Privacy & data protection policy
At Howden Insurance Brokers Nederland B.V. (“Howden Nederland”, “we”, “us”, “our”) we regularly collect and use information which may identify individuals (“personal data”) in connection with advising, arranging and assisting in the administration and performance of general insurance contracts. These individuals may include professional contacts, insured persons or claimants (“you”, “your”). We understand our responsibilities to handle your personal data with care, to keep it secure and to comply with applicable data protection laws.
The purpose of this Privacy Notice is to provide a clear explanation of when, why and how we collect and use personal data. We have designed it to be as user-friendly as possible, and have labelled sections to make it easy for you to navigate to the information that may be most relevant to you and to allow you to click on a topic to find out more.
Do read this Privacy Notice with care. It provides important information about how we use personal data and, where we hold your data, explains your legal rights. This Privacy Notice is not intended to override the terms of any agreement or other contract which you have with us or any rights you might have available under applicable data protection laws.
We may amend this Privacy Notice from time to time, for example to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will notify you about material changes by prominently posting a notice on our website. We encourage you to periodically check back and review this Privacy Notice so that you will always know what information we collect, how we use it, and with whom we share it.
This version of the Privacy Notice was published on 29 June 2022.
Who does this Privacy Notice relate to?
This Privacy Notice relates to the following types of individuals, where we hold your personal information:
- Individuals who are prospective, current or former clients;
- Employees or representatives of our prospective, current or former clients;
- Other individuals named in policy or transactional documents;
- Visitors to our websites;
- Individuals who contact us with a query, concern or complaint;
- Individuals who request information from us or permit us to contact them for marketing purposes.
There are types of individuals who this Privacy Notice does not relate to, for example our employees and sub-contractors (including prospective and former employees and sub-contractors). If you are one of these individuals and would like further information on how we collect, use and store your data, please contact us. Our contact details are shown in Section 9.
1. WHO is responsible for looking after your personal data?
We are a data controller and a subsidiary of Howden Broking Group Limited (“HBG”), which is part of the Howden Group. Our registered office is at Veerhaven 7, 3016 CJ, Rotterdam, Netherlands, with company registration number 58513396, and our WFT-register license number is 12042018. Finally, we are registered with KiFiD under number 300.015556.
2. WHAT personal data do we collect?
We collect your personal data and use it in different ways depending on your relationship with us and how you have interacted with us. We may collect this personal data from you directly, or we may be provided with it by a third party. Depending on your relationship with us, we may hold the following types of personal data about you:
- Identity and contact data: for example, your name, date of birth, postal address, telephone number and e-mail address;
- Claims data: for example, data relating to claims made via us, or your previous claims experience;
- Payment and account data: for example, your bank account details or brokerage fees;
- Location data: for example, your postal or IP address, the location of any insured property, and in the event of a claim, where the incident occurred;
- Correspondence data: for example, copies of letters and e-mails we send you or you send to us, and notes or call recordings of any telephone conversations;
- Internet data: for example, information collected by cookies and other online technologies such as Google Analytics, as you use our website or contact us by online methods;
- Information we obtain from other sources: for example from credit agencies, anti-fraud and other financial crime prevention agencies and other data providers. This can include demographic data and interest-based data;
- Complaint data: for example, what the complaint was, how we investigated it and how we resolved it, including any contact with KiFiD or other third party adjudicator services.
Some of our processes combine different sets of information we hold. This can include combining different data sets we have about you, or combining your information with that of other individuals.
Special Category Data
Certain types of information are known as “special category data” under data protection law, and receive additional protection due to their sensitivity, for example information that reveals an individual’s health or medical condition, criminal conviction history, race or ethnicity, political views or religious beliefs. We will only collect this information where we have a legal basis for doing so, and where it is strictly necessary, such as:
- When it is relevant to the type of insurance you are enquiring about, have purchased, previously held or that you have been named on;
- When it is relevant to a claim you have made or that someone else has made against you;
- Where it is relevant to a complaint or issue you have raised with us; and,
- To arrange alternate forms of correspondence for you, such as Braille, audio format or Touch-Type services.
3. What PURPOSES do we use your personal data for and what is our LEGAL BASIS?
Data protection law requires us to establish a legal basis to use your personal data. We will generally use your personal data for one of the four reasons set out below:
- To enter into or perform a contract: for example to provide you or the business you represent with an insurance quotation, to start, change or cancel an insurance policy, to administer the policy, to manage any claims which arise, to answer any queries you may have, action your requests or perform any debt recovery;
- To comply with a legal obligation: for example the rules set by regulators in the European Union (EU), to fulfil your rights under data protection laws, to handle complaints, and to comply with other legal requirements such as preventing financial crimes;
- For our legitimate business interests: for example to detect and prevent fraud, for statistical analysis, to monitor and improve our business and our products and services, to demonstrate compliance with applicable laws and regulations and some marketing activities. Where we rely on our legitimate interests to process personal data, we assess our business needs to ensure they are proportionate and do not affect your rights. In some instances, you also have the right to object to this kind of use as explained under Section 8;
- With your consent: for example when you permit us to use your personal data for a specific purpose where no other lawful basis applies. Where a processing activity is based on your consent, documentation that you need to complete will include a provision where you can indicate that consent. You are able to subsequently withdraw that consent at any time as explained under Section 8, and we will tell you more about the possible consequences of doing so at that time.
Although data protection law provides for other legal bases, these are either unlikely to apply due to the nature of our business or would only be applicable in extreme circumstances, such as needing to use your personal data in order to protect your life or the lives of others.
Special Category Data
The processing of special category data requires an additional legal basis to the grounds set out above. This additional legal basis will typically be:
- your explicit consent;
- the establishment, exercise or defence by us or third parties of legal claims; or
- a substantial public interest exemption provided for under local law, such as where the processing is necessary to assist with the management and implementation of insurance, or to detect or prevent unlawful acts, or to prevent fraud.
4. Who do we SHARE your personal data with?
Where applicable, we share your personal data with the following types of third parties when we have a valid reason to do so:
- Other companies within Howden Group Holdings (HGH) which support us in providing our services to you;
- Insurers and intermediaries including, but not limited to, insurance brokers, managing general agencies, risk management assessors, loss recovery agencies, third party administrators and claims assessors who work with us to help manage the services we provide;
- Service Providers, who help manage our IT and back office systems;
- Our regulators in the Netherlands and EU, which may include Autoriteit Financiële Markten (AFM) and Autoriteit Persoonsgegevens (AP), and around the world;
- Credit reference agencies and organisations working to prevent fraud in financial services;
- Solicitors and other professional services firms representing you, us or a third party claimant;
- Customer satisfaction service providers, acting on our behalf in capturing feedback from our customers on our service levels; and
- Potential purchasers of our businesses.
As stated above, we may make your information available to other HGH companies so that they can provide us with IT and infrastructure support, for statistical analysis, for business reporting or for external business development purposes for which they may receive remuneration, such as providing market insight to insurers on a confidential basis. We and they will only disclose your personal data to third parties outside of the Howden Group in accordance with data protection law, or in an anonymised and/or aggregated format where necessary to support the purposes stated above.
5. International Transfers
For business purposes, to help prevent/detect crime or where required by Law or Regulation, we may need to transfer, or allow access to, your personal data to parties based overseas. These parties include brokers, insurers, re-insurers, service providers, other Howden Group companies and law enforcement agencies. Where we do this, we will ensure that your information is transferred in accordance with applicable data protection laws.
If the data protection laws of the country to which we intend to transfer your personal data are not recognised as being equivalent to those in the EU, we will ensure that the recipient enters into a formal legal agreement that reflects the standards required.
You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 9 if you would like further information.
6. Automated Decision Making and Profiling
If you are an Insured Person undertaking a credit check through a premium finance lender, we may use Automated Decision Making to determine what action to take based on the resulting credit score. We do not use Profiling.
Please note: You have certain rights in respect of Automated Decision Making and Profiling. See Section 8 for more information about your rights.
7. How long do we keep your personal data?
We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 3. In most cases this will be for seven (7) years following the end of our relationship with you; however, in some circumstances we may retain your personal data for longer periods of time, for instance:
- Where we are required to do so in accordance with legal or regulatory requirements;
- So that we have an accurate record of your dealings with us in the event of any complaints;
- If we reasonably believe there is a prospect of litigation relating to our dealings with you.
We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used. You can request a copy by contacting us on the details shown in Section 9.
8. What are your rights?
Data protection law gives you rights relating to your personal data. This section gives you an overview of these rights and how they relate to the information you give us. The Autoriteit Persoonsgegevens has also published detailed information about your rights on their website: https://www.autoriteitpersoonsgegevens.nl/
- Your right of access
You have a right to request copies of the personal data we hold on you, along with meaningful information on how it is used and who we share it with. This right always applies, but there are some instances where we may not be able to provide you with all the information we hold. If this is the case, we will confirm why we are unable to provide it, unless there is a valid legal reason why we cannot.
- Your right to rectification
If personal data we hold is inaccurate or incomplete, and this has an impact on the way we are using your data, you have the right to have any inaccuracies corrected and for any incomplete data to be completed. If you ask us to rectify your personal data, we will either confirm to you that this has been done, or if there is a valid reason that this cannot be done, we will let you know why.
- Your right to erasure (the right to “be forgotten”)
You have the right to request that your personal data is erased in certain circumstances. If you ask us to erase your personal data, we will either confirm to you that this has been done, or if we are unable to delete it, let you know why and also inform you how long we will hold it for.
- Your right to restrict processing
You can ask us to restrict the use of your personal data in certain circumstances. If you ask us to restrict the use of your personal data, we will either confirm to you that this has been done, or if we are unable to restrict it, we will inform you why.
- Your right to object to direct marketing
You can object to receiving direct marketing from us, for example by clicking on the unsubscribe link in any email you receive from us. If you do so, we will ensure that you do not receive such material going forward, unless you change your mind and specifically request it in the future.
- Your right to object to automated decision-making
You can object to solely automated decisions made about you using your personal data. If you do so, we will arrange for someone to assess the decision and confirm the outcome to you.
- Your right to challenge our legitimate interests
You can challenge our use of your personal data where we rely on a legitimate business interest as a legal basis to process your information. If you do so, we will either confirm to you that the processing has stopped, or, if there is a valid reason for the processing to continue, we will inform you why.
- Your right to object to the use of your information for statistical purposes
You can object to us using your personal data for statistical purposes in some instances. If you do so, we will either confirm to you that the processing has stopped, or, if there is a valid reason for the processing to continue, we will inform you why.
- Your right to data portability
In certain circumstances, you have the right to request that your personal data be compiled into a common, machine-readable format and either provided directly to you or sent by us to a third party you nominate. If you request this, we will either act upon your instruction and confirm to you that we have done so, or if there is a valid reason that this cannot be done, we will tell you why.
- Your right to complain
If you are unhappy with how we have used your personal data or if you believe we have failed to fulfil your data rights, you have the right to complain to us using the details shown in Section 9 of this Privacy Notice. If you remain unhappy with our response you may raise a complaint with a supervisory authority. In the Netherlands the supervisory authority is the Autoriteit Persoonsgegevens, who can be contacted by following the instructions available on their website.
9. How you can contact us
The primary point of contact for all issues arising from this Privacy Notice, including the exercising of your data subject rights, is our data protection team who can be contacted by sending an email to [email protected]. Should you wish to exercise one of your rights, please note the following:
- We take the confidentiality of personal data seriously, and reserve the right to ask you for proof of your identity if you make a request;
- We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request;
- We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly;
- Local laws provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege;
- We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects.