You can visit our websites without revealing who you are or providing any personal information about yourself.
We take care to protect the privacy of our clients and investors and for users of these websites. This policy explains how we process information about website visitors. Be aware that the Charles Taylor Group (CTG) is a combination of separate entities and each have their own Privacy Notices which should be read when dealing with a specific entity.
For example the CEGA Privacy Notice can be found at https://www.cegagroup.com/group_privacy and its Fair Processing Notice is at https://www.cegagroup.com/cega_fair_processing_notice ; if you cannot find the link to the entity you are dealing with, please contact our Data Protection Officer (see below) for assistance.
It sets out how we process
a) non-personal data in the form of information from Cookies, (see below under “Cookies”) and
b) personal data (that is, data which allow you to be identified, either on its own or with other data available to us or the public). We have set this section out for you under “Group Fair Processing Notice,” below.
For the purposes of Schedule 1 Part 4 of the Data Protection Act 2018, we set out below our procedures for securing compliance with the principles of Article 5 of the General Data Protection Regulation (GDPR).
1. CTG will keep and maintain a Data Inventory, listing the categories of all the Personal Data that it processes, including specifying the Special Category Personal Data.
3. CTG conducts Privacy Impact Assessments upon developing new procedures or processes,or entering into new forms of business which involve the processing of personal data. The CTG DPO shall be responsible for any prior consultation with the ICO within the meaning of Article 36 GDPR. CTG will act in accordance with all its legal and ethical obligations in respect of personal data, including (but not limited to) Applicable Data Protection Law.
4. CTG will give effect to Articles 12-14 GDPR and the Right to Information.
5. Any contracts in which both CTG and another entity are both Data Controllers shall where possible specify the division of responsibilities in a manner that maximises the transparency of approach to data subjects, especially with respect to their Data Subject Rights.
Processing personal data for Specified Purposes only
CTG maintain the Data Inventories which shall include:
-as against every type and category of Personal Data the lawful basis (or bases) for its processing, according to Article 6 GDPR;
-as against every type and category of Special Category Personal Data, the exemption (or exemptions) relied upon under Article 9(2) GDPR from the prohibition in Article 9(1) GDPR;
-as against every type and category of personal data relating to criminal convictions and the like (Article 10 GDPR), the provision of Applicable Data Protection Law which permits such processing (this type of personal data will normally only be processed if CTG are advised of, or discover, fraudulent conduct)
-a record of any circumstances in which CTG as a data controller relies on its own legitimate interests,
-where the processing of personal data is for different purposes than the original purposes for which the personal data was obtained, the new, different, purposes shall be recorded in the Data Inventory.
CTG will only process Personal Data insofar as is reasonably necessary to do so.
CTG will review its Data Inventory on a periodical basis, no less than once per annum,
CTG shall ensure, where reasonably practicable, that all personal data it processes shall be accurate and up-to-date.
CTG provides for the Right to Rectification, which shall be effected without undue delay on receipt of a written Request from, or on behalf of, a data subject seeking to rectify (including seeking to amplify) their Personal Data.
8. Data Retention
The CTG Data Retention Policy provides details as to the period for which types and categories of personal data shall be retained, and the lawful basis for that retention.
9. Appropriate Technical & Organisational Measures
CTG shall take all appropriate technical and organisational measures to keep Personal Data secure and processed only for the authorised purposes.
10. Audit and Review
This Policy shall be reviewed on an annual basis by the CTG DPO and the Boards of each of the CEGA Group Companies and the Senior Leadership Team.
The cookies placed on your device as a result of your accessing this website collect information about how visitors use the site, for instance which pages visitors go to most often, and whether they get error messages from web pages. These cookies do not collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works. By using our website, you agree that we can place these types of cookies on your device.
GROUP FAIR PROCESSING NOTICE
This Fair Processing Notice tells you about processing of “personal data” by Charles Taylor Group.
What we hold
We may hold and process your personal data in order to provide professional Services to clients in the global insurance industry. Our activities (‘the Services) may include
- performing contacts of insurance,
- claims and funds handling,
- claims and fund management,
- claims administering,
- underwriting, loss
- the provision of medical assistance
(And we may also use Personal Data which is provided to us or generated by us to
- provide tailored Services for Clients and customers requirements and to treat them in a more personal way
- carry out analysis and market research
- carry out marketing
- undertake online advertising
- improve our websites and Services
- carry out administrative and management purposes).
When providing the Services, we may be the “data controller” of your personal data, though sometimes, in providing the Services on behalf of another party we may be operating as a “data processor.”
We may also sometimes be a joint data controller with a company. If you don’t know who the proper data controller for your personal data is, then you can contact us below, and we will check for you.
Your contact point
We are committed to processing all personal data fairly, lawfully, and transparently. To make things simpler, Charles Taylor Group have nominated one data controller, Charles Taylor Plc, to handle all requests or queries you might have about our processing of your personal data. We have appointed a Group Data Protection Officer (“DPO”) to oversee compliance with data protection law. The contact details are: Barry Proudfoot, The Minster Building, 21 Mincing Lane, London, EC3R 7AG; firstname.lastname@example.org.
What types of personal data do we collect and retain, and why?
The data we hold and process generally includes names, contact details, dates of birth, insurance policies, contracts, or claims in which you may have been or are currently involved. This may include special category personal data including, potentially, information about your medical history, race, ethnicity, sexual orientation, religious beliefs, trade union membership, genetic and biometric data, political opinions, and any other physical or mental health details. This personal data is held only for the purposes of performing the Services.
Charles Taylor Plc will almost always obtain your data from either you directly, or our clients, who include individuals, businesses, trusts, funds and insurance companies, who in turn will have obtained it from you or your employer or family member or a company close to you in relation to a contract, insurance policy or employment policy.
What are our legal bases for using your personal data?
Our lawful bases for processing personal data include:
- where you have given us your consent, we rely on that consent, including your explicit consent to process special category personal data;
- where you are party to a contract, and that contract requires your personal data to be processed;
- where we may have legal obligations that mean we have to process personal data, including anti-money laundering obligations, checking criminal convictions, checking international sanctions registers and fraud investigation and recovery;
- where we need to process it to establish, exercise or defend legal claims, or where we are involved or about to be involved with the Courts acting in their judicial capacity;
and some aspects of our processing may fall within the “public interest” lawful basis.
Where we rely on your consent to process your personal data you can withdraw that consent at any time. To exercise these data subject rights please contact the following email address: email@example.com Where the personal data is provided without it being required under a statutory or a contractual basis, there will be no adverse consequences as a result of withdrawal of consent, although it may make it more difficult to provide the same level of service as before the withdrawal of consent.
In all circumstances, however, we also rely on our legitimate interests, and those of our insurance industry clients’ or other clients’, to ensure that you and the other people who are named under your insurance policy are properly protected by the provision of adequate insurance against the risk of misfortune. Where we rely on our legitimate interests, we will always balance them against the rights and freedoms of the people whose personal data we process. Where their rights override our legitimate interests and there are no other legal bases for processing we will cease to process personal data.
Who do we share your personal data with?
From time to time, we may need to disclose personal data to third parties. Sometimes, these will be companies who process on our behalf and only act upon our instructions. Sometimes, these will be individuals and companies such as: consultants; doctors; experts; lawyers; and other professionals within or connected to the insurance industry.
From time to time we may need to transfer your personal data outside the European Union. Where your personal data is transferred outside of the European Union, we will only, save for exceptional circumstances, do so:
* to a county in the European Economic Area or that the European Commission has certified as having adequate data protection law; or
We will keep records of where your data has been sent outside of the EU and you can have access to these records if you wish. We will keep personal data for as long as we need it for the purpose it is being processed for or longer if there is a legal requirement to do so. We will review the information we hold and delete it or where appropriate pseudonymise it where there is no longer a legal, business or customer need for it to be retained.
Automated decision taking
There are some very limited circumstances where we, on behalf of our clients, use computer questionnaires to give you a quick decision on whether or not they can provide you with insurance cover, and in some cases to generate a quote based on your individual circumstances, including things which may involve your Special Category Personal Data (for example, your health data). This is a form of ‘automated decision-making’, because it compares your answers against our insurance client’s criteria and makes a ‘decision’ about whether to provide cover and, at times, how much that might cost.
There may be some very limited circumstances where we, on behalf of our clients, use automated decision making to provide decisions in relation to dealing with, progressing and settling insurance claims. Such processing will not generally involve your Special Category Personal Data, but nonetheless, is a form of ‘automated decision-making’ as it assists in our decision making about the progressing and settling of insurance claims.
We will not use automatic decision making without
(a) either your explicit consent; or
(b) it being necessary for entering into, or performance of, a contract between yourself and a data controller (such as ourselves or an insurance company who we are supporting) or
(c)) you being told by a data controller that a decision has been taken solely on automated processing.
However, if you are not happy with the result of an automated decision, you can request human intervention, express your own views, and/or contest the automated decision by writing to Barry.Proudfoot@ctplc.com (but please put ‘Automated Decision-Making’ in the email Subject line).
What Security measures we take
We have considered currently available technological and organizational tools, their costs and the nature, scope, context and purposes of the processing we are engaged in. We have implemented appropriate technical and organisational measures to
-help prevent unlawful or unauthorised processing, accidental or unlawful destruction, damage, loss, alteration, disclosure or access to Personal Data and
-help to ensure the security of Personal Data,
which we have received or generated ourselves.
Your legal rights
You have various legal rights in your personal data including the right of: information and access to your data, including a “portable” copy of your data; to request erasure and rectification of your data; and rights to restrict or object to processing of your personal data. Responses to your requests will be provided within one month unless your request is complicated in which case we may have to may extend the deadline for responding to three months, but we will let you know if this is the case. Generally, there is no fee for making these requests.
Responses to your requests in accordance with the applicable law. You should keep in mind that, depending on the right you want to exercise, and the type of personal data involved, there may be legal reasons why we cannot meet your request.
If you want to make a request- for example, if you want to receive a copy of the personal data which we hold about you- we suggest that you make a request in writing and include the following information with your request:
- Your name and postal address
- Details of your request (it will be easier to find the information if you can be specific as to what you want from us)
- Your signature and the date of your request
- If you are applying on behalf of another person, the signed original authority form that individual (a photocopy will not suffice).
We may need corroborating information to establish your identity, so when writing we suggest that you supply us with a copy of your passport or your driving licence. You should not send copies of these over the internet as it is not necessarily secure.
We ask for these details because we want to protect your personal data by being as sure as we reasonably can that you are not being impersonated.
How to contact us, and your right to complain to our supervisory authority
If you have any questions about this Notice, please contact our DPO.
We work conscientiously to handle your personal data responsibly. If you are unhappy with the way we are doing this, please contact our DPO, who will try to address your concerns.
However, you have a right to complain to the UK’s data protection supervisory authority; the Information Commissioner at:
Information Commissioner’s Officer
How do we tell you about future changes of this Notice?
If we change this Notice, we will let you know by publishing the updated version on our website. We aim to protect and respect your privacy, and that intention will carry on in any future changes to this Notice.
Last updated May 2019
This site and all content are copyright © Charles Taylor plc
All rights reserved