Assigned Data Protection Officer: Andrew Sladdin
The Data Protection Officer is responsible for data protection compliance. Any data requests or suspected data breaches should be notified to the Data Protection Officer immediately.
You can contact our Data Protection Officer at:
Address: 17 Clare Road, Halifax HX1 2HZ
Telephone Number: 01422 339147
Your Personal Data
What we need
G J Sladdin & Co Ltd will be what’s known as the ‘Controller’ of the personal data you provide to us. We may need to collect both Personal Data, such as your name, address, date of birth and contact details, and Sensitive Data such as details of your medical, financial and criminal information and history.
Why we need it
We need to know your personal and sensitive data in order to provide you with an insurance quotation, to issue a policy, to manage and administer the policy and to deal with any claims you may have. We will not collect any personal or sensitive data from you that we do not need in order to provide and oversee this service to you.
What we do with it
All the personal and sensitive data we process is processed by our staff in the UK. For the purposes of IT hosting and maintenance, this information is located on servers outside of our main office but within the UK. The information we hold on you will only be shared with our insurance partners and their authorised claims companies for the purpose of fulfilling the insurance contract. We may also need to share your information with public bodies, such as the police, in order to prevent fraudulent claims, and with regulators such as the FCA in order to respond to any complaints. If you agree to the use of a Third Party Finance provider, such as Close, they will be provided with certain personal and sensitive data in order for them to provide a loan. No other third parties have access to your personal data unless the law allows them to do so. We will never sell your personal data.
How long we keep it
We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after a policy sale, and in addition we must keep any data relative to Lloyd’s policy for a minimum of 7 years. After this time your data will be destroyed unless you have given us specific permission to hold the data in order to contact you about our products and offers. The information we use for marketing purposes will be kept with us until you notify us that you no longer wish to receive this information.
If at any point you believe the information we process on you is incorrect, you can request to see this information and even have it corrected or deleted. If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter. If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO). Our Data Protection Officer is Mr Andrew Sladdin and you can contact them at Andrew@sladdininsurance.com.
In the event that we suffer a Data Breach of any sensitive data, or data which is likely to risk your freedoms and rights (this includes damage to reputation, financial loss, loss of confidentiality etc.), then in addition to informing the ICO (Information Commissioner’s Office) we shall let you know within 72 hours. Examples include details of a home address and travel dates being lost in conjunction, as this could put you at risk of burglary, or the loss of card/bank details sufficient for someone to start making transactions on your account.
You have the right to request copies of all of the Data we hold on you. We will not charge for any request to provide a copy of the data we hold on you. Your request for data should be directed, in writing, to the Data Protection Officer, who will arrange for a copy of the data to be sent to you securely and without delay. We may need to verify that you are who you say you are before sending the data, and as such we may ask various questions to authenticate your identity. All subject access requests will be provided within one month of your request.
In the event that any of the data we hold is incorrect and out of date, please contact us and let us know as this will be rectified upon your instruction. We will follow our internal Data Flow Chart to ensure that all parties in the Data Chain relative to your policy are notified of the correction.
All clients have the ‘Right to be Forgotten’, unless we are obliged to hold the information for legitimate/contractual means. Any request for erasure should be referred to the Data Protection Officer Andrew Sladdin who will review the request and ensure there is no further legitimate reason for us to store the data. If the data can be deleted then all parties within the Data Chain will be notified.
We are required to stop processing your data in the event of any of the following:
Should you request it, the data we hold on you should be in a format that allows us to provide it easily to other parties. This should be done securely and without delay. We may need to verify that you are who you say you are before sending the data, and as such we may ask various questions to authenticate your identity.
You have the right to object to:
You can request that your data is not subject to automated decision making and profiling. “Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
The restriction does not apply if the decision is:
Subject access requests
We will have the right to refuse subject access requests but only if they are manifestly unfounded or excessive, and we must tell you our reason for a refusal. In the event of refusal you have the right to complain to the supervisory authority. All requests, whether accepted or refused, must be dealt with within 1 month of the initial request.
Lawful Basis for processing data
We only collect data that we need for the purpose of quoting, issuing, managing and administering, and dealing with claims for the insurance product you are enquiring about. We may also request your consent to contact you about other insurance products we offer.
Any information we request will be necessary to form a legal contract of insurance, or at least provide a quotation service precedent to a possible contract. Consent for any other use of your data must be freely given, specific, informed and unambiguous. There must be a positive opt-in; consent cannot be inferred from silence, pre-ticked boxes or inactivity. We will therefore ask you to confirm vocally over a recorded telephone call, or physically by tick box and signature, if we wish to use your personal data for any other purpose. This may be so that we can contact you in future about other insurance products that we offer. You can withdraw your consent for us to hold your data at any time provided we do not need it for the purposes of fulfilling a contract with you.
We record all telephone calls as this protects the interest of our company and staff as well as our clients. We are also obliged under FCA guidelines to record calls leading up to a transaction. We may at certain points turn off the call recording to prevent collection of sensitive data such as bank card details. Our telephone recordings are retained on a secure server and can only be accessed by secure logins which are restricted to certain members of staff and management.
Data Breach Procedure
If we discover a Data Breach then this must be reported to the Data Protection Officer, Andrew Sladdin, immediately. If the Data Protection Officer is unavailable for any reason then the breach should be notified to another senior member of staff.
The ICO need to be contacted within 72 hours of the breach, even if we have very little information at this stage.
The extent of the breach will be investigated to find out what data has been affected, how it has been accessed/leaked, and the risk of the data breach to individuals.
Privacy Impact Assessment
The implementation of any new systems, procedures, or business relationships will be subject to a Privacy Impact Assessment.
A Privacy Impact Assessment will address the following:
Your Right to Complain to the ICO (Information Commissioner’s Office)
If you are not satisfied with our use of your personal data, our response to any request by you to exercise any of your Individual Rights, or if you think we have breached GDPR, then you have the right to complain to the ICO:
Information Commissioner’s Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)