Privacy Notice

This Privacy Notice is intended to explain when and how information about you ("Personal Data") is collected or processed (i.e. used), the reasons why we do so, the legal basis we rely on and the rights available to you in relation to your Personal Data.

This Privacy Notice is updated, when needed, to remain accurate and in compliance with the applicable legislation and regulation. This Privacy Notice is accessible on our website available at www.everestglobalcom (“Website”). Our contractual documents and external communications may contain a reference to this Privacy Notice too.

Everest Group, Ltd. (NYSE:EG) and its subsidiaries and affiliates including Everest Advisors (UK), Ltd., Everest Insurance (Ireland), DAC, Everest Reinsurance Company (Ireland), DAC, Everest Corporate Member Limited and Everest Service Company (UK), Ltd. (together, “Everest Group”, "we", "us" and "our") and, on our behalf by our third-party service providers, collect and process your Personal Data. Each entity of Everest Group is responsible for its own collection and processing in its capacity as a data controller.

Much of the information we collect will have been provided by you, or, where legally permitted to, from other sources. These include:

• From your representative(s) through the policy application process and renewals;
• From your family members, employers, professional associations or representatives;
• From other (re)insurance market participants including brokers, agents, managing general agents (MGAs), other reinsurers and retrocessionaires;
• From financial institutions and credit reference agencies;
• From public sources including public databases such as websites and print media;
• Where permitted by law, from government agencies, administrative authorities, regulators, anti-fraud databases, sanctions lists, court judgments and other databases;
• From healthcare service providers or benefits providers including pension and social security organisations;
• In the event of an (re)insurance claim, from third parties involved including the other party to the claim (claimant/defendant), witnesses, experts (including medical experts), loss adjustors, lawyers and claims handlers;
• In the course of navigation of our Website (see below).

Where we receive your Personal Data from third party sources, we ensure that those third parties either received your prior consent or are otherwise legally permitted or required to disclose your Personal Data to us.

Personal Data we collect on our Website.

When you visit our Website, we seek your consent to collect certain information from your device by automated means such as cookies, web server logs and web beacons.  In some countries, including the European Economic Area (EEA) and the United Kingdom (UK), this information may be considered Personal Data under applicable data protection laws and regulations.  Further information about our use of cookies can be found in our Cookies Policy.

Personal Data that we request depends on each situation (please see the below list of purposes). For instance, if you are a policyholder or an insured, the Personal Data collected depends on the type of insurance that was signed with us and the risks covered.

This includes:

• Background data including title, gender, name, phone numbers, email address, home address, date of birth, marital status, government identification numbers, national insurance numbers, social security numbers, membership of a professional association, tax numbers, copy of passport and driver’s license, emergency contact name and mobile/home numbers;
• Family information including name of spouse/partner, name of children, date of birth in respect of spouse/partner/children, phone numbers;
• Financial data including bank information, tax information, credit history and credit score;
• Technical data collected when you access our Website including your internet protocol (IP) address or domain names of the devices utilised, your login data, browser type and version, and geolocation address ;
• Data concerning your health and/or wellbeing (where appropriate) – please see more details on “Sensitive Personal Data” below;
• Data relating to criminal convictions (“Criminal Convictions Data”), offences and related security measures (additional protections apply to Criminal Conviction Data);
• Claims data including previous claims data (claims histories) and previous policy numbers (insurance records); and
• Compensation data including salaries, benefits, pension etc.

In the event that certain required Personal Data is not provided to us, this may result in us being unable to sign a contract nor able to fully or partially perform our services. This could also generate delays in processing claims and/or in performing other obligations under a contract.

Special Category Data:

We may collect Personal Data including health and wellbeing records including medical treatment and prescription histories, test results, medical diagnoses, trade union memberships (when local regulation considers it to be Special Category Data), family medical history, or any other personal data considered as such according to local legislation (hereinafter “Special Category Data”).

Special Category Data is subject to special protections. We will only collect this category of Personal Data when authorised and/or carried out under the control of an official authority.

Where we collect and process Special Category Data, we will ensure that it is done in accordance with applicable laws and regulations, which may include obtaining your explicit consent prior to collection (please see below on “How & Why We Process Personal Data?”). If you refuse or decide to withdraw your consent, we would potentially not be able to sign a contract, nor perform, fully or partially, our services. This could also delay the processing of claims and/or the performance of our contractual obligations.

Recipients listed on “How & Why We Process Personal Data?” are subject to the condition that they meet the requirements to be qualified as professionals legally authorised to access Special Category Data.

We collect, process and use Personal Data of policyholders, insureds, beneficiaries, payers or business partners in respect of contractual or commercial relationships. Accordingly, there are mainly three reasons for that:

• The underwriting, management and performance of contracts signed with us;
• The compliance with our legal and regulatory duties as professional services providers; and
• Our legitimate interest in relation to our commercial operations.

We do not sell (or exchange) your Personal Data for monetary compensation.

The following details the legal basis and purpose for which we collect, process and use Personal Data and lists the third parties with whom we may share Personal Data.

A. Personal Data necessary for performance of a contract

Legal Basis	It is necessary to process Personal Data to enter into and perform a contract, including (re)insurance contracts and the handling of (re)insurance claims. In this context, we may also collect and process Criminal Convictions Data, when appropriate and allowed under domestic law providing for appropriate safeguards for the rights and freedoms of data subjects, and in compliance with local regulation.
Purposes	We may collect your Personal Data, on this legal basis, for the following purposes: Quotation/Inception Setting you up as a client Analysing the needs of clients/policyholders to offer products/services Evaluating our exposure under a contract (i.e. the risks to be covered and matching the appropriate policy/premium) Payment of price/premium where the (re)insured/policyholder or contractor is an individual Verifying your identity and verifying the accuracy of the information we receive Policy Administration Client care, including communicating with you and sending you updates Payments to and from individuals Claims and Disputes Processing Managing claims, disputes, actions and recourses in relation to a contract Defending or prosecuting claims, disputes, actions and recourses in relation to a contract Complaints handling Making claim payments by processing your bank account details Renewals Contacting you to renew a contract, Evaluating the risks to be covered and matching to appropriate policy/premium Payment of price/premium where the (re)insured/policyholder or contractor is an individual
Recipients	Recipients include: Brokers Managing General Agents Third Party Claim Administrators Everest Group affiliates Partners who provide data processing services (for example data hosting and storage companies) Legal advisors or counsel, loss adjusters and claims investigators, expert appraisers and other firms used as part of the claims handling process including private investigators when we need to further investigate certain claims Medical professionals Property and risk surveyors Regulatory authorities Tax advisers Law enforcement agencies Internal and external auditors Third party claimants and/or their legal representatives during the administration of a claim being made against you
IMPORTANT:	You are obliged to provide us with your Personal Data insofar as it is necessary for the performance of a contract. Failure to do so could affect or delay the processing of claims or the performance of other obligations under a contract.

B. Personal Data necessary for compliance with a legal obligation

Legal Basis	It is necessary to process Personal Data in order to comply with legal obligations which apply to us as professionals and, in particular, as (re)insurance providers. In that respect, your consent is not required.
Purposes	We may collect your Personal Data, on this legal basis, for the following purposes: Complying with anti-money laundering and financing of terrorism regulations Complying with our tax duties including pay as you earn obligations Considering international economic, financial and trade sanctions prohibitions and restrictions Assisting the courts in acting in their judicial capacity Complying with regulatory reporting obligations
Recipients	Recipients include: Regulatory authorities and government departments Legal, financial and tax advisers and counsel Law enforcement agencies Public bodies Insurance providers Other parties in the course of legal proceedings

C. Personal Data necessary based on our legitimate interests

Legal Basis	It is necessary for the purposes of our legitimate business interest to process Personal Data. We therefore rely on this Legal Basis to collect and otherwise use your Personal Data. In that respect, your consent is not required. Where we rely on this Legal Basis to collect and use your Personal Data, we take appropriate steps to ensure the processing does not infringe the rights and freedoms conferred to you under applicable data privacy laws.
Purposes	We may collect your Personal Data, on this legal basis, for the following purposes: Identifying and preventing fraud, including the management of amicable litigation and disciplinary procedures Facilitating corporate reorganisations and/or the acquisition or sale of some or all of the Everest Group or the Everest Group’s assets in the event such is contemplated General risk modelling of the Everest Group, statistics and actuarial studies Research and development activities Conduct data analytics, benchmarking activities, create insight and reports Improving our services Operating our business, managing and developing our relationships with clients and suppliers Understanding how our clients use our services and Website Investigating, establishing, exercising or defending a legal claim Maintaining information technology services, network and data security, fraud prevention and improving our Website
Recipients	Recipients include: Prospective sellers or buyers of business assets Professional advisers or counsel Service providers who provide information technology and system administration services to us

D. Special Category Data

• Special Category Data based on your prior and explicit consent

Legal Basis	In relation to the entering into and performance of our contracts or services, we may need to process Special Category Data based on your prior and explicit consent (unless local law permits otherwise).
Purposes	We may collect your Personal Data, on this legal basis, for the following purposes: Quotation/Inception Analysing the needs of clients/policyholders to offer products/services Evaluating our exposure under a contract (i.e. the risks to be covered and matching the appropriate policy/premium) Claims and Disputes Processing Managing claims, disputes, actions and recourses in relation to a contract Defending or prosecuting claims, disputes, actions and recourses in relation to a contract Renewals Evaluating the risks to be covered and matching the appropriate policy/premium
Recipients	Recipients, under the condition that they meet the requirements to be qualified as professionals legally authorised to access such Sensitive Personal Data, include: Brokers Managing General Agents Third Party Claim Administrators Everest Group affiliates Partners who provide data processing services (for example data hosting and storage companies) Professional advisors or counsel, loss adjusters and claims investigators, expert appraisers and other firms as part of the claims handling process including private investigators when we need to further investigate certain claims Medical professionals Property and risk surveyors Regulatory authorities and government departments Tax advisers Law enforcement agencies Internal and external auditors Prospective sellers or buyers of business assets Service providers who provide information technology and system administration services to us Third party claimants and/or their legal representatives during the administration of a claim being made against you

• Special Category Data necessary for the establishment, exercise or defence of legal claims

Legal Basis	When it is necessary to establish, exercise or defend legal claims, we may collect and process your Special Category Data. In such circumstances, your prior consent is not required.
Purposes	We may collect and process your Sensitive Data, on this legal basis, for the following purposes: Investigating, establishing, exercising or defending a legal claim Assisting the courts when acting in their judicial capacity
Recipients	Legal advisors or counsel, technical experts Medical professionals Third Party Administrators Regulatory authorities and government departments Law enforcement agencies Competent jurisdictions

As we are a global organisation, your Personal Data may be accessed by our staff, affiliates or suppliers in, transferred to, and/or stored at, a destination outside the country in which you are located, whose data protection law may be of a lower standard than those in your country. We will, in all circumstances, safeguard your Personal Data as set out in this Privacy Notice.

Where we transfer Personal Data from inside the EEA, UK or Switzerland outside the EEA, UK or Switzerland, we are required to take specific measures to safeguard the relevant Personal Data. Certain countries outside the EEA, the UK and Switzerland have been approved by the European Commission, the UK Government or the Swiss Government as providing essentially equivalent protections to EEA, UK or Switzerland data protection laws and therefore no additional safeguards are required to export Personal Data to these jurisdictions. In countries which are not subject to this approval, we will establish legal grounds justifying such transfer, such as model contractual clauses or any other legal grounds permitted by applicable legal requirements.

In particular:

• We ensure that transfers between Everest Group entities are covered by agreements that incorporate prescribed contractual wording, such as the EU Commission's or UK or Swiss standard contractual clauses (hereinafter “SCCs”) when such entities are based outside the EEA, Switzerland or the UK, in countries which are not recognised as providing adequate level of protection by the European Commission, Switzerland or the UK. These SCCs oblige each party to ensure that your Personal Data receives an adequate and consistent level of protection.
• Where we transfer to or receive your Personal Data from third parties who help provide our products and services, we obtain contractual commitments from them to protect your Personal Data, which may also incorporate SCCs where required (i.e. when such third parties are based outside the EEA, Switzerland or the UK, in countries which are not recognised as providing adequate level of protection by the European Commission, Switzerland or the UK).
• Where we receive requests for information from law enforcement or regulators, we carefully review and validate these requests before any Personal Data is disclosed.

To address any queries you may have in relation to data transfers please see Section “Contact Us”

We maintain commercially reasonable physical, electronic and procedural safeguards to protect your Personal Data in accordance with data protection laws and regulations. 

Personal data that we hold is stored on our or our third party suppliers’ secure servers and is subject to our security policies and standards.

We will retain your Personal Data only for as long as is necessary for the processing purpose(s) for which it was collected and any other permitted linked purpose (for example where we are required to retain Personal Data for longer than the purpose for which we originally collected it in order to comply with certain regulatory requirements, to defend legal claims, respond to complaints or to ensure that we have an accurate record of the service that we have provided). Our retention periods are based on business needs, statutory requirements and industry guidelines.

As a data subject, you have a number of rights with regard to your Personal Data and the table below sets out the rights which you have to address any concerns or queries with us about the processing of your Personal Data.

Subject to local laws and regulations, you can exercise any of these rights by submitting a request to: DataPrivacy@Everestglobal.com

Right of Access:	You have the right under certain circumstances to obtain confirmation of whether we are processing Personal Data, access to Personal Data and information regarding how Personal Data is being used by us and to request a copy of your Personal Data.
Right of Rectification:	You have the right to request that we amend any inaccurate Personal Data that we have about you. You also have the right to ask us to complete information you think is incomplete.
Right to Erasure:	You have the right under certain circumstances to have your Personal Data erased. Please note that your Personal Data can be erased if your Personal Data is no longer necessary for the purposes for which it was collected, and we have no other Legal Basis for processing your Personal Data.
Right to Restriction of Processing:	You have the right under certain circumstances to ask us to restrict the processing of your Personal Data including if you contest the accuracy of your Personal Data for a period enabling us to verify its accuracy.
Right to Data Portability:	You have the right under certain circumstances to data portability, which requires us to provide you with your Personal Data in a structured, commonly used and machine-readable format and you have the right to transmit your Personal Data to another data controller in particular when the processing is based on your prior consent, or based on the performance of a contract that you wish to terminate.
Right to Withdraw Consent:	If you have provided consent for the processing of your Personal Data, you have the right under certain circumstances to withdraw that consent at any time which will not affect the lawfulness of the processing carried out before your consent was withdrawn.
Right to Object:	You have the right to object to the processing of your Personal Data at any time in certain circumstances. If you raise an objection, we have the right to refuse it if we can demonstrate that we have compelling legitimate grounds for the processing which override your rights and freedoms or that the processing of your Personal Data is necessary for the establishment, exercise or defence of legal claims.

In certain circumstances, where we are authorised to do so, we may need to restrict the above rights in order to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. to maintain legal privilege).

We may ask you to provide us with a copy of documents verifying your identity as a data subject. With regards to your right of access, the first access request will be complied with free of charge, but additional copies may be subject to a reasonable fee based on administrative costs.

You can exercise these rights by contacting us as set out in the “Contacting us” section below. If you exercise any of these rights, we will check your entitlement and respond in most cases within a month.

If you are not satisfied with our use of your Personal Data or our response to any exercise of these rights, you have the right to complain to the data protection regulator in your country.

Additional local rights

Pursuant to certain local laws and regulations, you may have additional rights. The following list is not exhaustive - should you wish to have more information please see Section “Contacting Us”.

For France

In certain circumstances, you may be allowed to provide general or specific directives on the processing of your Personal Data upon your death regarding the conservation, erasure and communication of your Personal Data. Hence, you may anticipate and define directives regarding the manner you wish your rights to be exercised upon your death, and if applicable, the identity of the trusted third party who may exercise such rights after your death. Moreover, you may or may not consent to the exercise of your rights by your heirs after your death. Please note that you can change or revoke your directives at any time if you change your mind.

In the absence of directives or of a contrary provision in such directives, your heirs may exercise your rights upon your death in relation to the organisation and settlement of your estate, closing of accounts, objecting to the continuation of the processing of your Personal Data or having them updated.

Should you wish to provide us with specific directives regarding the processing of your Personal Data, or change or revoke such directives, or the exercise of your rights upon your death, please see Section “Contacting Us”.

For Spain

In certain circumstances, relatives and heirs of a deceased data subject have the right to contact the data controller or its processor in order to request access to the Personal Data of the deceased and, where appropriate, request its rectification or deletion.

Please note that in Spain, Personal Data shall be blocked by the controller after rectification or erasure. Blocked personal data shall remain available to courts, public prosecutors or any other competent public authorities for the purpose of attending to potential liabilities and legal claims arising from data processing activities carried out with the blocked Personal Data.