Hyperion Insurance Group Limited and Hyperion Services Limited UK Privacy Notice
Hyperion Insurance Group Limited (Hyperion) is a holding company of insurance intermediaries, which needs to share information, including personal data, with certain third parties. Hyperion Services Limited (HSL) is a company wholly owned by Hyperion and provides services to Hyperion Insurance Group within the UK.
If you are a prospective, current or ex client or customer of any of the Hyperion Insurance Group insurance intermediaries, their fair processing notices can be found at:
- Howden UK Group Limited
- RKH Specialty Limited
- DUAL Corporate Risks Limited
If you are a job applicant, or a current or ex employee or contingent worker of Hyperion Insurance Services or Hyperion Insurance intermediaries in the UK, a copy of the relevant fair processing notice is available from Human Resources or at:
- Job applicants – Hyperion Insurance Group website - Careers
- Current employee or contingent worker – Hyperion intranet or via Human Resources
- Ex employee or contingent worker – via Human Resources.
This notice explains how Hyperion and HSL process the personal data of Hyperion Shareholders and visitors to our UK business premises. This notice may be updated from time to time – this version is dated 25 May 2018 and historic versions are archived here.
In this notice:
- We, us or our refers to Hyperion and/or HSL (as applicable); and
- You and your refers to the individual whose personal data may be/is being processed.
There may be other terms, which are defined in the Glossary.
This notice sets out the following:
- THE DATA WE MAY COLLECT ABOUT YOU (Your Personal Data)
- WHERE WE MIGHT COLLECT YOUR PERSONAL DATA FROM
- IDENTITIES OF DATA CONTROLLERS AND DATA PROTECTION CONTACTS
- THE PURPOSES, CATEGORIES, LEGAL GROUNDS AND RECIPIENTS OF OUR PROCESSING OF YOUR PERSONAL DATA
- PROFILING AND AUTOMATED DECISION MAKING
- RETENTION OF YOUR PERSONAL DATA
- SHARING YOUR DATA AND INTERNATIONAL TRANSFERS
- YOUR RIGHTS AND CONTACT DETAILS OF THE ICO
- GLOSSARY OF KEY TERMS
- Appendix 1: THE PURPOSES, CATEGORIES, LEGAL GROUNDS AND RECIPIENTS OF OUR PROCESSING OF YOUR PERSONAL DATA
- Appendix 2: LIST OF LEGAL GROUNDS WE RELY ON
- Appendix 3: DATA PROTECTION CONTACTS
SECTION 1: THE DATA WE MAY COLLECT ABOUT YOU (YOUR PERSONAL DATA)
We may need to collect and process personal data about you to:
- meet our legal and regulatory requirements relating to the running of our business;
- meet our legal obligations concerning our Shareholders; and
- ensure appropriate security and meet our health and safety obligations when you visit our UK offices.
The types of personal data that are processed may include:
| Types of personal data | Details |
|---|---|
| Individual details | Name, address (including proof of address), other contact details (e.g. email and telephone numbers), date of birth, employer, office location, and Group business segment and division. |
| Identification details | Identification numbers issued by government bodies or agencies, including your national insurance number, passport number, tax identification number and driving licence number. |
| Financial information | Bank account or other financial information |
| Share information | Number, class and value of shares, dividend and transaction history. |
| Visitors to UK offices | |
| Individual details | Name, address, contact details (e.g. email and telephone numbers), employer, job title. |
| Identification details | CCTV images. |
SECTION 2: WHERE WE MIGHT COLLECT YOUR PERSONAL DATA FROM
We might collect your personal data from various sources, including:
- government agencies, such as Companies House and HMRC;
- within the Hyperion Insurance Group; or
- third party professional advisors to our global businesses.
Which of the above sources apply will depend on your particular circumstances.
- your company representative; or
- within the Hyperion Insurance Group.
Which of the above sources apply will depend on your particular circumstances.
SECTION 3: IDENTITIES OF DATA CONTROLLERS AND DATA PROTECTION CONTACTS
- Hyperion will be the data controller. You should contact the Hyperion data protection contact.
- HSL will be the data controller. You should contact the HSL data protection contact.
We have provided the data protection contact details for the Hyperion Insurance Group in the UK in Appendix 3.
SECTION 4: THE PURPOSES, CATEGORIES, LEGAL GROUNDS AND RECIPIENTS OF OUR PROCESSING OF YOUR PERSONAL DATA
The purposes for which we may process your personal data are:
- Shareholder communications
- Share transfers, allotments and other share transactions, including dividends and operation of an internal market
- Share register management and reconciliations
- Shareholder reporting and KYC
- Shareholder covenant restrictions.
The purposes for which we may process your personal data are:
- Building security
- Meet our legal obligations, e.g. health and safety and HMRC reporting
- Facilitate networking opportunities with visiting overseas visitors from within the Hyperion Insurance Group.
Please Note: If we have previously advised that we are relying on consent as the basis of our processing activities, going forward we will not be relying on that legal basis save where otherwise explicitly stated.
Please Note: Please be aware, if you choose not to provide your personal data, we may be unable to provide shareholder services, or provide you with access to our premises.
Appendix 1 sets out the purposes, categories, legal grounds and recipients of our processing of your personal data. (The legal grounds are set out in the GDPR.)
SECTION 5: PROFILING AND AUTOMATIC DECISION MAKING
No profiling or automated decision making is used concerning Shareholders and Visitors.
Please note: You have certain rights in respect of automated decision making, where that decision has significant effects on you, including where it produces a legal effect on you. See Section 8 for more information about your rights.
SECTION 6: RETENTION OF YOUR PERSONAL DATA
We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy. In some circumstances we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.
In specific circumstances we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.
We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.
SECTION 7: SHARING YOUR DATA AND INTERNATIONAL TRANSFERS
We may share data with third parties to help manage our business and improve how we deliver services. These third parties may, from time to time, need to have access to your personal data. These third parties may include:
- Group employee benefit trust/Trustee, Group share registrar, Group entity management system supplier, including but not limited to third party administrators, management and external advisers who work with us to help manage the Shareholder processes;
- Service Providers, who help manage our IT and back office systems;
- our regulators, which may include the FCA and ICO, as well as other regulators and law enforcement agencies in the EU and around the world;
- financial institutions, such as banks and including credit reference agencies and organisations working to prevent fraud in financial services; and
- Solicitors and other professional services firms (including our auditors), who may also be legal representatives for you, us or a third party.
We may be under legal or regulatory obligations to share your personal data with courts, regulators or law enforcement agencies. Also, if we were to sell part of our businesses we would need to transfer your personal data to the purchaser of such businesses.
We may share your data with HMRC as part of our regulatory reporting obligations.
We may also share your data with the police, in the event of a security incident where CCTV recordings need to be examined and to solicitors and other third parties involved in any investigation or prosecution arising from the incident.
We may share the data of overseas visitors from within the Hyperion Insurance Group with other Hyperion Insurance Group companies.
We may transfer data to our Service Providers and Hyperion Insurance Group companies, including those that are located outside the EEA. We may also make other disclosures of your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests. These transfers would always be made in compliance with the GDPR. If you would like further details, please contact the Hyperion data protection contact. We have provided our data protection contact details in Appendix 3.
SECTION 8: YOUR RIGHTS AND CONTACT DETAILS OF THE ICO
You have a number of rights in relation to your personal data.
You may request access to your data, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability and various information in relation to any automated decision making or the basis for international transfers. You may also exercise a right to complain to your Supervisory Authority. These are set out in more detail as follows:
What this means
You can ask us to:
You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
You can ask us to erase your personal data, but only where:
We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:
There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances where we would deny that request.
You can ask us to restrict (i.e. keep but not use) your personal data, but only where:
We can continue to use your personal data following a request for restriction, where:
You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another Data Controller, but in each case only where:
You can object to any processing of your personal data which has our 'legitimate interests' as its legal basis (see Appendix 2 for further details), if you believe your fundamental rights and freedoms outweigh our legitimate interests.
Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
Automated Decision Making
You can ask not to be subject to a decision which is based solely on automated processing (see Section 5), but only where that decision:
In such situations, you can obtain human intervention in the decision making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision. Your right to obtain human intervention or to contest a decision does not apply where the decision which is made following automated decision making:
You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of the European Economic Area. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.
You have a right to lodge a complaint with your local supervisory authority about our processing of your personal data. In the UK, the supervisory authority for data protection is the Information Commissioner’s Office (ICO). We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
If you have any questions in relation to our use of your personal data, you should first contact the data protection contact of the relevant participant. We have provided our data protection contact details in Appendix 3.
Please note the following if you do wish to exercise these rights:
- We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request.
- We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.
- We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
- Local laws, including in the UK, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.
- Third Party Rights. We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects.
YOUR RIGHT TO COMPLAIN TO THE ICO
If you are not satisfied with our use of your personal data or our response to any request by you to exercise any of your rights in SECTION 10, or if you think that we have breached the GDPR/UK data protection laws, then you have the right to complain to the ICO. Please see below for contact details of the ICO:
|England||Information Commissioner's Office,|
|0303 123 1113 (local rate) or 01625 545 745 (national rate)||firstname.lastname@example.org|
|Scotland||Information Commissioner's Office,|
45 Melville Street,
|0131 244 email@example.com|
|Wales||Information Commissioner's Office,|
2nd floor Churchill House,
|029 2067 firstname.lastname@example.org|
|Northern Ireland||Information Commissioner's Office,|
3rd Floor 14 Cromac Place,
|0303 123 1114 (local rate) or 028 9027 8757 (national rate)||email@example.com|
SECTION 9: GLOSSARY
Hyperion Insurance Group means the Hyperion Insurance Group Limited (Hyperion) and any other company which is for the time being a subsidiary or holding company of Hyperion and any subsidiary of any such holding company and for the purposes of this contract, the terms “subsidiary” and “holding company” shall have the meanings ascribed to them by section 1159 Companies Act 2006 or any statutory re-enactment of those provisions.
Insurance Intermediaries help policyholders and insurers arrange insurance cover. They may offer advice and handle claims. Many insurance and reinsurance policies are obtained through intermediaries.
Solicitors – we may use solicitors to provide legal advice on complex or contentious matters.
Key data protection terms:
Automated decision making refers to a decision which is taken solely on the basis of automated processing of your personal data - this means processing using, for example, software code or an algorithm, which does not involve any human intervention.
Data controller means a natural or legal person, which determines the means and purposes of processing of personal data.
GDPR is the EU General Data Protection Regulation and the new UK Data Protection Act, which replaces the UK Data Protection Act 1998 from 25 May 2018.
ICO means the Information Commissioner's Office, which regulates the processing of personal data by all organisations within the UK.
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Process / Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Service Providers: these are a range of third parties to whom we outsource certain functions of our business, certain of which may be Hyperion Insurance Group companies and certain of which may be independent third parties.
Special categories of personal data means personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
APPENDIX 1: THE PURPOSES, CATEGORIES, LEGAL GROUNDS AND RECIPIENTS OF OUR PROCESSING OF YOUR PERSONAL DATA
|Purpose||Categories of data||Legal grounds||Disclosures|
Share transfers, allotments and other share transactions, including dividends and operation of an internal market
HMRC, Companies House, employee benefit trust and share registrar.
Share register management and reconciliations
Shareholder reporting and KYC
HMRC, Companies House, FCA, ICO and other regulators, financial institutions, solicitors and other professional firms.
Shareholder covenant restrictions
Police, solicitors, other third parties involved in any investigation or prosecution
Meet our legal obligations, e.g. health and safety and HMRC reporting
Facilitate networking opportunities with visiting overseas visitors from within the Hyperion Insurance Group and its subsidiaries
Other Hyperion Insurance Group companies
Appendix 2: LIST OF LEGAL GROUNDS WE RELY UPON
For processing personal data
Performance of our contract with you
Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.
Compliance with a legal obligation
Processing is necessary for compliance with a legal obligation to which we are subject.
Protection of vital interests of you or another person
Processing is necessary in order to protect the vital interests of you or of another natural person.
In the public interest
Processing is necessary for the performance of a task carried out in the public interest.
For our legitimate business interests
Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where you are a child. These legitimate interests are set out next to each purpose.
For processing special categories of personal data
In the substantial public interest
Processing is necessary for reasons of substantial public interest, on the basis of EU or UK law. This includes for ‘insurance purposes’.
Protection of vital interests of you or another person, where you are unable to consent
Processing is necessary to protect the vital interests of you or of another natural person where you are physically or legally incapable of giving consent.
For legal claims
Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
For health services
Processing is necessary for the purposes of preventive or occupational medicine, for medical diagnosis, the provision of health or social care or treatment on the basis of EU or UK law or pursuant to contract with a health professional that is under legal or professional obligations of secrecy.
Your explicit consent (optional)
You have given your explicit consent to the processing of those personal data for one or more specified purposes.
You are free to withdraw your consent, by contacting our data protection contact – see Appendix 3.
Your explicit consent (necessary)
You have given your explicit consent to the processing of those personal data for one or more specified purposes, where we are unable to procure, provide or administer insurance cover without this consent.
You are free to withdraw your consent by contacting our data protection contact – see Appendix 3. However withdrawal of this consent will impact our ability to provide insurance or pay claims. For more detail see section 5.
Appendix 3: DATA PROTECTION CONTACT
Our data protection contacts in the UK are: