1. Who are we?
Throughout this notice, when we say ‘we’ or ‘us’ we are referring to Royal London Insurance Designated Activity Company (DAC), a company registered in Ireland (registration number: 630146). Royal London Insurance DAC, trading as Royal London Ireland, provides life insurance products to its customers in the Republic of Ireland via independent intermediaries (Financial Brokers). Royal London Insurance DAC also administers closed books of business with respect to life (investment) products in Ireland and Germany.
Royal London Insurance DAC is a wholly owned subsidiary of The Royal London Mutual Insurance Society Limited which is registered in England, number 99064, at 80 Fenchurch Street, London, EC3M 4BY.
2. What is personal data and why do we collect and process it?
Personal data is defined under the General Data Protection Regulation (GDPR) as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In essence, personal data is your personal information. Please see section 3 below for the type of personal data that we collect. We collect and process personal data primarily to provide you with our products and to administer a policy you have with us. Section 4 of this privacy notice tells you what to expect us to do with your personal data when you make contact with us or use one of our services.
3. What type of personal data do we hold about you?
Depending on the type of product and service provided, we will collect and process the following data about you:
- Information about you – such as your name, age, gender, date of birth, work/profession, hobbies and nationality.
- Special category data – this is personal data that needs more protection because it is sensitive. Where it is relevant to your policy, we will collect data relating to your medical history, health or biometrics.
- Government identifiers – data from your identification documents, such as your driving license, PPS number or passport.
- Contact information – for example your address, Eircode, email address and phone numbers.
- Online information – for example cookies and your IP address (your computer’s internet address), if you use our websites.
- Financial information – such as your salary and bank account details for any payments to us or which we make to you. If we need to verify information on your finances, we will require copies of your financial accounts.
- Telephone calls or video recordings – for example voice recording when you contact us or CCTV footage if you visit our offices.
- Contractual information – for example details about your products and benefits.
4. How we use your personal data?
We use your data for a number of reasons:
Providing a quote and calculating your premium.
- Underwriting and processing your application, to establish whether we can offer you insurance cover and on what terms.
- Automated decision-making, as part of our sales process, when you receive a quote, and customer profiling if we make an assumption about you (please refer to section 11 for further information).
- Setting up and administering your policy.
- Completing any requests, making and receiving payments, or managing any queries or claims you make.
- Verifying your identity and attempting to prevent fraud and other financial crime. If you make a big deposit into your pension, we ask where the money has come from to comply with money laundering laws.
- Researching our customers’ opinions and exploring new ways to enhance the servicing experience we provide to meet your needs.
- Assessing, developing and managing our products, systems, prices, our business and brand.
- Fulfilling any other legal or regulatory obligations.
- Sending you information relating to our service or your product.
- To analyse, assess and improve our customer service, and to help with our people training.
- Identifying vulnerable customers to help determine whether we need to take further steps to ensure these customers are not disadvantaged in any way (please refer to section 11 for further information).
- Managing the relationship with your Financial Broker, if you have appointed one.
5. Where do we get your data from?
Most of the data we get comes directly from you or your Financial Broker when you apply for one of our products or services. We may also get personal data about you from other sources, including:
- Medical professionals – for example if we need information for underwriting purposes or to support a claim.
- Premium quotation services – if your Financial Broker used a quotation service to get your premium quotes, the service provider may share some of your data with us.
- Data brokers -
- if it’s necessary and reasonable to obtain contact information (email and phone numbers) to carry out customer research, promote brand awareness or remind you about the benefits of your plan or;
- to help put our customers into groups for product development and assessment purposes. We use this information to create a better understanding of all our customers, and to help us to meet changing needs.
- Other insurance providers where you have also applied to them for cover.
- The owner of the policy, on behalf of another person covered or a beneficiary.
- Publicly available information - including social media websites and online content, newspaper articles, television, radio and other media content, court judgements, public registers and specialist databases (for example Companies Registration Office, Vision-net, Oracle, Dow Jones, SoloCheck) and the electoral register.
7. What are our legal grounds for using your personal data?
The General Data Protection Regulation (Articles 6 and 9(4)) and associated legislation sets outs specific bases under which your data may be processed lawfully. The legal basis for the processing of personal data by us will depend on the purpose for which the processing is being carried out.
We will only use your personal data when one of these conditions has been satisfied. The following tables show the legal grounds for each use of your data:
|Uses of your data
Setting up and administering your policy
This covers all the usual activities, such as:
Completing any requests or claims you make
For administrative, audit and reporting purposes, we share your data with Royal London Group and our service providers. Where possible, we will make your data anonymous.
Your data will only be transmitted within the Royal London Group and to our service providers when appropriate safeguards, including contractual provisions, are in place.
If we lose touch
We may use a trusted third party to find you and reunite you with your policy.
Necessary for the performance of a contract
The personal information you provide about yourself or another person on your application or policy, may be processed when it is needed to either agree to or comply with a contract. For example, where we process your data to assess your application, calculate your premium or to provide your policy.
If you do not provide these details, we will be unable to fulfil your contract.
The medical data you, your medical practitioner or your GP provide will be used, where necessary, for underwriting your policy or for claims assessment.
In certain cases, the data provided may be for another individual or family member where it is relevant to your policy.
We’ll share your data with our reinsurers, and appropriate medical professionals, including our Chief Medical Officer, if we need another opinion or on specialist cases, or if we need further help to check whether you meet Revenue rules around accessing your pension early.
Necessary for insurance product
The 2018 Data Protection Act provides legal grounds for processing your medical data in connection with an insurance or pension product.
We use your personal data and special category data, where necessary, to comply with legal obligations including:
Necessary for compliance with a legal obligation
Your Personal data may be processed where Royal London Ireland has a legal obligation to perform such processing.
In certain cases, and where necessary, the special category data provided may be processed for the following purposes:
Necessary to provide legal advice and legal proceedings
The 2018 Data Protection Act provides legal grounds for processing special category data for legal advice and legal proceedings.
We may disclose your information to An Garda Síochána or other authorities. For example, if we have serious concerns about your wellbeing.
Necessary to protect vital interests
We may get your email address from data brokers if, for example, we’d like to use it for a research project. We will ensure the data broker has obtained your consent to the sharing of your data.
To set up your policy we may need to contact a medical professional or your GP.
In order to assess a claim, we will use your consent before we contact your medical practitioner or your GP so that they can provide the necessary information.
If you want to use our Helping Hand service, we will need your consent to pass your contact details to RedArc, the independent company that provides the service.
You may provide us with information about a vulnerability you have. With your consent, we would keep a record of this information so that we are aware that you are a vulnerable customer and proactively accommodate your vulnerability when we’re in contact with you. Your sharing of this information is voluntary and depends on personal circumstances.
Your personal data may be processed when we receive your consent.
The consent you provide must be freely given, informed, specific, unambiguous and given with a positive affirmative action.
Your consent can be withdrawn at any time.
Necessary for legitimate interests
We also use your data when we have a “legitimate interest” and that interest isn’t outweighed by your privacy rights. Each activity is assessed, and your rights and freedoms are considered to make sure that we’re not being intrusive or doing anything beyond your reasonable expectation. We’ll assess the information we need, so we only use the minimum.
If you want further information about processing under legitimate interests, you can contact us using the details at the end of this privacy notice.
You also have the right to object to any processing done under legitimate interests. We’ll re-assess the balance between our interests and yours, considering your particular circumstances. If we have a compelling reason, we may still continue to use your data.
We use legitimate interests for the following:
|Use of your data
|We collect and provide service information on your policy.
|To manage our business:
We need to continuously improve our service quality and training.
We manage our network and information security (for example: developing, testing and auditing our websites and other systems, dealing with accidental events or unlawful or malicious actions).
We need to ensure that our systems are always secure and that your data is always protected.
We need to prevent and detect fraud, dishonesty and other crimes (for example, to prevent someone trying to steal your identity).
|We use CCTV at our premises.
|We need to protect our staff and visitors for health and safety reasons and security purposes.
Our products are developed with a particular set of customer needs in mind. In order to make sure your policy is still suitable for you and is working as we intended, we combine your data with other customers to analyse and segment it.
We’ll use your underwriting responses and claims data to analyse how we can redesign products and/or make our underwriting process easier, with better outcomes for potential and existing customers and policyholders.
We financially assess the performance of our business; we conduct risk management exercises, and we carry out long-term statistical modelling.
To assess and develop our products, systems, prices, business and brand
We need to develop our products and services, and make sure our product charges are fair.
We need to make sure we are treating you fairly and check your product is suitable for you.
We need to make sure that we are looking after your money and that we have enough money to pay our customers when the time comes.
We need to understand our risks, provide management information and help us to manage our business.
We may conduct research before we launch new products or before we make changes or improvements to existing products to make sure it’s the right thing to do. We might also conduct research to ask customers what they think of Royal London Ireland, our products and services.
Where we don’t have your contact details, we may obtain your telephone number from data brokers to contact you for a research project. However, we always take steps to check that you have not objected to such contact, e.g., by checking the National Directory Database.
To research our customers’ opinions and new ways to meet our customers’ needs
We need to see how many categories of customers we have and to tailor our products and services accordingly.
We need to make sure our communications are easy to understand and that our products are being sold to the correct audience.
We need to make sure our research is efficient and connects with the right types of people, so we can be confident of any decisions we make based on the results.
|We don’t currently market other products to you, but we reconsider this at regular intervals and may choose to do this in the future. Where these communications are marketing and therefore optional, we will make it clear that you can opt out of these.
8. Overseas Transfers
We sometimes use third parties located in other countries to provide support services. As a result, your personal data may be processed in countries outside the European Economic Area (EEA).
These services will be carried out by experienced and reputable organisations on terms which safeguard the security of your data and comply with the European data protection requirements. Some countries have been assessed by the European Commission (EC) as being ‘adequate’, which means their legal system offers a level of protection for personal data which is equal to the EC’s protection. Where the country hasn’t been assessed as adequate, we use ‘standard contractual clauses’ within the legal agreement to safeguard the processing of your personal data.
The European Commission has recognised ‘standard contractual clauses’ as offering adequate safeguards to protect your rights. We’ll use these clauses where required, to make sure your data is sufficiently protected to the same standard prescribed by GDPR. The European Commission approved standard contractual clauses are available here.
We use ‘standard contractual clauses’ in the provision of the following services to Royal London Ireland:
- IT support and technology development with operations based in India.
- Reinsurance services with our global reinsurance partners who have operations based in the United States and Bermuda.
- Services with other providers/suppliers, research partners and administrators who have operations based in India, Malaysia, Australia, South Africa and the United States.
We always ensure all personal data is provided with adequate protection and all transfers of personal data outside the EEA are done lawfully.
If you have a life (investment) policy in Germany, we will have access to your personal data in Ireland, and will transfer it to the Isle of Man. There, a company called RL360 helps us in the administration of your policy.
We have put in place security measures designed to prevent your personal data and Special Categories of Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We use industry standard solutions to encrypt and protect email traffic. If your email service doesn’t support Transport Layer Security (TLS) or if you do not want to use our managed email Security Service, we may not be able to communicate with you by email, and any emails we do send or receive will not be protected by encryption and could be intercepted.
Use of internet email is not a guaranteed secure communication channel, therefore, we recommend you don’t send anything confidential to us by email. We may also change our Email Security Service provider at any time without notice and without changing the provision in this notice. Once we receive your data, we use strict procedures and security features to protect your data from unauthorised access.
In the event of a potential data security breach, we will notify you and the Data Protection Commissioner’s Office if we are legally required to do so, or there is a risk to your rights and freedoms as a result of the breach.
10. How long do we keep personal data for?
We will only keep your personal data for as long as it is considered necessary for the purpose for which it was collected and to comply with our legal and regulatory requirements.
In the absence of specific legal, regulatory, or contractual requirements we will keep your personal data for seven years after your relationship with us has ended. Call recordings will be held for three months.
But there are times when, depending on the type of policy you have or specific regulations, we may keep it for a different time period. This amount of time will depend on:
- The type of data we have about you.
- We keep underwriting and claims information for ten years to allow us to assess whether our policy cover is appropriate. We need information for the longer period to make sure we can evaluate a large enough number of cases and make informed decisions.
- Whether you or a regulatory authority like the Ombudsman asks us to keep the data for longer. There needs to be a valid reason for this request.
- The relevant legal and regulatory rules that our business must follow.
- Whether there is a dispute, legal or otherwise, between us which requires us to keep your personal data.
For those customers who bought their policy from GRE Life, Royal Liver, or Irish Life (Home Service), we are working to align the retention period for these customers to the policy outlined above.
11. Do we make solely automated decisions about you or profile you?
Automated decisions are where a computer makes a decision about you without a person being involved.
Profiling is when we make assumptions about you.
We make automated decisions about you as part of the underwriting process. We ask for relevant information about your job, interests, travel, health and family history. For example, we need to know if one of your interests is skydiving, as this would typically increase your risk of claiming under an insurance policy and potentially your premium.
You have the right to ask for a person to review the automated decision. You can also ask for the decision to be made through our manual underwriting process.
There are some cases where we won’t be able to offer a decision online and will need your application to be reviewed by our underwriting team. We may request further information from you or from your medical professional before we’ll be able to confirm whether we can offer you cover, and on what basis.
We will undertake checks for the prevention and detection of crime, as we are required by law to do so. These checks use automated means to make decisions about you. This may result in declining the services you requested and stopping services currently provided to you. Please see section 12 “What are my rights” for further information.
Many people may become vulnerable at some point in their lives. When a person notifies us that they have a relevant vulnerability we may keep a record of this information to allow us to proactively accommodate their vulnerability when we’re in contact with them.
We may, in the future, consider analysing your personal data to create a profile so that we can contact you with information relevant to you. When building a profile, we would use Experian software to provide us with insight into our customers. The software uses a variety of publicly available and market research sources to divide the population into a series of categories. The categories are a way of grouping people who are likely to have similar social, demographic (i.e. age, location) and financial circumstances. The results are assessed and combined so we get a picture of our customers as a whole, and tailor the products and services we provide. If we were to undertake such an exercise, we would complete a Data Protection Impact Assessment and a Legitimate Interest Assessment to assess and mitigate any personal data related risks. Please see section 12 “What are my rights” for further information.
In the future, we may like to keep a note of the category you fall into so we can tailor our communications to suit you. Before we do this, we’ll assess if this is fair.
12. What are my rights?
Your rights are outlined below. The easiest way to exercise any of your rights would be to contact our Data Protection Officer at the contact details provided. We will provide a response within 30 days, if not sooner. There is no charge for exercising any of your rights, however, we reserve the right to request a small charge for repetitive or excessive access requests. We may ask you for proof of identity when you request to exercise some of these rights to ensure we are dealing with the correct individual.
Access to your personal data
You have the right to find out what personal data we hold about you, in many circumstances.
Correcting or adding to your personal data
If any of your details are incorrect, inaccurate or incomplete you can ask us to correct them or to add data.
Withdrawing your consent
If you have provided consent for us to use your data, you have the right to withdraw your consent at any time. If you withdraw consent, then we may not be allowed to use your data going forward. However, it would not invalidate processing that was carried out before you withdrew consent. Withdrawal of consent may impact the product and services we can provide to you or the ability to administer your policy or process your claim. In this event, we will let you know what the impact would be.
Transferring your personal data to another organisation (Data portability)
In some circumstances you can ask us to send an electronic copy of the personal data you have provided to us, either to you or to another organisation.
Objecting to the use of your personal data for legitimate interests
You also have the right to object to any processing done under legitimate interests. We will re-assess the balance between our interests and yours, considering your particular circumstances. If we have a compelling reason, we may still continue to use your data if that interest is not deemed to be outweighed by your privacy rights.
Objecting to direct marketing
You have a specific right to object to our use of your data for direct marketing purposes, which we will always act upon.
Objecting to automated decision making
You have a right to object if we have made an automated decision, including profiling, which has legal and significant effect against you. You also have the right to challenge the decision and ask for a human review. These rights do not apply if we are authorised by the law to make such decisions and appropriate safeguards are in place to protect your rights.
Restricting the use of your personal data
If you are uncertain about the accuracy or our use of your data, you can ask us to stop using your data until your query is resolved. We will let you know the outcome before we take any further action in relation to this data.
Right to Erasure
You can ask us to delete your personal data in some circumstances, such as if your policy has ended and we do not need to keep your data for legal or regulatory reasons. If we are using consent to process your data and you withdraw it, you can ask us to erase your data.
14. Changes to our Privacy Notice
Making sure that we keep you up to date with privacy information is a continuous responsibility and we keep this notice under review. We will update our notice as changes are required.
This privacy notice was last updated on 6 November 2023.
15. Contact us
If you have any questions, or comments regarding this privacy notice, or if you are unhappy about the way Royal London Ireland uses your data, please contact us using the details below.
Post: Data Protection Officer, Royal London Insurance DAC, 47-49 St Stephen’s Green, Dublin 2.