Shareholder Privacy Notice

How we use your information

We are committed to protecting your privacy and complying with the provisions of the General Data Protection Regulation, the Data Protection Act 2018 and any subsequent data protection laws applicable within the jurisdiction of the United Kingdom of Great Britain and Northern Ireland (“Data Protection Legislation”). 

We have created this Shareholder Privacy Notice which will explain how we use the information we collect about you and how you can exercise your data protection rights. This Privacy Notice is separate to any contractual provisions which exist between us and is not intended to replace those provisions.  This Privacy Notice is subject to change on a regular basis and you are encouraged to check back for the latest updates.

If you are also a customer of any RSA group company, you should refer to the relevant Privacy Notices which govern the personal information we collect from you in relation to the provision of products and services which you purchase from us.

 

Who are we?

We are RSA Insurance Group plc (RSA), a public limited company registered in England under company number 02339826.  We operate in the UK and we are the relevant Controller of your information.  Any references to “RSA”, “we”, “us”, or “our” refer to the relevant RSA company within the RSA group that processes your personal data. 

This Privacy Notice extends to the share registry services provided by Equiniti Limited (“Equiniti”).  We have appointed Equiniti under the rules of the Companies Act to manage our register of shareholders.  Equiniti’s role as registrar includes keeping an up to date record of shares held by shareholders, administration of dividends, managing share transfers, issuing share certificates, and supporting other functions.  Equiniti, in carrying out our registry services will process information about you as a shareholder on behalf of RSA.

We would direct you to Equiniti for information on their Privacy Notice and Cookie Policy which applies when you use their website or online services which can be found here.

From time to time, RSA may appoint alternative organisations to act as our registrar for share registry services, and this Privacy Notice extends to the activities that those organisations may carry out on our behalf.

 

Why do we collect and use your personal information?

We will collect and use personal information such as (but not limited to) your name, contact details, your votes and the shareholder identification number which we have allocated to you as a shareholder of RSA.

We collect this personal information when you provide details to us directly or through your agents such as your stockbroker or share plan administrator.  We will also collect your information when you register for products and/or services through our websites.

We use your personal information (with the support of our registrar, Equiniti) for the following purposes:

  • Managing your shareholding in RSA which will include;
    • Contacting you with shareholder information, details of our Annual General Meeting, Extraordinary General Meeting, dividend distributions, resolutions and reports;
    • Administering your instructions as a shareholder and responding to issues raised;
    • Providing you with information on shareholder benefits such as special offers and discounts; and
    • Maintaining an up to date share register.

Data protection laws require us to meet certain conditions before we are allowed to use your personal information in the manner described in this Privacy Notice.  To use your personal information, we will rely on one or more of the following grounds:

  • Performance of contract: We need to use your personal information in order to provide you with services as a shareholder of our company. 
  • Consent: In certain circumstances, we may need your consent unless authorised by law in order to use personal information about you which is classed as "special categories of personal data".
  • Necessity to establish, exercise or defend legal claim: If you, or we, bring a legal claim (e.g. a court action) against the other, we may use your information in either establishing our position, or defending ourselves in relation to that legal claim.   
  • Compliance with a legal obligation: Where laws or regulations may require us to use your personal information in certain ways.  For example;
    • Managing your shareholder rights and our obligations to you as a shareholder pursuant to our Articles of Association and all relevant laws; and
    • Meeting our obligations to our regulators;
  • Legitimate Interests: We will also process your personal information where this processing is in our "legitimate interests". When relying on this condition, we are required to carry out a balancing test of our interests in using your personal information (for example, carrying out market research), against the interests you have as a citizen and the rights you have under data protection laws.  The outcome of this balancing test will determine whether we can use your personal information in the ways described in this Privacy Notice.  We will always act reasonably and give full and proper consideration to your interests in carrying out this balancing test.

For marketing, you will always be given a choice over the use of your data.  

 

Will we share your personal information with anyone else?

We do not disclose your information outside of RSA except to:

  • Equiniti or any other organisation appointed as our registrar;
  • Any organisation appointed by us or Equiniti to trace shareholders;
  • Payment providers assisting in the administration of dividend payments or other relevant payments to and from shareholders;
  • Other members of the RSA group of companies as necessary to administer our businesses;
  • Our regulators, which include the Financial Conduct Authority, the London Stock Exchange, HM Revenue and Customs, the Takeover Panel, and the Information Commissioner’s Office;
  • Where we are required or permitted to do so by law or relevant regulatory authority (e.g. financial crime screening, fraud detection/prevention);
  • As required to enforce or apply this Privacy Notice.

Sometimes your personal information may be sent to other parties outside of the United Kingdom (UK) and the European Economic Area (EEA) in connection with the purposes set out above.  We will take all reasonable steps to ensure that your personal information is treated securely and in accordance with this Privacy Notice, and in doing so may rely on certain "transfer mechanisms" such as the standard contractual clauses approved by the European Commission.  If you would like further information, please contact us.

 

For how long will we keep your information?

We store your personal data in accordance with the Data Protection Legislation, this Privacy Notice, and as determined by our data retention policy, as well as is required to satisfy any legal, accounting or reporting obligations, or as necessary to resolve disputes. 

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes we process your personal data for and whether we can achieve those purposes through other means, and applicable legal requirements. 

Your personal information will be retained under one or more of the following criteria:

  • Where the personal information is used to provide you with services as a shareholder, which will be kept as long as it is required to fulfil our obligations to you as a shareholder. 
  • Where you have sold your shareholding, we may retain your personal information for as long as required by statutory authorities to meet our obligations for accounting, legal, tax, and regulatory purposes.
  • For as long as your information is required to allow us to conduct fraud and/or criminal checks and investigations.
  • For as long as is required in the event that we have a reasonable expectation of litigation.

 

Will you be contacted for marketing purposes?

If you have agreed, we might contact you by post, email, phone and text message to let you know about offers and services we think you’ll like. The messages may be personalised using information you have previously provided us.

You can ask us to stop contacting you for marketing purposes at any point.

You will be given the opportunity to opt out of any direct marketing where we rely on our legitimate interests to market to you.

We will only contact you for marketing purposes if we collected your information directly, except when authorised and instructed by the third-party acting on your behalf.

We may use the information which we collect about you to show you relevant advertising on third-party websites (e.g. Facebook, and Google). This could involve showing you an advertising message where through the use of cookies, we know you have browsed our products and services. If you don’t want to be shown targeted advertising messages from us, you can change the advertising setting on some third-party sites and some browsers to block our adverts.

Our registrar, Equiniti, will only use your information for direct marketing of their products and services where you have expressly consented to their marketing activities.  You should refer to their Privacy Notice for further information which can be found here.

 

Your information is incorrect: what should you do?

If you think that the information we hold about you is incorrect or incomplete, please contact us and we will be happy to update it for you.

 

What are your rights over the information that is held by RSA?

We understand that your personal information is important to you. Therefore, in accordance with your rights under the Data Protection Legislation, you may ask us to:

  1. Provide you with details about the personal information we hold about you, as well as a copy of the information itself in a commonly used format. This is known as the right of subject access and is an entitlement to a copy of the information only; you are not entitled to documents. Legislation may require or allow us to withhold certain information in some circumstances.
  2. Request your personal information be deleted where you believe it is no longer required. This is known as the right of erasure.  Please note, however, that we may not be able to comply with this request in full where we rely on our legitimate interests in retaining your personal data, for example, we are required to retain your information to comply with a legal obligation, or there is a reasonable expectation of litigation.
  3. Request the electronic version of the personal information you have supplied to us, so it can be provided to another company. This is known as the right of data portability.  We would provide the information in a commonly used electronic format.
  4. Request to restrict the use of your information by us, under the following circumstances:
    • If you believe that the information we hold about you is inaccurate, or;
    • If you believe that our processing activities are unlawful but you do not want your information to be deleted.
    • Where we no longer need to use your information for the purposes set out in this Privacy Notice, but it is required for the establishment, exercise or defence of a legal claim.
    • Where you have raised an objection with us (in accordance with section 5 below), pending the outcome of any assessment we make regarding your objection.
  5. Object to the processing of your data under the following circumstances:
    • Where we believe it is in the public interest to use your information in a particular way, but you disagree.
    • Where we have told you we are using your data for our legitimate business interests and you believe we shouldn’t be (e.g. you were in the background of a promotional video but you did not agree to be in it).

In each case under section 5 above, we will stop using your information unless we can reasonably demonstrate legitimate grounds for continuing to use it in the manner you are objecting to.

If you would like to request any of the above, please contact us to submit a request. To ensure that we do not disclose your personal information to someone who is not entitled to it, when you are making the request we may ask you to provide us with:

  • Your name;
  • Address(es);
  • Date of birth;
  • Your shareholder reference number;
  • A copy of your photo identification, such as your photocard driving licence or passport; and
  • A copy of a utility bill showing your name and address dated within 3 months of your request.

If you appoint an agent to act on your behalf, for example, a friend or a solicitor, we will ask them to provide your signed authority for them to act on your behalf AND the identity information and documents listed above.

All requests are free of charge, although for requests for the provision of personal information we hold about you we reserve the right to charge a reasonable administrative fee where we believe an excessive number of requests are being made. Wherever possible, we will respond within one month from receipt of the request, but if we don’t, we will notify you of anticipated timelines ahead of the one month deadline together with a brief explanation as to why we are unable to respond within the initial one month deadline.  Please note that if any deadline for us responding to your rights as a data subject falls on a weekend or a bank holiday, we are permitted to roll the time for responding forward to the next working day.

Please note that simply submitting a request doesn’t necessarily mean we will be able to fulfil it in full on every occasion – we are sometimes bound by law which can prevent us fulfilling some requests in their entirety, but when this is the case we will explain this to you in our response.

 

Our Privacy Notice

If you have any queries regarding our Privacy Notice please contact us and we will be happy to discuss any query with you. Our Privacy Notice will be updated from time to time so please check it each time you submit personal information to us or renew your insurance policy.

If you have any questions or comments about this Privacy Notice please contact:

The Data Protection Officer
RSA
Bowling Mill
Dean Clough Industrial Park
Halifax
HX3 5WA

You may also email us at crt.halifax@uk.rsagroup.com.

 

How you can lodge a complaint

If you wish to raise a complaint on how we have handled your personal information, please send an email to our Customer Relations Team using their email address crt.halifax@uk.rsagroup.com or write to us using the address provided.

You also have the right to lodge a complaint with the Information Commissioner’s Office. You can do this by accessing their website, by calling their helpline on 0303 123 1113, or by writing to them at the address below. You also have the right to seek a judicial remedy.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

 

Other helpful links

If you want to know more about how RSA is working to keep your personal information safe, you may also want to look at: