POLICYHOLDER PRIVACY NOTICE

This Privacy Notice explains the use and processing of Policy Personal Data (as this term is defined below) by Great American Europe Limited of 32 Queen Square, Bristol, BS1 4ND, UK

(“Great American“, “we”, “us” and “our”) pursuant to Great American insurance products.

IMPORTANT:

This Privacy Notice describes Great American’s data protection practices and data subjects’ rights in respect of personal data relating to (i) Policyholders; (ii) Insureds and (iii) Claimants (as each term is defined below).

IMPORTANT INFORMATION FOR COMMERCIAL POLICIES:

Great American only maintains a contractual relationship with Policyholder, so it is important that Policyholder ensures on its entering into its insurance contract with Great American, that all Insureds (where relevant) and all Claimants are promptly provided information of Great American’s control and processing of their personal data as is described in this Privacy Notice and as otherwise required pursuant to Articles 14 GDPR (as defined below), in order for Great American to comply with Article 14 including the timelines prescribed by Article 14(3) GDPR.

DEFINITIONS AND INTERPRETATION:

• For the purposes of this Privacy Notice,
  • Claimant means an incorporated or unincorporated body or natural person who makes a claim under and/or pursuant to a Policy.
  • Data Protection Law means the Data Protection Acts 1988 and 2003, the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 and from 25 May 2018 the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) as implemented under applicable national law and as any of the foregoing may be amended, extended or re-enacted from time to time.
  • Insured means an incorporated or unincorporated body or natural person, other than a Policyholder, who is a beneficiary under a Policy,
  • Policy means an insurance contract between Great American and Policyholder.
  • Policyholder means an incorporated or unincorporated body or natural person who enters into a Policy with Great American.
  • Policy Personal Data means personal data relating to any Policyholder, Insured or Claimant processed by Great American pursuant to a Policy.
  • The terms “controller”; “data subject”; “personal data”; “processor” and “processing” (and any derivatives of this term) each have the meaning given under Data Protection Law. Please note that “personal data” does not include data where the identity has been removed (i.e. anonymous data).

PERSONAL DATA COLLECTED AND PROCESSED

As part of setting up and administering a Policy and assessing and processing any claims, Great American will collect and gather the following categories of personal data:

• Identity Data such as first name, surname, gender, date of birth, marital status, place of work, employment details, and insured property to the extent such property identifies a data subject.
• Contact Data such as address, e-mail address, telephone number, and workplace contact details.
• Regulatory Information, if applicable, such as ‘know your customer’ or anti-money laundering information required by law or regulation.
• Benefits Data concerning Policy benefits and coverage allocated to Insureds and/or property (to the extent such property may be associated with a data subject).
• Special Data consisting of data revealing health including details of personal injury (which is a special category of personal data under Data Protection Law) and details of loss or damage to property (each of the foregoing as necessary for claims management purposes).
• Financial Data consisting of credit related data of company directors in respect of certain Great American commercial bond products.

The type of Policy Personal Data collected and processed varies depending upon whether you are a Policyholder, Insured or Claimant, the kind of insurance cover provided, and the type of claim we are being asked to pay.

• Aggregated data: Great American collects, uses and shares aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from Policy Personal Data but is not considered personal data under Data Protection Law as this data does not directly or indirectly reveal data subjects’ identity.

If you fail to provide personal data: In some cases, providing personal data is necessary to enter into an insurance contract with Great American and/or to comply with applicable law. Where Great American needs to collect personal data: (a) by law; (b) under the terms of a Policy or other contract we have with a Policyholder; (c) in order to offer, underwrite, extend and administer Policy benefits to Insureds; or (d) to assess and process Policy claims by Claimants; and this personal data is not provided when requested (whether requested by Great American or by one or more third party intermediaries), Great American may not be able to perform its obligations under a Policy and the processing of any claims may be delayed, suspended or stopped.  The provision of false information may mean that a claim made under a Policy will not be paid and may possibly result in criminal prosecution for fraud.

HOW IS PERSONAL DATA COLLECTED?

Typically Great American receives Policy Personal Data relating to Policyholders, Insureds and Claimants indirectly from insurance brokers, third party agents, claims handlers, loss adjusters and third party intermediaries appointed by Great American. This Privacy Notice sets out Great American’s data protection practices and data subjects rights for:

• Policy Personal Data it receives directly from Policyholders in respect of Great American contract bond products; and
• Policy Personal Data it receives from insurance brokers, third party agents, claims handlers, loss adjusters, third party intermediaries and other sources.

The means by which Great American collects Policy Personal Data is by:

• Direct interactions: for contract bond products only, completion of Policy application and renewal documentation; or communications by post, telephone, email or otherwise. For example Great American will communicate with contract bond Policyholder and Insureds by post and electronic communications for Policy creation, administration and processing claims.
• Indirect interactions: Great American receives Policy Personal Data relating to Policyholder, Insureds and Claimants from insurance brokers, third party agents, claims handlers, loss adjusters, third party intermediaries, solicitors and other third parties involved in the creation and administration of a Policy and/or a Policy claim;
• Third parties or publicly available sources:
  • Identity Data and Contact Data from publicly available sources such as Companies Registration Office; and
  • Identity Data and Financial Data from credit agencies.

HOW GREAT AMERICAN USES POLICY PERSONAL DATA

Great American will only use Policy Personal Data in accordance with Data Protection Law and other applicable laws. Most commonly, Great American will use Policy Personal Data in the following circumstances:

• Where Great American needs to perform an insurance contract we are about to enter into or have entered into with Policyholder.
• Where it is necessary for Great American’s legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where Great American must comply with a legal or regulatory obligation.

Generally, Great American does not rely on consent as a legal basis for processing Policy Personal Data other than when we need to process Special Data of Claimants when assessing and processing a claim. Typically, such consent is obtained from Claimants by third party claims managers whom Great American engages to manage Policy claims.  You have the right to request the withdrawal of your consent by contacting us, using the details listed in Section 12 (Contact Us).

Purposes for which Policy Personal Data is used: Below, in a table format, is a description of the ways Great American use Policy Personal Data, and which of the legal bases it relies upon to do so.  Great American may process Policy Personal Data for more than one lawful ground depending on the specific purpose for which the Policy Personal Data is used.  Please contact us if you need details about the specific legal ground we rely on to process your personal data.

Great American will only process Policy Personal Data in a manner compatible with the purposes described in this Privacy Notice, unless required or authorised by law, where it is in your own vital interest or that of another person (e.g. in the case of an emergency), or where we issue a revised Privacy Notice.

RECIPIENTS OF PERSONAL DATA

Great American contracts with other entities that perform certain tasks on its behalf (“Service Providers”). This is required in order to provide and manage a Policy and any underwriting and claims made pursuant to a Policy.  Unless we tell Policyholder differently, the Service Providers do not have any rights to use Policy Personal Data or other information shared with them beyond what is necessary to assist Great American, as relevant.  Such categories of Service Providers are detailed in Section 2.

From time to time, Great American will need to make Policy Personal Data available to its group companies (i.e. a parent company, a subsidiary company and/or a parent of another subsidiary company) for the provision of and administration of a Policy or due to executive oversight by its parent company. From time to time, Great American will need to make Policy Personal Data available to unaffiliated third parties.  Such unaffiliated third parties may include the following:

• Professional advisors: Accountants, auditors, lawyers, bankers, insurers, and other outside professional advisors in all of the countries in which Great American operates.
• Service Providers: Companies that provide products and services to Great American such as reinsurance providers, loss adjusters, claims handlers, third party agents and intermediaries, IT systems suppliers and support, data storage, IT developers, insurance, credit card companies, payment processors, analytics companies, website hosting providers and other service providers.
• Public and Governmental Authorities: Entities that regulate or have jurisdiction over Great American and/or a Policy and/or a Policy claim such as regulatory authorities, law enforcement, public bodies and judicial bodies.
• Corporate transaction: A third party in connection with any proposed or actual reorganisation, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of the Great American business, assets or stock (including in connection with any insolvency event or similar proceedings).

INTERNATIONAL DATA TRANSFERS

Policy Personal Data may be transferred, stored and accessed within the European Economic Area (“EEA”) or transferred to, stored in, and accessed from the United States of America in order to fulfil the purposes described in this Privacy Notice, including to provide information to its group companies. For transfers to the United States of America, the data protection regime may be different than in the country in which you are located, and will therefore, be based on a legally adequate transfer method.

Whenever Great American transfers Policy Personal Data out of the EEA to the United States of America, we ensure a similar degree of protection is given to it by using specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.

You are entitled upon request to receive a copy of the EC model contractual clauses used to protect your Policy Personal Data during such transfer. Please send your request as indicated in Section 12 below (Contact Us).

SECURITY MEASURES

Great American is committed to maintaining the security of Policy Personal Data processed. Great American maintains appropriate physical, procedural, organisational and technical security measures intended to prevent loss, misuse, unauthorised access, disclosure, or modification of Policy Personal Data under its control.    If you have reason to believe that any of your Policy Personal Data is no longer secure, please notify Great American immediately using the contact information supplied in Section 12 below (Contact Us).

RETENTION PERIOD

Great American retains Policy Personal Data for no longer than is allowed under Data Protection Law and, in any case, no longer than such personal data is necessary for the purpose for which it was processed. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which we process personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.  Typically (but not always) our retention period for Policy Personal Data will be for 6 years after Policy coverage ends, unless a longer retention period is required by applicable law or regulation (such as retention obligations arising under financial regulations and tax law or for litigation purposes) or is justified under applicable statutory limitation periods.

In some circumstances we may anonymise personal data (so that it can no longer be associated with data subjects) for research or statistical purposes in which case Great American may use this information indefinitely without further notice to you.

YOUR DATA PROTECTION RIGHTS

Under certain circumstances data subjects (including Policyholders, Insureds and Claimants) have rights under Data Protection Law in relation to personal data, namely:

• Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.  You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.  Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and you believe the processing impacts your fundamental rights and freedoms. However we may demonstrate that we have compelling legitimate grounds to process your information that override your objection.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it because you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.  Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Withdraw consent at any time if and to the extent we are relying on consent as the legal basis to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.  If you withdraw your consent, we may not be able to provide certain products or services to you, or process a Policy claim.  We will advise you if this is the case at the time you withdraw your consent.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee, or refuse to comply, if your request is clearly unfounded, repetitive or excessive.  We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights).  This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.  We may also contact you to ask you for further information in relation to your request to speed up our response.  We try to respond to all legitimate requests within one month.  Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests.  In this case, we will notify you and keep you updated.

In order to exercise one or more of your rights in respect of your personal data, please contact Great American using the information provided below under Section 12 (Contact Us). Great American will respond to your request(s) as soon as practicable, but in any case within the legally required period of time.

Data subjects have the right to make a complaint at any time to the Information Commissioner’s Office (ICO) for data protection issues (https://ico.org.uk/ ). We would, however, appreciate the opportunity to respond to your concerns first, so please contact us using the information listed in Section 12 (Contact Us) below.

UPDATING YOUR PERSONAL DATA

It is important that the personal data Great American holds relating to Policyholders, Insureds and Claimants is accurate and current. Please keep Great American informed, using the contact details listed in Section 12 (Contact Us) below of any Policy Personal Data changes during your relationship with us.

CHANGES TO THIS PRIVACY STATEMENT

Great American reserves the right to change this Privacy Notice at any time in its sole discretion. If changes are made, they will be posted to our website and Policyholders will otherwise be informed. Policyholders, Insureds and Claimants may be asked to confirm that they have read the Privacy Notice as modified.

This version of Great American’s Privacy Notice was last updated on 25^th April 2019

CONTACT US

Great American has appointed a Head of Compliance who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact us using the following details:

Head of Compliance

Great American Europe Limited

32 Queen Square, Bristol, BS1 4ND, UK