This Privacy Notice will help you understand the following:
- Who are we?
- Why do we collect and use your personal information?
- Where else do we collect information about you?
- Will we share your personal information with anyone else?
- Which decisions made about you will be automated?
- For how long will we keep your information?
- Will you be contacted for marketing purposes?
- Your information is incorrect what should you do?
- What are your rights over the information that is held by RSA?
- Our Privacy Notice
- How you can contact us about this Privacy Notice
- How you can lodge a complaint
Who are we?
We are Royal & Sun Alliance (RSA) Insurance plc, we provide commercial and consumer insurance products and services under a number of brands. We also provide insurance services in partnership with other companies.
Why do we collect and use your personal information?
As an insurer, we need your personal information to understand the level of insurance cover you require. We’ll use this information (e.g. your name, address, telephone number and email address) to communicate with you and if you have agreed, to send you news and offers related to our products and services.
We need to use your information to create a quote for you, allowing you to buy insurance products from us. When buying a product from us, you’ll also need to provide us with details about the items you wish to be covered by the insurance (e.g. car make and model, your home).
We may need to check information you have submitted with external companies/organisations (e.g. the DVLA, the Motor Insurance Database, credit reference agencies and criminal conviction checks.) When buying certain products, sometimes we will ask for special categories of personal data (e.g. driving offences for motor insurance, medical records in case of injury).
Once you become a customer, we’ll need to take your payment details to set up your cover. This could be direct debit, credit or debit card information. To service your policy, we might contact you via our website, emails, telephone calls or post. When using these services we might record additional information, such as passwords, online identifiers and call recordings.
For some of our products, we may collect information through smart sensors to assess your insurance needs (e.g. a black box installed in your vehicle when you buy a telematics driving product, which collects and uses geo-location and driving behaviour data).
If you need to claim against your insurance policy, we will need to collect information about the incident and this may be shared with other selected companies to help process the claim. If other people are involved in the incident, we may also need to collect additional information about them which can include special categories of personal data (e.g. injury and health data).
In submitting an application to us, you may provide us with equivalent or substantially similar information relating to other proposed beneficiaries under the policy. You agree that you will bring this Privacy Notice to the attention of each beneficiary at the earliest possible opportunity.
Data protection laws require us to meet certain conditions before we are allowed to use your personal information in the manner described in this Privacy Notice. To use your personal information, we will rely on one or more of the following grounds:
- Performance of contract: We need to use your personal information in order to provide you with the policy (which is a contract of insurance between you and us), and perform our obligations under it (such as making payments to you in respect of a claim made under the policy)
- Consent: In certain circumstances, we may need your consent unless authorised by law in order to use personal information about you which is classed as "special categories of personal data".
For marketing, you will always be given a choice over the use of your data.
- Necessity to establish, exercise or defend legal claim: If you, or we, bring a legal claim (e.g. a court action) against the other, we may use your information in either establishing our position, or defending ourselves in relation to that legal claim.
- Compliance with a legal obligation: Where laws or regulations may require us to use your personal information in certain ways.
- Legitimate Interests: We will also process your personal information where this processing is in our "legitimate interests". When relying on this condition, we are required to carry out a balancing test of our interests in using your personal information (for example, carrying out market research), against the interests you have as a citizen and the rights you have under data protection laws. The outcome of this balancing test will determine whether we can use your personal information in the ways described in this Privacy Notice. We will always act reasonably and give full and proper consideration to your interests in carrying out this balancing test.
Where else do we collect information about you?
Where possible, we’ll collect your personal information directly from you. However, on occasion we may receive details about you from other people or companies. For example, this might happen if:
- It was given to us by someone who applied for an insurance product on your behalf (e.g. an insurance broker, a family member) where you have given them the permission to do so; or
- It was supplied to us when you purchased an insurance product or service that is provided by us in partnership with other companies; or
- It was lawfully collected from other sources (e.g. Motor Insurance Database, Claims and Underwriting Exchange or fraud prevention databases) to validate the information you have provided to us.
We request those third parties to comply with data protection laws and to be transparent about any such disclosures. If you would like some further information, please contact us.
Will we share your personal information with anyone else?
We do not disclose your information outside of RSA except:
- Where we need to check the information you gave to us before we can offer you an insurance product (e.g. reference agencies);
- Where we are required or permitted to do so by law or relevant regulatory authority (e.g. financial crime screening, fraud detection/prevention);
- Where we provide insurance services in partnership with other companies (e.g. building societies, large retailers);
- In the event that we are bought or we sell any business or assets, in which case we will disclose your personal information to the prospective buyer of such business or assets;
- As required to enforce or apply this Privacy Notice, or the contract of insurance itself;
- Within our group for administrative purposes;
- As required in order to give effect to contractual arrangements we have in place with any insurance broker and/or intermediary through which you have arranged this policy;
- With healthcare providers in the context of any relevant claim being made against your policy;
- If we appoint a third party to process and settle claims under the policy on our behalf, in which case we will make your personal information available to them for the purposes of processing and settling such claims;
- With our third party service providers (including hosting/storage providers, research agencies, technology suppliers etc.);
- With our reinsurers (and brokers of reinsurers) in connection with the normal operation of our business;
Sometimes your personal information may be sent to other parties outside of the European Economic Area (EEA) in connection with the purposes set out above. We will take all reasonable steps to ensure that your personal information is treated securely and in accordance with this Privacy Notice, and in doing so may rely on certain "transfer mechanisms" such as the EU-US Privacy Shield, and the standard contractual clauses approved by the European Commission. If you would like further information please contact us.
Which decisions made about you will be automated?
Before we can offer you an insurance product or service, we may need to conduct the following activities, which involve automated (computer based) decision-making:
- Pricing and Underwriting – this process calculates the insurance risks based on the information that you have supplied. This will be used to calculate the premium you will have to pay.
- Credit Referencing – using the information given, calculations are performed to evaluate your credit rating. This rating will help us to evaluate your ability to pay for the quoted products and services.
- Smart Sensor Data Analytics – an insurance product that collects your information using smart sensors (e.g. in car black box) to calculate your insurance risk (e.g. driving score). This may then be used to determine your policy rewards (e.g. cash back for safe driving) and to calculate your policy renewal premium.
- Automated Claims – some small claims may qualify for automated processing, which will check the information you provide, resulting in a settlement or rejection of your claim.
The results of these automated decision-making processes may limit the products and services we can offer you. If you do not agree with the result, you have the right to request that we perform a manual reassessment using the same information that you originally provided. If you wish to do so please contact us.
For how long will we keep your information?
Your personal information will be retained under one or more of the following criteria:
- Where the personal information is used to provide you with the correct insurance cover, which will be kept as long as it is required to fulfil the conditions of the insurance contract.
- Where the use of your personal information for a specific purpose is based on your consent, it will be kept for as long as we continue to have your consent (e.g. we would stop contacting you for marketing purposes once you have asked us to).
- Where, for a limited period of time, we are using some of your information to improve the products or services we provide.
- For as long as your information is required to allow us to conduct fraud and/or criminal checks and investigations.
Will you be contacted for marketing purposes?
If you have agreed, we might contact you by post, email, phone and text message to let you know about offers and services we think you’ll like. The messages may be personalised using information you have previously provided us.
You can ask us to stop contacting you for marketing purposes at any point.
We will only contact you for marketing purposes if we collected your information directly, except when authorised and instructed by the third-party acting on your behalf.
Your information is incorrect what should you do?
If you hold a product or service with us and think that the information we hold about you is incorrect or incomplete, please contact us and we will be happy to update it for you.
What are your rights over the information that is held by RSA?
We understand that your personal information is important to you, therefore you may request the following from us to:
- Provide you with details about the personal information we hold about you, as well as a copy of the information itself in a commonly used format. [Request Ref: DSR 1]
- Request your personal information be deleted where you believe it is no longer required. Please note however, we may not be able to comply with this request in full where, for example, you are still insured with us and the information is required to fulfil the conditions of the insurance contract. [Request Ref: DSR 2]
- Request the electronic version of the personal information you have supplied to us, so it can be provided to another company. We would provide the information in a commonly used electronic format. [Request Ref: DSR 3]
- Request to restrict the use of your information by us, under the following circumstances [Request Ref: DSR 4]:
- If you believe that the information we hold about you is inaccurate, or;
- If you believe that our processing activities are unlawful and you do not want your information to be deleted.
- Where we no longer need to use your information for the purposes set out in this Privacy Notice, but it is required for the establishment, exercise or defence of a legal claim.
- Where you have made an objection to us (in accordance with section 5 below), pending the outcome of any assessment we make regarding your objection.
- Object to the processing of your data under the following circumstances [Request Ref: DSR 5]:
- Where we believe it is in the public interest to use your information in a particular way, but you disagree.
- Where we have told you we are using your data for our legitimate business interests and you believe we shouldn’t be (e.g. you were in the background of a promotional video but you did not agree to be in it.)
In each case under section 5 above, we will stop using your information unless we can reasonably demonstrate legitimate grounds for continuing to use it in the manner you are objecting to.
If you would like to request any of the above, please contact us and submit a written request, including the request reference (e.g. DSR 1), as this will speed up your request. To ensure that we do not disclose your personal information to someone who is not entitled to it, when you are making the request we may ask you to provide us with:
- Your name;
- Date of birth;
- Any policy IDs or reference numbers that you have along with a copy of your photo identification.
All requests are free of charge, although for requests for the provision of personal information we hold about you (DSR1) we reserve the right to charge a reasonable administrative fee where, we believe an excessive number of requests are being made. Wherever possible, we will respond within one month from receipt of the request, but if we don’t, we will notify you of anticipated timelines ahead of the one month deadline.
Please note that simply submitting a request doesn’t necessarily mean we will be able to fulfil it in full on every occasion – we are sometimes bound by law which can prevent us fulfilling some requests in their entirety, but when this is the case we will explain this to you in our response.
Our Privacy Notice
If you have any queries regarding our Privacy Notice please contact us and we will be happy to discuss any query with you. Our Privacy Notice will be updated from time to time so please check it each time you submit personal information to us or renew your insurance policy.
How you can contact us about this Privacy Notice
If you have any questions or comments about this Privacy Notice please contact:
The Data Protection Officer
Dean Clough Industrial Park
You may also email us at firstname.lastname@example.org.
How you can lodge a complaint
If you wish to raise a complaint on how we have handled your personal information, please send an email to email@example.com or write to us using the address provided. Our Data Protection Officer will investigate your complaint and will give you additional information about how it will be handled. We aim to respond in a reasonable time, normally 30 days.
If you are not satisfied with our response or believe we are not processing your personal information in compliance with UK Data Protection laws, you may lodge a complaint to the Information Commissioner’s Office, whose contact details are;
Information Commissioner’s Office