Privacy & Data Protection Policy

Howden Group Holdings Limited and Howden Group Services Limited UK Privacy Notice

Howden Group Holdings Limited (“Howden Group”) is a holding company of insurance intermediaries, which needs to process and share information, including personal data, with certain third parties. Howden Group Services Limited (“HGS”) is wholly owned by Howden Group and provides services to the Howden Group of companies within the UK.

If you are a prospective, current or ex client or customer of any of the Howden Group insurance intermediaries, their fair processing notices can be found at:

If you are a grantee, beneficiary, supplier or other representative of the Howden Foundation, their fair processing notice can be found here:

Howden Foundation

If you are a job applicant, or a current or ex-employee or contingent worker of HGS in the UK, a copy of the relevant fair processing notice is available from Human Resources or can be viewed here.

This notice explains how Howden Group and HGS process the personal data of Howden Group Shareholders and visitors to our UK business premises. This notice may be updated from time to time.

In this notice:

We, us or our refers to Howden Group and/or HGS (as applicable); and
You and your, refers to the individual whose personal data may be/is being processed.

There may be other terms, which are defined in the Glossary.

This notice sets out the following:

SECTION 1: THE DATA WE MAY COLLECT ABOUT YOU (YOUR PERSONAL DATA)

We may need to collect and process personal data about you to:

meet our legal and regulatory requirements relating to the running of our business;
meet our legal obligations concerning our Shareholders; and
ensure appropriate security and meet our health and safety obligations when you visit our UK offices.

The types of personal data that are processed may include:

Types of personal data	Details
Shareholders
Individual details	Name, address (including proof of address), other contact details (e.g. email and telephone numbers), date of birth, employer, gender, office location, and Group business segment and division.
Identification details	Identification numbers issued by government bodies or agencies, including your national insurance number, passport number, tax identification number and driving licence number.
Financial information	Bank account or other financial information
Share information	Number, class and value of shares, and dividend, shareholder resolution voting and transaction history.
Visitors to UK offices
Individual details	Name, address, contact details (e.g. email and telephone numbers), employer, job title.
Identification details	CCTV images.

SECTION 2: WHERE WE MIGHT COLLECT YOUR PERSONAL DATA FROM

We might collect your personal data from various sources, including:

Shareholders

you;
government agencies, such as Companies House and HMRC;
within the Howden Group; or
third party professional advisors to our global businesses.
Which of the above sources apply will depend on your particular circumstances.

Visitors

you;
your company representative; or
within the Howden Group.

Which of the above sources apply will depend on your particular circumstances.

SECTION 3: IDENTITIES OF DATA CONTROLLERS AND DATA PROTECTION CONTACTS

Shareholders

Howden Group Holdings Limited (“Howden Group”) will be the data controller. You should contact the Howden Group data protection contact.

Visitors

Howden Group Services Ltd (“HGS”) will be the data controller. You should contact the HGS data protection contact.

We have provided the data protection contact details for the Howden Group in the UK in Appendix 3.

SECTION 4: THE PURPOSES, CATEGORIES, LEGAL GROUNDS AND RECIPIENTS, OF OUR PROCESSING OF YOUR PERSONAL DATA

Shareholders

The purposes for which we may process your personal data are:

Shareholder communications
Share transfers, allotments and other share-related matters including dividends, shareholder votes and operation of an internal market
Share register management and reconciliations
Shareholder analysis, internal and external reporting, and KYC
Shareholder covenant restrictions including post-employment obligations.

Visitors

The purposes for which we may process your personal data are:

Building security
Meet our legal obligations, e.g. health and safety and HMRC reporting
Facilitate networking opportunities with visiting overseas visitors from within the Howden Group.

Please Note: If we have previously advised that we are relying on consent as the basis of our processing activities, going forward we will not be relying on that legal basis save where otherwise explicitly stated.

Please Note: Please be aware, if you choose not to provide your personal data, we may be unable to provide shareholder services, or provide you with access to our premises.

Appendix 1 sets out the purposes, categories, legal grounds and recipients of our processing of your personal data. (The legal grounds are set out in the GDPR.)

SECTION 5: PROFILING AND AUTOMATIC DECISION MAKING

No profiling or automated decision making is used concerning Shareholders and Visitors.

Please note. You have certain rights in respect of automated decision making, where that decision has significant effects on you, including where it produces a legal effect on you. See Section 8 for more information about your rights.

SECTION 6: RETENTION OF YOUR PERSONAL DATA

We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Policy. In some circumstances we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements.

In specific circumstances we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.

We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.

SECTION 7: SHARING YOUR DATA AND INTERNATIONAL TRANSFERS

Shareholders

We may share data with third parties to help manage our business and improve how we deliver services. These third parties may, from time to time, need to have access to your personal data. These third parties may include:

Group employee benefit trust/trustee;
Group share registrar;
Group entity management system suppliers;
Service Providers, who help manage our IT and back office systems and Shareholder processes including offshore support services;
Group Shareholder Portal hosts and support services;
Our regulators, which may include the FCA and ICO, as well as other regulators and law enforcement agencies around the world;
Financial institutions, such as banks and including credit reference agencies and organisations working to prevent fraud in financial services; and
Solicitors and other professional services firms (including our auditors), who may also be legal representatives for you, us or a third party.

We may be under legal or regulatory obligations to share your personal data with courts, regulators or law enforcement agencies. Also, if we were to sell part of our businesses we would need to transfer your personal data to the purchaser of such businesses.

Visitors

We may share your data with HMRC as part of our regulatory reporting obligations.

We may also share your data with the police, in the event of a security incident where CCTV recordings need to be examined and to solicitors and other third parties involved in any investigation or prosecution arising from the incident.

We may share the data of overseas visitors from within the Howden Group with other Howden Group companies.

International Transfers

We may transfer data to our Service Providers and Howden Group companies, including those that are located outside the EEA. We may also make other disclosures of your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests. These transfers would always be made in compliance with the GDPR. If you would like further details, please contact the Howden Group data protection contact. We have provided our data protection contact details in Appendix 3.

SECTION 8: YOUR RIGHTS AND CONTACT DETAILS OF THE ICO

You have a number of rights in relation to your personal data.

You may request access to your data, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability and various information in relation to any automated decision making or the basis for international transfers. You may also exercise a right to complain to your Supervisory Authority. These are set out in more detail as follows:

Your right	What this means
Access	You can ask us to: confirm whether we are processing your personal data; give you a copy of that data; provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out any Automated Decision Making or Profiling, to the extent that information has not already been provided to you in this Policy.
Rectification	You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
Erasure	You can ask us to erase your personal data, but only where: it is no longer needed for the purposes for which it was collected; or you have withdrawn your consent (where the data processing was based on consent); or following a successful right to object (see 'Objection' below); or it has been processed unlawfully; or to comply with a legal obligation to which we are subject. We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary: for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims; There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances where we would deny that request.
Restriction	You can ask us to restrict (i.e. keep but not use) your personal data, but only where: its accuracy is contested (see Rectification), to allow us to verify its accuracy; or the processing is unlawful, but you do not want it erased; or it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or you have exercised the right to object, and verification of overriding grounds is pending. We can continue to use your personal data following a request for restriction, where: we have your consent; or to establish, exercise or defend legal claims; or to protect the rights of another natural or legal person.
Portability	You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another Data Controller, but in each case only where: the processing is based on your consent or the performance of a contract with you; and the processing is carried out by automated means.
Objection	You can object to any processing of your personal data which has our 'legitimate interests' as its legal basis (see Appendix 2 for further details), if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
Automated Decision Making	You can ask not to be subject to a decision which is based solely on automated processing (see Section 5, but only where that decision: produces legal effects concerning you (such as the rejection of a claim); or otherwise significantly affects you. In such situations, you can obtain human intervention in the decision making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision. Your right to obtain human intervention or to contest a decision does not apply where the decision which is made following automated decision making: is necessary for entering into or performing a contract with you; is authorised by law and there are suitable safeguards for your rights and freedoms; or is based on your explicit consent.
International Transfers	You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of the European Economic Area. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.
Supervisory Authority	You have a right to lodge a complaint with your local supervisory authority about our processing of your personal data. In the UK, the supervisory authority for data protection is the Information Commissioner’s Office (ICO). We do ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.

If you have any questions in relation to our use of your personal data, you should first contact the data protection contact of the relevant participant. We have provided our data protection contact details in Appendix 3.

Please note the following if you do wish to exercise these rights:

We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request.
We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.
We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
Local laws, including in the UK, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.
Third Party Rights. We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects.

YOUR RIGHT TO COMPLAIN TO THE ICO

If you are not satisfied with our use of your personal data or our response to any request by you to exercise any of your rights in SECTION 10, or if you think that we have breached the GDPR/UK data protection laws, then you have the right to complain to the ICO. Please see below for contact details of the ICO:

	Address	Phone	Email
England	Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF	0303 123 1113 (local rate) or 01625 545 745 (national rate)	casework@ico.org.uk
Scotland	Information Commissioner's Office, 45 Melville Street, Edinburgh, EH3 7HL	0131 244 9001	scotland@ico.org.uk
Wales	Information Commissioner's Office, 2nd floor Churchill House, Churchill Way, Cardiff, CF10 2HH	029 2067 8400	wales@ico.org.uk
Northern Ireland	Information Commissioner's Office, 3rd Floor 14 Cromac Place, Belfast, BT7 2JB	0303 123 1114 (local rate) or 028 9027 8757 (national rate)	ni@ico.org.uk

SECTION 9: GLOSSARY

Key definitions:

Howden Group means Howden Group Holdings Limited (“Howden Group”) and any other company which is for the time being a subsidiary or holding company of Howden Group and any subsidiary of any such holding company and for the purposes of this contract, the terms “subsidiary” and “holding company” shall have the meanings ascribed to them by section 1159 Companies Act 2006 or any statutory re-enactment of those provisions.

Insurance Intermediaries help policyholders and insurers arrange insurance cover. They may offer advice and handle claims. Many insurance and reinsurance policies are obtained through intermediaries.

Solicitors – we may use solicitors to provide legal advice on complex or contentious matters.

Key data protection terms:

Automated decision making refers to a decision which is taken solely on the basis of automated processing of your personal data - this means processing using, for example, software code or an algorithm, which does not involve any human intervention.

Data controller means a natural or legal person, which determines the means and purposes of processing of personal data.

GDPR is the EU General Data Protection Regulation and the new UK Data Protection Act, which replaces the UK Data Protection Act 1998 from 25 May 2018.

ICO means the Information Commissioner's Office regulates the processing of personal data by all organisations within the UK.

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Process / Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Service Providers: these are a range of third parties to whom we outsource certain functions of our business, certain of which may be Howden Group companies and certain of which may be independent third parties.

Special categories of personal data means personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

APPENDIX 1: THE PURPOSES, CATEGORIES, LEGAL GROUNDS AND RECIPIENTS, OF OUR PROCESSING OF YOUR PERSONAL DATA

Purpose	Categories of data	Legal grounds	Disclosures
Shareholders
Shareholder communications	Individual details Identification details Financial information Share information	Legal obligation Legitimate interests	Solicitors
Share transfers, allotments and other share-related matters including dividends, shareholder votes and operation of an internal market	Individual details Identification details Financial information Share information	Legal obligation Legitimate interests	HMRC, Companies House, employee benefit trust, offshore services provider, shareholder portal provider and share registrar.
Share register management and reconciliations	Individual details Identification details Financial information Share information	Legal obligation Legitimate interests	Share Registrar, shareholder portal provider and offshore services provider.
Shareholder analysis, internal and external reporting, and KYC	Individual details Identification details Financial information Share information	Legal obligation Legitimate interests	HMRC, Companies House, FCA, ICO, offshore services provider, shareholder portal provider and other regulators, financial institutions, solicitors and other professional firms.
Shareholder covenant restrictions including post-employment obligations	Individual details	Performance of a contract Legitimate interests	Solicitors
Visitors
Building security	Individual details Identification details	Legitimate interests	Police, solicitors, other third parties involved in any investigation or prosecution
Meet our legal obligations, e.g. health and safety and HMRC reporting	Individual details	Legal obligation	HMRC
Facilitate networking opportunities with visiting overseas visitors from within the Howden Group and its subsidiaries	Individual details	Legitimate interests	Other Howden Group companies

Appendix 2: LIST OF LEGAL GROUNDS WE RELY UPON

Legal ground	Details
For processing personal data
Performance of our contract with you	Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.
Compliance with a legal obligation	Processing is necessary for compliance with a legal obligation to which we are subject.
Protection of vital interests of you or another person	Processing is necessary in order to protect the vital interests of you or of another natural person.
In the public interest	Processing is necessary for the performance of a task carried out in the public interest.
For our legitimate business interests	Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where you are a child. These legitimate interests are set out next to each purpose.
For processing special categories of personal data
In the substantial public interest	Processing is necessary for reasons of substantial public interest, on the basis of EU or UK law. This includes for ‘insurance purposes’.
Protection of vital interests of you or another person, where you are unable to consent	Processing is necessary to protect the vital interests of you or of another natural person where you are physically or legally incapable of giving consent.
For legal claims	Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
For health services	Processing is necessary for the purposes of preventive or occupational medicine, for medical diagnosis, the provision of health or social care or treatment on the basis of EU or UK law or pursuant to contract with a health professional that is under legal or professional obligations of secrecy.
Your explicit consent (optional)	You have given your explicit consent to the processing of those personal data for one or more specified purposes. You are free to withdraw your consent, by contacting our data protection contact – see Appendix 3.
Your explicit consent (necessary)	You have given your explicit consent to the processing of those personal data for one or more specified purposes, where we are unable to procure, provide or administer insurance cover without this consent. You are free to withdraw your consent by contacting our data protection contact – see Appendix 3. However withdrawal of this consent will impact our ability to provide insurance or pay claims. For more detail see section 5.

Appendix 3: DATA PROTECTION CONTACT

Our data protection contacts in the UK are:

	Email	Address
Howden Group Holdings Limited and Howden Group Services Limited	dpo@howdengrp.com	Andy Searle Howden Group Services Limited, 1 Creechurch Place, London, EC3A 5AF
Howden Insurance Brokers Limited	dpo@howdengroup.com	Andrew Hall Howden Insurance Brokers Limited, 1 Creechurch Place, London, EC3A 5AF
DUAL Corporate Risks Limited	dpo@dualgroup.com	Kimberley Miles DUAL Corporate Risks Limited, 1 Creechurch Place, London, EC3A 5AF