UK GDPR Factsheet
INTRODUCTION
Atwood Benefits UK Ltd is committed to being transparent about how we handle your personal information and to protecting the privacy and security of your personal information. This factsheet is to be read in conjunction with the Privacy Notice to provide additional information.
When we mention “we”, “us” or “our” we are referring to Atwood Benefits UK Ltd.
We have appointed a Data Compliance Manager, Timothy Atkins, who is responsible for ensuring we are in compliance with the General Data Protection Regulation (GDPR), as incorporated into UK law by the Data Protection Act 2018. GDPR rules are designed to give UK and EU citizens more control over their personal data.
DATA PROTECTION PRINCIPLES
Under the UK GDPR, there are six data protection principles that we must comply with. These provide that the personal information we hold about you must be:
- Processed lawfully, fairly and in a transparent manner.
- Collected only for legitimate purposes that have been clearly explained to you and not further processed in a way that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to those purposes.
- Accurate and, where necessary, kept up to date.
- Kept in a form which permits your identification for no longer than is necessary for those purposes.
- Processed in a way that ensures appropriate security of the data.
We are responsible for, and must be able to demonstrate, compliance with these principles. This is called accountability.
THE DIFFERENCE BETWEEN THE DATA CONTROLLER AND THE DATA PROCESSOR
CATEGORIES OF DATA
Personal data is defined as “any information relating to a data subject” and a data subject is the identified or identifiable person to whom the personal data relates.
Some personal data is deemed more sensitive and there are much stricter rules in place as to when this data can be processed. Such data is referred to as “special category data” and we will only collect and use this type of personal information when the law additionally allows us to.
CHANGE OF PURPOSE
We will only use your personal information for the purposes for which we collected it. If we need to use your personal information for a purpose other than that for which it was collected, we will, prior to that further processing, provide you with information about the new purpose, explain the legal basis which allows us to process your personal information for the new purpose, and provide you with any relevant further information. We may also issue a new privacy notice to you.
HOW WILL WE STORE AND PROTECT YOUR PERSONAL INFORMATION?
We take data protection seriously and we have implemented technical, physical and administrative security measures to protect your information against unauthorised access, loss, misuse or destruction.
In addition, we limit access to your personal information to those employees, workers, agents, contractors and other third parties who have a business need to know in order to perform their job duties and responsibilities. You can obtain further information about these measures from our Data Compliance Manager.
Where your personal information is shared with third-party service providers, we require all third parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes.
We also have in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.
LAWFUL PROCESSING
For processing to be lawful under the UK GDPR, we need to identify a lawful basis before we can process personal data. The tables below set out the legal basis upon which we collect and use your personal data.
In addition to the lawful bases for processing the information set out above, we will be processing it for the purpose of advising on, arranging or administering an insurance contract and only when we have your explicit consent to do so.
* We will process health information and lifestyle information when enrolling you onto the policies within your employee benefits program.
HOW LONG WILL DATA BE KEPT?
We will only keep your personal data for as long as it is necessary to do so for the purposes outlined in the Privacy Notice. Copies of your data may be retained to satisfy legal, regulatory and accounting requirements.
Personal information which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems and we will also require third parties to destroy or erase such personal information where applicable.
In some circumstances we may anonymise your personal information so that it no longer permits your identification. In this case, we may retain such information for a longer period.
YOUR RIGHTS IN CONNECTION WITH YOUR PERSONAL INFORMATION
It is important that the personal information we hold about you is accurate and up to date. Please keep us informed if your personal information changes, e.g. you change your home address. We cannot be held responsible for any errors in your personal information in this regard unless you have notified us of the relevant change.
As a data subject, you have a number of statutory rights. Subject to certain conditions, and in certain circumstances, you have the right to:
- request access to your personal information – this is usually known as making a data subject access request and it enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it
- request rectification of your personal information – this enables you to have any inaccurate or incomplete personal information we hold about you corrected
- request the erasure of your personal information – this enables you to ask us to delete or remove your personal information where there’s no compelling reason for its continued processing, e.g. it’s no longer necessary in relation to the purpose for which it was originally collected
- restrict the processing of your personal information – this enables you to ask us to suspend the processing of your personal information, e.g. if you contest its accuracy and so want us to verify its accuracy
- object to the processing of your personal information – this enables you to ask us to stop processing your personal information where we are relying on the legitimate interests of the business as our legal basis for processing and there is something relating to your particular situation which makes you decide to object to processing on this ground
- data portability – this gives you the right to request the transfer of your personal information to another party so that you can reuse it across different services for your own purposes.
If you wish to exercise any of these rights, please contact our Data Compliance Manager. We may need to request specific information from you in order to verify your identity and check your right to access the personal information or to exercise any of your other rights. This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it. While we do not normally impose an administration charge for such requests, we reserve the right to do so if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
In the limited circumstances where you have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal. If you wish to withdraw your consent, please contact our Data Compliance Manager. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose you originally agreed to, unless we have another legal basis for processing.
If you believe that we have not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues.
COULD THE INFORMATION GO OUTSIDE THE EEA?
Some of the third parties we deal with in accordance with this policy may be based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- we may use contracts which give personal data the same protection it has in Europe; and
- we may use providers based in the US and transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Please contact us if you want further information on the specific mechanism used by us and the suitable safeguards we use when transferring your personal data out of the EEA.
SECURITY PROTOCOLS
We have appropriate security measures in place to prevent personal data from being accidentally lost, used or accessed in an unauthorised way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
COOKIES
Our website may place and access certain first party cookies on your computer or device. First party cookies are those placed directly by us and are used only by us. We use cookies to facilitate and improve your experience of our website and to provide and improve our services. By using our website, you may also receive certain third party cookies on your computer or device. Third party cookies are those placed by websites, services, and/or parties other than us.
In addition, our website uses analytics services provided by Google. Website analytics refers to a set of tools used to collect and analyse usage statistics, enabling us to better understand how people use our website. Google Analytics collects the IP address assigned to you on the date you use our website, but not your name or other information that identifies you personally. We do not combine the information generated through the use of Google Analytics with your personal data. Although Google Analytics plants a persistent cookie on your web browser to identify you as a unique user the next time you use our website, the cookie cannot be used by anyone but Google. Google’s ability to use and share information collected by Google Analytics about your use of the Services is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. You may find additional information about Google Analytics at www.google.com/policies/privacy/partners/. You can opt out of Google Analytics by visiting https://tools.google.com/dlpage/gaoptout/.
CHANGES TO OUR PRIVACY NOTICE
We reserve the right to update or amend the Privacy Notice at any time, including where we intend to further process your personal information for a purpose other than that for which the personal information was collected or where we intend to process new types of personal information. We will issue you with a new privacy notice when we make significant updates or amendments. We may also notify you about the processing of your personal information in other ways.
HOW TO CONTACT US
We welcome all feedback on matters relating to privacy or to any other aspect of our service. If you feel any part of this factsheet is not clear and plain, please contact us. You can contact our Data Compliance Manager, Timothy Atkins, by post, telephone or email:
Atwood Benefits UK Ltd
Waterside
Park Farm
Ditton
Kent
ME20 6PE
+44 (0) 1732 220184
[email protected]