General Fair Processing Notice

GCube Underwriting Limited (“GCube”, “we”, “our” or “us”) regularly collect and use information which may identify individuals (“you”, “your”). We collect your Personal Information when:

You visit our websites, sign up to any of our newsletters, sign up to use any of our client portals, request to and attend any GCube events, take part in any of our competitions or surveys or send/communicate a request to us; or
We communicate with you as a prospective or current Client, Introducer or supplier of GCube.

We take your data protection rights and our legal obligations seriously. Your Personal Information will be treated in a secure and confidential manner and only as set out in this Fair Processing Notice.

This Fair Processing Notice describes the categories of your Personal Information we process, how your Personal Information may be processed and how your privacy is safeguarded in the course of our relationship with you. It is intended to comply with our obligations to provide you with information about GCube’s processing of your Personal Information under applicable European privacy laws. It does not form part of any contract you may have with GCube.

If you have any questions regarding the processing of your Personal Information or if you believe your privacy rights have been violated, please contact our Data Protection Officer at [email protected].

We may amend this Notice from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. Please regularly check this Notice for updates.

1. Who is responsible for looking after your Personal Information?

GCube collects and processes your Personal Information when you visit our website or in your correspondence with us for the purposes described in this Fair Processing Notice.

The relevant Associated Companies of GCube with whom you have dealings as identified by your visits to their website or in your correspondence with them (whether issued by GCube or a third party) will be the Data Controller of your Personal Information. In addition, where processing of Personal Information is undertaken by other Associated Companies of GCube for their own independent purposes, these Associated Companies may also be Data Controllers of your Personal Information.

2. What Personal Information are we collecting?

We may collect, use, store and transfer the following Personal Information about you for the purposes described in this Fair Processing Notice:

Contact Details which include names, email addresses, billing and home addresses, telephone numbers, marital status, title and gender;
Identification Details which include date of birth and passport information;

Profile Data which includes your username and password, your interests, preferences, feedback and survey responses and access made to our client portals;
Marketing and Communications Data which includes your preferences in receiving marketing from us and our third parties, your communication preferences and other marketing and communication related data;
Images which includes your images contained in photographs and/or video recordings;
Technical Data which includes internet protocol (IP) addresses, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website; and

Monitoring Data (to the extent permitted by applicable laws) which include telephone recordings and website/portal usage data containing information about how you use our websites/portals.

Please note that the only Special Categories of Data we may process about you is any dietary requirements that you may have. We do not collect any information about criminal convictions or offences.

Our website may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their privacy notices. When you leave our website, we encourage you to read the privacy notice of every website you visit.

3. How do we use your Personal Information?

We will only use your Personal information when the law allows us to. We usually use your Personal Information for the following purposes:

where we need to perform the contract we are about to enter into or have entered into with you;
where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or
where we are required to comply with a legal or regulatory obligation or requirement.

We have set out below a description of the ways in which we may use your Personal Information and which of the legal bases we rely on to do so.

Activity	Type of information collected	The basis on which we may the information
To register you as a new or prospective client or supplier and to conduct Know Your Client checks	Contact Details Identification Data Marketing and Communications Data	Performance of a contract with you Legitimate interests (to set up our records with you as a prospective or current client or supplier)
To manage our relationship with you as a prospective or current Client or supplier which will include: notifying you about changes to our terms or Fair Processing Notice providing you with access to our client portals asking you to leave a review or take a survey communicating with you conducting on-going KYC checks	Contact Details Identification Data Profile Data Marketing and Communications Data Technical Data Monitoring Data	Performance of a contract with you Necessary to comply with a legal obligation Legitimate interests (to keep our records updated, to communicate with you as a prospective or current client or supplier and to analyse your use of our services and products)
To inform you of news and updates concerning industry specific matters and more specifically, about GCube products and services including renewal quotations for existing services that we provide to you To disseminate information about GCube’s activities	Contact Details Marketing and Communications Data Images, photographs and video recordings	Your consent, where applicable to provide direct marketing Legitimate interests (to set up our records and keep our records updated, to provide direct marketing) Legitimate interests (to keep records of GCube’s activities and GCube events, and for marketing and publicity related purposes) Your consent, where applicable to use your image or feedback in GCube marketing literature
To enable you to partake in a prize draw, competition or complete a survey or a feedback form	Contact Details Identification Data Profile Data Marketing and Communications Data Monitoring Data	Performance of a contract with you Legitimate interests (to analyse how clients and prospective clients use our services, to develop them and to grow our business and to inform our business strategy)
To enable us to book you onto seminars, conferences and workshops, to make travel and accommodation arrangements for you and to plan and organise your travel itinerary as part of managing and developing our client relationship with you	Contact Details Profile Data Marketing and Communications Data	Performance of a contract with you Legitimate interests (to grow our business, to enhance business relationship and management and to inform our business development strategy)
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you	Contact Details Profile Data Marketing and Communications Data Technical Data Monitoring Data	Legitimate interests (to analyse how clients and prospective clients use our services, to develop them and to grow our business and to inform our business development strategy)
To maintain records of our telephone conversations with you	Monitoring Data	Necessary to comply with a legal obligation Legitimate interests (for training and monitoring purposes, for dealing with any queries, complaints or enquiries and for evidence in any civil or criminal legal proceedings)
To maintain the security of our premises, members of the public, our staff and equipment	Images	Legitimate interests (to maintain the security of our premises, members of the public, our staff and our equipment)
To promote GCube’s or other third parties services to you	Contact Details Marketing and Communications Data	Legitimate interests to develop and grow your business Your consent, where applicable to share your contact details with a third party
To fulfil all purposes of personal data processing for which we have obtained your express consent to collect and use your Personal Information	Contact Details Identification Details Profile Data Marketing and Communications Data Images Technical Data Monitoring Data	Consent to process your Personal Information for the purposes defined in our consent notice to you
To respond to data subject rights requests – please see section 8 of this Notice.	Contact Details Identification Details	Necessary to comply with legal obligation
To respond to your application for employment or request for work placements	Contact Details Identification Details Other personal data which you send to us on an unsolicited basis	Legitimate interests to respond to your application or request
To provide general back office and administration support and services	Contact Details Identification Data Profile Data Marketing and Communications Data Images Technical Data Monitoring Data Other personal data which you send to us on an unsolicited basis	Legitimate interests to support any of the purposes set out above

4. How is your Personal Information collected?

We may collect Personal Information from and about you through the following:

Direct interactions where you may give us your Personal Information by filling in forms or by corresponding with us by post, phone, email, by coming within the recording field of vision of any of GCube’s CCTV systems maintained at our offices or otherwise. This includes Personal Information you provide when you:
- visit our websites,
- create an account and subscribe to access our client portals;
- subscribe to our publications;
- request for information and other materials to be sent to you;
- speak to someone within GCube to make a request or;
- speak to someone within GCube about one of our products or services or a service of a third party that we feel you might benefit from;
- enter a competition, promotion or survey;
- request for us to book you onto seminars, workshops and conferences and to make travel and accommodation arrangements;
- attend a GCube event or participate in any GCube activities;
- come within the recording field of vision of any of GCube’s CCTV systems maintained at our offices; and
- give us some feedback.
Automated technologies or interactions where we may automatically collect Technical Data about your equipment, browsing actions and patterns as you interact with our websites or when you use one of our client portals. We collect this Personal Information by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy on our website for further details.
Third parties or publicly available sources which may include the receipt of Contact Details and marketing preferences from marketing or mailing list data providers, Technical Data from analytics providers such as Google based in or outside of the EU and/or the UK and from publicly available sources such as Companies House.

5. Who do we share your Personal Information with?

We may share your Personal Information with GCube Group entities for the purposes set out in section 3 of this notice.

We work with many third parties to help administer, maintain and provide our websites and client portals, facilitate our marketing strategies, campaigns, competition and surveys, to book travel and accommodation and to collect and maintain telephone call recordings and CCTV images. These third parties may from time to time need to have access to your Personal Information and may include:

- service providers such as those who help manage our IT and back office systems and processes, those who help maintain and manage our website and those that assist us in the provision of travel and accommodation services.
- Brokers, insurers, reinsurers and Third Party Administrators who work with us to help manage the underwriting process and administer our policies;
- Specific third parties whose details can be made available upon request;
- Police and other law enforcement agencies to help assist investigations, trace missing people and investigate alleged criminal activities;
- Security services where relevant for matters of national security;
- People who have been injured, attacked or had property damaged or stolen and their insurance providers to assist them with any criminal or civil investigations or legal proceedings;
- our regulators which may include the Information Commissioner’s Office, the Financial Conduct Authority, national Supervisory Authorities as well as other regulators and law enforcement agencies in the EU and around the world;
- Organisations working to prevent fraud in financial services

We may be under legal or regulatory obligations to share your Personal Information with courts, regulators, law enforcement or in certain cases insurers. Also, if we were to sell part of our businesses we would need to transfer your Personal Information to the purchaser of such businesses.

6. International Transfers

From time to time we may need to share your Personal Information with GCube entities and third parties who may be located in another jurisdiction.

We will always take steps to ensure that any International Transfer of information is carefully managed to protect your rights and interests:

we will only transfer your Personal Information to countries which are recognised as providing an adequate level of legal protection,

transfers within the GCube of companies will be covered by the Standard Contractual Clauses which gives specific contractual protections designed to ensure that your Personal Information receives an adequate and consistent level of protection wherever it is transferred within the GCube; or

where your Personal Information is processed by:
- a GCube office located in the United Kingdom (“UK”) and we transfer your Personal Information to third parties located in countries other than the UK or EEA; or
- a GCube office located in the EEA and we transfer your Personal Information to third parties outside the EEA,

we will protect your Personal Information by contractual commitments and where appropriate, further assurances, such as the Standard Contractual Clauses or the certification schemes – for example, the EU – U.S. Privacy Shield for the protection of Personal Information transferred to the US.

7. How long do we keep your Personal Information?

We will retain your Personal Information for as long as is reasonably necessary for the purposes set out in this Fair Processing Notice. In some circumstances we may retain your Personal Information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.

We will generally retain your Personal Information within our CCTV systems for approximately 31 days. After this time, the recording stored on the hard drive of our CCTV systems will usually be overwritten. However, if we receive an enquiry about a particular recording on our CCTV systems, we will generally then retain that recording until it is no longer required. This period can vary as it will depend upon the circumstances of the particular case, but for criminal or civil legal proceedings this could mean that the recording is retained until after the legal case and any appeals have been concluded, which may be many years. We will then delete the recording as soon as it is no longer required.

We will generally retain telephone call recordings for up to 12 months or longer where we are required to do so for legal or regulatory purposes.

In specific circumstances we may also retain your Personal Information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your Personal Information or dealings.

Where your Personal Information is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.

8. What are your rights?

You have a number of rights in relation to your Personal Information.

You may request access to your data, correction or rectification of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability and various information in relation to any Automated Decision Making and Profiling or the basis for International Transfers. You may also exercise a right to complain to your Supervisory Authority. These are set out in more detail as follows:

RIGHT	WHAT THIS MEANS
Access	You can ask us to: confirm whether we are processing your Personal Information; give you a copy of Personal Information; provide you with other information about your Personal Information such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out any Automated Decision Making or Profiling, to the extent that information has not already been provided to you in this Fair Processing Notice.
Rectification	You can ask us to rectify inaccurate Personal Information. We may seek to verify the accuracy of the data before rectifying it.
Erasure	You can ask us to erase your Personal Information, but only where: it is no longer needed for the purposes for which it was collected; or you have withdrawn your consent (where the data processing was based on consent); or following a successful right to object (see ‘Objection’ below); or it has been processed unlawfully; or to comply with a legal obligation to which we are subject. We are not required to comply with your request to erase your Personal Information if the processing of your Personal Information is necessary: for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims. There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances where we would deny that request.
Restriction	You can ask us to restrict (i.e. keep but not use) your Personal Information, but only where: its accuracy is contested (see Rectification), to allow us to verify its accuracy; or the processing is unlawful, but you do not want it erased; or it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or you have exercised the right to object, and verification of overriding grounds is pending. We can continue to use your Personal Information following a request for restriction, where: we have your consent (for example to process a claim); or to establish, exercise or defend legal claims; or to protect the rights of another natural or legal person; or to comply with a legal obligations to which we are subject.
Portability	You can ask us to provide your Personal Information to you in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another Data Controller, but in each case only where: the processing is based on your consent or the performance of a contract with you; and the processing is carried out by automated means.
Objection	You can object to any processing of your Personal Information which has our ‘legitimate interests’ as its legal basis (see Section 3) if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
International transfers	You can ask to obtain a copy of, or reference to, the safeguards under which your Personal Information is transferred outside of the EEA. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.
Supervisory Authority	You have a right to lodge a complaint with your local Supervisory Authority about our processing of your Personal Information. In the UK, the Supervisory Authority for data protection is the ICO (https://ico.org.uk/). We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your Supervisory Authority at any time.

To exercise your rights you may contact us as set out in Section 9. Please note the following if you do wish to exercise these rights:

Identity. We take the confidentiality of all records containing Personal Information seriously, and reserve the right to ask you for proof of your identity if you make a request.
Fees. We will not ask for a fee to exercise any of your rights in relation to your Personal Information, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.
Timescales. We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
Exemptions. Local laws, including in the UK, provide for additional exemptions, in particular to the right of access, whereby Personal Information can be withheld from you in certain circumstances, for example where it is subject to legal privilege.
Third Party Rights. We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects.

9. Contact and complaints

The primary point of contact for all issues arising from this Notice, including requests to exercise data subject rights, is our Data Protection Officer:
[email protected]

Data Protection Officer
GCube Underwriting Insurance Limited
155 Fenchurch Street
London
EC3M 6AL

If you have a complaint or concern about how we use your Personal Information, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time.

GLOSSARY OF TERMS

Associated Companies means the companies listed here who are incorporated in the UK or the EU.

Client means a client, insurer, broker, introducer, intermediary or other third party that we conduct business with.

Data Controller means a natural or legal person (such as a company) which determines the means and purposes of processing of Personal Information.

EEA means the European Economic Area, which includes all countries in the EU and also Iceland, Liechtenstein and Norway.

EU means countries within the European Union.

GCube means GCube Underwriting Limited and in the event that GCube Underwriting Limited is acquired by a purchasing firm, GCube shall include all companies within the purchasing firm.

KYC checks means Know Your Client checks conducted for the purposes of enabling us to identify and verify our prospective or current Clients or suppliers and to company with regulatory requirements.

Personal Information means information that relates to a living individual. It includes information that may identify a person by name and contact details, or refer to associated information such as account activity, or personal preferences that can directly or indirectly identify an individual.

Process/Processing/Processed means any and all actions we take with respect to your Personal Information, including (without limitation) managing, viewing, holding, storing, deleting, changing, using and saving.

Profiling means using automated processes without human intervention (such as computer programmes) to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an insurance context, such as your likely risk profile.

Special Category of Data means any Personal Information relating to your health, genetic or biometric data, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.

Supervisory Authority means the supervisory authority for data protection, which in the United Kingdom is the ICO (https://ico.org.uk/).