Fair Processing Notice

Overview of GCube Underwriting Limited’s Commitments to Privacy

At GCube (“we“, “us“, “our“), we regularly collect and use information which may identify individuals (“personal data“), including Insured Persons or Claimants (“you“, “your“). We understand our responsibilities to handle personal data with care, to keep it secure and to comply with applicable data protection laws.

The purpose of this Fair Processing Notice (“Notice”) is to provide a clear explanation of when, why and how we collect and use the personal data of Insured Persons and Claimants. We have designed it to be as user friendly as possible, and have labelled sections to make it easy for you to navigate to the information that may be most relevant to you and to allow you to click on a topic to find out more. Please note that where we act as Coverholder for Insurers, we shall provide you with the privacy notices and the contact details of these Insurers at the first opportunity.

Do read this Notice with care. It provides important information about how we use personal data and explains your legal rights. This Notice is not intended to override the terms of any insurance policy you have with Insurers or contract you have with us or any rights you might have available under applicable data protection laws.

We may amend this Fair Processing Notice from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. Please regularly check this Notice for updates.

Who is responsible for looking after your personal data?
What personal data do we collect?
When do we collect your personal data?
What do we use your personal data for?
How do we use personal data?
Who do we share your personal data with?
International transfers
Data analytics
How long do we keep your personal data?
What are your rights?
Contact and complaints

APPENDIX 1 – CATEGORIES OF PERSONAL DATA

APPENDIX 2 – LEGAL BASIS FOR PROCESSING

APPENDIX 3 – GLOSSARY

1. Who is responsible for looking after your personal data?

GCube is a Controller in respect of your personal data, whether your information is provided to us or we collect it directly from you, and we process it for the purposes described in this Notice.

2. What personal data do we collect?

Insured Persons. In order to advise, arrange, place and administer insurance policies, we collect information about the Policyholder and related parties. This may include background and contact information on the Policyholder or their representative, and matters relevant to the management of the insurance policy and assessment of risk. The Policyholder may be an individual, company or their representative. The level and type of personal data we collect varies depending on the type of policy that you have. In some instances, it is necessary for us to collect and use Special Categories of Data, such as information about a past criminal conviction or health details. We are required to establish a legal exemption to use your Special Categories of Data – see Section 5 for further details. From time to time, you may need to provide us with the personal data of third parties, for example an injured third party relevant to a claim under a liability policy. Wherever possible, you should take steps to inform the third party that you need to disclose their details to us, identifying GCube as your broker and providing them with a copy of this Fair Processing Notice.

Claimants. If you are making a claim under a policy, we will collect your basic contact details, together with information about the nature of your claim and any previous claims. If you are an Insured Person we will need to check details of the policy you are insured under and your claims history. Depending on the nature of your claim, it may be necessary for us to collect and use Special Categories of Data, such as details of a personal injury you may have suffered during an accident. We are required to establish a legal exemption to use your Special Categories of Data – see Section 5 for further details.

For more information on what information we collect, please see Appendix 1

3. When do we collect your personal data?

Insured Persons

We will collect information from you directly when you engage us to advise you on your risks and to arrange, place and manage mid-term amendments and changes to insurance policies for you.
Information about you may also be provided to us by other parties such as the Insurers, other brokers, your employer, a family member or any other third person who may be applying for a policy which names you as the insured.
We may collect information from other sources where we believe this is necessary to assist in validating claims and/or fighting financial crime. This may include consulting public registers, social media and other online sources, credit reference agencies and other reputable organisations.

Claimant

We may collect information about individuals when we are notified of a claim and shall disclose such information to Insurers and other third parties such as a Loss Adjuster, assessors, Third Party Administrators and claims handlers.
We may also collect information about you if or when the claim is made by another person who has a close relationship with you or is otherwise linked to the claim – for example if the Policyholder is your employer.
We may also be provided with information by your solicitors.
We may collect information from other sources where we believe this is necessary to assist in validating claims and/or fighting financial crime. This may include consulting public registers, social media and other online sources, credit reference agencies and other reputable organisations.

4. What do we use your personal data for?

Insured Persons. If you are an insured person we will use your personal data to advise you of your risks and arrange your insurance policies for you. The underwriting process may include Profiling, details of which would be available from your Insurer. Once we have provided you with your policy, we will use your personal data to administer your policy, deal with your queries, manage mid-term amendments and changes to policies and manage the renewal process. We may also send you marketing materials (where we have appropriate permissions or where it is in our legitimate interests to do so). We will also need to use your personal data for purposes associated with our legal and regulatory obligations as an insurance intermediary.

Claimants. If you are a Claimant we will use your personal data to assess the merits of your claim, and potentially to pay out a settlement. We may also need to use your personal data to evaluate the risk of potential fraud. We may use personal data related to your claim to inform the renewal process and potentially any future policy applications.

5. How do we use personal data?

We will make sure that we only use your personal data for the purposes set out in Section 4 and in Appendix 2 where we are satisfied that:

our use of your personal data is necessary to perform a contract or take steps to enter into a contract withyou (e.g. to manage your insurance policy), or
our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that weare subject to (e.g. to comply with FCA / PRA requirements), or
you have provided your consent to us using the data in that way (e.g. to send you marketing materials), or
our use of your personal data is necessary to support ‘legitimate interests’ that we have as a business (for example, to improve our products, or to carry out analytics across our datasets), provided it is conducted at all times in a way that is proportionate, and that respects your privacy rights.

Before collecting and/or using any Special Categories of Data we will establish a lawful exemption which will allow us to use that information. This exemption will typically be:

your explicit consent,
the establishment, exercise or defence by us or third parties of legal claims, or
an insurance specific exemption provided under English law, local laws of EU Member States and other countries implementing the GDPR, such as in relation to the processing of health data of an Insured Person’s family members or the Special Categories of Data of individuals on a group policy.

PLEASE NOTE. If you provide your explicit consent to permit us to process your Special Categories of Data, you may withdraw your consent to such processing at any time. However, you should be aware that if you choose to do so we may be unable to continue to provide insurance services to you (and it may not be possible for the insurance cover to continue). This may mean that we will not be able to arrange and place your policies, advise you on your risks, assist you with any policy enquiries or assist you with claims you have made against the policies. If you choose to withdraw your consent we will tell you more about the possible consequences, including the effects of cancellation, (which may include that you have difficulties finding other cover), as well as any associated cancellation fees.

Please see Appendix 2 to find out more about the information we collect and use about you and why.

6. Who do we share your personal data with?

We may share your personal data with other entities for the purposes of providing services to our clients and such services may include general back office and administration support and services.

We work with many third parties, to help manage our business and deliver services. These third parties may from time to time need to have access to your personal data.

For Insured Persons these third parties may include:

Brokers, Insurers, Reinsurers and Third Party Administrators who work with us to help manage the underwriting process and administer our policies,
Service Providers, who help manage our IT and back office systems and processes,
our regulators, which may include the FCA and ICO as well as other regulators and law enforcement agencies in the EU and around the world,
credit reference agencies and organisations working to prevent fraud in financial services, and
solicitors and other professional services firms.

For Claimants this may include:

Third Party Administrators who work with us to help manage the claims process,
Loss Adjusters and claims experts and other professionals who help us assess and manage claims,
Service Providers, who help manage our IT and back office systems and processes,
Assistance Providers, who can help provide you with assistance in the event of a claim,
credit reference agencies and organisations working to prevent fraud in financial services, and
Solicitors, who may be legal representatives for you, us or a third party cCaimant.

We may be under legal or regulatory obligations to share your personal data with courts, regulators, law enforcement or in certain cases other Insurers. Also, if we were to sell part of our businesses we would need to transfer your personal data to the purchaser of such businesses.

7. International transfers

From time to time, we may need to share your personal data with other entities, Insurers, Reinsurers, our Service Providers or Assistance Providers, who may be located outside the UK. We will always take steps to ensure that any International Transfer of information is carefully managed to protect your rights and interests:

- we will only transfer your personal data to countries which are recognised as providing an adequate level of legal protection, or
- transfers within GCube will be covered by the Standard Contractual Clauses or an intra-group agreement which gives specific contractual protections designed to ensure that your personal data receives an adequate and consistent level of protection wherever it is transferred within GCube, or
- transfers to third parties outside the UK are protected by contractual commitments such as signing the Standard Contractual Clauses with them or where appropriate further assurances, such as certification schemes.

You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 11 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).

8. Data analytics

We routinely analyse information in our various systems and databases to help improve the way we run our business, to provide a better service and to enhance the accuracy of our risk models. We take steps to protect privacy by aggregating and where appropriate anonymising data fields (particularly in relation to policy information and claim details) before allowing information to be available for analysis.

9. How long do we keep your personal data?

We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Notice. In some circumstances, we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.

In specific circumstances, we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.

We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required, we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.

10. What are your rights?

You have a number of rights in relation to your personal data.

Where you are a data subject, you may request access to your data, correction or rectification of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability and various information in relation to any Automated Decision Making and Profiling or the basis for International Transfers. You may also exercise a right to complain to your Supervisory Authority. These are set out in more detail as follows:

RIGHT	WHAT THIS MEANS
Access	You can ask us to: confirm whether we are processing your personal data, give you a copy of that data, provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out any Automated Decision Making or Profiling, to the extent that information has not already been provided to you in this Notice.
Rectification	You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
Erasure	You can ask us to erase your personal data, but only where: it is no longer needed for the purposes for which it was collected, or you have withdrawn your consent (where the data processing was based on consent), or following a successful right to object (see ‘Objection’ below), or it has been processed unlawfully, or to comply with a legal obligation to which GCube is subject. We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary: for compliance with a legal obligation, or for the establishment, exercise or defence of legal claims. There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances where we would deny that request.
Restriction	You can ask us to restrict (i.e. keep but not use) your personal data, but only where: its accuracy is contested (see Rectification), to allow us to verify its accuracy, or the processing is unlawful, but you do not want it erased, or it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims, or you have exercised the right to object, and verification of overriding grounds is pending. We can continue to use your personal data following a request for restriction, where: we have your consent (for example to process a claim), or to establish, exercise or defend legal claims, or to protect the rights of another natural or legal person, or to comply with legal obligations to which GCube is subject.
Portability	You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another Controller, but in each case only where: the processing is based on your consent or the performance of a contract with you; and the processing is carried out by automated means.
Objection	You can object to any processing of your personal data which has our ‘legitimate interests’ as its legal basis (see Section 5), if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
International Transfers	You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of the European Economic Area. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.
Supervisory Authority	You have a right to lodge a complaint with your local Supervisory Authority about our processing of your personal data. In the UK, the Supervisory Authority for data protection is the ICO (https://ico.org.uk/). We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your Supervisory Authority at any time.

To exercise your rights you may contact us as set out in Section 11. Please note the following if you do wish to exercise these rights:

Identity. We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request.
Fees. We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.
Timescales. We aim to respond to any valid requests within one (1) month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three (3) months. We will let you know if we are going to take longer than one (1) month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
Exemptions. Local laws, including in the UK, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.
Third Party Rights. We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects.

11. Contact and complaints

The primary point of contact for all issues arising from this Notice, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following ways:

[email protected]

Data Protection Officer
155 Fenchurch Street
London
EC3M 6AL

If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time.

APPENDIX 1 – CATEGORIES OF PERSONAL DATA

INFORMATION TYPE	EXAMPLES OF DETAILS OF INFORMATION THAT WE TYPICALLY CAPTURE
Insured person
Contact Details / Personal Attributes / Personal Directory	Name, address, telephone number, email, age or date of birth, National Identifier, licences e.g. driver or pilot
Policy Information	Policy number, relationship to the policyholder, details of policy including insured amount, exceptions etc., previous claims
Personal Risk Information/Background Checks	Gender, marital status, date of birth, claims history, professional history, CV, background/vetting information, claims history Special Categories of Data Health Data – e.g. physical and mental conditions, medical history and procedures, relevant personal habits (e.g. smoking), drug test results Criminal Data – e.g. driving offences, unspent convictions
Financial Information	Bank account details (where you are the payer of the policy premium) or card data used for billing, salary or wage details, insured amounts
Marketing	Name, email address, interests/marketing list assignments, record of permissions or marketing objections, website data (including online account details, IP address)
Anti-fraud Data	Name, address, history of fraudulent claims, employment history, details of incident giving rise to claim Special Categories of Data Criminal Data – e.g. unspent convictions
Claimant
Contact Details / Personal Attributes / Personal Directory	Name, address, passport, age or date of birth, National Identifier, email, marital status, birth certificate, death certificate, passport
Policy Information (excluding third party claimants)	Policy number, relationship to the policyholder/insured person, details of policy including insured amount, exceptions etc., previous claims
Claim Details	Details of incident giving rise to claim, CCTV and video footage, utility bills Special Categories of Data Health Data – e.g. details of injury, medical report, drug test results Criminal Data – e.g. driving offences, police reports Trade Union Membership
Financial Information	Bank account details used for payment, salary details
Anti-fraud Data	Name, address, history of fraudulent claims, employment history, details of incident giving rise to claim Special Categories of Data Criminal Data – e.g. unspent convictions

APPENDIX 2 – LEGAL BASIS FOR PROCESSING

Activity	Type of information	The basis on which we use the information	Who we may disclose the information to
Insured person
Set up a record on our systems	Contact Details Policy Information Personal Risk Information Marketing	Performance of a contract to which the data subject is a party Legitimate interests (to ensure we have an accurate record of all Insured Persons we cover)	Service Providers
Carry out background, sanction, fraud and credit checks	Contact Details Personal Risk Information Criminal Data	Legal obligation	Service Providers Credit reference agencies Anti-fraud databases
Consider the underwriting submission, assess risk and write policy	Personal Risk Information Health Data Criminal Data	Take steps to enter into a contract with a data subject Legitimate interests (to determine the likely risk profile and appropriate level, cost and type of cover to extend, if any and to place the policy on behalf of the insured) Consent, where required by law Local law exemptions	Insurers Reinsurers Service Providers
Manage renewals	Contact Details Policy Information Personal Risk Information Health Data Criminal Data	Performance of a contract to which the data subject is a party Legitimate Interests (to determine whether to extend cover for a renewal period, and if so, on what terms and to extend the cover on behalf of the insured) Consent, where required by law	Insurer Service Providers
Provide client care, assistance and support	Contact Details Policy Information	Performance of a contract to which the data subject is a party Legitimate interests (to provide support, assistance and advice to customers in respect of their policy) Consent, where required by law	Assistance Providers Service Providers
Receive and return premiums and payments	Contact Details Financial Information	Performance of a contract to which the data subject is a party Legitimate interests (to enable the placing of cover with the insurer)	Banks Insurers Insured/Client Service Providers
Marketing	Contact Details Marketing	Legitimate interests (to provide information about insurance products or services which may be of interest) Consent	Service Providers
Comply with legal and regulatory obligations	Contact Details Policy Information Personal Risk Information Financial Information	Legal obligation	Regulators (e.g. FCA, ICO) Law enforcement bodies Courts
Claimant
Receive notification of claim	Contact Details Policy Information Claim Details	Performance of a contract to which the data subject is a party Legitimate interests (third party claimants) (to maintain an accurate record of all claims received and the identity of claimants)	Third Party Administrators Assistance providers Service providers
Assess claim	Claim Details Anti-Fraud Details Policy Information Health Data Criminal Data	Performance of a contract to which the data subject is a party Legitimate interests (to assess the circumstances and validity of a claim) Consent, where required by law Establish, exercise or defend legal claims	Third Party Administrators Loss Adjusters Solicitors Claims Experts Insurers Assistance Providers Service Providers
Monitor and detect fraud	Contact Details Claim Details Anti-fraud Data	Legal Obligations	Law enforcement bodies Service Providers
Settle claim	Contact Details Financial Information	Performance of a contract to which the data subject is a party Legitimate interests (third party claimants) (to settle claims to successful third party claimants)	Solicitors Third Party Administrators Claimants
Comply with legal and regulatory obligations	Contact Details Policy Information Claim Details Financial Information Anti-fraud Data	Legal obligation	Regulators (e.g. FCA, PRA, ICO) Law enforcement bodies Courts

APPENDIX 3 – GLOSSARY

Assistance Providers: these are a special category of service provider, which we use to help provide you with emergency or other assistance in connection with certain policies.

Claims Experts: these are experts in a particular field which is relevant to a claim, for example medicine, forensic accountancy, mediation or rehabilitation, who are engaged to help us properly assess the merit and value of a claim, provide advice on its settlement, and advise on the proper treatment of claimants.

Controller: means a natural or legal person (which determines the means and purposes of processing of personal data).

Coverholder: means a company authorised by insurers to enter into a contract or contracts of insurance.

FCA: the Financial Conduct Authority, which is a financial regulatory body in the UK.

ICO: the Information Commissioner’s Office regulates the processing of personal data by all organisations within the UK.

Insured Person: we use this term to refer to both individual policyholders, as well as any individual who benefits from insurance coverage under one of our policies (for example, where an employee benefits from coverage taken out by their employer).

Insurer: a company that underwrites an insurance risk.

GCube: GCube Underwriting Limited and in the event that GCube Underwriting Limited is acquired by a purchasing firm, GCube shall include all companies within the purchasing firm.

Loss Adjuster: these are an independent claims specialist which investigates complex or contentious claims on our behalf.

Policyholder: means the original insured, assured, insured and reinsured.

PRA: the Prudential Regulation Authority, which is a financial regulatory body in the UK. The PRA focuses on the prudential regulation of financial services firms. When discharging its general functions, the PRA is responsible for contributing to the securing of an appropriate degree of protection for policyholders.

Profiling: means using automated processes without human intervention (such as computer programmes) to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an insurance context, such as your likely risk profile.

Reinsurer: an insurer who insures the risks of other insurance companies.

Service Providers: these include a range of third parties to whom we outsource certain functions of our business or with whom we have engaged to provide certain services. For example, we have service providers who provide/support ‘cloud based’ IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.

Solicitors: we frequently use solicitors to advise on complex or contentious claims or to provide us with non-claims related legal advice. In addition, if you are a claimant you may be represented by your own solicitor(s).

Special Categories of Data: means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.

Third Party Administrators (or TPAs): these are companies outside the GCube Group which administer the underwriting of policies, the handling of claims, or both, on our behalf. We require all TPAs to ensure that your personal data is handled lawfully, and in accordance with this Policy and our instructions.

CONTENTS