National Hole In One (We, Us, Our) is committed to protecting your privacy in accordance with their obligations under data protection legislation. Since 25th May 2018, the main data protection law will be the General Data Protection Regulation as supplemented by the Data Protection Act 2018 and related laws.
The privacy and security of your personal information is very important to us. We want to assure you that your information will be properly managed and protected whilst in our hands. This policy sets out what personal information we collect, what we collect it for and how we handle it.
SECTION 2 THE DATA WE MAY COLLECT ABOUT YOU (YOUR PERSONAL INFORMATION)
We will collect and process all or some of the following personal information about you:
- Information you provide to us (or which is provided to us on your behalf, by a Broker) ► basic personal details which may be collected via online or paper application and claims forms, emails and letters such as your name and job title, Company/ Organisation name, address, email address, telephone number, date of birth, demographic information such as post code; basic personal details of third parties (for example in the case of an insurance broker providing information about their insured).
- Financial information ► payment card number, bank account number and account details, income and other financial information.
- Insured risk ► information about the insured risk, which contains personal information and may include, only to the extent relevant to the risk being insured:
- Health data ► current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g., smoking or consumption of alcohol), prescription information, medical history;
- Criminal records data ► criminal convictions, including driving offences; and
- Other Special Categories of Personal Data ► racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning an individual’s sex life or sexual orientation.
- Information about your preferences and interests ► including any other information that is relevant to your enquiry which allows us to provide an appropriate response.
- Information about other policies, claims and records ►information about previous and current policies and claims, which may include health data, criminal records data and other Special Categories of Personal Data (as defined in the “Insured Risk” section above) and information collected from other insurance market participants.
- Our correspondence ► if you contact us in order to request or obtain a quote, telephone us, write to us by post or email, contact us in person, or communicate via online channels, we will typically keep a record of that correspondence.
Survey information ► we may also ask you to complete surveys that we use for research purposes. In such circumstances we shall collect the information provided in the completed survey.
- Credit and Anti-Fraud information ► credit history and credit score, information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, or regulators or law enforcement agencies.
- Website and communication usage ► details of your visits to the websites and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.
- Marketing preference information ► details of your marketing preferences (e.g. communication preferences) and information relevant to selecting appropriate products and services to offer you.
We may receive personal information about you when you contact us for example by requesting or obtaining a quote or otherwise contacting us.
We may also receive your personal information from third party sources, including other insurance market participants, credit reference agencies, anti-fraud databases, crime prevention and government agencies such as vehicle registration authorities and tax authorities and, in the event of a claim, other parties to the claim.
SECTION 3 PURPOSES FOR WHICH WE USE YOUR PERSONAL INFORMATION
We require your personal information to understand your needs and provide you with a better service, and in particular, we may use or disclose it for the following purposes. Below each purpose we note the “legal ground” that allows that use of your personal information. An explanation of the scope of the “legal grounds” can be found at the end of this document.
- To conduct our business and to provide you with our services ►including to provide you with quotes, place cover, administer policies, manage and settle claims, collect premiums, administer complaints, process bordereaux and obtain renewals.
Legal bases: contract performance (if individual is the client), legitimate interests (to enable us to provide our services to you). For the processing of Special Categories of Personal Data (e.g. health information), substantial public interest and, in limited circumstances, consent, which will be obtained from you prior to our undertaking the processing.
- To conduct certain fraud and background checks ► we and other organisations may also access and use certain information to undertake anti-money laundering and sanctions checks and for fraud prevention purposes, as may be required by applicable law and regulation and best practice at any given time. If false or inaccurate information is provided and fraud is identified or suspected, details may be passed to fraud prevention agencies and may be recorded by us or by them.
Legal bases: legal obligations, performance of our contract with the individual (if individual is the client), legitimate interests (to ensure that you fall within our acceptable risk profile and to assist with the prevention of crime and fraud). For the processing of Special Categories of Personal Data (e.g. health information) and Criminal Records Data, substantial public interest and, in limited circumstances, consent.
- To communicate effectively with you and for internal record keeping ► including to respond to your queries, to otherwise communicate with you, or to carry out our obligations arising from any agreements entered into between you and us, and for internal management reporting purposes.
Legal bases: contract performance (if individual is the client), legitimate interests (to enable us to perform our obligations and provide our services to you).
- To improve our products and services and to understand our customers ►we may analyse the personal information we hold in order to better understand our clients’ services and marketing requirements, to better understand our business and develop our products and services.
Legal bases: legitimate interests (to ensure the quality and legality of our services, to allow us to improve our services and to allow us to provide you with the content and services on the website).
- To provide you with marketing materials ► We may periodically send promotional email about new products, special offers or other information which we think you may find interesting using the email address which you have provided. We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us as set out “SECTION 9 CONTACTING US” below.
Legal bases: legitimate interests (to keep you updated with news in relation to our products and services).
- For research and development purposes ► from time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail.
Legal bases: legitimate interests (to allow us to improve our services).
- To ensure website content is relevant ► we may use the information to customise the website according to your interests and to ensure that content from our website is presented in the most effective manner for you and for your device, which may include passing your data to business partners, service providers and other insurance market participants.
Legal bases: legitimate interests (to allow us to provide you with the content and services on the websites).
- Defend or prosecute legal claims ► we may use your personal information to defend or prosecute and legal claims, including prosecuting any fraud.
Legal bases: legal obligations, legitimate interests (to ensure that the quality and legality of our services). For the processing of Special Categories of Personal Data (e.g. health information), substantial public interest and legal claims.
- In connection with legal or regulatory obligations ► we may process your personal information to comply with our regulatory requirements or dialogue with regulators as applicable which may include disclosing your personal information to third parties, the court service and/or regulators or law enforcement agencies in connection with enquiries, proceedings or investigations by such parties anywhere in the world or where compelled to do so. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.
Legal bases: legal obligations, legitimate interests (to cooperate with law enforcement and regulatory authorities). For the processing of Special Categories of Personal Data (e.g. health information), substantial public interest and legal claims.
- To inform you of changes ► to notify you about changes to our services and products.
Legal bases: legitimate interests (to notify you about changes to our service).
- To reorganise or make changes to our business ►in the event that we: (i) are subject to negotiations for the sale of our business or part thereof to a third party; (ii) are sold to a third party; or (iii) undergo a re-organisation, we may need to transfer some or all of your personal information to the relevant third party (or its advisors) as part of any due diligence process for the purpose of analysing any proposed sale or re-organisation. We may also need to transfer your personal information to that re-organised entity or third party after the sale or reorganisation for them to use for the same purposes as set out in this policy.
Legal bases: legitimate interests (in order to allow us to change our business).
Consent: In order to facilitate the provision of insurance cover and administer insurance claims, unless another legal ground applies, we rely on data subjects’ consent to process Special Categories of Personal Data and Criminal Records Data, such as medical and criminal convictions records. This consent allows us to share the information with insurers, intermediaries and reinsurers and other insurance market participants that need to process the information in order to undertake their role in the insurance market (which in turn allows for the pooling and pricing of risk in a sustainable manner). Individuals may withdraw their consent to such processing at any time by contacting us as set out in “SECTION 9 CONTACTING US” below. However, doing so may prevent us from continuing to provide the services to the relevant client. In some circumstances, the withdrawal of consent may mean that it may not be possible for the relevant insurance cover to continue.
SECTION 4 WHO WE MAY DISCLOSE YOUR PERSONAL INFORMATION TO
In addition to the third parties mentioned in section 4 above, we may disclose your personal information with:
- Our group companies based in the UK and US, for servicing you as our client;
- Insurance brokers who assist us with the placing of your insurance (based in the UK);
- Insurers and Reinsurers (and their appointed auditors or third party support companies), based in the UK, EU and US with whom we may place your insurance, so that they have a complete record of the insurance that they are bound to
- Loss adjusters and Third Party Administrators, which may be located within or outside the UK or EU as dictated by the location of your risk, which need the information to be able to assess and manage insurance claims;
- IT contractors, storage companies, software suppliers IT service providers and compliance software providers based in the UK, EU, US and India; and
- Regulators and the Ombudsman, based in the UK, EU or location of your risk who demand to receive your data.
SECTION 5 TRANSMISSION, STORAGE AND SECURITY OF YOUR PERSONAL INFORMATION
Security over the internet
No data transmission over the Internet or website can be guaranteed to be secure from intrusion. However, we maintain commercially reasonable physical, electronic and procedural safeguards to protect your personal information in accordance with data protection legislative requirements.
All information you provide to us is stored on our or our subcontractors’ secure servers and accessed and used subject to our security policies and standards. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential and for complying with any other security procedures that we notify you of. We ask you not to share a password with anyone.
Export outside the EEA
Where we transfer personal information from inside the European Economic Area (the EEA) to outside the EEA, we may be required to take specific additional measures to safeguard the relevant personal information. Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal information to these jurisdictions. In countries which have not had these approvals (see the full list here http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm), we will ensure that appropriate safeguards are put in place (such as EU approved “Model Clauses” to ensure that data protection safeguards equivalent to those required within the EEA are applied).
Please contact us as set out in “SECTION 9 CONTACTING US” below if you would like details of the specific safeguards applied to the export of your personal information.
Our retention periods for personal information are based on business needs and legal requirements. For annual general insurance policies, this will be a minimum of six years from the expiry of the policy. For multi-year or life policies this will be up to 25 years or 12 months following the last date a valid claim can be logged. For Employer’s Liability insurance we will retain records for the period defined by relevant legislation as a minimum.
We retain personal information for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. For example, we may retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data. When personal information is no longer needed, we either irreversibly anonymise the data (and we may further retain and use the anonymised information) or securely destroy the data.
SECTION 6 CONSENT AND MARKETING
Unless otherwise permitted under applicable law, we will only contact you by email or text message if you actively consent to this. By consenting to our emails or opting in to email communications, you grant us permission to use your email address to send you email marketing communication. At any stage you may choose to opt out of receiving any marketing communication from us by:
[contacting us at the details set out in “SECTION 9 CONTACTING US” below; or
opt out of our email marketing at any time by clicking the unsubscribe link at the bottom of any email from us, emailing Privacy@holeinoneinsurance.co.uk, calling +44 (0)20 7929 6814, Faxing +44 (0) 1727 855089 or writing to Privacy Department, National Hole In One, 21 Verulam Road, Harpenden, Herts, AL3 4DG, UK.
If you choose not to be contacted by us we will never send you personalised marketing communications, but we will keep your details on a ‘suppression list’ to ensure you aren’t contacted. We will also continue to send you service communications.
Please note that we will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.
SECTION 7 PROFILING AND AUTOMATIC DECISION MAKING
We use certain automated decision-making processes in relation to your personal information, for example to assess and respond to quotes that you have requested online. For example, our online automated quote system will determine whether we are able to offer you a quotation and, if so, the pricing and terms of that quotation.
Where such decisions have a legal (or similarly significant effect) on data subjects, those data subjects have the right to challenge to such decisions under the GDPR, to request human intervention, to express their own point of view, and to obtain an explanation of the decision from the Company.
SECTION 8 YOUR RIGHTS
Under certain conditions, you may have the following specific rights in relation to the personal information we hold about you:
Where processing is based on consent, the right to withdraw consent at any time so that we stop that particular processing, where relevant noting that this may result in termination of the policy or policies;
To require us to provide you with further details on the use we make of your personal information;
To require us to provide you with a copy of the personal information that we hold about you;
To require us to update any inaccuracies in the personal information we hold;
To require us to delete any personal information the we no longer have a lawful ground to use;
To ask us to transmit the personal information you have provided to us and we still hold about you to a third party electronically;
To object to any processing based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights;
To object to direct marketing (including any profiling for such purposes) at any time;
To require us to restrict how we use your information whilst a complaint is being investigated;
The right to lodge a complaint with a supervisory authority, the ICO www.ico.org.uk
Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). If you exercise any of these rights we will check your entitlement and respond in most cases within a month.
If you are not satisfied with our use of your personal information or our response to any exercise of these rights you have the right to complain to the Information Commissioner’s Office.
SECTION 9 CONTACTING US
You can change your marketing details at any time by contacting us on the details given below. Please let us know if your information changes as it is important that the information we hold about you is accurate and up to date.
You can exercise your rights set out in section 9 by contacting us using any of the following methods:
By phone: +44 (0)20 79296814
By email: email@example.com
By post: National Hole In One, 21 Verulam Road, St Albans, Herts, AL3 4DG
We take any complaints about our collection and use of personal information very seriously. If you think that our collection or use of personal information is unfair, misleading or inappropriate or have any concern about data processing please raise this with us in the first instance on firstname.lastname@example.org. If you are not satisfied with the response you receive from us for any reason then you may wish to contact the Information Commissioner’s Office online www.ico.org.uk or write to:
Information Commissioner’s Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
SECTION 10 COOKIES POLICY
Use of personal information under EU data protection laws must be justified under one of a number of legal “grounds” and we are required to set out the grounds in respect of each use in this policy. An explanation of the scope of the grounds available can be found within this document. We note the grounds we use to justify each use of your information next to the use in the “Uses of your personal information” section of this policy.
These are the principal legal grounds that justify our use of your personal information:
Consent: where you have consented to our use of your information (you will have been presented with a consent form in relation to any such use and may withdraw your consent by calling us on +44 (0)20 7929 6814, emailing Privacy@holeinoneinsurance.co.uk, Faxing +44 (0)1727 855089 or writing to us at 21 Verulam Road, St Albans, Herts, AL3 4DG, UK.
Contract performance: where your information is necessary to enter into or perform our contract with you.
Legal obligation: where we need to use your information to comply with our legal obligations.
Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.
These are the principal legal bases that justify our use of Special Categories of your Personal Data and Criminal Convictions Data:
Legal claims: where your information is necessary for us to establish, defend, prosecute or make a claim against you, us or a third party.
In the substantial public interest: Processing is necessary for reasons of substantial public interest, on the basis of EU or local law.
Explicit consent: You have given your explicit consent to the processing of those personal information for one or more specified purposes. You are free to withdraw your consent by contacting us as per “SECTION 9 CONTACTING US” in the above notice. If you do so, we may be unable to provide a service that requires the use of such data.