Munich Re US P&C Companies CCPA/CPRA Vendor Requirements
Last Updated: March 21, 2023
The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code Sec. 1798.100 et seq.) (the “CCPA/CPRA”), and its implementing regulations require Munich Re to ensure that its Service Providers and Contractors, including Third-Party Administrators, (collectively, hereinafter referred to as “Vendors”) adhere to certain additional legal obligations when handling California residents’ Personal Information and Sensitive Personal Information (collectively, “Personal Information”) on behalf of Munich Re, effective as of January 1, 2023.
Munich Re expects and Vendors shall follow all CCPA/CPRA Vendor Requirements when handling California resident Personal Information on its or its affiliates’ behalf. If a Vendor fails to follow these requirements, the Vendor may be interpreted to be a Third Party under the CCPA/CPRA, which has regulatory compliance implications for Munich Re. In particular, Munich Re would have to provide California residents the right to opt-out of Munich Re sharing their Personal Information with that Vendor and ensure that we effectuate such requests.
Personal Information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household and includes, but is not limited to, the following categories and data elements:
- Identifiers: real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- Personal Records: name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information
- Characteristics of Protected Classifications under California or Federal Law: age (40 years or older), race, national ancestry, national origin, citizenship, religion, marital status, pregnancy, medical condition, physical or mental disability, sex, sexual orientation, and veteran or military status
- Non-Public Education Information: education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes and student disciplinary records
- Professional or Employment-Related Information: includes employment history, qualifications, licensing, and disciplinary record
- Commercial Information: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Biometric Information: an individual’s physiological, biological, or behavioral characteristics, including DNA information that can be used to establish individual identity as well as imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template such as a faceprint or voiceprint can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data containing identifying information
- Geolocation Data: physical location or movements
- Internet or Other Electronic Network Activity Information: including but not limited to browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement
- Audio, Electronic, Visual, Thermal, Olfactory or Similar Information: includes call recordings, video and photographs
- Inferences Drawn from Personal Information: inferences drawn from any personal information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- Sensitive Personal Information (as defined below)
Personal Information does not include:
- Aggregate Consumer Information, which means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. Aggregate Consumer Information does not mean one or more individual consumer records that have been deidentified.
- Deidentified Information, which means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer provided that the business that possesses the information:
  - Takes reasonable measures to ensure that the information cannot be associated with a consumer or household;
  - Publicly commits to maintain and use the information in deidentified form and not to attempt to reidentify the information; and
  - Contractually obligates any recipients of the information to comply with the above requirements.
- Publicly Available Information or lawfully obtained, truthful information that is a matter of public concern. Publicly Available means information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. Biometric information collected by a business about a consumer without the consumer’s knowledge is not “publicly available.”
The CCPA/CPRA defines Sensitive Personal Information as personal information that reveals the following data elements of a consumer:
- Social Security number
- Driver’s license number
- State identification card number
- Passport number
- Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- Precise geolocation data (any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations)
- Personal information from a known child
- Racial or ethnic origin
- Citizenship or immigration status
- Religious or philosophical beliefs
- Union membership
- Contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication
- Genetic data
- Biometric information (as described above) for the purpose of uniquely identifying a consumer
- Mental health or physical health history, condition, diagnosis or treatment information including health insurance information
- Sex life or sexual orientation
Munich Re’s CCPA/CPRA Vendor Requirements apply only to the handling of California residents’ Personal Information, when handled as part of a commercial insurance product or service or a non-insurance product or service. The following is not covered by the CCPA/CPRA and is not included in Personal Information:
- Publicly available information lawfully made available from government records.
- De-identified or aggregated consumer information.
- Information excluded from the CCPA/CPRA's scope, like:
  - health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA);
  - Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994. Please note in particular that the CCPA/CPRA does not apply to the handling of Personal Information in connection with personal lines insurance products and services because of the GLBA exemption.
Nothing contained herein is intended to abrogate or otherwise limit any data privacy and/or confidentiality obligations between Vendors and Munich Re under applicable agreements for services. Moreover, the information contained in this communication is not intended to be and does not constitute legal advice. Please consult your own legal counsel.
The Vendors’ failure to agree and comply with the CCPA/CPRA Vendor Requirements set forth hereunder may impact the Vendors’ ability to continue to provide services to Munich Re. If you have questions regarding this communication, please contact MunichReUSPCPrivacy@munichre.com.
CCPA/CPRA Vendor Requirements
- Limited and Specified Purpose(s) and Use of Personal Information. Munich Re is disclosing or otherwise permitting access to Personal Information to Vendor only for the limited purposes specified in the agreement between the parties. Vendor’s obligations pertain to Personal Information that is provided by or on behalf of Munich Re or otherwise collected by Vendor in connection with its services provided under the parties’ agreement. Vendor is prohibited from retaining, using or further disclosing Personal Information disclosed or accessed pursuant to the parties’ agreement for its own purposes. This requirement does not apply to Personal Information the Vendor already had in its possession or obtained independently from a source other than Munich Re that was not obtained at Munich Re’s direction. (Cal. Civ. Code Sec. 1798.100(d)(1) and 1798.140(ag)(1).)
- Vendor Compliance with CCPA/CPRA. Vendor must comply with applicable obligations under CCPA/CPRA when handling personal information that is subject to the law and must provide the level of privacy protection required by the law. (Cal. Civ. Code Sec. 1798.100(d)(2).)
- Munich Re’s Right to Ensure Vendor’s Compliance with CCPA/CPRA. Munich Re may take reasonable and appropriate steps to ensure Vendor uses Personal Information disclosed by Munich Re consistent with Munich Re’s obligations under CCPA/CPRA. (Cal. Civ. Code Sec. 1798.100(d)(3).)
- Notice if CCPA/CPRA Compliance is Not Possible. Vendor shall promptly notify Munich Re if Vendor determines it cannot meet its obligations under the CCPA/CPRA. (Cal. Civ. Code Sec. 1798.100(d)(4).)
- Munich Re’s Right to Stop and Remediate Unauthorized Use of Personal Information. Munich Re has the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information by Vendor including, for example, Munich Re ceasing any further sharing of Personal Information, or requiring Vendor to provide documentation verifying it no longer retains or uses Personal Information of consumers that have requested deletion. (Cal. Civ. Code Sec. 1798.100(d)(5).)
- Sale and Sharing of Personal Information. Vendor shall not use or disclose Personal Information received from or on behalf of Munich Re for advertising purposes (defined as “sharing” under CCPA/CPRA) unless the parties have explicitly agreed to this use and the use complies with CCPA/CPRA requirements. Vendor also must not disclose Personal Information to other companies in exchange for money or other valuable consideration (defined as a “sale” under CCPA/CPRA). (Cal. Civ. Code Sec. 1798.140(ag)(1)(A).)
- Notice of and Use of Subcontractors. Vendors are permitted under CCPA/CPRA to share Personal Information received from Munich Re with other companies or individuals to process Personal Information on Vendor’s behalf but, before doing so, Vendor must have an agreement in place with that company or individual requiring the company or individual to protect the Personal Information and comply with any applicable CCPA/CPRA requirements. (Cal. Civ. Code Sec. 1798.140(ag)(2).) Vendor must also notify Munich Re of all other companies Vendor uses to handle Personal Information on behalf of Munich Re. (Cal. Civ. Code Sec. 1798.140(ag)(2).)
- Security Measures regarding Personal Information. Vendor is required to implement and maintain reasonable and appropriate measures to protect Personal Information. The measures should be appropriate in consideration of the volume and nature of the Personal Information. (Cal. Civ. Code Sec. 1798.130(a)(3)(A).)
- Combining Personal Information. Vendor shall not combine the Personal Information it receives from or on behalf of Munich Re with any Personal Information it receives from or on behalf of another person or collects from its own interactions with a consumer, except that Vendor may combine Personal Information as expressly permitted under CCPA/CPRA. (Cal. Civ. Code Sec. 1798.140(ag)(1)(D).)
- Assistance with Consumer Rights Requests. Vendors shall reasonably cooperate and assist Munich Re in complying with privacy requests from individuals and from regulators. If Vendor receives a consumer request relating to personal information it handles on behalf of Munich Re, Vendor shall notify Munich Re promptly so that Munich Re can respond to the request. Vendors shall notify any of their own vendors of steps they need to take following a privacy request. (Cal. Civ. Code Sec. 1798.105(c)(3).)
- Retention of Personal Information. When personal information is no longer needed by Vendor to provide the services under the agreement between the parties, Vendor will promptly and securely delete or return the Personal Information, unless otherwise agreed to by the parties or the retention of the Personal Information is required by applicable law. (Cal. Civ. Code Sec. 1798.140(ag)(1)(B) and (C).)
- Deidentification of Personal Information. If Munich Re provides Vendor with Personal Information that has been deidentified, Vendor will take reasonable measures to ensure the deidentified data cannot be associated with a consumer and contractually obligate any other recipients of the deidentified data to comply with CCPA/CPRA. (Cal. Civ. Code Sec. 1798.140(m)(C).)
- Munich Re’s Right to Audit. Vendor shall make available to Munich Re the information in its possession necessary to demonstrate compliance with CCPA/CPRA obligations. Munich Re may audit Vendor or undertake assessments to determine Vendor’s CCPA/CPRA compliance once every 12 months. (Cal. Civ. Code Sec. 1798.140(ag)(1)(D).)