1. Scope
1.1 This Fair Processing Notice tells you what personal information Charles Taylor Group ((“Charles Taylor”, “we”, “us” or “our”) collects, why we collect it, what we do with it and who we share it with, as well as the choices and rights individuals have regarding this personal information.
1.2 This Notice does not apply to the personal information that we process about our employees, which is subject to different respective employee privacy notices.
1.3 Please see our Privacy Policy which sets out how we ensure that we look after your personal information when we collect and use it.
2. About Charles Taylor
2.1 Charles Taylor Group is a group of companies operating across the globe. We provide claims management solutions, providing integrated claims services, business process outsourcing and consulting services worldwide to the risk management and insurance industry, as well as to self-insured entities (our “Services”).
2.2 This Notice explains how Charles Taylor Group companies handle the personal information that is subject to the GDPR, which we collect about individuals:
2.3 For the purposes of the UK and EU GDPR, and unless you are explicitly notified otherwise, Charles Taylor Limited is the controller of your personal information, and where the processing of personal information is also undertaken by other Charles Taylor Group companies with whom you engage, they are joint controllers with Charles Taylor Limited of your personal information.
3. Our Processing of your Personal Data
3.1 Our primary business is to provide claims management and related services globally, including third party claims administrator services, loss adjusting and associated risk, consulting and other services. Generally, we provide these services to entities that provide insurance cover, issue or underwrite the policies or are otherwise responsible for payment of the claims that we handle. We refer to these entities as “insurers”. Other parties in the insurance market with whom we may exchange your personal information include insurance brokers, agents, underwriters, self-insured companies and other companies or entities that issue or underwrite policies, provide coverage for or otherwise make decisions regarding the claims we handle.
3.2 As a part of our claims management services, we process claims and handle administrative functions for insurers, such as receiving notices of claims, administering forms and documentation requests and providing support-related services to policyholders and claimants. We also help insurers evaluate, assess and establish their liability for claims and make recommendations related to the settlement of claims, including payments, repairs and replacements. We process personal information during the course of providing our claims management activities to insurers.
3.3 Our insurer clients are data controllers of the claims data that we process on their behalf and our processing of personal information is subject to the instructions of our respective clients. Our role depends upon the relevant circumstances, including the type of services we provide to our clients. We may be acting as a data controller for the personal data processed as part of the claims handling services or as a data processor engaged to perform claims handling services on behalf of, and subject to, the instructions of our client, depending on the nature of the services we provide to them. If you are not sure whether we are a data controller for the relevant processing, please contact us at DPO@charlestaylor.com.
4. Personal information we collect
4.1 The types of personal information we collect and how we use it depend on your relationship with us. For example, we will collect different personal information depending on whether you are a policyholder, a beneficiary or a third party covered by an insurance policy we provide, a website user, a claimant, a witness, an intermediary, an expert or another third party.
4.2 When you are making a claim under a policy, we will collect basic contact details together with information about the nature of your claim and any previous claims. If you are an insured person, we will need to check details of the policy you are insured under and your claims history.
4.3 We will only use your information in ways we are allowed to by law, which includes only collecting as much information as we need. In processing the claim and as part of our claims handling services, we may collect personal data directly from you and from other sources where we believe this is necessary to manage the claim (such as public registers, databases managed by credit reference agencies, government agencies and other reputable organisations).
4.4 We may also collect information from third parties related to you or linked to the claim such as witnesses and persons representing you, where you are involved in a third-party claim. In addition, we may collect information to enable us to carry out background checks or to verify your identity or the identity of people related to you and others to the extent permitted by law and to investigate and protect ourselves and our clients from fraud. We also perform sanctions screening and anti-money laundering checks, as required and permitted by applicable law.
5. Purposes and legal grounds for our use of personal information
5.1 The information we collect and process is required by us to open, review, adjust, assess, validate, settle and otherwise administer your claim on behalf of your insurer.
5.2 For personal information to be processed lawfully in most countries, it must be processed on one of bases set out in the relevant applicable law. These include, among other things, the consent of the individual whose data we are processing, that the processing is necessary for the performance of a contract with the data subject, for compliance with a legal obligation to which the data controller is subject, or for the legitimate interests of the data controller or the party to whom the data is disclosed. When we process sensitive personal information (including health information, financial information, information about your political views), additional conditions must be met. When processing your personal information as data controllers in the course of our business, we will ensure that those requirements are met.
5.3 Depending on your relationship with us, the legal basis for us processing your personal information is one of the following:
5.4 Where we rely on our legitimate interests, we will always balance them against the rights and freedoms of the people whose personal information we process. Where their rights override our legitimate interests and there are no other legal bases for processing, we will cease to process personal data. Where we rely on legitimate interest as our grounds for processing your data you have the right to object at any time.
5.5 We have set out more information about the legal bases for processing in the table below.
Purpose of processing | Types of personal data | Lawful basis |
To open, handle, review, investigate, assess, validate, settle, finalise and otherwise administer insurance claims, which can include provision of medical assistance abroad | Contact details, insurance policy details, information about the nature of your claim and any previous claims | Processing is necessary to prepare for or perform a contract with the data subject (e.g. at the data subject’s request, in preparation for a claim settlement agreement) |
Medical screening
|
Contact details, previous medical history, current medical conditions or disabilities | |
To communicate with claimants
and related third parties regarding claims |
Contact details, including email address | |
To verify the identity of claimants
|
Contact details, including email address, responses to security questions or password |
|
Record keeping and retention of claim data in accordance with applicable legal and regulatory requirements, completing regulatory reporting or similar obligations |
Contact details, details captured as part of anti-money laundering checks, sanctions checks and any additional compliance checks required |
Processing is necessary to comply with our legal obligations |
Fraud detection and identity and other verification purposes and protecting others from fraud, error and other harm | ||
Responding to audits and fraud investigations | ||
Responding to requests made by individuals in respect of their personal data | Contact details and all personal information held in relation to any claim made by an individual or in respect of a company
|
|
Checking criminal convictions | Criminal records checks | |
Otherwise complying with legal obligations under UK and EU law, such as responding to regulatory obligations, judicial proceedings, court orders, law enforcement requests, or other legal process
|
Contact details, details captured as part of anti-money laundering checks, sanctions checks and any additional compliance checks required
Contact details and all information held in relation to any claim made by an individual or in respect of a company, where such information includes personal data |
|
To open, handle, review, investigate, assess, validate, settle, finalise and otherwise administer insurance claims |
Any of the above data
|
Processing is necessary for our legitimate interests (or those of third parties) where these are not outweighed by the interests of the data subjects |
To communicate with claimants and related third parties regarding claim | ||
For reporting, auditing and analytics purposes, for ourselves and our clients to improve services including to manage and administer our contracts with our clients and business partners including the provision of reports on claims and for quality control and auditing of our services | ||
To verify the identity of claimants and related third parties | ||
Establishing, exercise or defence of legal claims | ||
Loss adjusting, expert appraisal services | ||
To improve the claims handling services we provide | ||
To improve and develop our operations | ||
For business forecasting and modelling and market trend analysis | ||
To provide training to relevant personnel and business partners |
6. Sensitive personal information (or Special Category Personal Data)
6.1 We may process sensitive personal data about you which includes “special categories” of personal data, including:
6.2 We will only process such data:
6.3 If we rely on your explicit consent to permit the processing of sensitive personal data, you may withdraw your consent at any time. However, if you do so, we may not be able to continue to process your claim.
6.4 Where Charles Taylor provides services to clients as a data processor of personal information, we only process such personal information on behalf of, and under the instructions of our clients, or where otherwise required by the relevant applicable data protection laws.
7. With whom might we share your personal information?
Sale of our business or part of our business
7.1 Your personal information may be shared with a company (the buyer) which acquires any part of Charles Taylor’s business. Where this is the case, we will ensure that your personal information is transferred to the buyer securely.
7.2 We may need to retain your personal information for our own purposes beyond the date of the acquisition. This means that the lawful basis we rely on for processing your personal information will change. Depending on the information we retain, we may process it for the purposes of our legitimate interests, provided these interests are not overridden by your interests.
7.3 If the part of our business which is being acquired is regulated, for example, by the Financial Conduct Authority in the UK, we may be required to retain certain business records which may include your personal information. In this event, we can rely on compliance with a legal obligation to process your personal information.
7.4 We may consider that we need to retain copies of your personal information in order to defend ourselves against possible future legal claims. This consideration will be made carefully and, if we do retain your personal information, it will be held in line with our Group Document Retention Policy.
The provision of services to our clients
7.5 From time to time, we may need to disclose your personal information to third parties. Sometimes, these will be companies who process it on our behalf and only act upon our instructions. Sometimes, these will be individuals and companies such as: clinics and hospitals; air ambulances; taxi services; consultants; doctors; experts; lawyers; and other professionals within or connected to the insurance industry. Your information may be shared with insurance participants, including the policyholder.
7.6 Any organisation or business which has access to your personal data in connection with provision of our Services should be governed by contractual restrictions and/or technical limitations to ensure that they protect your personal data and meet with the appropriate data protection legislation.
7.7 We have set out more detail in the table below about the types of businesses with whom we may share your personal information:
Category of personal information recipient
|
Reason for sharing your personal information |
Consultant loss adjusters | To handle, review, investigate, assess, validate, settle, finalise and otherwise administer your insurance claim |
Repair services (for example, vehicle repairs) | To provide repairs or quotes for repairs in respect of damage to your property |
Surveyors | To provide information about your property or claim. |
Fraud prevention database supported by and or regulated by insurers or the FCA | For example, personal data may be put on registers of claims and shared with other insurers |
Law enforcement, courts or others | In response to a subpoena or court order |
Our bank | Where we operate fund payment arrangements on behalf of our instructing principal |
Legal advisors
|
Where you have made or are involved in a claim and we require legal advice to deal with that claim effectively |
Hospitals, clinics and doctors | Where your claim is related to your health or an injury relating to an accident and you require medical treatment or advice. This can include provision of medical assistance abroad under a travel insurance policy |
Taxi services, ambulance services and airlines | Where we instruct such services to assist you per the terms of your insurance policy |
Our technology providers | In order to support our business, providing the IT infrastructure and applications we rely on to continue to provide services |
7.8 Any personal information we collect related to handling claims on behalf of our clients may be disclosed to such organisations or persons as directed by our clients; such disclosures are subject to our clients’ privacy policies.
7.9 Where these organisations or businesses are based in a country that is not considered to provide adequate protection for your personal information by the data supervisory authority in the country from which we are exporting personal information, we will put in place an appropriate safeguard for your personal information or we will rely on one of the exemptions provided by the relevant law to permit export of your personal information.
7.10 For example, where we need to transfer personal data to countries outside of the UK or EEA (or from one country outside of the EEA to another country outside of the EEA), we will do so where we have implemented safeguards so that your data continues to be protected to the standards set out in this Fair Processing Notice or rely on an exception under the UK or EU GDPR.
7.11 You should be aware that if your personal information is transferred to another country, it may be subject to access requests from foreign governments, courts, law enforcement officials and national security authorities.
7.12 We will keep records of where your data has been sent outside of the UK and EEA and you can have access to these records if you wish.
Full details of all Charles Taylor Group offices can be found here.
8. Social media
8.1 We use a third-party provider, Agorapulse, to manage our social media interactions. If you send us a private or direct message via social media, it will be stored by Agorapulse for up to 12 months.
8.2 We see all this information and decide how we manage it. For example, if you send a message via social media that needs a response from us, we may process it as an enquiry or a complaint. When contacting Charles Taylor through a social media platform, we suggest you also familiarise yourself with the privacy information of that platform.
8.3 Agorapulse provides us with analytics information on engagement with our social media presence.
9. How long do we keep records for?
9.1 We will keep personal information in line with our Document Retention Policy, a copy of which is available on application. In the context of an insurance claim, this will usually be 7 years from the date of the last activity on the claim.
10. Automated decision taking
10.1 There are some very limited circumstances where we, on behalf of our clients, use computer questionnaires to give you a quick decision on whether or not they can provide you with insurance cover. In some cases, this is done to generate a quote based on your individual circumstances, including things which may involve your sensitive personal data (for example, your health data). Where we do this, the software we use compares your answers against our insurance client’s criteria and makes a ‘decision’ about whether to provide cover and, at times, how much that might cost. If there is no human decision-maker involved in generating the decision based on such a questionnaire, this is a form of ‘automated decision-making’.
10.2 We will not use automatic decision making without:
10.3 If you are not happy with the result of an automated decision, you can request human intervention, express your own views, and/or contest the automated decision by writing to:
DPO@charlestaylor.com (please type ‘Automated Decision Making’ in the email subject line).
11. Your rights
11.1 You have certain rights under many data protection laws around the world to receive written information about the personal information that we hold about you:
Right of Access | You can ask us to confirm whether we are processing your personal information and provide you with a copy of that information together with certain other details.
|
Correction | You can ask us to correct inaccurate personal information, in which case we may seek to verify the accuracy of the information before correcting it.
|
Erasure | You can ask us to delete your personal information in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). |
Restriction | You can ask us to restrict (to store but not use) your personal data in certain circumstances, such as where its accuracy is contested and we are taking steps to review or verify its accuracy. We can continue to use your personal information following a request for restriction, where necessary to establish, exercise or defend legal claims, or to protect the rights of another natural or legal person. |
Portability | You have the right, in certain circumstances to obtain your personal information you have provided to us in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another data controller, but only where our processing is based on your consent and the processing is carried out by automated means. |
Objection | You can object to any processing of your personal information which has our ‘legitimate interests’ as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. In addition, you can object to the processing of your personal information for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing without providing any reason. We will then stop processing of your personal information for direct marketing purposes.
|
Withdrawal of Consent | Where processing is based on your consent, you may withdraw your consent however we may not be able to process your claim if you do so.
|
11.2 You may exercise any of the rights described above by contacting our Data Protection Officer using the details set out below.
11.3 We will respond to your request within one month and will usually be able to fulfil your request within that time unless your request is complicated. If it is complicated, we may need to extend the deadline for responding to you to three months in total from the date of your initial request. In that case, we will let you know when you should expect our response. Generally, there is no fee for making these requests.
11.4 You should keep in mind that, depending on the right you want to exercise, and the type of personal data involved, there may be legal reasons why we cannot meet your request.
12. What Security measures we take
12.1 We take information security seriously. We have implemented appropriate safeguards and technical measures to protect the security, confidentiality and integrity of the personal information we collect and maintain. Please see our Privacy Policy for more details.
13. How do I contact the Data Protection Officer?
13.1 We are committed to processing all personal data fairly, lawfully, and transparently. To make things simpler, Charles Taylor has nominated one data controller, Charles Taylor Limited, to handle all requests or queries you might have about our processing of your personal data.
13.2 We have appointed a Data Protection Officer (“DPO”) to oversee compliance with data protection law.
13.3 If you have any questions about this Notice, please contact our DPO.
Their contact details are:
The Minster Building,
21 Mincing Lane,
London,
EC3R 7AG;
dpo@charlestaylor.com
13.4 We also have a European Representative who will act on our behalf in relation to data protection compliance matters, including dealing with supervisory authorities and data subjects in the European Union. Our European Representative will work closely with our Data Protection Officer, their contact details are:
CEGA GSL SPAIN SLU
Calle Joan Maregall 36, Loc B
07006 Palma de Mallorca
Islas Baleares
Spain
DPOSpain@cegagroup.com
14. Your right to complain to our supervisory authority
14.1 We work conscientiously to handle your personal data responsibly. If you are unhappy with the way we are doing this, please contact our DPO, who will try to address your concerns.
14.2 You have a right to complain to the UK’s data protection supervisory authority:
The Information Commissioner
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
4.3 If you are a European resident you have the right to complain to the Spanish Data Protection Agency:
Agencia Española de Protección de Datos
C/ Jorge Juan, 6,
28001, Madrid,
Spain
14.4 We may update this Fair Processing Notice from time to time and will post changes by updating it together with the effective date on this page. We encourage you to review this website and our Fair Processing Notice periodically to understand how we process your personal information.
14.5 This Fair Processing Notice comes into effect on 1st July 2023 replacing our previous Notice. Once effective, the revised Notice will apply to you and your personal information.
14.6 Further details can be found in our Cookie Policy, Terms and Conditions and Privacy Policy.
14.7 For those who work at Charles Taylor, the Charles Taylor Fair Processing Notice for Employees and our Privacy Policy Notice are accessible online via our intranet. Our Candidate Fair Processing Notice is also available on this website.
Our other data protection policies are available upon request.
Last updated: June 2023 This site and all content are copyright © Charles Taylor Ltd All rights reserved.