Capital Insurance Markets – Data Protection Privacy Statement

You have arrived at a website that is owned and /or operated by Arachas Corporate Brokers Limited t/a Arachas, Capital IM, Capital Insurance Markets, Covercentre  (collectively, “Arachas”, “we”, “our”, “us”). We are an insurance intermediary regulated by the Central Bank of Ireland. We arrange and distribute insurance products on behalf of Insurance companies both Irish and international. We bind insurance policies on behalf of these brokers and we also carry out administration in relation to these policies.

Capital insurance Markets is part of the Arachas group and only distribute insurance products and services through our network of retail insurance brokers.

The Data Controller is Arachas Corporate Brokers Limited, trading as Arachas, Capital IM, Capital Insurance Markets, Covercentre of The Courtyard, Carmanhall Road, Sandyford Business Estate, Dublin 18. Email: dataprotection@arachas.ie

Where your insurance contract is arranged through an intermediary there may also be joint data controllers as a result of your intermediary, insurer or other third-party service providers collecting personal data from you.

Our Data Protection Officer is Máire McSherry and can be contactable by email at: dataprotection@arachas.ie “Data Controller” and “Personal Data” have the meaning given in the General Data Protection Regulations 2018

Arachas are committed to protecting and respecting your privacy. We wish to be transparent on how we process your data and show you that we are accountable with the GDPR (General Data Protection Regulation) in relation to not only processing your data but to ensure you understand your rights as a customer of ours.

It is our intention that this privacy notice explains to you the information practices of Arachas Corporate Brokers in relation to the information we collect about you.

What information we process.

In order to provide and administer insurance products and services on your behalf we must collect and process your personal data. The products and services will include but is not limited to issuing quotations, policy administration and claims handling, complaints handling. If required we may also use data we hold about you for legitimate and legal reasons such as fraud prevention or career related matters. 

  • The types of information given to Capital Insurance Markets on your behalf include information provided to us at inception and / or renewal of an insurance product such as: name, date of birth, gender, marital status, home address, contact address, email address, phone number, dependants, employment details, employee details financial details or photo ID, licence details, named driver details, risk details, claims history. We may also collect sensitive health information and details of motoring /criminal convictions and penalty points. When you provide us with personal information that relates to others such as named drivers you will agree to have received prior approval and consent from them.
  • When you provide personal information to us we will only use this information for the purposes described at point of collection such as for providing an insurance quote or employee career related matters and HR.
  • Special Category Data -if we collect any special categories of personal data on your behalf we will ensure that we obtain your explicit consent. Special Category data includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, data concerning a natural person’s sex life or sexual orientation and genetic/biometric data processed to uniquely identify a natural person.
  • Information we receive from third parties and other sources
  • The third parties through which we receive your personal data include but are not limited to:
  • Your broker/intermediary
  • Third party service providers e.g. loss adjusters, solicitors, claims management companies or any third party acting on your behalf
  • Business search databases
  • Geocoding databases
  • Insurance industry databases
  • Third party claims information
  • We may receive information about you from other websites we operate or other services we provide. We also work closely and may receive information about you from third parties including but not limited to business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies

How we use the personal information we gather

We use personal information given to us about you from the above sources in the following way: 

  • Providing professional services for our clients
  • Generate quotations and process applications and proposals for the products and services we offer 
  • Incept / renew policies
  • Administer the products and services that we supply to you
  • Process claims
  • Manage and investigate complaints
  • To contact you and your intermediary/broker if required or to respond to any communications that you might send to us.
  • To notify you about changes to our service
  • For legitimate business reasons i.e.auditing, call recording for training and verification purposes (if applicable) and customer service.
  • For legal reasons/obligations i.e.fraud prevention, compliance with central bank and other regulatory requirements and anti-money laundering and counter-terrorist financing prevention. 
  • Sharing information with third parties
  • Staff training and quality assurance purposes.
  • To establish and defend the legal rights of our group.

We may make your information available to third parties with whom we have a relationship to provide elements of services on our behalf. We have contracts in place with our data processors which means that they cannot do anything with your personal data unless we have instructed them to do so. We will only provide to those third parties the information that is necessary for them to perform the services and we take measures to protect your information.

The selected third parties that we may share your information with can include:

  • Any insurer / product provider that is a party to our products that you have applied for or contracted for
  • Your representatives: this can include your broker and the software providers through which your data is transferred to and from us, your legal representatives.
  • Any prospective seller or buyer of any business or assets related to the site, a Capital Insurance Markets or Arachas Group product or all or part of Capital Insurance Markets or Arachas Group
  • Any business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you.
  • Outsourced providers (regulated and unregulated)-e.g loss adjusters, legal professionals etc.
  • Insurance industry databases
  • We have a duty to disclose or share your personal information with a third party in order to comply with any legal obligation, or in order to enforce or apply our terms of business and other agreements, or to protect the rights, property or safety of our group of companies, or others. This includes exchanging information with third parties such as Government agencies for the purposes of fraud protection, anti-money laundering, credit risk reduction or criminal activity. 
  • Regulatory authorities e.g. Central Bank of Ireland, Financial Conduct Authority
  • Other companies that we deal with such as Lloyds brokers, MGA’s (managing general agents) and Insurers / Underwriters
  • There may be occasions where your data is shared with third parties outside the EEA (European Economic Area) such as service providers, external agencies, regulatory bodies, other insurance companies. In such circumstances we will ensure that such transfers are secure and in accordance with data protection law.

Any insurers / product producers that we place business with on your behalf will also have their own data protection and privacy policies and you will find reference to these in their policy documents. 

Retention of your data

We will keep your data only for as long as is necessary. Our retention periods for personal data are based on business and legal requirements and are in line with our Retention Policy. The retention periods will depend on the purpose of the processing and the nature of the information. 

Automated Decision Making

We use automated decision making for pricing and underwriting purposes i.e. to estimate your risk profile and to calculate your premium based on your risk profile.

Where we use automated decision making you have the right to obtain human intervention to contest our decision and to make representations in relation to the decision.

Your rights regarding your personal data

Arachas facilitate your, our customers, rights in line with our data protection policy and the subject access request procedure which is available on request.

At any point while we are in possession of, or processing your personal data, you, the data subject, have the following rights:

  • Right of access-you have the right to request a copy of the information that we hold about you. Click here to access the Data Access Request Form 
  • Right of rectification-you have a right to correction of data that we hold about you that is inaccurate or incomplete
  • Right to be forgotten-in certain circumstances you can ask for the data we hold about you to be erased from our records
  • Right to restriction of processing-where certain conditions apply to have a right to restrict the processing
  • Right of portability-you have the right to have the data we hold about you transferred to another organisation and in a portable format.
  • Right to object-you have the right to object to certain types of processing based on legitimate interest. However, certain legitimate grounds for processing can supersede your right to object.
  • Right to object to automated processing, including profiling
  • Right to judicial review-in the event that Arachas refuses your request under rights of access, we will provide you with a reason as to why.

Any data subject request will be forwarded on should there be a third party involved as we have indicated in the processing of your personal data.

Additional Information

  1. Data Security

Our intent is to strictly protect the security of your personal information, and to carefully protect your data from loss, misuse, unauthorised access or disclosure, alteration or destruction. 

  1. How to update/amend the personal information you have provided

You are entitled to know whether we hold information about you and, if we do (subject to certain limitations), to have access to that information and have it corrected if it is inaccurate or out of date. To exercise your rights under the GDPR please contact the Data Protection team at Arachas Corporate Brokers Limited, The Courtyard, Carmanhall Road, Sandyford Industrial Estate, Dublin 18 with proof of identity or email us at dataprotection@arachas.ie. You must contact us through your broker / intermediary if any of your details change so that we can keep your information accurate and up to date.

  1. How to lodge a complaint

In the event that you wish to make a complaint about how your personal data is being processed by Arachas or how your complaint has been handled you have the right to lodge a complaint with the Data Protection Officer whose contact details are dataprotection@arachas.ie You may also lodge a complaint with the Data Protection Commission in Ireland who can be contacted at Data Protection Commission, 21 Fitzwilliam square South, Dublin 2, D02 RD28 or Canal House, Station Road, Portarlington, Co. Laois R32 AP23. Phone +353 57 868 4800 / +353 761 104 800 Web: www.dataprotection.ie Email: info@dataprotection.ie

  1. Contacting us

Your privacy is important to us. If you have any comments or questions regarding our privacy notice, please contact us at +35312135000 or email dataprotection@arachas.ie.

  1. Changes to our Data Protection Notice 

Arachas may modify or update this privacy notice from time to time without prior notice. When a change is made we will post a revised version online. Changes will be effective from the point at which they are posted. It is your responsibility to review this privacy notice periodically so that you are aware of any changes. We encourage you to check this notice often so that you can continue to be aware of how we are protecting your personal information. Your continued use of our website constitutes your consent to the contents of this privacy notice.

This privacy notice was last reviewed in March 2020

 

The implementation date of the General Data Protection Regulation (GDPR), (Regulation (EU) 2016/689) is effective 25th May 2018. This requires that all contracts between Data Controllers and Data Processors to contain various provisions to ensure that the processing of Personal Data meets the requirements of the GDPR.

Capital IM acts as a Data Controller for the purposes of GDPR in respect of the Personal Data of individual policyholders for which our appointed Agents act as Broker. This detail is processed and retained for legitimate purposes and to allow us to offer our services. We may, subject to formal agreements, outsource our processing to external contractors.

In due course revised Agency agreements will issue to all appointed Agents. In the interim, the following outlines our GDPR procedures and our expectations of GDPR adherence by our appointed Agents.

Capital IM as of May 2018 is working towards ISO27001 accreditation. ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS) which is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.

Each appointed Agent of the Firm Capital IM must take its own steps to determine whether it acts as a Data Controller or Data Processor as defined in the Data Protection Acts 1988 and 2003 and GDPR. Data Protection Law for the purposes of this statement means the Data Protection Acts 1998 and 2003 as amended, updated, repealed, and includes the EU General Data protection Regulation.

Automated Data means data held electronically or on computer.

Consent of the data subject means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by a statement or a clear affirmative action signifies agreement to the processing of Personal Data relating to him or her. (Art. 4(11) GDPR)

Data Subject means the individual about whom the Personal Data relates. For appointed Agents this means both your customers and staff.

Data Controller controls the data and its use.

Data Processor processes the data on behalf of the Data Controller.

Manual Data means data held on paper or hard copy but only if it is part of a “relevant filing system”.

Processing includes anything done on or to data, so therefore covers:

  • Obtaining, recording or keeping data
  • Collecting, organising, storing, altering or adapting data
  • Retrieving, consulting or using data
  • Disclosing data by transmitting, disseminating or making available
  • Aligning, combining, blocking, erasing or destroying data.

Personal Data means data: (S.63 DP Bill)

Relating to identifiable living individuals or which could identify a living individual by reference to the data, such as by an identifier (e.g. name, identification number, location data, online identifier), or by reference to a specific factor(s) such as the physical, physiological, genetic, mental, economic, cultural, social identity of the individual and includes: criminal convictions and offences and includes, automated and manual data.

Sensitive or Special Category Data means any Personal Data as to: (S.2 DP Bill)

(a) Racial or ethnic origin, or
(b) Political opinions or religious or philosophical beliefs, or
(c) Trade union membership, or
(d) Physical or mental health or condition or sexual life, or
(e) Biometric data; or
(f) Genetic data.

Data relating to Criminal convictions and offences (including on-going criminal proceedings) is no longer categorised as Sensitive Data.

Without prejudice to the generality of the foregoing, it is envisaged that each Party, as Controller, will control and process Personal Data on its own behalf only. However, in the event that Personal Data is processed by either Party (the ‘Processor’) on behalf of the other Party (the ‘Controller’):

The parties agree the details of the;

  1. Subject matter and duration of the data processing
  2. Nature and purpose of the data processing
  3. Types of Personal Data and categories of data subjects

Where Agents refuse permission on behalf of its policyholders for the processing of Personal Data and/or Sensitive Data which we require to be processed for legitimate purposes, we may no longer be able to continue to offer services for that policyholder.

The Processor shall process such Personal Data in compliance with the provisions of Data Protection Law and in particular;

  1. Shall only process such Personal data in accordance with the documented instructions of the Controller and solely as strictly necessary for the performance of its obligations under an existing agency agreement.
  2. Shall ensure that the persons authorised by the Controller to process such Personal Data are bound by appropriate confidentiality obligations.
  3. Shall implement such technical and organisational security measures as are required with the data security obligations under Data Protection Law.
  4. Shall not engage any sub-processor without the prior written consent of the Controller and where the Controller has consented to the appointment of a sub-processor, the Processor must not replace or engage other sub-processors without the prior written consent of the Controller.
  5. Where any sub-contractor of the Processor will be processing such Personal Data on behalf of the Controller, the Processor shall ensure that a written service level agreement contract exists between the Processor and the sub-contractor ensuring that the sub-contractor meets the required standard of technical and organisational security measures as required by the Controller of the Processor.
  6. Shall ensure that staff are appropriately trained in Data Protection Law.
  7. In the event that any sub-processor fails to meet its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the sub-processors obligations.
  8. Shall inform the Controller immediately in the event of receiving a request from a Data Subject, to exercise their rights under Data Protection Law and shall provide such co-operation and assistance as may be required to enable the Controller to deal with such request, in accordance with Data Protection Law.
  9. Shall at the choice of the Controller and subject to regulatory restrictions, agree to delete or return all such Personal Data to the Controller when the Processor ceases to provide services relating to data processing.
  10. Shall make available to the Controller all information necessary to demonstrate compliance with Data Protection Law specific to the processing of Personal Data. This may include audits or inspections completed by the Controller or by an outsourced contractor mandated by the Controller.
  11. Shall notify the Controller without undue delay (and in any event within 24 hours) after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, unauthorised disclosure of, or access to , Personal Data transmitted or other wise processed and shall provide to the Controller such co-operation and assistance as may be required to mitigate against the effects or comply with reporting obligations which may apply in respect of any such breach and
  12. No such Personal Data shall be transferred outside of the European Economic Area by the Processor or any of its agents or sub-processors without the prior written consent of the Controller which consent may be subject to specific terms and conditions on the handling of such Data.