Privacy & data protection policy
Overview of this Policy and Commitments to Privacy within DUAL
At DUAL Group (“DUAL”, "we", "us", "our"), we regularly collect and use information which may identify individuals ("personaldata"), including insured persons or claimants ("you", "your"). We understand our responsibilities to handle your personal data with care, to keep it secure and to comply with applicable data protection laws.
Do read this policy with care. It provides important information about how we look after your personal data and explains your legal rights and how the law protects you. This Policy is not intended to override any terms of business agreement which you have with us or any rights you might have available under applicable data protection laws.
We may amend this Policy from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will notify you about material changes by prominently posting a notice on our website. We encourage you to periodically check back and review this policy so that you always will always know what information we collect, how we use it, and with whom we share it. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
1. WHO is responsible for looking after your personal data?. 2
2. WHAT personal data do we collect?. 2
3. LEGAL BASIS to process personal data.. 2
4. WHEN do we collect your personal data?. 3
5. What PURPOSES do we USE your personal data for?. 3
6. Who do we SHARE your personal data with?. 4
9. Automated Decision Making and Profiling.. 5
10. How long do we keep your personal data?. 6
APPENDIX 1 CATEGORIES OF PERSONAL DATA.. 9
APPENDIX 2 - LEGAL BASIS FOR PROCESSING.. 10
WHO is responsible for looking after your personal data?
DUAL is part of the Hyperion Insurance Group (HIG) and we are a Managing General Agent, authorised and regulated by the FCA with firm reference number 312593. Our registered office is One Creechurch Place London EC3A 5AF. DUAL uses several trading/brand names and has a number of appointed representatives which are listed on https://register.fca.org.uk.
DUAL and your Broker are jointly responsible for your personal data and are therefore Joint Data Controllers. You should be aware that DUAL may hold your personal data in databases which can be accessed by HIG for insurance purposes only.
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
WHAT personal data do we collect?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you as follows:
Insured Persons. In order to arrange, administer and underwrite insurance policies, we collect information about the policyholder and related parties. The policyholder may be an individual, company or their representative. The level and type of personal data we collect varies depending on the type of policy that you have. In general, this is likely to include background and contact information on the policyholder or their representative, and matters relevant to the management of the insurance policy and assessment of risk. In some instances, it is necessary for us to collect and use Special Categories of Data, such as information about a past criminal conviction or health details potentially including information about children’s health. For more information on what information we collect see Appendix 1.
Claimants. If a policy holder seeks to rely on the insurance cover, we will collect information about the individual making a claim under a policy. This will include the collection of basic contact details, together with information about the nature of your claim and any previous claims. If the claimant is an Insured Person, we will also need to check details of the policy you are insured under and your claims history. , And, depending on the nature of your claim, it may be necessary for us to collect and use Special Categories of Data, such as details of a personal injury you may have suffered during an accident or potentially information about children’s health. For more information on what information we collect, see Appendix 1.
We also obtain information about you from credit reference agencies and similar third parties.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.
LEGAL BASIS to process personal data
We are required to establish a legal exemption to use your Personal Data - see Section 5 and Appendix 2 for further details. From time to time, you may need to provide us with the personal data of third parties, for example if you suspect that someone has unlawfully taken possession of fine arts, or in relation to a sports injury of a third party relevant to a claim under a policy. You should take steps to inform the third party that you need to disclose their details to us, identifying DUAL Group as your insurer.
WHEN do we collect your personal data?
- We will collect information from your Broker or other intermediaries when you request a quote for a policy.
- To the extent permitted by law, we may also monitor and record telephone calls for training and quality assurance purposes when you call us directly in connection with a claim or complaint.
- Information about you may also be provided to us by an insurance broker, your employer, family member or any other third person who may be applying for a policy which names you.
- We may collect information about you from other sources where we believe this is necessary to manage the risk associated with a policy or to help fight financial crime or for the purposes of trade credit checks. These other sources may include public registers and databases managed by credit reference agencies.
- We will collect information from you when you notify us of a claim or a complaint. You might make a claim or a complaint to us directly, through your representative or through a broker who manages claims or complaints on our behalf.
- To the extent permitted by law, we may also monitor and record telephone calls for training and quality assurance purposes when you call us directly including in connection with a claim or complaint.
- We may also collect information about you if the claim is made by another person who has a close relationship with you or is otherwise linked to the claim - for example if the policyholder is your employer or if the representative of a third party claimant contacts us in connection with a claim.
- We may also be provided with information by your solicitors, family members, legal advisors and medical and other professional advisors.
- We may collect information from other sources where we believe this is necessary to assist in validating claims, complaints and/or fighting financial crime. This may include consulting public registers, social media and other online sources, credit reference agencies and other reputable organisations.
Insured Persons. If you are an insured person we will use your personal data to consider an application for an insurance policy, verify your identity and carry out fraud checks, assess and evaluate risk. Once we have provided you with your policy we will use your personal data to administer your policy, deal with your queries, manage the renewal process and deal with complaints. We may also send you marketing materials and share your personal data with other HIG Group companies in order to identify products and other services which the HIG Group offers which may be of interest to you (where we have appropriate permissions). We will also need to use your personal data for purposes associated with our legal and regulatory obligations as an insurance intermediary.
Claimants. If you are a claimant we will use your personal data to assess the merits of, and validate, your claim, potentially to pay out a settlement and deal with complaints. We may also need to use your personal data to evaluate the risk of potential fraud, a process which uses automated processes. If you are also an Insured Person, we will use personal data related to your claim to inform the renewal process and potentially any future policy applications.
We will make sure that we only use your personal data for the purposes set out in this Section 5 and in Appendix 2 where we are satisfied that:
- our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (e.g. to manage your insurance policy), or
- our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we are subject to (e.g. to comply with FCA requirements), or
- you have opted in to us using the data in that way (e.g. to send you marketing materials), or
- our use of your personal data is necessary to support 'legitimate interests' that we have as a business (for example, to improve our products, or to carry out analytics across our datasets), provided it is conducted at all times in a way that is proportionate, and that respects your privacy rights. Please see Appendix 2 to find out more about our legitimate interests.
Before collecting and/or using any Special Categories of Data we will establish an additional lawful exemption to the grounds set out above which will allow us to use that information. This additional exemption will typically be:
- your explicit consent;
- the establishment, exercise or defence by us or third parties of legal claims; or
- an insurance specific exemption provided under local laws of EU Member States and other countries implementing the GDPR, such as in relation to the processing of health data of an Insured Person's family members or the Special Categories of Data of individuals on a group policy.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
PLEASE NOTE: If we have previously advised that we are relying on consent as the basis of our processing activities, going forward we will not be relying on that legal basis save where otherwise explicitly stated.
PLEASE NOTE. If you provide your explicit consent to permit us to process your Special Categories of Data, you may withdraw your consent to such processing at any time. However, you should be aware that if you choose to do so we may be unable to continue to provide insurance services to you (and it may not be possible for the insurance cover to continue). This may mean that your policy needs to be cancelled. If you choose to withdraw your consent we will tell you more about the possible consequences, including that we may no longer be able to act as your broker of record or place your policy and that you may have difficulties finding other cover. Further we may not be able to further or process your claim.
Please see Appendix 2 to find out more about the information we collect and use about you and why.
As flagged above, we may share data with other HIG companies (including those in in run-off but who may still carry out certain regulated entities) and our Appointed Representatives.
We may also share the data with third parties, to help manage our business and deliver services. These third parties may from time to time need to have access to your personal data.
For Insured Persons these third parties may include:
- Brokers, Other Insurers, intermediaries including but not limited to other insurance brokers and managing general agencies, Risk Management Assessors, Uninsured Loss Recovery Agencies and Third Party Administrators who work with us to help manage the process and administer our policies,
- Service Providers, who help manage our IT and back office systems,
- our regulators, which may include the FCA and ICO, as well as other regulators and law enforcement agencies in the E.U. and around the world,
- credit reference agencies, Premium Finance Providers, and organisations working to prevent fraud in financial services, and
- solicitors and other professional services firms (including our auditors).
For Claimants this may include:
- Third Party Administrators who work with us to help manage the claims process,
- Loss Adjusters and Claims Experts who help us assess and manage claims,
- Service Providers, who help manage our IT and back office systems,
- credit reference agencies and organisations working to prevent fraud in financial services, and
- solicitors, who may be legal representatives for you, us or a third party claimant.
We may be under legal or regulatory obligations to share your personal data with courts, regulators, law enforcement or in certain cases other insurers. Also, if we were to sell part of our businesses we would need to transfer your personal data to the purchaser of such businesses. Some of these third parties will also be data controllers, and will handle your personal data in accordance with their own privacy policies. For further information, please contact us.
Our Service Providers or Assistance Providers and HIG Group Companies, who have access to your personal data may be located outside the EEA. We may also make other disclosures of your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests:
- we will only transfer your personal data to countries which are recognised as providing an adequate level of legal protection; and
- transfers to Service Providers and other third parties will always be protected by contractual commitments and where appropriate further assurances, such as certification schemes - for example, the EU - U.S. Privacy Shield for the protection of personal data transferred to the US.
You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 12 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).
'Automated Decision Making' refers to a decision which is taken solely on the basis of automated processing of your personal data - this means processing using, for example, software code or an algorithm, which does not involve any human intervention.
If you are an Insured Person, we may use automated decision making to carry out a credit check on you.
Please note. You have certain rights in respect of automated decision making, where that decision has significant effects on you, including where it produces a legal effect on you. See Sections 10 and 11 for more information about your rights.
We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 5 of this Policy. In some circumstances, we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, reporting, tax or accounting requirements.
In specific circumstances, we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.
We maintain a data retention policy which we apply to records in our care, and which you can request from us by contacting us. Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.
You have a number of rights in relation to your personal data.
You may request access to your data, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability and various information in relation to any Automated Decision Making or the basis for international transfers. You may also exercise a right to complain to your Supervisory Authority. These are set out in more detail as follows:
WHAT THIS MEANS
You can ask us to:
You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
You can ask us to erase your personal data, but only where:
We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:
There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances where we would deny that request.
You can ask us to restrict (i.e. keep but not use) your personal data, but only where:
We can continue to use your personal data following a request for restriction, where:
You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another Data Controller, but in each case only where:
You can object to any processing of your personal data which has our 'legitimate interests' as its legal basis (see Appendix 2 for further details), if you believe your fundamental rights and freedoms outweigh our legitimate interests.
Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
Automated Decision Making
You can ask not to be subject to a decision which is based solely on automated processing (see Section 9), but only where that decision:
In such situations, you can obtain human intervention in the decision making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision. Your right to obtain human intervention or to contest a decision does not apply where the decision which is made following automated decision making:
You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of the European Economic Area. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.
You have a right to lodge a complaint with your local supervisory authority about our processing of your personal data. In the UK, the supervisory authority for data protection is the Information Commissioner’s Office (ICO) (https://ico.org.uk/). We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
DUAL does not use Profiling.
To exercise your rights you may contact us as set out in Section 12. Please note the following if you do wish to exercise these rights:
- Identity. We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request.
- Fees. We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.
- Timescales. We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
- Exemptions. Local laws, including in the UK, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.
- Third Party Rights. We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects.
The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following ways:
DUAL GroupThe Data Protection Officer
One Creechurch Place
If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time.
APPENDIX 1 CATEGORIES OF PERSONAL DATA
DETAILS OF INFORMATION THAT WE TYPICALLY CAPTURE
Name, address, telephone number, email address.
Policy number, relationship to the policyholder, details of policy including insured amount, exceptions etc., previous claims, payment history, quotes history, voice recordings
Personal Risk Information
Gender, date of birth, claims history, marital status, additional information about your lifestyle and insurance requirements, information about your employment
Special Categories of Data
Health Data - e.g. physical and mental conditions, medical history and procedures, relevant personal habits (e.g. smoking)
Criminal Data - e.g. driving offences, unspent convictions
Data relating to children
Bank account details (where you are the payer of the policy premium)
Name, email address, interests / marketing list assignments, record of permissions or marketing objections, website data (including online account details, IP address)
(excluding third party claimants)
Policy number, relationship to the policyholder/insured person, details of policy including insured amount, exceptions etc., previous claims, voice recordings
Details of incident giving rise to claim, including
Health Data - e.g. details of injury, medical report
Criminal Data - e.g. driving offences, police reports
Data relating to minors
Bank account details used for payment
Address, history of fraudulent claims, details of incident giving rise to claim
Criminal Data - e.g. unspent convictions
APPENDIX 2 - LEGAL BASIS FOR PROCESSING
Type of information collected
The basis on which we use the information
Set up a record on our systems
Carry out background, sanction, fraud and credit checks
Assess risk and provide information to your Broker in order to place policy
Provide client care and support
Receive premiums and payments
Comply with legal and regulatory obligations
Receive notification of claim
Monitor and detect fraud
Comply with legal and regulatory obligations
APPENDIX 3 - GLOSSARY
Claims Experts: these are experts in a particular field which is relevant to a claim, for example forensic accountancy, who are engaged to help us properly assess the merit and value of a claim, provide advice on its settlement, and advise on the proper treatment of claimants.
Data Controller: means a natural or legal person (which determines the means and purposes of processing of personal data.
FCA: the FCA is the Financial Conduct Authority, which is a financial regulatory body.
HIG Group: Hyperion Insurance Group (HIG) and any other company which is for the time being a subsidiary or holding company of the HIG and any subsidiary of any such holding company and for the purposes of this contract, the terms “subsidiary” and “holding company” shall have the meanings ascribed to them by section 1159 Companies Act 2006 or any statutory re-enactment of those provisions.
ICO: the Information Commissioner's Office regulates the processing of personal data by all organisations within the UK.
Insured Person: we use this term to refer to both individual policyholders, as well as any individual who benefits from insurance coverage under an insurance policy (for example, where an employee benefits from coverage taken out by their employer).
Loss Adjuster: these are an independent claims specialist which investigates complex or contentious claims on our behalf or on behalf of a relevant insurer.
Other Insurers: some policies are insured on a joint or "syndicate" basis. This means that a group of insurers (including us) will join together to write a policy. Policies may also be reinsured, which means that the insurer will purchase its own insurance, e.g. from a reinsurer, to cover some of the risk in your policy.
Premium Finance Providers: means a regulated entity which lends funds to a person or company to cover the cost of an insurance premium.
Profiling: means using automated processes without human intervention (such as computer programmes) to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an insurance context, such as your likely risk profile.
Risk Management Assessors: Any internal or external auditor or assessor who may have access to your personal data for the sole purpose of assessing risk to DUAL Corporate Risks Ltd.
Special Categories of Data: means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.
Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who provide / support 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.
Solicitors: we frequently use solicitors to advise on complex or contentious claims or to provide us with non-claims related legal advice. In addition, if you are a claimant you may be represented by your own solicitor(s).
Third-Party Administrators (or TPAs): these are companies outside the HIG Group which administer the policies, the handling of claims, or both, on our behalf. We require all TPAs to ensure that your personal data is handled lawfully, and in accordance with this Policy and our instructions.
Uninsured Loss Recovery Agencies means an entity that recovers uninsured losses.