Privacy Policy (Hong Kong Branch)
Effective date: 02 February 2026
1. Who we are
This policy explains how Berkley Insurance Company (“we”, “us”, “our”) handles personal data in Hong Kong under the Personal Data (Privacy) Ordinance (Cap. 486) (the ‘PDPO’) in connection with policy placement and administration, claims and related insurance activities.
2. What personal data we collect
We collect a limited set of personal data that is relevant to our (re)insurance activities. We collect it from individuals and cedants, via brokers or other intermediaries, from parties involved in a claim (e.g., claimants, witnesses, experts), from public sources or from our service providers acting on our behalf. This may include:
• Identity and contact details of individuals who act for, with or on behalf of policyholders, insureds, beneficiaries or applicants (e.g., directors, officers, authorised signatories or contact persons named on proposal forms, schedules or endorsements or, in some cases, (re)insurance policies).
• Claim‑related information about individuals relevant to a claim (e.g., claimants, witnesses, employees or other persons whose information is needed to evaluate coverage, handle defence, settlement or recovery).
• Personal identifiers (e.g., HKID), collected only if authorised by law or strictly necessary after considering less intrusive alternatives (e.g., passport). Paper copies, where permitted, are marked “COPY”, access is restricted and identifiers are erased when no longer required.
3. Purposes for which we collect and use personal data
We collect and use personal data only for lawful purposes directly related to our functions and activities as a (re)insurer, and only where the collection is necessary and not excessive. Our primary purposes include:
• Underwriting and evaluating proposals, policy administration and servicing (including endorsements, renewals and audits).
• Claims management (notification, investigation, defence, negotiation, settlement, subrogation/recovery and fraud prevention).
• Insurance and reinsurance placement and administration.
• Legal and regulatory compliance, including anti‑money laundering/counter‑terrorist financing (AML/CTF), sanctions screening, statutory reporting and responding to regulators or law enforcement.
• IT, security and operational support, including vendor hosting, cybersecurity safeguards and incident response.
We will inform individuals of these purposes and the classes of transferees (see section 5 of this policy) on or before collection through our Personal Information Collection Statement (PICS).
4. Use limitation and consent for new purposes
We use personal data only for the original purpose of collection or a directly related purpose. If we need to use personal data for any new purpose, we will first obtain the “prescribed consent” of the individual whose personal data is involved (this is express consent, given voluntarily and not withdrawn in writing).
5. Third parties to whom we may disclose or transfer personal data
Under the PDPO, “use” of personal data includes disclosure or transfer of that data. We may disclose or transfer personal data to:
- Policyholders, insureds and beneficiaries, and their brokers or other intermediaries, involved in placement and administration.
- Reinsurers, retrocessionaires and reinsurance brokers.
- Loss adjusters, third‑party administrators, forensic and other experts, medical or technical professionals, investigators (subject to lawful and fair means of collection and “adequate but not excessive” data handling).
- Panel lawyers, counsel, courts/tribunals.
- Regulators and public authorities (including law enforcement) where required or permitted by law.
- Service providers (data processors) providing IT hosting, cloud, cybersecurity, communications, document management or other operational support, under contracts that protect personal data.
Direct marketing: We do not generally conduct direct marketing to individuals. If we ever intend to use personal data for direct marketing, we will follow Part 6A of the PDPO regarding consent and an individual’s right to opt out of direct marketing at any time, free of charge.
6. Data accuracy and retention
We take practicable steps to keep personal data accurate and up‑to‑date and not to keep it longer than is necessary for the purpose for which it is used. As guidance, and subject to case‑by‑case needs:
- Policy and placement records containing personal data (e.g., signatory or contact details) are typically retained up to seven (7) years after the end of the business relationship, to meet legal, regulatory and audit requirements and to manage potential claims.
- Claim files are retained for the life of the claim and then for a period that reflects limitation periods, regulatory requirements and potential disputes.
- Where we engage a data processor, we adopt contractual or other means to prevent personal data being kept longer than necessary.
If data is no longer required, we will erase it, unless erasure is legally prohibited or public‑interest considerations apply.
7. Information security
We implement practicable security safeguards (organisational, technical, physical and contractual) to protect personal data against unauthorised or accidental access, processing, erasure, loss or use. Where we use data processors, we impose security and confidentiality obligations contractually.
Our security programme reflects PCPD guidance on cyber and breach risks (e.g., multi‑factor authentication, patching, monitoring, retention hygiene) and we maintain a data breach response plan addressing containment, assessment, notifications and documentation in line with PCPD breach‑handling guidance.
8. Transfers outside Hong Kong
Where personal data is transferred or accessed from outside Hong Kong (e.g., by group entities, reinsurers or service providers), we make reasonable efforts to ensure the data will not be handled in a way that would contravene the PDPO if it occurred in Hong Kong.
9. Data access and correction rights
Individuals have the right to request access to personal data we hold about them and to request correction of any inaccurate data. We will respond within 40 days after receiving a request, and any fee (if charged) will not be excessive. Requests can be made in writing to the contact in section 12.
10. Fairness and lawful means
We collect personal data by lawful and fair means and ensure collection is necessary and not excessive for our purposes. This extends to any third parties acting on our behalf, who must also collect data lawfully, fairly and proportionately.
11. Use of AI tools (if any)
If we use AI when handling personal data (e.g., document classification or fraud analytics), we do so in line with PDPO requirements and PCPD’s AI guidance, maintaining human oversight, transparency where appropriate, data minimisation and robust security.
12. How to contact us
Privacy Compliance Officer: Chloe Huang, Regulatory Risk and Compliance Officer Asia
Address: Room 4407, 44/F, Hopewell Centre, 183 Queen’s Road East, Wan Chai, Hong Kong
Email: [email protected]
Phone: +852 3708 5000
Please indicate whether your request is a Data Access Request or a Data Correction Request. We may need to verify your identity and the scope and nature of your request so that we can respond properly.
13. Changes to this policy
We may update this policy from time to time to reflect changes in our practices or legal requirements. We will make the updated policy available through this website, and the effective date will be shown at the top.
European Union General Data Protection Regulation (GDPR)
European Union customers can access our Privacy Notice under GDPR by clicking this link.