Privacy Policy (Singapore Branch)

Effective date: 02 February 2026

1. Who we are

This policy explains how Berkley Insurance Company (Singapore Branch) (“we”, “us”, “our”) handles personal data in Singapore under the Personal Data Protection Act 2012 (“PDPA”) in connection with insurance placement and administration, claims and related activities.

2. What personal data we collect and from whom

We collect personal data that is reasonable and appropriate for our (re)insurance activities from policyholders/insureds/beneficiaries, brokers and other intermediaries, claimants and witnesses, service providers acting on our behalf, and public sources. Depending on the product or claim, this can include:

• Identification and contact details.
• Policy and risk information.
• Finance/billing information.
• Claims information (including statements, reports, images and, where necessary, health information).
• IT usage data (e.g., logs to protect our systems).

We collect national identification numbers (e.g., NRIC/FIN) only where required by law or where necessary to accurately verify identity or assess a claim, and only after considering less intrusive alternatives.

Business contact information. Because we insure mainly corporate customers, most of what we handle is work contact details for people who act for those customers (for example, name, job title, work email address and office phone number). Under Singapore’s PDPA, this type of work contact detail is generally treated differently from other personal data and many of the PDPA’s core provisions do not apply to it. Even so, we handle it responsibly and keep it secure.

This special treatment applies only to work contact details; it does not cover other information about an individual (such as claim information), and it does not remove our obligations under the Do Not Call rules for any marketing to Singapore numbers.

3. Purposes for which we collect, use and disclose personal data

We collect, use and disclose personal data for purposes that are appropriate to our business, including:

• Underwriting, placement and policy administration (including endorsements and renewals).
• Claims management (notification, investigation, defence, negotiation, settlement, recovery/subrogation and fraud prevention).
• Reinsurance placement and administration.
• Handling enquiries and communications.
• Performing due diligence, sanctions and AML/CFT screening and other legal, regulatory and audit obligations.
• IT, security and business operations (including vendor hosting and support, cybersecurity safeguards and incident response).
• Other purposes notified at collection or directly related to the original purpose.

Where required, we will provide a Personal Information Collection Statement (PICS) at or before collection to explain the specific purposes and recipients.

4. Consent, deemed consent and PDPA exceptions we rely on

Where required, we obtain an individual’s consent to collect, use or disclose their personal data. In appropriate cases, we may rely on deemed consent (e.g., when data is voluntarily provided for a purpose), deemed consent by notification with an opt‑out window, or statutory exceptions such as for business improvement, legitimate interests (e.g., to detect and prevent fraud or security incidents), evaluative purposes, investigations or to comply with the law. We won’t ask for an individual’s agreement to uses of their data that aren’t needed to provide the product or service.

Sometimes we use personal data under the PDPA’s Legitimate Interests Exception (LIE) – for example, where we have a compelling business or security reason and the impact on individuals is limited. Where we rely on LIE or deemed consent by notification, we first assess and record why it’s needed and how any impact on individuals can be reduced. We can provide general information about this on request.

Withdrawal of consent. An individual may withdraw their consent at any time by contacting our DPO. We will explain any likely consequences of withdrawal and, unless an exception applies, we will cease the relevant collection, use or disclosure of relevant personal data.

5. Do Not Call (DNC) provisions and direct marketing

If we send marketing messages to a Singapore telephone number, we will either have clear and unambiguous consent in evidential form, or we will check the applicable Do Not Call Register(s) no earlier than 21 days before sending the message. Every message will include our contact details and a simple opt‑out. You may withdraw consent to marketing at any time.

6. NRIC/FIN handling

We do not routinely collect full NRIC/FIN numbers. We will do so only if required by law, or if necessary to accurately verify your identity or to assess/settle a claim. If we do collect NRIC/FIN numbers, we will protect them with heightened safeguards and erase them when no longer needed.

7. Who we share personal data with

For purposes appropriate to our business, we may disclose personal data to:

• Policyholders, insureds, beneficiaries and their brokers or intermediaries.
• Reinsurers, retrocessionaires and reinsurance brokers.
• Appointed loss adjusters, Third Party Administrators, investigators and other experts, medical or technical professionals, panel lawyers/counsel and courts and tribunals.
• Our group entities providing services.
• IT and other service providers (data intermediaries) under contracts that impose comparable safeguards to those mentioned in this privacy policy.
• Regulators and law‑enforcement authorities where required or permitted by law.

8. Overseas transfers

If personal data is transferred to or accessed from a country/territory outside Singapore, we ensure that the recipient is bound by legally enforceable obligations (e.g., contract clauses, binding corporate rules or recognised certifications) to provide a standard of protection that is at least comparable to the PDPA, or we will rely on other PDPA transfer mechanisms (including consent or data‑in‑transit provisions), as appropriate.

9. Data protection, retention and accuracy

We make reasonable security arrangements (organisational, technical, physical and contractual) to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, and against the loss of any storage medium or device on which personal data is stored.

We take reasonable steps to ensure data is accurate and complete where it is likely to be used to make decisions that affect individuals or to be disclosed.

We retain personal data only as long as necessary for legal, business or operational purposes (for example, policy/placement records are typically retained up to seven years after the end of the business relationship, claim files for the life of the claim and a further period reflecting limitation and regulatory requirements), after which we securely delete or anonymise it.

10. Data breach management

We maintain and test a data breach response plan. Where a data breach is likely to result in significant harm to affected individuals, or is of a significant scale, we will notify the Personal Data Protection Commission (PDPC) as soon as practicable and in any case no later than 3 calendar days after making that assessment, and we will notify affected individuals where required.

11. Access and correction requests

Individuals may request access to personal data that we hold about them and information about how it has been used or disclosed within the past year, and request corrections of any inaccuracies. We will respond to any request as soon as reasonably possible; if we need more than 30 days, we will provide details of the time by which we will respond.

We may, where appropriate, provide access by giving a copy or a reasonable opportunity to view the data, and we may mask or withhold third party personal data where required by law.
We may charge a reasonable fee to process an access request and will provide a written estimate before proceeding.

12. Use of automated tools/AI (if any)

If we use AI or automated tools (e.g., document classification or fraud analytics), we apply accountability, human oversight, data minimisation and appropriate safeguards.

13. How to contact our Data Protection Officer (DPO)

Please contact our DPO for any query or to exercise your rights:
Data Protection Officer
Address: #09 03 18 Cross, 18 Cross Street, Singapore 048423
Email: [email protected]
Phone: +65 6902 0601
14. Updates to this policy
We may update this policy from time to time and will make the latest version available on our website.

European Union General Data Protection Regulation (GDPR)

European Union customers can access our Privacy Notice under GDPR by clicking this link.