Crawford & Company
EU GDPR Privacy Notice
Effective Date: 25 May 2018
Who We Are
Crawford & Company is a global, independent provider of claims management solutions, providing integrated claims services, business process outsourcing and consulting services worldwide to the risk management and insurance industry, as well as to self-insured entities. We are committed to protecting the privacy of the personal information we collect and providing clear information about how we handle personal information. We encourage you to read this Policy carefully so that you understand how we treat your personal information and what rights you may have.
Your privacy is important to us. We have developed this EU GDPR Privacy Notice (the “EU Privacy Notice” or the “Notice”) to provide additional information about how the Crawford & Company group handles personal information that is subject to the GDPR. In this EU Privacy Notice we use the term “GDPR” to include the EU General Data Protection Regulation as well as associated national laws.
This EU Privacy Notice explains how Crawford & Company and its affiliates and subsidiary companies (together, “Crawford”, “we”, “us” or “our”) handle the personal information that is subject to the GDPR, which we collect from individuals through our websites and associate services, about our former, current and prospective clients, and about other individuals that use our products or engage with us regarding our claims management and related services (our “Services”) or communicate with us, as well as other personal information we receive in providing the Services. This EU Privacy Notice is intended to disclose the personal information that we collect that is subject to the GDPR, and to explain how we use and disclose this personal information, and the choices and rights individuals have regarding this personal information. This Notice does not apply to the personal information that we process about current and former employees, which is subject to a different privacy notice.
For the purposes of the GDPR, and unless you are explicitly notified otherwise, Crawford & Company International, Inc. is the controller of your personal information, and where the processing of personal information is also undertaken by other Crawford Group companies with whom you engage, they are joint controllers with Crawford & Company International, Inc. for your personal information. See the “Contact Us” section below for a list of affiliate controllers and their locations and for details on how to contact Crawford or exercise your rights with respect to your personal information.
Data Processor for Client Claims Data
We handle personal information as a result of providing our claims handling and related services to our clients. Crawford is generally a processor of the personal information that we process in the course of providing our claims handling services to clients; we only process such personal information on behalf of and under the instruction of our clients, or where otherwise required by EU data protection law. Our respective clients are the data controllers of the claims data that we process on their behalf; how we handle this personal information is subject to our client agreements and the privacy policies of our respective clients – not this EU Privacy Notice. This EU Privacy Notice also does not cover any third-party websites or services.
Information We Collect
We may collect personal information directly from you, such as when you register for news and information, contact us online or submit forms through the Sites. We may also collect personal information from third parties and automatically through your use of the Sites and Services. In this EU Privacy Notice, “personal information” means any information that identifies or could be used to identify an individual person, and includes other similar terms like personal information or personally identifiable information.
Where the personal information we collect is needed to comply with law, or to enter into or perform an agreement with you, we will inform you accordingly at the time of collection. If you decline to provide us any required personal information, we may be unable to provide products or services to you.
Information We Collect Directly
We may collect personal information about you in the course of operating our business, including through your use of our Site, when you contact or request information from us, when you engage or use our Services or as a result of your relationship with one or more of our staff and clients. For example when you:
- engage us to perform the Services
- request information from us or submit other enquiries
- participate in events we host or sponsor
- meet with us at our offices
- contact us for client relations or customer support purposes
- access Services we make available to you, whether online, through the Sites or otherwise
- enquire about or apply to job openings
- seek to work with us, or accept requests from us to provide professional, expert, consultant or contractor services
- receive or request customer support or other services
- contact or communicate with us online, by email, postal mail, fax or otherwise
Typically, the personal information you give us may include name, business affiliation, address, telephone number, email address and any personal details required to resolve any enquiries or complaints. If you are seeking to work with us, or accept requests from us to provide professional, expert, consultant or contractor services related to our provision of Services, we may collect additional information about your qualifications and experience, as well as (where permitted by applicable law) any criminal convictions. Where you are applying for employment with us, you will be asked to provide certain additional information, for example about your education, employment history and right to work, pursuant to a specific privacy notice for job candidates.
Information We Collect from Third Parties
We may also obtain information about you from third parties, including your employer, our clients and other parties, as well as publicly accessible sources. We may also collect information about how users interact with us or share content on our social media pages. The personal information we may receive as a result of providing the Services to clients may include a variety of different personal information depending on the Services provided. For example, we may receive names and relevant business contact information from our clients, which may be related to their employees, agents or other authorised parties. We also may conduct background checks or identity verifications related to applicants, suppliers, providers and other third parties, to the extent permitted by law and necessary to protect ourselves, clients and third parties from fraud and misconduct. We also perform sanctions screening and anti-money laundering checks, as required and permitted by applicable law.
If you request access to certain Services or restricted or protected information from us, we may need to contact third parties (such as your employer) to verify that you are authorised; we may take steps to verify your authorisation and identity, including by requesting additional information from you or third parties (such as the clients for whom we are acting).
Monitoring of Communications
Subject to applicable laws we may monitor and record calls, emails and other communications with us. We do this to protect the security of our communications systems and procedures, for quality control and staff training purposes, fraud detection and prevention, and when we need to see a record of what has been said between us. We will also monitor for regulatory compliance (where applicable) as well as crime prevention and detection purposes.
As noted, we handle personal information as a result of providing our claims handling and related Services to our clients. This information may include claims-related information, transactional details, health, disability and medical information, identification information, and other information; our handling of this personal information is subject to our client agreements and our clients’ respective policies – not this EU Privacy Notice – since we are acting on behalf of and under the instruction of our clients (i.e., as a data processor).
Purposes and Legal Bases for Our Use of Personal Information
In the course of conducting our business, we use personal information to provide and improve our services, to process job applications, to provide information about our products and services, to respond to requests and to otherwise communicate with you and others.
Please note: as explained, we collect certain personal information in the provision of our Services (including claims handling services), subject to our client agreements; we use such personal information only as a data processor, acting on behalf of and under the instructions of our clients or where otherwise required by applicable law. Our clients are responsible for determining and notifying individuals of the purposes and legal bases of our processing of personal information as their data processor.
In general, we use personal information for the purposes set out in the table below, under the following legal bases:
- Perform / Enter into Contract with You: as necessary to enter into or perform any contract with you.
- Comply with Law: for compliance with our legal obligations under EU law, including responding to legal and regulatory requests and court orders.
- Establish, Defend and Protect Legal Rights: as necessary to establish, defend and protect our legal rights and interests, or those of third parties.
- Legitimate Business Interests: Pursuant to our legitimate business interests (such as to ensure that we provide high quality, efficient and timely client service, to improve the way we deliver our Services, to develop new offerings and tools, for industry benchmarking and trend analysis, to deliver more relevant content and information, to secure our and our clients’ systems, and to prevent misconduct and fraud), which are not overridden by your interests and fundamental rights.
- Explicit Consent: for sensitive data, with your express consent, or where necessary to carry out our obligations under employment, social security and similar laws.
We may also create anonymous and aggregated data sets and reports in order to assess, improve and develop our business, products and services, prepare benchmarking reports on our industry, and for other research and analytics purposes; provided this data is not identifiable to, and cannot be linked or re-identified to a particular individual, it is no longer subject to the restrictions in this Notice.
|Purposes of Processing||Legal Bases of Processing|
|Verifying Identity and Authorisation
|Providing Support and Services
|Improving Services and Analytics
|Personalised Support and Services
|Marketing and Promotions
We do not use the information we collect from third parties in providing the Services or handling specific claims for marketing and promotional purposes
|Protecting Our Legal Rights and Prevent Misuse
|Complying with Legal Obligations
For example, in response to subpoenas, court orders and other lawful requests by regulators, courts and law enforcement agencies, including responding to national security or law enforcement disclosure requirements
|General Business Operations
Disclosure of Information
- Crawford Group. As a global company, your personal information may be shared amongst our affiliates and subsidiary companies, whose handling of your personal information is subject to this EU Privacy Notice.
- Providers. We may share your information with third party service providers who use this information to perform services for us, such as payment processors, hosting providers, auditors, advisors, law firms, consultants and customer service and support providers. We may also share information with third party providers as necessary to perform our services to you.
- Enterprise users. If you communicate with us or engage us to perform the Services on behalf of your company (our client), we may share with that client information about our interactions with you.
- Business Transfers. We may disclose or transfer information, including personal information, as part of any merger, sale and/or transfer of our assets, acquisition or restructuring of all or part of our business, bankruptcy or similar event, including related to due diligence conducted prior to such event where permitted by law.
- Legally Required. We may disclose your information if we are required to do so by law or regulation (e.g., to law enforcement, courts or others, e.g., in response to a subpoena or court order).
- Protect our Rights. We may disclose information where we believe it is necessary to respond to claims asserted against us, or to comply with legal process (e.g., subpoenas or warrants), enforce or administer our agreements and terms, for fraud prevention and detection, risk assessment, investigation, and to protect the rights, property or safety of Crawford, our clients and customers, our staff or others.
- Anonymised and Aggregated Data. We may share aggregate or de-identified information with third parties for research, marketing, analytics and other purposes, provided such information does not identify a particular individual.
- Client Services and Claims-related Personal Information. As noted above, we are a service provider to our clients, and a data processor with respect to the personal information we collect in performing our Services (including claims handling services). Any personal information we collect related to handling claims on behalf of our clients may be disclosed to such clients or others as directed by our clients; such disclosures are subject to our clients’ policies.
Cookies, Analytics and Targeted Ads
We may send periodic promotional emails to you, and where required by law we will obtain your consent to do so. You may opt-out of such communications by following the opt-out instructions contained in the email. If you opt-out of receiving emails about recommendations or other information we think may interest you, we may still send you emails about your account or any Services you have requested or received from us.
We are a global company, and the data that we collect from you may be transferred to, accessed or stored in, and subject to requests from law enforcement in, jurisdictions outside of your home jurisdiction, including the United States, the Philippines, Australia, Canada, the European Union and other jurisdictions in which we or our service providers operate. Some of these jurisdictions, including the United States and the Philippines, may not provide equivalent levels of data protection as your home jurisdiction. We will take steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it, including through appropriate written data processing terms and/or data transfer agreements.
If you are in the European Economic Area (“EEA”) and we process your personal information in a jurisdiction that the European Commission has deemed to not provide an adequate level of data protection (a “third country”), we will implement measures to adequately protect your personal information, such as putting in place standard contractual clauses approved by the European Commission or another measure that has been approved by the EU Commission as adducing adequate safeguards for the protection of personal information when transferred to a third country. You have the right to obtain a copy with details of the mechanism under which your personal information is transferred outside of the EEA; you may request such details by contacting us as set forth in the “Contact Us” section below.
We take information security seriously. We have implemented appropriate safeguards and technical measures to protect the personal information that we have under our control from unauthorised access, use or disclosure. However, no data security measures can guarantee 100% security.
Retention of your Personal Data
As a general rule, we retain your personal information for as long as necessary to fulfil the purposes for which it was collected or as necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records and enforce our agreements. In general, we will retain relevant personal information of Site visitors for at least three years from the date of our last interaction with you and in compliance with our obligations under applicable laws. With respect to the claims-related data and files we handle as a processor, we retain this personal information in accordance with our clients’ instructions. We may retain personal data for longer where required by our regulatory obligations, professional indemnity obligations, or where we believe it is necessary to establish, defend or protect our legal rights and interests or those of others.
We will take steps to maintain accurate and complete personal information about you. In order to do so, we need you to notify us of changes in your personal circumstances (for example, change of address) so that we can update our records. Subject to the conditions set out in the applicable law you have the following rights with regard to our processing of your personal information:
- Your right of access. If you ask us, we will confirm whether we are processing your personal information and, if necessary, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
- Your right to correction (rectification). If the personal information we hold about you is inaccurate or incomplete, you are entitled to request to have it corrected. If you are entitled to have information corrected and if we have shared your personal information with others, we will let them know about the rectification where possible. If you ask us, we will also tell you, where possible and lawful to do so, with whom we have shared your personal information so that you can contact them directly.
- Your right to erasure. You can ask us to delete or remove your personal information in some circumstances, such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we have shared your personal information with others, we will let them know about the erasure where possible. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal information with so that you can contact them directly.
- Your right to restrict (block) processing. You can ask us to restrict the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to our use or stated legal basis. If you are entitled to restriction and if we have shared your personal information with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal information so that you can contact them directly.
- Your right to data portability. You have the right, in certain circumstances, to receive a copy of personal information we have obtained from you in a structured, commonly used and machine readable format, and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
- Right to object. You can ask us to stop processing your personal information, and we will do so, (i) to the extent that we are relying on our legitimate interests to use your personal information, in which case you have the right to object to such use, unless we can either demonstrate compelling legitimate grounds for the use that override your interests, fundamental rights and freedoms or where we need to process the data for the establishment, exercise or defence of legal claims, and (ii) where we are processing your personal information for direct marketing purposes.
- Your rights in relation to automated decision-making. You have the right not to be subject to a decision when it is based on automatic processing if it produces a legal effect or similarly significantly affects you, unless it is necessary for entering into or performing a contract between us.
- Your right to withdraw your consent. In the event your personal information is processed on the basis of your consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Your right to lodge a complaint. You also have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal information infringes applicable law.
Please note that some of these rights may be limited, such as where we have an overriding interest or legal obligation to continue to process the data. Please contact us as indicated in the “Contact Us” section below if you wish to exercise any of your rights, or if you have any enquiries or complaints regarding the processing of your personal information by us.
Third-Party Sites and Services
Crawford’s Sites may contain links to third-party websites or services. We are not responsible for the data privacy practices of such third parties, whose practices are subject to their own privacy policies and procedures and not Crawford’s Privacy EU Privacy Notice.
Information About Children
Our Sites and Services are not directed towards children and we do not encourage children to participate in providing us with any personal information. We do not knowingly collect any personal information from children under the age of 16, without parental consent. If you have reason to believe that a child under the age of 16 has provided personal information to us through the Site or Services without a parent or guardian’s consent, please contact us at email@example.com.
Changes to this Privacy EU Privacy Notice
We may update this Privacy EU Privacy Notice from time to time to reflect changes, and will post changes by updating the privacy EU Privacy Notice (and effective date) on this page. If we make any material changes that affect how we treat your personal information, we will endeavour to notify you in advance, such as by prominently posting a notice on this website or by directly sending you a notification. We encourage you to periodically review this website and our EU Privacy Notice to understand how Crawford protects your personal information. Once effective, the revised EU Privacy Notice will apply to you and your personal information.
If you have questions or concerns regarding this EU Privacy Notice, please contact our EU Data Protection Officer at:
Crawford Global Privacy Office
Attn: EU Data Protection Officer
70 Mark Lane
London EC3R 7NQ UK
|Crawford & Company Adjusters (UK) Limited||Crawford & Company (Sweden) AB|
|70 Mark Lane||Gruvgatan 35 A,|
|London EC3R 7NQ UK||Gothenburg SE|
|Crawford Aviation Limited||BELGIUM|
|70 Mark Lane||Crawford & Company Belgium NV|
|London EC3R 7NQ UK||Jan Olieslagerslaan 41|
|–||B-1800 Vilvoorde, Brussels BE|
|Contractor Connection (Repairnet) UK Limited||POLAND|
|70 Mark Lane||Crawford Polska Sp z.o.o|
|London EC3R 7NQ UK||ul. Ciszewskeigo 15|
|Crawford (Denmark) A/S||GERMANY|
|Lergravsvej 59||Crawford & Company (Deutschland) GmbH|
|Kobenhavn S 2300 DK||Werdener Str. 4,|
|–||40227 Düsseldorf, Germany|
|Crawford & Company (Netherlands) BV||NORWAY|
|Warenarburg 1, 2907 CK Capelle aan den Ijssel||Crawford & Company(Norway) AS|
|Rotterdam NL||Kjorbokollen 30,|
|–||Sandvika 1337 NO|
|Crawford & Company (Espana)||ITALY|
|Calle Miguel Angel 14 1st Floor||Crawford & Company Italia SRL|
|Madrid 28010 ES||Via Desiderio da Settignano, 15|
|–||Milan 20149 IT|
|Crawford & Company||FINLAND|
|5909 Peachtree Dunwoody Rd Bldg. D, Ste. 1000||Crawford & Company (Sweden) AB|
|Atlanta, GA 30328-7275 USA||Finland branch|
|–||Rantatie Business Park,|
|Crawford & Company International, Inc.||Hermannin Rantatie 8|
|5909 Peachtree Dunwoody Rd Bldg. D, Ste. 1000||FI-00580 Helsinki|
|Atlanta, GA 30328-7275 USA|
|Broadspire Insurance Services, Inc.|
|5909 Peachtree Dunwoody Rd Bldg. D, Ste. 1000|
|Atlanta, GA 30328-7275 USA|