are otherwise made aware of how their information will be used by Aon. Where you provide information to us about your beneficiaries, we may require you to provide explicit consent on their behalf.
e. Information relating to children
Our services are not directed to children, and we do not knowingly collect personal data from children. Certain Aon solution lines may process data related to children, such as their date of birth, address, and other identifiable information. This information is not collected directly from children, but from other parties such as from our client, the carrier, or directly from you as the parent or guardian of the child (e.g., so that the child may be named a beneficiary to an insurance policy).
3. Processing your personal data
Aon Baltic will collect and process your personal data for the following purposes:
a) | to assess your application to receive the services; |
b) | to offer, administer and manage the services provided to you, including providing initial and renewal quotations and client care information; |
c) | to carry out due diligence, identity, credit reference, bankruptcy, sanctions, data validation, anti-money laundering, “Know Your Customer” and other business acceptance, vetting and risk management agency checks; |
d) | to evaluate risks relating to your prospective or existing insurance policy; |
e) | to process payments, including your payments for the insurance premium and any mid-term adjustments; |
f) | to administer, investigate and settle claims or complaints in relation to the insurance policies and/or the services provided; |
g) | to facilitate the prevention, detection and investigation of crime and the apprehension or prosecution of offenders; |
h) | to enforce our agreements, trace debtors and recover any outstanding debt in connection with the services provided; |
i) | to fulfil legal and regulatory obligations, resolve disputes and monitor compliance with the same; |
j) | to transfer books of business to successors of the business in the event of a sale or reorganisation, including the planning and due diligence purposes both prior to closing and after a transaction has closed; |
k) | to conduct market research and canvass your views about the services for the purpose of developing, creating and improving our products and service offerings generally including determining the effectiveness of our promotional campaigns and evaluating business performance; |
l) | to offer other products and services that may be of interest to our clients, prospective clients and individual representatives of our corporate clients, including sending newsletters, know-how, promotional material and other communications; |
m) | to communicate with you and to respond to your requests, inquiries, comments and concerns; |
n) | to conduct research, audit, reporting and other business operations purposes; |
o) | to perform benchmarking, modelling, market research and data analysis associated with the development of new and existing processes, products and services; and |
p) | to invite you to events or seminars, including arranging and administering those events. |
4. Legal grounds for processing
All processing of your personal data is based on the lawful basis for processing this information. In most cases, processing is based on the following grounds:
a) | Performance of the service contract: the processing is necessary for the performance of a contract to which you are a party or to take steps (at your request) to enter into a contract (e.g. for us to assist an employer in fulfilling an obligation to you) especially for the processing activities set out in sections 3(a), 3(b), 3(c), 3(d), 3(e) and 3(f) of this Notice. |
b) | Legal and regulatory obligations: the processing is necessary to comply with our legal and regulatory requirements particularly for the processing activities set out in section 3(i) of this Notice. (e.g. where we are obliged to collect certain information about our customers for accounting or tax purposes, or where we are required to provide information to the courts or other authorities). |
c) | Preventing and detecting fraud: We will use your personal data, including information relating to criminal convictions or alleged offences, to prevent and detect fraud, other financial crime, and crime generally in the insurance and financial services industry, particularly for the processing activities set out in section 3(g) of this Notice. |
d) | Legitimate interests: The collection and use of some aspects of your personal data is necessary to enable us to pursue our legitimate commercial interests, e.g. to operate our business, particularly where we offer other products and services that may be of interest to you or conduct market research to improve our products and services generally, including for the processing activities set out in sections 3(c), 3(g), 3(h), 3(i), 3(j), 3(k), 3(l), 3(m), 3(n), 3(o) and 3(p) of this Notice. Where we rely on this legal basis to collect and use your personal data we shall take appropriate steps to ensure the processing does not infringe the rights and freedoms conferred to you under the applicable data protection laws. |
e) | Legal claims: the processing is necessary for the establishment, exercise or defence of legal claims by us or third parties particularly for the processing activities set out in section 3(f) of this Notice. |
f) | Consent: We rely on your consent to collect and use personal data concerning any criminal convictions or alleged offences, specifically for the purpose of assessing risks relating to your prospective or existing insurance policy particularly for the processing activities set out in sections 3(d) and 3(f) of this Notice. We may also share this information with other insurance market participants and third parties where necessary to offer, administer and manage the services provided to you, such as insurers and insurance underwriters, reinsurers, brokers and vetting agencies.
Where we rely on your consent to collect and use your personal data, you are not obliged to provide your consent and you may choose to subsequently withdraw your consent at any stage once provided. However, where you refuse to provide information that we reasonably require to provide the services, we may be unable to offer you the services and/or we may terminate the services provided with immediate effect. Where you choose to receive the services from us you agree to the collection and use of your personal data in the way we describe in this section of this Notice. You also understand that such information may be collected and shared for the above purpose with the insurance underwriter named in your insurance policy documentation. You should refer to the insurer’s privacy notice on their website for further information about their privacy practices. |
5. Recipients of your personal data
We generally share your personal data with the following categories of recipients where necessary to offer, administer and manage the services provided to you:
a) | within Aon: we may share your personal data with other Aon entities, brands, divisions, and subsidiaries for the processing purposes outlined in this Notice; |
b) | insurance market participants: where necessary to offer, administer and manage the services provided to you such as insurers and insurance underwriters, reinsurers, brokers, intermediaries and loss adjusters. The insurance underwriter is the insurer that is underwriting your insurance policy and is named in your policy documentation. You should refer to the insurer’s privacy notice on their website for further information about their privacy practices; |
c) | vetting and risk management agencies: such as credit reference, criminal record, fraud prevention, data validation and other professional advisory agencies, where necessary to prevent and detect fraud in the insurance industry and take steps to assess the risk in relation to prospective or existing insurance policies and/or the services; |
d) | legal advisers, loss adjusters, and claims investigators: where necessary to investigate, exercise or defend legal claims, insurance claims or other claims of a similar nature; |
e) | medical professionals: e.g. where you provide health information in connection with a claim against your insurance policy; |
f) | law enforcement bodies: where necessary to facilitate the prevention or detection of crime or the apprehension or prosecution of offenders; |
g) | public authorities, regulators and government bodies: where necessary for us to comply with our legal and regulatory obligations; |
h) | third party suppliers: where we outsource our processing operations to suppliers that process personal data on our behalf. These processing operations shall remain under our control and will be carried out in accordance with our security standards and strict instructions; and |
i) | successors of the business: where Aon or the services are sold to, acquired by or merged with another organization, in whole or in part. Where personal data is shared in these circumstances it will continue to be used in accordance with this Notice. |
j) | business partners: such as joint venture entities, sponsors and/or other third-party business partners who collaborate or co-operate with Aon on projects, events, products or services. You should refer to their privacy notices for more information about their privacy practices; and |
k) | internal and external auditors: where necessary for the conduct of company audits or to investigate a complaint or security threat. |
6. Overseas transfer of personal data
We operate on a global and worldwide basis, and we therefore reserve the right to transfer personal data about you to other countries to be processed for the purposes outlined in this Notice. In particular, we may make such transfers to offer, administer and manage the services provided to you and improve the efficiency of our business operations. We shall ensure that such transfers comply with all applicable data protection laws and regulations and provide appropriate protection for the rights and freedoms conferred to individuals under such laws.
Where we collect personal data about you in the European Economic Area (the “EEA”) we may transfer the information to countries outside the EEA for the processing purposes outlined in this Notice. This may include transfers to countries that the European Commission (the “EC”) considers to provide adequate data privacy safeguards and to some countries that are not subject to an adequacy decision. Aon has an intra-group data transfer agreement in place which regulates cross-border transfers of your personal data within the Aon Group and which incorporates the European standard contractual clauses approved by the EC. Where we transfer personal data to third parties located in countries that are not subject to an adequacy decision we shall put in place appropriate safeguards, such as the aforementioned European standard contractual clauses approved by the EC as appropriate. Where necessary, we may implement additional technical, organizational or contractual measures to ensure an adequate level of protection for your personal data. Where required, further information concerning these safeguards can be obtained by contacting us.
7. Retention of your personal data
We retain appropriate records of your personal data to operate our business and comply with our legal and regulatory obligations. These records are retained for predefined retention periods that may extend beyond the period for which we provide the services to you. In most cases we shall retain your personal data for no longer than is required under the applicable laws. We have implemented appropriate measures to ensure your personal data is securely destroyed in a timely and consistent manner when no longer required.
8. Your information rights
a) | Right to access: a right to access and inspect your personal data or be provided with a permanent copy of the information being held about you. |
b) | Right to correction: a right to request the correction of your personal data or in cases where the accuracy of information is disputed, to supplement the information to give notice that you dispute its accuracy. |
c) | Right to erasure: a right to request the erasure of your personal data, particularly where the continued use of the information is no longer necessary. |
d) | Right to restrict processing: a right to request the restriction of your personal data from further use, e.g. where the accuracy of the information is disputed, and you request that the information not be used until its accuracy is confirmed. |
e) | Right to portability: a right to request that some aspects of your personal data be provided to you or a third party of your choice in electronic form to enable its reuse. |
f) | Right to object to processing: a right to object to the use of your personal data, particularly where you feel there are no longer sufficient legitimate grounds for us to continue processing the information. |
g) | Right to object to direct marketing: a right to object to the use of your personal data for direct marketing purposes. See Section 9 below for further information. |
h) | Right to withdraw your consent: where we rely on your consent to collect and use your personal data, you have the right to withdraw your consent at any stage once provided. |
i) | Right to object to automated decision making: a right to object to decisions involving the use of your personal data, which have been taken solely by automated means. |
j) | Right to lodge a complaint with a regulator: a right to complain to the relevant data protection regulator about our processing of your personal data. See Section 12 below for further information. |
It is important to note, however, that some of the rights described above in Section 8 can only be exercised in certain circumstances. We may also ask you to provide additional information to verify your identity and for other security reasons. If we are unable to fulfil a request from you to exercise one of your rights under applicable data protection laws, we will write to you to explain the reason for refusal (e.g., for compliance with a legal obligation, for the establishment, exercise or defence of legal claims or legal exemptions). You can exercise the above rights by contacting us using the contact details provided in this Notice. As far as possible, we will always endeavour to respond to requests and enquiries as soon as possible or to inform you of the need to provide additional information.
9. Direct marketing
We will use your personal data to send you direct marketing communications (e.g. by e-mail or SMS message) about our products and services that we feel may be of interest to you. We will give you the opportunity to choose whether you want to receive direct marketing communications at the point that you apply or register to receive the services. You can also change your marketing preferences at any stage by contacting us using the contact details set out in Section 11 below. Please note that, even if you opt out of receiving direct marketing communications, we may still send you service-related communications where necessary.
10. Automated Decisions
Where you apply or register to receive a service, we may carry out a real-time automated assessment to determine whether you are eligible to receive the service. An automated assessment is an assessment carried out automatically using technological means (e.g., computer systems) without human involvement. This assessment will analyse your personal data and comprise several checks, e.g., credit history and bankruptcy check, validation of your driving licence and motoring convictions, validation of your previous claims history and other fraud prevention checks. Where your application to receive the service does not appear to meet the eligibility criteria, it may be automatically refused, and you will receive notification of this during the application process. However, where a decision is taken solely by automated means involving the use of your personal data, you have the right to challenge the decision and ask us to reconsider the matter, with human intervention. If you wish to exercise this right, you should contact us.
11. Contact us
If you have any questions about the content of this Notice or the rights conferred to you under the applicable data protection laws, requests or complaints, you should contact our Data Protection Officer at dpobaltic@aon.com or at the following address:
Aon Baltic
Karaliaus Mindaugo pr. 35,
44307, Kaunas
Lithuania.
12. Complaints
If you are not satisfied with the way we have handled your complaint you have the right to raise the matter with the relevant data protection regulator in your country:
Lithuania:
The State Data Protection Inspectorate,
Juozapavičiaus g. 6, 09310 Vilnius, Lithuania
Tel. (8 5) 271 2804, 279 1445,
Fax. (8 5) 261 9494,
E-mail ada@ada.lt
13. Changes to this Notice
This Notice is not contractual, and we reserve the right to reasonably amend it from time to time to ensure it continues to accurately reflect the way that we collect and use personal data about you. Any updates or changes to this Notice will be made available to you. You should periodically review this Notice to ensure you understand how we collect and use your personal data.
This Notice was updated 7 December 2023