Privacy Policy

EXTERNAL PRIVACY NOTICE

Purpose of this privacy notice

Antilo UK Limited (Antilo) is committed to protecting the privacy and security of the personal information that we process in connection with everyone with whom we do business. This privacy notice describes how we may collect and use personal information about data subjects, in accordance with EU Regulation 2016/679 General Data Protection Regulation (GDPR) and the Data Protection Bill that is due to embed broadly the same principles into UK law.

Data protection principles and data sharing

We will comply with all applicable data protection law. This says that the personal information we hold about data subjects must be:

  1. Used lawfully, fairly and in a transparent way.
  1. Collected only for valid purposes that we have clearly explained to data subjects and not used in any way that is incompatible with those purposes.
  2. Relevant to the purposes we have told data subjects about and limited only to those purposes.
  3. Accurate and kept up to date.
  4. Kept only as long as necessary for the purposes we have told data subjects about.
  5. Kept securely.

To arrange insurance cover and handle insurance claims, Antilo and other participants in the insurance industry are required to use and share ‘personal data.’ For an overview of how and why the insurance industry is required to use and share ‘personal data,’ please refer to the Insurance Market Core Uses Information Notice hosted on the website of a UK insurance industry association, the Lloyd’s Market Association (the LMA Notice). This notice is supported by all the major UK insurance industry organisations.  Antilo’s use of ‘personal data’ is consistent with the LMA Notice: https://www.lmalloyds.com/LMA/NEWS/LMA_Bulletins/LMA_Bulletin_2013/LMA17_038_MS.aspx

The kind of information we hold about data subjects

Personal data, or personal information, means any information about data subjects from which data subjects can be identified. It does not include data where a data subject’s identity has been removed.

There are certain special categories of more sensitive personal data which require a higher level of protection (see below).

There may be ‘special categories’ of more sensitive personal data which require a higher level of protection.

We may collect, store, and use the following categories of personal information about data subjects:

  • individual details – name, address (and proof of address), other contact details (e.g. email and telephone details), gender, marital status, family details, date and place of birth, employer, job title and employment history, relationship to the policyholder, insured, beneficiary or claimant;
  • identification details – identification numbers issued by government bodies or agencies depending on the country data subjects are in, social security or national insurance number, passport number, ID number, tax identification number, driver’s license number;
  • financial information – bank account number and account details, income and other financial information.

We may also collect, store and use the following categories of sensitive personal information about data subjects, only to the extent relevant to the risk being insured:

  • information about the insured risk, which may contain personal data and may include health data, including but not limited to current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g. smoking or consumption of alcohol, prescription information, medical history);
  • criminal convictions, including driving offences;
  • information about the quotes individuals receive and the policies they obtain;
  • credit history and credit score, information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, or regulators or law enforcement agencies;
  • information about previous claims, which may include health data, criminal records data and other ‘special categories’ of ‘personal data’;
  • information about current claims, which may include health data, criminal records data and other ‘special categories’ of ‘personal data’ (as described above).
  • marketing data; and
  • details of data subjects’ visits to our websites and information collected through cookies and other tracking technologies, including, but not limited to, data subjects IP address and domain name, data subjects’ browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that data subjects access.

How we will use information about data subjects

We will only use data subjects’ personal information when the law allows us to. Most commonly, we will use data subjects’ personal information in the following circumstances:

We may also use data subjects’ personal information in the following situations, which are likely to be rare:

Situations in which we will use data subjects’ personal information

We need the information in the lists above (see ‘The kind of information we hold about data subjects’) primarily to allow us to perform our contract with data subjects and to enable us to comply with legal obligations. In some cases we may use data subjects’ personal information to pursue legitimate interests of our own or those of others, provided data subjects’ interests and fundamental rights do not override those interests. The situations in which we will process data subjects’ personal information, how we share the information, and identify the “legal grounds” on which we rely to process the information is set out in the LMA Notice and in the table below.

Purpose Category of Data Legal Grounds for Processing Disclosures
QUOTATION/INCEPTION
Setting data subjects up as a client, including fraud, credit and anti-money laundering and sanctions checks
Personal data:
  • Individual details
  • Identification details
  • Financial information
Special categories of personal data:
  • Credit and anti-fraud data
Personal data:
  • Performance of our contract with data subjects
  • Compliance with a legal obligation
  • Legitimate interests (to ensure that the client is within our acceptable risk profile)
  • To assist with the prevention of crime and fraud
Special categories of personal data:
  • In the substantial public interest
  • Consent
  • Credit reference agencies
  • Anti-fraud databases
QUOTATION/INCEPTION
Evaluating the risks to be covered & matching to appropriate insurer, policy and premium
Personal data:
  • Individual details
  • Identification details
  • Policy information
Special categories of personal data:
  • Risk Details
  • Previous claims
  • Credit and anti-fraud data
Personal data:
  • Perform contract
  • Legitimate interests (to determine the likely risk profile and appropriate insurer and insurance product
Special categories of personal data:
  • Consent
  • Insurers
  • Insurance intermediaries
QUOTATION/INCEPTION
and
POLICY ADMINISTRATION
Collection or refunding of Premium
Personal data:
  • Individual details
  • Financial information
Personal data
  • Perform contract:
  • Legitimate interests (to recover debts due to us)
  • Banks
POLICY ADMINISTRATION
General client care, including communicating with data subjects regarding administration and requested changes to the insurance policy. Sending data subjects updates regarding data subjects’ insurance policy.
Personal data:
  • Individual details
  • Policy information
Special categories of personal data:
  • Risk Details
  • Previous claims
  • Current claim
Personal data:
  • Perform contract
  • Legitimate interests (to correspond with clients, beneficiaries and claimants in order to facilitate the placing of and claims under insurance policies) Consent
Special categories of personal data:
  • Consent
  • Insurers
  • Insurance intermediaries
CLAIMS PROCESSING
Managing insurance claims including fraud, credit and anti-money laundering and sanctions checks
Personal data:
  • Individual details
  • Identification details
  • Financial information
  • Policy information
Special categories of personal data:
  • Credit and anti-fraud data
  • Risk Details
  • Previous
  • claims
  • Current claims
Personal data:
  • Perform contract
  • Legitimate interests (to assist our clients in assessing and making claims
Special categories of personal data:
  • Consent
  • Legal Claims
Personal data:
  • Claims handlers
  • Solicitors
  • Loss adjustors
  • Experts
  • Third Parties involved in the claim
CLAIMS PROCESSING
Defending or prosecuting legal claims
Personal data:
  • Individual details
  • Identification details
  • Financial information
  • Policy information
Special categories of personal data:
  • Health data
  • Criminal records data
  • Other sensitive data
  • Credit and anti-fraud data
  • Risk Details
  • Previous claims
  • Current claims
Personal data:
  • Perform contract
  • Legitimate interests (to assist with the prevention and detection of fraud)
Special categories of personal data:
  • Consent
  • Legal claims
  • Substantial Public
  • Interest
  • Claims handlers
  • Solicitors
  • Loss adjustors
  • Experts
  • Third parties involved in the claim
CLAIMS PROCESSING
Investigating & prosecuting fraud
Personal data:
  • Individual details
  • Identification details
  • Financial information
  • Policy information
Special categories of personal data:
  • Health data
  • Criminal records data
  • Other sensitive data
  • Credit and anti-fraud data
  • Risk Details
  • Previous claims
  • Current claims
Personal data:
  • Perform contract
  • Legitimate interests (to assist with the prevention and detection of fraud)
Special categories of personal data:
  • Consent
  • Legal claims
  • Substantial Public Interest
  • Solicitors
  • Private Investigators
  • Police
  • Experts
  • Third parties involved in the investigation or prosecution
  • Other insurers
  • Anti-fraud databases
RENEWALS
Contacting data subjects in order to renew the insurance policy
Personal data:
  • Individual details
  • Policy information
Special categories of personal data:
  • Risk Details
  • Previous claims
  • Current claims
Personal data:
  • Perform contract
  • Legitimate interests (to correspond with clients, beneficiaries and claimants in order to facilitate the placing of and claims under insurance policies)
  • Consent
Special categories of personal data:
  • Consent
  • Insurers
  • Insurance intermediaries
THROUGHOUT THE INSURANCE LIFECYCLE
Transferring books of business, company sales and reorganisations
Personal data:
  • Individual details
  • Identification details
  • Financial information
  • Policy information
  • Marketing data
Special categories of personal data:
  • Credit and anti-fraud data
  • Risk
  • Details
  • Previous claims
  • Current claims
Personal data:
  • Legitimate interests (to structure our business appropriately)
  • Legal obligation
Special categories of personal data:
  • Consent
  • Substantial Public Interest
  • Group companies
  • Courts
  • Purchaser (potential and actual)
THROUGHOUT THE INSURANCE LIFECYCLE
General risk modelling & underwriting
Personal data:
  • Individual details
  • Identification details
  • Financial information
  • Policy information
Special categories of personal data:
  • Credit and anti-fraud data
  • Risk Details
  • Previous claims
  • Current claims
Personal data:
  • Legitimate interests (to build risk models that allow placing of risk with appropriate insurers)
Special categories of personal data:
  • Consent
 
THROUGHOUT THE INSURANCE LIFECYCLE
Complying with our legal or regulatory obligations
Personal data:
  • Individual details
  • Identification details
  • Financial information
  • Policy information
  • Marketing data
Special categories of personal data:
  • Credit and anti-fraud data
  • Risk Details
  • Previous claims
  • Current claims
Personal data:
  • Legal obligation
Special categories of personal data:
  • Consent
  • Substantial Public Interest
  • PRA, FCA, ICO and other regulators
  • Police
  • Other insurers (under court order)
  • Insurance Fraud database

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of data subjects’ personal information.

Change of purpose

We will only use data subjects’ personal information for the purposes for which we collected it as described above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use data subjects’ personal information for an unrelated purpose, we will notify data subjects and we will set out the legal basis which allows us to do so.

Please note that we may process data subjects’ personal information without data subjects’ knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

‘Special categories’ of particularly sensitive personal information

In order to facilitate the provision of insurance cover and administer insurance claims, unless another legal ground applies, we rely either on the data subject’s consent to process special categories of personal data which allows us to share the information with other Insurers, Intermediaries and Reinsurers that need to process the information in order to undertake their role in the insurance market (which in turn allows for the pooling and pricing of risk in a sustainable manner); or we may rely on the following insurance purpose:

  • where the processing of certain special categories of personal data is:
    • necessary for an insurance purpose. “Insurance purpose” is defined to include advising, arranging, underwriting, administering, administering a claim under, exercising a right or complying with an obligation in connection with an insurance contract. The government has confirmed that “insurance” includes “reinsurance”;
    • is of personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data, data concerning health or criminal convictions; and
    • is necessary for reasons of substantial public interest. Risk basing pricing, detecting and investigating fraudulent claims and the efficient administration and payment of insurance claims have been given as examples of activities that are in the substantial public interest.

Where a third party provides us with sensitive personal information about a data subject, the third party agrees to notify the data subject of our use of their personal data and to obtain such consent or rely on the insurance purpose as required by all applicable data protection law.

Data subjects may withdraw their consent to such processing at any time by contacting our Data Protection Representative using the contact details in this notice, below. However, doing so may prevent us from continuing to provide the services to the relevant client. In addition, if an individual withdraws consent to an Insurer’s or Reinsurer’s processing of their Special Categories of Personal Data and Criminal Records Data, it may not be possible for the insurance cover to continue.

Do we need data subjects’ consent to use data subjects’ sensitive personal information?

We do not need data subjects’ consent if we use data subjects’ sensitive personal information as set out in this notice and in compliance with all applicable data protection law, to carry out our legal obligations, or in exercise of specific legal rights.

In limited circumstances, we may approach data subjects for written consent to allow us to process data subjects’ sensitive personal data. If we do so, we will provide data subjects with full details of the information that we would like and the reason we need it, so that the data subject can carefully consider whether they wish to consent.  Data subjects are not obliged to give consent and can withdraw consent if previously granted and we cannot make data subjects consent, or penalise if data subjects refuse to consent.

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.   A data subject has the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects concerning him or her or significantly affects him or her (such as where underwriting risk is assessed or a claim is rejected), unless:

In addition, data subjects have the right to:

Data sharing

We may have to share your data with third parties, such as third-party service providers and other entities as set out in the LMA Notice.  We might do this when:

  • required by law
  • where it is necessary to administer the working relationship with you
  • or where we have another legitimate interest in doing so.

We require third parties to respect the security of your data and to treat it in accordance with the law.

We may transfer your personal information outside the EU.  If we do, you can expect a similar degree of protection in respect of your personal information.

Data security

We have put in place appropriate security measures to prevent data subjects’ personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to data subjects’ personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process data subjects’ personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify data subjects and any applicable regulator of a suspected breach where we are legally required to do so.

Data subjects’ rights in connection with personal information

Data subjects have the right to:

  • Request access to data subjects’ personal information (known as a ‘data subject access request’). This enables data subjects to receive a copy of the personal information we hold about data subjects and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about data subjects. This enables data subjects to have any incomplete or inaccurate information we hold about data subjects corrected.
  • Request erasure of data subjects’ personal information. This enables data subjects to ask us to delete or remove personal information where there is no good reason for us continuing to process it. Data subjects also have the right to ask us to delete or remove data subjects’ personal information where data subjects have exercised data subjects’ right to object to processing (see below).
  • Object to processing of data subjects’ personal information where we are relying on a legitimate interest (or those of a third party) and there is something about data subjects’ particular situation which makes data subjects want to object to processing on this ground. Data subjects also have the right to object where we are processing data subjects’ personal information for direct marketing purposes.
  • Request the restriction of processing of data subjects’ personal information. This enables data subjects to ask us to suspend the processing of personal information about data subjects, for example if data subjects want us to establish its accuracy or the reason for processing it.
  • Request the transfer of data subjects’ personal information to another party.
  • In the limited circumstances where data subjects may have provided data subjects’ consent to the collection, processing and transfer of data subjects’ personal information for a specific purpose, data subjects have the right to withdraw data subjects’ consent for that specific processing at any time.
  • Make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues but data subjects would be expected to have first utilised the Company’s grievance procedures.

Data subjects will not have to pay a fee to access data subjects’ personal information (or to exercise any of the other rights listed above). However, we may charge a reasonable fee if data subjects’ request for access is clearly unfounded or excessive.  Alternatively, we may refuse to comply with the request in such circumstances.

Data Protection Designated Persons

We have designated certain managers to oversee the Company’s compliance with data protection requirements as set out in the GDPR. If data subjects have any questions about this privacy notice or how we handle data subjects’ personal information, please contact us either by email datatprotectionofficer@eisl.eu.com, or write to us at:

Data Protection Office
European Insurance Services Limited
EISL Suite
23 Mount Pleasant Road
Tunbridge Wells
Kent
TN1 1NT
United Kingdom

Changes to this privacy notice

We will update this privacy notice when necessary. We may also notify data subjects in other ways from time to time about the processing of data subjects’ personal information.