Privacy policy

Ways we collect data

We collect personal data in the following ways:

• Through our online forms;
• When you contact us either through our website, telephone, post, email or other means;
• When you enquire about any of our products or services;
• When you take out any of our insurance policies, or engage in any of our other products or services;
• Through our third party affiliates such as Experian;
• When you complete our surveys or provide us with feedback on our services;
• When you register with us to receive our products or services;
• When you make payments to us using our website or otherwise;
• When you choose to receive marketing communications from us; and
• When you otherwise use our services.

The personal data of our Users is processed under UK GDPR and DPA’18 under the following legal bases:

1. All information provided by a User when obtaining a quote or taking out an insurance policy is processed under the legal basis of contract.
2. All personal data collected from Users for the purposes of direct marketing activities is processed under the legal basis of consent. If we ask for your consent to process your personal data you may withdraw your consent at any time by contacting us at [email protected]. Similarly, should you wish to opt out of our marketing emails and communications, please use the unsubscribe button in our email footer or alternatively email us using the above address.
3. All other personal data, including personal data that is collected directly from Users during the course of using our website, filling in surveys or forms or otherwise contacting Prima, which has not been listed above, is processed under legitimate business interest for the purposes of providing information to Users on our products and services or otherwise effectively delivering our services.

Types of data we collect

We may collect the following personal data about you:

• Full name;
• Date of birth;
• Address;
• Gender;
• Job title;
• Profession;
• Marital status and relationships to other people (e.g., family members on the same insurance policy);
• Contact information (e.g., email addresses and telephone numbers);
• Demographic information (e.g., preferences and interests);
• Data about the area that you live in (e.g., crime, demographic, socio-economic, housing, forecasts of livelihoods and activities);
• Information about health, life events, resilience and capability that help us identify if you’re a vulnerable customer and whether we need to change our approach to suit you;
• Unique identification data (e.g., driving licence number);
• Information about your previous motor insurance quotes, policies, claims and any other data relevant to your motor insurance product;
• Driving information (e.g., your driving licence provision, restrictions or endorsements and driving convictions);
• Financial crime and sanctions-related data (e.g., information obtained from lists of fraud, money laundering and sanctions);
• Vehicle information (e.g., registration number, vehicle specification details, MOT and finance history);
• Payment information (e.g., payment card number, bank account details and other payment information);
• Credit assessment data received from credit agencies such as Experian (e.g., credit scores, credit product repayment history, bankruptcy, voluntary arrangements and county court judgments);
• IP address;
• Web browser type and version;
• Operating system;
• How you use our website, including the date, times and frequency with which you access our website and the way you use and interact with its content;
• Telephone recordings and online chat transcripts from your interactions with our customer support teams;
• Marketing communication preferences and customer feedback; and
The history of our relationship with you.

Some of the categories of personal data that we may collect are special categories of personal data (also known as sensitive personal data). In particular, we may process data about your health and criminal convictions where this is required to offer you an insurance quote. Please see the below section for more information about special category data.

We may be required by law to collect certain personal data about you, or as a consequence of any contractual relationship we have with you. Failure to provide this information may prevent or delay the fulfilment of these obligations.

It’s important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during the period that we hold it.

Special Category Data

During the course of using our website, Prima and our third party affiliates may process special category personal data from Users including, but not limited to, gender, racial and ethnic origin, religious or philosophical beliefs, health and sexual orientation.

Where special category personal data is processed, we will ensure that the necessary additional safeguards are in place to protect such data, acknowledging that by definition special category data should be treated with additional care due to the sensitive nature of the data collected.

Our use of your personal data

The personal data provided to us may be used in the following ways:

• To provide you with products and services;
• To personalise services;
• To deal with your enquiries and requests;
• For internal record-keeping;
• To improve and develop products and services;
• To contact you with marketing and offers relating to products and services offered by us and/or other members of the Prima group (unless you have opted out of marketing, or we are otherwise prevented by law from doing so);
• To contact you for market research purposes or feedback;
• To comply with legal obligations to which we are subject and cooperate with regliators and law enforcement bodies;
• To exercise or defend our rights and interests, or the rights and interests of third parties;
• In order to facilitate the sale of all or part of our business; and
• To complete credit and wider checks, including in relation to potential customers, policy holders and named drivers.

Third party sources

Prima may receive personal data about you from the following third parties:

• Comparison websites and other similar platforms that you’ve used to obtain quotes for motor insurance;
• Third parties who provide you with additional services to your motor insurance (e.g., motor legal cover or breakdown cover);
• Third parties who supply us with services related to your motor insurance cover (e.g., a third-party insurer, legal advisers and other experts);
• Third parties involved in your claim (e.g., claims handler, other insurer, claimants, defendants, witnesses and lawyers);
• Credit reference agencies (e.g., Experian);
• Providers of insurance information, including no claims history, fraud, crime and sanctions data (e.g., Motor Insurers' Bureau (MIB), Claims Underwriting Exchange (CUE), LexisNexis, MyLicence, TransUnion and CIFAS);
• Government agencies and regliatory bodies (e.g., Driver and Vehicle Licensing Agency (DVLA), Financial Conduct Authority (FCA), Prudential Regliation Authority (PRA), Information Commissioner's Office (ICO) and Financial Ombudsman Service (FOS));
• Insurance industry bodies (e.g., Association of British Insurers);
• Third parties who provide us with information about people who’ve expressed an interest in hearing about insurance products;
• Third parties who provide us with other services (e.g., actuaries, auditors, legal advisers and other professional advisers);
• Providers of marketing and advertising services;
• HM Land Registry;
• The Office for National Statistics;
• Open Government Licence;
• Internet searches;
• News articles; and
• Social media sites.

Links to other websites

Our website may, from time to time, provide links to other websites. We have no control over the websites we link to and we’re not responsible for their content. This privacy policy does not extend to your use of any websites we link to. We recommend you read the privacy policy of other websites before using them.

How we keep your data secure

We use technical and organisational measures to safeguard your personal data. For example:

• Access to your account is controlled by a password and a username that’s unique to you
• We store your data on secure cloud servers

Technical and organisational measures include ways of dealing with any suspected personal data breach. If you suspect any misuse, loss or unauthorised access to your data, please let us know immediately by emailing us at [email protected].

For more details about how to protect your personal data, computers and devices against fraud, identity theft, viruses and many other online problems, please visit https://www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.

Who we share data with

We may share your personal data in the following circumstances:

• Service providers and business partners. We may share your personal data with our service providers and business partners that perform marketing services and other business operations for us. For example, we may partner with other companies to process secure payments, fulfil orders, optimise our services, send newsletters and marketing emails, support email and messaging services and analyse information.
• Third party data providers (as listed in section above) We may share your personal data with third party data providers in order to enable them to provide us with information about you, as described in the ‘Data that’s received from third parties’ section of this privacy policy.
• Insurers or reinsurers. We may share your personal data with insurers or reinsurers that we work with in order to enable us to properly underwrite your insurance policy
• Industry bodies, law enforcement agencies, courts, regulators, government authorities or other third parties. We may share your personal data with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party.
• Asset purchasers. We may share your personal data with any third party that purchases, or to which we transfer, all or substantially all of our assets and business, or in the course of negotiations for any such transaction. Should such a sale or transfer occur, we will use reasonable efforts to try to ensure that the entity to which we transfer your personal data uses it in a manner that is consistent with this Privacy Policy.
• Our parent company Prima Assicurazioni SpA and our other group companies, for any of the reasons in this Privacy Policy.
• Fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and some fraud prevention agencies, and your data protection rights, can be found at www.cifas.org.uk/fpn.

The recipients referred to above may be located outside the UK. See the section on "International Data Transfer" below for more information.

International data transfers

Prima may, from time to time, transfer data between different Prima entities, including its parent company Prima Assicurazioni SpA. Where applicable such transfers are made under an Intra Group Agreement and Data Processing Agreement that is in place between Prima Subsidiary UK and Prima Assicurazioni SpA. Alongside this, any transfer between Prima entities is limited to within the European Economic Area (“EEA”).

In order to provide services to you, Prima may transfer your personally identifiable information to third parties, affiliates, and service providers, some of which may process and/or store your personally identifiable information outside of the EEA. However, in such an instance all reasonable steps will be taken to ensure that your personal data is treated securely and in accordance with this Privacy Policy (where possible). Any data transfers that take place outside of the EEA will be covered by the necessary Data Transfer Agreement (“DTA”) and Standard Contractual Clauses (“SCCs”).

Data retention

We will keep your personal data for as long as we have a relationship with you. Once our relationship with you has come to an end, we operate a data retention period of 7 years from the date of our last interaction with a User. 7 years after the date of our last interaction with a User all of the data provided by the User during all of their interactions with us will be reviewed and securely deleted/ destroyed, subject to our legal and regulatory obligations.

We will delete your personal data when it is no longer required for these purposes. If there is any information that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further processing or use of the data.

Automated decisions about you

The way we analyse personal data for the purposes of risk assessment and fraud prevention may involve employing solely automated means to make decisions about you.

We may make the following automated decisions about you:

• Where such decisions are necessary for entering into a contract. For example, we may decide not to offer our products to you, or we may decide on the types of products that are suitable for you, or how much to charge you for our products
• Where such decisions are required or authorised by law, for example for fraud prevention purposes
• Where you give your explicit consent to us carrying out automated decision-making.

You can contact us at [email protected] to request further information about automated decision-making, object to our use of automated decision-making, or request an automated decision to be reviewed by a human being.

We also make automated decisions about you based on your personal data which may include, but is not limited to, selecting personalised offers, discounts or recommendations to send you.

These types of decisions will not have a significant impact upon you, but you can still contact us for further information.

Processing the personal data of those below the age of 13

Our website is not intended for use by anyone under the age of 13 nor does Prima knowingly collect or solicit personally identifiable information from anyone under the age of 13. If you are under the age of 13, you may not attempt to send any information about yourself to us, including your name, address, telephone number, or email address.

During the course of using our relationship with a User, we may unintentionally process the personal data of children under the age of 13. This may occur where a responsible adult User has made an insurance claim, where a child is a claimant. Where this is the case, we acknowledge that the necessary parent or legal guardian has consented to Prima processing this information. Whilst we do not encourage the disclosure of such data, we recognise that the processing of such data may occur as part of making an insurance claim.

In the event that we confirm that we have collected personally identifiable information from someone under the age of 13 without verification of parental consent, we will delete/destroy that information promptly. If you are a parent or legal guardian of a child under the age of 13 and believe that we might have any information from or about such a child, please contact us at the email or mailing address provided at the end of this Privacy Policy.

Your rights

You may have the following rights in relation to your personal data, to exercise any of the below rights please email us at [email protected].

• Right to access – You have the right under DPA’18 to access the information that we hold about you. This will be provided to you within one calendar month of the request date.
• Right to rectification – You have the right under DPA’18 to request the amendment or updating of all the personal data that we hold about you.
• Right to erase – This includes the right to request that we delete or remove your personal data from our systems. Should you make such a request, your personal data will be deleted in line with our statutory and legal responsibilities.
• Right to restrict our use of your personal data – In line with Article 18 (1) (a) to (d) of UK GDPR you have the right under DPA’18 to obtain from the controller a restriction of processing.
• Right to data portability – You may have the right under DPA’18 to receive personal data we hold on you in a structured, commonly used and machine readable format. This right will only apply where the lawful basis of processing is consent or the performance of a contract and the processing is by automated means.
• Right to object – This includes the right to object to our use of your personal data.
• Right to complain to us or the relevant data protection authority (see ‘contact us’ below).

We encourage you to contact us to update or correct your personal data if it changes or if the personal data, we hold about you is inaccurate.

We will contact you if we need additional information from you in order to honour your requests.

Enforcement

We cooperate with the appropriate regulatory authorities, including local data protection authorities (the UK Information Commissioner’s Office (“ICO”)), to resolve any complaints regarding the collection, processing and disclosure of personally identifiable information that cannot be resolved between Prima and the individual.

If you have a concern about your privacy or would like to know more about how your personally identifiable information is collected or used, please contact us. We ask that when you contact us with a complaint, please include contact information and clearly describe your complaint. For any complaint regarding privacy please use [email protected].

We will respond to your request or complaint within a reasonable time and will let you know the next steps in resolving your complaint. If you are not satisfied with our response, you may also contact your local and federal data protection authorities to lodge a complaint.

Should you not be satisfied with the process, conduct or response to a request you may have made you have the right to complain to the ICO (https://ico.org.uk/make-a-complaint/).

Changes to this privacy policy

We reserve the right to change this privacy policy as we may deem necessary from time to time.

Where changes to this privacy policy will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise your rights (e.g., to object to the processing).

Contact us

Prima Subsidiary Ltd is the controller responsible for the personal data we collect and process.

To make enquiries, exercise any of your rights set out above, or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your data), please contact us by emailing [email protected].

Our Data Protection Officer can be contacted at: DigitalLawUK Ltd, Digital Media Centre, County Way, Barnsley, South Yorkshire, S70 2JW or [email protected]