esure Privacy Notice

This section will apply to you if: you apply for and obtain a quote for any of our insurance products (and either choose not to take up the policy or are not offered an insurance policy by us) or are named as a beneficiary under a policy which we have been asked to quote for (for example you are a named driver on a motor insurance policy which someone is applying for).

a) What personal data do we collect about you?

• name, date of birth and gender;
• identity documents such as your passport or driving licence;
• contact details including your address and address history, telephone numbers and email address;
• financial information, including credit/debit card details (although we do not retain complete payment card information);
• information obtained from credit checks such as credit account performance information, credit and claims history data, bankruptcy records, any county court judgments made against you and information about credit searches on you. For more information, see section ‎6 headed "Credit Reference and Fraud Prevention Checks";
• Information obtained from carrying out sanctions checks such as checking whether you are subject to any UK or foreign sanctions;
• details about your family and dependents (e.g. your marital status and number of children);
• information about your lifestyle and living circumstances (e.g. your employment status and information about your job title and work industry);
• information obtained through our use of cookies and similar technologies such as IP address, device identification and fraud detection data (e.g. to check whether the device you are using to contact us has been used before for fraudulent purposes). Please see our cookies policy here for more information;
• any information about previous insurance policies or claims made;
• any information which is relevant to the insurance policy, for example:
  • for car insurance policies, we additionally collect information about your driving history including points/endorsements on your licence; information about the relevant vehicle including registration number, mileage, where it is parked during the day and details about ownership and data as to your eligibility for a no claims discount;
  • for home insurance policies, we additionally collect information about relationship status, number of occupants, home ownership status such as tenant/homeowner;
• information captured during any correspondence with you such as telephone calls, live chats through our websites and/or other written or email correspondence; and
• information about your marketing preferences.

b) What special category data do we collect about you?

We typically process the following types of special category data:

• information about any criminal convictions you may have including offences and alleged offences and any court sentence or unspent criminal conviction; and
• information about your current or former physical and/or mental health and medical history.

c) How will we collect personal data?

Most personal data is collected directly from you, for example:

• when you apply for an insurance policy and we provide you with a quote;
• when you register to receive information from us;
• each time you interact with us (e.g. via email), respond to communications or surveys, or enter competitions; and
• when you make enquiries or raise concerns with our Customer Relations team.
   

We will also collect personal data from:

• the applicant (where you are a beneficiary or named under an insurance policy);
• aggregators which provide comparison insurance quotes and direct you to us;
• publicly available sources, e.g. the electoral register;
• third parties that hold information about any criminal history, e.g. courts and criminal records databases; and
• credit reference agencies such as Experian. For more information, see section ‎6 headed "Credit Reference and Fraud Prevention Checks".
   

For car insurance policies, we will also collect personal data from:

• the Driver and Vehicle Licensing Agency ("DVLA"). To find out more information, and to see what’s held on your record, you can visit the DVLA's online View Driving Licence Service at: www.gov.uk/view-driving-licence;
• third parties that hold information about your vehicle, including for example, HPI Ltd and Carweb;
• the Motor Insurers’ Bureau. For more information, see section ‎7;
• third parties that hold information about your driving history, e.g. Lexis Nexis Solutions UK Limited for your no-claims discount; and
• data generated by your vehicle systems and/or technology connected to your vehicle such as a car's on-board computer, dashcams (integrated or connected) or telematics related sources (such as a black box installed in your vehicle).

For home insurance policies, we will also collect personal data from:

• publicly available sources about the housing market in your area, e.g. the Census - Office for National Statistics; and
• third parties such as Experian to gather information as to the likelihood of storms and floods in your area, and soil data.

d) What will we use your personal data for?

We only process personal data for the purposes described in this privacy notice. Data Protection Legislation requires companies to have a "lawful basis" to collect and use personal data. We rely on the following 'lawful bases' when processing your personal data:

• it is necessary to provide you with a quote and take steps to enter into the insurance contract with you;
• it is necessary to comply with our legal or regulatory obligations;
• it is necessary for legitimate business interests pursued by us or a third party and your interests and fundamental rights do not override those interests. In each case we will always consider your interests and undertake a balancing exercise to ensure that our business interest does not cause you harm or override your own interests; and/or
• in limited circumstances, where you have given consent, for example for marketing purposes.
   

We need to have a further processing condition when we process your special category data and we will rely on the following:

• in limited circumstances, we need your explicit written consent;
• we need to use your special category data for an insurance purpose and this use is in the substantial public interest. Such insurance purposes include assessing and administering an insurance application;
• we need to use your special category data to comply with or help someone else comply with a regulatory requirement relating to unlawful acts and dishonesty and there is a substantial public interest in such use.
• we need to use your special category data to prevent or detect unlawful acts and this use is in the substantial public interest;
• it is necessary for the safeguarding of economic well-being of individuals; and/or
• it is necessary in connection with any existing/prospective legal claims, to obtain legal advice or for the establishment, exercise or defence of legal claims.

e) Who will we share your personal data with?

We share data with:

• other esure group companies;
• other insurance market participants such as reinsurers;
• our third party service providers who support the operation of our business, such as IT and marketing suppliers, financial service providers; document management providers, software providers and information security providers (including providers who undertake sanctions checks);
• credit reference agencies. For more information, see section ‎6 headed "Credit Reference and Fraud Prevention Checks";
• fraud prevention agencies (For more information, see section ‎6 headed "Credit Reference and Fraud Prevention Checks") and associations and other third parties who operate and maintain fraud detection registers including the Claims Underwriting Exchange;
• the Motor Insurers’ Bureau. For more information, see section ‎7;
• regulators and law enforcement agencies including the police, the Financial Conduct Authority and the Prudential Regulation Authority and the UK's Information Commissioner's Office;
• HM Revenue and Customs or any other relevant authority who may have jurisdiction (as is necessary for compliance with our legal obligations);
• any person to whom we may assign or transfer our rights and/or obligations under our agreement with you or any third party as a result of a restructuring or re-organisation, merger, sale or acquisition; and/or
• any companies that are in the process of joining the esure Group, for example due to a merger, restructuring/re-organisation, sale of a business or business strategies or an acquisition and their legal and technical advisers in order to manage such transactions.

This section will apply to you if you: (i) take out an insurance policy with us, (ii) are listed as an applicant on a policy with us; or (iii) are a beneficiary under an insurance policy with us (for example you are a named driver on a motor insurance policy which is taken out by someone else)

a) What personal data do we collect about you?

• name, date of birth and gender;
• identity documents (e.g. passport or driving licence);
• contact details, including address and address history, telephone numbers and email address;
• financial information, including credit/debit card details (although we do not retain complete payment card information) and bank details;
• information obtained from credit checks such as credit account performance information, credit and claims history data, bankruptcy records, any county court judgments made against you and information about credit searches on you. For more information, see section ‎6 headed "Credit Reference and Fraud Prevention Checks";
• information obtained from carrying out sanctions checks (e.g. checking whether you are subject to any UK or foreign sanctions);
• details about your family and dependents (e.g. your marital status and number of children);
• information about your lifestyle and living circumstances (e.g. your employment details and home ownership);
• information obtained through our use of cookies (which tracks online behaviour) and similar technologies such as IP address, device identification and fraud detection data (e.g. to check whether the device you are using to contact us has been used before for fraudulent purposes). Please see our cookies policy here for more information;
• any information about previous insurance policies or claims made;
• any information which is relevant to the insurance policy, for example:
  • for car insurance policies, we additionally collect information about your driving history including points/endorsements on your licence; information about the relevant vehicle including registration number, mileage, where it is parked during the day and details about ownership and data as to your eligibility for a no claims discount;
  • for home insurance policies, we additionally collect information about relationship status, number of occupants, home ownership status such as tenant/homeowner;
• any information which is relevant to a claim you make under the policy; this can include but not be limited to: statements and photographic evidence; For car insurance claims: vehicle data (e.g. vehicle registration number) will be collected;
• information we obtain as a result of our own searches (or searches made by our suppliers at our request) of publicly available sources such as social media sites and newspapers in the event that we suspect fraudulent activity;
• information captured during any correspondence with you such as telephone calls, live chats through our websites and/or other written or email correspondence; and
• information about your marketing preferences.

b) What special category data do we collect about you?

We typically process the following types of special category data:

• information about any criminal convictions you may have including offences and alleged offences and any court sentence or unspent criminal conviction; and
• information about your current or former physical and/or mental health and medical history and any medical details which relate to a claim being made.

c) How will we collect personal data?

Most personal data is collected directly from you, for example:

• when you apply for an insurance policy and we provide you with a quote;
• when you register to receive information from us;
• each time you interact with us (e.g. via email), respond to communications or surveys, or enter competitions;
• when you make enquiries or raise concerns with our Customer Relations team; and
• when you make a claim under a policy.
   

We will also collect personal data from:

• the applicant (where you are a beneficiary or named under an insurance policy);
• aggregators which provide comparison insurance quotes and direct you to us;
• other third parties who may be involved in the claim such as a beneficiary, witness, third party claimant, other insurer or defendant or the police;
• third parties appointed in relation to a claim such as investigators; claims handlers, loss adjusters and medical experts;
• publicly available sources, e.g. the electoral register;
• third parties that hold information about any criminal history, e.g. courts and criminal records databases;
• credit reference agencies such as Experian. For more information, see section ‎6 headed "Credit Reference and Fraud Prevention Checks".

For car insurance policies, we will also collect personal data from:

• the Driver and Vehicle Licensing Agency ("DVLA"). To find out more information, and to see what’s held on your record, you can visit the DVLA's online View Driving Licence Service at: www.gov.uk/view-driving-licence;
• third parties that hold information about your vehicle, including for example, HPI Ltd and Carweb;
• the Motor Insurers’ Bureau. For more information, see section ‎7;
• third parties that hold information about your driving history, e.g. Lexis Nexis Solutions UK Limited for your no-claims discount;
• third parties operating automated number plate recognition systems (when a vehicle is used on public roads in the UK); and
• data generated by your vehicle systems and/or technology connected to your vehicle such as a car's on-board computer, dashcams (integrated or connected) or telematics related sources (such as a black box installed in your vehicle).

For home insurance policies, we will also collect personal data from:

• publicly available sources about the housing market in your area, e.g. the Census - Office for National Statistics;
• third parties such as Experian to gather information as to the likelihood of storms and floods in your area, and soil data; and
• data from any other sources where we believe this is necessary to administer or validate policies or claims; investigate fraud; or assist with settlement/claim negotiations. This may include consulting publicly available online information such as public registers, social media and other online sources.

d) What will we use your personal data for?

We only process personal data for the purposes described in this privacy notice. Data Protection Legislation requires companies to have a "lawful basis" to collect and use personal data. We rely on the following 'lawful bases' when processing your personal data:

• it is necessary to provide you with an insurance policy and perform our insurance contract with you;
• it is necessary to comply with our legal or regulatory obligations;
• it is necessary for legitimate business interests pursued by us or a third party and your interests and fundamental rights do not override those interests. In each case we will always consider your interests and undertake a balancing exercise to ensure that our business interest does not cause you harm or override your own interests; and/or
• in limited circumstances, where you have given consent, for example for marketing purposes.
   

We need to have a further processing condition when we process your special category data and we will rely on the following:

• in limited circumstances, we need your explicit written consent;
• we need to use your special category data for an insurance purpose and this use is in the substantial public interest. Such insurance purposes include assessing and administering an insurance application;
• we need to use your special category data to comply with or help someone else comply with a regulatory requirement relating to unlawful acts and dishonesty and there is a substantial public interest in such use.
• we need to use your special category data to prevent or detect unlawful acts and this use is in the substantial public interest;
• it is necessary for the safeguarding of economic well-being of individuals; and/or
• it is necessary in connection with any existing/prospective legal claims, to obtain legal advice or for the establishment, exercise or defence of legal claims.

e) Who will we share your personal data with?

We share data with:

• other esure group companies;
• other insurance market participants such as reinsurers;
• third parties we instruct to handle claims such as investigators; claims handlers, loss adjusters and medical experts and operators of claims related databases;
• our third party service providers who support the operation of our business, such as IT and marketing suppliers, financial service providers; and document management providers, software providers and information security providers;
• third party product providers who provide products or services (alongside the products and services provided by us e.g. optional cover that you obtained a quote for and/or purchased alongside your insurance product). These companies act as data controllers with respect to the data you provide to us and when we share it with them; if you would like to see a copy of their privacy notice, please refer to the terms and conditions of the relevant add-on in the optional extras section of your policy documents. There is more detail on the types of companies we engage with in Appendix 2;
• debt collection agencies;
• credit reference agencies ("CRAs"). Where you pay for your insurance policy by instalment, we will exchange information about you with CRAs on an ongoing basis, including your settled accounts and any debts not fully repaid on time. For more information, see section ‎6 headed "Credit Reference and Fraud Prevention Checks".
• fraud prevention agencies (for more information, see section ‎6 headed "Credit Reference and Fraud Prevention Checks") and associations and other third parties who operate and maintain fraud detection registers including the Claims Underwriting Exchange;
• the Motor Insurers’ Bureau. For more information, see section ‎7;
• regulators and law enforcement agencies including the police, the Financial Conduct Authority and the Prudential Regulation Authority and the UK's Information Commissioner's Office;
• HM Revenue and Customs or any other relevant authority who may have jurisdiction (as is necessary for compliance with our legal obligations);
• any person to whom we may assign or transfer our rights and/or obligations under our agreement with you or any third party as a result of a restructuring or re-organisation, merger, sale or acquisition; and/or
• any companies that are in the process of joining the esure Group, for example due to a merger, restructuring/re-organisation, sale of a business or business strategies or an acquisition and their legal and technical advisers in order to manage such transactions.

This section will apply to you if you are involved in a claim but you do not hold a direct contractual relationship with us (e.g. where you have been involved in a claim with one of our insurance policyholders).

a) What personal data do we collect about you?

• name, date of birth and gender;
• identity documents (e.g. driving licence);
• contact details, including address and address history, telephone numbers and email address;
• financial information, including credit/debit card details (although we do not retain complete payment card information);
• relationship data (i.e. details about family and dependents such as marital status and number of children);
• information about your lifestyle and living circumstances (e.g. your employment status and information about your job title and work industry);
• any information which is relevant to a claim you make; this can include but not be limited to: statements and photographic evidence. For car insurance claims: vehicle data (e.g. vehicle registration number) will be collected;
• information we obtain as a result of our own searches of publicly available sources such as social media sites and newspapers in the event that we suspect fraudulent activity;
• information obtained through our use of cookies and similar technologies such as IP address, device identification and fraud detection data (e.g. to check whether the device you are using to contact us has been used before for fraudulent purposes). Please see our cookies policy here for more information; and
• information captured during any correspondence with you such as telephone calls, live chats through our websites and/or other written or email correspondence.

b) What special category data do we collect about you?

We typically process the following types of special category data:

• information about any criminal convictions you may have including offences and alleged offences and any court sentence or unspent criminal conviction; and
• information about your current or former physical and/or mental health and medical history and any medical details which relate to a claim being made.

c) How will we collect personal data?

• Directly from you when you make a claim or make enquiries or raise concerns with our Customer Relations team.
• From third parties including:
  • the policyholder;
  • the DVLA and the Motor Insurers’ Bureau (for more information, see section ‎7) where it relates to a motor claim;
  • third parties appointed in relation to a claim such as investigators; claims handlers, loss adjusters and medical experts;
  • the police;
  • witnesses;
  • your insurers and/or representatives;
  • financial crime detection agencies and databases including the Claims Underwriting Exchange and the Motor Insurance Database; and
  • publicly available sources such as social media.

d) What will we use your personal data for?

We only process personal data for the purposes described in this privacy notice. Data Protection Legislation requires companies to have a "lawful basis" to collect and use personal data. We rely on the following 'lawful bases' when processing your personal data:

• it is necessary to comply with our legal or regulatory obligations;
• it is necessary for legitimate business interests pursued by us or a third party and your interests and fundamental rights do not override those interests. In each case we will always consider your interests and undertake a balancing exercise to ensure that our business interest does not cause you harm or override your own interests;
   

We need to have a further processing condition when we process your special category data and we will rely on the following:

• in limited circumstances, we need your explicit written consent;
• we need to use your special category data for an insurance purpose and this use is in the substantial public interest. Such insurance purposes include handling claims under an insurance policy;
• we need to use your special category data to comply with or help someone else comply with a regulatory requirement relating to unlawful acts and dishonesty and there is a substantial public interest in such use;
• we need to use your special category data to prevent or detect unlawful acts and this use is in the substantial public interest and/or
• it is necessary in connection with any existing/prospective legal claims, to obtain legal advice or for the establishment, exercise or defence of legal claims.

e) Who will we share your personal data with?

We share data with:

• other esure group companies;
• our policyholder;
• other insurance market participants such as reinsurers and your insurers;
• third parties involved in your claims such as investigators; claims handlers, loss adjusters and medical experts and operators of claims related databases;
• your representative or solicitors;
• the Motor Insurers’ Bureau. For more information, see section ‎7;
• our third party service providers who support the operation of our business, such as IT and marketing suppliers, financial service providers; document management providers, software providers and information security providers;
• fraud prevention agencies (for more information, see section ‎6 headed "Credit Reference and Fraud Prevention Checks") and associations and other third parties who operate and maintain fraud detection registers including the Claims Underwriting Exchange;
• regulators and law enforcement agencies including the police, the Financial Conduct Authority and the Prudential Regulation Authority and the UK's Information Commissioner's Office;
• any person to whom we may assign or transfer our rights and/or obligations under our agreement with you or any third party as a result of a restructuring or re-organisation, merger, sale or acquisition; and/or
• any companies that are in the process of joining the esure Group, for example due to a merger, restructuring/re-organisation, sale of a business or business strategies or an acquisition and their legal and technical advisers in order to manage such transactions.

This section will apply to you if you are a witness to an incident/accident that becomes the subject of an insurance claim made by a policyholder or a third party claimant.

a) What personal data do we collect about you?

• name, date of birth and gender;
• identity documents (e.g. driving licence);
• contact details, including address and address history, telephone numbers and email address;
• any information which is relevant to the incident/accident you witnessed; and
• information captured during any correspondence with you such as telephone calls, live chats through our websites and/or other written or email correspondence.

b) What special category data do we collect about you?

We would not routinely collect or process special category data about witnesses. However, if certain special category of data of yours is relevant and pertinent to the claim (such as your medical status for example), we may collect it.

c) How will we collect personal data?

• Directly from you when you make a claim or make enquiries or raise concerns with our Customer Relations team.
• From third parties including:
  • the policyholder or any third party claimant;
  • the DVLA where it relates to a motor claim;
  • third parties appointed in relation to a claim such as investigators; claims handlers, loss adjusters and medical experts;
  • the police;
  • witnesses;
  • third party claimant's insurers and/or representatives;
  • financial crime detection agencies and databases including the Claims Underwriting Exchange and the Motor Insurance Database; and
  • publicly available sources such as social media and newspapers.

d) What will we use your personal data for?

We only process personal data for the purposes described in this privacy notice. Data Protection Legislation requires companies to have a "lawful basis" to collect and use personal data. Our 'lawful bases' will be:

• it is necessary to comply with our legal or regulatory obligations; and/or
• it is necessary for legitimate business interests pursued by us or a third party and your interests and fundamental rights do not override those interests. In each case we will always consider your interests and undertake a balancing exercise to ensure that our business interest does not cause you harm or override your own interests.
   

We need to have a further processing condition in the event that we process your special category data. In those limited circumstances, we will rely on the following:

• in limited circumstances, we have your explicit written consent;
• we need to use your special category data for an insurance purpose and this use is in the substantial public interest. Such insurance purposes include handling claims under an insurance policy;
• we need to use your special category data to comply with or help someone else comply with a regulatory requirement relating to unlawful acts and dishonesty and there is a substantial public interest in such use;
• we need to use your special category data to prevent or detect unlawful acts and this use is in the substantial public interest and/or
• it is necessary in connection with any existing/prospective legal claims, to obtain legal advice or for the establishment, exercise or defence of legal claims.

e) Who will we share your personal data with?

We share data with:

• other esure group companies;
• our policyholder;
• other insurance market participants such as reinsurers and your insurers;
• third parties involved in your claims such as investigators; claims handlers, loss adjusters and medical experts and operators of claims related databases;
• fraud prevention agencies (for more information, see section ‎6 headed "Credit Reference and Fraud Prevention Checks") and associations and other third parties who operate and maintain fraud detection registers including the Claims Underwriting Exchange;
• regulators and law enforcement agencies including the police, the Financial Conduct Authority and the Prudential Regulation Authority and the UK's Information Commissioner's Office;
• any person to whom we may assign or transfer our rights and/or obligations under our agreement with you or any third party as a result of a restructuring or re-organisation, merger, sale or acquisition; and/or
• any companies that are in the process of joining the esure Group, for example due to a merger, restructuring/re-organisation, sale of a business or business strategies or an acquisition and their legal and technical advisers in order to manage such transactions.

This section will apply to individuals applying to work at esure and is applicable to all current and former candidates for job roles with us. You should also show this privacy notice to anyone else whose details you provide to us, for example your family members, emergency contacts etc.

a) What personal data do we collect about you?

• name, date of birth and gender;
• contact details, including address and address history, telephone numbers and email address;
• National Insurance Number;
• bank statements or any other official documents (where provided by you as proof of address);
• employment data (e.g. skills and experience, training and performance records, professional memberships, details of employment, references, employment history; disciplinary and grievance information);
• identity documents (e.g. passport or driving licence);
• information relevant to the recruitment process such as your job title, information about your job role, your CV or cover letter and any other information which you have shared with us as part of the recruitment process and any notes taken from an interview with you;
• bank account details, salary, pension and benefits;
• financial and credit references;
• details about your family and dependents (e.g. your marital status and number of children);
• vehicle registration number (e.g. if you are using our car parking facilities);
• CCTV footage (e.g. if you visit our offices); and
• information about your use of our premises, access to data and communications systems (access to and use of our premises, systems and data held within these systems, including but not limited to what is accessed, when and by whom).

b) What special category data do we collect about you?

We typically process the following types of special category data:

• information about any criminal convictions (including offences and alleged offences and any court sentence or unspent criminal conviction);
• information about your current or former physical and/or mental health and medical history;
• information about your religious beliefs;
• information about your race or ethnic origin;
• information about your gender or sexual orientation.

c) How will we collect personal data?

• directly from you when you apply to work at esure or during any form of communications such as face to face, written and phone correspondence or interviews during the recruitment process;
• from correspondence with you on LinkedIn;
• from recruitment talent management and employment agencies;
• background check providers such as Disclosure and Barring Service; and/or
• (if your application is successful) credit reference agencies such as Experian. For more information, see section ‎6 headed "Credit Reference and Fraud Prevention Checks".

d) What will we use your personal data for?

We only process personal data for the purposes described in this privacy notice. Data Protection Legislation requires companies to have a "lawful basis" to collect and use personal data. Our 'lawful bases' will be:

• it is necessary in order to take steps to enter into a contract with you; and/or
• it is necessary for legitimate business interests pursued by us or a third party and your interests and fundamental rights do not override those interests. In each case we will always consider your interests and undertake a balancing exercise to ensure that our business interest does not cause you harm or override your own interests.

We need to have a further processing condition in the event that we process your special category data. In those limited circumstances, we will rely on the following:

• in limited circumstances, we have your explicit written consent;

e) Who will we share your personal data with?

We share data with:

• other esure group companies;
• recruiters, former employers and your referees;
• fraud prevention agencies or other background check agencies;
• our third party service providers who support the operation of our business, such as IT suppliers; and document management providers, software providers and information security providers;
• the Financial Conduct Authority, the Prudential Regulation Authority and other regulatory bodies where this is required by rules/regulations. This would be, for example, where the role you applied for is subject to regulatory pre-approval and/or regulatory notification, or through reporting staff conduct rule breaches;
• other regulators and law enforcement agencies including the police and the UK's Information Commissioner's Office;
• any person to whom we may assign or transfer our rights and/or obligations under our agreement with you or any third party as a result of a restructuring or re-organisation, merger, sale or acquisition; and/or
• any companies that are in the process of joining the esure Group, for example due to a merger, restructuring/re-organisation, sale of a business or business strategies or an acquisition and their legal and technical advisers in order to manage such transactions.

This section will apply to you if you are a broker, insurer, business partner or supplier or third party with whom we do business with.

a) What personal data do we collect about you?

• name, date of birth and gender;
• contact details, including address and address history, telephone numbers and email address;
• financial information, including bank details for making payments;
• information we collect about your employment status, job title and work industry;
• information we collect about you as a result of our onboarding, procurement or due diligence checks; and
• information captured during any correspondence with you such as telephone calls, live chats through our websites and/or other written or email correspondence.

b) What special category data do we collect about you?

We typically process the following types of special category data: information about any criminal convictions you may have including offences and alleged offences and any court sentence or unspent criminal conviction.

c) How will we collect personal data?

• Directly from you
• From third parties including:
  • Referees or introducers; and
  • publicly available sources.

d) What will we use your personal data for?

We only process personal data for the purposes described in this privacy notice. Data Protection Legislation requires companies to have a "lawful basis" to collect and use personal data. We rely on the following 'lawful bases' when processing your personal data:

• it is necessary to perform our contract with you;
• it is necessary to comply with our legal or regulatory obligations;
• it is necessary for legitimate business interests pursued by us or a third party and your interests and fundamental rights do not override those interests. In each case we will always consider your interests and undertake a balancing exercise to ensure that our business interest does not cause you harm or override your own interests.
   

We need to have a further processing condition when we process your special category data and we will rely on the following:

• we need to use your special category data for an insurance purpose and this use is in the substantial public interest. Such insurance purposes include administering insurance and handling claims under an insurance policy;
• we need to use your special category data to comply with or help someone else comply with a regulatory requirement relating to unlawful acts and dishonesty and there is a substantial public interest in such use; and/or
• it is necessary in connection with any existing/prospective legal claims, to obtain legal advice or for the establishment, exercise or defence of legal claims.

e) Who will we share your personal data with?

We share data with:

• other esure group companies;
• other insurance market participants such as reinsurers and your insurers;
• third parties involved in your claims such as investigators; claims handlers, loss adjusters and medical experts and operators of claims related databases;
• your representative or solicitors;
• our third party service providers who support the operation of our business, such as IT and marketing suppliers, financial service providers; and document management providers, software providers and information security providers;
• regulators and law enforcement agencies including the police, the Financial Conduct Authority and the Prudential Regulation Authority and the UK's Information Commissioner's Office;
• any person to whom we may assign or transfer our rights and/or obligations under our agreement with you or any third party as a result of a restructuring or re-organisation, merger, sale or acquisition; and/or
• any companies that are in the process of joining the esure Group, for example due to a merger, restructuring/re-organisation, sale of a business or business strategies or an acquisition and their legal and technical advisers in order to manage such transactions.

5.1. From time to time, we will send you marketing about our products and services by post, telephone, email, SMS and through digital channels such as social media and similar such digital marketing channels which we think will be of interest to you or which you have asked us to provide you with. We may upload and match the personal data you provide to us with the data you provide to social media and similar such digital marketing channels. This allows us to improve our knowledge of you and, in return, serve you with relevant marketing messages. For this, we use cookies, which you can read about in our cookies policy.

5.2. If you wish to unsubscribe from marketing emails sent by us, you may do so at any time by following the unsubscribe link that appears on our marketing emails. Otherwise, you can always contact us on [email protected]

Credit Reference Agencies (CRAs)

6.1. CRAs will share your information with other organisations. Your data will be linked to the data of your spouse, any joint applicants or other financial associates. For more information on how CRAs process your personal data, please visit the Credit Reference Agency Information Notice ("CRAIN") at https://www.equifax.co.uk/privacy-hub/crain. In particular, please note that CRAs may retain your personal data for a different time period than we do, so visit the CRAIN for more information.

Fraud prevention

6.2. Before we provide you with our products, we use your personal data to conduct checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

6.3. The personal data we have collected from you or we have received from third parties will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity.

6.4. We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

6.5. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found here: www.cifas.org.uk/fpn, and for candidates here: https://www.esuregroup.com/careers/privacy-notice-cifas-supplement-for-candidates/

6.6. Fraud prevention agencies can hold your personal data for different periods of time and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

7.1. We work in partnership with the Motor Insurers’ Bureau ("MIB") and associated not-for-profit companies who provide several services on behalf of the insurance industry. At every stage of your insurance journey, the MIB will be processing your personal information and more details about this can be found via their website: https://www.mib.org.uk/.

7.2. Set out below are brief details of the sorts of activity the MIB undertake:
a) Checking your driving licence number against the DVLA driver database to obtain driving licence data (including driving conviction data) to help calculate your insurance quote and prevent fraud
b) Checking your ‘No Claims Bonus’ entitlement and claims history.
c) Preventing, detecting and investigating fraud and other crime, including, by carrying out fraud checks.
d) Maintaining databases of:

• Insured vehicles (Motor Insurance Database)
• Vehicles which are stolen or not legally permitted on the road (MIAFTR)
• Motor, personal injury and home claims (CUE)
• Employers’ Liability Insurance Policies (Employers’ Liability Database)
   

e) Managing insurance claims relating to untraced and uninsured drivers in the UK and abroad.
f) Working with law enforcement to prevent uninsured vehicles being used on the roads.
g) Supporting insurance claims processes.

8.1. We use the personal data you provide to us, information about you provided by third parties, and aggregated data of other individuals who match your risk profile, to enable us to evaluate and predict your behaviour when asking for a quote or processing a claim. We use automated (computer based) decision making/ algorithms for:
a) pricing and underwriting
b) claims;
c) detecting fraud;
d) credit history;
e) tailoring products and services
f) Profiling for other non-marketing purposes
g) data about your local area and the vehicle or home you wish to have insured; and
h) whether your conduct accessing our products or services suggests a risk of fraud.

8.2. You may automatically be considered to pose a fraud or money laundering risk if our processing of your personal data reveals:
a) your behaviour to be consistent with that of known fraudsters or money launderers; or
b) inconsistent with your previous submissions; or
c) you appear to have deliberately hidden your true identity.

8.3. This activity is essential to allow us to decide whether to offer you a quote, the appropriate insurance premium to offer to you, and whether there is a risk of fraud.

8.4. These decisions may be made by entirely automated means (that is, without human intervention) and/or through profiling. As with all insurers, where we are taking on more risk in terms of the likelihood of damage to your vehicle or home and the cost of fixing, replacing it or dealing with third party claims and/or there is a higher risk of our being defrauded, we will charge a higher insurance premium, and in some circumstances may refuse to offer a quote or continue to provide services.

8.5. We consider that, to the extent our decisions based solely on automated processing produce legal or similarly significant effects for you, those decisions are necessary for entering into, or performance of, our contract of insurance with you. However, you have the right to contact us to express your point of view (including providing any additional information that you want us to consider) and to contest such decisions. A member of our team will then reconsider it. If you wish to exercise these rights, please contact us by contacting the Data Protection Officer using the contact details set out in section 14.

Consequences of processing

8.6. If we, or a fraud prevention agency, determine that you pose a risk of fraud or money laundering, we may refuse to provide the products, services and financing you have requested. We may also stop providing existing services to you. A record of any fraud or money laundering risk will be retained by us and the fraud prevention agencies. It may also result in others refusing to provide products, services, financing or employment to you. If you have any questions about our processing of your data for fraud purposes, please contact our Data Protection Officer at the details provided in section 14.

9.1. The personal data that we collect from you, and which is shared with third parties including fraud prevention agencies, may be transferred to and processed in a destination outside of the UK and the European Economic Area (which means all the European Union (EU) countries plus Norway, Iceland and Liechtenstein, together "EEA"). It may also be processed by one of our third party suppliers who work for us operating outside the UK and the EEA.

9.2. Examples of our regular transfers include:

• to suppliers in India and/or in the United States for marketing, IT development and IT testing purposes;
• to South Africa for claims handling, services and complaints handling - In the event that your personal data is transferred outside the UK and EEA, we take steps to ensure that your personal data is adequately protected and in compliance with data protection laws such as:
• transferring personal data to a country or jurisdiction which has been deemed 'adequate' by the UK government i.e. that country or jurisdiction provides an adequate level of protection to that of UK;
• entering into the UK Addendum to the EU Standard Contractual Clauses or the UK's International Data Transfer Agreement with the recipient to whom we are transferring personal data to. (these are sets of contractual wording which has been issued by the UK's data protection regulator to safeguard transfers compliantly in accordance with Data Protection Legislation); or
• the recipient of personal data in the United States has self-certified with the UK Data Bridge to the EU-US Privacy Framework).

9.3. To find out more about how your personal data is protected when it is transferred outside the UK and the EEA (and if you wish to obtain a copy of the appropriate and suitable safeguards), please contact our Data Protection Officer using the details provided in section 14.

We take the protection of your personal data seriously.

We implement a range of technical, physical and organisational measures to ensure that your personal data is kept confidential and secure; these include but are not limited to:

• implementing access controls so that personal data is restricted to those who need to access or process it for the purposes set out in this Privacy Notice;
• maintaining our internal data protection and security policies which govern the use, storage, protection and general processing of personal data;
• implementing firewalls, password protections and encryption; and
• providing employees with regular data protection training.

Please note that where we have provided you with or you have created a password or a link to your account or to retrieve a quote, you are responsible for keeping this password and link safe and confidential. Please do not share them with anyone.

11.1. We will only keep your personal data for as long as is necessary to fulfil the purposes set out in this Privacy Notice and to comply with our legal and regulatory obligations.

11.2. The retention period for which we keep your personal data will therefore depend on your relationship with us and the type of personal data. For example: records created for fraud prevention purposes will be deleted 7 years after creation.

11.3. If you have any questions in relation to the retention of your personal data, please contact our Data Protection Officer using the details provided in section 14.

12.1. It is important that any personal data we hold about you is both accurate and up to date. Please keep us informed if your personal data changes.

12.2. Data Protection Legislation gives you a number of the rights (as set out below) which you can exercise at any time by contacting our Data Protection Officer using the details provided in section 14:

• the right to access your personal data: you are entitled to a copy of the personal data we hold about you and certain details of how we use it;
• the right to rectification: you can ask us to correct any information about you that may be out of date, incorrect or incomplete;
• the right to restrict processing: in certain circumstances, you are entitled to ask us to stop using your personal data, for example where you think that we no longer need to use your personal data or where you think that the personal data we hold about you may be inaccurate;
• right to erasure: you have the right to ask us to erase your personal data in certain circumstances, for example where you withdraw your consent or where the personal data we obtained is no longer necessary for the original purpose; this right, will, however, need to be balanced against other factors (for example, we may have legal obligations which mean we cannot comply with your request);
• right to data portability: you have the right, under certain circumstances, to ask that we transfer personal data that you have provided to us to another third party of your choice;
• the right to object to marketing: you can ask us to stop sending you marketing messages at any time. You can exercise this right by clicking on the "unsubscribe" link which is contained in any marketing email that we send to you. Please note that exercise of this right does not extend to service-related communications about your insurance policy which, where necessary, we will continue to send;
• the right to object to processing: where we process your personal data based on our legitimate business interests (indicated in this Privacy Notice), you can object to our processing. We will consider your objection and determine whether or not our legitimate business interests prejudice your privacy rights;
• the right to withdraw consent: we may ask for your consent for certain uses of your personal data – we have indicated in this Privacy Notice where we do need your consent. You have the right to withdraw your consent at any time;
• rights related to automated decision-making: you can ask us to review automated decisions we make about you and you can ask us to not hold you to a decision that’s been made solely in an automated way; and
• to the right to lodge a complaint with the Information Commissioner's Office: you can find out more information at the Information Commissioner’s Office website: https://ico.org.uk/ Please note that lodging a complaint will not affect any other legal rights or remedies that you have.

12.3. Please note that not all of your data subject rights will be absolute; this means that there may be some circumstances where we may not be able to comply with your request (such as where this would conflict with our obligation to comply with other regulatory and/or legal requirements). However, if we cannot comply with your request, we will tell you the reason and we will always respond to any request you make.

12.4. There may also be circumstances where exercising some of these rights (such as the right to erasure, the right to restrict processing and the right to withdraw consent) will mean we can no longer provide you with our services and it may therefore result in the cancellation of our insurance contract with you. We will inform you of these consequences when you exercise your right.

13.1. Artificial Intelligence ("otherwise known as AI") is a commonly used term for a range of technologies which use computer systems to perform tasks that would usually have been carried out by humans and this extends to more complex tasks. We use forms of AI to assist with capturing data during digital conversations with you for the purposes of record keeping, providing services, managing complaints and communication purposes. For example, when you contact us by live chat on our websites, we may use AI to record, document and summarise your conversations with us and may capture personal data you declare about yourself during those exchanges or where you are prompted for certain personal data to better manage the issue.

13.2. We may use personal data to assist with the training of AI systems that are implemented if it is not possible to anonymise data so that an individual can no longer be identified.

13.3. The following principles guide our use of AI:
a) Responsible use: AI is used in a way that is safe, fair and equitable.
b) Confidentiality: Your confidentiality is protected at all times.
c) Compliance: We use AI in compliance with all applicable laws and regulations, including Data Protection Legislation.
d) Training: We provide information, training and support to all staff that use AI to ensure they are doing so in a responsible manner.

If you have a question about this privacy notice, how we use your personal data, or if you’re not happy with how we process your personal data, please contact the Data Protection Officer:
• By email - [email protected]
• By post - Data Protection Officer, esure, The Observatory, Reigate RH2 0SG

The below table is a sample of key third party intermediaries and underwriters outside esure Group acting as data controllers but is not an exhaustive list.
This list is correct as at the date in section 1 (Introduction) of this privacy notice and may change from time-to-time. We review and update this list periodically. For a current list of other data controllers, please contact our data protection officer