
Aston Lark Employee Benefits Privacy Notice

1.     Introduction

This privacy notice tells you what you can expect Aston Lark Employee Benefits Limited (“Aston Lark”, “we”, “us”, “our”) to do with personal information we hold on you, what kinds of information we hold, how we receive it and who we receive it from. It also explains who else we may share your information with, and gives you details about your data rights and how you may use them.

This privacy notice is updated from time to time, to reflect any changes in how we use and handle personal information. If we make any significant changes, we will let you know directly.

This version of the privacy notice was published on 1 October 2023. It contains updates to better inform you how we collect and use personal data, as well as to let you know about changes to the names that both we and our wider group of companies are known by.               

2.     Definitions

To be clear on what we mean in this privacy notice:

  • “personal data” is any information that can be used to identify a living individual;
  • “sensitive personal data” is personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, health data, sex life or sexual orientation;
  • “data controller” means an organisation that decides how and why to collect personal data;
  • “the Howden Group” is Howden Group Holdings Limited and any company or organisation in which Howden Group Holdings Limited holds significant share capital. You can find out more information about the other companies in the Howden Group by visiting www.com;
  • “Howden UK & Ireland” refers to a group of UK and Ireland companies within the Howden Group that provide non-specialty insurance (for example household or professional insurance), employee benefits & wellbeing, and mortgage broking services. This includes Aston Lark, and you can find a list detailing all the companies in this group by visiting here; and
  • “third-party” is someone who isn’t you, us, or a company in the Howden Group.

3.     Who does this Privacy Notice relate to?

This privacy notice relates to the following types of individuals, where we hold your personal information:

  • Individuals who are prospective, current or former clients, including their representatives, for example those with power of attorney;
  • Other individuals named on policies, joint policy holders, beneficiaries or dependents;
  • Employees of our corporate clients who we liaise with, or who are covered under a policy;
  • Members of a trade or professional association that we partner with;
  • Visitors to our websites;
  • Individuals who contact us with a query, concern or complaint;
  • Individuals who we contact for marketing purposes; and
  • Third parties who make a claim against, or are subject to a claim from, one of our policyholders in relation to an insured event.

There are other types of individuals who this privacy notice does not relate to, for example our employees and sub-contractors (including prospective and former employees and sub-contractors), employees of our current, former or prospective business partners and service suppliers, and members of the press. If you are one of these individuals and would like further information on how we collect, use and store your data, please contact us using the details below.

4.     A bit about us

In the UK we trade under a number of trading names, and where we do this we hold the appropriate approvals and permissions from the relevant authorities to do so. You can view a full list of all our current trading names at any time on the Financial Services Register which can be accessed by visiting https://register.fca.org.uk.

If you have any questions about this privacy notice or how we use your information you can email us at compliance@astonlark.com, or alternatively please feel free to contact your usual advisor directly in the event that you are an existing client. We have also appointed a Data Protection Officer (DPO) who can be contacted in the following ways:

By e-mail: dpo@howden-insurance.co.uk

By post: FAO The Data Protection Officer, Aston Lark, Ageas House, The Square, Gloucester Business Park, Brockworth, Gloucester, GL3 4ZP, UK.

5.     The lawful ways we use personal data

We use personal data for the following lawful reasons:

  • To enter into or perform a contract: for example, to provide you (as applicable) with an insurance quotation, to start, change or cancel a product or service we offer you, to manage any claims which arise, to answer any queries you may have, action your requests or perform any debt recovery;
  • To comply with a legal obligation: for example the rules set by our regulator the Financial Conduct Authority (FCA), to fulfil your data rights under data protection laws, handle complaints about data protection or our products and services, and to comply with other legal requirements;
  • For our legitimate business interests: for example, to administer and deliver our products and services where your employer is our client, to detect and prevent fraud, money laundering and other financial crimes, to monitor and improve our business, to demonstrate compliance with applicable laws and regulations, handle legal claims, to respond to other types of complaint not previously mentioned, and to undertake some marketing activities. Where we rely on this lawful reason, we assess our business needs to ensure they are proportionate and do not affect your rights. In some instances, you also have the right to object to this kind of use. Further information on this right is provided under Section 15;
  • With your consent: for example, when you ask us to provide you with information or permit us to contact you for marketing purposes. You can withdraw your consent at any time (to the extent we are relying on it) by using the contact details set out under Section 4; and
  • To protect vital interests: in extreme or unusual circumstances, we may need to use your information to protect your life or the lives of others.

6.     When we collect your personal data

We collect personal data from you if or when: 

  • You request a quotation from us, either directly or via a third-party when they have permission to share your information with us;
  • You purchase, change or cancel a policy taken out through us;
  • You notify us of a claim;
  • You contact us to request information or to make a complaint;
  • You visit our website and submit a query, or if our website deploys cookies onto your device (further information on what cookies we deploy and why can be found by accessing the cookie policy which is available on our website);
  • You take part in a competition, prize draw or survey that we administer;
  • You visit one of our stands, for example at a show or trade fair, and give us your information; and
  • You have made your information publicly available, and we have a legitimate reason to review it.

We also collect personal data about you from other third-party sources where we have legal grounds to do so. These sources may include your employer, your partner or spouse, anti-fraud and crime-prevention agencies, credit reference and vetting agencies, and other data providers.

7.     What personal data do we collect?

Depending on your relationship with us, we may hold the following types of information about you:

  • Identity and contact data: for example, your name, gender, date of birth, postal address, job title, telephone number and e-mail address;
  • Policy information: for example, your policy number, details of your coverage, premiums due, relationship to the policyholder (if applicable) and previous claims history;
  • Payment and account data: for example, your bank account details, credit/debit card details where you are the payer of a premium, and information about your purchases with us, including any payment plans or arrears;
  • Location data: for example, your residential, work or IP address, the location of an insured item or property, and in the event of a claim, where the incident occurred;
  • Correspondence data: for example, copies of letters and e-mails we send you or you send to us, and notes or call recordings of any telephone conversations;
  • Information we obtain from other sources: including credit agencies, antifraud and other financial crime prevention agencies, price comparison websites, and other data providers (who may provide us with demographic or internet-based data);
  • Complaint data: for example, what the complaint was, how we investigated it and how we resolved it, including any contact with relevant authorities or third-party adjudicator services;
  • Sensitive personal data: for example health-related data, your race and ethnicity, your political views, or your religious beliefs, but only in restricted circumstances as explained under Section 8.

8.     The lawful ways we use sensitive personal data

We only use these types of data with your explicit consent, or to protect your vital interests, or when:

  • It is necessary to meet a legal, regulatory or contractual requirement arising from a contract of insurance;
  • It is necessary to prevent and detect crimes, including financial crimes such as fraud, money laundering and terrorist financing;
  • It is necessary to establish, exercise or defend a legal claim;
  • It is necessary to safeguard vulnerable clients; or
  • You have manifestly made this type of data public.

Whilst the above list is not exhaustive, it does outline the scenarios which apply more often to insurance-related matters. Exactly how we lawfully use your sensitive personal data will be determined first-and-foremost by what happens during the lifetime of your policy (if applicable).

9.     Who we share your personal data with

Below are the categories of third parties that we may share your personal data with, but only where we have a legitimate reason to do so:

  • Other companies, similar to us, who are in the Howden Group;
  • Business partners, brokers, intermediaries, suppliers and agents involved in delivering products and services to you;
  • Price comparison websites and other similar companies who offer ways to research and apply for financial products and services;
  • Credit reference, credit scoring and fraud prevention agencies;
  • Debt collection agencies;
  • Law enforcement, government bodies, regulatory organisations, courts and public authorities;
  • Our panel of insurers and insurance brokers;
  • Media agencies and other marketing organisations that we advertise with or conduct marketing activities through;
  • A third party where disclosure is required to comply with legal or regulatory requirements;
  • Personal representatives appointed by you to act on your behalf, or those appointed to represent a third-party claimant;
  • Your employer where applicable, for example in circumstances where we are required to confirm details of any policy exclusion communicated to us by an insurance or benefits provider; and
  • Potential purchasers of our business.

10. Sharing data within the Howden Group

As stated in Section 9, we may share personal data with other companies within the Howden Group in order to receive administrative support from those companies, such as the receipt of Compliance services, or to offer you products and services that may be available from another company in the Howden Group, but only if permitted under electronic marketing laws.

We will only share the minimum amount of personal data required to achieve these purposes, ensuring that we have a lawful basis to share personal data and that any processing undertaken on our behalf is governed by a data processing agreement. 

11. Transferring personal data internationally

We do not intend to transfer your personal data internationally, and generally would only do so if the recipient (for example a benefits provider) is based in a country that has been deemed “adequate” by the UK Secretary of State. This means that the receiving country is considered to have data protection laws and remedies that are of an equivalent standard to those found within the UK.

If we have a genuine and valid business need to transfer your personal data to a country which is not, at the time of the transfer, considered “adequate”, we will ensure that the recipient enters into a formal and enforceable legal agreement that reflects the standards required by the relevant data protection laws.

You have the right to ask us for more information about the safeguards we use when sending your personal data overseas, and can do so by using the contact details provided under Section 4.

12. Retaining and destroying personal data

We retain information about you to provide the services that you purchase from us and to meet a number of legal and regulatory requirements, as well as our own legitimate business interests. For the period we retain your information, it is held securely by us or by third-party service suppliers contracted to store it on our behalf.

Most client data is retained for a period of seven years from when the policy concerned expires. This is to ensure that we can assist our clients and insurers with any late claims, complaints or disputes that may arise, including those raised by third parties, for the time such cases are allowed under current laws.

There are isolated instances where we may need to retain your personal data for longer, for example if we are ordered by the police, a court of law or another authority to keep information relating to an official investigation. There are also times when we may keep your information for a shorter period, for example if we provide you with a quotation but you do not ultimately buy a policy.

You can request further information on these retention periods by using the contact details set out under Section 4.

13. Automated decision-making and profiling

We may use the information you provide to build a profile of you. For example if we have your permission to contact you for marketing purposes, we will use this information to help identify what products and services you may find useful or relevant. We do this to try and ensure that we do not waste your time by contacting you about services that you are unlikely to be interested in.

Much of your personal data will be processed by us using “automated means” (done by computer without significant intervention by human beings) and this may include some of the decisions we may make about you. As explained under Section 15, you have rights in relation to automated decision-making and profiling.

14. Your obligation to provide information to us

Where we collect information from you in relation to insurance, and your policy is subject to UK law, you are under a legal duty to give us information. The exact obligation which applies to you depends on what your insurance relates to:

Personal clients

If you are a personal client, in other words someone buying insurance which is wholly or largely unrelated to your profession, you are under a legal duty to answer all questions we ask fully and honestly, to the best of your knowledge. This is known as a “duty to take reasonable care not to make a misrepresentation”, and is a requirement of the UK Consumer Insurance (Disclosure & Representations) Act 2012.

Business & commercial clients

Business and commercial clients are under a similar duty, known as “fair presentation”. This means that, in addition to answering our questions fully and honestly, you must also make reasonable searches for and disclose any significant or material facts which are relevant to the insurance being arranged. This includes reasonable searches of information available to other interested parties, such as agents and other people or organisations covered by the insurance, and is a requirement of the UK Insurance Act 2015.

Consequences of providing incomplete or inaccurate information

Failing to comply with the relevant legal duty may lead to a higher premium being payable, special terms or a higher excess being imposed, or the policy being cancelled or voided.

15. Your data rights

Data protection law gives you rights relating to your personal data. This section gives you an overview of these rights and how they relate to the information you may have given to us. You can exercise any of your rights by contacting us using the details provided under Section 4 and telling us which right (or rights) you would like to exercise:

Access

You have a right to request a copy of the personal data that we hold on you, along with meaningful information on how it is used and who we share it with. However, there are some instances where we may not be able to provide you with some or all of the information we hold. For example, we may not be able to provide personal data where doing so could prejudice or impact the privacy of other individuals, the prevention or detection of crime, legal professional privilege, or negotiations we may be having with you. Where this is the case we will explain to you why when we respond to your request, unless the relevant laws or regulations prevent us from doing so.

Rectification

You have a right to ask us to correct inaccurate or incomplete personal data that we hold about you. We will either confirm to you that this has been done, or if there is a valid reason that this cannot be done, we will let you know why.

Erasure

You have the right to request that your personal data is erased where it was either collected unlawfully, or if we no longer need it for the purposes for which it was originally collected. We will either confirm to you that this has been done, or if we are unable to delete it due to a compelling overriding reason we will let you know why and also inform you how long we will hold it for.

Restrict processing

You can ask us to restrict the processing of your personal data in certain circumstances. If you do so, we will either confirm to you that this has been done, or if we are unable to restrict it, we will let you know why.

Object to direct marketing

You can always object to receiving direct marketing from us, including any profiling activities we undertake for direct marketing purposes. This right is absolute. You can do this by simply clicking on the unsubscribe link in any email you receive from us or alternatively getting in touch with us.

Object to automated decision-making

You can object to decisions made about you using your information and undertaken by purely automated means in certain circumstances. This includes profiling activities that feed into automated decisions made about you. This right applies so long as:

1. The activity is not necessary for performing or entering into a contract between you and us; or

2. You have not already consented to the activity.

If you object to an automated decision we make, we will either arrange for someone to assess the automated decision and confirm the outcome of this assessment to you, or alternatively contact you to explain why your right does not apply in the specific circumstance.

Object to our legitimate interests

Where we process your personal data to achieve a legitimate business interest, you have the right to challenge this. If you do so, we will either confirm to you that the processing has stopped, or explain why we believe our interest in the relevant activity outweighs your interest.

Object to statistical processing

You can object to us using your personal data for statistical purposes in some instances. If you do so, we will either confirm to you that the processing has stopped, or, if there is a valid reason for the processing to continue, we will inform you why.

Data portability

In certain circumstances, you have the right to request that your information be compiled into a common, machine readable format and either provided directly to you or sent by us to a third-party you nominate. If you request this, we will either act upon your instruction and confirm to you that we have done so, or if there is a valid reason that this cannot be done, we will tell you why.

Complaints

If you are unhappy with how we have used your personal data or if you believe we have failed to fulfil your data rights, you have the right to complain to us.

You can also raise concerns or complaints directly with the data protection supervisory authority in the event you are not satisfied with our response. In the UK, the supervisory authority is the Information Commissioner’s Office (ICO). You can find detailed information about their powers, your rights under UK law and the ICO’s contact details on their website: www.ico.org.uk.