Privacy Notice

Privacy Policy

Introduction

HWI France (HWIF), a wholly owned subsidiary of Steadfast Group Holdings (UK) Limited strives to protect the privacy and the confidentiality of Personal Data that the company processes in connection with the services it provides to its clients. HWIF’s services consist primarily of risk management and insurance broking, which enable the consideration of, access to, administration of, and making of claims on, insurance.

To arrange insurance cover and handle insurance claims, HWIF and other participants in the insurance industry are required to use and share Personal Data.

During the insurance lifecycle, HWIF will receive Personal Data relating to potential or actual policyholders, beneficiaries under a policy, their family members, claimants and other parties involved in a claim. Therefore references to “individuals” in this notice include any living person from the preceding list, whose Personal Data HWIF receives in connection with the services it provides under its engagements with its clients. This notice sets out HWIF’s uses of this Personal Data and the disclosures it makes to other insurance market participants and other third parties.

Identity of the Data Controller and Contact Details

HWI France of 73 Boulevard Haussmann, 75008 Paris (HWIF or We) is the controller in respect of the Personal Data it receives in connection with the services provided under the relevant engagement with its client.

Personal Information that We Process

Individual Details – name, address (and proof of address), other contact details (eg email and telephone details), gender, marital status, family details, date and place of birth, employer, job title and employment history, relationship to the policyholder, insured, beneficiary or claimant);

Identification Details – identification numbers issued by government bodies or agencies (eg depending on the country you are in, social security or national insurance number, passport number, ID number, tax identification number, driver’s licence number);

Financial Information – payment card number, bank account number and account details, income and other financial information;

Insured Risk – information about the insured risk, which contains Personal Data and may include, only to the extent relevant to the risk being insured:

• Health Data: current or formal physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (eg smoking or consumption of alcohol), prescription information, medical history;
• Criminal Records Data: criminal convictions, including driving offences; and
• Other Special Categories of Personal Data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning an individual’s sex life or orientation.

Policy Information – information about the quotes individuals receive and the policies they obtain;

Credit and Anti-Fraud Data – credit history and credit score, information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, or regulators or law enforcement agen

Previous Claims – information about previous claims, which may include health data, criminal records data and other special categories of Personal Data (as described in the Insured Risk definition above);

Current Claims – information about current claims, which may include health data, criminal records data and other special categories of Personal Data (as described in the Insured Risk definition above);

Marketing Data – whether or not the individual has consented to receive marketing from us and/or from third parties; and

Website and Communication Usage – details of your visits to our website and information collected through cookie and other tracking technologies, including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.

Where we collect such information directly from individuals, we will inform them of whether the information is required and the consequences of not providing it on the relevant form.

Sources of Personal Data

We collect and receive Personal Data from various sources, including (depending on the service provided and country you are in):

• Individuals and their family members by telephone or in written correspondence, including email;
• Individuals’ employers or trade or professional associations of which they are a member;
• In the event of claim, third parties including the other party to the claim (claimant/defendant), witnesses, experts (including medical experts), loss adjusters, lawyers and claims handlers;
• Other insurance market participants, such as insurers, reinsurers and other intermediaries;
• Credit reference agencies (to the extent HWIF is taking any credit risk);
• Anti-fraud databases and other third party databases, including sanctions lists;
• Government agencies, such as vehicle registration authorities and tax authorities;
• Claim forms;
• Open electoral registers and other publicly available information;
• Business information and research tools; and
• Third parties who introduce business to us

How We Use and Disclose Your Personal Data

In Appendix 1, we set out the purposes for which we use Personal Data, explain how we share the information and identify the “legal grounds” on which we rely to process the information.

These “legal grounds” are set out in the General Data Protection Regulation (GDPR) which allows companies to process Personal Data only when the processing is permitted by the specific “legal grounds” set out in the GDPR. The full description of each of the grounds are as follows:

For processing personal data and special categories of personal data

Below you find the legal grounds with details that we can use to process your personal data.

• Performance of our contract with you – Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.
• Compliance with a legal obligation – Processing is necessary for compliance with a legal obligation to which we are subject.
• For our legitimate business interests – Processing is necessary for the purposes of legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data. These legitimate interests are set out next to each purpose.

For processing personal data and special categories of personal data

• Your explicit consent – You have given your explicit consent to the processing of those personal data for one or more specified purposes.
  You are free to withdraw your consent, by contacting our Data Protection Officer, however, withdrawal of this consent may impact our ability to provide the services. For more detail see the Consent section below.
• For legal claims – Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
  Substantial public interest – Processing is necessary for reasons of substantial public interest, on the basis of EU or French law.

Please note that in addition to the disclosures, we have identified in the table at Appendix 1, we will disclose Personal Data for the purposes we explain in this notice to service providers, contractors, advisers, agents and HWI group companies that perform activities on our behalf.

Consent

In order to facilitate the provision of insurance cover and administer insurance claims, unless another legal ground applies, we rely on the data subject’s consent to process special categories of Personal Data and criminal records data, such as medical and criminal convictions records, as set out in the table above. This consent allows us to share the information with other insurers, intermediaries and reinsurers that need to process the information in order to undertake their role in the insurance market (which in turns allows for the pooling and pricing of risk in a sustainable manner).

The affected individual’s consent to this processing of special categories of Personal Data and criminal records data may be necessary for HWIF to be able to provide the services the client requests.

Where you are providing us with information about a person other than yourself, you agree to notify them of our use of their Personal Data and to obtain such consent for us.

Individuals may withdraw their consent to such processing at any time by contacting the Gerante using the contact details at the Accuracy, Accountability, Openness and Your Rights section below. However, doing so may prevent HWIF from continuing to provide the services to the relevant client. In addition, if an individual withdraws consent to an insurer’s or reinsurer’s processing of their special categories of Personal Data and criminal records data, it may not be possible for in the insurance cover to continue.

Safeguards

We have in place physical, electronic and procedural safeguards appropriate to the sensitivity of the information we maintain. These safeguards will vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Data and include measures designed to keep Personal Data protected from unauthorised access. If appropriate, the safeguards include the encryption of communications, encryption of information during storage, firewalls, access controls, separation of duties and similar security protocols. We must restrict access to Personal Data to personnel and third parties that require access to such information for legitimate and relevant business purposes.

Limiting Collection and Retention of Personal Information

We collect, use, disclose and otherwise process Personal Data that is necessary for the purposes identified in this Privacy Notice or as permitted by law. If we require Personal Data for a purpose inconsistent with the purposes we consent (or ask other parties to do so on HWIF’s behalf) to process Personal Data for the new purposes.

Our retention periods for Personal Data are based on business needs and legal requirements. We retain Personal Data for as long as it is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. For example, we retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data. When Personal Data is no longer needed, we either irreversibly anonymise the data (in which case we may further retain and use the anonymised information) or securely destroy the data.

Cross-Border Transfer of Personal Information

HWIF transfers Personal Data to, or permits access to Personal Data from, countries outside the European Economic Area (EEA). These countries’ data protection laws do not always offer the same level of protection for Personal Data as offered in the EEA. We will, in all circumstances, safeguard Personal Data as set out in this Privacy Notice.

Certain countries (insert link to EU website) have been approved by the European Commission as providing essentially equivalent protections as EEA data protection laws. EU data protection laws allow HWIF to freely transfer Personal Data to such countries.

If we transfer Personal Data to other countries outside the EEA, we will establish legal grounds justifying such transfer, model contractual clauses, individuals’ consent or other legal grounds permitted by applicable legal requirements.

Individuals can request additional information about the specific safeguards applied to the export of their Personal Data.

Accuracy, Accountability, Openness and Your Rights

We strive to maintain Personal Data that is accurate, complete and current. Individuals should write to HWIF’s Gerante as follows to update their information. Questions regarding HWIFs privacy practices should also be directed to the Gerante:

Mme Amanda HINDMAN
HWI France
73 Boulevard Haussmann
75008 Paris

Under certain conditions, individuals have the right to request that HWIF:

• Provide further details on how we use and process their Personal Data;
• Provide a copy of the Personal Data we maintain about the individual;
• Update any inaccuracies in the Personal Data we hold;
• Delete Personal Data that we no longer have a legal ground to process; and
• Restrict how we process the Personal Data while we consider the individual’s enquiry.

In addition, under certain conditions, individuals have the right to:

• Where processing is based on consent, withdraw the consent;
• Object to any processing of Personal Data that HWIF justifies on the “legitimate interests” legal grounds unless our reasons for undertaking that processing outweigh any prejudice to the individual’s privacy rights; and
• Object to direct marketing at any time.

These rights are subject to certain exemptions to safeguard the public interest (eg the prevention or detection of crime) and our interests, (eg the maintenance of legal privilege). We will respond to most requests within 30 days.

If we are unable to resolve an enquiry or a complaint, individuals have the right to refer to the financial ombudsman. More information on the financial ombudsman can be found at: www.mediationassurance.org

Links to Third-Party Websites

Our website may contain links to other third party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you submit any personal information to such third party websites.

Changes to this Privacy Notice

This Privacy Notice is subject to change at any time. It was last changed on 28 February 2025. If we make changes to this Privacy Notice, we will update the date on which it was last changed. Where we have an engagement with you, we will notify you of any changes we make to this Privacy Notice in accordance with the notice provisions in the terms of our engagement. In other circumstances, we will publish the revised Privacy Notice on our website.

Read our full Privacy Notice including Appendix 1 here.

Privacy Policy

In this privacy policy, 'we', 'us' and 'our' means HWS Specialty Pty Ltd (ABN 21 165 322 485).

What is Personal Information

‘Personal Information’ is any information or an opinion about an identified individual or an individual who is reasonably identifiable, whether or not the information or opinion is true, and whether or not it is recorded in a material form.

‘Sensitive Information’ is a subset of Personal Information which may need to be afforded a higher level of protection. Sensitive Information may include Personal Information and is defined more specifically in the Act, including, amongst other things, health information, criminal history, racial or ethnic origin and sexual orientation.

What Personal Information do we collect, hold and use?

The Personal Information we collect, hold and use generally includes your name and contact information (including telephone numbers and email addresses), information relating to the insured risk, other reference information and information about third parties that you may conduct, or are interested in conducting business with.

As we act as underwriting agencies on behalf of insurers, providing and administering insurance- related products and services, we may also collect and hold other Personal Information required to provide and administer such products and services and to assist you, including details of your previous insurances and Sensitive Information.

You may be able to deal with us without identifying yourself (i.e. anonymously or by using a pseudonym) in certain circumstances, such as when making a general inquiry relating to the products and services we offer. If you wish to do so, please contact us to find out if this is practicable in your circumstances.

However, if you do not provide us with the Personal Information and other information that we need, we or any of our third-party providers may not be able to provide you with the appropriate insurance products and services. You may also risk breaching your duty of disclosure or having your policy cancelled pursuant to the Insurance Contracts Act 1984 (Cth) or otherwise.

How we collect your Personal Information

We may collect Personal Information in a number of ways depending on the nature of the insurance products and services being provided and administered, including:

• directly from you via our website;
• through any insurance-related portal;
• by telephone;
• in writing;
• by email; and/or
• from third parties (such as your insurance broker, premium funders, claims managers, other service providers or publicly from available sources). Each third party is also obliged to comply with the applicable privacy principles.

When collecting Personal Information, we will do everything we reasonably can to let you know:

• how to contact us;
• why we are collecting the Personal Information;
• how the Personal Information is collected;
• the organisations or types of organisations to which we disclose the Personal Information (if any);
• if we are required by law to collect the Personal Information;
• whether disclosure overseas is likely; and
• the consequences should you choose not to provide the Personal Information.

We also automatically collect certain information when you visit our website, some of which may be capable of personally identifying you. Please see the ‘Cookies’ section below for more details.

Our purposes for collecting, holding and using your Personal Information

We collect and hold your Personal Information for the primary purpose of providing and administering our insurance products and services to you. When we collect Personal Information from you, the collection statement may provide a more specific or broader purpose. Such purposes for collection may include:

• helping us assess risks, to assess your request for insurance, to write and administer your insurance policy and any claim you may have and to clarify or assess information that you have provided;
• to help us improve our products and services;
• providing insurance brokers’ customers, potential customers and others with our
• products and services;
• helping to develop and identify products and services that may interest insurance brokers, their customers, potential customers or others;
• conducting market or customer research;
• developing, establishing and administering alliances and other arrangements with organisations not related to us in relation to the promotion, administration and use of our products and services;
• telling you about promotions and our other product and service offerings which we believe may be relevant to you;
• sale of our assets or shares to a buyer; and
• any other purpose notified to you at the time your Personal Information is collected.

If you are an individual who is either based in or a resident of the European Union or the United Kingdom, we will only collect, use and share your personal data where we are satisfied that we have an appropriate legal basis to do so.

We will ensure that we only use your personal data for the purposes set out above and where we are satisfied:

• we need to use your personal data to perform a contract or take steps to enter into a contract with you;
• we need to use your personal data to comply with a relevant legal or regulatory obligation that we have;
• we have your consent to use your personal data for a particular activity; or
• the use of your personal data is necessary for our legitimate interests or the legitimate interests of a third party.

Disclosure of your Personal Information

We will only disclose your Personal Information where it is required or reasonable to providing or administering a product or service that you have requested, or for any of the purposes outlined in this privacy policy. Where appropriate, we will disclose your Personal Information to:

• our related body corporates, your insurance broker or third parties as is required in order to provide our products and services, including our external service providers, such as payment system operators, lawyers, accountants, other advisers, financial institutions and information technology providers;
• to agents, Lloyd’s underwriters, insurers, reinsurers, other insurance intermediaries,
• insurance reference bureaus and industry bodies and groups;
• claims management and related service providers;
• the Australian Financial Complaints Authority or other alternative dispute resolution schemes;
• Insurance and Financial Services Ombudsman;
• administrative service providers;
• any government organisation or agency; and/or
• any other entities notified to you at the time of collection.

You authorise us to contact such third parties for the purposes of providing you with the products and services that you have requested.

Other than when required or permitted by law, as specified in this privacy policy or where you have provided your consent, we will not disclose your Personal Information for any other purpose.

Nothing in this privacy policy prevents us from using and disclosing to others de-personalised aggregated data.

Disclosure of Personal Information overseas

We may disclose your Personal Information overseas (such as United Kingdom, Greece, France, United States of America, Malaysia, the Philippines and Vietnam) where it is required or reasonable in relation to providing or administering a product or service that you have requested, or for any of the purposes outlined in this privacy policy.

If we wish to disclose your Personal Information overseas, we will inform you of this and we will take reasonable steps to ensure that the overseas recipient does not breach the applicable privacy principles. We may also gain your consent to disclose your Sensitive Information overseas, if required. If you are an individual who is either based in or a resident of the European Union or the United Kingdom, we will take appropriate steps to ensure that transfers of your personal data are in accordance with applicable legislation and carefully managed to protect your privacy rights. We will also ensure that transfers of your personal data are limited to countries which are either recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy. To this end:

• we will ensure transfers within our group of companies will be covered by an agreement entered into by members of our group of companies (intra-group agreement) which contractually obliges each member to ensure that personal data receives an adequate and consistent level of protection wherever it is transferred within our group of companies;
• we will ensure that where we transfer your personal data outside our group of companies to third parties who assist in providing our services, we obtain contractual commitments from the third parties to protect your personal data; and
• where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal data is disclosed.

Direct marketing and how to opt out

When we collect your Personal Information, we may use this information to provide you with information about our other products and services. If you no longer wish to receive such information, or you do not want us to disclose your Personal Information to any other organisation (including any related body corporates), you can opt out by contacting us using our contact details below.

We will not sell or trade your Personal Information for marketing purposes.

Your obligations when you provide Personal Information of others

You must not provide us with Personal Information (including any Sensitive Information) of any other individual (including any of your employees or clients if you are an insurance broker) unless you have the express consent of that individual to do so. If you do provide us with such information about another individual, before doing so you:

• must tell that individual, via a collection statement, that you will be providing their information to us and that we will handle their information in accordance with this privacy policy;
• must provide that individual with a copy of (or refer them to) this privacy policy; and
• warrant that you have that individual's consent to provide their information to us. If you have not done this, you must tell us before you provide any third party information.

Your obligations when we provide you with Personal Information

If we give you, or provide you access to the Personal Information of any individual, as authorised under this privacy policy, you must only use it:

• for the purposes we have agreed to; and
• in compliance with applicable privacy laws, including any applicable privacy principles and this privacy policy.

You must also ensure that your agents, employees and contractors meet the above requirements.

Accuracy, Access and Correction of your Personal Information

We take reasonable steps to ensure that your Personal Information is accurate, complete and up to date whenever we collect, use or disclose it. However, we also rely on you to advise us of any changes to your Personal Information. All Personal Information identified as being incorrect is updated in our database.

Please contact us using our contact details below as soon as possible if there are any changes to your Personal Information or if you believe the Personal Information, we hold about you is not accurate or complete. We may refuse to correct Personal Information if the correction would not improve the accuracy, completeness, relevance or would make the information misleading. If we refuse to correct your Personal Information, we will record that a request was made and advise you why the request was refused.

You can make a request to access your Personal Information by contacting us using the contact details below. If you make an access request, we will provide you with access to the Personal Information we hold about you, unless otherwise required or permitted by law, within a reasonable time after the request is made. We will notify you of the basis for any denial of access to your Personal Information. No fee will be charged for an access request. However, we may charge you the reasonable cost of complying with the access request, with such costs notified to you before they are incurred.

Security of your Personal Information

We take reasonable steps to protect any Personal Information that we hold from misuse, interference and loss and from unauthorised access, alteration and disclosure.

For example, we maintain physical security over our paper and electronic data stores and premises, such as locks and security systems. We also maintain computer and network security. For example, we use firewalls (security measures for the Internet) and other security systems such as user identifiers and passwords to control access to computer systems.

However, data protection measures are never completely secure and despite the measures we have put in place, we cannot guarantee the security of your Personal Information.

You must take care to ensure you protect your Personal Information (for example, by protecting any usernames and passwords). You should notify us as soon as possible if you become aware of any security breaches.

How long do we retain your Personal Information

We will retain your Personal Information for no longer than is required for any purpose under this privacy policy unless we are required by law to retain the information for a longer period. We will make reasonable efforts to destroy or de-identify your Personal Information after this time in accordance with any Records Management Policy and procedures.

Links to third party sites

Our website may contain links to other third-party websites. We do not endorse or otherwise accept responsibility for the content or privacy practices of those websites, or any products or services offered on them. We recommend that you check the privacy policies of these third- party websites to find out how these third parties may collect and deal with your Personal Information.

Cookies

Like many website operators, we may use standard technology called cookies on our website. Cookies are small data files that are downloaded onto your computer when you visit a particular website. Cookies help provide additional functionality to the website or to help us analyse website usage more accurately. For instance, our server may set a cookie that keeps you from having to enter a password more than once during a visit to one of our websites. In all cases in which cookies are used, the cookie will not collect Personal Information except with your consent. You can disable cookies by turning them off in your browser; however our website may not function properly if you do so.

Your Rights under the GDPR

If you are an individual who is either based in or a resident of the European Union or the United Kingdom, subject to applicable data privacy laws, we will not process sensitive data about you unless we have received your explicit consent to the processing of this information.

If you are an individual who is either based in or a resident of the European Union or the United Kingdom, you also have the right to:

• be informed as to how we are collecting and using your personal data;
• obtain confirmation from us as to whether or not your personal data is being processed, where and for what purpose. If requested, we will provide you with a copy of your personal data, free of charge in an electronic format;
• request that we erase your personal data if we no longer have a legitimate interest to continue holding or processing the data;
• object to the processing of your personal data, including for direct marketing and processing based on a legitimate interest; and
• request that we restrict the processing of your personal data in certain circumstances, including in the case of unlawful processing.

How to make a complaint

If you wish to make a complaint about how we have handled your Personal Information, you can lodge a complaint by using the contact details below. You will need to provide us with sufficient details regarding your complaint together with any supporting evidence and information.

We will refer your complaint to our Privacy Officer who will investigate the issue and determine the steps that we will undertake to resolve your complaint. We will contact you if we require any additional information and will notify you in writing of the outcome of the investigation. We will try to resolve any complaint within 14 business days. If this is not possible, you will be contacted within that time to let you know how long it is likely to take us to resolve your complaint.

If you are not satisfied with our determination, you can contact us to discuss your concerns or complain to:

• The Australian Privacy Commissioner via www.oaic.gov.au
• The New Zealand Privacy Commissioner in New Zealand via www.privacy.org.nz
• The European Data Protection Supervisor via edps.europa.eu

The Information Commissioner’s Office in the United Kingdom via ico.org.uk

Privacy Policy changes

We may make changes to this policy as a result of operational or legislative changes. When changes are made to this policy, the updated policy will be uploaded to our website and the effective date updated accordingly.

How to contact us

If you wish to gain access to your Personal Information, want us to correct or update it, have a complaint about how we have handled your Personal Information or any other query relating to our privacy policy, please contact our Privacy Officer during business hours in Sydney, NSW Australia on:

The Privacy Officer

T: +61 2 9307 6656

E: privacyofficer@steadfastagencies.com.au

Alternatively, you can contact us via:

Steadfast Underwriting Agencies

Level 5

97-99 Bathurst St

Sydney NSW 2000 PO Box A2016

Sydney South NSW 1235

T: +61 2 9495 6500

E: privacyofficer@steadfastagencies.com.au

W: www.steadfastagencies.com.au

In Australia, for further information on privacy, visit the Australian Government Office, Office of the Australian Information Commissioner website.

In New Zealand, for further information on privacy, visit the New Zealand Privacy Commissioner website.

Effective Date: 15 March 2025