HSIG Data Privacy Notice.

Your privacy is very important to us. This privacy notice (“Privacy Notice”) is provided by Harley Street Insurance Group (“HSIG”), which trades as both PMP (“PMP”) in respect of products underwritten by Berkshire Hathaway International Insurance Limited (“BHIIL”) and as MedPro in respect of products underwritten by Faraday Syndicate 435 (“Faraday”), with its registered office at 4th Floor, The St Botolph Building, 138 Houndsditch, London, EC3A 7AW in accordance with data protection law including the EU General Data Protection Regulation as it forms part of retained EU law in the UK (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).

References to “we”, “our” and “us” in this Privacy Notice are references to HSIG. References to “you” or “your” refers to the individual whose personal data is being processed by HSIG (you may be the insured, beneficiary, claimant, or other person involved in a claim or relevant to the insurance policy).

Data controller

A data controller is the natural or legal person, public authority, agency, or other body which determines the purposes and means of the processing of personal data. Harley Street Insurance Group, registered office at 4th Floor, The St Botolph Building, 138 Houndsditch, London, EC3A 7AW, is the Data Controller as defined by the UK GDPR.

What is the purpose of this privacy notice?

In order to provide certain insurance products and services (including providing insurance quotes, insurance policies, and/or dealing with any claims or complaints), HSIG may collect information about you which constitutes personal data under the UK GDPR. This Privacy Notice explains how we collect, use, share and protect your personal data. Please read this Privacy Notice carefully to understand what we do with your personal data.

Personal data we may collect about you

In order for us to provide insurance quotes, insurance policies, and/or deal with any claims and complaints, we need to collect and process personal data about you.

The types of personal data we collect may include:

Types of Personal Data	Details
Individual details:	Name, address (including proof of address), other contact details (e.g., email and telephone numbers), gender, marital status, date and place of birth, nationality, employer, job title and employment history, academic and professional information, family details, including their relationship to you.
Identification details:	Identification numbers issued by government bodies or agencies, including your national insurance number or, passport number, tax identification number and driving licence number.
Financial information:	Bank account or payment card details, income, or other financial information .
Risk details:	Information about you which we need to collect in order to assess the risk to be insured and provide a quote. This may include data relating to your health, criminal convictions, or other special categories of personal data. For certain types of policy, this could also include telematics data.
Policy information:	Information about the quotes you receive and policies you take out .
Credit and Anti- Fraud Data:	Credit history, credit score, sanctions and criminal offences, and information received from various anti-fraud databases relating to you.
Previous and current claims:	Information about previous and current claims, (including other unrelated insurances), which may include data relating to your health, criminal convictions, or other special categories of personal data and in some cases, surveillance reports.
Special categories of personal data:	Certain categories of personal data which have additional protection under the UK GDPR. Special categories of personal data which may be collected by HSIG are as follows: Health, criminal convictions, racial or ethnic origin, genetic or biometric data.

Where we might collect your personal data from

We might collect your personal data from various sources, including:

• you;
• your family members, employer or representative(s);
• other insurance market partners;
• credit reference agencies;
• anti-fraud databases, sanctions lists, court judgements and other databases;
• government agencies;
• open electoral register; or
• in the event of a claim, third parties including the other party to the claim (claimant / defendant), witnesses, experts (including medical experts), loss adjustors, solicitors, and claims handlers

Which of the above sources apply will depend on your particular circumstances.

Who has access to your personal data?

The insurance life cycle may involve the sharing of your personal information between insurance market participants (an intermediary, insurer, reinsurer), some of which you will not have direct contact with. In addition, your personal data may not have been collected directly by us.

You can find out the identity of the initial data controller of your personal data within the insurance market life cycle in the following ways:

• Where you took out the insurance policy yourself: the insurer and, if purchased through an intermediary, the intermediary will be the initial data controller and their data protection contact can advise you on the identities of other insurance market participants that they have passed your personal data to.
• Where your employer or another organisation took out the policy for your benefit: b should contact your employer or the organisation that took out the policy who should provide you with details of the insurer or intermediary that they provided your personal data to and you should contact their data protection contact who can advise you on the identities of other insurance market participants that they have passed your personal data to.
• Where you are not a policyholder or an insured: You should contact the organisation that collected your personal data who should provide you with details of the relevant insurance market participant’s data protection contact.

You can find out more information about how the insurance industry uses personal data here.

The purposes, categories and legal bases for our processing of your personal data.

Data protection law says that we are only allowed to hold, use or share personal data if we need to do so, or we have a legal basis for doing so. HSIG relies on one or more of the following legal bases depending on the type of data and the purpose for using it:

• To fulfil a contract, we have with you
• When we are legally obliged to do so
• When it is necessary for reasons of substantial public interest
• When we need to establish, exercise, or defend legal claims
• When it is necessary to protect your vital interests
• When it is in our “legitimate interest” (i.e., we have a commercial or business reason)
• When your consent is required, and you consent to it.

We set out below the purposes and legal basis for which we may process your personal data during the lifecycle of providing insurance products and services to you.

Who we may share your personal data with

In order to undertake the activities listed above it may be necessary to share your data with third parties. Who we share this data with may depend on the insurance products and services we provide to you but may include:

• Other insurers that co-insure your policy
• Reinsurance intermediaries
• Reinsurance Companies
• Loss adjusters, solicitors and claims management companies
• Anti-Fraud agencies and private investigators
• Government departments and databases
• Outsourced service providers
• Regulators
• Our Berkshire Hathaway entities and affiliate entities
• Other persons providing auxiliary services on behalf of BHIIL, Faraday or HSIG.

Consent

In order to provide insurance cover and deal with insurance claims in certain circumstances we may need to process your special categories of personal data, such as medical and criminal convictions records, as set out against the relevant purpose.

Your consent to this processing may be necessary for HSIG to achieve this.

You may withdraw your consent to such processing at any time. However, if you withdraw your consent this will impact our ability to provide insurance and pay claims.

Profiling

When calculating insurance premiums, insurance market participants may compare your personal data against industry averages. Your personal data may also be used to create the industry averages going forward. This is known as profiling and is used to ensure premiums reflect risk.

Profiling may also be used by us to assess information you provide to protect against fraud.

Retention of your personal data

• We will keep your personal data only for so long as is necessary and for the purpose for which it was originally collected.

International transfers

• We may need to transfer your data to insurance market participants or their affiliates or sub-contractors and HSIG group affiliates which are located outside of the UK and/or the European Economic Area (EEA) where data privacy laws may not be the same as they are in the EEA. Those transfers are undertaken with the required UK GDPR safeguards in place.
• If you would like further details on how your personal data would be protected if transferred outside the UK and/or EEA, please contact the HSIG Data Protection Officer.

Your rights

• As set forth by the applicable data protection legislation, you have the right to:
• Be informed of what personal data (if any) we hold about you;
• Be informed about how we use your personal data;
• Be provided with a copy of the personal data that we hold about you;
• Request that any inaccuracies in the personal data we hold about you is corrected or updated;
• Request that any personal data, for which we no longer have a lawful basis to use, be deleted;
• Where our use of your personal data is based on your consent, to withdraw your consent so that we no longer use your personal data;
• Object to us using your personal data for our legitimate interests, however we will be entitled to continue that use if our interests outweigh any prejudice to your data protection rights;
• Request that we restrict how we use your personal data whilst a complaint is being investigated;
• Be provided with a copy of your personal data in an electronic machine-readable format for your own use or for the purpose of sharing with a new insurer; and
• File a complaint with us and/or the relevant data protection authority.
• In certain circumstances, we may need to restrict the above rights in order to safeguard the public interest (e.g. prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege).

Our contact details

PMP

If you have any questions in relation to our use of your personal data, you can contact HSIG by post or email using the following details:

• support@pmp-indmenity.com
• Data Protection Officer, 4th Floor, The St Botolph Building, 138 Houndsditch, London, EC3A 7AW

MedPro

If your concern relates to business underwritten by Faraday, via HSIG trading as MedPro, then please email complaints@medpro.international

Your right to complain to the data protection authority

If you are not satisfied with our use of your personal data or our response to any request by you to exercise any of your rights in section 12, or if you think we have breached the UK GDPR, then you have the right to complain to the ICO.

Please see below for the contact details:

England

• 0303 123 1113 (local rate) or 01625 545 745 (national rate)
• casework@ico.org.uk
• Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Scotland

• 0131 244 9001
• scotland@ico.org.uk
• Information Commissioner’s Office, 45 Melville Street, Edinburgh, EH3 7HL

Wales

• 029 2067 8400
• wales@ico.org.uk
• Information Commissioner’s Office, 2nd floor Churchill House, Churchill Way, Cardiff, CF10 2HH

Northern Ireland

• 0303 123 1114 (Local rate), 028 9027 8757 (national rate)
• ni@ico.org.uk
• Information Commissioner’s Office, 3rd Floor, 14 Cromac Place, Belfast, BT7 2JB