Gallagher Re Global Privacy Notice

This Privacy Notice is intended to provide privacy information for those individuals (past, current and prospective) whose personal data we process, including:

• Business contacts e.g. Brokers, (re)insurers, experts instructed in relation to claims, suppliers, professional services, conference attendees, visitors to our offices, regulators, state officials and authorities;
• Those in respect of (re)insurance policies we place as part of our core (re)insurance business activities e.g. Parties covered under the policies, potential beneficiaries of the policies, claimants and other parties involved in a claim in respect of the policies;
• Users of our websites and portals; and
• Other individuals such as those entering competitions & promotions, requesting marketing information, making general enquiries, whose images we use in marketing and individuals captured on CCTV.

▲ Back to Our processing of your personal data

We may collect your personal data when you provide your personal data directly to us, including from any of our websites, portals, customer satisfaction surveys and market research. We may also collect your personal data indirectly from:

• Our clients, such as (re)insurers, network partners and third-party service providers;
• Publicly available sources such as social media platforms, property and assets registers, and claims and convictions records;
• Other companies within the Arthur J. Gallagher group;
• Government authorities, police and regulators;
• Insurance industry fraud prevention and detection databases, credit reference agencies and sanctions screening tools; and
• Selected third parties who provide us with details of potential clients.

▲ Back to Our processing of your personal data

We typically collect the following types of personal data:

• General information such as name, title, marital status, date of birth, age, gender, nationality, identification information such as signature or national identifier;
• Contact information including address, telephone number and email address;
• Employment information such as job title, business description, education, employment history and professional certifications;
• Consent and marketing preferences;
• Due diligence information including sanction checks, which may include criminal offences and alleged offences and cautions, court sentences or criminal convictions; and
• Day-to day business operations information such as information about visits to our offices (including CCTV), attendance at meetings and events hosted by us, preferences, photographic images and information offered up in communication and captured during recordings of telephone calls.

Sometimes we collect special category data, for example when we complete due diligence checks or when you offer this in information in communication. Special category data may include data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership.

Please see below for other types of personal data we may collect, which vary according to the type of service we provide and the relationship between us, or between you and our client.

We may collect the following personal data:

• Information about your finances, such as bank account numbers, credit card numbers, transaction information; brokerage account number, tax information, salary and remuneration, details of your income, property, assets, investments, pension and benefits, debts, creditworthiness, tax status, and existing (re)insurance arrangements;
• Statements made by or about you;
• Information relating to any professional disciplinary action that you are or have been the subject of;
• Personal data related to the provision of the services, such as policy information (e.g. start & end dates, cover, premium, individual terms), claims history, mid-term adjustments, reasons for cancellation and risk profile; and
• Special category data relevant to the policy and / or claim such as details of your current or former physical or mental health. We will only process such data to the extent necessary in connection with the (re)insurance policy or where in connection with legal proceedings.

▲ Back to Our processing of your personal data

We may collect the following personal data:

• Username, password, history of usage of information and communications devices, services and systems; and
• Your IP address, online identifier, cookies related information, website history, browsing time, social media account/history/contact.

▲ Back to Our processing of your personal data

We typically use your personal data to:

• Provide general client care, communicate with you and respond to any enquiries you have including the delivery of service information and sending invitations for events;
• Advertise, market and promote our services, including by email, post or telephone, and to evaluate, measure and improve the effectiveness of our advertising campaigns; to send you newsletters, offers or other information we think may interest you; to contact you about our services or information we think may interest you; and to administer promotions;
• Enter into business relationships, including carrying out due diligence and background checks such as fraud, sanctions, credit and anti-money laundering checks;
• Provide the services and fulfil our contractual obligations to clients including work necessary for business transactions such as arrangement of (re)insurance modelling;
• Enhance our internal or external communications and / or publicity material, including via social media;
• Manage our business operations including maintaining accounting records, analysing financial results, complying with internal audit requirements, receiving professional advice, and applying for and claiming on our own insurance.
• Comply with legal and professional obligations (including without limitation to meet national security or law enforcement requirements), discovery requests, or where otherwise required or permitted by applicable laws, court orders, government regulations, or regulatory authorities;
• Ensure business continuity by preventing or detecting criminal conduct or other wrongdoing, or otherwise as reasonably necessary to protect our rights or the rights of any third party. This includes monitoring the safety and security of premises, employees and visitors;
• Monitor and prevent fraud;
• Develop, enhance, expand or modify our services through research and development including surveys, and risk modelling and data analysis by understanding risk exposures, crafting solutions with appropriate (re)insurance coverage, limits, deductibles based on historical datasets;
• Improve quality, training and security (for example, with respect to recorded calls);
• Facilitate commercial transactions, including a reorganisation, merger, sale of all or a portion of our assets, a joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings). Should such a sale or transfer occur, we will use reasonable efforts to ensure the entity to which we transfer your personal data uses it in a manner consistent with this Privacy Notice; and
• Exercise, defend or protect our legal rights, including tracing and recovering debt.

Please see below for other uses of personal data, which vary according to the type of service we provide and the relationship between us, or between you and our client.

▲ Back to How we use your personal data

• Facilitate and enable placement of (re)insurance policies for our clients and to assist in the ongoing management of such policies, including premium management, renewals, adjustments, cancellations and claims;
• Advise our clients on the management of their business risks, affairs and (re)insurance arrangements;
• Provide services which you did not personally request but were requested by our client(s) and require us to interact, directly or indirectly, with you; and
• Exercise, defend or protect the legal rights of our clients or third parties.

▲ Back to How we use your personal data

• Monitor usage of our website and present relevant information to you based upon your browsing habits;
• Monitor, review, assess and improve our websites and portals; and
• Manage and change digital access permissions.

▲ Back to How we use your personal data

We operate as a global business and hence your personal data will be transferred across geographical borders to fulfil the purposes set out in this Privacy Notice. The laws that apply to the country where the data is transferred may not be equivalent to that in your local jurisdiction (or in the jurisdiction in which we provide the services). Transfers of personal data will be subject to suitable safeguards where appropriate to ensure they have an adequate level of protection e.g. the use of Standard Contractual Clauses.

Please contact us using the details provided under the Contacting Us section if you would like further information regarding the steps we take to protect your personal data when sending it abroad.

▲ Back to Top

From time to time we may provide you with information about our products or services or those of our partners that we think will be of interest to you. We may send you this information by email, post or we may contact you by telephone.

We ensure that our marketing activities comply with all applicable legal requirements. In some cases, this may mean that we ask for your consent in advance of sending you marketing materials.

You can opt out of receiving marketing communications at any time. For example, you can click on the "unsubscribe" link in our marketing emails to unsubscribe from those emails. Alternatively, please contact us using the details provided under the Contacting Us section. In such circumstances, we will continue to send you service-related communications where necessary.

▲ Back to Top

Insurance market participants benchmark insured, beneficiary and claimant attributes and insured event likelihoods in order to determine insurance limits, insurance premiums and fraud patterns. This means that we may compile and analyse data in respect of insureds, beneficiaries and claimants to model such likelihoods. In doing so, we may use personal and commercial data in order to create the models and/or match that data against the models (profiling) to determine both the risk and the premium price based on similar exposures and risks. We also use this information to help us advise insurance companies about the typical levels of insurance coverage that our clients may have in place.

We do not make decisions solely based on automated decision making which produce legal effects or similarly significantly impacts you.

▲ Back to Top

We will only keep your personal data for as long as reasonably necessary to fulfil the purposes set out in this Privacy Notice.

When we no longer need your personal data, we de-identify or aggregate the data (in which case we may retain this de-identified or aggregated data for analytics purposes) or securely destroy it. Please note that anonymised data is not treated as personal data under this Privacy Notice.

We have a detailed retention policy that governs how long we hold different types of information. Please contact us using the details provided under the Contacting Us section for further information regarding how long we keep your personal data.

▲ Back to Top

We use a range of organisational and technical security measures to protect your personal data. For example within Gallagher Re:

• We restrict access to your personal data to those who need to know that information for the purposes set out in this Privacy Notice;
• We use firewalls to block unauthorised traffic to the servers;
• Our physical servers are located in secure locations, which can only be accessed by authorised personnel; and
• Our internal procedures cover the storage, access and disclosure of your personal data.

Please note that where we have given you (or you have chosen) a password, you are responsible for keeping the password confidential. Please do not share your password with anyone.

▲ Back to Top

We are committed to respecting your personal data rights arising from the applicable data protection laws. Some countries also require us to provide specific information about your personal data rights, which we have provided in Appendix A (other than in respect of the United Kingdom (UK) and the European Economic Area (EEA), for which see below). Please contact us using the details provided in the Contacting Us section if you wish to exercise your rights.

We will not usually charge you for dealing with these requests. There may be cases where we may not be able to comply with your request (such as where this would conflict with our obligation to comply with other regulatory and/or legal requirements). We will tell you the reason if we cannot comply with your request and we will always respond to any request you make. This will not affect any other legal rights or remedies that you have.

We would always encourage you to contact us if you have any concerns with how we use your personal data and we will do our best to resolve your concerns. Where you feel that we have not addressed your concerns, please contact us using the details provided in the Contacting Us section. However, you may have a right to complain to a local data protection authority if you believe that any use of your personal data by us is in breach of data protection laws and/or regulations. See Appendix A for the contact details of local data protection authorities. This will not affect any other legal rights or remedies that you have.

Personal data rights in the UK, EEA and certain other locations include, subject to certain limitations:

The right to access your personal data

You are entitled to a copy of the personal data we hold about you and certain details of how we use it. We will usually provide you with your personal data in writing, unless you request otherwise, or where you have made the request using electronic means, in which case where possible we will provide the information to you by electronic means.

The right to rectification

We take reasonable steps to ensure that information we hold about you is accurate and complete. However, you can ask us to amend or update it if you do not believe this is the case.

The right to erasure

You have the right to ask us to erase your personal data in certain circumstances, for example where you withdraw your consent or where the personal data we collected is no longer necessary for the original purpose. This will need to be balanced against other factors however. For example, we may have regulatory and/or legal obligations which mean we cannot comply with your request.

The right to restriction of processing

In certain circumstances, you are entitled to ask us to stop using your personal data, for example where you think that we no longer need to use your personal data or where you think that the personal data we hold about you may be inaccurate.

The right to data portability

You have the right, under certain circumstances, to ask that we transfer personal data that you have provided to us to another third party of your choice.

The right to object to marketing

You can ask us to stop sending you marketing messages at any time. You can do this either by clicking on the "unsubscribe" link which is contained in emails that we send to you or you can use the details set out in the Contacting Us section to contact us. If you opt out of receiving marketing messages, we may still send you service related communications where necessary.

Rights relating to automated decision-making

You can ask us to review the decision if you have been subject to an automated decision using your personal data.

The right to withdraw consent

If we ask for your consent for certain uses of your personal data then you have the right to withdraw your consent to further use of your personal data.

The right to lodge a complaint with the data protection authority

You have a right to complain to the regulatory authority if you believe that any use of your personal data by us is in breach of applicable data protection laws and/or regulations.

▲ Back to Top

Please contact us if you have any questions about how we collect, store or use your personal data. You may contact us by writing to GlobalPrivacyOffice@ajg.com.

There is a legal requirement to provide the name of an individual and/or contact point for the individual in some countries:

Country	Role and name
Bermuda	Privacy Officer: Aaron Lutkin
Brazil	Data Protection Officer: Samantha Alfonzo
Canada	Privacy Officer: GlobalPrivacyOffice@ajg.com
Malaysia	Privacy Contact: DPO@ajg.com +44 (0)207 204 6000
South Africa	Information Officer: Amanda Lightfoot
South Korea	Privacy Officer: Stella Yoon, DPO@ajg.com +82 (0)2 3782 4994
Spain	Data Protection Officer: Daniel Lousqui +44 (0)207 204 6000

▲ Back to Top

This United States of America Addendum supplements the terms of Gallagher Re’s Global Privacy Notice and applies to individuals who are residents of the United States, as specified below.

1. California Privacy Policy

The section (California Privacy Policy) relates solely to residents of the State of California, and for purposes of this section, “you” means residents of the State of California. This section will provide you with information about our Information Practices and your privacy rights under the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA) and applicable regulations (collectively referred to as “CPRA”). Any terms defined in the CPRA have the same meaning when used in this section.

Personal Information we collect

Gallagher collects information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household (“CPRA Covered Personal Information” or “personal information”). CPRA Covered Personal Information does not include personal information that has been de-identified or aggregated, or that is publicly available information from government records.

In particular, we have collected the following categories of CPRA Covered Personal Information from consumers (as that term is defined in the CPRA) within the last twelve (12) months:

Category	Examples	Collected
A. Identifiers.	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.	Yes
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, medical information, or health insurance information. Some CCPA Covered Personal Information included in this category may overlap with other categories.	Yes
C. Protected classification characteristics under California or federal law.	Age (40 years or older), race, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status.	Yes
D. Commercial information.	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	Yes
E. Biometric information.	Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	No
F. Internet or other similar network activity.	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.	Yes
G. Geolocation data.	Physical location or movements.	No
H. Sensory data.	Audio, electronic, visual, thermal, olfactory, or similar information.	No
I. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	No
J. Inferences drawn from other personal information.	Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	No
L. Sensitive Personal Information.	Social security, driver’s license, state identification or passport numbers; account log-in, financial account, debit or credit card number in combination with any required security or access code, password or credentials allowing access to an account; precise geolocation data; racial or ethnic origin, religious or philosophical beliefs or union membership, content of mail, email and text messages unless business is the intended recipient; genetic data; processing of biometric information for the purposes of uniquely identifying a consumer; personal information collected and analysed concerning your health.	Yes

Categories of sources from which we collect personal information

You have the right to know the categories of sources from which we collect your personal information. We make this information available to you in the How we Collect Your Personal Data section of our Global Privacy Notice.

Our processing of your personal information

You have the right to know how we process and use your personal information. We make this information available to you in the How We Use Your Personal Data section of our Global Privacy Notice.

Disclosure of Personal Information

You have the right to know if we share your personal information with any third parties and the categories of those third parties. We make this information available to you in the Who we Share Your Personal Data With section of our Global Privacy Notice.

No Sales or Sharing of Personal Information

We do not sell personal information for monetary or other consideration, and we do not share your personal information for cross-context behavioural advertising (as defined in the CPRA). We have also not sold or shared the personal information of consumers under 16 years of age.

Use of Sensitive Personal Information

We do not use or disclose sensitive personal information for purposes other than those specified in section 7027, subsection (m) of the CPRA regulations and we do not collect or process sensitive personal information for purposes of inferring characteristics about you.

Your CPRA Consumer Rights

Where we are acting as a business (as opposed to a service provider as those terms are defined in the CPRA), you have the following rights:

Your right to Access

You have the right to request that we disclose the categories of personal information we collected about you, the categories of sources for the personal information we collected about you, our business or commercial purpose for collecting your personal information, the categories of third parties with whom we share your personal information; and the specific pieces of personal information we collected about you.

Your right to data portability

You have the right to obtain a copy of your data in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the data to a third party.

Your right to delete

You may have the right to request that we delete your personal information where we act as a business. This right is subject to several exceptions and we may deny your deletion request if retaining the information is necessary for us or our service providers to:

1. Complete the transaction for which we collected the personal information and take actions reasonably anticipated within the context of our ongoing business relationship with you or our client;
2. Detect bugs or errors in our Sites, detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
3. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
4. Comply with a legal obligation; or
5. Make other internal and lawful uses of that information as permitted by law or that are compatible with the context in which we collected it.

Your right to correct

We will not discriminate or retaliate against you for exercising any of your rights under the CCPA, including we will not deny you goods or services, charge you different prices for goods or services, provide you a different level or quality of goods or services, or suggest that you will receive a different price for goods or services or a different level of quality of goods and services.

Your right to non-discrimination and no retaliation

We will not discriminate or retaliate against you for exercising any of your rights under the CCPA, including we will not deny you goods or services, charge you different prices for goods or services, provide you a different level or quality of goods or services, or suggest that you will receive a different price for goods or services or a different level of quality of goods and services.

a) Exercising Your Rights

You may exercise your rights to know, delete and correct as described above by submitting a verifiable request to us by either:

Emailing us at GlobalPrivacyOffice@ajg.com
Completing the Privacy Rights Request Form at https://cloud.info.ajg.com/privacy-rights-request-form
Calling us at 1-833-208-9359

b) Verification Process

We are only required to fulfill verifiable requests. Only you, you as a parent or a legal guardian on behalf of a minor child, or your authorized agent, may make a verifiable request related to personal information.

If you submit your request through an authorized agent, we may require you to provide your agent with written permission to do so and verify your identity. We may deny any request by an authorized agent that does not submit proof that the agent has been authorized by you to act on your behalf.

• For requests for access to categories of personal information, we will verify your request to a “reasonable degree of certainty.” This may include matching at least two data points that you would need to provide with data points we maintain about you and that we have determined to be reliable for the purposes of verification.
• For requests for specific pieces of personal information (portability request), we will verify your request to a “reasonably high degree of certainty.” This may include matching at least three data points that you would need to provide with the data points we maintain about you and that we have determined to be reliable for the purposes of verification. We will also require you to submit a signed declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.
• For requests to delete, we will verify your request to a “reasonable degree” or a “reasonably high degree of certainty” depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion.

We will use the personal information you provide in a request only for purposes of verifying your identity or authority to make the request.

c) Response Timing and Format

We will respond to a verifiable request within forty- five (45) days of its receipt, and will notify you within those forty-five (45) days if we require more time to respond and the reasons for the additional time.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any information we provide in response to a verified request to know will include information we have collected about you on or after January 1, 2022, including beyond the 12-month period preceding our receipt of the request, unless doing so proves impossible or would involve disproportionate effort, or you request data for a specific time period. (Note that the law prohibits us from disclosing at any time a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or any unique biometric data.)

If we cannot comply with a request or a portion of the request, we will include the reasons in our response. If we deny your request on the basis that it is impossible or would involve a disproportionate effort, we will explain our reasons, such as the data is not in a searchable or readily accessible format, is maintained for only legal or compliance purposes, or is not sold or used for any commercial purpose and our inability to disclose it, delete or correct it would not impact you in any material manner.

We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

*Please note that in certain cases we may collect your personal information as a service provider (as opposed to a business, as those terms are defined in the CPRA) pursuant to a contract we have with a commercial client (the CPRA business) to provide a service. In such a case, we are required to collect and process your information only based on the instructions received from the business. Should you direct your requests to exercise your rights to us, we may be required to share your request with the business, who is the party responsible under the CPRA for receiving, verifying and responding to your requests, or we may direct you to make your request directly to the business.

CPRA exemptions

This section (California Privacy Policy) does not apply to the following data which is exempt from the CPRA, including but not limited to: medical information governed by the California Confidentiality of Medical Information Act (CMIA); protected health information collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or personal information collected, processed, sold, or disclosed pursuant to certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994 (DPPA).

Other California Privacy Rights

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Sites who are California residents to request certain information regarding our disclosure of personal information to affiliates and other third parties for their direct marketing purposes. To make such a request, please send an email to GlobalPrivacyOffice@ajg.com.

2. Notice Of Colorado, Connecticut, Virginia And Utah Privacy Rights

The section (Notice of Colorado, Connecticut, Virginia and Utah Privacy Rights) relates solely to residents of the States of Colorado, Connecticut, Virginia and Utah, and provides you with information about your privacy rights under the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act and the Utah Consumer Privacy Act.

This section shall be effective for the residents of those States on the dates set forth below:

• Effective January 1, 2023, for residents of the State of Virginia
• Effective July 1, 2023, for residents of the States of Colorado and Connecticut
• Effective December 31, 2023, for residents of the State of Utah

For purposes of this section, “residents”, “consumers” or “you” means individuals of those states who are acting in their individual or household context. This section does not apply to individuals acting in their commercial or employment context.

Personal Information we collect

You have a right to know the categories and types of personal information we collect about you. We make this information available to you in the Personal Data We Collect section of our Global Privacy Notice.

Categories of sources from which we collect personal information

You have a right to know the categories of sources from which we collect your personal information. We make this information available to you in the How we Collect Your Personal Data section of our Global Privacy Notice.

Our processing of your personal information

You have the right to know how we process and use your personal information. We make this information available to you in the How We Use Your Personal Data section of our Global Privacy Notice.

For residents of the State of Virginia, to the extent that we maintain de-identified data, we take reasonable measures to ensure that de-identified data cannot be associated with a natural person, we publicly commit to maintaining and using de-identified data without attempting to re-identify the data, and we contractually obligate any recipient of the data to comply with the same obligations.

Disclosure of Personal Information

You have the right to know if we share your personal information with any third parties. We make this information available to you in the Who we Share Your Personal Data With section of our Privacy Notice.

No Sale of Data or Use of Data for Targeted Advertising

We do not sell your personal information and we do not use your data for targeted advertising (as that term is defined by your applicable state law). We may send you advertising in response to your request for information or feedback or based on your activities with our Sites, including your search queries and visits to our Sites. However, we will not send you targeted advertising based on your activities across non-affiliated Sites to predict your preferences or interests.

Your Rights

Where we act as the Controller of your personal information (as opposed to a Processor as those terms are defined in your applicable State law), you have the right to submit a request to us for the following:

Your right to access

You have the right to know if we process your personal information and have access to such information and certain details of how we use it.

Your right to correct

We take reasonable steps to ensure that information we hold about you is accurate and complete. However, you have the right to request that we correct any inaccurate personal information that we have about you.

Your right to delete

You may have the right to request that we delete your personal information where we act as a controller. This right is subject to several exceptions and we may deny your deletion request if retaining the information is necessary for us or our processors to:

1. Complete the transaction for which we collected the personal information and take actions reasonably anticipated within the context of our ongoing business relationship with you or our client;
2. Detect bugs or errors in our Sites, detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
3. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
4. Comply with a legal obligation; or
5. Make other internal and lawful uses of that information as permitted by law or that are compatible with the context in which we collected it.

Your right to restriction of processing (opt-out)

You have the right to opt-out of processing your personal information for purposes of profiling in furtherance of any automated processing of your data that produce legal or similarly significant effects concerning you. (This right only applies to residents of the States of Colorado, Connecticut and Virginia.)

Your right to data portability

You have the right to obtain a copy of your data in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the data to a third party.

Your right to non-discrimination and no retaliation

We will not discriminate or retaliate against you for exercising any of your rights, including but not limited to, by denying you goods or services, charging you different prices for goods or services, or providing you a different level or quality of goods or services.

Your right to restrict the processing of sensitive information

Unless we are processing your sensitive information pursuant to any of the legal exemptions listed in Section 7 below or as otherwise allowed by law:

• For residents of the States of Connecticut, Virginia and Colorado, we will not process your sensitive information without first obtaining your consent; and
• o For residents of the State of Utah, we will not process your sensitive personal information without providing you with notice and an opportunity to opt out.

a) Exercising Your Rights

You may exercise your rights described above by submitting a request to us by either:

Emailing us at GlobalPrivacyOffice@ajg.com
Completing the Privacy Rights Request Form at https://cloud.info.ajg.com/privacy-rights-request-form
Calling us at 1-833-208-9359

b. Authentication Process

We will only fulfill request when we can verify your identify and confirm that you are authority to make such a request.

Only you, you as the parent or legal guardian on behalf of your minor child, or your authorized agent, guardian or conservator may make a request related to personal information. If an authorized agent, legal guardian or conservator submits the request, we may require your written permission to do so and may require additional information to authenticate your identity. We may deny a request by an authorized agent, legal guardian or conservator who does not submit proof of authorization to act on your behalf.

We will only use the personal information you provide in a request to verify your identity or authority to make the request.

c. Response Timing and Format

We will respond to an authenticated request within forty- five (45) days of its receipt, and will notify you within those forty-five (45) days if we require more time to respond and the reasons for the additional time.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

If we cannot comply with a request or a portion of the request, we will include the reasons in our response.

For residents of the States of Colorado, Connecticut and Utah, you may make one request within a twelve-month period at no charge. For residents of the State of Virginia, you may make a request up to two (2) times within a twelve (12) month period at no charge. We reserve the right to charge a fee to process or respond to any request that we consider excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Right to Appeal

You have the right to appeal our decision within a reasonable period of time after receipt of our response. You may appeal our decision by sending us an email at GlobalPrivacyOffice@ajg.com. We will respond to your appeal within 60 days of receipt (45 days of receipt for residents of Colorado) and will inform you of any decisions and the reasons for such decisions.

* Please note that in certain cases we may collect your personal information as a processor (as opposed to a controller, as those terms are defined in your applicable state privacy law) pursuant to a contract we have with a commercial client (the controller) to provide a service. In such a case, we are required to collect and process your information only based on the instructions received from the controller. Should you direct your requests to exercise your rights to us, we may be required to share your request with the controller, who is the party responsible under your applicable state privacy law for receiving, authenticating and responding to your requests.

Exemptions

This section (Notice of Colorado, Connecticut, Virginia and Utah Privacy Rights) does not apply to certain entities and data that are exempt from your applicable state privacy law, including but not limited to the following: covered entities, business associates and protected health information governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH); financial institutions and personal information subject to the Gramm-Leach-Bliley Act (GLBA); and personal information collected, processed, sold, or disclosed pursuant to certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act, the Farm Credit Act and the Driver’s Privacy Protection Act of 1994 (DPPA).

▲ Back to Top