At Dual ("we", "us", "our"), we regularly collect and use information which may identify individuals ("personal data"), including insured persons or claimants ("you", "your"). We understand our responsibilities to handle your personal data with care, to keep it secure and to comply with applicable data protection laws.
Do read this policy with care. It provides important information about how we look after your personal data and explains your legal rights and how the law protects you. This Policy is not intended to override any terms of business agreement which you have with us or any rights you might have available under applicable data protection laws.
We may amend this Policy from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will notify you about material changes by prominently posting a notice on our website. We encourage you to periodically check back and review this policy so that you always will always know what information we collect, how we use it, and with whom we share it. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Dual Corporate Risks Limited (“Dual Corporate Risks Ltd") is a Managing General Agent, authorised and regulated by the FCA with firm reference number . Our registered office is First Floor Bankside House, 107-112 Leadenhall Street, London, EC3A 4AF. Dual Corporate Risks Ltd uses several trading/brand names, has a number of appointed representatives which are listed on https://register.fca.org.uk.
Dual Corporate Risks Ltd and your Broker are jointly responsible for your personal data and are therefore Joint Data Controllers. You should be aware that Dual Corporate Risks Ltd may hold your personal data in databases which can be accessed by its Group company Hyperion Insurance Group (HIG) for insurance purposes only.
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you as follows:
Insured Persons. In order to arrange, administer and underwrite insurance policies, we collect information about the policyholder and related parties. The policyholder may be an individual, company or their representative. The level and type of personal data we collect varies depending on the type of policy that you have. In general, this is likely to include background and contact information on the policyholder or their representative, and matters relevant to the management of the insurance policy and assessment of risk. In some instances, it is necessary for us to collect and use Special Categories of Data, such as information about a past criminal conviction or health details potentially including information about children’s health. For more information on what information we collect, please see Appendix 1.
Claimants. If a policy holder seeks to rely on the insurance cover, we will collect information about the individual making a claim under a policy. This will include the collection of basic contact details, together with information about the nature of your claim and any previous claims. If the claimant is an Insured Person, we will also need to check details of the policy you are insured under and your claims history. , And, depending on the nature of your claim, it may be necessary for us to collect and use Special Categories of Data, such as details of a personal injury you may have suffered during an accident or potentially information about children’s health. For more information on what information we collect, please see Appendix 1.
We also obtain information about you from credit reference agencies and similar third parties.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.
We are required to establish a legal exemption to use your Personal Data - see Section 5 and Appendix 2 for further details. From time to time, you may need to provide us with the personal data of third parties, for example if you suspect that someone has unlawfully taken possession of fine arts, or in relation to a sports injury of a third party relevant to a claim under a policy. You should take steps to inform the third party that you need to disclose their details to us, identifying Dual Corporate Risks Ltd as your insurer.
Insured Persons. If you are an insured person we will use your personal data to consider an application for an insurance policy, verify your identity and carry out fraud checks, assess and evaluate risk. Once we have provided you with your policy we will use your personal data to administer your policy, deal with your queries, manage the renewal process and deal with complaints. We may also send you marketing materials and share your personal data with other HIG Group companies in order to identify products and other services which the HIG Group offers which may be of interest to you (where we have appropriate permissions). We will also need to use your personal data for purposes associated with our legal and regulatory obligations as an insurance intermediary.
Claimants. If you are a claimant we will use your personal data to assess the merits of, and validate, your claim, potentially to pay out a settlement and deal with complaints. We may also need to use your personal data to evaluate the risk of potential fraud, a process which uses automated processes. If you are also an Insured Person, we will use personal data related to your claim to inform the renewal process and potentially any future policy applications.
We will make sure that we only use your personal data for the purposes set out in this Section 5 and in Appendix 2 where we are satisfied that:
Before collecting and/or using any Special Categories of Data we will establish an additional lawful exemption to the grounds set out above which will allow us to use that information. This additional exemption will typically be:
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
PLEASE NOTE: If we have previously advised that we are relying on consent as the basis of our processing activities, going forward we will not be relying on that legal basis save where otherwise explicitly stated.
PLEASE NOTE: If you provide your explicit consent to permit us to process your Special Categories of Data, you may withdraw your consent to such processing at any time. However, you should be aware that if you choose to do so we may be unable to continue to provide insurance services to you (and it may not be possible for the insurance cover to continue). This may mean that your policy needs to be cancelled. If you choose to withdraw your consent we will tell you more about the possible consequences, including that we may no longer be able to act as your insurance intermediary. Further we may not be able to process any possible claims.
Please see Appendix 2 to find out more about the information we collect and use about you and why.
As flagged above, we may share data with other HIG Group companies, [a number of which are in run-off, and also our Appointed Representatives].
We may also share the data with third parties, to help manage our business and deliver services. These third parties may from time to time need to have access to your personal data.
For Insured Persons these third parties may include:
For Claimants this may include:
We may be under legal or regulatory obligations to share your personal data with courts, regulators, law enforcement or in certain cases other insurers. Also, if we were to sell part of our businesses we would need to transfer your personal data to the purchaser of such businesses.
We may use your personal data to send you direct marketing communications about our insurance products or our related services. This may be in the form of email, post, SMS, telephone or targeted online advertisements. We limit direct marketing to a reasonable and proportionate level, and to send you communications which we believe may be of interest or relevance to you, based on the information we have about you.
For the purposes of The General Data Protection Regulation (GDPR) (EU) 2016/679 our processing of your personal data for direct marketing purposes is based on our legitimate interests as further detailed in Appendix 2, but where opt-in consent is required by The Privacy and Electronic Communications (EC Directive) Regulations 2003 we may seek your consent where this required. You have a right to prevent direct marketing of any form at any time - this can be exercised by following the opt-out links in electronic communications, or by contacting us using the details in Section 12.
PLEASE NOTE: We will get your express opt-in consent before we share your personal data with any company outside the HIG group of companies for marketing purposes.
Our Service Providers or Assistance Providers and HIG Group Companies, who have access to your personal data may be located outside the EEA. We may also make other disclosures of your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests:
You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 12 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).
'Automated Decision Making' refers to a decision which is taken solely on the basis of automated processing of your personal data - this means processing using, for example, software code or an algorithm, which does not involve any human intervention.
If you are an Insured Person, we may use automated decision making to carry out a credit check on you.
PLEASE NOTE: You have certain rights in respect of automated decision making, where that decision has significant effects on you, including where it produces a legal effect on you. See Sections 10 and 11 for more information about your rights.
We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 5 of this Policy. In some circumstances we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, reporting, tax or accounting requirements.
In specific circumstances we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.
We maintain a data retention policy which we apply to records in our care, and which you can request from us by contacting us. Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.
You have a number of rights in relation to your personal data.
You may request access to your data, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability and various information in relation to any Automated Decision Making or the basis for international transfers. You may also exercise a right to complain to your Supervisory Authority. These are set out in more detail as follows:
|RIGHT||WHAT THIS MEANS|
You can ask us to:
You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
You can ask us to erase your personal data, but only where:
We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:
There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances where we would deny that request.
You can ask us to restrict (i.e. keep but not use) your personal data, but only where:
We can continue to use your personal data following a request for restriction, where:
You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another Data Controller, but in each case only where:
You can object to any processing of your personal data which has our 'legitimate interests' as its legal basis (see Appendix 2 for further details), if you believe your fundamental rights and freedoms outweigh our legitimate interests.
Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
|Automated Decision Making||
You can ask not to be subject to a decision which is based solely on automated processing (see Section 9), but only where that decision:
In such situations, you can obtain human intervention in the decision making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision. Your right to obtain human intervention or to contest a decision does not apply where the decision which is made following automated decision making:
You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of the European Economic Area. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.
You have a right to lodge a complaint with your local supervisory authority about our processing of your personal data. In the UK, the supervisory authority for data protection is the ICO (https://ico.org.uk/). We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
Dual Corporate Risks Ltd do not use Profiling.
To exercise your rights you may contact us as set out in Section 12. Please note the following if you do wish to exercise these rights:
The primary point of contact for all issues arising from this Policy, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following ways:
Dual Corporate Risks Limited
The Data Protection Officer
First Floor Bankside House
107-112 Leadenhall Street
If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority at any time.
|INFORMATION TYPE||DETAILS OF INFORMATION THAT WE TYPICALLY CAPTURE|
Name, address, telephone number, email address.
Policy number, relationship to the policyholder, details of policy including insured amount, exceptions etc., previous claims, payment history, quotes history, voice recordings.
|Personal Risk Information||
Gender, date of birth, claims history, marital status, additional information about your lifestyle and insurance requirements, information about your employment.
Special Categories of Data
Health Data - e.g. physical and mental conditions, medical history and procedures, relevant personal habits (e.g. smoking)
Criminal Data - e.g. driving offences, unspent convictions
Data relating to children
Bank account details (where you are the payer of the policy premium).
Name, email address, interests / marketing list assignments, record of permissions or marketing objections, website data (including online account details, IP address).
|Policy Information (excluding third party claimants)||
Policy number, relationship to the policyholder/insured person, details of policy including insured amount, exceptions etc., previous claims, voice recordings.
Details of incident giving rise to claim, including
Health Data - e.g. details of injury, medical report
Criminal Data - e.g. driving offences, police reports
Data relating to minors
Bank account details used for payment.
Address, history of fraudulent claims, details of incident giving rise to claim
Criminal Data - e.g. unspent convictions
|Activity||Type of information collected||The basis on which we use the information|
|Set up a record on our systems||
|Carry out background, sanction, fraud and credit checks||
|Assess risk and provide information to your Broker in order to place policy||
|Provide client care and support||
|Receive premiums and payments||
|Comply with legal and regulatory obligations||
|Receive notification of claim||
|Monitor and detect fraud||
|Comply with legal and regulatory obligations||
Claims Experts: these are experts in a particular field which is relevant to a claim, for example forensic accountancy, who are engaged to help us properly assess the merit and value of a claim, provide advice on its settlement, and advise on the proper treatment of claimants.
Data Controller: means a natural or legal person (which determines the means and purposes of processing of personal data.
FCA: the FCA is the Financial Conduct Authority, which is a financial regulatory body.
HIG Group: Hyperion Insurance Group (HIG) and any other company which is for the time being a subsidiary or holding company of the HIG and any subsidiary of any such holding company and for the purposes of this contract, the terms “subsidiary” and “holding company” shall have the meanings ascribed to them by section 1159 Companies Act 2006 or any statutory re-enactment of those provisions.
ICO: the Information Commissioner's Office regulates the processing of personal data by all organisations within the UK.
Insured Person: we use this term to refer to both individual policyholders, as well as any individual who benefits from insurance coverage under an insurance policy (for example, where an employee benefits from coverage taken out by their employer).
Loss Adjuster: these are an independent claims specialist which investigates complex or contentious claims on our behalf or on behalf of a relevant insurer.
Other Insurers: some policies are insured on a joint or "syndicate" basis. This means that a group of insurers (including us) will join together to write a policy. Policies may also be reinsured, which means that the insurer will purchase its own insurance, e.g. from a reinsurer, to cover some of the risk in your policy.
Premium Finance Providers: means a regulated entity which lends funds to a person or company to cover the cost of an insurance premium.
Profiling: means using automated processes without human intervention (such as computer programmes) to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an insurance context, such as your likely risk profile.
Risk Management Assessors: Any internal or external auditor or assessor who may have access to your personal data for the sole purpose of assessing risk to Dual Corporate Risks Ltd.
Special Categories of Data: means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.
Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who provide / support 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data.
Solicitors: we frequently use solicitors to advise on complex or contentious claims or to provide us with non-claims related legal advice. In addition, if you are a claimant you may be represented by your own solicitor(s).
Third Party Administrators (or TPAs): these are companies outside the HIG Group which administer the policies, the handling of claims, or both, on our behalf. We require all TPAs to ensure that your personal data is handled lawfully, and in accordance with this Policy and our instructions.
Uninsured Loss Recovery Agencies means an entity that recovers uninsured losses.