On this page you'll find:
- A description of the actions we've taken to safeguard our customers' and employees' personal data
- Frequently asked questions for customers
RSA takes its responsibilities to safeguard the personal data of its customers and employees seriously. This page describes the actions we're taking to do that and to meet the requirements of GDPR.
On 25 May 2018, the GDPR (General Data Protection Regulation) reforms and replaces the previous Data Protection Directive. It provides a set of standards regarding the treatment and protection of personal data.
Royal & Sun Alliance (RSA) Insurance plc takes its responsibilities to safeguard the personal data of its customers and employees seriously. To ensure that RSA would meet the requirements of GDPR we established projects in each of our impacted regions. These projects have been responsible for ensuring delivery of the requirements and as such, our data practices have been updated throughout the business. After Brexit, GDPR standards will continue to apply in the UK. For the purposes of this page, we continue to use the term GDPR.
As an insurer, we need personal information to understand the level of insurance cover required. We use this information (e.g. name, address, telephone number and email address) to communicate with customers and if agreed, to send news and offers related to our products and services.
We need to use personal information to create quotes, allowing customers to buy insurance products from us. When buying a product from us, the information is needed to provide us with details about the items to be covered by the insurance policy (e.g. car make and model, your home).
We may need to check information submitted with external companies/organisations (e.g. the DVLA, the Motor Insurance Database, credit reference agencies and criminal conviction checks). When buying certain products, we will sometimes need to ask for special categories of personal data (e.g. driving offences for motor insurance, medical records in case of injury).
For claims against an insurance policy, we must collect information about the incident and this may be shared with other selected companies to help process the claim. If other people are involved in the incident, we may also need to collect additional information about them, which can include special categories of personal data (e.g. injury or health data).
GDPR requires us to meet certain conditions before we are allowed to use personal data. We may rely on one or more of the following grounds:
RSA has a central record of personal data processing activities including information on storage and flows to internal and external systems where personal information is used. We have established processes to keep this record up to date.
In anticipation of GDPR, we reviewed our internal rules on how long we can keep different categories of personal data. Our approach to retention of personal data helps us comply with the requirement to process data lawfully and not keep more personal data than we should.
We have processes to satisfy data subject rights.
All data subject rights (access, erasure, portability, rectification, objection, restriction) have been considered with the updating of our processes and policies and now form part of our standard customer relationship framework.
For individuals who want to exercise their rights, the following process applies:
The main points of contact for customer rights are:
The Data Protection Officer
RSA Bowling Mill
Dean Clough Industrial Park
Halifax HX3 5WA
We have policies, standards and procedures in place which support the GDPR principles in relation to the protection of customer and employee data.
Requirements for incident reporting have been issued across our organisation. These include steps to take in the event of a data breach, and the appropriate parties to be notified.
Our processes are designed to ensure we are able to notify all required third parties as quickly as possible following the identification of a reportable data breach.
Any external information on a breach or suspected breach should be sent to:
Our Fair Processing Notice details how we process personal data.
In certain cases an individual’s personal information may be sent to other parties outside of the European Economic Area (EEA) in connection with the purposes necessary to deliver our insurance services. We take all reasonable steps to ensure that individual personal information is treated appropriately, and in doing so may rely on applicable transfer mechanisms such as the EU-US Privacy Shield and the standard contractual clauses approved by the European Commission.
RSA has appointed a Data Protection Officer. All non-customer queries in relation to data protection should be emailed to firstname.lastname@example.org.
Royal & Sun Alliance Insurance PLC
St Marks Court
West Sussex RH12 1XL
ICO Registration Number: Z7619834
All queries from partners, brokers and suppliers should continue to be directed as per the existing communication channels and relationship managers.
Under GDPR the rights are:
Personal data is information relating to an identifiable living individual. Whenever personal data is processed, collected, recorded, stored or disposed of, it must be done within the terms of GDPR. To find out more about your rights, please go to https://ico.org.uk/for-the-public
As an insurer we are allowed to use personal data where it is necessary for the contract of insurance. This contract acts as an alternative to customer consent.
We only rely on consent for marketing activities. Customers will be given an explicit opportunity to opt in or opt out of marketing consent and can change their mind at any time.
The regulator for GDPR is the Information Commissioner’s Office (ICO). To find out more, go to https://ico.org.uk/concerns/ or contact them by calling 0303 123 1113.
If a customer feels they have not received a full and satisfactory response from RSA, they have the right to lodge a complaint to the ICO.