This Privacy Statement covers the information practices of Lark (Group) Limited (registered number; 02831010) and Lark Employee Benefits Limited (registered number; 02792080), each a data controller and whose registered office is at;
We take the protection of your privacy and the confidentiality of your personal information seriously and this Statement sets out how we meet our obligations regarding data protection and the rights of our customers and prospective customers (‘data subjects’) in respect of their personal data under the Data Protection Act 1998 (‘the DPA’), and the forthcoming General Data Protection Regulation (‘the Regulation’).
The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Lark (Group) Limited and Lark Employee Benefits Limited are committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.
2.SHARING YOUR DATA
Aston Scott Limited, AH Bell & Co (Insurance Brokers) Limited, Lark (Group) Limited and Lark Employee Benefits Limited (collectively the ‘Data controllers’) will be merging in 2018. In order to plan for the merger of the businesses, the Data Controllers will share your personal data with each other and once merged will operate as a single business to be known as ‘Aston Lark’. As a Data Controller, each entity is responsible for safeguarding your personal data. Where we have a specific Non-Disclosure Agreement in place with you, your data will only be shared with your explicit prior consent in accordance with its terms.
We do not sell, rent or trade our mailing lists, phone numbers or email addresses.
3.THE DATA PROTECTION PRINCIPLES
We comply with the Regulation which sets out the following principles with which any party handling personal data must comply. All personal data must be:
- processed lawfully, fairly, and in a transparent manner in relation to the data subject;
- collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific, regulatory or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific, regulatory or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
4.HOW WE WILL COLLECT INFORMATION ABOUT YOU
We will only collect and process personal data for and to the extent necessary for the specific purpose(s) informed to you. The information obtained about you will be that which is supplied by you and your agents and representatives, as well as information: received from insurers and their agents; generally available such as online and from third party data processors; and searches that we undertake in relation to sanctions, money laundering, and credit checks.
This will include data that you input into our webpages, whether this is in relation to raising an enquiry with us, obtaining a quotation (even if this process is discontinued before being finished), or requesting documentation.
The information obtained could include; your name, contact details (including address and e-mail address, telephone number), date of birth, gender, marital status, financial details, details of occupants of your property, employment details and benefit coverage, and details of your visits to and usage of our website (please see our Cookies policy). We may also collect sensitive personal data about you such as criminal convictions or health information (a full list of sensitive personal data is set out in the DPA).
5.HOW WE WILL USE YOUR INFORMATION
The Data Controllers shall ensure that all personal data collected and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Your personal information will be used to enable us to fulfil our role in relation to your insurance cover and provision of any ancillary risk management services. This will be by:
- assessing your circumstances and insurance needs;
- presenting such details to insurers for the purpose of obtaining quotations and placing cover;
- arranging premium finance arrangements;
- contacting you about products and services available from Lark Group companies which may be of interest to you;
- processing claims;
- undertaking checks to guard against fraud, money laundering, bribery and other illegal activities;
- handling complaints; and
- analysing data, identifying trends, and developing our business services.
To ensure that our processing of your data is lawful, such processing will only be undertaken if;
- you have given your consent *; or
- it is necessary for the performance of a contract to which you are, or will be, a party; or
- processing is necessary for compliance with a legal obligation to which we are subject; or
- processing is necessary to protect your vital interests; or
- to perform a task carried out in the public interest or in the exercise of official authority vested in us; or
- processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child.
* CONSENT – currently under the DPA we are permitted to process data under ‘implied consent’ (an assumption of permission to do something that is inferred from an individual's actions rather than explicitly provided). Because we need to process your data in order to provide our services to you we rely on the implied consent provision – this does not extend to ‘sensitive’ personal data (as defined in the DPA and the Regulation) for which explicit consent is required. Under the Regulation we will no longer be able to process your personal data under ‘implied consent’.
We may also analyse your data, either in isolation or in connection with wider data groups, to reveal patterns, trends and associations, to assist us in making strategic business decisions.
Companies within the Lark group of companies and Aston Scott group of companies may contact you about relevant products and services which may be of interest to you. If you do not wish your data to be used in this way you should write to the Data Protection Compliance Officer at; Compliance@larkinsurance.co.uk.
6.DISCLOSURE OF YOUR PERSONAL INFORMATION
Where we use third parties to undertake functions on our behalf we will share relevant information with such third parties. This will include: insurers; premium finance providers; loss adjusters and loss assessors; incident management firms; professional advisors; other insurance brokers; agents and service providers/processors (e.g. risk managers, administrators, mailing/fulfilment houses).
Information may also be supplied to our internal auditors and professional regulatory bodies if required by them and to other parties if required or permitted by law.
It is our policy to retain documents and information about you, including insurances effected on your behalf, in electronic or paper format for a minimum of seven years or such longer period as appropriate having regard to when a claim or complaint may arise in connection with our processing of your information. The legal basis for this processing is that it is necessary for the protection of our legitimate interests. After seven years, these may be destroyed without notice to you. You should therefore retain all documentation issued to you.
You have the right to;
- information about how your data is processed,
- access the data we hold about you which will be provided to you within one month of your request, and is free of charge unless we reasonably believe that your request is manifestly unfounded or excessive,
- have incomplete or inaccurate data rectified,
- the deletion or removal of personal data where there is no compelling reason for us to continue to process it,
- restrict our processing of your personal data (although we will still be permitted to store it),
- data portability (with effect from 25th May 2018 we will be obliged to provide your data in a format that allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability),
- object to our processing your data where we do so in connection with our legitimate interests, or in relation to our profiling your data or using it for marketing purposes.
If you would like to exercise any of your rights above you may do so by writing to us at the address at the beginning of this notice, or e-mailing us with specific details of your request at; firstname.lastname@example.org.
8.TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE EEA
The Data Controllers may from time to time transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA. This will take place only if one or more of the following applies;
- The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;
- The transfer is to a country (or international organisation) which provides appropriate safeguards ;
- The transfer is made with the informed consent of the relevant data subject(s);
- The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);
- The transfer is necessary for important public interest reasons;
- The transfer is necessary for the conduct of legal claims;
- The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or
- The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.