General Data Protection Regulation

APC Underwriting Privacy Notice

APC Underwriting (APC) believe in protecting the personal information that you provide us with. The privacy and security of your personal data is very important to us and we want to assure you that your personal data will be properly managed and protected.

This notice is designed to help you understand how we and other insurance market participants process your personal data through the Insurance Lifecycle. It is important that you read this notice.

This notice may be updated from time: this version is dated 25/05/2018 but historic versions are available on request.

Third Party Information Notice – The London Insurance Market Core Uses Information Notice

Insurance involves the use and disclosure of your personal data by various insurance market participants such as intermediaries, insurers and reinsurers. The London Insurance Market has produced a Core Uses Information Notice which sets out those core necessary personal data uses and disclosures throughout the insurance lifecycle, and in particular sets out how other insurance market participants process your personal data. Our core uses and disclosures are consistent with the London Market Core Uses Information Notice. In addition to reviewing our information notice, we recommend you review the London Insurance Market Core Uses Information Notice. Please follow the below link to The London Insurance Market Core Uses Information Notice at www.lmalloyds.com

http://www.lmalloyds.com/AsiCommon/Controls/BSA/Downloader.aspx?iDocumentStorageKey=9a276d99-df62-4bc2-9805-cd80c78daf20&iFileTypeCode=PDF&iFileName=LMA%20Guidance:%20GDPR%20Core%20Uses%20Information%20Notice

Please note that we do not control the LMA website and are not responsible for the London Insurance Market Core Uses Information Notice.

If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact our data protection contact using the details set out below:

CONTACT DETAILS

APC Underwriting
80 Leadenhall Street
London
EC3A 3DH
Email: data@apcuw.com

Glossary

Please see below a glossary of key insurance and data protection terms used in this notice for your ease. These defined words are shown in bold throughout this notice:

Beneficiary means an individual or a company that an insurance policy states may receive payment under the insurance policy if an insured event occurs. A beneficiary does not have to be the insured/policyholder and there may be more than one beneficiary under an insurance policy.

Claimant means either a beneficiary who is making a claim under an insurance policy or an individual or a company who is making a claim against a beneficiary where that claim is covered by the insurance policy.

Claims processing means the process of handling a claim that is made under an insurance policy.

Data controller(s) means an entity which collects and holds personal data. It decides what personal data it collects about you and how that personal data is used. Any of the insurance market participants when using your personal data for the purposes set out in “Purposes, categories, legal grounds and recipients of our processing your personal data” on page 7 of this Notice could be data controllers.

Data protection contact means the person named by the relevant insurance market participant who you should contact if you have any queries or requests regarding your personal data or how we are using it. In many cases (although not all), this person will the Data Protection Officer of the relevant insurance market participant.

GDPR means the EU General Data Protection Regulation and the new UK Data Protection Act, which replaces the UK Data Protection Act 1998 from 25th May 2018.

Inception means the start date of the insurance policy.

Information Commissioner’s Office (ICO) means the regulator (or National Competent Authority/Data Protection Authority) for data protection matters in the UK.

Insurance means the pooling and transfer of risk in order to provide financial protection against a possible eventuality. There are many types of insurance.

Insurance policy(ies) means a contract of insurance between the insurer and the insured/policyholder.

Insurance market participant(s) or participant(s) means an intermediary, insurer or reinsurer.

Insured(s)/policyholder(s) means the individual or company in whose name the insurance policy is issued. A potential insured/policyholder may approach an intermediary to purchase an insurance policy or they may approach an insurer directly.

Insurer(s)/underwriter(s) means a company who provide insurance cover to insured/policyholder in return for premium. An insurer may also be a reinsurer.

Intermediary(ies) means a company(ies) who help insureds/policyholders and insurers/underwriters arrange insurance cover.

Lloyd’s means a specialist insurance market place where insurance policies are underwritten.

Policy administration means the process of administering and managing an insurance policy following its inception.

Personal data means any data from which you can be identified and which relates to you. It may include data about any claims you make. Personal data does not include any data where the identity of a natural person has been removed (anonymous data).

Processing of personal data means collecting, using, storing, disclosing or erasing your personal data.

Premium means the amount of money to be paid by the insured/policyholder to the insurer/underwriter for the insurance policy.

Quotation means the process of providing a quote to a potential insured/policyholder for an insurance policy.

Reinsurance means insurance purchased by an insurer from a reinsurer.

Reinsurer(s) means a company who provide insurance cover to another insurer/underwriter or reinsurer.

Renewal means the process of the insurer under an insurance policy providing a quotation to the insured/policyholder for a new insurance policy to replace the existing one on its’ expiry.

We, us, our means APC Underwriting.

You or your means the individual whose personal data may be processed by an insurance market participant. You may be the insured/policyholder, beneficiary, claimant or other person involved in a claim or relevant to an insurance policy.

Insurance Lifecycle

To view the Insurance Lifecycle please select Insurance Lifecycle

Flow of personal data through insurance lifecycle

To view the Flow of personal data through insurance lifecycle please select – APC – Flow of personal data through insurance lifecycle

The data we may collect about your (your personal data)

The types of personal data that are processed are defined below and have the same meaning when used throughout this notice:

Type of personal data Details
Individual details Your name, address (including proof of address), other contact details e.g. email and telephone numbers), gender, marital status, date and place of birth, nationality, employer, job title and employment history, individual family details (including their relationship to you
Identification details Your national insurance number, passport number, tax identification number, driving license number
Financial information Your bank account and/or payment card details, income and other financial information
Risk details Information about you which we need to collect in order to assess the risk to be insured and provide a quotation. This may include data relating to your health, criminal convictions and other special categories of personal data. For certain types of insurance, this could include telematics data
Policy information Information about the quotations you receive and insurance policies you take out
Credit and anti-fraud data Your credit history, credit score, sanctions and criminal offences and information received from various anti-fraud databases relating to you
Current / previous claims Information about previous and current claims (including other unrelated insurance), your health, criminal convictions and other special categories of personal data and in some cases, surveillance reports
Special categories of personal data Certain categories of personal data which have additional protection under the GDPR. The categories are health, criminal convictions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data or data concerning sex life or orientation

In order for us to obtain insurance quotations, administer insurance policies and/or deal with any claims or complaints, we need to collect and process personal data about you. Where we need to collect personal data by law or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the services we have provided or are trying to provide to you (for example, to obtain insurance for you).

We also collect, use and share aggregated data such as statistical or demographic data for our legitimate business interests. Aggregated data may be derived from your personal data but does not reveal your identity. However, any data which can identify you will be treated as personal data and used in accordance with this privacy notice.

Where we might collect your personal data from

We might collect your personal data from various sources depending on your particular circumstances including;

  • You;
  • Your family members, employer, insurance broker or representative;
  • Other insurance market participants;
  • Credit reference agencies;
  • Anti-fraud databases, sanction lists, court judgements and other databases;
  • Government agencies such as DVLA and HMRC;
  • Open electoral register;
  • Data held in the public domain
  • In the event of a claim:
    • Third parties (including administrators and suppliers);
    • Claimant / defendant
    • WitnessesDetails
    • Experts (including medical experts)
    • Loss Adjusters / loss assessors
    • Solicitors
    • Claims handlers

Legal grounds we rely on to process your personal data

Legal ground for processing personal data Details
Performance of our contract with you Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.
Compliance with a legal obligation Processing is necessary for compliance with a legal obligation to which we are subject.
Protection of vital interests Processing is necessary in order to protect the vital interests of you or another natural person.
In the public interest Processing is necessary for the performance of a task carried out in the public interest.
For our legitimate business interests Processing is necessary for the purpose of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where you are a child. These legitimate interests are set out next to each purpose.
Legal ground for processing special category personal data Details
Your explicit consent You have given your explicit consent to the processing of those personal data for one or more specified purposes, where we are unable to procure, provide or administer insurance without this consent.

You are free to withdraw your consent by contacting our data protection contact. However withdrawal of your consent will impact our ability to provide insurance or pay claims

Protection of vital interests where you are unable to give consent Processing is necessary to protect the vital interests of you or of another natural person where you are physically or legally incapable of giving consent.
For legal claims Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
In the substantial public interest Processing is necessary for reasons of substantial public interest, on the basis of EU or UK law.

Purposes, categories, legal grounds and recipients of our processing your personal data

To view the purposes we might use your personal data for please select – APC Purposes, categories, legal grounds and recipients of our processing your personal data

Identities of data controllers and data protection contacts

The Insurance Lifecycle involves the sharing of your personal data between insurance market participants, some of which you will not have direct contact with. In addition, your personal data may not have been collected directly by an insurance market participant.

You can find out the identity of the initial data controller of your personal data within the Insurance Lifecycle in the following ways:

  • Where you took out the insurance policy yourself

The insurer/underwriter and, if purchased through an intermediary, the intermediary will be the initial data controller and their data protection contact can advise you on the identities of other insurance market participants that they have passed your personal data to.

  • Where your employer or another organisation took out the insurance policy for your benefit

You should contact your employer or the organisation that took out the insurance policy. Your employer or other organisation should provide you with details of the insurer/underwriter or intermediary that they provided your personal data to. You should then contact the insurer’s/underwriter’s data protection contact who can advise you on the identities of other insurance market participants that they have passed your personal data to.

  • Where you are not a policyholder or an insured

You should contact the organisation that collected your personal data who should provide you with details of the relevant insurance market participant’s data protection contact.

Consent to process your personal data

In order to provide insurance and deal with insurance claims, insurance market participants may need to process your special categories of personal data, such as medical and criminal conviction records, as set out above against the relevant purpose.

Your consent to this processing may be necessary for the insurance market participants to achieve this.

You may withdraw your consent to such processing at any time. However, if you withdraw your consent this will impact our ability to provide insurance or deal with claims.

Marketing

Marketing communications from us

We may use your individual details and policy information to evaluate the products and services which we think will be of interest and relevant to you.

Unless you have told us not to, you may receive marketing communications from us if you have requested information from us or purchased services from us. Such marketing communications may include risk or insurance related information or details of products or services which we think, may be of interest to you.

Third party marketing

We will not share your personal data with any third party for their own marketing purposes without your express permission.

Opting out

You can ask us or third parties to stop sending you marketing communications at any time by contacting our data protection contact at data@apcuw.com.

Profiling and automatic decision making

When calculating an insurance premium, we and other insurance market participants may compare your personal data against industry averages. Your personal data may also be used to create the industry averages going forward. This is known as profiling and is used to ensure the premium charged reflects the risk presented.

Profiling may also be used to assess information you provide to understand fraud patterns.

Where special categories of personal data are relevant, such as medical history for life insurance or past motoring convictions for motor insurance, your special categories of personal data may also be used for profiling.

We might make some decisions based on profiling and without staff intervention (known as automatic decision making). We will provide details of any automated decision making upon request including:

  • where we use such automated decision making
  • the logic involved
  • the consequences of the automated decision making
  • any facility for you to haver the logic explained to you and submit further information so the decision may be reconsidered

Retention of your personal data

We will keep your personal data including aggregated data for so long as is necessary and for our legitimate business interests (e.g. risk modelling and underwriting). In particular, for so long as there is any possibility that either you or we may wish to bring a legal claim under this insurance, or where we are required to retain your personal data due to legal or regulatory reasons.

International transfers

We may need to transfer your personal data to insurance market participants or their affiliates or sub-contractors which are located outside of the European Economic Area (EEA). Those transfers would always be made in compliance with the GDPR.

If you would like further details of how your personal data would be protected if transferred outside of the EEA, please contact the data protection contact of the relevant insurance market participant.

Your rights and contact details for the ICO

If you have any questions in relation to our use of your personal data, you should first contact the data protection contact of the relevant insurance market participant. Under certain conditions, you may have the right to require us to:

  • provide you with further details on the use we make of your personal data including special categories of data;
  • provide you with a copy of the personal data including special category data that you have provided to us;
  • update any inaccuracies in the personal data including special category data we hold;
  • delete any personal data including special category data that we no longer have a lawful ground to use;
  • where processing is based on consent, to withdraw your consent so that we stop that particular processing;
  • object to any processing based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights; and
  • restrict how we use your personal data whilst a complaint is being investigated.

In certain circumstances, we may need to restrict the above rights in order to safeguard the public interest e.g. the detection and prevention of crime and our interests e.g. the maintenance of legal privilege.

Your right to complain to the ICO

If you are not satisfied with our use of your personal data or our response to any request by you to exercise any of your rights above, or if you think we have breached the GDPR then you have the right to complain to the ICO.

Please see below contact details of the ICO:

apc table