Privacy policy - RSA Insurance

Your privacy is important to us and we are committed to keeping it protected. We have created this Privacy Notice which explains how we use the information we collect about you and how you can exercise your data protection rights in accordance with data protection laws.

Who are we?

In this Privacy Notice, references to “we” “us” “our” mean RSA Luxembourg S.A. a company incorporated under the laws of the Grand-Duchy of Luxembourg, with a French branch (“RSAL”) registered in the French Commercial Court Registry under number 843 452 061. We provide commercial insurance products and services. We also provide insurance services in partnership with other companies.

Who will watch over your data?

The Data Protection Officer (DPO) of RSAL, will be the guarantor within RSAL of compliance with fee data protection regulations. The DPO will have enough resources to carry out his / her duties and attend to our clients within the Company.

What information do we collect about you?

The personal information we hold about you will often come directly from you when you make a claim or when you visit our website. This information may include the following:

Your personal details (for example, your name, date of birth and gender)
Your contact details (for example, your postal address, phone number and email address)
Payment/financial details (for example, direct debit or card payments)
Information relating to your health (for example, when making a claim for personal injury)
Information from your digital devices, such as IP address, where the device is located, use of websites (usually via cookies), the type of device being used, operating system and how you interact with us.

If you need to claim against an insurance policy taken out on your behalf, or if you make a claim against an insured party insured at RSAL, we will need to collect information about the incident and this may be shared with other selected companies to help process the claim. If other people are involved in the incident, we may also need to collect additional information about them which can include special categories of personal data (e.g. injury and health data). We may also need to share information about you with the representatives of other people involved in an accident with you to administer their claim, or to commence recovery action against them on your behalf.

Where do we collect information we hold about you?

Where possible, we’ll collect your personal information directly from you. However, on occasion we may collect or receive details about you from other people or companies. For example:

Joint policy holders
Insurance brokers
Where a company has applied for an insurance product on your behalf (e.g. employer)
It was supplied to us when you purchased an insurance product or service that is provided by us in partnership with other companies
Insurance related sources (e.g. fraud prevention databases; or sanctions lists).
Organisations which assist with claims handling, for example suppliers; medical professionals and hospitals; loss adjustors; or lawyers
Where your employer is our commercial customer or business partner
Publicly available sources, such as online registers
Third party organisations who provide information for marketing purposes

We request those third parties providing us with information to comply with data protection laws and act in a transparent manner in respect of any such disclosures.

Why do we collect your personal information and what is the legal basis for doing so?

As an insurer, we need your personal information to provide our services. We must have a legal basis (lawful reason) before we are allowed to use your personal information in the manner described in this Privacy Notice. In most cases, the legal basis will be one of the following:

Performance of contract: We need to use your personal information in order to provide you with the policy (which is a contract of insurance between you and us) and perform our obligations under it, such as investigating and making payments to you in respect of a claim made under the policy.
Consent: In some limited circumstances, we may need your permission or consent to use personal information about you.
Necessity to establish, exercise or defend a legal claim: If you, or we, bring a legal claim (e.g. a court action) against the other, we may use your information in either establishing our position, or defending ourselves in relation to that legal claim. We may also use your information in either establishing our position, or defending a claim brought against you pursuant to a peril insured by your policy of insurance, or pursuing a claim in your name against any other party for recovery of any monies paid out under your policy of insurance.
Compliance with a legal obligation: Where laws or regulations require us to use your personal information in certain ways.
Legitimate Interests: We will also process your personal information where this processing is in our "legitimate interests". When relying on this condition, we are required to carry out a balancing test of our interests in using your personal information (for example, carrying out market research, protecting ourselves from fraud, developing new products and services, etc), against the interests you have as a citizen and the rights you have under data protection legislation. The outcome of this balancing test will determine whether we can use your personal information in the ways described in this Privacy Notice. We will always act reasonably and give full and proper consideration to your interests in carrying out this balancing test.
Legal exemption to process special personal information for insurance purposes: when servicing a claim for personal injury, we may need to process information regarding your health. For this purpose, we have a legal exemption to be allowed to process this kind of special category of personal data.

The table below sets out what we use your personal information for and our legal basis for doing so.

What we use your information for	The legal basis for doing so
The administration of your insurance policy. Including the communication for legal, regulatory and servicing purposes and claims handling.	Contract Legitimate Interests
The processing of payment information	Contract Legitimate Interests
To personalise the marketing messages delivered to you about our products, services, news and offers. We may share some information (in a secure format) with social media companies so that they can match this to information they already hold. This does not allow us access to your accounts or provide us with any confidential information relating to your accounts. It allows us to provide you with appropriate marketing advertisements via these social media channels. If you do not want us to share this information with social media companies for this purpose, you can tell us not to.	Consent (for the placement of cookies) Legitimate Interests (for the subsequent processing of personal data)
To develop and improve our products, services and pricing including market research and statistical analysis	Legitimate Interests
To ensure the integrity and safety of our services and the insurance branch	Legitimate Interests Legal obligation
Share information with relevant industry bodies, external companies/organisations to help prevent and detect fraud/financial crime, and where necessary verify information you have submitted	Legal obligation Legitimate Interests
To comply with all necessary legal and regulatory requirements that apply to us, and co-operate with regulators and law enforcement organisations	Legal obligation
To provide training, development and security, for example the recording or live monitoring of calls.	Legitimate Interests

Who will we share your personal information with?

We will keep your personal information confidential at all times and only process it in accordance with this Privacy Notice. We will share your information with our employees and contractors for the purpose of providing our service to you and for exercising our legitimate interests.

We do not disclose your information outside of RSAL except:

Where we need to check the information you gave to us with a third party organisation before we can service an insurance product;
Where we are required or permitted to do so by law or relevant regulatory authority (e.g. financial crime/sanction screening, fraud detection/prevention);
In the event that we may be taken over, or sell any business or assets, in which case we will disclose your personal information to the prospective buyer of such business or assets. They will only be able to use the data for the same purposes for which it was originally provided;
As required to enforce the contract of insurance itself;
Within the RSA group for administrative and research purposes;
As required in order to give effect to contractual arrangements we have in place with any insurance broker and/or intermediary through which you have arranged a policy including where we provide insurance services in partnership with other companies
With healthcare providers in the context of any relevant claim being made against a policy;
If we appoint a third party to process and settle claims under the policy on our behalf, in which case we will make your personal information available to them for the purposes of processing and settling such claims;
With our third party service/assistance providers (including hosting/storage providers, research agencies, technology suppliers etc.);
With our reinsurers (and brokers of reinsurers) in connection with the normal operation of our business;
With our claims suppliers for the purpose of providing you with claims services pursuant to the contract of insurance;
With databases such as fraud prevention databases for the purposes of fraud detection and prevention or sanctions lists;
Your advisors (such as lawyers or professional advisors), who you have given authority for us to share your personal information with or given authorisation to deal with us directly for example a power of attorney; and
Social media companies (in a secure format) so they can display messages to you about our products and services, or to make sure you do not get irrelevant messages (for example, we will we not show messages about products / services you already have).

Sometimes your personal information may be sent to other parties outside the European Economic Area (EEA) in connection with the purposes set out above. We will take all reasonable steps to ensure that your personal information is treated securely and in accordance with this Privacy Notice, and in doing so may rely on certain "transfer mechanisms" such as the standard contractual clauses approved by the European Commission. If you would like further information please contact us.

How long will we keep your information?

We will retain your personal information for as long as we have a relationship with you. Once our relationship has ended we will only retain your personal data for as long as is necessary to satisfy any legal, accounting or reporting obligations, or as necessary to resolve disputes. To assist with the determination of the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes we process your personal information for and whether we can achieve those purposes through other means.

In addition, your personal information will be retained under one or more of the following:

To maintain business records for analysis, auditing or for a limited period of time, using some of your personal information to improve the products or services we provide.
For as long as your personal information is required to allow us to conduct fraud and/or criminal checks and investigations.
To deal with any future complaints about the products and services we provide.
For as long as is required by statutory authorities to meet our obligations for accounting, legal, tax and regulatory purposes.
For as long as is required to defend or take legal action.

If you would like more information about how long we will keep your personal information for, please contact us at rsa.dp@eu.rsagroup.com

Will you be contacted for marketing purposes?

RSAL will only contact you for marketing purposes if you have previously agreed or if RSAL is permitted under applicable law. This could be via any channel we hold contact information for you. Where that’s the case:

We will let you know about offers and services we think you’ll like and any special offers available to you. Where appropriate these messages may be personalised using information you have previously provided us.
We will only contact you for marketing purposes if we collected your information directly or when authorised and instructed by a third-party acting on your behalf.
We may use the information which we collect about you to show you relevant advertising on third-party websites (e.g. Facebook or Google). This could involve showing you an advertising message where through the use of cookies, we know you have browsed our products and services. If you don’t want to be shown targeted online advertising messages from us, you can change the advertising setting on some third-party sites and some browsers to block our adverts.
In some circumstances we may share some of your information (in a secure format) with social media companies so that they can match this to information they already hold to display messages to you about our products and services.

You can ask us at any point to stop sending you marketing, and request that your personal information is not processed for the purposes of marketing.

What are your rights over the information that is held by us?

We understand that your personal information is important to you, therefore, in accordance with your rights under data protection laws, you may request that we:

1. Provide a copy of the personal information we hold about you. This is known as the right of subject access and is an entitlement to a copy of the information only, you are not entitled to documents.

2. Delete your personal information. This is known as the right of erasure. Please note, we may not be able to comply with this request in full where, for example, you are still insured with us and the information is required to fulfil the conditions of the insurance contract.

3. Give you (or a third party) an electronic copy of the personal information you have given us. This is known as the right of data portability. We would provide the information in a commonly used electronic format.

4. Restrict how we use your personal information under the following circumstances:

a) If you believe that the information we hold about you is inaccurate, or;

b) If you believe that our processing activities are unlawful but you do not want your information to be deleted.

c) Where we no longer need to use your information for the purposes set out in this Privacy Notice, but it is required for the establishment, exercise or defence of a legal claim.

d) Where you have made an objection to us (in accordance with point 5 below), pending the outcome of any assessment we make regarding your objection.

5. Enable you to object to the ways in which we are using your personal information, under the following circumstances

a) Where we believe it is in the public interest to use your information in a particular way, but you disagree.

b) Where we have told you we are using your data for our legitimate business interests and you believe we shouldn’t be (e.g. you were in the background of a promotional video but you did not agree to be in it).

6. Correct any personal information we hold. Please contact us if any information is incorrect, or any of your personal information has changed.

For points 5.a and 5.b above, we will stop using your information unless we can reasonably demonstrate legitimate grounds for continuing to use it in the manner you are objecting to.

For certain limited uses of your personal information, we will ask for your consent. Where we do this, you have the right to withdraw your consent to further use of your personal information. Please note in some cases we may not be able to provide our services if you withdraw your consent. Also, please note that withdrawing your consent does not affect the lawfulness of the processing already performed and we are not under any obligation to undo any previous processing of your personal data.

If you would like to request any of the above, please contact us via our email address

rsa.dp@eu.rsagroup.com or write to us at:

The Data Protection Officer

RSA Luxembourg, S.A., Sucursal en España

Edif. Torre Europa, Pº de la Castellana, 95 – Planta 19

28046 Madrid (SPAIN)

To ensure that we do not disclose your personal information to someone who is not entitled to it, when you are making the request we may ask you to provide us with:

Your name;
Address(es);
Date of birth; and
Any policy IDs, claim numbers, or reference numbers that you have along with.
A copy of your photo identification, such as your photocard driving licence or passport; and
A copy of a utility bill showing your name and address dated within 3 months of your request.

If you appoint a third party to act on your behalf, for example, a solicitor, we will ask them to provide your signed authority for them to act on your behalf AND the identity information and documents listed above.

All rights requests are free of charge, although in exceptional circumstances permitted by regulation, we reserve the right to charge a reasonable administrative fee.

Wherever possible, we will respond within one month from receipt of the request, but if we don’t, we will notify you of anticipated timelines ahead of the one month deadline together with brief explanation as to why we are unable to respond within the initial one month deadline. If your request relates to the erasing of personal data and due to the complexity of the situation, we are not able to respond with one month, we will inform you that we will respond in full within two months.

Please note that simply submitting a request doesn’t necessarily mean we will be able to fulfill it in full on every occasion – we are sometimes bound by law which can prevent us fulfilling some requests in their entirety, but when this is the case we will explain this to you in our response.

Cookies

Cookies and similar technologies are small text files that are placed on your device (computer, mobile phone or tablet) when you visit a website, use an app or they can be included within emails.

Strictly Necessary cookies are fundamental to the running of our website and cannot be switched off, they ensure that the website works correctly and in a secure manner. Without these cookies, services you may ask for such as obtaining an insurance quote, utilising online discounts, logging into your account, paying for and renewing your policy cannot be provided. Other essential cookies are considered strictly necessary on the basis that they enable the transmission of communications over a network. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

As we only use strictly necessary and communications cookies on this website, we are not required to gain your consent to place these on your devices.

For more information on our cookie use visit our Cookie Policy or for more general information about cookies visit www.allaboutcookies.org

Our Privacy Notice

If you have any queries regarding our Privacy Notice, please contact us at the address below and we will be happy to discuss any query with you. Our Privacy Notice will be updated from time to time, so please check it each time you submit personal information to us or renew your insurance policy.

The Data Protection Officer

RSA Luxembourg, S.A., Sucursal en España

Edif. Torre Europa, Pº de la Castellana, 95 – Planta 19

28046 Madrid (SPAIN)

You may also email us at rsa.dp@eu.rsagroup.com

Additionally, we inform you that you have the right to make a complaint to your local privacy supervisory authority, the Commission nationale de l'informatique et des libertés (CNIL) or to the Commission Nationale de la Protection des Données (CNPD) in Luxembourg, when you consider that we have not treated your data in accordance with the regulations, through the web page enabled for such purposes by the corresponding Control Authority.

Who we are

Products and services

Claims

News and resources

Careers

Privacy Notice