The following section of this document relates solely to the provision of claims handling/loss adjusting services.
5.1 What we do
The use of your personal data depends on the type of service we are providing and your relationship with our organisation. It may also be governed by the contract we have with the party for whom we are acting.
Our principal business activity is handling claims under policies arranged with the insurance sector or organisations operating in a similar capacity, hereinafter referred to as the insurer. When acting for insurers, our primary function is to establish the extent of their liability for a particular claim. Once we have completed our enquiries, we either report back to the insurer concerned with our findings or make recommendations for payment, repair or replacement as appropriate. Under some arrangements, we may be able to conclude matters with the claimant without referring back to insurers, known as “Delegated authority.” In order to perform all these activities, we need to process personal data.
5.2 Personal Data
Personal data means information relating to an individual.
Processing personal data means operations (automatic or otherwise) such as collection, recording, adapting, altering, consulting, using, disseminating, transmitting, making available, storing, erasing or destroying the data.
5.4 Data Controller / Processor
A data controller is the organisation that alone or jointly with others determines the purposes, conditions and means of processing your personal data. A processor is a party that processes data on behalf of the controller.
Unless otherwise advised, Cunningham Lindsey will be a processor of your data. However, this may vary depending on our relationship with you and the contractual arrangements of the insurers we are working for. Please also note we sometimes act in the name of the insurer if required, regardless of whether we are a processor or controller.
5.5 Legal Basis for Processing
Depending on your relationship with our organisation the legal basis for us processing your personal data is one of the following:
- You have given consent to us or the party for whom we are acting
- The processing is necessary for the performance of a contract or legal duty
- Processing is necessary for a legitimate interest pursued by us or a third party. Where processing is based on legitimate interest only, it will be in relation to one of the following:
- Claim handling on behalf of another party
- Establishing, exercise or defence of legal claims
- Prevention, detection of crime
Where we use legitimate interest as our grounds for processing your data you have the right to object at any time.
5.7 Requirement for you to Provide Data
Generally, a contract of insurance will require your co-operation in providing information about your claim including any personal data. The precise wording will depend on your particular policy or contract.
If you are a third party claimant, there is no requirement on you to provide us with your personal data. However, failure to do so is likely to prejudice your right to claim either under a policy, under contract or in law.
If you do not provide us with your personal data we will not be able to provide you with our services.
5.8 Purpose of Processing
The intended purpose of processing your personal data is to determine the extent of any liability for a claim and where appropriate, arrange repairs, replacement or payment. The processing is generally needed to validate:
- Details of those involved with the claim
- Details that have been given to us, insurers or other parties
- The circumstances, cause and value of the claim
- Any matters that may be relevant to insurers acceptance of the claim
The manner in which we process data is generally governed by the contract under which we are appointed. We will not process your data for other purposes without obtaining your prior permission unless permitted or required by law.
5.9 Background Checks
The nature of our work is such that we may need to make background enquiries regarding individuals connected with a claim to validate information we are given, satisfy contractual obligations, comply with regulatory or legal requirement, to combat fraud, financial crime and money laundering. As part of the validation process we may check with other parties including credit reference agencies, data providers and other parties who may assist in validating the claim.
5.10 Sources of Personal Data
At the outset of a claim, we usually receive basic information about you/your claim direct from you, from insurers or the party we are representing. Depending on the type and nature of the claim, we might then have to gather additional information from other sources such as:
5.11 Types of Personal Data
The data we gather about you and others involved with the claim largely depends on the type and nature of the claim but may include: Name, address, age, occupation, employer, lifestyle, internet profile, social media, credit status, electoral data, CCJs, criminal record, security measures, health and financial information. We may also gather data relating to the circumstances, cause and value of the claim and any information that may be relevant to insurer’s acceptance of the claim or continuing cover if you are insured with them.
5.12 Recipients of your personal data
When acting for insurers or another party, we will only pass your personal data to them or their agents. However, we might also need to share personal data or at least some of it, with other parties involved with the servicing or validation of your claim as described in “Sources of Personal Data” above.
We are also obliged to combat financial crime and money laundering, which may necessitate us sharing your personal data with the Police or anti-fraud agencies, organisations, schemes and registers. We might also disclose certain data where this is needed to assist other parties involved with specific fraud/criminal investigations, tribunals, regulatory enforcement and litigation. We will also co-operate in such matters internationally where agreements are in place with the other countries in question.
5.13 Automated Profiling & Decision Making
As part of the services we provide, we may need to analyse or process your personal data automatically to indicate the best way of handling the claim. However, any such profiling or decision making that produces legal effects concerning you or similarly affects you, will not be relied on exclusively without human intervention or taking other factors into consideration.
5.14 Your Right to Rectification
You have the right at any time to correct any inaccurate personal data we hold about you. We also want our records to be as accurate as possible so please advise us of any errors. However, please note that a difference of opinion or view is not necessarily inaccurate data and changes might not be possible. However, should you wish to express your own views, please provide details or a statement and we will add them to our records. Where this is required, please communicate the corrections or supplements to those dealing with your claim.
5.15 Erasure and your “Right to be Forgotten”
You have the right to have your data deleted when it is no longer needed which is known as the “Right to be forgotten.” However, we have an obligation to keep records for audit, regulatory and legal purposes and to combat financial crime.
To meet these obligations, we keep claim records for 15 years or any lesser period specified by those we are acting for. Consequently, we cannot simply delete records when requested or when a claim has been finalised. However, in certain circumstances we may be able to “Restrict Processing”. We might also be able to delete specific data or a document, for example where it has been sent to us in error and this will be done without undue delay.
In the first instance, please speak to those handling your claim to see if they can assist.
5.16 Your Right to Withdraw Consent
You have a right to withdraw consent and object to processing your personal data in certain circumstances. However, to deal with your claim, we will require you to co-operate with our enquiries and withdrawal of consent may prevent your claim from being considered further. Should you wish to exercise your right, please put this in writing (email is also acceptable) to those handling your claim.
Please also note that if you object or withdraw consent, we might still need to process your data to resolve ongoing commitments and satisfy obligations detailed under “Erasure and your Right to be Forgotten.”
5.17 Your Right to Object to Processing
The law gives an individual the right to object according to their particular situation, where we are processing their data:
- For purposes of direct marketing. (We do not ordinarily do this so these grounds for objection do not generally apply)
- Solely on the basis of legitimate interests pursued by us or a third party or a task in the public interest (Please note that the right to object does not apply if we are processing your data for the performance of a contract e.g. an insurance policy. Consequently in most cases there will be no legal right to object)
- For scientific or historical research and statistics. (We do not ordinarily do this so these grounds for objection do not generally apply)
Any objection on the above grounds should be communicated to those handling your claim for referral to our data protection department.
5.18 Right to Restrict Processing
When requested we will restrict processing where:
- You contest the accuracy of the personal data that we are processing. However, please note that:
- a difference of opinion or view is not necessarily inaccurate data.
- the restriction will only apply to the personal data in dispute rather than all the information we hold regarding the claim. When a restriction is put in place, we will not process the data in question other than to resolve its accuracy during which time the restriction will be noted on our system.
- Processing is unlawful and to prevent erasure you demand a restriction on processing instead. If the processing is unlawful we will place a restriction on the record and if requested preserve the data.
- We are due to delete your personal data but you request that we preserve it for the establishment, exercise or defence of legal claims.
- You object to us processing your data where our only grounds for doing so are either a task in the public interest or a legitimate interest pursued by us or a third party. We will then restrict processing pending verification as to whether or not we have overriding grounds for processing.
In each case we will inform you before any restriction is lifted. However, please note the following:
- Even with a restriction in place, we are still allowed to store data and process it for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
- A restriction only applies to personal data or part of it and we are allowed to continue processing other data regarding your claim. For example we still have to conclude or stop tasks already instigated such as correspondence with other parties and payments to suppliers which you may then have to complete.
- We will not be responsible for any delay caused by unnecessary restrictions imposed by you
5.19 Your Right to Access Data
Under the GDPR, you have a right to receive your personal data by making what is known as a “Subject access request” or SAR. In most cases, the information you want should be available without the need for making a formal SAR by asking those handling your claim and you should approach them in the first instance. This will avoid possible delay of a formal SAR where the GDPR allows us a month to respond which may be extended by a further two months in complex cases.
Please also note that when responding to a SAR we are not obliged to provide data likely to prejudice your insurer’s position, is legally privileged or relates to a third party who has not given permission for it to be released. In certain circumstances, we might also be bound by confidentiality not to disclose information. Therefore, certain data might be withheld depending on the situation and nature of your claim.
Should you wish to pursue a formal SAR, please inform those handling your claim which will speed up your identification. Alternatively, the request can be directed to the relevant Data Protection Department at Cunningham Lindsey as above. In certain circumstances, your request may have to be redirected to an organisation we are acting for (where they are the data controller), in which case we will advise you their contact details.
If you submit a SAR, we will advise you of the next steps as soon as possible, and in no more than one month.
5.20 Telephone Call Recording
Please be aware that our organisation may record telephone calls for training and security purposes. However, we do not record telephone calls at all our offices and there may be no recording where our staff work remotely or use mobile phones.
Call recordings will be retained for limited periods depending on the service being provided, any particular contractual requirements with those we are working for and the technical facilities in place.
5.21 Right to Data Portability
You have the right to receive the personal data that you have provided to us in a machine-readable format or when requested, we can also send it to another data controller where this is technically feasible. However, please note:
- portability only applies to the data you have provided to us rather than your complete claim file.
- portability only applies to data capable of being converted into machine readable format which will may exclude images, scanned document, photographs etc. that you have provided
- portability is only available where:
- processing is based on consent or for the performance of a contract and
- the processing is carried out by automatic means
However, should you want to exercise your right under this option, please advise those handling your claim.
5.22 Transferring Data Outside European Union
We are a global business and may need to transfer, store or process your data on systems or in parts of our organisation outside the European Union. However, we will ensure that any such activity is subject to equivalent levels of security and data protection measures necessary to comply with the law applicable within the European Union.
5.23 Right to Complain
Should you consider that our organisation has not complied with relevant data protection law, you have a right to take legal action or complain to our Lead Supervisory Authority. Our organisation’s Lead Supervisory Authority is the Information Commissioners Office, based in the United Kingdom, details below:
Their website is: https://ico.org.uk
or you can call their helpline on 0303 123 1113
or write to them at:
Information Commissioner’s Office
5.24 Time frame for responding to requests
We will seek to respond to any request we receive in relation to your rights within one month. However, if this is not possible, we will advise you within one month that the time frame will be extended by up to a further two months and give an explanation why the extension is required.
Our response to and any actions necessary for us to comply with a request by you in respect of any of your rights will be handled free of any charge to you. The only exception to this will be if the request is excessive or repetitive. If we do intend making a charge we will inform you of this before proceeding with any actions that might incur that charge