
Privacy Notice

Catholic Insurance Service Ltd (also referred to as ‘CIS’, ‘we’, ‘us’ or ‘our’) is committed to respecting the privacy of all individuals whose personal data we process, including visitors to our website, our clients and contacts, and individuals whose personal data is shared with us by our clients.

Please read this Privacy Notice carefully to understand how we use and protect the personal data that you provide to us and that which we otherwise obtain about you, and to understand what your rights are in respect of the information that we hold. Please note this Privacy Notice only applies to ‘personal data’, i.e. information about living identifiable individuals.

Purpose of this Privacy Notice

This privacy notice (“Privacy Notice”) describes how CIS collects and uses your personal data and any personal data relating to others that you share with us.

It is important that you read this Privacy Notice together with any other Privacy Notice that we have provided or may provide to you when we are collecting or processing personal data about you in other contexts. This Privacy Notice supplements any other notices that we provide to you.

In this notice, references to the GDPR are to the General Data Protection Regulation (EU 2016/679) including as implemented into UK law as a result of the UK’s exit from the EU. References to the DPA 18 are to the Data Protection Act 2018.


Who we are

CIS is registered as a company in England (no. 04493403) and is authorised and regulated by the Financial Conduct Authority (no. 771050). Our registered office is Suite 5, Oxford House, Oxford Road, Thame, Oxfordshire, OX9 2AH.

We are the controller of your personal data which is referenced in this Privacy Notice.


When do we collect your personal data?

We collect personal data in a number of ways including:

  • When we perform services for our clients (including insurance broking, claims management and other forms of insurance services);

(In these cases we typically obtain your personal data from our clients (or their advisors and/or insurers). In some cases we may obtain your personal data from you directly.)

  • If you contact us as a representative of your employer in order to enquire about, commission or use our services;
  • When you contact us directly in relation to travel insurance of which you are a beneficiary;
  • Where a member of your family provides us with personal data about you in connection with a travel insurance or other claim;
  • Where you are a professional adviser or expert such as a lawyer who is involved in advising on claims with which we are assisting our clients;
  • When you attend one of our events;
  • When you apply for a position at CIS in which case you will be provided with a copy of CIS’s Recruitment Privacy Notice;
  • If you contact us with a complaint or query;
  • If you provide personal data to us when you use our website.

When do you provide us with personal data about other people?

We request that you avoid providing us with personal data relating to other people unless we have specifically requested it.

However, there may be situations where we collect information from you about other people, for example, information about:

  • individuals given to us by a group representative where those individuals are covered by a group insurance policy,
  • family members or others whose personal data you provide to us in connection with a claim in the context of travel or other insurances;
  • individuals who are claimants, defendants, witnesses or other named parties in a claim or potential claim against one of our clients.

If you give us personal data about another person, please ensure and confirm to us that:

  • you have told the individual who we are and provided them with a copy of this Privacy Notice; and
  • you have permission from the individual to provide their personal data to us.

What personal data may we collect and process?

Information you provide to us

If you seek any services from us (e.g. a quotation for insurance cover) or become a client of CIS, we may collect some/all of the following personal data from or about you:

  • name, address, e-mail address, telephone numbers and other contact details;
  • date and place of birth, gender, marital status;
  • employment status;
  • nationality;
  • financial information, including bank account details.

and other personal data depending on the nature of the insurance and services we offer and/or provide to you. This may include sensitive personal data (also known as ‘special category’ personal data) (see paragraph for more information).

Information we obtain from our clients or others

We may also receive information about you (including if you are members of clergy or staff of our clients) from third-parties such as insurers, insurance intermediaries, loss adjusters, solicitors and other professionals who provide services relating to insurance and other support that we offer. Our clients may also provide us with information about you if you are involved in a transaction, dispute or claim with one of our clients or if you have a connection with them such as being a tenant or volunteer of a client. Examples of the personal data that we may process in this context include:

  • your name and contact details;
  • allegations of offences including criminal offences that have been made against you or by you;
  • witness statements which contain personal data about you including in some cases special category data about you such as information about your health;
  • details of any complaint(s), dispute(s) or transaction(s) between you and our client.

Information we collect via the CIS website

We may collect personal data about you if you provide it to us via the CIS website including:

  • Your name;
  • Your email address and telephone number;
  • Any personal data that you include in the “Your message” box on the Contact us page;
  • Any personal data that you provide via the members’ section of the site.

Information we collect about you if you make a complaint to us

When concerns are raised with us, we may collect personal data such as:

  • Your name, address, telephone number, email address and mobile phone number;
  • Information relating to the matter about which you sought our advice;

What about personal data that is considered more sensitive?

We will only collect and use sensitive information (also known as ‘special category data’ under the GDPR) if there is a valid reason for doing so and where the law allows us to. Sensitive information includes personal data about health, ethnicity, religion, political opinions or sexuality (which would include information relating to alleged victims or perpetrators of sexual abuse).

Where possible we aim to collect these types of personal data in limited circumstances and we request that, where possible, you avoid disclosing to us any sensitive information relating to you or anyone else.

However, there are situations where we may collect special category data about you. This information may be required, for example, to arrange certain insurance (e.g. travel insurance) or private healthcare for you. We may also hold this information about you where you are the alleged victim or perpetrator of sexual abuse in relation to a claim against one of our clients.

Where necessary, we shall obtain your explicit consent to the processing of such information. Alternatively we may rely on other applicable lawful bases under the GDPR or DPA 18 which permit the processing of special category data without obtaining consent (see for more information).


Website and cookies

We may collect personal data through your use of our website, including IP addresses and other information captured using cookies. A cookie is a small piece of information that is placed on your computer when you visit certain websites. Cookies allow websites to respond to you as an individual.  To learn more about cookies please visit:

We use session cookies (which will be deleted when you close your browser) and persistent cookies (which will remain across different visits of our website).  When you visit our website, your computer may receive the following cookies:

  • __utma: A persistent cookie used by Google Analytics to track the number of times a visitor has been to the site, when their first visit was, and when their last visit occurred.
  • __utmb: A persistent cookie used by Google Analytics which keeps a timestamp of the exact moment in time when a visitor enters a site.
  • __utmc: A session cookie used by Google Analytics which logs when a visitor leaves this website.
  • __utmz: A persistent cookie used by Google Analytics which keeps track of where the visitor came from, search engine used, and other information related to this visit.

Most browsers allow you to refuse to accept cookies. For example:

  • Internet Explorer: you can refuse all cookies by clicking “Tools”, “Internet Options”, “Privacy”, and selecting “Block all cookies” using the sliding selector.
  • Firefox: you can adjust your cookies settings by clicking “Tools”, “Options” and “Privacy”.
  • Google Chrome: Click on the “Tools” menu and select “Options”. Click the “Under the Bonnet” tab, locate the “Privacy” section and click the “Clear browsing data” button. Select “Delete cookies and other site data” to delete all cookies from the list.

Please note that blocking cookies may have a negative impact upon the usability of our website.

Information gathered through cookies is used to measure and analyse information on visits to our website, to tailor the website to make it better for visitors and to improve its technical performance. We will not use the data to identify you personally or to make any decisions about you.


How do we use your personal data?

The personal data which we hold about you, whether it is collected directly from you or whether we receive it from a third party, may be processed for a number of reasons, for example, to:


  • provide you with information you may request about the services we offer;
  • verify your identity and check any relevant background circumstances for anti-money laundering purposes;
  • provide you with insurance intermediary services including policy administration and overseeing claims;
  • enable your insurance to operate (e.g. in the event of a claim);
  • provide you with legal or risk management advice;
  • send you important information regarding changes to your insurance policies and other administrative information that we need to send from time to time;
  • prevent and detect crime, including fraud and money laundering;
  • administer payments;
  • improve our products and services;
  • resolve complaints and handle requests from individuals;
  • manage our business operations, maintain internal records and comply with internal policies and procedures, including those relating to auditing, finance and accounting, billing, IT and data and records management;
  • comply with our statutory and regulatory obligations;
  • collate information relevant to assisting both our and our client’s co-operation with public inquiries and to provide such information to such inquiries where requested;
  • establish and defend our legal rights.

If you do not provide the information requested, we may not be able to arrange your insurance or provide certain other services to you.


We may also use your information for marketing and hospitality purposes, for example, to:

  • send you communications about CIS and other services we provide that may be of interest to you (e.g. sending you newsletters);
  • provide you with updates on legal and insurance developments;
  • contact you about other activities we may undertake and events we may host.

See below for more information on our use of your personal data for marketing purposes.


On what lawful basis do we process your personal data?

We only collect, use and store your personal data where we have a lawful basis to do so. This will vary according to the circumstances of how and why we have your information, but typical examples include:

  • it is within our legitimate business interests.  We rely on this basis where applicable law allows us to collect and use personal data for our legitimate interests and the use of your personal data is fair, balanced and does not unduly impact your rights. For instance, it is in our legitimate interest to provide insurance intermediary, risk management and advice services;
  • you have given consent (which can be withdrawn at any time by contacting us using the details below) for us to process your information (e.g. in relation to certain marketing communications);
  • we are carrying out necessary steps in relation to a contract to which you are party or prior to you entering into a contract (e.g. where you have entered into an insurance contract);
  • the processing is necessary for compliance with a legal obligation (e.g. for us to verify your identity under anti-money laundering requirements).

If we process any special categories of personal data (e.g. information revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; data concerning your health, sex life or sexual orientation), we must be able to satisfy an additional condition to permit the processing. This may include:

  • where the processing is necessary for an insurance purpose (e.g. obtaining medical information in connection with a claim for medical expenses under a travel policy);
  • where you have given us your explicit consent to do so (e.g. to cater for your medical or dietary needs at an event);
  • you have made the information public;
  • where the processing is necessary for the establishment, exercise or defence of legal claims; or
  • the processing is necessary for reasons of substantial public interest (e.g. where steps are taken to prevent fraud or other dishonest activity).

If we process any information relating to (alleged) criminal convictions or offences, we will typically rely on one of the following lawful bases:

  • preventing or detecting unlawful acts;
  • complying with our regulatory requirements in relation to unlawful acts or dishonesty;
  • dealing with suspicions of terrorist financing or money laundering;
  • obtaining legal advice or establishing, exercising or defending legal rights.


If you or the organisation that you represent becomes a client of CIS or is one of our professional contacts, we may use your personal data to invite you to hospitality events or other selected events for clients/contacts and/or to send you information that we think may be of interest to you or your organisation. It is within our legitimate interests as an insurance intermediary to use your information in this way.

You will be given an opportunity to let us know if you do not wish to receive direct marketing materials and communications from us either at the time you provide your details to us and/or within each such communication.

If you change your mind about being contacted by us in the future, change your contact details, or if any information that we hold about you is inaccurate or out-of-date, please contact us so that we can update your details.


Data Security

We have in place administrative, technical and physical measures designed to guard against and minimise the risk of damage to or loss, misuse, or unauthorised processing or disclosure of the personal data that we hold.



Who may we share your personal data with?

As an insurance intermediary we must disclose personal data to insurance companies, underwriting agencies, business partners and other parties in order to provide our products and services and, in some cases, to enable you to enter into insurance contracts. Examples of other parties include other insurance intermediaries, loss adjusters, regulatory bodies, legal firms, financial institutions and others involved in administering policies and handling claims.

We may also be required to share your personal data with public inquiries such as the Independent Inquiry into Child Sexual Abuse or fraud prevention agencies such as the Claims and Underwriting Exchange Register and Theft Register. We may pass information relating to your insurance policy and any incident to the operators of these registers, their agents and suppliers.

Sometimes we contract with third parties whom we ask to process personal data on our behalf (e.g. IT consultants or cloud hosting providers). We require these third parties to comply strictly with our instructions and with data protection laws. Such service providers are contractually restricted from using or disclosing the information we give them except as necessary to perform services on our behalf or to comply with legal requirements.

We may also disclose personal data to new owners of our business in the event that we are subject to a merger or acquisition in which case we will disclose your personal data to the prospective transferor or transferee of such business or assets. Disclosure may also be made to enable company audits, for professional advice purposes (e.g. with our lawyers), regulatory inspections or to investigate a complaint, suspicion of fraud or a security threat.

We only share your personal data if we are satisfied that our partners or suppliers have sufficient measures in place to protect your information in the same way that we do. We never share your personal data outside our organisation for marketing purposes.

We reserve the right to disclose your personal data to third parties:

(a)     if we are under any legal or regulatory obligation to do so, e.g. to comply with legal process or requests from government authorities;

(b)     to permit us to pursue available remedies or limit the damages that we may sustain; and/or

(c)     in connection with any legal proceedings or prospective legal proceedings, in order to establish, exercise or defend our or a third party’s legal rights.


Transfers of your personal data outside the UK

In the course of processing your personal data, or disclosing it to the recipients referred to above, we may transfer it to countries which are outside the United Kingdom (UK), for example, in order to handle travel insurance claims and provide emergency medical assistance services when you are abroad.

Some countries outside the UK may not have laws which provide the same level of protection to your personal data as the UK. In such cases we will take steps to ensure that the transfers comply with the GDPR and that your personal data is appropriately protected.


Your rights in relation to your personal data

You have rights in respect of the personal data you provide to us. In particular:

  • the right to request a copy of some or all of the personal data that we hold about you;
  • if we process your personal data on the basis that we have your consent, the right to withdraw that consent;
  • the right to ask that any inaccuracies in your personal data are corrected;
  • the right to have us restrict the processing of all or part of your personal data;
  • the right to ask that we delete your personal data where there is no compelling reason for us to continue to process it;
  • the right to request a copy of the personal data that we hold about you, in a structured, commonly used and machine-readable format and/or to transmit that data to a third party;
  • the right to object to the processing of your personal data where we: (i) process on the basis of the legitimate interests ground; (ii) use the personal data for direct marketing; or (iii) use the personal data for statistical purposes;
  • the right not to be subject to legal or other significant decisions being taken about you on the basis of a solely automated process (i.e. without human intervention).

Please note that the above rights may be limited in some situations, for example, where we can demonstrate that we have a legal requirement to process your personal data. You should also bear in mind that, by exercising some of these rights, you may hinder or prevent our ability to provide you with products and services.

Rights may only be exercised by the individual whose personal data is being held by us or with that individual’s express permission. We may need you to provide us with proof of identity for verification and data security purposes before you can exercise your rights.

If you want to invoke any of these rights, please contact us using the details below.

Please note that you also have the right to lodge a complaint with your local data protection authority about how we use your personal data if you are located in the UK or the EU. Please always consider raising your concern with us first by contacting us using the contact details below.


Retention of and changes to your personal data

We will ensure that the personal data we process for the purposes set out above is accurate and up-to-date.

We will keep your personal data for as long as necessary:

(a)     to comply with any statutory or regulatory requirements we are subject to under applicable law;

(b)     to fulfil the purposes for which the personal data was collected; and

(c)     to defend our or a third party’s legal rights.

We expect to keep most of the personal data that we hold for a minimum of one full policy year from the closure of a claim or the expiry of any applicable limitation period. We will keep clients’ personal data for at least six full years from the date when the client relationship ceases. In many cases, we may need to keep personal data for longer than this. Once we no longer need your information, it will be securely and confidentially destroyed or deleted.

If you have any questions about the retention periods for holding your personal data, please contact us using the Contact Us details below.



Contact Us

If you have any questions, require further information about how we protect your personal data, wish to exercise any of the above rights or if you would like to provide feedback or make a complaint about the use of your information, please contact us:

Catholic Insurance Service Limited

Registered Office:
Suite 5
Oxford House
Oxford Road

Telephone: 01296 422030
Email address:

Any complaints will be dealt with in accordance with our Complaints Policy.

We hope that we can satisfy any queries you may have about the way in which we process your personal data.


Changes to this Privacy Notice

We may make changes to this Privacy Notice from time to time as our business practices and/or applicable laws change.  We will not make any use of your personal data that is inconsistent with the original purpose(s) for which it was collected or obtained, or otherwise than is permitted by data protection laws. We will make reasonable efforts to notify you of any changes.
