Privacy

Introduction

The purpose of this notice is to give you more information regarding the processing, collection and sharing of your personal information. We understand the importance of maintaining your privacy, keeping your personal information secure, and complying with data protection laws. We are the data controller of any personal information that we hold about you. This means that we are responsible for complying with data protection laws while this data is under our control. You should read this notice in conjunction with the Website Terms.

About us

For the purposes of the General Data Protection Regulation Thames Underwriting Limited (Thames) acts as the data controller when processing your personal information. Thames is a general insurance intermediary who underwrites insurance policies as an agent of insurers. The insurance contracts sold cover the commercial operations of your business, however we may need contact details, staff information, and other personal details to fully perform our duties.

If you require more information, please contact:

The Data Protection Manager
Thames Underwriting
Monometer House, Rectory Grove, Southend-on-Sea, Leigh-on-Sea SS9 2HN
01702 713 636
keith.syrett@thamesunderwriting.com

How we use and share personal information

Information, including your personal data, must be shared between different parties, including intermediaries, insurers, reinsurers, Lloyd’s, claims handlers, and loss adjusters (‘insurance market participants’). Sharing of data is only undertaken where necessary to fulfil the requirements under the insurance contracts, or when required by law. We will never re-sell data. There is no obligation to provide us with personal information, however if you refuse to provide it we may be unable to offer our products and services. We have a lawful basis for processing your information. We have outlined below the situations when each lawful basis is relied upon:


Lawful basisDetails
Performance of a contract with youProcessing is necessary for the performance of a contract to or to take steps at your request prior to entering into a contract. This could include issuing the quotations; claims; and issuing renewals.
Compliance with a legal obligationWe have a legal obligation to process your data, for example in relation sanctions and anti-fraud data.
For our legitimate interestsFor example, to aid debt recovery; assist in the claims process; to ensure policies are structured correctly; targeted industry marketing, risk modelling and aggregation data; preventing fraud; as well as the general administration of the insurance contract.
Explicit consentConsent may be used when special categories of personal data and details of criminal offenses are collected. Individuals may withdraw their consent to such processing at any time using the contact details at the start of this privacy notice. By withdrawing consent, you may prevent Thames from continuing to provide the services that are the subject of the original contract and insurers may no longer be able to offer the cover or respond in the event of a claim.

Your personal data is required at various stages of the insurance lifecycle as detailed below:


StageHow the data is used
QuotationSetting you up as a client, including possible fraud, sanctions, credit and anti-money laundering checks; evaluating the risks to be covered and matching to the appropriate policy and premium.
Policy administrationClient care, including communicating with you and sending you updates; payment of premium; and when arranging surveys.
Claims handlingManaging claims; defending or prosecuting legal claims; investigation or prosecuting fraud.
RenewalsContacting the insured, or their intermediary to renew the insurance policy; evaluating the risks to be covered and matching to appropriate policies; payment of premium.
OtherComplying with our legal or regulatory obligations; general risk modelling; transferring books of business, company sales & reorganisations.


The above is a summary of the uses of your information. Detailed guidance can be obtained from the London Insurance Market Core Uses Information Notice accessible here which includes details on how this information is shared between market participants. We recommend you review this notice.

Timing of collection

Personal Information may be collected at the time of the initial quotation, during the administration of the policy, during site surveys, and in the event of a claim.

Personal information that we may collect

We may collect data in relation to policy holders; directors and controllers of commercial policy holders, employee data from commercial insureds, claimants, including third party claimants who are not party to the original insurance contract, and potential policyholders.

Depending on the policy provided we may require:


Individual detailsName, address (and proof of address), other contact details (e.g. email and telephone details), gender, marital status, family details, date and place of birth, employer, job title and employment history, relationship to the policyholder, insured, beneficiary or claimant.
Identification detailsIdentification numbers issued by government bodies or agencies, for example social security or national insurance number, passport number, tax identification number, and driver’s licence number.
Financial informationPayment card number, bank account number and account details, income and other financial information.
Insured riskInformation about the insured risk, which may contain Personal Data.
Health dataCurrent or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g. smoking or consumption of alcohol), prescription information, medical history.
Criminal records dataCriminal convictions, including driving offences.
Other Special Categories of Personal DataRacial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning an individual’s sex life or sexual orientation.
Policy informationInformation about the quotes individuals receive and the policies they obtain.
Credit and anti-fraud dataCredit history and credit score, information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, or regulators or law enforcement agencies.
Previous claimsInformation about previous claims, which may include photographs, video, health data, criminal records data and other special categories of Personal Data.
Current claimsInformation about current claims, which may include photographs, video, health data, criminal records data and other special categories of Personal Data.
Marketing dataThis may be based on our legitimate interests or consent. You can object or withdraw consent by contacting us.
Website and communication usagDetails of your visits to our websites and information collected through cookies and other tracking technologies, including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.


How we obtain your personal data

All policies sold by Thames are administered through other regulated insurance intermediaries. Most of your personal information is provided by you to these intermediaries who pass the information on to us. We may collect your personal information from 3rd party sources, for example credit reference agencies, sanctions search tools, due diligence providers, claims handlers, publicly available information, social media, survey companies who have visited your business, law enforcement, and other insurance market participants.

Marketing

It is in our legitimate interest to use information for marketing purposes which is limited to sending Thames company information to other regulated insurance intermediaries. Thames does not send marketing information to the insured. The information is limited in nature and is relevant to the business lines which are of interest to both Thames and the intermediary. Each marketing communication will be sent with an option to update your marketing preferences using the www.signupto.com service to allow the recipient to opt out at any time.

Protection of data

We have in place physical, electronic, and procedural safeguards appropriate to the sensitivity of the information to prevent unauthorised access or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to Personal Data. These protections will vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Data and may include encrypted communications, encrypted file storage, firewalls, access controls, and separation of duties. We restrict access to Personal Data to personnel and third parties that require access to such information for legitimate, relevant business purposes.

Retention periods for data

We will keep your personal data only for so long as is necessary and for the purpose for which it was originally collected, to manage our business, or as required by law. If there is any possibility that either you or we may wish to bring a legal claim under the insurance contract, or where we are required to keep your personal data for legal or regulatory reasons, then the data will be retained to meet those needs. Generally, the limitation period for the commencement of a claim is 6 years and data will be retained to cover this period. When Personal Data is no longer needed, we will either anonymise the data or securely destroy.

International Transfers

During the normal course of business data is not transferred by Thames outside of the European Economic Area (EEA). If we do need to transfer your data to insurance market participants or their affiliates or sub-contractors which are located outside of the EEA, the transfers would always be made in compliance with the GDPR. We may also disclose your personal information to third parties in connection with the sale, transfer or disposal of our business, provided they continue to use your personal information substantially in accordance with the terms of this privacy policy. Details on international transfers can be found at https://ec.europa.eu/info/law/law-topic/data-protection_en.

Your rights

Under the General Data Protection Regulation (GDPR) you have several rights in respect of your personal data. Your rights will always be balanced against our lawful basis for processing and to safeguard the public interest. If you wish to exercise any of these rights, please contact us using the contact details in the ‘About Us’ section. We will respond to requests within 30 days.


CorrectionYou can request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
ErasureYou can request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
ObjectionYou can object to processing of your personal information where we are relying on a legitimate interest, unless our reasons for undertaking that processing outweigh any impact on your interests, rights and freedoms.
RestrictionYou can request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
TransferYou can request the transfer of your personal information to another party in certain formats, if practicable.
AccessYou can request details of information that we hold about you. Please provide any identifying information, the scope of the request, and your contact details. To protect your data, we will need to verify your identity before releasing the personal information.
ConsentIf processing is based on consent you may be able to withdraw this consent.
ComplaintsWe suggest that in the first instance you contact us to discuss any complaints, however you have the right to lodge a complaint to the Information Commissioners’ Office if you believe that we have not complied with the requirements of the GDPR in respect of your personal data. More details can be found here or by calling 0303 123 1113.


Changes to the privacy policy

We may revise this privacy policy from time to time and will place any updates on this webpage. We recommend that you review this regularly.

As explained in our privacy notice, we are required to pass your data to other insurance market participants during the administration of your insurance contract.

The privacy notices of other market participants that we work with can be found either in the Policy Wordings or otherwise here:

Pen Underwriting – https://www.penunderwriting.co.uk/Privacy-and-Cookies


Let's do Business

Talk through an enquiry with an Underwriter

01702 713636

Email your presentation