Commercial privacy policy

Your privacy is important to us and we are committed to keeping it protected. We have created this Privacy Notice which will explain how we use the information we collect about you and how you can exercise your data protection rights.

This Privacy Notice will help you understand the following:

  • Who are we?
  • Why do we collect and use your personal information?
  • Where else do we collect information about you?
  • Will we share your personal information with anyone else?
  • For how long will we keep your information?
  • What are your rights over the information that is held by RSA?
  • Our Privacy Notice
  • How you can contact us about this Privacy Notice
  • How you can lodge a complaint

 

Who are we?

We are Royal & Sun Alliance (RSA) Insurance plc, we provide commercial and consumer insurance products and services under a number of brands. We also provide insurance services in partnership with other companies.

 

Why do we collect and use your personal information?

If you are the policy holder, we need your information to understand the level of insurance cover you require. We’ll use this information (e.g. your name, address, telephone number and email address) to communicate with you and provide you with our services. We may need to check information you have submitted with external companies/organisations (e.g. the Motor Insurance Database).

When a claim is made against an insurance policy, we will need to collect personal data relevant to the incident and this may be shared with other selected companies to help process the claim. If other people are involved in the incident, we may also need to collect additional information about them which can include special categories of personal data (e.g. injury and health data).

In submitting an application to us, you may provide us with equivalent or substantially similar information relating to other proposed beneficiaries under the policy.  You agree that you will bring this Privacy Notice to the attention of each beneficiary at the earliest possible opportunity.

Data protection laws require us to meet certain conditions before we are allowed to use your personal information in the manner described in this Privacy Notice.  To use your personal information, we will rely on one or more of the following grounds:

  • Performance of contract: We need to use your personal information in order to provide you with the policy (which is a contract of insurance between you and us), and perform our obligations under it (such as making payments to you in respect of a claim made under the policy).
  • Consent: In certain circumstances, we may need your consent unless authorised by law in order to use personal information about you which is classed as "special categories of personal data".

    When covering beneficiaries under your policy or your legal responsibility to third parties, we may need consent from these third parties unless authorised by law in order to use their personal information.
  • Necessity to establish, exercise or defend legal claim: If you, or we, bring a legal claim (e.g. a court action) against the other, we may use your information in either establishing our position, or defending ourselves in relation to that legal claim.  
  • Compliance with a legal obligation: Where laws or regulations may require us to use your personal information in certain ways.
  • Legitimate Interests: We will also process your personal information where this processing is in our "legitimate interests". When relying on this condition, we are required to carry out a balancing test of our interests in using your personal information (for example, carrying out market research), against the interests you have as a citizen and the rights you have under data protection laws. The outcome of this balancing test will determine whether we can use your personal information in the ways described in this Privacy Notice.  We will always act reasonably and give full and proper consideration to your interests in carrying out this balancing test.

 

Where else do we collect information about you?

Where possible, we’ll collect your personal information directly from you. However, on occasion we may receive details about you from other people or companies. For example, this might happen if:

  • It was given to us by someone who applied for an insurance product on your behalf (e.g. an insurance broker, a family member) where you have given them the permission to do so; or
  • It was supplied to us when you purchased an insurance product or service that is provided by us in partnership with other companies; or
  • It was lawfully collected from other sources (e.g. Motor Insurance Database, Claims and Underwriting Exchange or fraud prevention databases) to validate the information you have provided to us.

We request those third parties to comply with data protection laws and to be transparent about any such disclosures.  If you would like some further information, please contact us.

 

Will we share your personal information with anyone else?

We do not disclose your information outside of RSA except:

  • Where we need to check the information you gave to us before we can offer you an insurance product (e.g. reference agencies);
  • Where we are required or permitted to do so by law or relevant regulatory authority (e.g. financial crime screening, fraud detection/prevention);
  • Where we provide insurance services in partnership with other companies (e.g. building societies, large retailers);
  • In the event that we are bought or we sell any business or assets, in which case we will disclose your personal information to the prospective buyer of such business or assets;
  • As required to enforce or apply this Privacy Notice, or the contract of insurance itself;
  • Within our group for administrative purposes;
  • As required in order to give effect to contractual arrangements we have in place with any insurance broker and/or intermediary through which you have arranged this policy;
  • With healthcare providers in the context of any relevant claim being made against your policy;
  • If we appoint a third party to process and settle claims under the policy on our behalf, in which case we will make your personal information available to them for the purposes of processing and settling such claims;
  • With our third party service providers (including hosting/storage providers, research agencies, technology suppliers etc.);
  • With our reinsurers (and brokers of reinsurers) in connection with the normal operation of our business.

Sometimes your personal information may be sent to other parties outside of the European Economic Area (EEA) in connection with the purposes set out above.  We will take all reasonable steps to ensure that your personal information is treated securely and in accordance with this Privacy Notice, and in doing so may rely on certain "transfer mechanisms" such as the EU-US Privacy Shield, and the standard contractual clauses approved by the European Commission.  If you would like further information please contact us.

  

For how long will we keep your information?

Your personal information will be retained under one or more of the following criteria:

  • Where the personal information is used to provide you with the correct insurance cover, which will be kept as long as it is required to fulfil the conditions of the insurance contract.
  • Where the use of your personal information for a specific purpose is based on your consent, it will be kept for as long as we continue to have your consent (e.g. we would stop contacting you for marketing purposes once you have asked us to).
  • Where, for a limited period of time, we are using some of your information to improve the products or services we provide.
  • For as long as your information is required to allow us to conduct fraud and/or criminal checks and investigations.

 

What are your rights over the information that is held by RSA?

We understand that your personal information is important to you, therefore you may request the following from us to:

  1. Provide you with details about the personal information we hold about you, as a well as a copy of the information itself in a commonly used format. [Request Ref: DSR 1]
  2. Request your personal information be deleted where you believe it is no longer required. Please note however, we may not be able to comply with this request in full where, for example, you are still insured with us and the information is required to fulfil the conditions of the insurance contract. [Request Ref: DSR 2]
  3. Request the electronic version of the personal information you have supplied to us, so it can be provided to another company. We would provide the information in a commonly used electronic format. [Request Ref: DSR 3]
  4. Request to restrict the use of your information by us, under the following circumstances [Request Ref: DSR 4]:
    • If you believe that the information we hold about you is inaccurate, or;
    • If you believe that our processing activities are unlawful and you do not want your information to be deleted.
    • Where we no longer need to use your information for the purposes set out in this Privacy Notice, but it is required for the establishment, exercise or defence of a legal claim.
    • Where you have made an objection to us (in accordance with section 5 below), pending the outcome of any assessment we make regarding your objection.
  5. Object to the processing of your data under the following circumstances [Request Ref: DSR 5]:
    • Where we believe it is in the public interest to use your information in a particular way, but you disagree.
    • Where we have told you we are using your data for our legitimate business interests and you believe we shouldn’t be (e.g. you were in the background of a promotional video but you did not agree to be in it.)

In each case under section 5 above, we will stop using your information unless we can reasonably demonstrate legitimate grounds for continuing to use it in the manner you are objecting to.

If you would like to request any of the above, please contact us and submit a written request, including the request reference (e.g. DSR 1), as this will speed up your request. To ensure that we do not disclose your personal information to someone who is not entitled to it, when you are making the request we may ask you to provide us with:

  • Your name;
  • Address(es);
  • Date of birth;
  • Any policy IDs or reference numbers that you have along with a copy of your photo identification.

All requests are free of charge, although for requests for the provision of personal information we hold about you (DSR1) we reserve the right to charge a reasonable administrative fee where, we believe an excessive number of requests are being made. Wherever possible, we will respond within one month from receipt of the request, but if we don’t, we will notify you of anticipated timelines ahead of the one month deadline. 

Please note that simply submitting a request doesn’t necessarily mean we will be able to fulfil it in full on every occasion – we are sometimes bound by law which can prevent us fulfilling some requests in their entirety, but when this is the case we will explain this to you in our response.

 

Our Privacy Notice

If you have any queries regarding our Privacy Notice please contact us and we will be happy to discuss any query with you. Our Privacy Notice will be updated from time to time so please check it each time you submit personal information to us or renew your insurance policy.

 

How you can contact us about this Privacy Notice

If you have any questions or comments about this Privacy Notice please contact:

The Data Protection Officer
RSA
Bowling Mill
Dean Clough Industrial Park
Halifax
HX3 5WA

You may also email us at crt.halifax@uk.rsagroup.com

 

How you can lodge a complaint

If you wish to raise a complaint on how we have handled your personal information, please send an email to crt.halifax@uk.rsagroup.com or write to us using the address provided. Our Data Protection Officer will investigate your complaint and will give you additional information about how it will be handled. We aim to respond in a reasonable time, normally 30 days.

If you are not satisfied with our response or believe we are not processing your personal information in compliance with UK Data Protection laws, you may lodge a complaint to the Information Commissioner’s Office, whose contact details are;

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF