Privacy & Data Protection Policy (groupwide)

At Howden Broking Group Limited ("Howden") ("we", "us", "our"), we regularly collect and use information which may identify individuals ("personal data"), including insured persons or claimants ("you", "your"). We understand our responsibilities to handle your personal data with care, to keep it secure and to comply with applicable data protection laws.

The purpose of this privacy policy is to provide a clear explanation of when, why and how we collect and use personal data ("Policy"). We have designed it to be as user-friendly as possible, and have labelled sections to make it easy for you to navigate to the information that may be most relevant to you and to allow you to click on a topic to find out more.

Do read this Policy with care. It provides important information about how we use personal data and explains your legal rights. This Policy is not intended to override the terms of any terms of business agreement or other contracts which you have with us or any rights you might have available under applicable data protection laws.

We may amend this Policy from time to time, for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will notify you about material changes by prominently posting a notice on our website. We encourage you to periodically check back and review this policy so that you will always know what information we collect, how we use it, and with whom we share it.

Contents

WHO is responsible for looking after your personal data?
WHAT personal data do we collect?
LEGAL BASIS to process personal data
WHEN do we collect your personal data?
What PURPOSES do we USE your personal data for?
Who do we SHARE your personal data with?
Direct Marketing
International Transfers
Automated Decision Making and Profiling
How long do we keep your personal data?
What are your rights?
Contact and complaints

1. WHO is responsible for looking after your personal data?

Howden is a subsidiary of Hyperion Insurance Group Limited (“HIG”), and we are a Lloyd’s insurance broker authorised and regulated by FCA with firm reference number 309639. Our registered office is One Creechurch Place, London EC3A 5AF. Principally the HIG Group’s retail insurance broking business is carried out by Howden. Howden uses several trading/brand names and has Appointed Representatives, a list of which can be found at https://register.fca.org.uk.

Howden is the company which was originally responsible for collecting information about you, and will be the Data Controller. You should be aware that although Howden(as applicable) may be principally responsible for looking after your personal data, information may be held in databases which can be accessed by other HIG Group companies.

2. WHAT personal data do we collect?

Insured Persons. In order to arrange, place and administer insurance policies, we collect information about the policyholder and related parties. The policyholder may be an individual, company or their representative. The level and type of personal data we collect varies depending on the type of policy that you have. In general, this is likely to include background and contact information on the policyholder or their representative, and matters relevant to the management of the insurance policy and assessment of risk. In some instances, it is necessary for us to collect and use Special Categories of Data, such as information about a past criminal conviction or health details potentially including information about children’s health. For more information on what information we collect, see Appendix 1 at the bottom of this page

Claimants. If a policyholder seeks to rely on the insurance cover, we will collect information about the individual making a claim under a policy, or if an individual asks us to negotiate with insurers on behalf of an individual. This will include the collection of basic contact details, together with information about the nature of your claim and any previous claims. If the claimant is an Insured Person, we will also need to check details of the policy you are insured under and your claims history, and depending on the nature of your claim, it may be necessary for us to collect and use Special Categories of Data, such as details of a personal injury you may have suffered during an accident or potentially information about children’s health. For more information on what information we collect, see Appendix 1 at the bottom of this page

3. LEGAL BASIS to process personal data

We are required to establish a legal exemption to use your personal data - see Section 5 and Appendix 2 for further details. From time to time, you may need to provide us with the personal data of third parties, for example, if you suspect that someone has unlawfully taken possession of fine arts, or in relation to a sports injury of a third party relevant to a claim under a policy. You should take steps to inform the third party that you need to disclose their details to us, identifying Howden as your insurance intermediary.

4. WHEN do we collect your personal data?

Insured Persons

We will collect information from you directly when you request a quote for a policy. Alternatively, insurance brokers and other intermediaries may provide information to us about you
To the extent permitted by law, we may also monitor and record telephone calls for training and quality assurance purposes when you call us directly including in connection with a claim.
Information about you may also be provided to us by an insurance broker, your employer, family member or any other third person who may be applying for a policy which names you.
We may collect information about you from other sources where we believe this is necessary to manage the risk associated with a policy or to help fight financial crime or for the purposes of trade credit checks. These other sources may include public registers and databases managed by credit reference agencies.

Claimant

We will collect information from you when you notify us of a claim. You might make a claim to us directly, through your representative or through a broker who manages claims on our behalf.
To the extent permitted by law, we may also monitor and record telephone calls for training and quality assurance purposes when you call us directly including in connection with a claim.
We may also collect information about you if the claim is made by another person who has a close relationship with you or is otherwise linked to the claim - for example if the policyholder is your employer or if the representative of a third party claimant contacts us in connection with a claim.
We may also be provided with information by your solicitors, family members, legal advisors and medical and other professional advisors.
We may collect information from other sources where we believe this is necessary to assist in validating claims and/or fighting financial crime. This may include consulting public registers, social media and other online sources, credit reference agencies and other reputable organisations.

5. What PURPOSES do we USE your personal data for?

Insured Persons. If you are an Insured Person we will use your personal data to consider an application for an insurance policy and make an application on your behalf, assess and evaluate risk, and provide you with a policy. Once we have provided you with your policy we will use your personal data to administer your policy, deal with your queries, manage the renewal process. We may also send you marketing materials and share your personal data with other HIG Group companies in order to identify any other services which the HIG Group offers which may be of interest to you (where we have appropriate permissions). We will also need to use your personal data for purposes associated with our legal and regulatory obligations as an insurance intermediary.

Claimants. If you are a Claimant we will use your personal data to assess the merits of, and validate, your claim, communicate and negotiate with insurers in respect of your claim and potentially to pay out a settlement. We may also need to use your personal data to evaluate the risk of potential fraud, a process which uses automated processes. If you are also an Insured Person, we will use personal data related to your claim to inform the renewal process and potentially any future policy applications.

We will make sure that we only use your personal data for the purposes set out in this Section 5 and in Appendix 2 where we are satisfied that:

our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (e.g. to manage your insurance policy), or
our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we are subject to (e.g. to comply with FCA requirements), or
you have opted into us using the data in that way (e.g. to send you marketing materials), or
our use of your personal data is necessary to support 'legitimate interests' that we have as a business (for example, to improve our products, or to carry out analytics across our datasets), provided it is conducted at all times in a way that is proportionate, and that respects your privacy rights. Such analytics may be carried out by Service Providers. Please see Appendix 2 to find out more about our legitimate interests.

Before collecting and/or using any Special Categories of Data we will establish an additional lawful exemption to the grounds set out above which will allow us to use that information. This additional exemption will typically be:

your explicit consent;
the establishment, exercise or defence by us or third parties of legal claims; or
an insurance specific exemption provided under local laws of EU Member States and other countries implementing the General Data Protection Requirements (“GDPR”), such as substantial public interest where it is necessary for insurance purposes.

PLEASE NOTE: If we have previously advised that we are relying on consent as the basis of our processing activities, going forward we will not be relying on that legal basis save where otherwise explicitly stated.

PLEASE NOTE. If you provide your explicit consent to permit us to process your Special Categories of Data, you may withdraw your consent to such processing at any time. However, you should be aware that if you choose to do so we may be unable to continue to provide insurance services to you (and it may not be possible for the insurance cover to continue). This may mean that your policy needs to be cancelled. If you choose to withdraw your consent we will tell you more about the possible consequences, including that we may no longer be able to act as your broker of record or place your policy and that you may have difficulties finding other cover. Further, we may not be able to further or process your claim.

See Appendix 2 to find out more about the information we collect and use about you and why.

6. Who do we SHARE your personal data with?

As flagged above, we may share data with other HIG Group companies (including those who are in run-off but who may still carry out certain regulated activities) and our Appointed Representatives.

We may also share the data with third parties that we work with, to help manage our business and improve how we deliver services. These third parties may, from time to time, need to have access to your personal data.

For Insured Persons these third parties may include:

Other Insurers, intermediaries including but not limited to other insurance brokers and managing general agencies, Risk Management Assessors, Uninsured Loss Recovery Agencies and Third Party Administrators who work with us to help manage the process and administer our policies,
Service Providers, who help manage our IT and back-office systems,
our regulators, which may include the FCA and ICO, as well as other regulators and law enforcement agencies in the E.U. and around the world,
credit reference agencies, Premium Finance Providers, and organisations working to prevent fraud in financial services, and
solicitors and other professional services firms (including our auditors).

For Claimants this may include:

Third-Party Administrators who work with us to help manage the claims process,
Loss Adjusters and Claims Experts [Link to glossary] who help us assess and manage claims,
Service Providers, who help manage our IT and back-office systems,
credit reference agencies and organisations working to prevent fraud in financial services, and
solicitors, who may be legal representatives for you, us or a third party claimant.

We may be under legal or regulatory obligations to share your personal data with courts, regulators, law enforcement or in certain cases other insurers. Also, if we were to sell part of our businesses we would need to transfer your personal data to the purchaser of such businesses.

7. Direct Marketing

We may use your personal data to send you direct marketing communications about our insurance products or our related services. This may be in the form of email, post, SMS, telephone or targeted online advertisements. We limit direct marketing to a reasonable and proportionate level, and to send you communications which we believe may be of interest or relevance to you, based on the information we have about you.

For the purposes of GDPR, our processing of your personal data for direct marketing purposes is based on our legitimate interests as further detailed in Appendix 2, but where opt-in consent is required by Privacy and Electronic Communications Regulations (“PECR”) we may seek your consent where this required. You have a right to prevent direct marketing of any form at any time - this can be exercised by following the opt-out links in electronic communications, or by contacting us using the details in Section 12.

8. InternationalTransfers

Our Service Providers or Assistance Providers and HIG Group Companies, who have access to your personal data may be located outside the EEA. We may also make other disclosures of your personal data overseas, for example, if we receive a legal or regulatory request from a foreign law enforcement body. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests:

we will only transfer your personal data to countries which are recognised as providing an adequate level of legal protection; and
transfers to Service Providers and other third parties will always be protected by contractual commitments and where appropriate further assurances, such as certification schemes - for example, the EU - U.S. Privacy Shield for the protection of personal data transferred to the US.

You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 12 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).

9. Automated Decision Making

If you are an Insured Person, we may use Automated Decision Making to carry out a credit check on you.

Please note. You have certain rights in respect of Automated Decision Making, where that decision has significant effects on you, including where it produces a legal effect on you. See Section 11 for more information about your rights.

10. How long do we keep your personal data?

We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 5 of this Policy. In some circumstances, we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.

In specific circumstances, we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.

We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.

11. What are your rights?

You have a number of rights in relation to your personal data.

You may request access to your data, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability and various information in relation to any Automated Decision Making or the basis for international transfers. You may also exercise a right to complain to your Supervisory Authority. These are set out in more detail as follows:

RIGHT	WHAT THIS MEANS
*Access*	You can ask us to: confirm whether we are processing your personal data; give you a copy of that data; provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out any Automated Decision Making or Profiling, to the extent that information has not already been provided to you in this Policy.
*Rectification*	You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
*Erasure*	You can ask us to erase your personal data, but only where: it is no longer needed for the purposes for which it was collected; or you have withdrawn your consent (where the data processing was based on consent); or following a successful right to object (see 'Objection' below); or it has been processed unlawfully; or to comply with a legal obligation to which Howden is subject. We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary: for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims; There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances where we would deny that request.
*Restriction*	You can ask us to restrict (i.e. keep but not use) your personal data, but only where: its accuracy is contested (see Rectification), to allow us to verify its accuracy; or the processing is unlawful, but you do not want it erased; or it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or you have exercised the right to object, and verification of overriding grounds is pending. We can continue to use your personal data following a request for restriction, where: we have your consent; or to establish, exercise or defend legal claims; or to protect the rights of another natural or legal person.
*Portability*	You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another Data Controller, but in each case only where: the processing is based on your consent or the performance of a contract with you; and the processing is carried out by automated means.
*Objection*	You can object to any processing of your personal data which has our 'legitimate interests' as its legal basis (see Appendix 2 for further details), if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
*Automated Decision Making* [Link to glossary]	You can ask not to be subject to a decision which is based solely on automated processing (see Section 9), but only where that decision: produces legal effects concerning you (such as the rejection of a claim); or otherwise significantly affects you. In such situations, you can obtain human intervention in the decision making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision. Your right to obtain human intervention or to contest a decision does not apply where the decision which is made following automated decision making: is necessary for entering into or performing a contract with you; is authorised by law and there are suitable safeguards for your rights and freedoms; or is based on your explicit consent.
*International Transfers*	You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of the European Economic Area. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.
*Supervisory Authority*	You have a right to lodge a complaint with your local supervisory authority about our processing of your personal data. In the UK, the supervisory authority for data protection is the ICO. We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.

Howden does not use Profiling.

To exercise your rights you may contact us as set out in Section 12. Please note the following if you do wish to exercise these rights:

We take the confidentiality of all records containing personal data seriously and reserve the right to ask you for proof of your identity if you make a request.
We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.
We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
Local laws, including in the UK, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.
Third-Party Rights. We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects.

12. Contact and complaints

The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following ways:

Howden:

DPO@howdengroup.com

Owen Davies

Howden Broking Group Limited

One Creechurch Place

London

EC3A 5AF

If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time.

APPENDIX 1 CATEGORIES OF PERSONAL DATA

INFORMATION TYPE	DETAILS OF INFORMATION THAT WE TYPICALLY CAPTURE
Insured Person
Contact Details	Name, address, telephone number, email address.
Policy Information	Policy number, relationship to the policyholder, details of policy including insured amount, exceptions etc., previous claims, voice recordings
Personal Risk Information	Gender, date of birth, claims history Special Categories of Data Health Data - e.g. physical and mental conditions, medical history and procedures, relevant personal habits (e.g. smoking) Criminal Data - e.g. driving offences, unspent convictions Data relating to children
Financial Information	Bank account details (where you are the payer of the policy premium)
Marketing	Name, email address, interests / marketing list assignments, record of permissions or marketing objections, website data (including online account details, IP address), company name, company address, phone number and job title
Claimant
Policy Information (excluding third-party claimants)	Policy number, relationship to the policyholder/Insured Person, details of policy including insured amount, exceptions etc., previous claims, voice recordings
Claim Details	Details of incident giving rise to claim, including Health Data - e.g. details of injury, medical report Criminal Data - e.g. driving offences, police reports Data relating to minors
Financial Information	Bank account details used for payment
Anti-fraud Data	Address, history of fraudulent claims, details of incident giving rise to claim Criminal Data - e.g. unspent convictions

APPENDIX 2 - LEGAL BASIS FOR PROCESSING

Activity	Type of information collected	The basis on which we use the information
Insured Person
Set up a record on our systems	Contact Details, Personal Risk Information, Policy Information	Performance of a contract Legitimate interests (to ensure we have an accurate record of all Insured Persons for whom we act as broker)
Carry out background, sanction, fraud and credit checks	Contact Details, Personal Risk Information, Criminal Data	Conditional consent Legitimate interests (to ensure that Insured Persons [Link to glossary] are within our acceptable risk profile and to assist with the prevention of fraud) Legal obligation Local law exemptions / substantial public interest exemption
Assess risk and provide information in order to place policy	Personal Risk Information, Health Data, Criminal Data	Take steps to enter into a contract Legitimate interests (to determine the likely risk profile and advise client on appropriate level, cost and type of cover to apply for]) Explicit consent Local law exemptions / substantial public interest exemption
Manage renewals	Contact Details, Policy Information, Personal Risk Information	Performance of a contract Legitimate Interests (to assist with placement of a renewal
Provide client care and support	Contact Details, Policy Information	Performance of a contract Conditional consent
Receive premiums and payments	Contact Details, Financial Information	Performance of a contract
Marketing	Contact Details, Marketing	Legitimate interests (to provide information about insurance products or services which may be of interest) Consent
Comply with legal and regulatory obligations	Contact Details, Policy Information, Personal Risk Information	Legal obligation
Claimant
Receive notification of claim	Policy Information, Claim Details	Performance of a contract Legitimate interests (third party claimants) (to maintain an accurate record of all claims received and the identity of claimants)
Assess claim	Claim Details, Health Data, Criminal Data, data relating to children	Performance of a contract Legitimate interests (to assess the circumstances of a claim) Explicit consent Local law exemptions / substantial public interest exemption Establish, exercise or defend legal claims
Monitor and detect fraud	Claim Details, Anti-fraud Data	Performance of a contract Legitimate interests (to monitor, assess and prevent fraud) Explicit consent Local law exemptions / substantial public interest exemption Establish, exercise or defend legal claims
Settle claim	Financial Information	Performance of a contract Legitimate interests (third party claimants) (to settle claims to successful third party claimants)
Comply with legal and regulatory obligations	Claim Details, Anti-fraud Data, Financial Information	Legal obligation