Use of Your Information by Irwell Insurance Company Limited
Irwell Insurance Company Limited (the Data Controller) is committed to protecting your privacy in accordance with the current Data Protection Legislation as per the terms set out in the General Data Protection Regulation (GDPR 2016) and the Data Protection Act (DPA 2018). This fair processing notice sets out the details of the information that we may collect from you, as well as the ways in which we may process data relating to you and your company. This notice should be read in conjunction with our product terms and conditions. The specific company also acting as a data controller of your personal information will be listed in the policy documentation we provide to you.
The Insurer (“we”, “us”, “it”) may process Personal Data in order to arrange the Insured’s insurance cover (including renewals and Claims), to comply with a legal requirement, to administer accounts, for research and statistical purposes, to provide customer service, to perform credit checks, to engage in fraud prevention and market our products and services and any other related purposes which may include underwriting decisions made via automated means. In addition, we may use it for the purposes more particularly described below.
Automated Decision Making
Profiling of individuals does not occur.
Who is Irwell Insurance?
Irwell Insurance Limited is an insurance business based in the UK. We offer insurance to limited companies, sole traders and partnerships for the purpose of insuring you for certain liabilities that may arise as a result of your day-to-day business activities.
What personal information do we collect and use?
For the provision of our products in some circumstances, we may need to obtain and process more sensitive personal information about you and your company, such as information relating to health, criminal convictions or civil offence data. We may also process other sensitive personal information including details of your race; ethnicity; religious or philosophical beliefs; political opinions; trade union membership; genetic or biometric data; or data concerning your sex life or sexual orientation if relevant to your policy or claim.
This information, once gathered, may form part of the underwriting of the policy or form part of the claims handling process. The provision of such data is conditional for us to be able to provide insurance or manage a claim. Any such data will only be used for the specific purposes set out in our notice.
How long will we keep your data for?
Your data will not be retained for longer than is necessary and will be managed in accordance with our data retention policy. In most cases, the retention period will be for a period of ten years following the expiry of the insurance contract, the closure of your claim, or our business relationship with you, unless we are required to retain the data for a longer period due to business, legal or regulatory requirements.
Will your data leave the EEA?
We may store, process or transfer information we collect about you to destinations outside of the European Economic Area (“EEA”). Where this happens, we ensure that your information is treated securely using appropriate safeguards. For example, we would protect any transfer of data to another party with standard contractual clauses (SCCs) built in as part of the contractual obligations in accordance with GDPR legislation.
Will we share your data?
Yes. If the law requires or allows us to, we will also share information as necessary with other organisations. These other organisations could include Credit Reference Agencies, Fraud Prevention Agencies, Government Bodies and Regulators, Law Enforcement Agencies, Insurance Reference Bureaus, Medical Service providers, Loss Adjusters, External Law Firms, External Actuaries, External Accountants and Auditors, our Agents, Third Party Administrators, Reinsurers, Other Insurance Intermediaries and others as may be required by law.
When we share your information with Credit Reference Agencies, a credit rating check may be undertaken along with other details you have supplied. Please be aware these checks form a part of most insurance application processes, which may leave a record on your credit file that other lenders can see. When we share your information with Fraud Prevention Agencies they will use the data to prevent fraud and money laundering and verify your identity. We may submit your personal data into an insurance industry wide fraud monitoring system to compare feedback from other members of the insurance industry in the UK. If we believe someone poses a fraud or money laundering risk, we may refuse to provide the product.
What is our Legal Basis for Processing?
The purpose of processing your data is to arrange insurance cover. When doing so, we will only use your information where we have a legal basis to do so, for example, for the performance of your contract with us or if we need to use your information to meet our legal obligations as stated in our terms and conditions. We may also use your information, if necessary, to comply with the law or to carry out our legitimate business interests.
| Legal Basis for Processing | Processing Activities Samples |
| --- | --- |
| The Processing is necessary for the performance of a contract or to take steps at your request prior to entering a contract | Prospect quotations, to complete new business and ongoing business, identity checks, underwriting, reinsurance arrangements, claims processing, legal helplines, processing of special categories of data and sensitive data, policy provision, account servicing, processing policy cancellations |
| The Processing is necessary for our legitimate interests | Claims processing, underwriting, handling complaints, processing of special categories of data and sensitive data, staff training and development, management forecasting, portfolio assessment, risk assessment, performance reporting, management reporting, data sharing to other legal entities or affiliated service providers |
| The Processing is necessary to comply with a legal obligation | Data sharing to Enforcement/government bodies, industry requirements for fraud prevention and AML regulations, compilation of annual reports and benefit statements |
What Safeguards do we use?
All data at rest and in transit is encrypted. All databases, software and hardware/devices used by Irwell are protected with high levels of encryption. Encryption keys are managed with strict policies and procedures. Data is backed up daily to redundant backup locations and all backups are encrypted. Measures are in place to ensure that the business can continue to function should a compromise occur. The data restore process is tested regularly. All networks used by Irwell have firewalls, antivirus and endpoint detection and response in place, deployed on all endpoints to detect, alert on and neutralise any threats. Any applications accessible from the internet are constantly safeguarded to prevent the existence and exploitation of web application vulnerabilities such as cross-site scripting or SQL injection. External connections are protected with enterprise, resilient firewalls and dedicated security monitoring.
What are your Access Rights?
All data subjects have individual rights. On a case-by-case basis, as a Data Subject you have the following rights in relation to your personal data processed by Irwell Insurance Limited:
- The right to be informed about how your personal data is collected and used
- The right to request access to a copy of any personal data that we hold about you
- The right to rectify personal data we may hold which is identified as incorrect or misleading
- The right to erasure of any personal data; also known as ‘the right to be forgotten’
- The right to restrict further processing of your personal data
- The right to data portability where technology allows us to send personal data onto a new controller
- The right to object to the processing or certain processing activities
- Rights in relation to automated decision-making including profiling.
There will not usually be a charge for dealing with these requests. Please note that the rights set out above do not apply in all circumstances. In some cases, we may not be able to comply with your request (for example, where there is a conflict with our own obligations to comply with other legal or regulatory requirements). However, we will always respond to any request you make and if we can’t comply with your request, we will tell you why.
In some circumstances exercising some of these rights (such as the right to erasure or the right to restrict processing) will mean that we are unable to continue providing you with insurance and may therefore result in its cancellation. In this circumstance, you would lose the right to bring any claim or receive any benefit, including in relation to any event that occurred before you exercised your right of erasure, if our ability to handle the claim has been prejudiced. Your policy terms and conditions set out what will happen in the event your policy is cancelled.
You also have the right to approach the UK Supervisory Authority, the Information Commissioner’s Office, if you are unhappy about the way we have dealt with your data. Their address is: Wycliffe House, Water Lane, Wilmslow SK9 5AF.
If you have any questions relating to the use of your personal data by Irwell Insurance, please contact: The Data Protection Officer, Irwell Insurance Company Limited, 2 Cheetham Hill Road, Manchester, M4 4FB.