What we do with your data and what your rights are
We are Mike India 5 Limited T/a The Brownsword Group, a claims investigation specialist operating in the capacity of data processor (or sometimes joint data controllers) under authority and direction from our clients, the data controllers. Our address is Delta House, Alphagate Drive, Denton, Manchester, M34 3SH and you can email us at email@example.com or phone us on 0161 320 2555. If you prefer the retro approach you can send us a fax: 0161 320 2550.
All data is processed lawfully, fairly, transparently and in accordance with data protection legislation. We think this privacy notice is written in clear and transparent language, but if you disagree or have any questions, you can email us at firstname.lastname@example.org
The Data Protection Act 1998 has been replaced, from 25th May 2018, with the General Data Protection Regulations. The ‘GDPR’ can be found in full here if you want to read a few hundred pages of European legislation:
We act as sole data controller only in our capacity as an employer and in relation to any data submitted via our website contact form which is not in relation to instructions from our clients. Information on privacy for our employees is an internal document only.
Our commitment to you the consumer (the “data subject”):
- We aim to operate in a clear and transparent way at all times where possible.
- We will collect and process data fairly and lawfully.
- We will only use data in a way that people would reasonably expect.
- If you are contacting us using our contact form on the website and are not previously known to us and are not a customer of our clients, your data will be processed in accordance with your request and for the purposes of your enquiry only (for example, job applicants).
- Data you send to us via the website contact form will be processed internally in order to handle your request in the relevant department, and may be held on file with your consent for a period of time (for example if we are not currently recruiting but are interested in your profile we may keep your CV and personal details for future reference, if you say we can – you can change your mind at any time and tell us to delete it).
- If you are contacting us to apply for a vacancy or submit your CV, we may research and access publicly available information on the internet, including social media, in pursuance of your application.
- If you are contacting us using our contact form on the website as a customer of our clients, we are acting as data processors in accordance with the requirements of our client, the data controller. It is the duty therefore of our data controllers to provide full privacy notice information and this can be requested from them directly. We act for many data controllers; for information on the data controller responsible for your case (usually your insurance company or a solicitor), including identity and contact details, please telephone us on: 0161 320 2555 or email us at: email@example.com. Alternatively, please consult your policy details directly.
- As a customer of our clients, if you refuse to provide information to us this may affect the processing of your claim.
- We will not share any data with any third parties nor transfer it outside the UK.
- The recipients of the data we process will be our data controller (typically your insurance company as we are carrying out enquiries for them).
- We may engage third parties in the course of our data processing, for example a company who provides translation services, who would need your basic personal data to carry out the role (such as your name and address to attend the meeting), or the DVLA or Police if we are making enquiries involving them (for example we are investigating a road traffic incident where the Police attended and we wish to obtain the Police report). We will never disclose your personal data to any third party who does not have a function in our claims investigation enquiries.
- We retain the right to pass information on to any authorities who require us to do so by law as governed by the relevant legislation applicable in the UK.
- The purpose of processing your data is determined by the data controllers we are acting for and based on their instructions to us (for example, to help settle an insurance claim).
- The categories of personal data we process are determined by the data controllers we are acting for and based on their instructions to us. Personal data will either be presented to us by our data controllers based on information you have provided to them, or will be obtained directly from you in our dealings with you (conversations and written communication) or may be obtained from publicly accessible sources.
- We will process personal data (for example your name, address, date of birth, occupation and so forth) and also sensitive personal data where this is applicable to our enquiries (criminal convictions or racial or ethnic information where we are establishing identity or confirming the details provided to your insurance company, for example).
- The retention period (how long we will keep your data) is determined by our data controllers, typically this might be 6 or 7 years. After that time, all data will be securely destroyed.
- Each data subject (you) has rights as set out by the GDPR, these are:
  - The right to be informed – that means a company should tell you what they do with your data. That is this privacy notice you are reading.
  - The right of access – this means you can request a copy of your data and details about what is done with it. Because we are likely to just be the data processor, we will send any requests like this to the data controller to action.
  - The right of rectification – if you think we have got something wrong, please tell us and we will discuss this with you and look at putting it right. We will also make every effort to make sure data is accurate in the first place, so hopefully you won’t need this one!
  - The right of erasure – you can request that a company deletes your data. They might not always do it though, it depends on what basis it was collected, but we will discuss this with you if you make this request.
  - The right to restrict processing – similar to the above, you can ask a company not to carry out certain types of data processing, such as “stop sending me leaflets!”
  - The right of data portability – if you are moving all your data from one company to another, they now have to send this data for you (for example if you are swapping mortgages).
  - The right to object – you can object to a company processing data. This doesn’t mean they will automatically stop, but you can object. Again it depends on why the data is being processed.
  - Rights about automated decision-making and profiling – this is where a company uses a computer to make a decision; we don’t do this so it doesn’t apply here.
- You always have the right to lodge a complaint with the Information Commissioner’s Office (the ICO). You can do that here: https://ico.org.uk/concerns/
- You have a right to be forgotten under data protection legislation; however, this might adversely affect our ability to provide services to your insurance company or solicitor. This right is not automatic and may be declined depending upon circumstances. Any right to be forgotten requests will be directed to the data controller handling your claim. For full information on the right to be forgotten please see: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-to-erasure/
- We will process and store your data really securely, including on paper, on computer systems (which no-one outside the company can access), on CD/DVD, and on the network including back-ups. We will carry out manual processing (things like photocopying) and electronic processing (email and computer storage). We have ISO 27001, that’s a standard to make sure our IT systems are super-safe, with encryption and antivirus and lots of other techy stuff. We review our processes on a regular basis to make sure we still comply with the law.
- All companies need a lawful basis (or several) to be able to legally process data. Our lawful bases for processing personal data and sensitive personal data are:
  - the data subject has given consent to the processing of his or her personal data for one or more specific purposes (the consent being the lawful contract for services between you and your insurance company).
  - processing is necessary for the performance of a contract to which the data subject is party. The services of the company may be necessary for the insurance company to fulfil their obligations under the contract with the data subject in the event of an insurance claim on their policy.
  - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. Processing may be required in order to investigate and settle an insurance claim accurately. In this regard the legitimate interests of the insurance company to collect and use personal data will be considered against the rights of individual(s).
  - the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject.
  - processing relates to personal data which are manifestly made public by the data subject.
  - processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
- We will only process data for the purposes it has been collected for; nothing else.
- We will not use any of your data for marketing purposes.
If this information is required in any other format please contact us at: firstname.lastname@example.org with your requirements and we will aim to assist where reasonably practicable, for example we can provide a paper copy, bigger font, or email it to you. We might not be so keen to provide it in Latin, but we will consider all reasonable requests!
This privacy notice has been written in conjunction with: ICO guidelines and data protection legislation including Articles 12, 13 and 14 of the GDPR (the GDPR is the General Data Protection Regulations, new laws which replace the Data Protection Act 1998); and the Privacy and Electronic Communication Regulations 2015.