Data Protection Policy

elseco regards the lawful and correct treatment of personal information as very important to its successful operation and to maintaining confidence between itself and those with whom it carries out business. elseco ensures that it treats personal information lawfully, correctly and securely.

THE PRINCIPLES OF DATA PROTECTION

elseco is fully committed to ensuring the security and protection of the personal information that elseco processes, and to providing a compliant and consistent approach to data protection in accordance with the requirements of data protection laws [1], which stipulate that anyone processing personal data must comply with the following principles of good practice:

Lawfulness, fairness and transparency – personal data shall be processed lawfully, fairly and in a transparent manner.

Purpose limitation – personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimization – personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy – personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Storage limitation – personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality – personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

ELSECO PRINCIPLES OF HANDLING OF PERSONAL DATA 

Through appropriate management and the use of strict criteria and controls, elseco:

  • fully observes conditions regarding the fair collection and use of personal information;

  • meets its legal obligations to specify the purpose for which information is collected and used;

  • collects and processes appropriate information only to the extent that is needed to fulfil operational needs or to comply with any legal requirements;

  • ensures the quality of information used is correct and up-to-date;

  • ensures that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes;

  • takes appropriate technical and organisational security measures to safeguard personal information; and

  • ensures that the rights of people about whom the information is held can be fully exercised under the data protection laws.

PROCESSING OF YOUR PERSONAL DATA

elseco processes the personal data as defined below.

For Employees and Candidates

A. Employees, including trainees

Purposes:

  • Performance of employment contracts.

  • Compliance with legal and regulatory obligations (work permits, visas, health insurance, pension plan, regulatory fitness and property verifications).

Lawful Basis:

  • Processing is necessary for performance of an employment contract.

  • Processing is based on data subject explicit consent.

  • Processing is necessary for elseco compliance with the applicable law.

  • Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of a Controller or a data subject in the context of the data subject’s employment.

B. Candidates

Purposes:

  • Performance recruitment process and assessment of a candidate.

  • Compliance with legal and regulatory obligations.

Lawful Basis:

  • Processing is based on data subject consent.

  • Processing is necessary for elseco compliance with the applicable law

C. Future employees (candidates who accepted a job offer)

Purposes:

  • Performance of the on-boarding process.

  • Preparation of employment contract.

  • Compliance with legal and regulatory obligations (work permits, visas, health insurance, pension plan, regulatory fitness and property verification).

Lawful Basis:

  • Processing is necessary prior to entering into an employment contract.

  • Processing is based on data subject explicit consent.

  • Processing is necessary for elseco compliance with the applicable law.

  • Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of a Controller or a data subject in the context of the data subject’s employment.

For Other Data Subjects (Third Parties Working with elseco)

A. Business Partners[2]

Purposes:

  • To manage business relationships and contractual relationships.

  • To perform all contractual obligations, especially within binders, agency agreements TOBAs.

Lawful Basis:

  • Processing is necessary for purpose of legitimate interest pursued by elseco (execution of contracts or contractual  obligations, entering into contractual relationships).

  • To fulfil all regulatory obligations (compliance verifications relevant to respect of anti-money laundering and sanctions regulations).

B. Policyholders

Purposes:

  • To manage policy subscription process, management of the cover and potential claim management process.

Lawful Basis:

  • To fulfil all regulatory and contractual obligations (compliance verifications relevant to respect of anti-money laundering and sanctions regulations).

  • Processing is necessary for purpose of legitimate interest pursued byelseco (execution of contracts or contractual obligations, entering into contractual obligations).

C. Service providers, vendors, consultants, contractors

Purposes:

  • To manage contractual and commercial relationships.

  • To manage services.

  • To manage purchase orders and invoicing.

Lawful Basis:

  • Processing is necessary for purpose of legitimate interest pursued by elseco (execution of contracts or contractual obligations, entering into contractual relationships).

Categories of personal data and recipients of those data are as identified in a relevant personal data processing record, which may be communicated to any concerned individual upon request. The personal data processed by elseco is accessible only to persons working within or with elseco organization who need to have access to it in accordance with processing purposes and a lawful basis as defined above.

Personal data may be transferred to some third parties, including third parties being located outside the DIFC. In such case, elseco ensures that the transferred data is adequately protected. For more details regarding protection and safeguard measures put in place by elseco with regard to personal data transfer, please contact elseco Data Protection Officer at: dpo@else.co

elseco retains processed personal data only for the period necessary for elseco to fulfill its legal and regulatory obligations.

DATA SUBJECT RIGHTS

elseco while processing personal data, observe and respect data subject rights.

Any concerned individuals can enforce their data protection rights, by contacting elseco Data Protection Officer, who can provide the following information:

  • type and categories of processed data;

  • purpose of the relevant processing;

  • recipients to whom the personal data has/will be disclosed;

  • duration of the retention of the concerned data;

  • source of data (if not collected directly from individual);

  • any automated processing of concerned personal data (when applicable).

Any concerned individual has a right to ask for:

  • correction and/or completion of their personal data in case of its incompleteness or inaccuracy;

  • erasure of its personal data (when applicable);

  • restrict the processing of its personal data.

IMPLEMENTATION

All elseco employees are fully aware of this notice and of their duties and responsibilities under the data protection laws.

All contractors, consultants, partners or other servants or agents of elseco must ensure that they and all of their staff who have access to personal data held or processed for or on behalf of elseco, are aware of this notice and are fully trained in and are aware of their duties and responsibilities under the data protection laws.

elseco has appointed a Data Protection Officer. The implementation of this notice will be led and monitored by the Data Protection Officer.  

The Data Protection Officer can be reached at elseco limited, Central Park Towers, Office Tower, Level 15, Unit 34+35, Dubai International Financial Centre, P.O. Box 506639, Dubai, UAE or by email at dpo@else.co.

VARIATION OF POLICY

elseco reserves the right to amend this policy from time to time in line with the applicable legislation and elseco business needs.

_______________________

[1] Includes capacity providers, brokers, potential capacity providers, any other partners with whom elseco group discuss and work, excluding service providers or vendors for services not strictly related to underwriting activity.

[2] Data Protection Law DIFC Law No. 1 of 2007 amended by DIFC Law No. 1 of 2018; Regulation (EU) No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data where applicable.