Privacy Policy
1. Introduction
We, Howden Reinsurance Brokers LLC (“we”, “us”, “our”), part of the Howden Group, need to collect, process and share information, including information which may identify individuals (‘personal data’), in order to provide our insurance broking services. This Privacy Notice applies to you in the event that we have collected personal data from or about you. It explains when, why and how we collect and process your personal data, the third parties with which we may share your personal data, what your rights are in the event we hold your personal data, and how you can enforce these rights.
We may amend this Privacy Notice from time to time in order to reflect any changes in how we process personal data, or to satisfy any new requirements under applicable data protection laws. If we make any significant changes, we will let you know directly.
This version of the Privacy Notice was published on 1st February 2025.
2. Definitions
To be clear on what we mean in this Privacy Notice:
- “Applicable data protection law(s)” means applicable data protection laws in the KSA including the Saudi Arabia Personal Data Protection Law (the “KSA PDPL”)[1].
- “Personal data” means any information that identifies or can be used to identify an individual.
- “Sensitive data” means personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, health data, sex life or sexual orientation, data relating to security criminal convictions and offenses and data that indicates that one or both of the individual’s parents are unknown.
- “Controller” means an organization that decides why and how to collect and process personal data from or about an individual.
- “Processor” means an organization that is engaged by a controller to process personal data on its behalf.
- “The Howden Group” means Howden Group Holdings Limited and any company or organization in which Howden Group Holdings Limited holds significant share capital, such as Howden Reinsurance Brokers LLC. Howden is an international insurance group that supports clients while using insurance as a tool to increase resilience for individuals, businesses, and communities.
- “third-party” means someone who isn’t you, us, or a company in the Howden Group.
- “SDAIA” means the Saudi Data & Artificial Intelligence Authority.
3. Who does this Privacy Notice relate to
This Privacy Notice relates to the following types of individuals (“you”, “your”, “data subjects”) where we hold your personal data:
- Directors, authorized personnel, beneficial owners, other associates of, or persons exercising control over, prospective, current and former clients or intermediaries that we do business with.
- Individuals who contact us with a query, concern or complaint.
- Individuals who request information from us or permit us to contact them for marketing purposes.
4. Our details
We are a data controller, and our registered office is at Riyadh, Alrabi district, Prince Mohammed Bin Salman Bin Abdulaziz Road, 4124, 6664, the Kingdom of Saudi Arabia, under commercial register number 1009182740.
Should you have a data protection query, wish to enforce one of your rights or wish to make a data protection complaint, then please send an email to: [email protected]
5. What personal data do we collect
Depending on your relationship with us, we may collect the following types of personal data from or about you:
- Identity and contact data: for example, your name, gender, date of birth, postal address, job title, telephone number and e-mail address. We may also collect identification details and documents to verify your identity;
- Policy and claims information: for example, your policy number, insured amounts, premiums due, relationship to the policyholder, claims made via us or your previous claims history;
- Payment and account data: for example, your bank account details, credit/debit card details if you are the payer of a premium;
- Location data: for example, your residential or IP address, the location of any insured property, and in the event of a claim, where the incident occurred;
- Correspondence data: for example, copies of letters and e-mails we send you or you send to us, and notes or call recordings of any telephone conversations
- Information we obtain from other sources: for example, information we obtain from credit agencies, anti-fraud and other financial crime prevention agencies when permitted to do so under applicable data protection laws.
- Complaint data: for example, what the complaint was, how we investigated it and how we resolved it, including any contact with third-party adjudicator services;
- Sensitive data: in some cases, it may be necessary for us to collect more sensitive types of information, for example health-related data, as part of responding to a claim, or it may be necessary for us to collect data relating to criminal convictions or offences as part of undertaking ‘know your customer’ checks which are required by our regulators.
6. How do we collect personal data
We may collect personal data from, or about, you at different times and through different channels depending on our relationship with you, for example if:
- You request an insurance quotation from us, either directly or via an intermediary;
- You purchase, change or cancel an insurance policy.
- You are named on the insurance policy of our client.
- We receive notification of a claim that is made against you or that you bring against one of our policyholders.
- You are a client of a business that we acquire;
- You contact us in writing or speak to us on the phone;
- You visit one of our stands at a show or trade fair;
- You give permission to other companies to share your information with us;
- Your information is publicly available through sources such as regulatory or company registers, which we may need to consult in order to satisfy our due diligence processes for new and existing clients.
- We are provided with your information from your employer or intermediary when they complete one of our proposal forms or questionnaires; or
- We are provided with your personal data by other third parties including antifraud and crime-prevention agencies, credit reference and vetting agencies, and other data providers.
7. Our purposes and lawful bases for processing
We are required to establish a lawful basis and purpose for collecting personal data. Generally, we collect personal data pursuant to the following lawful bases and purposes:
- To comply with a legal obligation: for example, to fulfil your data rights under data privacy laws, handle complaints about data privacy or our financial products and services, and to comply with other legal requirements such as preventing money laundering and other financial crimes.
- For our legitimate business interests: for example, to provide our client (who may be your employer) with a quote or broking services, to share data internally for administrative purposes, to improve our products and services, or to carry out analytics across our datasets. Where we rely on this lawful basis, we assess our business needs to ensure they are proportionate and do not affect your rights. In all cases, we will not rely on this lawful basis to process sensitive data;
- For the implementation of a previous agreement to which you are a party;
- With your consent: for example, if you consent to us processing your personal data for marketing purposes; and
- To protect actual interests: in extreme or unusual circumstances, we may need to use your personal data to protect your moral or material interest.
The processing of sensitive data requires additional controls. If and where we collect this type of data, these controls may include:
- Obtaining your explicit consent to process your sensitive personal data.
- Not processing your sensitive personal data for marketing purposes;
- Not collecting or processing your sensitive personal data for scientific, research, or statistical purposes without your explicit consent;
- Restricting processing of any health data, including medical files, that we may hold on you for the purposes specified above to the minimum number of employees or workers required and granting access only to the extent necessary to enable the provision of any required health services; and
- Restricting any health data processing procedures and operations to the minimum extent possible of employees and workers as necessary to enable the provision of health insurance services or to offer health insurance programs.
PLEASE NOTE – Collection of personal data is mandatory unless stated otherwise. Where you do not provide the requested personal data such as where our lawful basis of processing is your explicit consent, documentation that you need to complete will include a provision where you can indicate that consent. If you choose to withdraw your consent we will tell you more about the possible consequences, including that we may no longer be able to act as your broker of record or place or administer your policy and that you may have difficulties finding other cover. Further, we may not be able to support you in processing your claim.
We will not process your personal data in a manner that is inconsistent with the purpose for which we have collected the data or the basis on which we have relied to collect your personal data, unless we have your consent or a legal basis to process the personal data for an additional purpose.
8. Who do we share personal data with
Below are the categories of third parties we may share your personal data with for the purposes described under Section 7:
- Other Howden Group companies;
- (Re)insurers and intermediaries including but not limited to other (Re)insurance Brokers and Managing General Agencies.
- Risk Management Assessors, Uninsured Loss Recovery Agencies and Third-Party Administrators who work with us to help manage the (re)insurance process and administer our policies.
- Service Providers who help manage our IT and back-office systems, or who provide platforms and portals for administering policies and member details;
- Our regulators and law enforcement agencies (including authorities outside of the location in which personal data has been collected);
- Credit reference agencies, Premium Finance Providers, and organizations working to prevent fraud in financial services.
- Solicitors (who may be legal representatives for you, us or a third-party claimant) and other professional services firms (including our auditors);
- Marketing fulfilment, webinar and customer satisfaction service providers, acting on our behalf in facilitating online events, providing marketing communications and capturing feedback from our customers on our service levels.
- Claims Experts who work with us to help manage the claims process.
- Potential purchasers of our businesses.
9. Sharing data with the Howden Group
As stated in the previous section, we may share personal data with other companies within the wider Howden Group for the following purposes:
- To receive administrative support from those companies, such as the receipt of IT, HR, Finance and Compliance services;
- So that these companies can provide market insight to insurers on a confidential basis, but only where personal data has been aggregated or anonymized; and
- So that we can offer you services that may be available from another company in the Howden Group, but only if permitted under marketing laws.
We will only share the minimum amount of personal data required to achieve these purposes, ensuring that we have a lawful basis to share personal data and that any processing undertaken on our behalf is governed by a data processing agreement.
10. International data transfers
In line with one of the legal bases identified in Section 7 above and in line with applicable data protection law, we may need to transfer, or allow access to, your personal data to parties based outside of the Kingdom of Saudi Arabia. Where we do this, we will ensure that your personal data is transferred in accordance with the applicable data protection law’s requirements.
If the data protection laws of the jurisdiction where we transfer your personal data are not recognized by SDAIA as being equivalent to those in the Kingdom of Saudi Arabia, we will ensure that the recipient enters into a formal legal agreement that reflects the standards required; this includes containing standard contractual clauses (such as the clauses issued by SDAIA available here).
You have the right to ask us for more information about the safeguards we have put in place as mentioned above.
11. Retaining personal data
We will retain your personal data only for as long as is necessary to fulfil the purpose as set out in Section 7, or as required by applicable data protection laws. In most cases this will be for ten (10) years following the end of our relationship with you; however, in some circumstances we may retain your personal data for longer periods of time, for instance:
- Where we are required to do so in accordance with legal, regulatory or accounting rules.
- So that we have an accurate record of your dealings with us in the event of any complaints or challenges;
- If we reasonably believe there is a prospect of litigation relating to your personal dealings.
We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required, we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business. You can request a copy by contacting us on the details shown under Section 4 of this Privacy Notice.
12. Security
We are committed to protecting the personal data you provide us. We have implemented security policies, rules and technical measures to protect the personal data that we have under our control, in accordance with applicable data protection laws. The security measures are designed to prevent unauthorized access, improper use or disclosure, unauthorized modification and unlawful destruction or accidental loss. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
13. Automated decision-making
Please note we do not undertake any automated decision-making or profiling with your personal data.
14. Your rights
Data protection law gives you rights relating to your personal data. Should you wish to enforce a right (generally at no cost to you), or make a data protection complaint, please contact [email protected]
We aim to provide a final response within 30 days of receiving a request. This initial period may be extended for another 30 days if your request requires disproportionate efforts, or if we receive multiple requests from you.
If any request is repetitive, manifestly unfounded, or requires disproportionate efforts, we reserve the right to refuse it, in which case we will notify you of the refusal and the reason behind it.
Subject to applicable data protection laws, we may not always be able to fully address your request, for example:
- If it would impact the confidentiality we owe to others;
- If we are legally entitled to deal with the request in a different way; or
- If the request involves deletion of personal data required to comply with legal requirements.
Please note we may need to request specific data from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
You may have the following rights:
To access: You have a right to access your personal data held by us subject to certain restrictions.
Request access: You have a right to request a copy of the personal data that we hold on you in a readable and clear format, along with meaningful information on how it is used and who we share it with. However, there are some instances where we may not be able to provide you with some or all of the information we hold. Where this is the case, we will explain to you why when we respond to your request, unless the applicable data protection laws or regulations prevent us from doing so.
Rectification: You have a right to ask us to correct inaccurate or incomplete personal data that we hold about you. We will either confirm to you that this has been done, or if there is a valid reason that this cannot be done, we will let you know why. This is subject to any supporting documents or evidence which may be required to verify such request.
Erasure: You can request that we delete your personal data in certain circumstances, for example if we no longer need the personal data for the purpose(s) for which we collected it. We will either confirm to you that this has been done, or if we are unable to delete it due to a compelling overriding reason, we will let you know why.
Restrict processing: You can ask us to restrict the processing of your personal data in certain circumstances. If you do so, we will either confirm that this has been done, or if we are unable to do so, we will let you know why.
Withdraw your consent: You may withdraw your consent at any time to the use of your personal data for a particular purpose (where we have asked you for consent to use your personal data for that particular purpose).
Complain: If you feel that we do not comply with applicable data protection laws, you may lodge a complaint with the Saudi Data and Artificial Intelligence Authority through https://sdaia.gov.sa/en/Contact/Pages/ContactUs.aspx or any other competent authority later designated as having jurisdiction to receive such complaints.
[1] Implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) approving Resolution No. 98 dated 7/2/1443H (14 September 2021), as amended by Royal Decree No. M148 of 5/9/1444H (corresponding to 27 March 2023) and including the Implementing Regulations of the KSA PDPL and the Regulation on Personal Data Transfer outside the Kingdom of Saudi Arabia.