Privacy policy of Claims Settlement Agencies Ltd (CSA)

Important Notice

This is the privacy notice of Claims Settlement Agencies Limited (registration number: 02558156) whose registered office is at 12 Helmet Row, London EC1V 3QJ United Kingdom referred to as we, us or our in this privacy notice.

This privacy notice sets out how we collect and process your personal data. This privacy notice also provides certain information that is legally required and lists your rights in relation to your personal data.

This privacy notice relates to personal information that identifies you as a natural person (whether you are an actual or potential customer, an individual who browses our website or an individual outside our organisation with whom we interact). We refer to this information throughout this privacy notice as personal data or personal information and further detail of what this includes are set out in this privacy notice below.

The privacy and security of your personal information is very important to us so we want to assure you that your information will be properly managed and protected by us at all times.  Please read this privacy notice carefully as it explains how we may collect and use your personal data.

This privacy notice may vary from time to time so please check it regularly.  This privacy notice was last updated in May 2018.

Scope of our privacy notice

This privacy notice applies to anyone who interacts with us about our policies and services (‘you’, ‘your’), in any way (for example, by email, through our website and by phone). We will give you further privacy information if necessary for specific contact methods or in relation to specific products or services.

This privacy notice applies to you if you ask us about, buy or use our policies and services. It describes how we handle your information, regardless of the way you contact us (for example, by email, through our website, by phone and so on). We will provide you with further information or notices if necessary, depending on the way we interact with each other.

If you have any questions about this, please contact us at info@csal.co.uk

How we collect personal information

We collect personal information from you and from third parties (anyone acting on your behalf, for example, Insurance Brokers, Insurance Intermediaries, Insurance Companies, Medical Emergency Assistance Companies, Travel Companies, Tour Operators and so on). Please see below for more information.

Where you provide us with information about other people, you must make sure that they have seen a copy of this privacy notice and are comfortable with you giving us their information.

We collect personal information from you:
  • through your contact with us, including by phone (we may record or monitor phone calls to make sure we are keeping to legal rules, codes of practice and internal policies, and for quality assurance purposes), by email, through our websites, by post, by filling in claims or other forms.
  • We also collect information from other people and organisations.
For all our clients, we may collect information from:
  • your parent or guardian, if you are under 18 years old;
  • a family member, or someone else acting on your behalf;
  • doctors, other clinicians and health-care professionals, hospitals, clinics and other health- care providers (including those based outside the UK);
  • any service providers who work with us in relation to your policy or service;
  • fraud-detection and credit-reference agencies; and
  • sources which are available to the public, such as the edited electoral register or social media.
For all insurance based services, we may collect information from:
  • the main member, if you are a dependent under a family insurance policy;
  • your employer, if you are covered by an insurance policy your employer has taken out;
  • brokers and other agents; and
  • other third parties we work with, such as agents working on our behalf, insurers and reinsurers, actuaries, auditors, solicitors, translators and interpreters, tax advisers, debt- collection agencies, credit-reference agencies, fraud-detection agencies (including health- insurance counter-fraud groups), regulators, data-protection supervisory authorities, health- care professionals, other health-care providers and medical-assistance providers.

Categories of personal information

We process two categories of personal information about you and (where this applies) your dependents:
  • standard personal information (for example, information we use to contact you, identify you or manage our relationship with you); and
  • special categories of information (for example, health information, information about your race, ethnic origin and religion and information about crime in connection with checks against fraud or anti-money-laundering registers).

For more information about these categories of information, see below.

Standard personal information includes:

contact information, such as your name, address, email address and phone numbers;

  • the country you live in, your age, your date of birth;
  • information about your employment;
  • details of any contact we have had with you, such as any complaints or incidents;
  • financial details, such as details about your payments and your bank details;
  • the results of any credit or any anti-fraud checks we have made on you;
  • information about how you use our products and services, such as insurance claims; and
  • information about how you use our website, other technology, including IP addresses or other device information (please see our Website Policy for more details).
Special category information includes:
  • information about your physical or mental health, (we may get this information from application forms you have filled in, from notes and reports about your health and any treatment and care you have received or need, or it may be recorded in details of contact we have had with you such as information about complaints or incidents, quotes and records of medical services you have received);
  • information about your race, ethnic origin and religion; and
  • information about any criminal convictions and offences (we may get this information when carrying out anti-fraud or anti-money-laundering checks, or other background screening activity.

What we use your personal information for

We process your personal information for the purposes set out in this privacy notice. We have also set out some legal reasons why we may process your personal information (these depend on what category of personal information we are processing). We normally process standard personal information if this is necessary to provide the services set out in a contract, it is in our or a third party’s legitimate interests or it is required or allowed by any law that applies. Please see below for more information about this and the reasons why we may need to process special category information.

By law, we must have a lawful reason for processing your personal information. We process standard personal information about you if this is:
  • necessary to provide the services set out in a contract – if we have a contract with you, we will process your personal information in order to fulfil that contract (that is, to provide you and your dependents with our policies and services);
  • in our or a third party’s legitimate interests – details of those legitimate interests are set out in more detail below;
  • required or allowed by
We process special category information about you because:
  • it is necessary for an insurance purpose (for example, advising on, arranging, providing or managing an insurance contract, dealing with a claim made under an insurance contract, or relating to rights and responsibilities arising in connection with an insurance contract or law);
  • it is necessary to establish, make or defend legal claims;
  • it is necessary for the purposes of preventing or detecting an unlawful act in circumstances where we must carry out checks without your permission so as not to affect the outcome of those checks (for example, anti-fraud and anti-money-laundering checks or to check other unlawful behaviour, or carry out investigations with other insurers and third parties for the purpose of detecting fraud);
  • it is necessary for a purpose designed to protect the public against dishonesty, malpractice or other seriously improper behaviour (for example, investigations in response to a safeguarding concern, individual’s complaint or a regulator telling us about an issue);
  • it is in the public interest, in line with any laws that apply;
  • it is information that you have made public; or
  • we have your permission.

As is best practice, we will only ask you for permission to process your personal information if there is no other legal reason to process it. If we need to ask for your permission, we will make it clear that this is what we are asking for, and ask you to confirm your choice to give us that permission. If we cannot provide a product or service without your permission (for example, we can’t manage and run a health trust without health information), we will make this clear when we ask for your permission. If you later withdraw your permission, we will no longer be able to provide you with a product or service that relies on having your permission.

Legitimate Interest

We process your personal information for a number of legitimate interests, including managing all aspects of our relationship with you, to help us improve our services and policies, and in order to exercise our rights or handle claims. More detailed information about our legitimate interests is set out below.

Legitimate interest is one of the legal reasons why we may process your personal information. Taking into account your interests, rights and freedoms, legitimate interests which allow us to process your personal information include:

  • to manage our relationship with you, our business and third parties who provide products or services for us (for example, to check that you have received a service that you’re covered for, to validate invoices and so on);
  • to make sure that claims are handled efficiently and to investigate complaints (for example, we may ask your treatment provider for information to make sure we receive accurate information and to monitor the quality of your treatment and care);
  • to keep our records up to date and to provide you with marketing as allowed by law;
  • to develop and carry out marketing activities (we combine information you give us with information we receive about you from third parties to help us understand you better);
  • for statistical research and analysis so that we can monitor and improve products, services, websites or develop new ones;
  • to enforce or apply our website terms of use, our policy terms and conditions or other contracts, or to protect our (or our customers’ or other people’s) rights, property or safety;

to exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with.

Marketing and preferences

We may use your personal information to send you marketing by post, by phone, through social media, by email and by text.

We can only use your personal information to send you marketing material if we have your permission or a legitimate interest as described above.

If the sole service we provide is in relation to processing a claim, then the right for CSA to use your personal information to send you marketing information will not apply.

Sharing your information

We share your information within the CSA Group, with relevant policyholders (including your employer if you are covered under a group scheme), with funders arranging services on your behalf, with people acting on your behalf (for example, brokers and other agents) and with others who help us provide services to you (for example, health-care providers and medical- assistance providers) or who we need information from to allow us to handle or confirm claims or entitlements (for example, professional associations). We also share your information in line with the law. For more information about who we share your information with, please see below.

We sometimes need to share your information with other people or organisations for the purposes set out in this privacy notice.

For all our clients, we share your information with:
  • other members of the CSA Group of companies;
  • other organisations you belong to, or are professionally associated with, in order to confirm your entitlement to claim discounts on our products and services;
  • doctors, clinicians and other health-care professionals, hospitals, clinics and other health- care providers;
  • suppliers who help deliver products or services on our behalf;
  • people or organisations we have to, or are allowed to, share your personal information with by law (for example, for fraud-prevention or safeguarding purposes;
  • the police and other law-enforcement agencies to help them perform their duties, or with others if we have to do this by law or under a court order;
  • if we (or any member of the group) sell or buy any business or assets, the potential buyer or seller of that business or those assets; and

If we share your personal information, we will make sure appropriate protection is in place to protect your personal information in line with data-protection laws.

Anonymised and combined information

We may use anonymised information (with all names and other identifying information removed) or information that is combined with other people’s information, or reveal it to others, for research or statistical purposes. You cannot be identified from this information and we will only share the information in line with legal agreements which set out an agreed, limited purpose and prevent the information being used for commercial gain.

Transferring information outside the European Economic Area (EEA)

We deal with many international organisations and use global information systems. As a result, we transfer your personal information to countries outside the EEA (the EU member states plus Norway, Liechtenstein and Iceland) for the purposes set out in this privacy notice. Not all countries outside the EEA have data-protection laws that are similar to those in the EEA and if so, the European Commission may not consider those countries as providing an adequate level of data protection.

We take steps to make sure that, when we transfer your personal information to another country, appropriate protection is in place, in line with data-protection laws. Often, this protection is set out under a contract with the organisation who receives that information. For more information about this protection, please contact us at info@csal.co.uk

How long we keep your personal information

We keep your personal information in line with set periods calculated using the following criteria.

  • How long you have been a client with us, the types of products or services you have with us, and when you will stop being our client
  • How long it is reasonable to keep records to show we have met the obligations we have to you and by law
  • Any time limits for making a claim
  • Any periods for keeping information which are set by law or recommended by regulators, professional bodies or associations
  • Any relevant proceedings that apply

If you would like more information about how long we will keep your information for, please contact us at info@csal.co.uk

Your Rights

You have the right to access your information and to ask us to correct any mistakes and delete and restrict the use of your information. You also have the right to object to us using your information, to ask us to transfer information you have provided, to withdraw permission you have given us to use your information and to ask us not to use automated decision-making which will affect you. For more information, see below.

You have the following rights (certain exceptions apply).
  • Right of access: the right to make a written request for details of your personal information and a copy of that personal information
  • Right to rectification: the right to have inaccurate information about you corrected or removed
  • Right to erasure (‘right to be forgotten’): the right to have certain personal information about you erased
  • Right to restriction of processing: the right to request that your personal information is only used for restricted purposes
  • Right to object: the right to object to processing of your personal information in cases where our processing is based on the performance of a task carried out in the public interest or we have let you know the processing is necessary for our or a third party’s legitimate interests. You can object to our use of your information for profiling purposes where it is in relation to direct marketing
  • Right to data portability: the right to ask for the personal information you have made available to us to be transferred to you or a third party in machine-readable formats
  • Right to withdraw consent: the right to withdraw any consent you have previously given us to handle your personal information. If you withdraw your consent, this will not affect the lawfulness of Bupa’s use of your personal information prior to the withdrawal of your consent and we will let you know if we will no longer be able to provide you your chosen product or service
  • Right in relation to automated decisions: you have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you, unless it is necessary for entering into a contract with you, it is authorised by law or you have given your explicit consent. We will let you know when such decisions are made, the lawful grounds we rely on and the rights you

Please note: Other than your right to object to the use of your data for direct marketing (and profiling to the extent used for the purposes of direct marketing), your rights are not absolute: they do not always apply in all cases and we will let you know in our correspondence with you how we will be able to comply with your request.

If you make a request, we will ask you to confirm your identity if we need to, and to provide information that helps us to understand your request better. If we do not meet your request, we will explain why.

In order to exercise your rights please contact info@csal.co.uk

Accessing our website and cookies

When you visit one of our websites we may collect information from you, such as your email address, IP address and other online identifiers. This helps us to track unique visits and monitor patterns of customer website traffic, such as who visits and why they visit. We use third parties to collate IP addresses to help us understand our Internet traffic data and data regarding your browser type and computer. We may also use web usage information to create statistical data regarding the use of our website.  We may then use or disclose that statistical data to others for marketing and strategic development purposes, but no individuals will be identified in such statistical data.

We may use cookies and/or pixel tags on some pages of our website.  A cookie is a small text file sent to your computer. A pixel tag is an invisible tag placed on certain pages of our website, but not on your computer. Pixel tags usually work together with cookies to help us to give you a more tailored service. We also use cookies and pixel tags in our email communication to personalise the email and track whether the email has been opened and whether the recipient has used any website links contained in the email communication. This allows us to monitor and improve our email communications and website. Useful information about cookies, including how to remove them, can be found at http://allaboutcookies.org.

Internet browsers normally accept cookies by default, although it’s possible to set a browser to reject cookies. We’ll ask your permission before using any cookie that’s not essential to the email or the use of the website. However, refusing to accept cookies may restrict your use of our website and/or delay or affect the way in which our website operates. You can find more information on cookies when you visit our website.

The open nature of the internet is such that data may flow over networks without security measures and may be accessed and used by people other than those for whom the data is intended. While this is outside of our control, we do take the protection of your information very seriously and aim to apply appropriate levels of security at all times.

Contact us

For the purposes of relevant data protection legislation, we are a controller of your personal data.  As a controller we use (or process) the personal data we hold about you in accordance with this privacy notice.

If you have any questions, comments, complaints or suggestions in relation to this notice, or any other concerns about the way in which we process information about you, please contact our Data Controller at info@csal.co.uk