Third Party Privacy Notice
Who we are: esure Services Limited (trading as esure) of The Observatory, Reigate, RH2 0SG is the ‘data controller’ under the General Data Protection Regulation (GDPR). This Privacy Notice will help you understand how we collect, use and protect your personal information in the event you are involved in, or are a witness to a claim, with one of our customers. For any queries, please contact the Data Protection Officer (DPO) at the address above or via email: [email protected].
What information we collect about you: The personal information we collect about you includes:
• information you provide when you are involved in or are a witness to an accident with our customer, such as your name and address. It may also include health details and medical history if we are handling your claim;
• information you provide to allow us to progress with the claim;
• identifiers assigned to your computer or other devices, including your Internet Protocol (IP) address.
How we collect information about you: The personal information we hold about you is collected directly from you or from a third party involved in a claim with one of our customers. We also supplement and combine it with data obtained from other sources, such as:
• claims history data, such as bankruptcy records and any county court judgments (which are publicly accessible) and information as to the number of credit searches that have been made about you and your individual claims history (which we may receive from companies such as Experian Limited)
• device identification and fraud detection data, which we may receive from companies having passed them your device details (in order to check whether the device you are using to contact us has been used before for fraudulent purposes) or your new claims data (in order to assess the risk to our business of fraudulent claims)
• electoral register data that confirms your identity and address (which is publicly accessible)
• vehicle data and ownership detail (which we receive from HPI Ltd and the DVLA).
What we use your information for and the legal bases for processing: We may store and use your personal information for the purposes of:
• carrying out anti-fraud and anti-money laundering checks and verifying your identity (as is necessary for compliance with our legal obligations and/or as is necessary for our legitimate interests);
• handling insurance claims, including by carrying out checks on claims related databases (as is necessary for the performance of a contract between you and us and/or as is necessary for our legitimate interests);
• communicating with you about the claim, including responding to your enquiries (as is necessary for the performance of a contract between you and us and/or as is necessary for our legitimate interests);
• fulfilling our obligations owed to a relevant regulator, tax authority or revenue service (as is necessary for compliance with our legal obligations and/or as is necessary for our legitimate interests).
Our "legitimate interests" include our legitimate business purposes and commercial interests in operating our business in a customer-focused, efficient and sustainable manner, in accordance with all applicable legal and regulatory requirements.
Using your data for fraud prevention: We use your personal data to conduct checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you. We may also share your details with fraud prevention and law enforcement agencies. We, and fraud prevention agencies, will use this information to prevent fraud and money laundering, and to verify your identity. We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime. When we and fraud prevention agencies process your personal data, we do so on the basis that we have a legitimate interest to process your data in such a way, in order to protect our business and to comply with laws that apply to us. Such processing is a contractual requirement of the services we provide to you.
Automated decisions and profiling: We use the personal data you provide to us, information about you provided by third parties, and aggregated data of other individuals who match your risk profile, to enable us to evaluate and predict your behaviour when processing a claim. We use algorithms to check any claims and fraud history, and whether your conduct suggests a risk of fraud. You may automatically be considered to pose a fraud or money laundering risk if our processing of your personal data reveals your behaviour to be consistent with that of known fraudsters or money launderers; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identity. This activity is essential to allow us to decide whether and how to offer you our services, and whether there is a risk of fraud. These decisions may be made by entirely automated means (that is, without human intervention) and through profiling. We consider that, to the extent our decisions based solely on automated processing produce legal or similarly significant effects for you, those decisions are necessary when providing our services to you. However, you have the right to contact us to express your point of view (including providing any additional information that you want us to consider) and to contest such decisions. A member of our team will then re-consider it. If you wish to exercise these rights, please contact our DPO at the details provided above.
Consequences of processing: If we, or a fraud prevention agency, determine that you pose a risk of fraud or money laundering, we may refuse to provide, or stop providing, you with our services, where applicable. A record of any fraud or money laundering risk will be retained by us and the fraud prevention agencies. It may also result in others refusing to provide products, services, financing or employment to you. If you have any questions about our processing of your data for fraud purposes, please contact our DPO at the details provided above.
Who we share your data with: We may share your information with the following categories of third parties:
• service providers who we instruct for the purposes of handling claims, including repairers, car hire companies, other insurers and medical agencies (as is necessary for the performance of a contract between you and us);
• data suppliers, as explained under “How we collect information about you” (as is necessary for our legitimate interests);
• service providers who support the operation of our business, such as IT suppliers and financial service providers and operators of claims related databases (as is necessary for the performance of a contract between you and us and/or as is necessary for our legitimate interests);
• fraud prevention agencies and associations (as is necessary for compliance with our legal obligations and/or as is necessary for our legitimate interests);
• regulators and law enforcement agencies, including the police, the Financial Conduct Authority, HM Revenue and Customs or any other relevant authority who may have jurisdiction (as is necessary for compliance with our legal obligations).
Other data controllers: As explained under “Using your data for fraud prevention”, the personal data you have provided, we have collected from you, or we have received from third parties, may be shared with fraud prevention agencies. Please contact our DPO if you would like details of the agencies we share your data with.
We may share your data with our panel of solicitors. As these often change, please contact our DPO at the details provided above for details of our current panel.
Where we process your information outside the European Economic Area (EEA): Your information may be transferred and processed outside of the EEA. In such case, we will ensure the country is approved by the European Commission (EC) as providing adequate levels of protection; or we have contractual protection, safeguarding the information, which is approved by the EC; or the transfer is permitted under applicable data protection legislation. To find out more about how your personal information is protected when it is transferred outside the EEA and if you wish to obtain a copy of the suitable safeguards, please contact our Data Protection Officer using the details above.
How long your information is kept: We may retain some of your personal information for a number of purposes, as necessary to allow us to carry out our business. Your information will be kept for up to 7 years on our main systems after which time it will be archived, deleted or anonymised. Some of the archived information may be retained for up to 50 years for the processing of your existing or future claims. Records created for fraud prevention purposes will be deleted 7 years after creation. Fraud prevention agencies can hold your personal data for different periods of time, depending on how that data is being used. If you are considered to pose a risk of fraud or of money laundering, your data can be held by fraud prevention agencies for up to 6 years from its receipt by them. Please contact them for more information. Any retention of personal data will be done in compliance with legal and regulatory obligations and with industry standards. These data retention periods are subject to change without further notice as a result of changes to associated law or regulations. If you have any questions in relation to the retention of your personal data, please contact our Data Protection Officer at the details provided above.
Your rights: You have the following rights:
• to obtain access to, and copies of, the personal information that we hold about you;
• to require that we cease processing your personal information if the processing is causing you damage or distress;
• to require us to erase your personal information;
• to require us to restrict our data processing activities;
• to receive from us the personal information we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal information to another data controller; and
• to require us to correct the personal information we hold about you if it is incorrect.
Please note that these rights may be limited by data protection legislation, and we may be entitled to refuse requests where exceptions apply. If you are not satisfied with how we are processing your personal information, you can make a complaint to the Information Commissioner. You can find out more about your rights under data protection legislation from the Information Commissioner's Office website: www.ico.org.uk.