GCube Underwriting Limited (“GCube”, “we”, “our” or “us”) regularly collect and use information which may identify individuals (“you”, “your”). We collect your Personal Information when:

  • You visit our websites, sign up to any of our newsletters, sign up to use any of our client portals, request to and attend any GCube events, take part in any of our competitions or surveys or send/communicate a request to us; or
  • We communicate with you as a prospective or current Client, Introducer or supplier of GCube.

We take your data protection rights and our legal obligations seriously. Your Personal Information will be treated in a secure and confidential manner and only as set out in this Fair Processing Notice.

This Fair Processing Notice describes the categories of your Personal Information we process, how your Personal Information may be processed and how your privacy is safeguarded in the course of our relationship with you. It is intended to comply with our obligations to provide you with information about GCube’s processing of your Personal Information under applicable European privacy laws. It does not form part of any contract you may have with GCube.

If you have any questions regarding the processing of your Personal Information or if you believe your privacy rights have been violated, please contact our Data Protection Officer at GCube_UKDPO@gcube-insurance.com.

We may amend this Notice from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. Please regularly check this Notice for updates.

1. Who is responsible for looking after your Personal Information?

GCube collects and processes your Personal Information when you visit our website or in your correspondence with us for the purposes described in this Fair Processing Notice.

The relevant Associated Companies of GCube with whom you have dealings as identified by your visits to their website or in your correspondence with them (whether issued by GCube or a third party) will be the Data Controller of your Personal Information. In addition, where processing of Personal Information is undertaken by other Associated Companies of GCube for their own independent purposes, these Associated Companies may also be Data Controllers of your Personal Information.

2. What Personal Information are we collecting?

We may collect, use, store and transfer the following Personal Information about you for the purposes described in this Fair Processing Notice:

  • Contact Details which include names, email addresses, billing and home addresses, telephone numbers, marital status, title and gender;
  • Identification Details which include date of birth and passport information;
  • Monitoring Data (to the extent permitted by applicable laws) which include telephone recordings and website/portal usage data containing information about how you use our websites/portals.

Please note that the only Special Categories of Data we may process about you is any dietary requirements that you may have. We do not collect any information about criminal convictions or offences.

Our website may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their privacy notices. When you leave our website, we encourage you to read the privacy notice of every website you visit.

3. How do we use your Personal Information?

We will only use your Personal information when the law allows us to. We usually use your Personal Information for the following purposes:

We have set out below a description of the ways in which we may use your Personal Information and which of the legal bases we rely on to do so.

Activity Type of information collected The basis on which we may the information
To register you as a new or prospective client or supplier and to conduct Know Your Client checks
  • Contact Details
  • Identification Data
  • Marketing and Communications Data
  • Performance of a contract with you
  • Legitimate interests (to set up our records with you as a prospective or current client or supplier)
To manage our relationship with you as a prospective or current Client or supplier which will include:

  • notifying you about changes to our terms or Fair Processing Notice
  • providing you with access to our client portals
  • asking you to leave a review or take a survey
  • communicating with you
  • conducting on-going KYC checks
  • Contact Details
  • Identification Data
  • Profile Data
  • Marketing and Communications Data
  • Technical Data
  • Monitoring Data
  • Performance of a contract with you
  • Necessary to comply with a legal obligation
  • Legitimate interests (to keep our records updated, to communicate with you as a prospective or current client or supplier and to analyse your use of our services and products)
To inform you of news and updates concerning industry specific matters and more specifically, about GCube products and services including renewal quotations for existing services that we provide to you

To disseminate information about GCube’s activities

  • Contact Details
  • Marketing and Communications Data
  • Images, photographs and video recordings
  • Your consent, where applicable to provide direct marketing
  • Legitimate interests (to set up our records and keep our records updated, to provide direct marketing)
  • Legitimate interests (to keep records of GCube’s activities and GCube events, and for marketing and publicity related purposes)
  • Your consent, where applicable to use your image or feedback in GCube marketing literature
To enable you to partake in a prize draw, competition or complete a survey or a feedback form
  • Contact Details
  • Identification Data
  • Profile Data
  • Marketing and Communications Data
  • Monitoring Data
  • Performance of a contract with you
  • Legitimate interests (to analyse how clients and prospective clients use our services, to develop them and to grow our business and to inform our business strategy)
To enable us to book you onto seminars, conferences and workshops, to make travel and accommodation arrangements for you and to plan and organise your travel itinerary as part of managing and developing our client relationship with you
  • Contact Details
  • Profile Data
  • Marketing and Communications Data
  • Performance of a contract with you
  • Legitimate interests (to grow our business, to enhance business relationship and management and to inform our business development strategy)
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
  • Contact Details
  • Profile Data
  • Marketing and Communications Data
  • Technical Data
  • Monitoring Data
  • Legitimate interests (to analyse how clients and prospective clients use our services, to develop them and to grow our business and to inform our business development strategy)
To maintain records of our telephone conversations with you
  • Monitoring Data
  • Necessary to comply with a legal obligation
  • Legitimate interests (for training and monitoring purposes, for dealing with any queries, complaints or enquiries and for evidence in any civil or criminal legal proceedings)
To maintain the security of our premises, members of the public, our staff and equipment
  • Images
  • Legitimate interests (to maintain the security of our premises, members of the public, our staff and our equipment)
To promote GCube’s or other third parties services to you
  • Contact Details
  • Marketing and Communications Data
  • Legitimate interests to develop and grow your business
  • Your consent, where applicable to share your contact details with a third party
To fulfil all purposes of personal data processing for which we have obtained your express consent to collect and use your Personal Information
  • Contact Details
  • Identification Details
  • Profile Data
  • Marketing and Communications Data
  • Images
  • Technical Data
  • Monitoring Data
  • Consent to process your Personal Information for the purposes defined in our consent notice to you
To respond to data subject rights requests – please see section 8 of this Notice.
  • Contact Details
  • Identification Details
  • Necessary to comply with legal obligation
To respond to your application for employment or request for work placements
  • Contact Details
  • Identification Details
  • Other personal data which you send to us on an unsolicited basis
  • Legitimate interests to respond to your application or request
To provide general back office and administration support and services
  • Contact Details
  • Identification Data
  • Profile Data
  • Marketing and Communications Data
  • Images
  • Technical Data
  • Monitoring Data
  • Other personal data which you send to us on an unsolicited basis
  • Legitimate interests to support any of the purposes set out above

4. How is your Personal Information collected?

We may collect Personal Information from and about you through the following:

5. Who do we share your Personal Information with?

We may share your Personal Information with GCube Group entities for the purposes set out in section 3 of this notice.

We work with many third parties to help administer, maintain and provide our websites and client portals, facilitate our marketing strategies, campaigns, competition and surveys, to book travel and accommodation and to collect and maintain telephone call recordings and CCTV images. These third parties may from time to time need to have access to your Personal Information and may include:

We may be under legal or regulatory obligations to share your Personal Information with courts, regulators, law enforcement or in certain cases insurers. Also, if we were to sell part of our businesses we would need to transfer your Personal Information to the purchaser of such businesses.

 

6. International Transfers

From time to time we may need to share your Personal Information with GCube entities and third parties who may be located in another jurisdiction.

We will always take steps to ensure that any International Transfer of information is carefully managed to protect your rights and interests:

  • transfers within the GCube of companies will be covered by the Standard Contractual Clauses which gives specific contractual protections designed to ensure that your Personal Information receives an adequate and consistent level of protection wherever it is transferred within the GCube; or
  • where your Personal Information is processed by:
    • a GCube office located in the United Kingdom (“UK”) and we transfer your Personal Information to third parties located in countries other than the UK or EEA; or
    • a GCube office located in the EEA and we transfer your Personal Information to third parties outside the EEA,

we will protect your Personal Information by contractual commitments and where appropriate, further assurances, such as the Standard Contractual Clauses or the certification schemes – for example, the EU – U.S. Privacy Shield for the protection of Personal Information transferred to the US.

 

7. How long do we keep your Personal Information?

We will retain your Personal Information for as long as is reasonably necessary for the purposes set out in this Fair Processing Notice. In some circumstances we may retain your Personal Information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.

We will generally retain your Personal Information within our CCTV systems for approximately 31 days. After this time, the recording stored on the hard drive of our CCTV systems will usually be overwritten. However, if we receive an enquiry about a particular recording on our CCTV systems, we will generally then retain that recording until it is no longer required. This period can vary as it will depend upon the circumstances of the particular case, but for criminal or civil legal proceedings this could mean that the recording is retained until after the legal case and any appeals have been concluded, which may be many years. We will then delete the recording as soon as it is no longer required.

We will generally retain telephone call recordings for up to 12 months or longer where we are required to do so for legal or regulatory purposes.

In specific circumstances we may also retain your Personal Information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your Personal Information or dealings.

Where your Personal Information is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.

 

8. What are your rights?

You have a number of rights in relation to your Personal Information.

You may request access to your data, correction or rectification of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability and various information in relation to any Automated Decision Making and Profiling or the basis for International Transfers. You may also exercise a right to complain to your Supervisory Authority. These are set out in more detail as follows:

RIGHT WHAT THIS MEANS
Access You can ask us to:

  • confirm whether we are processing your Personal Information;
  • give you a copy of Personal Information;
  • provide you with other information about your Personal Information  such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out any Automated Decision Making or Profiling, to the extent that information has not already been provided to you in this Fair Processing Notice.
Rectification You can ask us to rectify inaccurate Personal Information.  We may seek to verify the accuracy of the data before rectifying it.
Erasure You can ask us to erase your Personal Information, but only where:

  • it is no longer needed for the purposes for which it was collected; or
  • you have withdrawn your consent (where the data processing was based on consent); or
  • following a successful right to object (see ‘Objection’ below); or
  • it has been processed unlawfully; or
  • to comply with a legal obligation to which we are subject.

We are not required to comply with your request to erase your Personal Information if the processing of your Personal Information is necessary:

  • for compliance with a legal obligation; or
  • for the establishment, exercise or defence of legal claims.

There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances where we would deny that request.

Restriction You can ask us to restrict (i.e. keep but not use) your Personal Information, but only where:

  • its accuracy is contested (see Rectification), to allow us to verify its accuracy; or
  • the processing is unlawful, but you do not want it erased; or
  • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
  • you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your Personal Information following a request for restriction, where:

  • we have your consent (for example to process a claim); or
  • to establish, exercise or defend legal claims; or
  • to protect the rights of another natural or legal person; or
  • to comply with a legal obligations to which we are subject.
Portability You can ask us to provide your Personal Information to you in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another Data Controller, but in each case only where:

  • the processing is based on your consent or the performance of a contract with you; and
  • the processing is carried out by automated means.
Objection You can object to any processing of your Personal Information which has our ‘legitimate interests’ as its legal basis (see Section 3) if you believe your fundamental rights and freedoms outweigh our legitimate interests.

Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.

International transfers You can ask to obtain a copy of, or reference to, the safeguards under which your Personal Information is transferred outside of the EEA. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.
Supervisory Authority You have a right to lodge a complaint with your local Supervisory Authority about our processing of your Personal Information. In the UK, the Supervisory Authority for data protection is the ICO (https://ico.org.uk/). We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your Supervisory Authority at any time.

To exercise your rights you may contact us as set out in Section 9. Please note the following if you do wish to exercise these rights:

9. Contact and complaints

The primary point of contact for all issues arising from this Notice, including requests to exercise data subject rights, is our Data Protection Officer:
GCube_UKDPO@gcube-insurance.com

Data Protection Officer
GCube Underwriting Insurance Limited
155 Fenchurch Street
London
EC3M 6AL

If you have a complaint or concern about how we use your Personal Information, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time.

GLOSSARY OF TERMS

Associated Companies means the companies listed here who are incorporated in the UK or the EU.

Client means a client, insurer, broker, introducer, intermediary or other third party that we conduct business with.

Data Controller means a natural or legal person (such as a company) which determines the means and purposes of processing of Personal Information.

EEA means the European Economic Area, which includes all countries in the EU and also Iceland, Liechtenstein and Norway.

EU means countries within the European Union.

GCube means GCube Underwriting Limited and in the event that GCube Underwriting Limited is acquired by a purchasing firm, GCube shall include all companies within the purchasing firm.

KYC checks means Know Your Client checks conducted for the purposes of enabling us to identify and verify our prospective or current Clients or suppliers and to company with regulatory requirements.

Personal Information means information that relates to a living individual. It includes information that may identify a person by name and contact details, or refer to associated information such as account activity, or personal preferences that can directly or indirectly identify an individual.

Process/Processing/Processed means any and all actions we take with respect to your Personal Information, including (without limitation) managing, viewing, holding, storing, deleting, changing, using and saving.

Profiling means using automated processes without human intervention (such as computer programmes) to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an insurance context, such as your likely risk profile.

Special Category of Data means any Personal Information relating to your health, genetic or biometric data, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.

Supervisory Authority means the supervisory authority for data protection, which in the United Kingdom is the ICO (https://ico.org.uk/).