CHARLES TAYLOR FAIR PROCESSING NOTICE 

1. Scope 

1.1 This Fair Processing Notice tells you what personal information Charles Taylor Group ((“Charles Taylor”, “we”, “us” or “our”) collects, why we collect it, what we do with it and who we share it with, as well as the choices and rights individuals have regarding this personal information. 

1.2 This Notice does not apply to the personal information that we process about our employees, which is subject to different respective employee privacy notices.   

1.3 Please see our Privacy Policy which sets out how we ensure that we look after your personal information when we collect and use it. 

2. About Charles Taylor 

2.1 Charles Taylor Group is a group of companies operating across the globe. We provide claims management solutions, providing integrated claims services, business process outsourcing and consulting services worldwide to the risk management and insurance industry, as well as to self-insured entities (our “Services”). 

2.2 This Notice explains how Charles Taylor Group companies handle the personal information that is subject to the GDPR, which we collect about individuals: 

• that use our websites and associated services 
• who are our former, current and prospective clients 
• who communicate with us 
• who otherwise use our products or engage with us regarding our Services 
• other individuals whose personal information we receive in providing the Services 

2.3 For the purposes of the UK and EU GDPR, and unless you are explicitly notified otherwise, Charles Taylor Limited is the controller of your personal information, and where the processing of personal information is also undertaken by other Charles Taylor Group companies with whom you engage, they are joint controllers with Charles Taylor Limited of your personal information. 

3. Our Processing of your Personal Data 

3.1 Our primary business is to provide claims management and related services globally, including third party claims administrator services, loss adjusting and associated risk, consulting and other services. Generally, we provide these services to entities that provide insurance cover, issue or underwrite the policies or are otherwise responsible for payment of the claims that we handle. We refer to these entities as “insurers”. Other parties in the insurance market with whom we may exchange your personal information include insurance brokers, agents, underwriters, self-insured companies and other companies or entities that issue or underwrite policies, provide coverage for or otherwise make decisions regarding the claims we handle. 

3.2 As a part of our claims management services, we process claims and handle administrative functions for insurers, such as receiving notices of claims, administering forms and documentation requests and providing support-related services to policyholders and claimants. We also help insurers evaluate, assess and establish their liability for claims and make recommendations related to the settlement of claims, including payments, repairs and replacements. We process personal information during the course of providing our claims management activities to insurers.  

3.3 Our insurer clients are data controllers of the claims data that we process on their behalf and our processing of personal information is subject to the instructions of our respective clients. Our role depends upon the relevant circumstances, including the type of services we provide to our clients. We may be acting as a data controller for the personal data processed as part of the claims handling services or as a data processor engaged to perform claims handling services on behalf of, and subject to, the instructions of our client, depending on the nature of the services we provide to them. If you are not sure whether we are a data controller for the relevant processing, please contact us at DPO@charlestaylor.com. 

4. Personal information we collect 

4.1 The types of personal information we collect and how we use it depend on your relationship with us. For example, we will collect different personal information depending on whether you are a policyholder, a beneficiary or a third party covered by an insurance policy we provide, a website user, a claimant, a witness, an intermediary, an expert or another third party. 

4.2 When you are making a claim under a policy, we will collect basic contact details together with information about the nature of your claim and any previous claims. If you are an insured person, we will need to check details of the policy you are insured under and your claims history.  

4.3 We will only use your information in ways we are allowed to by law, which includes only collecting as much information as we need. In processing the claim and as part of our claims handling services, we may collect personal data directly from you and from other sources where we believe this is necessary to manage the claim (such as public registers, databases managed by credit reference agencies, government agencies and other reputable organisations).  

4.4 We may also collect information from third parties related to you or linked to the claim such as witnesses and persons representing you, where you are involved in a third-party claim.  In addition, we may collect information to enable us to carry out background checks or to verify your identity or the identity of people related to you and others to the extent permitted by law and to investigate and protect ourselves and our clients from fraud.  We also perform sanctions screening and anti-money laundering checks, as required and permitted by applicable law. 

5. Purposes and legal grounds for our use of personal information 

5.1 The information we collect and process is required by us to open, review, adjust, assess, validate, settle and otherwise administer your claim on behalf of your insurer.   

5.2 For personal information to be processed lawfully in most countries, it must be processed on one of bases set out in the relevant applicable law. These include, among other things, the consent of the individual whose data we are processing, that the processing is necessary for the performance of a contract with the data subject, for compliance with a legal obligation to which the data controller is subject, or for the legitimate interests of the data controller or the party to whom the data is disclosed. When we process sensitive personal information (including health information, financial information, information about your political views), additional conditions must be met. When processing your personal information as data controllers in the course of our business, we will ensure that those requirements are met.  

5.3 Depending on your relationship with us, the legal basis for us processing your personal information is one of the following:  

• You have given consent to us or the party for whom we are acting  
• The processing is necessary for the performance of a contract or legal duty  
• Processing is necessary for a legitimate interest pursued by us or a third party.  

5.4 Where we rely on our legitimate interests, we will always balance them against the rights and freedoms of the people whose personal information we process. Where their rights override our legitimate interests and there are no other legal bases for processing, we will cease to process personal data. Where we rely on legitimate interest as our grounds for processing your data you have the right to object at any time.   

 5.5 We have set out more information about the legal bases for processing in the table below.  

6. Sensitive personal information (or Special Category Personal Data)  

6.1 We may process sensitive personal data about you which includes “special categories” of personal data, including:  

• Health information, including details about illness and disability, and medical treatment you have received or that you may require;  
• Information about your sex, gender, sexual orientation or marital status;  
• Information about your religious or political beliefs, or trade union membership;  
• Information about your criminal record data, where necessary for the processing and handling of your claim.   

6.2 We will only process such data:  

• Where we need to for the purposes of establishing, exercising or defending our or our client’s legal rights;  
• Where you have provided your consent;  
• Where it is necessary to protect your vital interests (or those of another person) where you are physically or legally incapable of giving consent; 
• Where it is necessary in the substantial public interest, for insurance purposes (which includes the administration of insurance claims); or  
• Where it is in the substantial public interest for preventing and detecting fraud.  

6.3 If we rely on your explicit consent to permit the processing of sensitive personal data, you may withdraw your consent at any time. However, if you do so, we may not be able to continue to process your claim.  

6.4 Where Charles Taylor provides services to clients as a data processor of personal information, we only process such personal information on behalf of, and under the instructions of our clients, or where otherwise required by the relevant applicable data protection laws. 

7. With whom might we share your personal information? 

Sale of our business or part of our business 

7.1 Your personal information may be shared with a company (the buyer) which acquires any part of Charles Taylor’s business. Where this is the case, we will ensure that your personal information is transferred to the buyer securely.  

7.2 We may need to retain your personal information for our own purposes beyond the date of the acquisition. This means that the lawful basis we rely on for processing your personal information will change. Depending on the information we retain, we may process it for the purposes of our legitimate interests, provided these interests are not overridden by your interests. 

7.3 If the part of our business which is being acquired is regulated, for example, by the Financial Conduct Authority in the UK, we may be required to retain certain business records which may include your personal information. In this event, we can rely on compliance with a legal obligation to process your personal information.   

7.4 We may consider that we need to retain copies of your personal information in order to defend ourselves against possible future legal claims. This consideration will be made carefully and, if we do retain your personal information, it will be held in line with our Group Document Retention Policy. 

The provision of services to our clients 

7.5 From time to time, we may need to disclose your personal information to third parties. Sometimes, these will be companies who process it on our behalf and only act upon our instructions. Sometimes, these will be individuals and companies such as: clinics and hospitals; air ambulances; taxi services; consultants; doctors; experts; lawyers; and other professionals within or connected to the insurance industry. Your information may be shared with insurance participants, including the policyholder. 

7.6 Any organisation or business which has access to your personal data in connection with provision of our Services should be governed by contractual restrictions and/or technical limitations to ensure that they protect your personal data and meet with the appropriate data protection legislation.  

7.7 We have set out more detail in the table below about the types of businesses with whom we may share your personal information: 

7.8 Any personal information we collect related to handling claims on behalf of our clients may be disclosed to such organisations or persons as directed by our clients; such disclosures are subject to our clients’ privacy policies. 

7.9 Where these organisations or businesses are based in a country that is not considered to provide adequate protection for your personal information by the data supervisory authority in the country from which we are exporting personal information, we will put in place an appropriate safeguard for your personal information or we will rely on one of the exemptions provided by the relevant law to permit export of your personal information.  

7.10 For example, where we need to transfer personal data to countries outside of the UK or EEA (or from one country outside of the EEA to another country outside of the EEA), we will do so where we have implemented safeguards so that your data continues to be protected to the standards set out in this Fair Processing Notice or rely on an exception under the UK or EU GDPR.  

7.11 You should be aware that if your personal information is transferred to another country, it may be subject to access requests from foreign governments, courts, law enforcement officials and national security authorities. 

7.12 We will keep records of where your data has been sent outside of the UK and EEA and you can have access to these records if you wish.  

Full details of all Charles Taylor Group offices can be found here. 

8.     Social media 

8.1 We use a third-party provider, Agorapulse, to manage our social media interactions. If you send us a private or direct message via social media, it will be stored by Agorapulse for up to 12 months.   

8.2 We see all this information and decide how we manage it. For example, if you send a message via social media that needs a response from us, we may process it as an enquiry or a complaint. When contacting Charles Taylor through a social media platform, we suggest you also familiarise yourself with the privacy information of that platform.  

8.3 Agorapulse provides us with analytics information on engagement with our social media presence.  

9. How long do we keep records for? 

9.1 We will keep personal information in line with our Document Retention Policy, a copy of which is available on application. In the context of an insurance claim, this will usually be 7 years from the date of the last activity on the claim. 

10. Automated decision taking 

10.1 There are some very limited circumstances where we, on behalf of our clients, use computer questionnaires to give you a quick decision on whether or not they can provide you with insurance cover. In some cases, this is done to generate a quote based on your individual circumstances, including things which may involve your sensitive personal data (for example, your health data). Where we do this, the software we use compares your answers against our insurance client’s criteria and makes a ‘decision’ about whether to provide cover and, at times, how much that might cost. If there is no human decision-maker involved in generating the decision based on such a questionnaire, this is a form of ‘automated decision-making’. 

10.2 We will not use automatic decision making without: 

• a) either your explicit consent; 
• b) it being necessary for entering into, or performance of, a contract between yourself and a data controller (such as ourselves or an insurance company whom we are supporting) or 
• c) your being told by a data controller that a decision has been taken solely on automated processing. 

10.3 If you are not happy with the result of an automated decision, you can request human intervention, express your own views, and/or contest the automated decision by writing to:  

DPO@charlestaylor.com (please type ‘Automated Decision Making’ in the email subject line). 

11. Your rights 

11.1 You have certain rights under many data protection laws around the world to receive written information about the personal information that we hold about you: 

11.2 You may exercise any of the rights described above by contacting our Data Protection Officer using the details set out below. 

11.3 We will respond to your request within one month and will usually be able to fulfil your request within that time unless your request is complicated. If it is complicated, we may need to extend the deadline for responding to you to three months in total from the date of your initial request. In that case, we will let you know when you should expect our response. Generally, there is no fee for making these requests. 

11.4 You should keep in mind that, depending on the right you want to exercise, and the type of personal data involved, there may be legal reasons why we cannot meet your request. 

12. What Security measures we take 

12.1 We take information security seriously. We have implemented appropriate safeguards and technical measures to protect the security, confidentiality and integrity of the personal information we collect and maintain. Please see our Privacy Policy for more details.  

13. How do I contact the Data Protection Officer? 

13.1 We are committed to processing all personal data fairly, lawfully, and transparently. To make things simpler, Charles Taylor has nominated one data controller, Charles Taylor Limited, to handle all requests or queries you might have about our processing of your personal data. 

13.2 We have appointed a Data Protection Officer (“DPO”) to oversee compliance with data protection law.  

13.3 If you have any questions about this Notice, please contact our DPO. 

Their contact details are:   

2 Minster Court Mincing Lane, London EC3R 7BB

dpo@charlestaylor.com 

13.4 We also have a European Representative who will act on our behalf in relation to data protection compliance matters, including dealing with supervisory authorities and data subjects in the European Union. Our European Representative will work closely with our Data Protection Officer, their contact details are: 

CEGA GSL SPAIN SLU 
Calle Joan Maregall 36, Loc B 
07006 Palma de Mallorca 
Islas Baleares 
Spain 

DPOSpain@cegagroup.com 

14. Your right to complain to our supervisory authority 

14.1 We work conscientiously to handle your personal data responsibly. If you are unhappy with the way we are doing this, please contact our DPO, who will try to address your concerns. 

14.2 You have a right to complain to the UK’s data protection supervisory authority: 

The Information Commissioner 
Information Commissioner’s Office 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire 
SK9 5AF 

14.3 If you are a European resident you have the right to complain to the Spanish Data Protection Agency: 

Agencia Española de Protección de Datos 
C/ Jorge Juan, 6,  
28001, Madrid,  
Spain 

14.4 We may update this Fair Processing Notice from time to time and will post changes by updating it together with the effective date on this page. We encourage you to review this website and our Fair Processing Notice periodically to understand how we process your personal information. 

14.5 This Fair Processing Notice comes into effect on 1st July 2023 replacing our previous Notice. Once effective, the revised Notice will apply to you and your personal information. 

14.6 Further details can be found in our Cookie Policy, Terms and Conditions and Privacy Policy.  

14.7 For those who work at Charles Taylor, the Charles Taylor Fair Processing Notice for Employees and our Privacy Policy Notice are accessible online via our intranet. Our Candidate Fair Processing Notice is also available on this website. 

Our other data protection policies are available upon request. 

Last updated: June 2023 

This site and all content are copyright © Charles Taylor Ltd 

All rights reserved.