1. OUR APPROACH

1.1 This Privacy Policy (the “Policy”) sets out how we CFC Underwriting Limited (registered company number 03302887) headquartered at Second Floor, 85 Gracechurch Street, London EC3V 0AA and any of our subsidiaries or holding companies (together referred to as “CFC Underwriting”, “our” or “we”) process the personal data of our customers, brokers and website visitors in the European Union (“Users”).

1.2 If you have any questions about this Policy, please contact our data protection officer (“DPO”) by clicking here.


2. WHAT INFORMATION DO WE COLLECT

Personal Data

2.1 We will collect personal data when you obtain a quote for one of our products of services, or in the course of providing you with one of our products of services. We will also collect personal data when you register with us or provide your information through our website. The types of information we collect may include:

2.1.1 Information you provide us in your insurance application, including names, addresses, date of birth or other information provided by you in your application for insurance;

2.1.2 Information you provide us to help us carry out our obligations under any insurance contract in place between us and you;

2.1.3 Information you provide us relating to an insurance claim you make; and

2.1.4 Information you provide us through one of our mobile apps or customer portals.

2.2 We will use your personal data, and may share your personal data with other third parties acting on our behalf, for one or more of the following purposes:

2.2.1 To analyse your insurance needs;

2.2.2 To give you an estimate or provide you with a quote for one of our policies;

2.2.3 To administer or carry out our obligations under any insurance contract in place between us and you;

2.2.4 To assess and adjust any insurance claim you make;

2.2.5 To assess and respond to a complaint you might make relating to our products or services; and

2.2.6 To ensure the security of your account and our business, preventing or detecting fraud or abuses of our website, for example, by requesting verification information in order to reset your account password.

2.3 In certain circumstances, we may need to collect sensitive personal data about you, which may include information about:

2.3.1 Your physical or mental health condition, or the physical or mental health condition of members of your family, or the physical or mental health condition of one of your employees; and

2.3.2 Any criminal offence or alleged criminal offence committed by you, or members of your family, or one of your employees.

2.4 We will only use such sensitive personal data to:

2.4.1 To administer or carry out our obligations under any insurance contract in place between us and you;

2.4.2 To assess and adjust any insurance claim you make; and

2.4.3 To assess and respond to a complaint you might make relating to our products or services.

2.5 We may also collect non-personal data (i.e. information that has been sufficiently anonymised and aggregated such that you cannot be identified directly or indirectly from it). Further information about our use of non-personal data is included in paragraph 9 (below).


3. INFORMATION FOR MARKETING PURPOSES

3.1 Where you have consented to us using your personal data for marketing purposes, we may use your information as follows:

3.1.1 To provide you with information, products or services that you request from us or which we feel may interest you; and

3.1.2 For market research purposes, where we may contact you to ask for your feedback.

3.2 If at any time after you have consented to us using your information for marketing purposes you wish us to stop using your information for these purposes, please email us at optout@cfcunderwriting.com.


4. GROUNDS FOR PROCESSING

4.1 To process your data lawfully we need to rely on one or more valid legal grounds. Our primary legal ground is that we need the data to fulfil our contract with you or to take certain steps prior to entering our contract with you. However, there may be circumstances where we also rely on other valid legal grounds, such as:

4.1.1 your consent to particular processing activities. For example, where you have consented to us using your information for marketing purposes;

4.1.2 our legitimate interests as a business (except where your interests or fundamental rights override these). For example, it is within our legitimate interests to use your data to prevent or detect fraud or abuses of our website; or

4.1.3 our compliance with a legal obligation to which CFC Underwriting is subject. For example, we have a regulatory duty to investigate and respond to complaints made against us and may need to process your data as part of such investigation.


5. DISCLOSURE OF YOUR INFORMATION

5.1 There are circumstances where we may wish to disclose or are compelled to disclose your personal data to third parties. This will only take place in accordance with the applicable law and for the purposes listed above. These scenarios include disclosure:

5.1.1 to our subsidiaries, branches or associated offices;

5.1.2 to our outsourced service providers or suppliers to facilitate the provision of our services or products to our Users, for example, the disclosure to our data centre provider for the safe keeping of your personal data, webhosting provider through which your personal data may be collected, identity verification partners in order to verify your identity against public databases;

5.1.3 to third party service providers and consultants in order to protect the security or integrity of our business, including our databases and systems and for business continuity reasons;

5.1.4 to our carriers and/or our reinsurers, to facilitate the provision of our services or products to you;

5.1.5 to another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, financing, sale, merger, reorganisation, change of legal form, dissolution or similar event. In the case of a merger or sale, your personal data will be permanently transferred to a successor company;

5.1.6 to legal advisors who may need to manage or litigate an insurance claim;

5.1.7 to public authorities where we are required by law to do so; and

5.1.8 to any other third party where you have provided your consent.


6. INTERNATIONAL TRANSFER OF PERSONAL DATA

6.1 We may transfer your personal data to a third party in countries outside the UK for further processing in accordance with the purposes set out in this policy. In particular, your personal data may be transferred throughout the CFC Underwriting group and to our outsourced service providers located abroad. In these circumstances we will, as required by applicable law, ensure that your privacy rights are adequately protected by appropriate technical, organisation, contractual or other lawful means. Please contact the data protection officer for a copy of the safeguards which we have put in place to protect your personal data and privacy rights in these circumstances.


7. RETENTION OF PERSONAL DATA

7.1 If you are, or have previously been, a customer of ours then we may continue to hold and process your information for the purpose of continuing to carry out our obligations in connection with the insurance contract between us and you. We will continue to hold and process your information for the duration of the insurance contract and for a reasonable period of time afterwards as required by law.

7.2 We may keep an anonymised form of your personal data, which will no longer refer to you, for statistical purposes without time limits, to the extent that we have a legitimate and lawful interest in doing so.


8. DATA SUBJECT RIGHTS

8.1 Data protection law provides individuals with numerous rights, including the right to: access, rectify, erase, restrict, transport, and object to the processing of, their personal data. Individuals also have the right to lodge a complaint with the relevant data protection authority if they believe that their personal data is not being processed in accordance with applicable data protection law.

8.1.1 Right to make subject access request (SAR). Where we are processing your personal data as a data controller you may, where permitted by applicable law, request copies of your personal data. If you would like to make a SAR, i.e. a request for copies of the personal data we hold about you, you may do so by writing to the data protection officer whose contact details are above. The request should make clear that a SAR is being made. You may also be required to submit a proof of your identity and a fee.

8.1.2 Right to rectification. You may request that we rectify any inaccurate and/or complete any incomplete personal data.

8.1.3 Right to withdraw consent. You may, as permitted by applicable law, withdraw your consent to the processing of your personal data at any time. Such withdrawal will not affect the lawfulness of processing based on your previous consent. Please note that if you withdraw your consent, you may not be able to benefit certain service features for which the processing of your personal data is essential.

8.1.4 Right to object to processing. You may, as permitted by applicable law, request that we stop processing your personal data.

8.1.5 Right to erasure. You may request that we erase your personal data and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping your personal data, such as a legal obligation that we have to comply with, or if retention is necessary for us to comply with our legal obligations.

8.1.6 Your right to lodge a complaint with the supervisory authority. We suggest that you contact us about any questions or if you have a complaint in relation to how we process your personal data. However, you do have the right to contact the relevant supervisory authority directly. To contact the Information Commissioner’s Office in the United Kingdom, please visit the ICO website for instructions.


9. NON-PERSONAL DATA

9.1 We collect and use the following types of non-personal information:

9.1.1 Internet Protocol (IP) addresses. When you visit our site, we log your IP address (the unique address which identifies your computer on the internet). We use IP addresses to collect broad geographic information on our site visitor, and to optimise our website. We do not link IP addresses to personally identifiable information.

9.1.2 Cookies. Cookies are small text files that are placed on your computer by the websites you visit. They are widely used in order to make websites works, or work more efficiently, as well as to provide information to the owners of the site. You may delete and block all cookies from this website, but if you choose to do so parts of this site may not work.

9.1.3 Session Cookies. Sections of this website use ‘session cookies’ which help us to improve our website, assist with the navigation through certain parts of the website and deliver a better and more personalised service. Session cookie specifically enable us to keep track of your movement from page to page within the website so you don’t get asked for the same information each time you navigate to a new page. They also allow us to recognise you so that any page changes.

9.1.4 Google analytics. These cookies are used to collect information about how visitors use our website. We use the information to compile reports and to help us improve our website. The cookies collect information in an anonymous form, including the number of visitors, where visitors have come to our website from and which pages they visit. For more information on Google’s Privacy Policy click here.

9.1.5 Online surveys. From time to time we may invite our website visitor or our customers to participate in an online survey about our online services or our products and related services. Your participation is optional, and any information we collect is only used to improve the products and services we offer to our website users or customers. These online surveys are provided by Survey Monkey.


10. LINKED WEBSITES

Please note that any websites that may be linked to our websites are subject to their own privacy policy.