Data Privacy and Compliance
AIR is committed to data privacy so that our clients can meet regulatory requirements and conduct business with confidence.
GDPR created a new data privacy landscape
The General Data Protection Regulation (GDPR) is the most important change in data protection regulation in decades. It came into effect on May 25, 2018, creating one set of data protection rules for all companies handling personal data originating in the European Union (EU). GDPR gives people more control over their personal data and requires businesses to adjust their data privacy practices to ensure compliance.
Key concepts under GDPR
Information that can be used on its own, or with other information, to identify, contact, or locate a single person is regarded as personal data, even if the entity that holds those data cannot make the connection. The data AIR gathers on its clients’ employees, and the detailed exposure data routinely analyzed in Touchstone®, fall under this definition (note: aggregated exposure data do not qualify).
Organizations that determine the purpose of the processing of personal information are considered controllers. Organizations that process personal data under the direction of a controller—such as AIR—are considered processors.
GDPR’s impact on AIR products and services
AIR appreciates that our clients have requirements under GDPR that are directly impacted by their use of AIR products and services, and we are committed to helping our clients fulfill these requirements. We may have access to two forms of personal data as defined under EU law because of our relationship with you.
Client Contact Data
While conducting business, AIR may capture the contact information of your EU-based employees. As the controller of these data under GDPR, AIR must provide notice of subjects’ rights and implement policies and procedures to honor them. The nature of these notices will vary depending upon the nature of your interaction with AIR:
Detailed Exposure Data
As an AIR client, you may provide us with address data on EU properties for consulting or troubleshooting purposes, or if you use the AIR Cloud. Because AIR is the processor of these data under GDPR, your company must ensure that we are able to honor GDPR requirements. Our Data Protection Addendum outlines the commitments we make to you in order to comply with the new law. If your company does not already have a signed Addendum in place, please reach out to your AIR Account Executive or to the AIR Privacy Team at firstname.lastname@example.org.
AIR is GDPR-ready
Prior to May 25, 2018, AIR completed a two-year GDPR compliance program under the guidance of our parent company, Verisk, during which our legal and data privacy teams analyzed GDPR and took the necessary steps to identify where we needed to comply and where changes needed to be made. This regularly audited program spanned all aspects of our practices related to personal data, including marketing practices, data security, vendor management, and our website. As a result, AIR has implemented a program that complies with GDPR.
As a U.S.-based company, AIR also participates in the EU–U.S. and Swiss–U.S. Privacy Shield frameworks, which govern transfers of personal data between the EU or Switzerland and the U.S. Our Privacy Shield Certification is an important part of our strategy to satisfy the data transfer component of GDPR.
This information is provided to help you understand AIR’s role under GDPR, the rights of individuals with whom we conduct business, and the responsibilities you may hold under GDPR. It is not comprehensive and does not constitute legal advice. For more information on AIR’s commitment to data privacy, please contact us at email@example.com.