Howden RCS Limited Privacy Policy
Introduction
At Howden RCS Limited (“Howden Services”, “we”, “us”, “our”) we need to collect and process personal data from or about individuals (“you”, “your”) in order to provide our range of HR and employment support solutions, and in order to provide our health and safety services. This Privacy Notice applies to you in the event that we have collected personal data from or about you in our role as a data controller. It explains when, why and how we collect and process your personal data, the third parties with which we may share your personal data, what your rights are in the event we hold your personal data, and how you can enforce these rights.
We may amend this Privacy Notice from time to time in order to reflect any changes in how we process personal data, or to satisfy any new requirements under applicable data protection laws. If we make any significant changes, we will let you know directly.
This version of the Privacy Notice was published in January 2025.
Definitions
To be clear on what we mean in this Privacy Notice:
- “personal data” is any information that can be used to identify a living individual;
- “sensitive personal data” is personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, health data, sex life or sexual orientation;
- “data controller” means an organisation that decides how and why to collect personal data;
- “the Howden Group” is Howden Group Holdings Limited and any company or organisation in which Howden Group Holdings Limited holds significant share capital. We are part of the Howden Group, and you can find out more information about other companies in the Howden Group by visiting www.howdengroupholdings.com; and
- “third-party” is someone who isn’t you, us, or a company in the Howden Group.
Who does this Privacy Notice relate to?
This Privacy Notice relates to the following types of individuals, where we hold your personal data:
- Individuals who have visited one of our websites;
- Employees of clients to whom we provide our services;
- Individuals that are named in documents that are provided to us by our clients;
- Members of a trade or professional association;
- Individuals who contact us with a query, concern or complaint;
- Individuals whose personal data we may have obtained from publicly available sources, for example in connection with us undertaking background checks on our potential clients;
- Individuals who solicit us for a quote or service on behalf of a potential client, or who we solicit for marketing purposes.
Who are we?
Howden RCS Limited is an Appointed Representative of Howden UK Brokers Limited, which is authorised and regulated by the Financial Conduct Authority No. 307663. Registered in England and Wales under company registration number 02831010. Registered Office: One Creechurch Place, London, EC3A 5AF. We can be contacted using the contact details set out under Section 15.
When and how we collect this personal data
We may collect personal data from, or about, you at different times and through different channels depending on our relationship with you, for example if:
- You request a quotation from us, either directly or via an intermediary;
- You purchase, change or cancel a service through us;
- You contact us in writing or speak to us on the phone;
- You visit one of our stands at a show or trade fair;
- You give permission to other companies to share your information with us;
- Your information is publicly available and we have a legitimate reason to use it; and
- We are provided with your personal data by third parties such as anti-fraud and crime-prevention agencies, credit reference and vetting agencies, and other data providers.
What personal data do we collect?
Depending on your relationship with us, we may hold the following types of personal data about you:
- Identity and contact data: for example, your name, gender, date of birth, postal address, job title, telephone number and e-mail address;
- Payment and account data: for example, your bank account details and credit/debit card details;
- Location data: for example, your residential, work or IP address;
- Correspondence data: for example, copies of letters and e-mails we send you or you send to us, and notes or call recordings of any telephone conversations;
- Information we obtain from other sources: including credit agencies, anti-fraud and other financial crime prevention agencies;
- Complaint data: for example, what the complaint was, how we investigated it and how we resolved it, including any contact with third-party adjudicator services;
- Internet data: for example, information such as your IP address that may be collected by cookies and other online technologies when you visit our website; and
- Sensitive personal data: for example health-related data or ethnicity data, but only in restricted circumstances as explained under Section 8.
The lawful ways we use personal data
We collect and process personal data for the following lawful reasons:
- To comply with a legal obligation: for example the rules set by our regulator the Financial Conduct Authority (FCA), to fulfil your data rights under data privacy laws, handle complaints about our services, and to comply with other legal requirements such as preventing money laundering and other financial crimes;
- For our legitimate business interests: for example, to arrange and administer a service where your employer is our client, to respond to third party claimants, to maintain accurate records in our systems, to monitor and improve our products and services through the use of analytics, to demonstrate compliance with applicable regulations, to undertake some marketing activities, and to facilitate internal management reporting activities across our businesses. Where we rely on this lawful reason, we assess our business needs to ensure they are proportionate and do not affect your rights. In some instances, you also have the right to object to us relying on this lawful reason (if applicable) to process your personal data. Further information on this right is provided under Section 14;
- With your consent: for example, if you consent to us contacting you for marketing purposes. You can withdraw your consent at any time (to the extent we are relying on it) by using the contact details set out under Section 15; and
- To protect vital interests: in extreme or unusual circumstances, we may need to use your information to protect your life or the lives of others.
The lawful ways we use sensitive personal data
We only collect sensitive personal data from or about you in very narrow circumstances, and generally only if:
- This is necessary for us to carry out obligations in the field of employment law;
- This is necessary for us to establish, exercise or defend a legal claim;
- This is necessary for us to safeguard vulnerable individuals;
- We have obtained your explicit consent; or
- You have manifestly made this type of data public.
Who we share your personal data with
Below are the categories of third parties that we may share your personal data with, but only where we have a legitimate reason to do so:
- Service providers who help us manage our IT and back office systems, or who provide us with tools or platforms that we either make available to you, or which we use to undertake activities mentioned earlier in this Privacy Notice;
- Marketing fulfilment, online booking, webinar and customer satisfaction service providers, acting on our behalf in facilitating online events, providing marketing communications and capturing feedback from our customers on our service levels;
- Credit reference, credit scoring and fraud prevention agencies;
- Debt collection agencies;
- Law enforcement, government bodies, courts, tax authorities and our regulators;
- Payment providers used to facilitate online payment;
- Any third party where disclosure is required to comply with legal or regulatory requirements;
- Other Howden Group companies; and
- Potential purchasers of our businesses.
Use of Artificial Intelligence
In certain cases, the tools, systems or platforms alluded to under Section 9 may leverage Artificial Intelligence and related technologies. For example, in order to reduce the time it takes for us to manually produce a summary of a meeting or a phone call and then file that against a customer record, we may use a Generative AI service that analyses the transcript of that meeting or phone call to produce a summary that is then subject to a human review for accuracy. Or we may use Large Language Models that rely on our internal indexing of documents to make it easier for us to search for and retrieve information that we hold. In the event that we use Artificial Intelligence and similar technologies to make decisions about you, we will inform you of such separately.
Sharing data within the Howden Group
As stated in Section 9, we may share personal data with other companies within the wider Howden Group for the following purposes:
- To receive administrative support from those companies, such as the receipt of IT, HR, Finance and Compliance services;
- So that we can offer you services that may be available from another company in the Howden Group, but only if permitted under electronic marketing laws.
We will only share the minimum amount of personal data required to achieve these purposes, ensuring that we have a lawful basis to share personal data and that any processing undertaken on our behalf is governed by a data processing agreement.
International data transfers
In order to fulfil the purposes described in this Privacy Notice, we may need to transfer your personal data outside of the UK and/or outside of the country or region in which you are located. For example, we may use or make available to you cloud-based infrastructure that is hosted overseas.
If the overseas destination is not considered to provide an adequate level of protection under the data protection law that applies to the processing of your personal data, then we shall generally ensure that a formal and enforceable set of standard contractual clauses is, or has been, entered into between us and the overseas recipient. You can ask us for more information on this by using the contact details set out under Section 15.
Retaining and destroying personal data
We retain personal data about you in order to provide any services that you may request from us, to meet a number of legal and regulatory record-keeping requirements, as well as to support our own legitimate business interests. In most cases we will retain your personal data for 7 years following the end of our relationship with you (or equally the end of our relationship with your employer) in order to ensure we can sufficiently handle any disputes, claims or complaints that may arise in connection with the relationship.
In some cases we may need to retain your personal data for longer than this period and, in some cases, we shall only retain your personal data for a shorter period, for example if you ask us to provide you with a quote but then choose not to proceed. You can request further information on these retention periods by using the contact details set out under Section 15.
Your data rights
Data protection laws give you rights relating to your personal data. Should you wish to enforce a right (generally at no cost to you), or make a data protection complaint, please use the contact details set out under Section 15. We aim to provide a final response within one month of receiving a request, unless the request is particularly complex, in which case we will let you know when we expect to complete it:
Access | You have a right to request a copy of the personal data that we hold on you, along with meaningful information on how it is used and who we share it with. However, there are some instances where we may not be able to provide you with some or all of the information we hold. Where this is the case, we will explain to you why when we respond to your request, unless the relevant laws or regulations prevent us from doing so. |
Rectification | You have a right to ask us to correct inaccurate or incomplete personal data that we hold about you. We will either confirm to you that this has been done, or if there is a valid reason that this cannot be done, we will let you know why. |
Erasure | You can request that we delete your personal data in certain circumstances, for example if we no longer need the personal data for the purpose(s) for which we collected it. We will either confirm to you that this has been done, or if we are unable to delete it due to a compelling overriding reason, we will let you know why. |
Restrict processing | You can ask us to restrict the processing of your personal data in certain circumstances. If you do so, we will either confirm that this has been done, or if we are unable to do so, we will let you know why. |
Data portability | In certain circumstances you have the right to request that your personal data be transferred to yourself or a nominated third party in a common, machine readable format. If you request this, we will either act upon your instruction and confirm to you that we have done so, or if there is a valid reason that this cannot be done, we will tell you why. |
Object to direct marketing | You can object to receiving direct marketing from us, and this right is absolute. You can do this by simply clicking on the unsubscribe link in any email you receive from us or alternatively getting in touch with us. |
Object to our legitimate interests | Where we process your personal data to achieve a legitimate business interest of ours, for example those described under Section 7, you have the right to challenge this. If you do so, we will either confirm to you that the processing has stopped or explain why we believe our interest in the relevant activity outweighs your interest. |
Object to automated decision-making | You have the right to object to decisions made about you using your personal data and undertaken by purely automated means. If you do so, we will arrange for someone to assess the automated decision and confirm the outcome of this assessment to you. However, please note that we do not currently make such decisions about individuals. |
Should you submit a request or complaint to us and remain unhappy with our response, you may raise a complaint directly with the UK supervisory authority whose contact details can be found at www.ico.org.uk.
Our contact details
The primary points of contact for all issues arising from this Privacy Notice, including requests to exercise your rights, are as follows:
- By e-mail: [email protected]
- By telephone: 020 3327 5700
- By post: Howden, 1 Creechurch Place, London EC3A 5AF
Communications
Depending on our relationship with you, and any marketing permissions or preferences you have provided to us, we may contact you via e-mail, phone and/or SMS/text message for the following reasons:
- “Servicing” messages and calls
These are messages that we must reasonably send you to provide you with services that you have requested from us, for example:
- To provide you with quotations, including renewal quotations;
- To provide you with your insurance documentation;
- To notify you of changes to any relevant terms and conditions;
- To perform debt recovery;
- To provide you with updated information regarding the services you receive from us, for example if we update our privacy notice, change our opening hours or office location, or if there is a change in the laws or regulations that apply to the services we offer; and
- Responding to any queries, complaints or concerns you raise with us.
Because these messages are reasonably necessary, and sometimes may be required by law, regulation, or contract, they may be sent regardless of your marketing preferences.
- “Market research” messages and calls
These are messages that we send you to gain your feedback on our services. The information you give us is then used to help us understand where we can improve our products and services. Because these messages aren’t intended to promote or sell anything to you, they may be sent to you regardless of your existing marketing preferences. However, we appreciate that some people may not wish to receive such messages. If you would like to opt out of future market research, you can do so by using the “unsubscribe” options in any market research e-mails, SMS/text messages or post you receive, or by asking to be unsubscribed when we call you.
- “Marketing” messages and calls
These are messages which we send to you to promote our products and services, as well as those of our business partners and other companies within the Howden Group.
If we contact you by e-mail or SMS/text to market our own products and services, then we will either do so because you specifically agreed to receive these messages (also known as “consent” under current laws), or because you told us you did not object to receiving these messages when you gave us your information (also known as “soft opt-in”).
The laws for telephone marketing are different, so if we use this method to market our own products and services to you, or those of another company, then we may do so either because you have specifically agreed to receiving these, or alternatively because your telephone number is not registered with, as applicable, the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS) and you have not previously told us that you do not want to receive calls from us. More information about these services is provided further on in this section.
- “Solicited” marketing calls and messages
Solicited marketing communications are any calls or messages you have specifically requested. This type of contact commonly arises when you specifically ask us to arrange for one of our business partners to contact you about their own products or services, for example if you request this via a call-back form or similar function on one of our websites. It also occurs where you ask us to contact you closer to your existing renewal date to provide you with a quotation.
Because you have specifically requested the contact, it may be made regardless of any broader marketing permissions we or our business partners may hold about you.
We and our business partners will only make this kind of contact with you to provide you with the information you have requested. If the initial attempt to contact you is unsuccessful, we or our business partners may try again, so long as the total number and frequency of the attempts does not become excessive.
- Opting out of marketing messages
You always have the right to opt out of future marketing messages or change how you receive them, and you can do so in the following ways:
- By using the “unsubscribe” links present in any marketing e-mails or SMS/text messages that we send you;
- By telling our agent that you wish to change your marketing preferences when you speak to them;
- By using the details shown in the “how you can contact us” section of this notice, and telling us to update your marketing preferences; or
- For telephone calls and post only, by registering with the relevant Marketing Preference Services.
- Marketing on social media
You may see adverts for our products and services if you use social media platforms such as Facebook or Instagram. This normally occurs where we have asked the social media platform to advertise us to audiences who are likely to have a need for particular services.
Exactly how and when you see our adverts is determined by your own privacy settings on the specific social media platform concerned. Normally, you will be seeing the advert because you have consented to receive targeted advertising via your social media settings.
You can find out more about how you can control the adverts you see, and exert control over how and when you are targeted by advertising on social media, by visiting the “Privacy Centre” or “Privacy Settings” section of the platform’s website or mobile phone app.