General Data Protection Regulation
Cactus Cover Privacy Notice
Cactus Cover (and other members of our corporate group) believe in protecting the personal information that you provide us with. The privacy and security of your personal data is very important to us and we want to assure you that your personal data will be properly managed and protected.
This notice is designed to help you understand how we process your personal data through the Insurance Lifecycle. It is important that you read this notice.
This notice may be updated from time: this version is dated 25/05/2018 but historic versions are available on request.
If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact our data protection contact using the details set out below:
80 Leadenhall Street
Please see below a glossary of key insurance and data protection terms used in this notice for your ease. These defined words are shown in bold throughout this notice:
Beneficiary means an individual or a company that an insurance policy states may receive payment under the insurance policy if an insured event occurs. A beneficiary does not have to be the insured/policyholder and there may be more than one beneficiary under an insurance policy.
Claimant means either a beneficiary who is making a claim under an insurance policy or an individual or a company who is making a claim against a beneficiary where that claim is covered by the insurance policy.
Claims processing means the process of handling a claim that is made under an insurance policy.
Data controller(s) means an entity which collects and holds personal data. It decides what personal data it collects about you and how that personal data is used. Any of the insurance market participants when using your personal data for the purposes set out in “Purposes, categories, legal grounds and recipients of our processing your personal data” on page 7 of this Notice could be data controllers.
Data protection contact means the person named by the relevant insurance market participant who you should contact if you have any queries or requests regarding your personal data or how we are using it. In many cases (although not all), this person will the Data Protection Officer of the relevant insurance market participant.
GDPR means the EU General Data Protection Regulation and the new UK Data Protection Act, which replaces the UK Data Protection Act 1998 from 25th May 2018.
Inception means the start date of the insurance policy.
Information Commissioner’s Office (ICO) means the regulator (or National Competent Authority/Data Protection Authority) for data protection matters in the UK.
Insurance means the pooling and transfer of risk in order to provide financial protection against a possible eventuality. There are many types of insurance.
Insurance policy(ies) means a contract of insurance between the insurer and the insured/policyholder.
Insurance market participant(s) or participant(s) means an insurer or reinsurer.
Insured(s)/policyholder(s) means the individual or company in whose name the insurance policy is issued.
Insurer(s)/underwriter(s) means a company who provide insurance cover to insured/policyholder in return for premium. An insurer may also be a reinsurer.
Lloyd’s means a specialist insurance market place where insurance policies are underwritten.
Policy administration means the process of administering and managing an insurance policy following its inception.
Personal data means any data from which you can be identified and which relates to you. It may include data about any claims you make. Personal data does not include any data where the identity of a natural person has been removed (anonymous data).
Processing of personal data means collecting, using, storing, disclosing or erasing your personal data.
Premium means the amount of money to be paid by the insured/policyholder to the insurer/underwriter for the insurance policy.
Quotation means the process of providing a quote to a potential insured/policyholder for an insurance policy.
Reinsurance means insurance purchased by an insurer from a reinsurer.
Reinsurer(s) means a company who provide insurance cover to another insurer/underwriter or reinsurer.
Renewal means the process of the insurer under an insurance policy providing a quotation to the insured/policyholder for a new insurance policy to replace the existing one on its’ expiry.
We, us, our means Cactus Cover.
You or your means the individual whose personal data may be processed by an insurance market participant. You may be the insured/policyholder, beneficiary, claimant or other person involved in a claim or relevant to an insurance policy.
To view the Insurance Lifecycle please select – Insurance Lifecycle
Flow of personal data through insurance lifecycle
To view the Flow of personal data through insurance lifecycle please select – Flow of personal data through insurance lifecycle
The data we may collect about you (your personal data)
The types of personal data that are processed are defined below and have the same meaning when used throughout this notice:
|Type of personal data||Details|
|Individual details||Your name, address (including proof of address), other contact details e.g. email and telephone numbers), gender, marital status, date and place of birth, nationality, employer, job title and employment history, individual family details (including their relationship to you|
|Identification details||Your national insurance number, passport number, tax identification number, driving license number|
|Financial information||Your bank account and/or payment card details, income and other financial information|
|Risk details||Information about you which we need to collect in order to assess the risk to be insured and provide a quotation. This may include data relating to your health, criminal convictions and other special categories of personal data. For certain types of insurance, this could include telematics data|
|Policy information||Information about the quotations you receive and insurance policies you take out|
|Credit and anti-fraud data||Your credit history, credit score, sanctions and criminal offences and information received from various anti-fraud databases relating to you|
|Current / previous claims||Information about previous and current claims (including other unrelated insurance), your health, criminal convictions and other special categories of personal data and in some cases, surveillance reports|
|Special categories of personal data||Certain categories of personal data which have additional protection under the GDPR. The categories are health, criminal convictions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data or data concerning sex life or orientation|
In order for us to obtain insurance quotations, administer insurance policies and/or deal with any claims or complaints, we need to collect and process personal data about you. Where we need to collect personal data by law or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the services we have provided or are trying to provide to you (for example, to obtain insurance for you).
We also collect, use and share aggregated data such as statistical or demographic data for our legitimate business interests. Aggregated data may be derived from your personal data but does not reveal your identity. However, any data which can identify you will be treated as personal data and used in accordance with this privacy notice.
Where we might collect your personal data from
We might collect your personal data from various sources depending on your particular circumstances including;
- Your family members, employer, insurance broker or representative;
- Other insurance market participants;
- Credit reference agencies;
- Anti-fraud databases, sanction lists, court judgements and other databases;
- Government agencies such as DVLA and HMRC;
- Open electoral register;
- Data held in the public domain
- In the event of a claim:
- Third parties (including administrators and suppliers);
- Claimant / defendant
- Experts (including medical experts)
- Loss Adjusters / loss assessors
- Claims handlers
Legal grounds we rely on to process your personal data
|Legal ground for processing personal data||Details|
|Performance of our contract with you||Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.|
|Compliance with a legal obligation||Processing is necessary for compliance with a legal obligation to which we are subject.|
|Protection of vital interests||Processing is necessary in order to protect the vital interests of you or another natural person.|
|In the public interest||Processing is necessary for the performance of a task carried out in the public interest.|
|For our legitimate business interests||Processing is necessary for the purpose of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where you are a child. These legitimate interests are set out next to each purpose.|
|Legal ground for processing special category personal data||Details|
|Your explicit consent||You have given your explicit consent to the processing of those personal data for one or more specified purposes, where we are unable to procure, provide or administer insurance without this consent.You are free to withdraw your consent by contacting our data protection contact. However withdrawal of your consent will impact our ability to provide insurance or pay claims.|
|Protection of vital interests where you are unable to give consent||Processing is necessary to protect the vital interests of you or of another natural person where you are physically or legally incapable of giving consent.|
|In the substantial public interest||Processing is necessary for reasons of substantial public interest, on the basis of EU or UK law.|
Purposes, categories, legal grounds and recipients of our processing your personal data
To view the purposes we might use your personal data for please select – Purposes, categories, legal grounds and recipients of our processing your personal data
Identities of data controllers and data protection contacts
The Insurance Lifecycle involves the sharing of your personal data between us and other insurance market participants, some of which you will not have direct contact with. In addition, your personal data may not have been collected directly by an insurance market participant.
You can find out the identity of the initial data controller of your personal data within the Insurance Lifecycle in the following ways:
- Where you took out the insurance policy yourself
The insurer/underwriter and, if purchased through an intermediary, the intermediary will be the initial data controller and their data protection contact can advise you on the identities of other insurance market participants that they have passed your personal data to.
- Where your employer or another organisation took out the insurance policy for your benefit
You should contact your employer or the organisation that took out the insurance policy. Your employer or other organisation should provide you with details of the insurer/underwriter or intermediary that they provided your personal data to. You should then contact the insurer’s/underwriter’s data protection contact who can advise you on the identities of other insurance market participants that they have passed your personal data to.
- Where you are not a policyholder or an insured
You should contact the organisation that collected your personal data who should provide you with details of the relevant insurance market participant’s data protection contact.
Consent to process your personal data
In order to provide insurance quotations and deal with insurance policy administration (including claims assistance), we and other insurance market participants may need to process your special categories of personal data, such as medical and criminal conviction records, as set out above against the relevant purpose.
Your consent to this processing may be necessary for us and the insurance market participants to achieve this.
You may withdraw your consent to such processing at any time. However, if you withdraw your consent this will impact our ability to provide our services to you.
Marketing communications from us
We may use your individual details and policy information to evaluate the products and services which we think will be of interest and relevant to you.
Unless you have told us not to, you may receive marketing communications from us if you have requested information from us or purchased services from us. Such marketing communications may include risk or insurance related information or details of products or services which we think, may be of interest to you.
Third party marketing
We will not share your personal data with any third party for their own marketing purposes without your express permission.
You can ask us or third parties to stop sending you marketing communications at any time by contacting our data protection contact at firstname.lastname@example.org.
Retention of your personal data
We will keep your personal data including aggregated data for so long as is necessary and for our legitimate business interests (e.g. transferring books of business). In addition, for so long as there is any possibility that either you or we may wish to bring a legal claim under this insurance, or where we are required to retain your personal data due to legal or regulatory reasons.
We may need to transfer your personal data to insurance market participants or their affiliates or sub-contractors which are located outside of the European Economic Area (EEA). Those transfers would always be made in compliance with the GDPR.
If you would like further details of how your personal data would be protected if transferred outside of the EEA, please contact the data protection contact of the relevant insurance market participant.
Your rights and contact details for the ICO
If you have any questions in relation to our use of your personal data, you should first contact the data protection contact of the relevant insurance market participant. Under certain conditions, you may have the right to require us to:
- provide you with further details on the use we make of your personal data including special categories of data;
- provide you with a copy of the personal data including special category data that you have provided to us;
- update any inaccuracies in the personal data including special category data we hold;
- delete any personal data including special category data that we no longer have a lawful ground to use;
- where processing is based on consent, to withdraw your consent so that we stop that particular processing;
- object to any processing based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights; and
- restrict how we use your personal data whilst a complaint is being investigated.
In certain circumstances, we may need to restrict the above rights in order to safeguard the public interest e.g. the detection and prevention of crime and our interests e.g. the maintenance of legal privilege.
Your right to complain to the ICO
If you are not satisfied with our use of your personal data or our response to any request by you to exercise any of your rights above, or if you think we have breached the GDPR then you have the right to complain to the ICO.
Please see below contact details of the ICO: