Privacy & Data Protection policy
DUAL Group is part of Howden Group Holdings and we are a Managing General Agent.
DUAL International Limited is the overarching legal entity for the DUAL Group. In the UK, our main legal entity is DUAL Corporate Risks Limited, authorised and regulated by the FCA with firm reference number 312593.
DUAL is composed of a number of legal entities, uses several trading/brand names, including KGM Underwriting Services Ltd, and has a number of appointed representatives. The full details can be found here. KGM are authorised and regulated by the FCA with firm reference number 799643. Further details can also be checked on the FCA Financial Services Register by visiting https://register.fca.org.uk.
For the purpose of Data Protection, the Controller of your data is KGM Underwriting Services Ltd.
Clients of our KGM brand, snnug insurance, can find a separate privacy notice explaining how personal data is used for snnug insurance policies on the snnug website, available here.
We regularly collect and use information which may identify individuals ("personal data"), including insured persons or claimants ("you", "your"). We understand our responsibilities to handle your personal data with care, to keep it secure and to comply with applicable data protection laws.
We may amend this Policy from time to time, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will notify you about material changes by prominently posting a notice on our website. We encourage you to periodically check back and review this policy so that you remain aware of the information we collect, how we use it, and with whom we share it. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
This policy sets out:
1. What personal data we may collect
2. When we may collect your personal data
3. Legal basis to process personal data
4. The purposes we use your personal data for
5. Who we may share your personal data with
6. International Data Transfers
7. Automated Decision Making
8. Retention of your personal data
9. Your data rights
10. How to contact us
APPENDIX 1 - CATEGORIES OF PERSONAL DATA
APPENDIX 2 - LEGAL BASIS FOR PROCESSING
APPENDIX 3 - GLOSSARY
We may collect personal data directly from you, or from others, such as price comparison websites, insurance brokers or the policyholder where you are a beneficiary to a policy. The data we may collect includes, but is not limited to:
- Contact details: name, address, contact number, email address, date of birth;
- Identification details: identification numbers issued by government bodies or agencies including national insurance number, passport number, tax identification and driving licence number;
- Financial information: bank account or other financial information, such as information from credit reference agencies where applicable;
- Health data: medical/health information relevant to the product or service, or required in relation to a claim;
- Criminal data: relevant criminal conviction data including data from fraud prevention, law enforcement or government agencies.
In order to arrange, administer and underwrite insurance policies, we collect information about the policyholder and any related parties. The policyholder may be an individual, company or their representative. The level and type of personal data we collect varies depending on the type of policy. In general, this is likely to include background and contact information on the policyholder or their representative, and matters relevant to the management of the insurance policy and assessment of risk. In some instances, it is necessary for us to collect and use special categories of data, such as information about a past criminal conviction or health details potentially including information about children’s health.
Where a claim is initiated, we will collect information about the individual/s making a claim under a policy. This will include the collection of basic contact details, together with information about the nature of the claim and any claims history. It may also be necessary for us to collect and use special categories of data, such as health details in the event of a personal injury suffered during an accident or potentially information about children’s health.
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data fully and honestly, to the best of your knowledge, when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time.
For further details, please refer to Appendix 1 “Categories of personal data”.
2. When we may collect your personal data
- We will collect your personal data when you request an insurance quote from us, either directly or via a third-party price comparison website where they have permission to share your information with us.
- Information about you may also be provided to us by an insurance broker, your employer, family member or any other third person who may be applying for a policy which names you.
- To the extent permitted by law, we may also monitor and record telephone calls for training and quality assurance purposes when you call us directly in connection with a claim or complaint.
- We will collect information from you when you notify us of a claim or a complaint. You might make a claim or a complaint to us directly, through your representative or through a broker who manages claims or complaints on our behalf.
- We may collect information about you if a claim is made by another person who has a close relationship with you or is otherwise linked to the claim - for example if the policyholder is your employer or if the representative of a third party claimant contacts us in connection with a claim.
- We may also be provided with information by your solicitors, family members, legal advisors and medical and other professional advisors.
- We may collect information from other third-party sources where we have legal grounds to do so. These sources may include anti-fraud and crime prevention agencies, social media and other online sources, credit reference and vetting agencies, and other reputable data providers.
- We may collect information from you when you take part in a competition, prize draw or survey.
3. Legal basis to process personal data
We are required to establish a lawful basis to use your Personal Data - see Section 4 and Appendix 2 for further details. From time to time, you may need to provide us with the personal data of third parties, for example in relation to an injury of a third party relevant to a claim under a policy. Where possible, you should take steps to inform the third party that you need to disclose their details to us.
We will use your personal data to consider an application for an insurance policy, verify your identity and carry out fraud checks, assess and evaluate risk, including credit checks. Once we have provided you with your policy we will use your personal data to administer your policy, deal with your queries, manage the renewal process and deal with complaints. We may also send you marketing materials and share your personal data with other DUAL Group or the wider Howden Group companies in order to identify products and other services which may be of interest to you (where we have appropriate permissions). We will also need to use your personal data for purposes associated with our legal and regulatory obligations as an insurance intermediary.
We will also use your personal data to assess the merits of, validate and manage any claims, including settlements and dealing with complaints. We may also need to use your personal data to evaluate the risk of potential fraud, which involves automated processes. If you are also an Insured Person, we will use personal data related to your claim to inform the renewal process and potentially any future policy applications.
We will make sure that we only use your personal data for the purposes set out in this Section 4 and in Appendix 2 where we are satisfied that:
- our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (e.g. to manage your insurance policy), or
- our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we are subject to (e.g. to comply with FCA requirements), or
- you have consented to us using the data in that way (e.g. to send you marketing materials), or
- to ensure we can make reasonable adjustments where necessary to improve your experience, or
- our use of your personal data is necessary to support 'legitimate interests' that we have as a business (for example, to improve our products, or to carry out analytics across our datasets), provided it is conducted at all times in a way that is proportionate, and that respects your privacy rights. Please see Appendix 2 to find out more about our legitimate interests.
Before collecting and/or using any special categories of data we will establish an additional lawful exemption to the grounds set out above which will allow us to use that information. This additional exemption will typically be:
- your explicit consent;
- reasons of substantial interest (with a basis in law)
- the establishment, exercise or defence by us or third parties of legal claims; or
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We may share your personal data with the types of third parties noted below, where we have a valid reason to do so:
- Other companies within DUAL Group and/or the wider Howden Group;
- Brokers, business partners, insurers, intermediaries including but not limited to other insurance brokers and managing general agencies;
- Price comparison websites and other similar companies who offer ways to research and apply for financial products and services;
- Suppliers and agents involved in delivering products or services to you, such as risk management assessors, claims experts, loss adjusters, uninsured loss recovery agencies and third party administrators;
- Service Providers, who help manage our IT and back office systems;
- Our regulators, which may include the FCA and ICO, as well as other regulators and law enforcement agencies in the E.U. and around the world;
- Centralised insurance databases such as the Claims and Underwriting Exchange (CUE), the DVLA/DVA (NI), the Insurance Fraud Bureau (IFB) and the Motor Insurance Database (MID);
- Media agencies and other marketing organisations that we advertise with or conduct marketing activities through;
- Credit reference agencies, Premium Finance Providers, and organisations working to prevent fraud in financial services;
- Personal representatives appointed by you to act on your behalf; and
- Solicitors and other professional services firms (including our auditors).
We may be under legal or regulatory obligations to share your personal data with courts, regulators, law enforcement or in certain cases other insurers. Also, if we were to sell part of our businesses we would need to transfer your personal data to the purchaser of such businesses. Some of these third parties will also be data controllers, and will handle your personal data in accordance with their own privacy policies. For further information, please contact us.
Additional information about some third parties we may share data with
Our websites may share information with Google via the use of internet cookies, where you have agreed to this. You can find out more information about how Google uses data collected by cookies on Google’s Privacy & Terms site here.
The Motor Insurers’ Bureau (MIB)
We work in partnership with the Motor Insurers’ Bureau (MIB) and associated not-for-profit companies who provide several services on behalf of the insurance industry. At every stage of your insurance journey, the MIB will be processing your personal information and more details about this can be found via their website: mib.org.uk. Set out below are brief details of the sorts of activity the MIB undertake:
- Checking your driving licence number against the DVLA driver database to obtain driving licence data (including driving conviction data) to help calculate your insurance quote and prevent fraud;
- Checking your ‘No Claims Bonus’ entitlement and claims history;
- Preventing, detecting and investigating fraud and other crime, including by carrying out fraud checks;
- Maintaining databases of:
  - Insured vehicles (Motor Insurance & Policy Data or Motor Insurance Database);
  - Vehicles which are stolen or not legally permitted on the road (Vehicle Salvage & Theft Data or MIAFTR);
  - Motor, personal injury and home claims (CUE), and;
  - Employers’ Liability Insurance Policies (Employers’ Liability Database).
- Managing insurance claims relating to untraced and uninsured drivers in the UK and abroad;
- Working with law enforcement to prevent uninsured vehicles being used on the roads, and;
- Supporting insurance claims processes.
We share information concerning your request for a quotation and your insurance policy with LexisNexis, who help us check your identity and assess your insurance risk. They do this by collecting data about you from public sources and private databases, for example the electoral register, the Insolvency Service and insurer records. You can find out more about who LexisNexis are, how they obtain and use your data, who they share it with and your data rights relating to their activities in their own Privacy Notice, which is available here.
6. International Data Transfers
We may need to transfer, or allow access to, your personal data to parties based overseas, such as service providers or other companies within DUAL Group or the wider Howden Group companies. We may also make other disclosures of your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests.
If we have a genuine and valid business need to transfer your data to a country which is not recognised to have data protection laws that offer the same level of protection as those in your own country, we will ensure that this is carried out within the standards required by UK data protection laws.
You have the right to ask us for more information about the safeguards we use when sending your personal data overseas. You can request this by contacting us using the information set out in Section 10 “How to contact us”.
'Automated Decision Making' refers to a decision which is taken solely on the basis of automated processing of your personal data - this means processing using, for example, software code or an algorithm, which does not involve any human intervention.
We may use automated decision making to assess whether we are able to offer you an insurance product and to determine the specifics of an insurance policy, for example the premium you pay and the compulsory excess applicable to any claim.
You have certain rights in respect of automated decision making, where that decision has significant effects on you, including where it produces a legal effect on you. See Sections 9 and 10 for more information about your rights.
We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy. In some circumstances we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, reporting, tax or accounting requirements.
In specific circumstances we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.
We maintain a data retention policy which we apply to records in our care, and which you can request from us by contacting us. Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.
Data Protection Law gives individuals certain rights in relation to the use of personal data. This section sets out these data rights in more detail:
Right of access
The right of access is commonly referred to as a subject access request (SAR). This right allows you to request a copy of the personal data we hold on you, along with supplementary information on how it is used and who we share it with.
There may be instances where we are unable to supply all personal data, such as where it may impact the rights and freedoms of other individuals or is subject to legal privilege, but we will provide a full explanation to you should this be necessary unless relevant laws or regulations prevent us from doing so.
Right to rectification
You have the right to ask us to rectify inaccurate personal data we hold on you, or update any incomplete data, where this has an impact on the way the data is used.
Right to erasure
This is commonly known as ‘the right to be forgotten’ and provides you with the right to request deletion of your personal data. This right is not absolute and only applies in certain circumstances such as where the data was not collected lawfully or is no longer required for the purpose that it was collected.
We retain data in order to meet legal and regulatory requirements, or legitimate business interests, which may result in us being unable to meet your request. Where you exercise this right, we will either confirm that this has been done or provide you with reasons for retaining the data, including how long we will hold it.
Right to restrict processing
You can ask us to restrict the processing of your personal data in the following circumstances:
- the accuracy of the data is contested and is being verified;
- the processing is unlawful but you do not wish for it to be erased;
- it is no longer needed for the purposes for which it was collected, but is still required for the establishment, exercise or defence of a legal claim;
- you have objected to the processing of your personal data and investigations are taking place.
Right to data portability
In certain circumstances, you have the right to request your personal data to be provided in a common, machine-readable format and either provided to you or sent directly to a third-party you nominate.
We will act upon your instructions and confirm that we have done so, or if there is any reason this cannot be done, we will provide an explanation to you.
Right to object
You have the right to object to the processing of your personal data where the processing is carried out in the public interest or for our legitimate interests.
You also have the absolute right to object to processing for direct marketing purposes, which includes any profiling activities we undertake for marketing purposes. If you object, we will ensure that you do not receive future marketing from us unless you notify us otherwise.
Rights related to automated decision making, including profiling
You can object to decisions which are based solely on automated processing where the processing produces legal or other significant effects concerning you (such as the rejection of a claim).
In such situations, you can obtain human intervention in the decision making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision. Your right to obtain human intervention or to contest a decision does not apply where the decision which is made following automated decision making:
- is necessary for entering into or performing a contract with you;
- is authorised by law and there are suitable safeguards for your rights and freedoms; or
- is based on your explicit consent.
DUAL does not conduct Profiling.
To exercise your rights you may contact us as set out in Section 10. Please note the following if you do wish to exercise these rights:
- We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request.
- We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.
- We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
- Local laws, including in the UK, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.
- Third Party Rights. We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects.
The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted by email at DPO@dualgroup.com or by writing to our registered office:
Data Protection Officer
One Creechurch Place
Your right to complain
You have a right to lodge a complaint with your local supervisory authority about our processing of your personal data. In the UK, the supervisory authority for data protection is the Information Commissioner’s Office (ICO) (https://ico.org.uk/). We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
APPENDIX 1 - CATEGORIES OF PERSONAL DATA
DETAILS OF INFORMATION THAT WE TYPICALLY CAPTURE
Name, address, telephone number, email address.
Policy number, relationship to the policyholder, details of policy including insured amount, exceptions etc., previous claims, payment history, quotes history, voice recordings
Personal Risk Information
Gender, date of birth, claims history, marital status, additional information about your lifestyle and insurance requirements, information about your employment
Health Data - e.g. physical and mental conditions, medical history and procedures, relevant personal habits (e.g. smoking)
Criminal Data - e.g. driving offences, unspent convictions
Data relating to children
Details of incident giving rise to claim, including:
Health Data - e.g. details of injury, medical report
Criminal Data - e.g. driving offences, police reports
Data relating to minors
Bank account details (where you are the payer of the policy premium), data received from credit reference agencies
Name, email address, interests / marketing list assignments, record of permissions or marketing objections, website data (including online account details, IP address)
APPENDIX 2 - LEGAL BASIS FOR PROCESSING
Type of information collected
Legal basis for processing
Set up a record on our systems
Carry out background, sanction, fraud and credit checks
Assess risk and provide information to your Broker in order to place policy
Provide client care and support
Receive premiums and payments
Prize draws and competitions
Comply with legal and regulatory obligations
Recording, managing and settlement of claims
Monitor and detect fraud
Comply with legal and regulatory obligations
APPENDIX 3 - GLOSSARY
Automated decision making: refers to a decision which is taken solely on the basis of automated processing of your personal data - this means processing using, for example, software code or an algorithm, which does not involve any human intervention.
Claims Experts: experts in a particular field which is relevant to a claim, such as forensic accountants, who are engaged to help us properly assess the merit and value of a claim, provide advice on its settlement, and advise on the proper treatment of claimants.
Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
FCA: the FCA is the Financial Conduct Authority, which is a financial regulatory body.
GDPR: the EU General Data Protection Regulation was implemented in May 2018 and governs how the personal data of individuals is processed. The GDPR is retained in domestic law as the ‘UK GDPR’ and sits alongside the Data Protection Act (DPA 2018).
Howden Group: Howden Group Holdings Limited (“Howden Group”) is a holding company of insurance intermediaries, which needs to process and share information, including personal data, with certain third parties. Howden Group Services Limited (“HGS”) is wholly owned by Howden Group and provides services to the Howden Group of companies within the UK.
ICO: the Information Commissioner's Office is the Supervisory Authority which regulates the processing of personal data by all organisations within the UK.
Insured Person: we use this term to refer to both individual policyholders, as well as any individual who benefits from insurance coverage under an insurance policy (for example, where an employee benefits from coverage taken out by their employer).
Loss Adjuster: an independent claims specialist who investigates complex or contentious claims on our behalf or on behalf of a relevant insurer.
Other Insurers: some policies are insured on a joint or "syndicate" basis. This means that a group of insurers (including us) will join together to write a policy. Policies may also be reinsured, which means that the insurer will purchase its own insurance, e.g. from a reinsurer, to cover some of the risk in your policy.
Premium Finance Providers: means a regulated entity which lends funds to a person or company to cover the cost of an insurance premium.
Profiling: means using automated processes without human intervention (such as computer programmes) to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an insurance context, such as your likely risk profile.
Risk Management Assessors: Any internal or external auditor or assessor who may have access to your personal data for the sole purpose of assessing risk to DUAL Corporate Risks Ltd.
Special Categories of Data: means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.
Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who provide / support 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.
Solicitors: we frequently use solicitors to advise on complex or contentious claims or to provide us with non-claims related legal advice. In addition, if you are a claimant you may be represented by your own solicitor(s).
Third Party Administrators (or TPAs): these are companies outside the Howden Group which administer the policies, the handling of claims, or both, on our behalf. We require all TPAs to ensure that your personal data is handled lawfully, and in accordance with this Policy and our instructions.
Uninsured Loss Recovery Agencies: means an entity that recovers uninsured losses.