PRIVACY NOTICE - UK/EU
United Kingdom and European Economic Area Data Protection
Customer Privacy Notice
1. Introduction
This Privacy Notice is issued on behalf of all R&Q Insurance Holdings Ltd group companies (referred to as “R&Q”, “we”, “us” or “our” in this notice) registered in the United Kingdom (UK) and the European Economic Area (EEA). Each R&Q UK & EEA entity that processes Personal Information is responsible for treating it in accordance with this Privacy Notice.
As a Data Controller R&Q is required to comply UK and European Data Protection legislation and regulations when processing your personal information. This Privacy Notice explains why we are collecting personal information from you, how we will use it, how long we will keep it and make sure it’s kept safe, plus situations where we may need to share it with other organisations.
2. Personal Information We Collect
Information we collect from you
The Personal Information we hold depends on the nature of your relationship with R&Q. In most cases, we process a combination of the following:
- Information about you, including name, age, gender, date of birth, nationality, marital status, occupation, passport number, driving license number
- Contact information including home address, phone number, email address
- Financial information such as your bank account details
- Insurance history including details of any claims you have made, accidents you’ve been involved in
Information on your immediate family will also be collected if they are to be included in the policy or a claim.
We may need to collect information that is sensitive, such as:
- Health information, including details on medical related issues that are relevant to a policy you hold or are taking out. To handle a claim involving injury or death, we may collect information about injuries and treatments.
We may collect information about children where the child is a beneficiary under a policy or if required to process a claim.
Information we collect from third parties
We also obtain Personal Information from third parties, including:
- Details about your vehicle such as registration number, mileage, licencing
- Information about your insurance history and claims details
- Information on possible fraud and criminal convictions or offences.
The third parties we use include:
- Insurance brokers, agents, and our business partners
- Financial crime, fraud, and law enforcement agencie
- Insurance industry bodies, such as the Association of British Insurers and the Motor Insurers' Bureau
- Governmental and regulatory bodies including the Driver and Vehicle Licensing Agency and Driver and Vehicle Standards Agency.
When we buy or reinsure in a book of existing insurance business (what we call Legacy business), we may obtain your Personal Information direct from the third-party company involved in the transaction.
3. Uses of Personal Information
Normal insurance processes
R&Q uses Personal information in its normal course of business for the following insurance purposes:
- advising on, arranging, and administering non-life insurance business
- administering or defending a claim under an insurance policy
- exercising a legal right or obligation arising from an insurance policy. For example the right to seek reimbursement from a third party for an insurance loss.
The Insurance Market Process
Insurance involves the use and disclosure of your Personal Information by various insurance market participants such as intermediaries, insurers and reinsurers. The London Market Core Uses Information Notice sets out those core necessary personal data uses and disclosures. We recommend that you review this notice - (https://lmg.london/document/data-protection-insurance-market-core-uses-information-notice/).
Our core uses are consistent with the London Market Core Uses Information Notice. Our policy is to restrict the amount of Personal Information requested / disclosed to the minimum required to achieve the stated purpose of the processing, as set out in the London Market Core Uses Information Notice.
4. Lawful Basis for Uses of Personal Information
We are committed to using Personal Information in accordance with applicable data protection laws. We need a legal justification, known as a lawful basis, to process your Personal Information.
The lawful basis we rely on are presented below:
| Purpose | Lawful Basis |
|---|---|
| Managing policy applications and renewals | Performance of a contract Compliance with a legal obligation Substantial public interest, necessary for insurance purposes |
| Policy administration | Performance of a contract Compliance with a legal obligation Substantial public interest, necessary for insurance purposes |
| Complaints handling | Performance of a contract Compliance with a legal obligation Substantial public interest, necessary for insurance purposes |
| Managing third party relationships e.g., brokers, agents | Performance of a contract Substantial public interest, necessary for insurance purposes Legitimate interests |
| Claims management | Performance of a contract Compliance with a legal obligation Substantial public interest, necessary for insurance purposes |
| Fraud and crime prevention | Performance of a contract Compliance with a legal obligation Substantial public interest, necessary for insurance purposes |
| Compliance, legal and regulatory obligations | Compliance with a legal obligation Substantial public interest, necessary for insurance purposes |
| Buy, sell, transfer or dispose of a business | Compliance with a legal obligation Substantial public interest, necessary for insurance purposes |
| Marketing and subscriptions | Consent |
| Data modelling and analysis | Legitimate interests |
Where we rely on legitimate interests as our lawful basis, we carry out a balancing test to ensure that our interests, or those of a third party, do not override the rights and freedoms that you have as an individual. The outcome of this balancing test will determine whether we can use your Personal Information for the purposes described in this Privacy Notice.
5. Disclosure of Information to Others
We may pass your Personal Information to third parties such as intermediaries, insurers, reinsurers, claims managers, loss adjusters, sub-contractors, our affiliates and to certain regulatory bodies who may require your Personal Information themselves and process it for the purposes described in this Privacy Notice. We will provide the names of such third parties upon request from you.
We may share your Personal Information with fraud prevention agencies and law enforcement agencies if mandated to do so. If false or inaccurate information is provided and fraud is identified, details of this fraud will be passed to these agencies to prevent fraud and money laundering.
We do not disclose any of your Personal Information to any third parties except as set out in our Privacy Notice or as permitted by law or authorised by you.
6. Profiling and Automated Decision Making
R&Q’s operations do not include automated decision making or profiling.
7. Data Retention Periods
The retention period for your Personal Information will depend on the nature of your relationship with us. If you need specific information about the retention of your Personal Information, please contact us using the details provided at the end of this notice.
8. Security of your Personal Information
We have implemented appropriate technical and organisational controls to protect your Personal Information against unauthorised processing and against accidental loss, damage or destruction.
Any third parties we use to process your Personal Information to support our business operation are mandated to implement security standards as instructed by us.
9. International Transfers
As a global organisation, R&Q may transfer your Personal Information outside of the UK and EEA to manage your insurance policy. The protections given to your Personal Information in other countries may not be as strong as in the UK. We will put in place agreements with organisations (or entities within the R&Q Group), to make sure they put appropriate safeguards to manage your personal information with the same protections as required in the UK and EEA.
Our agreements include standard terms called Standard Contractual Clauses or International Data Transfer Agreements approved by the UK Information Commissioner’s Office (ICO) and other European regulatory bodies. It is possible that, regardless of what is set out in these agreements, a national government agency may still have power to overrule and access your Personal Information for crime prevention and national security purposes.
10. Your Data Protection Rights
You have rights under the General Data Protection Regulation and UK/EEA country-specific legislation in relation to your Personal Information. Read below to learn more about each right you may have.
1. The Right to be Informed: Individuals have a right be informed how their Personal Information is being used, we do this through this Privacy Notice, which is displayed on our website and provided when policy documentation is distributed.
2. The Right of Access: Individuals have a right to obtain a copy of the Personal Information that is being held and an explanation how their information is being used. This is commonly known as a ‘subject access request’.
3. The Right to Rectification: Individuals have a right to have Personal Information updated if it is inaccurate or incomplete. If the information in question has been disclosed to third parties, they must be informed of the updates required. Individuals must then be informed that the corrections have been made.
4. The Right to Erasure (Right to be Forgotten): Individuals have a right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
5. The Right to Restrict Processing: Individuals have a right to stop or suppress the processing of Personal Information. For example, if you have contacted us about the accuracy of your Personal Information.
6. The Right to Data Portability: Individuals have a right to obtain and re-use their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
7. The Right to Object: Individuals have a right to object to processing based on legitimate interests or by withdrawing consent. If we rely on your consent to collect and process your personal information, you can ask us to stop using your personal information at any time by withdrawing that consent and we will stop using your personal information for those purposes. Where legitimate interest is our lawful basis for processing, we may continue to use your Personal Information where there are other compelling legitimate grounds for us to do so.
If we rely on other lawful basis to process your personal data, and you instruct us to cease, this may impact upon our ability to provide insurance or to pay claims. We may contact you to advise you that the cessation of processing or the deletion of your Personal Information is not possible because the processing is necessary and lawful as required for performance or a contract or compliance with a legal obligation.
8. Rights in relation to Automated Decision-making and Profiling: Individuals have a right of protection against the risk that a potentially damaging decision is taken without human intervention. At R&Q we do not perform automated decision-making in our profiling.
It is important that the Personal Information we hold about you is accurate, complete and up-to-date. As noted above, you have the Right of Access to your personal data and to request the amendment of any element of it that may be incorrect, and to assert your Rights listed above.
To ensure the Rights requests are authentic, we will ask you for proof of identity when you make a request to disclose, amend or cease processing information.
We aim to respond to all valid requests within one calendar month of validating your identity, although it may take longer if the request is complicated. We will always acknowledge your request and let you know if we think a response will take longer than one month. We may also ask you to provide more details about what you want to help us locate the information you require.
In some cases, we may not be able to do what you have requested because your rights may not always apply; for example, where information relates to another data subject, where the information is part of an on-going investigation, or where the data has passed its retention period and has been deleted.
If any of your details change you can update us through your normal business contact at R&Q.
11. Questions, Requests, or Complaints
If you have any questions about this Privacy Notice, or how to exercise your rights, please contact our Data Protection Officer:
Group Data Protection Officer
R&Q Insurance Holdings Ltd
71 Fenchurch Street
London EC3M 4BS
Email: dpo@rqih.com
If you are not satisfied with our response or believe that we are not handling your Personal Information in accordance with the law you can complain to the Information Commissioner’s Office (https://ico.org.uk/) in the UK or the relevant regulatory body in the EEA (https://edpb.europa.eu/about-edpb/about-edpb/members_en#member-mt).
12. Updates
This Privacy Notice is updated periodically to take account of changes in our business activities, legal requirements and to make sure it’s as transparent as possible.
This Privacy Notice was last updated on 3 October 2023.
