M&A Privacy Policy

  1. Introduction

Howden Mergers & Acquisitions (“Howden M&A”, “we”, “us”, “our”) refers to a group of distinct legal entities that has M&A offices situated around the world. We need to collect and process personal data from or about individuals (“you”, “your”) in order to provide our services, and this Privacy Notice applies to you in the event we have collected personal data from or about you in our role as a data controller. It explains when, why and how we collect and process your personal data, the third parties with which we may share your personal data, what your rights are in the event we hold your personal data, and how you can enforce these rights.

We may amend this Privacy Notice from time to time in order to reflect any changes in how we process personal data, or to satisfy any new requirements under applicable data protection laws. If we make any significant changes, we will let you know directly.

This version of the Privacy Notice was published in October 2023

  1. Definitions

To be clear on what we mean in this Privacy Notice:

  • “personal data” is any information that can be used to identify a living individual;
  • “sensitive personal data” is personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, health data, sex life or sexual orientation;
  • “data controller” means an organisation that decides how and why to collect personal data;
  • “the Howden Group” is Howden Group Holdings Limited and any company or organisation in which Howden Group Holdings Limited holds significant share capital. You can find out more information about the other companies in the Howden Group by visiting www.howdengroupholdings.com; and
  • “third-party” is someone who isn’t you, us, or a company in the Howden Group.
  1. Who does this Privacy Notice relate to?

This Privacy Notice relates to the following types of individuals, where we hold your personal data:

  • Employees or representatives of our prospective, current and former clients;
  • Other individuals named in policy or transactional documents;
  • Individuals who we liaise with at insurers and other market participants;
  • Individuals who contact us with a query, concern or complaint;
  • Individuals whose personal data we may have obtained from publicly available sources, for example in connection with us undertaking background checks on our potential clients; and
  • Individuals who request information from us, or permit us to contact them for marketing purposes.

There are types of individuals who this Privacy Notice does not relate to, for example our employees and sub-contractors (including prospective and former employees and sub-contractors). If you are one of these individuals and would like further information, please contact us using the details set out under Section 13.

  1. Who are we?

Howden M&A Limited is part of the Howden Group, and is incorporated in England under company number 10687642 with its registered office at One Creechurch Place, London, EC3A 5AF. It is registered with the Financial Conduct Authority (“FCA”) under Firm Reference Number 775106, and it is an Appointed Representative of Howden Insurance Brokers Limited. Finally it is registered with the Information Commissioner’s Office (ICO) under registration ZA792262.

Howden M&A (Germany) Gmbh is also part of the Howden Group. It is incorporated in Germany under company number HRB108670 and registered in the Insurance Intermediaries Register. Its UK branch is registered with the FCA under Firm Reference 839850 and registered with the ICO under registration ZB054018. Note that data protection authority registration is not required in the EU member states in which Howden M&A (Germany) Gmbh and its branches operate.

For individuals and clients based in the UK your data controller is likely to be Howden M&A Limited, and for individuals and clients based in mainland Europe the data controller is likely to be Howden M&A (Germany) Gmbh.

  1. When and how we collect this personal data

We may collect personal data from, or about, you at different times and through different channels depending on our relationship with you, for example if: 

  • You contact us with an enquiry;
  • You are named in a document that has been provided to us by your employer;
  • We receive notification of a claim that is made against you, or that you bring against one of our policyholders;
  • You are a client of a business that we acquire;
  • You visit one of our stands at a show or trade fair;
  • You give permission to other companies to share your information with us;
  • Your information is publicly available and we have a legitimate reasons to use it; and
  • We are provided with your personal data by third parties such as anti-fraud and crime-prevention agencies, credit reference and vetting agencies, and other data providers.
  1. WHAT personal data do we collect?

Depending on your relationship with us, we may hold the following types of personal data about you:

  • Identity and contact data: for example, your name, gender, date of birth, postal address, job title, telephone number and e-mail address;
  • Location data: for example, your residential, work or IP address,, and in the event of a claim, where the incident occurred;
  • Correspondence data: for example, copies of letters and e-mails we send you or you send to us, and notes or call recordings of any telephone conversations.
  • Information we obtain from other sources: including credit agencies, antifraud and other financial crime prevention agencies;
  • Complaint data: for example, what the complaint was, how we investigated it and how we resolved it, including any contact with third-party adjudicator services;
  • Internet data: for example, information such as your IP address that may be collected by cookies and other online technologies such as Google Analytics when you visit a Howden Group website, and which may in turn be made available to us; and

Due to the nature of the services we provide, we do not anticipate needing to collect special category data from, or about, you.

  1. The lawful ways we use personal data

We collect and process personal data for the following lawful reasons:

  • To comply with a legal obligation: for example the rules set by our regulators in the UK and EU, to fulfil your data rights under data privacy laws, handle complaints about our services, and to comply with other legal requirements such as preventing money laundering and other financial crimes;
  • For our legitimate business interests: for example, to arrange and administer a policy where your employer is our client, to respond to third party claimants, to maintain accurate records in our systems, to monitor and improve our products and services through the use of analytics, to demonstrate compliance with applicable regulations, to undertake some marketing activities, and to facilitate internal management reporting activities across our businesses. Where we rely on this lawful reason, we assess our business needs to ensure they are proportionate and do not affect your rights. In some instances, you also have the right to object to us relying on this lawful reason (if applicable) to process your personal data. Further information on this right is provided under Section 12;
  • With your consent: for example, if you consent to us contacting you for marketing purposes. You can withdraw your consent at any time (to the extent we are relying on it) by using the contact details set out under Section 13; and

Whilst other lawful bases do exist, these are unlikely to apply to the processing activities we undertake with personal data.

  1. Who we share personal data with

Below are the categories of third parties that we may share your personal data with, but only where we have a legitimate reason to do so:

  • Other Howden Group companies;
  • Insurers, intermediaries (including, but not limited to, insurance brokers and managing general agencies), risk management assessors and third party administrators who work with us to help manage and administer our policies;
  • Credit reference, credit scoring and fraud prevention agencies;
  • Debt collection agencies;
  • Law enforcement, government bodies, courts, tax authorities and our regulators;
  • Service providers who help us manage our IT and back office systems, or who provide platforms to us that we then use or make available to you;
  • Marketing fulfilment, webinar and customer satisfaction service providers, acting on our behalf in facilitating online events, providing marketing communications and capturing feedback from our customers on our service levels;
  • Any third party where disclosure is required to comply with legal or regulatory requirements;
  • Potential purchasers of our businesses.
  1. Sharing data within the Howden Group

As stated in Section 8, we may share personal data with other companies within the wider Howden Group for the following purposes:

  • To receive administrative support from those companies, such as the receipt of IT, HR, Finance and Compliance services;
  • So that these companies can provide market insight to providers on a confidential basis, but only where personal data has been aggregated or anonymised; and
  • So that we can offer you services that may be available from another company in the Howden Group, but only if permitted under electronic marketing laws.

We will only share the minimum amount of personal data required to achieve these purposes, ensuring that we have a lawful basis to share personal data and that any processing undertaken on our behalf is governed by a data processing agreement. 

  1.  International data transfers

Some of the third parties that we work with, for example insurers and our service providers, may be based outside of the countries in which we are established. Where we need to transfer personal data overseas to deliver our services or for other legitimate reasons (for example where legally required), and in the event the overseas country is not considered to provide an adequate level of protection under applicable data protection laws, then we shall ensure that a formal and enforceable set of standard contractual clauses is, or has been, entered into between us and the overseas recipient.

  1. Retaining and destroying personal data

We retain personal data about you in order to provide any services that you may request from us, to meet a number of legal and regulatory record-keeping requirements, as well as to support our own legitimate business interests. In most cases we will retain your personal data for 7 years following the end of our relationship with you in order to ensure we can sufficiently handle any disputes, claims or complaints that may arise in connection with the relationship. In some cases we may need to retain your personal data for longer than this period, for example if a relevant insurance policy allows for a longer claim notification window, and in some cases we shall retain your personal data for a shorter period, for example if you ask us to provide you with a quote but then choose not to proceed. 

  1. Your data rights

Data protection laws give you rights relating to your personal data. Should you wish to enforce a right (generally at no cost to you), or make a data protection complaint, please use the contact details set out under Section 13. We aim to provide a final response within one month of receiving a request, unless the request is particularly complex in which case we will let you know when we expect to complete it by:


You have a right to request a copy of the personal data that we hold on you, along with meaningful information on how it is used and who we share it with, however there are some instances where we may not be able to provide you with some or all of the information we hold. Where this is the case we will explain to you why when we respond to your request, unless the relevant laws or regulations prevent us from doing so.



You have a right to ask us to correct inaccurate or incomplete personal data that we hold about you. We will either confirm to you that this has been done, or if there is a valid reason that this cannot be done, we will let you know why.


You can request that we delete your personal data in certain circumstances, for example if we no longer need the personal data for the purpose(s) for which we collected it. We will either confirm to you that this has been done, or if we are unable to delete it due to a compelling overriding reason we will let you know why.

Restrict processing

You can ask us to restrict the processing of your personal data in certain circumstances. If you do so, we will either confirm that this has been done, or if we are unable to do so, we will let you know why.

Data portability

In certain circumstances you have the right to request that your personal data be transferred to yourself or a nominated third party in a common, machine readable format. If you request this, we will either act upon your instruction and confirm to you that we have done so, or if there is a valid reason that this cannot be done, we will tell you why.

Object to direct marketing

You can object to receive direct marketing from us, and this right is absolute. You can do this by simply clicking on the unsubscribe link in any email you receive from us or alternatively getting in touch with us.

Object to our legitimate interests

Where we process your personal data to achieve a legitimate business interest of ours, for example those described under Section 7, you have the right to challenge this. If you do so, we will either confirm to you that the processing has stopped, or explain why we believe our interest in the relevant activity outweighs your interest.

Object to automated decision-making

Whilst this right exists under data protection law, we do not undertake automated decision-making about individuals.

Should you submit a request or complaint to us and remain unhappy with our response, you may raise a complaint with the relevant data protection authority. Examples of these are listed in the table below:


Hesse (state within Germany)*


Wycliffe House

Water Lane, Wilmslow



Hessische Beauftragte für Datenschutz und Informationsfreiheit

Gustav-Stresemann-Ring 1

65189 Wiesbaden


+44(0)3031231113/[email protected] 

+49(0)61114080/ [email protected]




3 Place de Fontenoy

TSA 80715

75334 Paris Cedex 07



Box 8114

104 20 Stockholm


+46(0)86576100/[email protected] 



Autoriteit Persoonsgegevens
PO Box 93374


ul. Stawki 2 
00-193 Warszawa


+48(0)225310300/[email protected]

*Each German state has its own data protection authority that is responsible for enforcing data protection law in the private sector. The contact information of Hesse’s data protection authority have been provided as this is the state in which Howden M&A (Germany) Gmbh’s head office is situated.

  1. Our contact details

The primary point of contact for all issues arising from this Privacy Notice, including requests to exercise your rights or to contact our DPO, are as follows: 

  • By post: DPO, Howden M&A Ltd, 1 Creechurch Place, London, EC3A 5AF