The Swedish Club Privacy Policy for handling of Claims
Summary
This Privacy Policy describes how The Swedish Club, a legal entity incorporated in Sweden with company registration number 557206-5265 and address Box 171, 401 22 Göteborg (“The Club”, “us”, “our” or “we”) handle your personal data, what your rights are and how you can contact us.
We at The Club provide marine insurance to companies (our “Members”). This Privacy Policy applies if you suffer an injury, sickness or other health issue which is covered by your employer’s (our Member’s) insurance with The Club (“Injury cases”). This Privacy Policy also applies if you are involved in an insurance claim in any other capacity (for example as a witness or expert), if you are an individual who travels onboard a Member’s vessel without permission, or if you are a next of kin or other contact person to a person involved in an insurance matter. We will process your personal data for the following purposes:
- To handle our Member’s insurance matters and comply with insurance regulation,
- To improve our business and help our Members to reduce their insured risks, and
- To detect, prevent and manage unclear insurance claims and potential insurance fraud.
When we process your personal data, you have certain rights. In short you have the following rights:
- The right to complain
- The right to access
- The right to object
- The right to rectification
- The right to erasure
- The right to restriction of processing
We commit ourselves to being as transparent as possible regarding our processing of your personal data. Do not hesitate to contact us with any questions you might have regarding this Privacy Policy, such as questions about your rights.
Below you can read more about:
- How to contact The Club or competent supervisor authorities
- Description of how we process your personal data per processing activity
- From where do we collect your personal data?
- How long will we store your personal data?
- How long will we store your personal data?
- Balancing of interests’ assessments when processing personal data based on the legal basis “legitimate interests”
- Who has access to your personal data?
- Where is your personal data processed?
- What are your rights when we process your personal data?
You may contact The Club by sending an email to dataprivacy@swedishclub.com, or sending a mail to The Swedish Club, Box 171, 401 22 Göteborg should you have any data privacy related questions or should you wish to exercise any of your rights according to GDPR, including but not limited to rectification, restriction of processing and deletion. You may also lodge a complaint with Integritetsskyddsmyndigheten or other relevant authorities.
If relevant, you may also contact the Swedish Club’s data privacy officer for Singapore, Annica Nordberg, at telephone +46 31 638 412, mobile +46 768 661 569 or email annica.nordberg@swedishclub.com.
In the table below we describe in detail why we process your personal data, what personal data we process and the legal basis for our processing according to the GDPR.
| To handle our Member’s insurance matters and comply with insurance regulation |
| What processing we perform | What personal data we process | Our legal basis for the processing |
| If you suffer an injury, sickness or other health issue onboard a vessel covered by The Club´s insurance (“Injury cases”) To handle the Injury case and comply with insurance regulations. | Information that is included in the Injury case concerning you, this is typically the following information: – Your first and last name – Contact details – Information about your job role – Employment contract – Salary and employment benefits – Date of birth – Your home address – Your passport (which can include information about your ethnicity) – Your national identification number – Next of kin contact details – Medical records (historical and current injury/sickness) | Legitimate interest Article 6.1 f in the GDPR Your personal data will be processed because the processing is necessary for our legitimate interest to handle our Member’s insurance in accordance with insurance legislation and codes. Establishment, exercise or defence of legal claims Article 9.2 f in the GDPR The processing of sensitive personal data in the form of information regarding your health is necessary for the establishment, exercise or defence of legal claims. The processing of personal identification number is necessary for the purpose of securely identifying you. |
| If you are involved in a claim for other reasons, e.g. as a witness To handle the insurance matter and comply with insurance regulations. | Information that is included in the insurance claim concerning you, this is typically the following information: – Your first and last name – Contact details – Information about your job role – Employment contract -Your passport (which can include information about your ethnicity) – Your national identification number | Legitimate interest Article 6.1 f in the GDPR Your personal data will be processed because the processing is necessary for our legitimate interest to handle our Member’s insurance in accordance with insurance legislation and codes. Establishment, exercise or defence of legal claims Article 9.2 f in the GDPR The processing of sensitive personal data in the form of information regarding your health is necessary for the establishment, exercise or defence of legal claims. The processing of personal identification number is necessary for the purpose of securely identifying you. |
| If you are an individual who travel onboard our Member’s vessel without permission To handle the insurance matter and comply with insurance regulations. | Information that is included in the insurance matter concerning you, this is typically the following information: – Your first and last name – Your contact details, if applicable – Your passport (which can include information about your ethnicity) – Other documents or information provided by you relevant for handling the claim | Legitimate interest Article 6.1 f in the GDPR Your personal data will be processed because the processing is necessary for our legitimate interest to handle our Member’s insurance in accordance with insurance legislation and codes. Establishment, exercise or defence of legal claims Article 9.2 f in the GDPR The processing of sensitive personal data in the form of information regarding your health is necessary for the establishment, exercise or defence of legal claims. |
| If you are listed as the next of kin to a person involved in an insurance matter To be able to handle any claims relating to your status as a next of kin or contact person in the event of an insurance matter or emergency affecting a person who has listed you as their next of kin or contact person. | – Your first and last name – Your contact information – Your relationship with the person involved in the insurance matter, if provided | Legitimate interest Article 6.1 f in the GDPR Your personal data will be processed because the processing is necessary for our legitimate interest in contacting you in the event of an insurance matter or emergency involving a person who has added you as their next of kin or contact person. |
| To improve our business and help our Members reduce their risks |
| To detect, prevent and manage unclear insurance claims and potential insurance fraud |
| What processing we perform | What personal data we process | Our legal basis for the processing |
| To investigate unclear insurance claims and potential insurance fraud and report suspected crimes to law enforcement authorities and other affected parties. To do this we may need to collect information from other insurance companies, emergency services, law enforcement agencies, public registers and previous court judgments where relevant to our investigation. | The data processed during an investigation depends on the circumstances that need to be clarified. Information that is included in the investigations may typically be the information that has been provided during the claims process (as stated above) and other information and circumstances included in the claim, such as potential damages In unclear insurance cases, we also process data that has already been collected for claims settlement, as well as any information obtained from other insurance companies, emergency services, law enforcement authorities, the joint insurance industry claims register, and publicly available information | Legitimate interest Article 6.1 f in the GDPR Your personal data will be processed because the processing is necessary for our legitimate interest to investigate unclear insurance claims and potential insurance fraud Establishment, exercise or defence of legal claims Article 9.2 f in the GDPR The processing of sensitive personal data in the form of information regarding your health is necessary for the establishment, exercise or defence of legal claims. The processing of personal identification number is necessary for the purpose of securely identifying you. |
Our Member provides us with your personal data. We may also, in cases where we need to investigate the insurance matter further or suspect insurance fraud, receive personal data from other insurance companies, emergency services, law enforcement authorities, the joint insurance industry claims register, and publicly available information.
We retain files containing personal data related to Injury cases for four years from when the insurance case was closed by us. For all other claims we retain files containing personal data for a period of 10 years from when the insurance case was closed by us. This longer retention period is needed to give us sufficient data to be able to draw good and relevant conclusions from previous cases.
As stated above, we process your personal data based on our ”legitimate interest”. Through a balancing of interests assessment regarding our processing of your personal data, we have concluded that our legitimate interest for the processing outweighs your interests or rights which would otherwise require the protection of your personal data.
To handle the claim that you are involved in, we will process your personal data. This means your personal data will be handled by our employees, but only by those personnel who need such access to conduct their work. We have limited which employees can access the information in a claims matter; not all employees can see information in the matter that you are involved in. Specifically, in Injury cases only staff employed in the local office to which the Injury case belongs have access, together with persons centrally who have access to all claims. In addition, we will share your personal data with the following recipients:
- Our IT suppliers will get access to the personal data and other information when developing and supporting our IT system to ensure good and secure IT operations. These IT supporters only process personal data on our behalf and never on their own behalf.
- During our operations and handling of any claims we may use correspondents, surveyors, lawyers, and others (“Service Providers”) who assist us. We will share your personal data with any Service Providers needing access to your information to be able to handle the claim. These Service Providers act as data controllers and provide you with separate information about how your personal data will be processed by them.
If you have any questions regarding how we share your personal data or want to know more about who we share your personal data with, please feel free to contact us at the contact details stated at the beginning of this Privacy Policy.
We are an international marine insurance company which means that we handle insurance cases all around the world. Therefore, we cannot avoid transferring your personal data outside the EU/EEA in the course of our processing activities. We use Service Providers outside the EU/EEA and handle claims outside the EU/EEA, including where we cooperate with colleagues at our offices in Hong Kong, Singapore and the United Kingdom.
If your personal data will be processed outside the EU/EEA, then we will ensure that such processing is either based on a decision from the European Commission establishing that the country in question ensures an adequate level of protection or appropriate safeguards that ensure that your rights are protected or based on another ground or derogation for such transfer in accordance with GDPR.
Your personal data will be transferred outside the EU/EEA in the following cases:
- The Club collaborates with Service Providers located outside the EU/EEA, for example, if the insurance matter has happened outside the EU/EEA or concerns an individual outside the EU/EEA. This can be the case, for example, if you are injured onboard a vessel and our Service Providers helps facilitate your transfer to a hospital, in which case they need information about at least your name and injury to make sure that the helicopter and hospital staff will handle your case in the best way possible. In these instances, your personal data is transferred outside the EU/EEA to such Service Providers.
- We will also transfer your personal data outside of the EU/EEA to our IT suppliers that process personal data as our data processors and according to our instructions. Such transfer only takes place in accordance with applicable data protection legislation, meaning that we will transfer your personal data outside the EU/EEA when we can ensure an appropriate level of protection of your personal data.
- The Club employs staff in its offices located outside the EU/EEA, namely our UK, Hong Kong and Singapore offices. As we collaborate closely within our organization at The Club, our offices outside the EU/EEA will also have access to your personal data if necessary to handle the insurance case. We have implemented limitations on the amount of personal data that employees at our offices can access, as described above under “Who has access to your personal data?”
When transferring personal data to Swedish Club Hong Kong and Swedish Club Singapore, we do so based upon the European Commission’s standard contractual clauses Module II (Article 46.2 c GDPR) together with additional safeguards. You can find the standard contractual clauses here.
When your personal data is transferred to the UK, we rely on an adequacy decision regarding the UK recognized by the European Commission for the transfer of personal data outside of the EU/EEA. An adequacy decision means that the European Commission has assessed that a particular country has an adequate level of protection for your personal data under Article 45 GDPR. You can find the adequacy decision for the UK here.
We and our Service Providers will rely on Standard Contractual Clauses (Article 46.2 c GDPR), module 1 and module 2, and supplementary security measures for the transfer of personal data outside of the EU/EEA, if our Service Provider is not covered by an adequacy decision. The use of Standard Contractual Clauses is an effort to provide a safe transfer of your personal data. You can find the Standard Contractual Clauses here. In some situations we are unable to rely on adequacy decision or appropriate safeguard for the transfer of personal data, such as in Injury cases where we need to act quickly to aid you. In those situations, we will ensure that we have other grounds for the transfer of your personal data, such as that the transfer is necessary to protect your vital interests where you are physically incapable of giving consent (article 49.1 f in the GDPR), or another relevant provision in article 49.
If you want to know more about where your personal data will be processed, please feel free to contact us.
You have certain rights that you can exercise to affect how we process your personal data. You can read a more detailed description about what those rights are below. In addition to below, you can also find more detailed information about your rights and when they apply at the Swedish Authority for Privacy Protection (IMY).
Right to complain – Article 77 in the GDPR
You have the right to lodge a complaint with the competent supervisory authority if you consider that the processing of your personal data violates the GDPR. In Sweden, the competent supervisory authority is The Swedish Authority for Privacy Protection (IMY).
Right of access – Article 15 in the GDPR
You have the right to obtain confirmation as to whether we are processing your personal data or not. You can make a request by contacting us. If we are processing your personal data, you also have the right to obtain a copy of the personal data processed by us as well as information about our processing, such as the purposes of the processing and for how long your personal data is stored.
Right to object – Article 21 in the GDPR
You have the right to at any time object to our processing of your personal data that is based on a legitimate interest.
Right to rectification of processing – Article 16 in the GDPR
You have the right to have inaccurate personal data concerning you rectified without undue delay. You also have the right to have incomplete personal data completed.
Right to erasure (“the right to be forgotten”) – Article 17 in the GDPR
Under certain conditions, you have the right to have your personal data erased by us without undue delay. For example, if the personal data is no longer necessary for the purposes for which they were collected or processed.
Right to restriction of processing – Article 18 in the GDPR
Under certain conditions, you have the right to request that we restrict our processing of your personal data. For example, if you contest the accuracy of the personal data, or if the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction on the use of the personal data.
This Privacy Policy was last updated: 18 June 2025