1. Scope

1.1 This Fair Processing Notice tells you what personal information Charles Taylor Group ((“Charles Taylor”, “we”, “us” or “our”) collects, why we collect it, what we do with it and who we share it with, as well as the choices and rights individuals have regarding this personal information.

1.2 This Notice does not apply to the personal information that we process about our employees, which is subject to different respective employee privacy notices.

1.3 Please see our Privacy Policy which sets out how we ensure that we look after your personal information when we collect and use it.

2. About Charles Taylor

2.1 Charles Taylor Group is a group of companies operating across the globe. We provide claims management solutions, providing integrated claims services, business process outsourcing and consulting services worldwide to the risk management and insurance industry, as well as to self-insured entities (our “Services”).

2.2 This Notice explains how Charles Taylor Group companies handle the personal information that is subject to the GDPR, which we collect about individuals:

  • that use our websites and associated services
  • who are our former, current and prospective clients
  • who communicate with us
  • who otherwise use our products or engage with us regarding our Services
  • other individuals whose personal information we receive in providing the Services

2.3 For the purposes of the UK and EU GDPR, and unless you are explicitly notified otherwise, Charles Taylor Limited is the controller of your personal information, and where the processing of personal information is also undertaken by other Charles Taylor Group companies with whom you engage, they are joint controllers with Charles Taylor Limited of your personal information.

3. Our Processing of your Personal Data

3.1 Our primary business is to provide claims management and related services globally, including third party claims administrator services, loss adjusting and associated risk, consulting and other services. Generally, we provide these services to entities that provide insurance cover, issue or underwrite the policies or are otherwise responsible for payment of the claims that we handle. We refer to these entities as “insurers”. Other parties in the insurance market with whom we may exchange your personal information include insurance brokers, agents, underwriters, self-insured companies and other companies or entities that issue or underwrite policies, provide coverage for or otherwise make decisions regarding the claims we handle.

3.2 As a part of our claims management services, we process claims and handle administrative functions for insurers, such as receiving notices of claims, administering forms and documentation requests and providing support-related services to policyholders and claimants. We also help insurers evaluate, assess and establish their liability for claims and make recommendations related to the settlement of claims, including payments, repairs and replacements. We process personal information during the course of providing our claims management activities to insurers.

3.3 Our insurer clients are data controllers of the claims data that we process on their behalf and our processing of personal information is subject to the instructions of our respective clients. Our role depends upon the relevant circumstances, including the type of services we provide to our clients. We may be acting as a data controller for the personal data processed as part of the claims handling services or as a data processor engaged to perform claims handling services on behalf of, and subject to, the instructions of our client, depending on the nature of the services we provide to them. If you are not sure whether we are a data controller for the relevant processing, please contact us at DPO@charlestaylor.com.

4. Personal information we collect

4.1 The types of personal information we collect and how we use it depend on your relationship with us. For example, we will collect different personal information depending on whether you are a policyholder, a beneficiary or a third party covered by an insurance policy we provide, a website user, a claimant, a witness, an intermediary, an expert or another third party.

4.2 When you are making a claim under a policy, we will collect basic contact details together with information about the nature of your claim and any previous claims. If you are an insured person, we will need to check details of the policy you are insured under and your claims history.

4.3 We will only use your information in ways we are allowed to by law, which includes only collecting as much information as we need. In processing the claim and as part of our claims handling services, we may collect personal data directly from you and from other sources where we believe this is necessary to manage the claim (such as public registers, databases managed by credit reference agencies, government agencies and other reputable organisations).

4.4 We may also collect information from third parties related to you or linked to the claim such as witnesses and persons representing you, where you are involved in a third-party claim.  In addition, we may collect information to enable us to carry out background checks or to verify your identity or the identity of people related to you and others to the extent permitted by law and to investigate and protect ourselves and our clients from fraud.  We also perform sanctions screening and anti-money laundering checks, as required and permitted by applicable law.

5. Purposes and legal grounds for our use of personal information

5.1 The information we collect and process is required by us to open, review, adjust, assess, validate, settle and otherwise administer your claim on behalf of your insurer.

5.2 For personal information to be processed lawfully in most countries, it must be processed on one of bases set out in the relevant applicable law. These include, among other things, the consent of the individual whose data we are processing, that the processing is necessary for the performance of a contract with the data subject, for compliance with a legal obligation to which the data controller is subject, or for the legitimate interests of the data controller or the party to whom the data is disclosed. When we process sensitive personal information (including health information, financial information, information about your political views), additional conditions must be met. When processing your personal information as data controllers in the course of our business, we will ensure that those requirements are met.

5.3 Depending on your relationship with us, the legal basis for us processing your personal information is one of the following:

  • You have given consent to us or the party for whom we are acting
  • The processing is necessary for the performance of a contract or legal duty
  • Processing is necessary for a legitimate interest pursued by us or a third party.

5.4 Where we rely on our legitimate interests, we will always balance them against the rights and freedoms of the people whose personal information we process. Where their rights override our legitimate interests and there are no other legal bases for processing, we will cease to process personal data. Where we rely on legitimate interest as our grounds for processing your data you have the right to object at any time.

5.5 We have set out more information about the legal bases for processing in the table below.

Purpose of processing Types of personal data Lawful basis
To open, handle, review, investigate, assess, validate, settle, finalise and otherwise administer insurance claims, which can include provision of medical assistance abroad Contact details, insurance policy details, information about the nature of your claim and any previous claims Processing is necessary to prepare for or perform a contract with the data subject (e.g. at the data subject’s request, in preparation for a claim settlement agreement)
Medical screening

 

Contact details, previous medical history, current medical conditions or disabilities
To communicate with claimants

and related third parties regarding claims

Contact details, including email address
To verify the identity of claimants

 

 

Contact details, including email address, responses to security questions or password

Record keeping and retention of claim data in accordance with applicable legal and regulatory requirements, completing regulatory reporting or similar obligations  

Contact details, details captured as part of anti-money laundering checks, sanctions checks and any additional compliance checks required

 

 

Processing is necessary to comply with our legal obligations

Fraud detection and identity and other verification purposes and protecting others from fraud, error and other harm
Responding to audits and fraud investigations
Responding to requests made by individuals in respect of their personal data Contact details and all personal information held in relation to any claim made by an individual or in respect of a company

 

Checking criminal convictions Criminal records checks
Otherwise complying with legal obligations under UK and EU law, such as responding to regulatory obligations, judicial proceedings, court orders, law enforcement requests, or other legal process

 

Contact details, details captured as part of anti-money laundering checks, sanctions checks and any additional compliance checks required

 

Contact details and all information held in relation to any claim made by an individual or in respect of a company, where such information includes personal data

To open, handle, review, investigate, assess, validate, settle, finalise and otherwise administer insurance claims  

 

Any of the above data

 

 

 

 

 

 

 

 

 

 

Processing is necessary for our legitimate interests (or those of third parties) where these are not outweighed by the interests of the data subjects

To communicate with claimants and related third parties regarding claim
For reporting, auditing and analytics purposes, for ourselves and our clients to improve services including to manage and administer our contracts with our clients and business partners including the provision of reports on claims and for quality control and auditing of our services
To verify the identity of claimants and related third parties
Establishing, exercise or defence of legal claims
Loss adjusting, expert appraisal services
To improve the claims handling services we provide
To improve and develop our operations
For business forecasting and modelling and market trend analysis
To provide training to relevant personnel and business partners

6. Sensitive personal information (or Special Category Personal Data)

6.1 We may process sensitive personal data about you which includes “special categories” of personal data, including:

  • Health information, including details about illness and disability, and medical treatment you have received or that you may require;
  • Information about your sex, gender, sexual orientation or marital status;
  • Information about your religious or political beliefs, or trade union membership;
  • Information about your criminal record data, where necessary for the processing and handling of your claim.

6.2 We will only process such data:

  • Where we need to for the purposes of establishing, exercising or defending our or our client’s legal rights;
  • Where you have provided your consent;
  • Where it is necessary to protect your vital interests (or those of another person) where you are physically or legally incapable of giving consent;
  • Where it is necessary in the substantial public interest, for insurance purposes (which includes the administration of insurance claims); or
  • Where it is in the substantial public interest for preventing and detecting fraud.

6.3 If we rely on your explicit consent to permit the processing of sensitive personal data, you may withdraw your consent at any time. However, if you do so, we may not be able to continue to process your claim.

6.4 Where Charles Taylor provides services to clients as a data processor of personal information, we only process such personal information on behalf of, and under the instructions of our clients, or where otherwise required by the relevant applicable data protection laws.

7. With whom might we share your personal information?

Sale of our business or part of our business

7.1 Your personal information may be shared with a company (the buyer) which acquires any part of Charles Taylor’s business. Where this is the case, we will ensure that your personal information is transferred to the buyer securely.

7.2 We may need to retain your personal information for our own purposes beyond the date of the acquisition. This means that the lawful basis we rely on for processing your personal information will change. Depending on the information we retain, we may process it for the purposes of our legitimate interests, provided these interests are not overridden by your interests.

7.3 If the part of our business which is being acquired is regulated, for example, by the Financial Conduct Authority in the UK, we may be required to retain certain business records which may include your personal information. In this event, we can rely on compliance with a legal obligation to process your personal information.

7.4 We may consider that we need to retain copies of your personal information in order to defend ourselves against possible future legal claims. This consideration will be made carefully and, if we do retain your personal information, it will be held in line with our Group Document Retention Policy.

The provision of services to our clients

7.5 From time to time, we may need to disclose your personal information to third parties. Sometimes, these will be companies who process it on our behalf and only act upon our instructions. Sometimes, these will be individuals and companies such as: clinics and hospitals; air ambulances; taxi services; consultants; doctors; experts; lawyers; and other professionals within or connected to the insurance industry. Your information may be shared with insurance participants, including the policyholder.

7.6 Any organisation or business which has access to your personal data in connection with provision of our Services should be governed by contractual restrictions and/or technical limitations to ensure that they protect your personal data and meet with the appropriate data protection legislation.

7.7 We have set out more detail in the table below about the types of businesses with whom we may share your personal information:

 

Category of personal information recipient

 

Reason for sharing your personal information
Consultant loss adjusters To handle, review, investigate, assess, validate, settle, finalise and otherwise administer your insurance claim
Repair services (for example, vehicle repairs) To provide repairs or quotes for repairs in respect of damage to your property
Surveyors To provide information about your property or claim.
Fraud prevention database supported by and or regulated by insurers or the FCA For example, personal data may be put on registers of claims and shared with other insurers
Law enforcement, courts or others In response to a subpoena or court order
Our bank Where we operate fund payment arrangements on behalf of our instructing principal
Legal advisors

 

Where you have made or are involved in a claim and we require legal advice to deal with that claim effectively
Hospitals, clinics and doctors Where your claim is related to your health or an injury relating to an accident and you require medical treatment or advice. This can include provision of medical assistance abroad under a travel insurance policy
Taxi services, ambulance services and airlines Where we instruct such services to assist you per the terms of your insurance policy
Our technology providers In order to support our business, providing the IT infrastructure and applications we rely on to continue to provide services

7.8 Any personal information we collect related to handling claims on behalf of our clients may be disclosed to such organisations or persons as directed by our clients; such disclosures are subject to our clients’ privacy policies.

7.9 Where these organisations or businesses are based in a country that is not considered to provide adequate protection for your personal information by the data supervisory authority in the country from which we are exporting personal information, we will put in place an appropriate safeguard for your personal information or we will rely on one of the exemptions provided by the relevant law to permit export of your personal information.

7.10 For example, where we need to transfer personal data to countries outside of the UK or EEA (or from one country outside of the EEA to another country outside of the EEA), we will do so where we have implemented safeguards so that your data continues to be protected to the standards set out in this Fair Processing Notice or rely on an exception under the UK or EU GDPR.

7.11 You should be aware that if your personal information is transferred to another country, it may be subject to access requests from foreign governments, courts, law enforcement officials and national security authorities.

7.12 We will keep records of where your data has been sent outside of the UK and EEA and you can have access to these records if you wish.

Full details of all Charles Taylor Group offices can be found here.

8. Social media

8.1 We use a third-party provider, Agorapulse, to manage our social media interactions. If you send us a private or direct message via social media, it will be stored by Agorapulse for up to 12 months.

8.2 We see all this information and decide how we manage it. For example, if you send a message via social media that needs a response from us, we may process it as an enquiry or a complaint. When contacting Charles Taylor through a social media platform, we suggest you also familiarise yourself with the privacy information of that platform.

8.3 Agorapulse provides us with analytics information on engagement with our social media presence.

9. How long do we keep records for?

9.1 We will keep personal information in line with our Document Retention Policy, a copy of which is available on application. In the context of an insurance claim, this will usually be 7 years from the date of the last activity on the claim.

10. Automated decision taking

10.1 There are some very limited circumstances where we, on behalf of our clients, use computer questionnaires to give you a quick decision on whether or not they can provide you with insurance cover. In some cases, this is done to generate a quote based on your individual circumstances, including things which may involve your sensitive personal data (for example, your health data). Where we do this, the software we use compares your answers against our insurance client’s criteria and makes a ‘decision’ about whether to provide cover and, at times, how much that might cost. If there is no human decision-maker involved in generating the decision based on such a questionnaire, this is a form of ‘automated decision-making’.

10.2 We will not use automatic decision making without:

  1. either your explicit consent;
  2. it being necessary for entering into, or performance of, a contract between yourself and a data controller (such as ourselves or an insurance company whom we are supporting) or
  3. your being told by a data controller that a decision has been taken solely on automated processing.

10.3 If you are not happy with the result of an automated decision, you can request human intervention, express your own views, and/or contest the automated decision by writing to:

DPO@charlestaylor.com (please type ‘Automated Decision Making’ in the email subject line).

11. Your rights

11.1 You have certain rights under many data protection laws around the world to receive written information about the personal information that we hold about you: 

Right of Access You can ask us to confirm whether we are processing your personal information and provide you with a copy of that information together with certain other details.

 

 

Correction You can ask us to correct inaccurate personal information, in which case we may seek to verify the accuracy of the information before correcting it.

 

Erasure You can ask us to delete your personal information in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable).
Restriction You can ask us to restrict (to store but not use) your personal data in certain circumstances, such as where its accuracy is contested and we are taking steps to review or verify its accuracy. We can continue to use your personal information following a request for restriction, where necessary to establish, exercise or defend legal claims, or to protect the rights of another natural or legal person.
Portability You have the right, in certain circumstances to obtain your personal information you have provided to us in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another data controller, but only where our processing is based on your consent and the processing is carried out by automated means.
Objection You can object to any processing of your personal information which has our ‘legitimate interests’ as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. In addition, you can object to the processing of your personal information for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing without providing any reason. We will then stop processing of your personal information for direct marketing purposes.

 

Withdrawal of Consent Where processing is based on your consent, you may withdraw your consent however we may not be able to process your claim if you do so.

 

 

11.2 You may exercise any of the rights described above by contacting our Data Protection Officer using the details set out below.

11.3 We will respond to your request within one month and will usually be able to fulfil your request within that time unless your request is complicated. If it is complicated, we may need to extend the deadline for responding to you to three months in total from the date of your initial request. In that case, we will let you know when you should expect our response. Generally, there is no fee for making these requests.

11.4 You should keep in mind that, depending on the right you want to exercise, and the type of personal data involved, there may be legal reasons why we cannot meet your request.

12. What Security measures we take

12.1 We take information security seriously. We have implemented appropriate safeguards and technical measures to protect the security, confidentiality and integrity of the personal information we collect and maintain. Please see our Privacy Policy for more details.

13. How do I contact the Data Protection Officer?

13.1 We are committed to processing all personal data fairly, lawfully, and transparently. To make things simpler, Charles Taylor has nominated one data controller, Charles Taylor Limited, to handle all requests or queries you might have about our processing of your personal data.

13.2 We have appointed a Data Protection Officer (“DPO”) to oversee compliance with data protection law.

13.3 If you have any questions about this Notice, please contact our DPO.

Their contact details are:
The Minster Building,
21 Mincing Lane,
London,
EC3R 7AG;
dpo@charlestaylor.com

13.4 We also have a European Representative who will act on our behalf in relation to data protection compliance matters, including dealing with supervisory authorities and data subjects in the European Union. Our European Representative will work closely with our Data Protection Officer, their contact details are:

CEGA GSL SPAIN SLU
Calle Joan Maregall 36, Loc B
07006 Palma de Mallorca
Islas Baleares
Spain
DPOSpain@cegagroup.com

14. Your right to complain to our supervisory authority

14.1 We work conscientiously to handle your personal data responsibly. If you are unhappy with the way we are doing this, please contact our DPO, who will try to address your concerns.

14.2 You have a right to complain to the UK’s data protection supervisory authority:

The Information Commissioner
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

4.3 If you are a European resident you have the right to complain to the Spanish Data Protection Agency:

Agencia Española de Protección de Datos
C/ Jorge Juan, 6,
28001, Madrid,
Spain

14.4 We may update this Fair Processing Notice from time to time and will post changes by updating it together with the effective date on this page. We encourage you to review this website and our Fair Processing Notice periodically to understand how we process your personal information.

14.5 This Fair Processing Notice comes into effect on 1st July 2023 replacing our previous Notice. Once effective, the revised Notice will apply to you and your personal information.

14.6 Further details can be found in our Cookie Policy, Terms and Conditions and Privacy Policy.

14.7 For those who work at Charles Taylor, the Charles Taylor Fair Processing Notice for Employees and our Privacy Policy Notice are accessible online via our intranet. Our Candidate Fair Processing Notice is also available on this website.

Our other data protection policies are available upon request.

 

Last updated: June 2023
This site and all content are copyright © Charles Taylor Ltd
All rights reserved.