
Privacy Notice
In this Notice, when we refer to “TMK”, “we, us, or our”, we mean the entities set out below in the section ‘Who are we?’
This Notice will explain to you how we collect, use, and share your personal data for the purpose of operating our business, websites, and managing our relationships with suppliers. It will also inform you of your rights relating to your personal data. If you are a job applicant who has provided your personal data to us for recruitment purposes, please click here for our Candidate Privacy Notice. If you are a former employee, contractor or other individual who previously worked under a contracting arrangement with us, please contact us at dpo@tokiomarinekiln.com to obtain a copy of our Privacy Notice for Employees and Contractors.
If you provide personal data about other persons to us, such as family, friends, or other associates, you must seek their consent.
Who are we?
We are part of the Tokio Marine Holdings, Inc. group of companies operating throughout the world.
This Notice covers:
Tokio Marine Kiln Group Limited and all its UK subsidiaries including:
- Tokio Marine Kiln Insurance Services Limited
- Tokio Marine Kiln Syndicates Limited
- Tokio Marine Kiln Regional Underwriting Limited
- Kiln Pension Guarantee Limited
- Tokio Marine Underwriting Limited
Where your personal data is processed by other subsidiaries of Tokio Marine Kiln Group Limited or other entities in the Tokio Marine group, you should refer to the privacy notices of those companies.
TMK is a data controller in respect of personal data which we receive in connection with the services that we provide to our clients. This means that we are responsible for deciding how we can use your personal data
What personal data do we collect?
Personal data is any information that relates to a living person and that identifies you either directly from that information or indirectly, by reference to other information that we have access to.
The personal data that we collect, and how we collect it, depends upon how you interact with us.
The personal data that we collect includes:
Individual Details
Name, address (and proof of address), other contact details (e.g., email and telephone numbers), gender, marital status, family details, date and place of birth, nationality, employer, job title and employment history, educational and technical qualifications, family details and their relationship to you, and your images/videos/photographs.
Identification information
Identification numbers issued by government bodies or agencies (e.g., depending on the country you are in, social security or national insurance number, passport number, identification number, tax number, driver's licence number).
Financial information
Payment card and bank account details, income, and other financial information.
Risk details
Information about you which we collect in order to assess the risk to be insured and provide a quote. This includes information relating to your health, criminal convictions, or other special categories of personal data. For certain types of policies, this includes telematics data.
Criminal records
Criminal convictions and related security measures.
Special categories of personal data
Health data including dietary, allergies and disability information when you visit our offices, sign up for or attend any of our events. Additionally, we may process current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g., smoking or consumption of alcohol), prescription information and medical history.
Other special categories of personal data may also be processed including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data and information concerning an individual's sex life or sexual orientation.
Policy information
Information about the quotes you receive and policies you take out.
Credit and anti-fraud data
Credit history and credit score, sanctions and criminal offences information received from various anti-fraud databases relating to you.
Previous and current claims
Information about previous and current claims, which may include information relating to your health, criminal convictions, or other special categories of personal data and in some cases, surveillance reports.
Marketing information
Your individual details and marketing preferences. Where we rely on consent as a basis for collecting and using your personal data for these purposes, we will also keep records of whether or not you have consented to receive marketing from us and/or from third parties.
Website and communication usage
Details of your visits to our websites and information collected through cookies and other tracking technologies, e.g., your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access. For information about how we use cookies and the choices you may have, please see the cookies policies which are available on our websites that your visit.
Audio, online meeting and webinar recordings
We will inform you whenever we record your voice (e.g., in a telephone recording) or video images (e.g. online meetings and webinars). Specifically, if we record online meetings and webinars hosted on virtual platforms such as Microsoft Teams and Zoom, the fact of the recording will be prominently displayed on your screen.
You have a right to continue or decline to participate in the meetings, webinars, phone call or other recordings.
CCTV images
Your images are captured by CCTV cameras operated by us. No voice is recorded by our CCTV system.
Who do we obtain your personal data from?
We collect personal data from various sources, including but not limited to:
- you
- your family members, representative, employer or trade or professional associations
- other insurance market participants, such as insurance intermediaries (e.g., introducers, brokers, agents and coverholders), insurers and reinsurers
- credit reference agencies
- anti-fraud databases, sanction lists, court judgements and other databases
- government agencies such as vehicle registration authorities and tax authorities
- publicly available information, including but not limited to the open electoral register
- in the event of a claim, third parties including the other party to the claim (claimant / defendant), witnesses, experts (e.g., medical experts), loss adjustors, legal advisors, and claims handlers.
- suppliers providing products and services to us
How do we obtain your personal data?
We collect personal data in the course of our business:
When you request a service from us
For example, if you ask us to obtain insurance quotes, or if you contact us to make an enquiry about a product or a service that we provide.
Providing a service/ product to our clients
Our services and products include insurance products and services (e.g., underwriting, coverholder services and insurance administration). In these cases, your personal data will normally be provided to us by our clients (or intermediaries acting on behalf of our clients), or sometimes our clients may ask us to contact you directly. We will also obtain information from other third parties.
When you use our website or one of our online services
We collect information about your visit and how you interact with our website. We use various technologies to collect and store information when you visit our websites. For information about how we use cookies and the choices you may have, please see our cookies policies available on our websites that you visit.
When you visit our business premises or attend our events
We collect information that we need in order to identify you and complete any necessary security checks. We also collect your images on our CCTV cameras which are installed at the entrances and exits of our premises and within our premises.
We may also collect dietary, allergies and disability information for catering and your health purposes.
When you attend any meetings or any of our events, we may collect your images and voice via video recordings or still photography for marketing and promotional purposes. If we take videos or photos at any events or meetings, we will let you know either in our invitations, confirmations of the events/ meetings or at the entrance of the events/meetings.
When we engage or are proposing to engage the services or purchase products from a supplier
We collect information necessary to administer our relationship with a supplier, e.g. a review of our supplier’s capabilities and qualifications, communicate with our suppliers or proposed suppliers, make payments and recover money owed to us, and perform any ongoing monitoring and investigations where required.
Whenever you contact us or engage us on social media
We retain a copy of your email or other correspondence as a record of your communication with us. This will include occasions when you contact us for a general enquiry, a complaint or to exercise your rights in relation to your personal data.
Merger or acquisition
If we are in a process of merger, acquisition or asset transaction, we may acquire your personal data from the involved third party.
What does TMK use your personal data for and what is our legal basis for the use?
Under data protection laws, we require a legal basis prior to processing your personal data. We have set out below our purposes for processing your personal data and our legal basis for doing so.
Purposes for processing personal data |
Legal basis |
Providing a service/product to our clients |
|
Quotation/inception |
|
|
|
Policy administration |
|
|
|
Claims processing |
|
|
|
Renewals |
|
|
|
Support and other business activities |
|
|
|
Other business purposes |
|
Conducting data analytics |
|
|
|
Testing purposes |
|
We may use your personal data in order to test our IT systems. Appropriate security precautions and permissions will be applied to the data and any copies used for testing. |
|
Contacting and marketing to our clients and prospective clients |
|
|
|
Conducting surveys and other evaluations |
|
|
|
Business communications |
|
|
|
Websites |
|
Operation and use of our websites
|
|
Legal, compliance and corporate governance |
|
|
|
|
|
|
|
|
|
Securing and protecting our business |
|
|
|
Phone calls to our office, visitors to our premises and attendees of our events |
|
|
|
|
|
|
|
Use of CCTV |
|
|
|
Sensitive personal data
Sensitive personal data refers to health information, criminal records, and other sensitive personal data. See the section above under What personal data do we collect?
If we use certain sensitive personal data, data protection laws require that we must have an additional legal basis.
The additional legal basis that we rely on for processing sensitive personal data is that it is necessary for an insurance purpose and for reasons of substantial public interest, and to protect, investigate and defend legal claims.
Who do we share your personal data with?
We share personal data within and outside the Tokio Marine group of companies. These persons may act as data controllers or data processors of your personal data. A data controller is responsible for deciding how to use your personal data, while a data processor only processes your personal data on behalf of a data controller that it provides services to.
Within the Tokio Marine group of companies
Your personal data is shared with our group entities for the purposes of conducting our business, for providing services to you or our clients, for our general business administration, and for reporting or regulatory/ compliance purposes. Our group entities may either act as data controllers or data processors of personal data. Where personal data is shared between any Tokio Marine group of companies, this will be facilitated through our intra-group data sharing agreement.
Other companies
We may disclose your personal data to or share it with:
· The relevant insurance market participants and other companies
The insurance lifecycle involves the sharing of your personal data between the various insurance market participants and other companies.
We may disclose your personal data to our insurance partners and other companies such as other insurers, reinsurers, coverholders, brokers and other companies who act as insurance intermediaries and medical service providers. These entities would usually operate as independent data controllers of personal data and are responsible for their own compliance with data protection laws. You should refer to their privacy notices for more information about their practices.
We may disclose your personal data to those who are involved in risk assessment, handling, investigation, defence or prosecution of claims, administration of insurance policies, loss adjustment and information providers such as screening, due diligence, and anti-fraud databases. These entities would usually process your personal data on our behalf.
If you are not sure whether our service provider, with whom we share your personal data, is a data controller or processor of your data, please contact us to find out.
· Other authorised service providers
We may disclose your personal data to service providers we have retained to provide services to us.
Certain service providers such as banks, financial organisations and advisers, auditors, lawyers and tax advisers are independent data controllers of personal data which they receive from us and are responsible for their own compliance with data protection laws.
Other service providers such as our marketing agencies, document management providers and IT service providers who manage our IT and back office systems would usually act as data processors and process on our behalf, those personal data which they receive from us.
If you are not sure whether our service provider, with whom we share your personal data, is a data controller or processor of your data, please contact us to find out.
Legal and regulatory obligations
We will make disclosures in order to meet our legal and regulatory obligations to law enforcement agencies, government, and regulatory bodies such as the Prudential Regulatory Authority, the Financial Conduct Authority, the Information Commissioner’s Office and other regulators as required by law, who act as independent data controllers of the personal data.
We may make disclosures of your personal data for the purposes of legal proceedings, obtaining legal advice and complying with our obligations under data protection and other laws.
Mergers and acquisitions
We may disclose your personal data in connection with the sale, transfer, or disposal of any of our businesses to third parties who act as independent data controllers of the personal data.
How long will TMK retain your data
We will retain your personal data in accordance with our Data Retention Schedule which is for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. Our retention periods for personal data are determined based on our business needs and legal requirements. For example, we retain certain transaction details and correspondence until the time limit for claims, or to comply with regulatory requirements regarding the retention of such data. Please note that personal data that has been deleted from our systems may persist in our backups but will not be readily accessible.
What are your rights?
|
|
Right of access |
You have the right of access to information we hold about or concerning you. If you would like to exercise this right, you should email us at dpo@tokiomarinekiln.com. |
Right of rectification or erasure |
If you feel that any information that we hold about you is inaccurate you have the right to ask us to correct or rectify it. You also have a right to ask us to erase information about you where the information is no longer needed by us, where we are unlawfully processing your personal data, or where our processing of your personal data is based on your consent. Please note that there may be circumstances where you ask us to erase your personal data but we are legally entitled to retain it. Where we have disclosed your personal data to another person, we will take all reasonable steps to inform those with whom we have shared your personal data about your request to erase or correct/ rectify the personal data. |
Right to object or restrict processing |
You have a right to object to our processing of your personal data where our processing is based on legitimate interests. This includes the right to object to any direct marketing we may undertake and to any automated decisions based on profiling which we may carry out. You also have a right to request that we restrict processing your personal data while we consider your request to rectify or erase the personal data. Again, there may be circumstances where you object to or ask us to restrict our processing of your personal data but we are legally entitled to refuse that request. |
Right to portability |
You may a right to receive any personal data that you have provided to us in a commonly used, machine readable format in order to transfer it to another data controller. This is called a data portability request and is only available where we process your personal data on the basis of your consent or for the performance of our contract with you. |
Right to withdraw consent |
You have the right to withdraw your consent for the processing of your personal data where the processing is based on consent. |
Right of complaint |
You have a right to lodge a complaint at any time (about how we are handling your personal data or the information provided to you by TMK in this Notice) with the Information Commissioner’s Office in the UK (ICO) who can be contacted at www.ico.org.uk. However, we hope that before you do so, you will first contact us at dpo@tokiomarinekiln.com to let us know. We wish to assure you that we are committed to working with you to settle any concern or complaint your may have about how we handle your personal data. |
If you would like to exercise any of your rights above, please email us at dpo@tokiomarinekiln.com. We would need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure we take to ensure your information is not disclosed to any person who has no right to receive it.
Where will your personal data be processed?
As mentioned, TMK may transfer certain personal data outside the UK to other Tokio Marine group entities, insurance market participants and authorised service providers (see the section Who do we share your personal data with?).
If TMK transfers personal data outside of the UK, we will ensure that the transfers comply with UK data protection laws.
Examples of countries where we may transfer personal data to (other than those recognised by the ICO as having adequate levels of data protection) include, but are not limited to, Australia, India, Singapore and the United States of America.
You have a right to contact us for more information about the safeguards we have put in place (e.g. where relevant, a copy of relevant contractual commitments, which may be redacted for reasons of commercial confidentiality) to ensure the adequate protection of your personal data when this is transferred outside the UK.
How does TMK secure your personal data?
The security of your personal data is important to us and we have implemented reasonable physical, technical and administrative security standards to protect personal data from loss, misuse, alteration or destruction.
We protect your personal data against unauthorised access, use or disclosure, using security technologies and procedures, such as encryption and limited access. Only authorised individuals access your personal data, and they receive training about the importance of protecting personal data.
Our service providers and agents who process personal data on our behalf are contractually bound to maintain the confidentiality of personal data and may not use the personal data for any unauthorised purpose.
Contact us
If you have any queries, concerns or complaints or require further information as to how your personal data is processed, or if you wish to the exercise of any of your rights in relation to your personal data, you can contact us by post, or email at:
Data Protection Officer
Tokio Marine Kiln, 20 Fenchurch Street, London EC3M 3BY
If you are not satisfied with the way in which your personal data has been handled by TMK, you may also complain to the Data Commissioner’s Office at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
T: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
casework@ico.org.uk
How often is this Notice updated?
We regularly review and revise this Notice. We will ensure that the most up to date version is published here. This Notice is last updated on 25 August 2023.