Privacy & data protection policy
Overview of this Policy and Commitments to Privacy within DUAL
DUAL Group (“DUAL”, "we", "us", "our") is a leading global underwriting agency. DUAL International Limited (“DIL”), registered office address at One Creechurch Place, London, United Kingdom, EC3A 5AF, is the overarching legal entity for DUAL. In Sweden, our main legal entity is DUAL Nordics, with registered office at Drottninggatan 33, 111 51 Stockholm, and registered with Bolagsverket under registration no. 516413-3778. DUAL Nordics is a branch of DUAL Europe GmbH, with its registered address at Schanzenstrasse 36 / Gebäude 197, 51063 Cologne.
The purpose of this privacy policy is to provide a clear explanation of when, why and how we collect and use personal data ("Policy"). It is applicable to any individual whose personal data is processed. It also explains who we may share your information with and provides details about your data rights and how you may use them. Please also use the Glossary to understand the meaning of some of the terms used in this privacy policy. We may amend this Policy from time to time, for example to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will notify you about material changes by prominently posting a notice on our website. We encourage you to periodically check back and review this policy so that you will always know what information we collect, how we use it, and with whom we share it. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
This version of the privacy policy was published on 06 June 2024. The update aims to provide clearer information on how we collect and use your personal data, and to reflect changes to the names by which we and the wider group of companies are known. There are no significant changes to the way we process your information.
Contents
1. Who is responsible for looking after your personal data?
2. What personal data do we process?
3. Legal Basis to process personal data.
4. When do we collect your personal data?
5. What purposes do we process your personal data for?
6. Who do we share your personal data with?
9. How long do we keep your personal data?
APPENDIX 1 CATEGORIES OF PERSONAL DATA
APPENDIX 2 - LEGAL BASIS FOR PROCESSING
1. Who is responsible for looking after your personal data?
For the purpose of Data Protection, DUAL Nordics is the Controller of your personal data.
DUAL Nordics
Drottninggatan 33
111 51 Stockholm
Sweden
Telephone: +46 (0) 70 814 33 74
Fax: +46 (0) 70 814 33 74
Email: [email protected]
Web: https://www.dualnordics.com/
2. What personal data do we process?
We regularly collect and use information which may identify individuals ("personal data"), including insured persons or claimants ("you", "your"). We understand our responsibilities to handle your personal data with care, to keep it secure and to comply with applicable data protection laws.
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
We may collect personal data directly from you, or from others, such as price comparison websites, insurance brokers or from the policy holder where you are a beneficiary to a policy. The data we may collect includes, but is not limited to:
- Contact details: name, address, contact number, email address, date of birth;
- Identification details: identification numbers issued by government bodies or agencies including national insurance number, passport number, tax identification and driving license number;
- Financial information: bank account or other financial information, such as information from credit reference agencies where applicable;
- Health data: medical/health information relevant to the product or service, or required in relation to a claim;
- Criminal data: relevant criminal conviction data including data from fraud prevention, law enforcement or government agencies.
In order to arrange, administer and underwrite insurance policies, we collect information about the policyholder and any related parties. The policyholder may be an individual, company, or their representative. The level and type of personal data we collect varies depending on the type of policy. In general, this is likely to include background and contact information on the policyholder or their representative and matters relevant to the management of the insurance policy and assessment of risk. In some instances, it is necessary for us to collect and use special categories of data, such as information about a past criminal conviction or health details potentially including information about children’s health.
Where a claim is initiated, we will collect information about the individual/s making a claim under a policy. This will include the collection of basic contact details, together with information about the nature of the claim and any claims history. It may also be necessary for us to collect and use special categories of data, such as health details in the event of a personal injury suffered during an accident or potentially information about children’s health.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data fully and honestly, to the best of your knowledge, when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time.
For further details, please refer to Appendix 1 “Categories of personal data”.
3. Legal basis to process personal data
We are required to establish a legal basis to use your Personal Data - see Section 5 and Appendix 2 for further details. From time to time, you may need to provide us with the personal data of third parties, for example if you suspect that someone has unlawfully taken possession of fine arts, or in relation to a sports injury of a third party relevant to a claim under a policy. You should take appropriate steps to inform the third party that you need to disclose their details to us, identifying DUAL as your underwriting agency.
4. When do we collect your personal data?
We will collect your personal data when you request an insurance quote from us, either directly or via a third-party price comparison website where they have permission to share your information with us.
Information about you may also be provided to us by an insurance broker, your employer, family member or any other third person who may be applying for a policy which names you.
To the extent permitted by law, we may also monitor and record telephone calls for training and quality assurance purposes when you call us directly in connection with a claim or complaint.
We will collect information from you when you notify us of a claim or a complaint. You might make a claim or a complaint to us directly, through your representative or through a broker who manages claims or complaints on our behalf.
We may collect information about you if a claim is made by another person who has a close relationship with you or is otherwise linked to the claim - for example if the policyholder is your employer or if the representative of a third-party claimant contacts us in connection with a claim.
We may also be provided with information by your solicitors, family members, legal advisors and medical and other professional advisors.
We may collect information from other third-party sources where we have legal grounds to do so. These sources may include anti-fraud and crime prevention agencies, social media and other online sources, credit reference and vetting agencies, and other reputable data providers.
We will also collect your personal data when you take part in a competition, prize draw or survey, or complete our webform.
We use cookies (small text files stored in your web browser) and other techniques to monitor how you use our website. For more information on what these are and how to opt out of these, please refer to our cookies policy.
5. What purposes do we use your personal data for?
We will use your personal data to deal with your queries, including sharing the data where appropriate, with the relevant data controller within DUAL. We may also send you marketing materials and share your personal data with other DUAL Group companies to identify products and other services which we offer which may be of interest to you (where we have appropriate permissions). We will also need to use your personal data for purposes associated with our legal and regulatory obligations as an insurance intermediary.
We will make sure that we only use your personal data for the purposes set out in this Section 5 and in Appendix 2 where we are satisfied that:
- our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (e.g. to manage your insurance policy), or
- our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we are subject to (e.g. to comply with Supervisory Authority requirements), or
- you have opted in to us using the data in that way (e.g. to send you marketing materials), or
- our use of your personal data is necessary to support 'legitimate interests' that we have as a business (for example, to improve our products, or to carry out analytics across our datasets), provided it is always conducted in a way that is proportionate, and that respects your privacy rights. Please see Appendix 2 to find out more about our legitimate interests.
We will not collect any Special Categories of Data via our webform.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Please see Appendix 2 to find out more about the information we collect and use about you and why.
6. Who do we share your personal data with?
We may share your personal data with the types of third parties noted below, where we have a valid reason to do so:
- Other companies within the DUAL Group;
- Brokers, business partners, insurers, intermediaries including but not limited to other insurance brokers and managing general agencies;
- Suppliers and agents involved in delivering products or services to you, such as risk management assessors, claims experts, loss adjusters, legal advisors, uninsured loss recovery agencies and third party administrators;
- Service Providers, who help manage our IT and back office systems;
- Our regulators, which may include the Supervisory Authorities, as well as law enforcement agencies in the UK and the EU and around the world, when it is permitted by law;
- Credit reference agencies, Premium Finance Providers, and organizations working to prevent fraud in financial services; and
- Solicitors and other professional services firms (including our auditors).
We may be required under legal or regulatory obligations to share your personal data with courts, regulators, law enforcement or in certain cases insurers. Also, if we were to sell part of our businesses we would need to transfer your personal data to the purchaser of such businesses. Some of these third parties will also be data controllers and will handle your personal data in accordance with their own privacy policies. For further information, please contact us.
Additional information about some third parties we may share data with
Our websites may share information with Google via the use of internet cookies, where you have agreed to this. You can find out more information about how Google uses data collected by cookies on Google’s Privacy & Terms site.
7. International Transfers
We may need to transfer, or allow access to, your personal data to parties based overseas, such as service providers or other companies within DUAL Group. We may do this for business purposes such as internal audits and reporting, to help prevent/detect crime or where required by Law or Regulation. We may also make other disclosures of your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests.
If the Data Protection laws of the country where we transfer your data are not recognised as being equivalent to those in the UK and/or the EU and Switzerland, we will ensure that this is carried out within the standards required by UK, EU and Switzerland’s data protection laws.
You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 11 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).
8. Automated Decision Making
'Automated Decision Making' refers to a decision which is taken solely on the basis of automated processing of your personal data - this means processing or using, for example, software code or an algorithm, which does not involve any human intervention.
No automated decision-making is conducted from the personal information collected from our webform.
Please note: you have certain rights in respect of automated decision making, where that decision has significant effects on you, including where it produces a legal effect on you. See Sections 9 and 10 for more information about your rights.
9. How long do we keep your personal data?
We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 5 of this Policy. In some circumstances we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, reporting, tax or accounting requirements.
In specific circumstances we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.
We maintain a data retention policy which we apply to records in our care; for further information, please contact us. Where your personal data is no longer required, we will ensure it is either securely deleted or stored in a way which means it will no longer be used.
10. What are your rights?
Data Protection Law gives individuals certain rights in relation to the use of personal data. This section sets out these data rights in more detail:
Right of access
The right of access is commonly referred to as a subject access request (SAR). This right allows you to request a copy of the personal data we hold on you, along with supplementary information on how it is used and who we share it with.
There may be instances where we are unable to supply all personal data, such as where it may impact the rights and freedoms of other individuals or is subject to legal privilege, but we will provide a full explanation to you should this be necessary unless relevant laws or regulations prevent us from doing so.
Right to rectification
You have the right to ask us to rectify inaccurate personal data we hold on you, or update any incomplete data, where this has an impact on the way the data is used.
Right to erasure
This is commonly known as ‘the right to be forgotten’ and provides you with the right to request deletion of your personal data. This right is not absolute and only applies in certain circumstances such as where the data was not collected lawfully or is no longer required for the purpose that it was collected.
We retain data in order to meet legal and regulatory requirements, or legitimate business interests which may result in us being unable to meet your request. Where you exercise this right, we will either confirm that this has been done or provide you with reasons for retaining the data, including how long we will hold it.
Right to restrict processing
You can ask us to restrict the processing of your personal data in the following circumstances:
- the accuracy of the data is contested and is being verified;
- the processing is unlawful but you do not wish for it to be erased;
- it is no longer needed for the purposes for which it was collected, but is still required for the establishment, exercise or defence of a legal claim;
- you have objected to the processing of your personal data and investigations are taking place.
Right to data portability
In certain circumstances, you have the right to request your personal data to be provided in a common, machine-readable format and either provided to you or sent directly to a third-party you nominate.
We will act upon your instructions and confirm that we have done so, or if there is any reason this cannot be done, we will provide an explanation to you.
Right to object
You have the right to object to the processing of your personal data where the processing is carried out in the public interest or for our legitimate interests.
You also have the absolute right to object to processing for direct marketing purposes, which includes any profiling activities we undertake for marketing purposes. If you object, we will ensure that you do not receive future marketing from us unless you notify us otherwise.
Rights related to automated decision making, including profiling
You can object to decisions which are based solely on automated processing where the processing produces legal or other significant effects concerning you (such as the rejection of a claim).
In such situations, you can obtain human intervention in the decision making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision. Your right to obtain human intervention or to contest a decision does not apply where the decision which is made following automated decision making:
- is necessary for entering into or performing a contract with you;
- is authorized by law and there are suitable safeguards for your rights and freedoms; or
- is based on your explicit consent.
To exercise your rights you may contact us as set out in Section 10. Please note the following if you do wish to exercise these rights:
- We take the confidentiality of all records containing personal data seriously and reserve the right to ask you for proof of your identity if you make a request.
- We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive, or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.
- We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
- Local laws, including in the UK, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.
- Third Party Rights. We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects.
11. Contact and complaints
Should you have any queries related to this Policy, please direct these according to jurisdiction using the contact information below:
DUAL Deutschland GmbH
Data Protection Officer
Schanzenstraße 36 / Gebäude 197
51063 Köln
Germany
Telephone: +49 (0)221 16 80 26 0
Fax: +49 (0)221 16 80 26 66
Email: [email protected]
Your right to complain
You have a right to lodge a complaint with your local supervisory authority about our processing of your personal data. We ask that you attempt to resolve any issues with us directly in the first instance, although you have a right to contact your supervisory authority at any time.
The data protection supervisory authority responsible for us is:
The Swedish Authority for Privacy Protection
Visiting address: Fleminggatan 14, 7th Floor, Stockholm
Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden
E-mail: [email protected]
Phone: +46 (0)8 657 61 00
In the EEA, please contact your local authority which you can find here
APPENDIX 1 CATEGORIES OF PERSONAL DATA
INFORMATION TYPE | DETAILS OF INFORMATION THAT WE TYPICALLY CAPTURE |
Contact Details | Name, address, telephone number, email address. |
Policy Information | Policy number, relationship to the policyholder, details of policy including insured amount, exceptions etc., previous claims, payment history, quotes history, voice recordings. |
Personal Risk Information | Gender, date of birth, claims history, marital status, additional information about your lifestyle and insurance requirements, information about your employment. Claims history. Health Data - e.g. physical and mental conditions, medical history and procedures, relevant personal habits (e.g. smoking). Criminal Data - e.g. driving offences, unspent convictions. Data relating to children. |
Financial Information | Bank account details (where you are the payer of the policy premium), data received from credit reference agencies. |
Marketing | Name, email address, interests / marketing list assignments, record of permissions or marketing objections, website data (including online account details, IP address). |
APPENDIX 2 - LEGAL BASIS FOR PROCESSING
Activity | Type of information collected | The basis on which we use the information |
Insured Person | | |
Set up a record on our systems | | |
Carry out background, sanction, fraud and credit checks | | |
Assess risk and provide information to your Broker in order to place policy | | |
Manage renewals | | |
Provide client care and support | | |
Receive premiums and payments | | |
Marketing | | |
Prize draws, competitions and webforms | | |
Comply with legal and regulatory obligations | | |
Claimant | | |
Recording, managing and settlement of claims | | |
Monitor and detect fraud | | |
Comply with legal and regulatory obligations | | |
APPENDIX 3 - GLOSSARY
Automated decision making: refers to a decision which is taken solely on the basis of automated processing of your personal data - this means processing using, for example, software code or an algorithm, which does not involve any human intervention.
Claims Experts: these are experts in a particular field which is relevant to a claim, for example forensic accountancy, who are engaged to help us properly assess the merit and value of a claim, provide advice on its settlement, and advise on the proper treatment of claimants.
Data Controller: means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
EDPB: the European Data Protection Board is an EU independent body whose purpose is to ensure consistent application of data protection regulation.
EU/EEA Supervisory Authority: broad term referring to the data protection supervisor/local authority in EU/EEA states. Details for the relevant local authority can be located here: https://edpb.europa.eu/about-edpb/board/members_en
GDPR: the EU General Data Protection Regulation was implemented in May 2018 and governs how the personal data of individuals is processed. The GDPR is retained in domestic law as the ‘UK GDPR’ and sits alongside the Data Protection Act (DPA 2018).
Insured Person: we use this term to refer to both individual policyholders, as well as any individual who benefits from insurance coverage under an insurance policy (for example, where an employee benefits from coverage taken out by their employer).
Loss Adjuster: this is an independent claims specialist which investigates complex or contentious claims on our behalf or on behalf of a relevant insurer.
Insurers: some policies are insured on a joint or "syndicate" basis. This means that a group of insurers will join together to write a policy. Policies may also be reinsured, which means that the insurer will purchase its own insurance, e.g. from a reinsurer, to cover some of the risk in your policy.
Premium Finance Providers: means a regulated entity which lends funds to a person or company to cover the cost of an insurance premium.
Profiling: means using automated processes without human intervention (such as computer programmes) to analyse your personal data in order to evaluate your behaviour or to predict things about you which are relevant in an insurance context, such as your likely risk profile.
Risk Management Assessors: any internal or external auditor or assessor who may have access to your personal data for the sole purpose of assessing risk to DUAL.
Special Categories of Data: means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.
Service Providers: these are a range of third parties to whom we outsource certain functions of our business. For example, we have service providers who provide / support 'cloud based' IT applications or systems, which means that your personal data will be hosted on their servers, but under our control and direction. We require all our service providers to respect the confidentiality and security of personal data and execute appropriate data processing agreements with them.
Solicitors: we frequently use solicitors to advise on complex or contentious claims or to provide us with non-claims related legal advice. In addition, if you are a claimant, you may be represented by your own solicitor(s).
Third Party Administrators (or TPAs): these are companies outside the DUAL Group which administer the policies, the handling of claims, or both, on our behalf. We require all TPAs to ensure that your personal data is handled lawfully, and in accordance with this Policy and our instructions based on appropriate agreements.
Uninsured Loss Recovery Agencies: means an entity that recovers uninsured losses.