
Privacy Notice

In this Notice, when we refer to “TMK”, “we, us, or our”, we mean the entities set out below in the section ‘Who are we?’

This Notice will explain to you how we collect, use, and share your personal data for the purpose of operating our business, websites, and managing our relationships with suppliers. It will also inform you of your rights relating to your personal data. If you are a job applicant who has provided your personal data to us for recruitment purposes, please click here for our Candidate Privacy Notice. If you are a former employee, contractor or other individual who previously worked under a contracting arrangement with us, please contact us at dpo@tokiomarinekiln.com to obtain a copy of our Privacy Notice for Employees and Contractors.

If you provide personal data about other persons to us, such as family, friends, or other associates, you must seek their consent.

Who are we?

We are part of the Tokio Marine Holdings, Inc. group of companies operating throughout the world.

This Notice covers:

Tokio Marine Kiln Group Limited and all its UK subsidiaries including:

  • Tokio Marine Kiln Insurance Services Limited
  • Tokio Marine Kiln Syndicates Limited
  • Tokio Marine Kiln Regional Underwriting Limited
  • Kiln Pension Guarantee Limited
  • Tokio Marine Underwriting Limited

Where your personal data is processed by other subsidiaries of Tokio Marine Kiln Group Limited or other entities in the Tokio Marine group, you should refer to the privacy notices of those companies.

TMK is a data controller in respect of personal data which we receive in connection with the services that we provide to our clients. This means that we are responsible for deciding how we can use your personal data.

What personal data do we collect?

Personal data is any information that relates to a living person and that identifies you either directly from that information or indirectly, by reference to other information that we have access to.

The personal data that we collect, and how we collect it, depends upon how you interact with us.

The personal data that we collect includes:

Individual Details

Name, address (and proof of address), other contact details (e.g., email and telephone numbers), gender, marital status, family details, date and place of birth, nationality, employer, job title and employment history, educational and technical qualifications, family details and their relationship to you, and your images/videos/photographs.

Identification information

Identification numbers issued by government bodies or agencies (e.g., depending on the country you are in, social security or national insurance number, passport number, identification number, tax number, driver's licence number).

Financial information

Payment card and bank account details, income, and other financial information.

Risk details

Information about you which we collect in order to assess the risk to be insured and provide a quote. This includes information relating to your health, criminal convictions, or other special categories of personal data. For certain types of policies, this includes telematics data.

Criminal records

Criminal convictions and related security measures.

Special categories of personal data

Health data including dietary, allergies and disability information when you visit our offices, sign up for or attend any of our events. Additionally, we may process current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g., smoking or consumption of alcohol), prescription information and medical history.

Other special categories of personal data may also be processed including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data and information concerning an individual's sex life or sexual orientation.

Policy information

Information about the quotes you receive and policies you take out.

Credit and anti-fraud data

Credit history and credit score, sanctions and criminal offences information received from various anti-fraud databases relating to you.

Previous and current claims

Information about previous and current claims, which may include information relating to your health, criminal convictions, or other special categories of personal data and in some cases, surveillance reports.

Marketing information

Your individual details and marketing preferences. Where we rely on consent as a basis for collecting and using your personal data for these purposes, we will also keep records of whether or not you have consented to receive marketing from us and/or from third parties.

Website and communication usage

Details of your visits to our websites and information collected through cookies and other tracking technologies, e.g., your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access. For information about how we use cookies and the choices you may have, please see the cookies policies which are available on our websites that you visit.

Audio, online meeting and webinar recordings

We will inform you whenever we record your voice (e.g., in a telephone recording) or video images (e.g. online meetings and webinars). Specifically, if we record online meetings and webinars hosted on virtual platforms such as Microsoft Teams and Zoom, the fact of the recording will be prominently displayed on your screen.

You have a right to continue or decline to participate in the meetings, webinars, phone call or other recordings.

CCTV images

Your images are captured by CCTV cameras operated by us. No voice is recorded by our CCTV system.

Who do we obtain your personal data from?

We collect personal data from various sources, including but not limited to:

  • you
  • your family members, representative, employer or trade or professional associations
  • other insurance market participants, such as insurance intermediaries (e.g., introducers, brokers, agents and coverholders), insurers and reinsurers
  • credit reference agencies
  • anti-fraud databases, sanction lists, court judgements and other databases
  • government agencies such as vehicle registration authorities and tax authorities
  • publicly available information, including but not limited to the open electoral register
  • in the event of a claim, third parties including the other party to the claim (claimant / defendant), witnesses, experts (e.g., medical experts), loss adjustors, legal advisors, and claims handlers.
  • suppliers providing products and services to us

How do we obtain your personal data?

We collect personal data in the course of our business:

When you request a service from us

For example, if you ask us to obtain insurance quotes, or if you contact us to make an enquiry about a product or a service that we provide.

Providing a service/ product to our clients

Our services and products include insurance products and services (e.g., underwriting, coverholder services and insurance administration). In these cases, your personal data will normally be provided to us by our clients (or intermediaries acting on behalf of our clients), or sometimes our clients may ask us to contact you directly. We will also obtain information from other third parties.

When you use our website or one of our online services

We collect information about your visit and how you interact with our website. We use various technologies to collect and store information when you visit our websites. For information about how we use cookies and the choices you may have, please see our cookies policies available on our websites that you visit.

When you visit our business premises or attend our events

We collect information that we need in order to identify you and complete any necessary security checks. We also collect your images on our CCTV cameras which are installed at the entrances and exits of our premises and within our premises.

We may also collect dietary, allergies and disability information for catering and your health purposes.

When you attend any meetings or any of our events, we may collect your images and voice via video recordings or still photography for marketing and promotional purposes. If we take videos or photos at any events or meetings, we will let you know either in our invitations, confirmations of the events/ meetings or at the entrance of the events/meetings.

When we engage or are proposing to engage the services or purchase products from a supplier

We collect information necessary to administer our relationship with a supplier, e.g. a review of our supplier’s capabilities and qualifications, communicate with our suppliers or proposed suppliers, make payments and recover money owed to us, and perform any ongoing monitoring and investigations where required.

Whenever you contact us or engage us on social media

We retain a copy of your email or other correspondence as a record of your communication with us. This will include occasions when you contact us for a general enquiry, a complaint or to exercise your rights in relation to your personal data.

Merger or acquisition

If we are in a process of merger, acquisition or asset transaction, we may acquire your personal data from the involved third party.

What does TMK use your personal data for and what is our legal basis for the use?

Under data protection laws, we require a legal basis prior to processing your personal data. We have set out below our purposes for processing your personal data and our legal basis for doing so.

 

Purposes for processing personal data

Legal basis

Providing a service/product to our clients

 

Quotation/inception

  • Setting you up as a client, e.g. possible fraud, sanctions, credit and anti-money laundering checks
  • Evaluating the risks to be covered and matching to appropriate policy/premium

  • Consent
  • Compliance with legal obligations
  • Legitimate interests to:
    • ensure that the client is within our acceptable risk profile
    • determine the likely risk profile and appropriate insurance product and premium
  • Performance of our contract with you
  • Assist with the prevention of crime and fraud

Policy administration

  • Client care, e.g., communicating with you and sending you updates
  •  Compliance with legal obligations
  •  Legitimate interests to:
    • correspond with you in order to facilitate the placing of and claims under insurance policies
    • manage client relationships
  • Performance of our contract with you

Claims processing

  •  Managing insurance and reinsurance claims
  •  Defending or prosecuting legal claims
  •  Investigating or prosecuting fraud
  •  Compliance with legal obligations
  •  Legitimate interests to:
    • assess the veracity and quantum of claims
    • defend and make claims
    • assist with the prevention and detection of fraud
  • Performance of our contract with you

Renewals

  • Evaluating the risks to be covered and matching to appropriate policy/ premium
  •  Legitimate interests to:
    • correspond with you in order to facilitate the placing of and claims under insurance policies
  • Performance of our contract with you

Support and other business activities

  • Providing technical, customer service and other support
  • Responding to your queries and requests for information
  • Communicating with you in connection with providing a service/ product to our clients or prospective clients
  • Collecting or refunding payments
  •  Legitimate interests to:
    • provide the relevant support and services
    • conduct the relevant business activities
  • Performance of our contract with you

Other business purposes

 

Conducting data analytics

  • General risk modelling
  • Other data analytics: Our business relies on developing products and services by drawing on our experience from prior engagements.
  • We are not concerned with an analysis of identifiable individuals, and we take steps to ensure that whenever appropriate, personal data is anonymised or pseudonymised.
  •  Legitimate interests to:
    • build risk models that allow accepting of risk with appropriate premiums
    • pursue the commercial needs of our business

Testing purposes

We may use your personal data in order to test our IT systems. Appropriate security precautions and permissions will be applied to the data and any copies used for testing.

  •  Legitimate interests to:
    • test our IT systems
    • pursue the commercial needs of our business

Contacting and marketing to our clients and prospective clients

  • Sending newsletters and other marketing communications to individual representatives of our corporate clients or prospective clients
  • Inviting individual representatives of our corporate clients or prospective clients to events (and arrange and administer those events)
  •  Legitimate interests to:
    • pursue the commercial needs of our business

Conducting surveys and other evaluations

  • E.g. customer satisfaction surveys and other surveys for research and analytical purposes
  •  Legitimate interests to:
    • use personal data for improvement of our services and products

Business communications

  • Communicating with staff of our suppliers, our insurance partners, and other companies such as other insurers, reinsurers, coverholders, brokers and other companies who act as insurance intermediaries
  • Legitimate interests to:
    • conduct relevant business activities
  • Performance of our contract with you

Websites

Operation and use of our websites

  • Better understand how users access and use our services and websites
  • Evaluate and improve our websites, services, and business operations, and to develop new features, offerings, and services
  • Facilitating your participation in interactive features you may choose to use on our websites and personalising your experience on the websites by presenting content tailored to you
  • Your consent to use your personal data for the purposes
  • Legitimate interests to:
    • ensure and improve the safety, security, and performance of our websites.
    • provide you with a better experience when visiting our websites

Legal, compliance and corporate governance

 

  •  Manage queries, complaints and respond to data subject right requests
  • Compliance with legal obligations
  • Legitimate interests to:
    • investigate and respond to queries, complaints and respond to data subject right requests
  • Complying with our legal and regulatory obligations, and law enforcement requests
  • Compliance with legal obligations
  • Legitimate interests to:
    • comply with regulatory requirements
    • protect our business
  • Performing financial, tax and accounting audits, audits and assessments of our operations, privacy, security and financial controls, our general business, accounting, record keeping and legal functions
  • Compliance with legal obligations
  • Legitimate interest to:
    • understand our business
    • monitor our performance
    • maintain appropriate records
    • protect and secure our systems
    • defend and make legal claims
  • Purposes related to any actual or contemplated merger, acquisition, asset sale or transfer, financing, dissolution or restructuring of all or part of our business
  • Legitimate interests to:
    • structure our business appropriately

Securing and protecting our business

 

  • Protecting and securing our business operations, assets, services, network and information and technology resources

 

  • Legitimate interests to:
    • protect and secure our business and systems appropriately

Phone calls to our office, visitors to our premises and attendees of our events

 

  • To establish your identity

 

  • Legitimate interests to inform the relevant TMK staff of your call or arrival and to direct you to the designated room for the meetings or events
  • To establish that you are not at risk of Covid-19 or other infectious illnesses
  • Compliance with legal obligation
  • Your consent to use your personal data for the purposes
  • Legitimate interests to:
    • protect the health and safety of persons in our premises or attending our events
  • Processing of your dietary, allergy and disability information for catering and your health purposes.
  • Your consent to use your personal data for the purposes
  • Legitimate interests to:
    • Facilitate catering and protect your health

Use of CCTV

 
  • To protect the safety of our visitors, employees and contractors, as well as property and information located or stored on the premises

  • To prevent, deter, and if necessary, investigate unauthorised physical access to our premises

  • To prevent, detect and investigate any crime within our premises or threats to the safety of individuals within our premises (e.g. fire, physical assault)

  • The CCTV system is not used for any other purpose, such as to monitor the work of employees or their attendance

  • Legitimate interests to:
    • protect the security of our premises

 

Sensitive personal data

Sensitive personal data refers to health information, criminal records, and other sensitive personal data. See the section above under What personal data do we collect?

If we use certain sensitive personal data, data protection laws require that we must have an additional legal basis.

The additional legal basis that we rely on for processing sensitive personal data is that it is necessary for an insurance purpose and for reasons of substantial public interest, and to protect, investigate and defend legal claims.

Who do we share your personal data with?

We share personal data within and outside the Tokio Marine group of companies. These persons may act as data controllers or data processors of your personal data. A data controller is responsible for deciding how to use your personal data, while a data processor only processes your personal data on behalf of a data controller that it provides services to.

Within the Tokio Marine group of companies

Your personal data is shared with our group entities for the purposes of conducting our business, for providing services to you or our clients, for our general business administration, and for reporting or regulatory/ compliance purposes. Our group entities may either act as data controllers or data processors of personal data. Where personal data is shared between any Tokio Marine group of companies, this will be facilitated through our intra-group data sharing agreement.

Other companies

We may disclose your personal data to or share it with:

  • The relevant insurance market participants and other companies

The insurance lifecycle involves the sharing of your personal data between the various insurance market participants and other companies.

We may disclose your personal data to our insurance partners and other companies such as other insurers, reinsurers, coverholders, brokers and other companies who act as insurance intermediaries and medical service providers. These entities would usually operate as independent data controllers of personal data and are responsible for their own compliance with data protection laws. You should refer to their privacy notices for more information about their practices.

We may disclose your personal data to those who are involved in risk assessment, handling, investigation, defence or prosecution of claims, administration of insurance policies, loss adjustment and information providers such as screening, due diligence, and anti-fraud databases. These entities would usually process your personal data on our behalf.

If you are not sure whether our service provider, with whom we share your personal data, is a data controller or processor of your data, please contact us to find out.

  • Other authorised service providers

We may disclose your personal data to service providers we have retained to provide services to us.

Certain service providers such as banks, financial organisations and advisers, auditors, lawyers and tax advisers are independent data controllers of personal data which they receive from us and are responsible for their own compliance with data protection laws.

Other service providers such as our marketing agencies, document management providers and IT service providers who manage our IT and back office systems would usually act as data processors and process on our behalf the personal data which they receive from us.

If you are not sure whether our service provider, with whom we share your personal data, is a data controller or processor of your data, please contact us to find out.

Legal and regulatory obligations

We will make disclosures in order to meet our legal and regulatory obligations to law enforcement agencies, government, and regulatory bodies such as the Prudential Regulatory Authority, the Financial Conduct Authority, the Information Commissioner’s Office and other regulators as required by law, who act as independent data controllers of the personal data.

We may make disclosures of your personal data for the purposes of legal proceedings, obtaining legal advice and complying with our obligations under data protection and other laws.

Mergers and acquisitions

We may disclose your personal data in connection with the sale, transfer, or disposal of any of our businesses to third parties who act as independent data controllers of the personal data.

How long will TMK retain your data?

We will retain your personal data in accordance with our Data Retention Schedule which is for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. Our retention periods for personal data are determined based on our business needs and legal requirements. For example, we retain certain transaction details and correspondence until the time limit for claims, or to comply with regulatory requirements regarding the retention of such data. Please note that personal data that has been deleted from our systems may persist in our backups but will not be readily accessible.

 

What are your rights?

 

 

Right of access

You have the right of access to information we hold about or concerning you. If you would like to exercise this right, you should email us at dpo@tokiomarinekiln.com.  

Right of rectification or erasure

If you feel that any information that we hold about you is inaccurate you have the right to ask us to correct or rectify it. You also have a right to ask us to erase information about you where the information is no longer needed by us, where we are unlawfully processing your personal data, or where our processing of your personal data is based on your consent. Please note that there may be circumstances where you ask us to erase your personal data but we are legally entitled to retain it. Where we have disclosed your personal data to another person, we will take all reasonable steps to inform those with whom we have shared your personal data about your request to erase or correct/ rectify the personal data.

Right to object or restrict processing

You have a right to object to our processing of your personal data where our processing is based on legitimate interests. This includes the right to object to any direct marketing we may undertake and to any automated decisions based on profiling which we may carry out. You also have a right to request that we restrict processing your personal data while we consider your request to rectify or erase the personal data. Again, there may be circumstances where you object to or ask us to restrict our processing of your personal data but we are legally entitled to refuse that request.

Right to portability

You may have a right to receive any personal data that you have provided to us in a commonly used, machine readable format in order to transfer it to another data controller. This is called a data portability request and is only available where we process your personal data on the basis of your consent or for the performance of our contract with you.

Right to withdraw consent

You have the right to withdraw your consent for the processing of your personal data where the processing is based on consent.    

Right of complaint

You have a right to lodge a complaint at any time (about how we are handling your personal data or the information provided to you by TMK in this Notice) with the Information Commissioner’s Office in the UK (ICO) who can be contacted at www.ico.org.uk. However, we hope that before you do so, you will first contact us at dpo@tokiomarinekiln.com to let us know. We wish to assure you that we are committed to working with you to settle any concern or complaint you may have about how we handle your personal data.

 

If you would like to exercise any of your rights above, please email us at dpo@tokiomarinekiln.com. We would need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a security measure we take to ensure your information is not disclosed to any person who has no right to receive it.

Where will your personal data be processed?

As mentioned, TMK may transfer certain personal data outside the UK to other Tokio Marine group entities, insurance market participants and authorised service providers (see the section Who do we share your personal data with?).

If TMK transfers personal data outside of the UK, we will ensure that the transfers comply with UK data protection laws.

Examples of countries where we may transfer personal data to (other than those recognised by the ICO as having adequate levels of data protection) include, but are not limited to, Australia, India, Singapore and the United States of America.

You have a right to contact us for more information about the safeguards we have put in place (e.g. where relevant, a copy of relevant contractual commitments, which may be redacted for reasons of commercial confidentiality) to ensure the adequate protection of your personal data when this is transferred outside the UK.

How does TMK secure your personal data?

The security of your personal data is important to us and we have implemented reasonable physical, technical and administrative security standards to protect personal data from loss, misuse, alteration or destruction.

We protect your personal data against unauthorised access, use or disclosure, using security technologies and procedures, such as encryption and limited access. Only authorised individuals access your personal data, and they receive training about the importance of protecting personal data.

Our service providers and agents who process personal data on our behalf are contractually bound to maintain the confidentiality of personal data and may not use the personal data for any unauthorised purpose.

Contact us

If you have any queries, concerns or complaints or require further information as to how your personal data is processed, or if you wish to exercise any of your rights in relation to your personal data, you can contact us by post, or email at:

Data Protection Officer
Tokio Marine Kiln, 20 Fenchurch Street, London EC3M 3BY

dpo@tokiomarinekiln.com


If you are not satisfied with the way in which your personal data has been handled by TMK, you may also complain to the Data Commissioner’s Office at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

T: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
casework@ico.org.uk

How often is this Notice updated?

We regularly review and revise this Notice. We will ensure that the most up to date version is published here. This Notice was last updated on 25 August 2023.