1. OUR APPROACH
1.1. CFC is committed to protecting your privacy. This Privacy Notice (the “Notice”) sets out details of the information that we may collect and how we process the personal data of our customers, brokers and website visitors (“Users”).
1.2. In this notice, references to “we”, “us” or “CFC” mean:
CFC Underwriting Limited, company number: 03302887, registered address: 85 Gracechurch Street, London EC3V 0AA, UK
CFC Claims Limited, company number: 13897666, registered address: 85 Gracechurch Street, London EC3V 0AA, UK
CFC Europe S.A, company number: 0711.818.068, registered address: Bastion Tower, 5 Place du Champs de Mars, 1050 Brussels, Belgium
CFC USA, Inc., DE file number: 7226403, registered address: Floor 16, 48 Wall Street, New York, NY 10005, United States
CFC Underwriting Inc, company number: 1000496243, registered address: 3 Bridgman Avenue, Suite 204, Toronto, ON M5R 3V4, Canada
CFC Claims Inc, company number: 1000756274, registered address: 3 Bridgman Avenue, Suite 204, Toronto, ON M5R 3V4, Canada
1.3. The data controller will be the company that originally collected your information and will be listed on the documentation provided to you. If you have any questions about this Notice, please contact our data protection officer (“DPO”) by clicking here.
2. WHAT INFORMATION DO WE COLLECT
2.1. We will collect personal data when you obtain a quote for one of our products or services, or in the course of providing you with one of our products or services. We will also collect personal data when you register with us or provide your information through our website. The types of information we collect may include:
2.1.1. information you provide us in your insurance application, including names, addresses, date of birth or other information provided by you in your application for insurance;
2.1.2. information you provide us to help us carry out our obligations under any insurance contract in place between us and you;
2.1.3. information you provide us relating to an insurance claim you make or have made;
2.1.4. financial information such as bank account, income or other financial information in order to assess the risk and provide a quote, return premium or facilitate the payment of claims;
2.1.5. when you visit our website we do log your IP address to collect broad geographic information on our site visitors and to optimise our website. We do not link IP addresses to personally identifiable information;
2.1.6. information collected through cookies, for more information on how we use cookies, please click here;
2.1.7. information we obtain as a result of checking sanctions lists, such as those published by United Nations, European Union, UK Treasury, and the U.S. Office of Foreign Assets Control (OFAC); and
2.1.8. information you provide us through one of our mobile apps or customer portals.
2.2. In certain circumstances, we may need to collect sensitive or special category personal data about you, which may include information about:
2.2.1. your physical or mental health condition, or the physical or mental health condition of members of your family, or the physical or mental health condition of one of your employees; and
2.2.2. any criminal offence or alleged criminal offence committed by you, or members of your family, or one of your employees.
2.3. We will only use such sensitive or special category personal data to:
2.3.1. administer or carry out our obligations under any insurance contract in place between us and you;
2.3.2. assess and adjust any insurance claim you make; and
2.3.3. assess and respond to a complaint you might make relating to our products or services.
3. HOW WE USE YOUR INFORMATION
3.1. We will use your personal data, and may share your personal data with other third parties acting on our behalf, for one or more of the following purposes to:
3.1.1. analyse your insurance needs so that we can offer appropriate products;
3.1.2. give you an estimate or provide you with a quote for one of our policies;
3.1.3. perform money laundering checks or other checks required by law;
3.1.4. prevent or detect fraud;
3.1.5. administer or carry out our obligations under any insurance contract in place between us and you;
3.1.6. register and adjust any insurance claim you make;
3.1.7. assess any insurance claim you make, including any liaison with third parties potentially involved in your claims, e.g. communications regarding health information;
3.1.8. assess and respond to a complaint you might make relating to our products or services; and
3.1.9. ensure the security of your account and our business, preventing or detecting fraud or abuses of our website, for example, by requesting verification information in order to reset your account password.
4. INFORMATION FOR MARKETING PURPOSES
4.1. Where you have consented to us using your personal data for marketing purposes, we may use your information as follows:
4.1.1. to provide you with information, products or services that you request from us or which we feel may interest you; and
4.1.2. for market research purposes, where we may contact you to ask for your feedback.
If at any time after you have consented to us using your information for marketing purposes you wish us to stop using your information for these purposes, you will always be able to unsubscribe by clicking on the unsubscribe link within the marketing emails you receive from us.
5. GROUNDS FOR PROCESSING
5.1. To process your data lawfully we need to rely on one or more valid legal grounds. Our primary legal ground is that we need the data to fulfil our contract with you or to take certain steps prior to entering our contract with you. However, there may be circumstances where we also rely on other valid legal grounds, such as:
5.1.1. your consent to particular processing activities. For example, where you have consented to us using your information for marketing purposes;
5.1.2. our legitimate interests as a business (except where your interests or fundamental rights override these). For example, it is within our legitimate interests to use your data to prevent or detect fraud or abuses of our website; or
5.1.3. our compliance with a legal or regulatory obligation to which CFC is subject. For example, we have a regulatory duty to investigate and respond to complaints made against us and may need to process your data as part of such investigation.
6. DISCLOSURE OF YOUR INFORMATION
6.1. There are circumstances where we may wish to disclose or are compelled to disclose your personal data to third parties. This will only take place in accordance with the applicable law and for the purposes listed above. These scenarios include disclosure to:
6.1.1. our subsidiaries, group companies, branches or associated offices;
6.1.2. third party service providers or suppliers to facilitate the provision of our services or products to our Users. For example, this may include disclosure to: our data centre provider for the safe keeping of your personal data, webhosting provider through which your personal data may be collected, identity verification partners in order to verify your identity against public databases and our marketing service provider to allow us to manage marketing communications;
6.1.3. third party service providers and consultants in order to protect the security or integrity of our business, including our databases and systems and for business continuity reasons;
6.1.4. third party service providers in order to satisfy our legal obligations, including anti-fraud databases, credit reference agencies, sanctions check agencies, police and law enforcement, regulators and supervisory authorities;
6.1.5. our carriers and/or our reinsurers, to facilitate the provision of our services or products to you;
6.1.6. another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, financing, sale, merger, reorganisation, change of legal form, dissolution or similar event. In the case of a merger or sale, your personal data will be permanently transferred to a successor company;
6.1.7. legal advisors who may need to manage or litigate an insurance claim;
6.1.8. public authorities where we are required by law to do so; and
6.1.9. any other third party where you have provided your consent.
7. INTERNATIONAL TRANSFER OF PERSONAL DATA
7.1. We may need to transfer your personal data internationally, either within the CFC group or to third parties, as set out in paragraph 6.
7.2. Where required by applicable law, we ensure that your privacy rights are adequately protected by appropriate technical, organisation, contractual or other lawful means including by:
7.2.1. ensuring that transfers related to UK and EU data subjects within the CFC Group are subject to the EU Commission’s standard contractual clauses, and the ICO’s international data transfer addendum;
7.2.2. where we need to send your personal data to third parties who are involved in providing you with services, we require them to provide contractual commitments that preserve your privacy rights, including by incorporating standard contractual clauses and completion of appropriate due diligence, where required.
If you would like to know more about how we protect your personal data and privacy rights, and for a copy of the safeguards we have in place, please contact dataprotection@cfc.com.
8. RETENTION OF PERSONAL DATA
8.1. If you are, or have previously been, a customer of ours then we may continue to hold and process your information for the purpose of continuing to carry out our obligations in connection with the insurance contract between us and you. We will continue to hold and process your information for the duration of the insurance contract and for a reasonable period of time afterwards in accordance with CFC’s Data Retention and Destruction Policy and as required by the applicable law for each CFC entity listed in section 1.2 above.
8.2. We may keep an anonymised form of your personal data, which will no longer refer to you, for statistical purposes without time limits, to the extent that we have a legitimate and lawful interest in doing so.
9. DATA SUBJECT RIGHTS
9.1. Data protection law provides individuals specific data subject rights, which may include the right to: access, rectify, erase, restrict, transport, and object to the processing of, their personal data. Individuals also have the right to lodge a complaint with the relevant data protection authority if they believe that their personal data is not being processed in accordance with applicable data protection law. For residents of California, please see the CCPA Addendum.
9.2. The data subject rights listed below do not apply in all circumstances, and not all of these will be available to you if you are subject to data protection law outside the UK/EU. In certain circumstances, the rights listed below may be restricted if an appropriate exemption applies i.e. to prevent fraud or maintain privilege. If you have any questions about your data subject rights please do contact us.
9.3. To exercise your rights, or if you have any queries regarding your rights, please make your request in writing to the DPO whose contact details are available in paragraph 1.2 above. Please make your request clear as to which right(s) you would like to exercise. You may also be required to submit a proof of your identity and a fee.
9.3.1. Right to make subject access request (SAR). Where we are processing your personal data as a data controller you may, where permitted by applicable law, request copies of your personal data.
9.3.2. Right to rectification. You may request that we rectify any inaccurate and/or complete any incomplete personal data.
9.3.3. Right to withdraw consent. You may, as permitted by applicable law, withdraw your consent to the processing of your personal data at any time. Such withdrawal will not affect the lawfulness of processing based on your previous consent.
In some instances, we do need your consent to provide you with insurance services. If you withdraw your consent we may not be able to provide further services to you.
9.3.4. Right to object to processing. You may, as permitted by applicable law, request that we stop processing your personal data.
9.3.5. Right to data portability. You may request for us to transfer your personal data to a third party of your choice.
9.3.6. Right to erasure. You may request that we erase your personal data and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping your personal data, such as a legal obligation that we must comply with, or if retention is necessary for us to comply with our legal obligations.
9.3.7. Your right to lodge a complaint with the supervisory authority. We suggest that you contact us about any questions or if you have a complaint in relation to how we process your personal data. However, you do have the right to contact the relevant supervisory authority directly, if you are unsure which supervisory authority to contact, please do let us know. To contact the Information Commissioner’s Office in the United Kingdom, please visit the ICO website for instructions.
10. PROFILING
10.1. At CFC we are always looking to find ways of building efficiencies into our business, and in order to achieve this we do carry out some profiling using data analytic and matching technologies so that we can deliver and bind quotes accurately and quickly.
10.2. We may process the data you provide to us against publicly available data sources to determine the accuracy of your insurance application and assist in preventing fraud as part of our underwriting processes.
We utilise these technologies responsibly to ensure that the technology supports our operations and does not lead to unfair or biased outcomes.
11. LINKED WEBSITES
Please note that any websites that may be linked to our websites are subject to their own privacy notice.
12. CHANGES TO THIS NOTICE
We may update this notice from time to time to ensure that it remains accurate. Please do check our site regularly so you are fully aware of any changes.
This notice was last updated on: 01 August 2024