Aspen adheres to all relevant Data Privacy regulations in the jurisdictions in which we operate. Under these regulations you may have the right to access personal data we hold about you and to request correction, rectification or erasure of such personal data, or to request a digital copy for transfer purposes. You may also object to the processing of your personal data or request the restriction of processing of your personal data. You have the right to opt out of the sale of your personal information. However, since Aspen does not sell personal information, the ability to opt out is not applicable. Aspen has implemented a number of internal policies and processes to support these rights and to ensure that we can meet valid requests in line with the requirements of the GDPR, UK GDPR, CCPA or other applicable local laws. Aspen does not discriminate on the basis of having exercised these rights. These rights are not absolute and we will let you know if we determine that there is a legal basis preventing us from honouring your request or if a specific right does not apply under the laws relevant to the particular jurisdiction in which you are based. Please see the separate jurisdiction specific sections of this Notice for key information related to the relevant laws.
Privacy & Data Subject Requests
Aspen’s commitment to your privacy
Aspen is committed to protecting and respecting your privacy rights and will comply with all applicable data protection and privacy laws. Our Privacy Notice tells you about the use that Aspen makes of the personal information we hold about you, how we collect certain personal information, under what circumstances we may share or otherwise use the information and to whom we may disclose it.
This Notice makes clear that, subject to applicable local laws, the personal information Aspen holds about you will be:
- used lawfully, fairly and in a transparent way
- collected and processed only for specific, explicit and legitimate purposes
- adequate, relevant and limited to the purposes we have told you about
- accurate and kept up to date
- kept only as long as necessary
- kept securely
- never sold to a third party for commercial purposes
Please note that, with effect from 30 December 2020, if your policy has been transferred to Lloyd’s Insurance Company S.A (Lloyd’s Europe) under the Lloyd’s Part VII Transfer arrangement then Lloyd’s Europe are now the Data Controller of personal data in respect of this policy. The full implications of this change, and details of the Lloyd’s Europe Data Privacy Notice – including use of your data – can be found here.
Your Rights Under Data Privacy Regulations
What Information Do We Collect From Policyholders?
The personal data we collect (also known as PII or NPI), how we collect it, how we will use it and who we will share it with will depend upon a number of factors including, but not limited to:
- whether you are a prospective policyholder who then declines to take up the offer of insurance
- if you are a current or former policyholder
- whether you have made a claim; and the complexity of any claim(s) made
The sections below describe this in more detail.
The Data We Might Collect
We may collect information from you or your representative, including agents and brokers, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you. We may also share this information with Third Party Suppliers for a legal business purpose. The type of personal information we collect depends on the context in which your information is collected, as well as the product or service (if any) that you have with us. In particular, we may collect some or all of the following categories of personal information:
• Identifiers (PII) such as name, alias, address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license or state identification card number, passport number, signature, physical characteristics or description, insurance policy information, financial information, medical information or other similar identifiers or personal information categories.
• Protected classification characteristics (SPII) such as age, race, ethnicity, ancestry, national origin, citizenship, political opinions, religious or philosophical beliefs, trade union membership, marital status, medical condition, disability, sex (including gender, gender identity, gender expression, pregnancy/childbirth and related medical conditions), sexual orientation, veteran or military status, biometric or genetic information and criminal convictions.
• Commercial information, including records of products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
• Biometric information.
• Internet or other electronic network activity regarding your interaction with our Internet Web site, application or advertisement.
• Geolocation data.
• Audio, electronic, visual, thermal, olfactory or similar information.
• Professional or employment-related information.
• Educational information.
• Inferences drawn from any of the information identified above.
How Do We Collect This Data?
We collect PII about you through our underwriting and claims processes, either directly from you or via:
- your family members, employer or representative such as an insurance broker
- other insurance companies;
- credit reference agencies
- anti-fraud databases, sanctions lists, court judgements and other publicly available databases;
- government agencies such as the DVLA and HMRC
- auditors
- open electoral register; or
- in the event of a claim, third parties including the other party to the claim (claimant / defendant), witnesses, experts (including medical experts), loss adjustors, solicitors, and claim handlers.
Where you provide personal information to us about other individuals (for example, family members who are a named beneficiary under your policy) you should refer them to this Notice before supplying us with their data on their behalf.
Why Do We Collect this Data?
All of the information you provide during the policy administration process will only be used for the purpose of enabling us to provide insurance services to you, including providing you with a quote and then insurance, and dealing with any claims or complaints that might arise, or to fulfil legal or regulatory requirements, if necessary.
In the event that we quote for a policy, you become a policyholder, have a claim or complaint, the information we collect about you will be used for the following purposes:
• quotation and inception purposes;
• to set you up as a client, including fraud, credit and anti-money laundering and sanctions checks;
• evaluating the risks to be covered and matching to appropriate policy / premium;
• policy administration;
• collection and refund of premiums;
• general client care, including communicating with you regarding administration and requested changes to your policy;
• sending you your policy documentation;
• claims processing;
• managing insurance claims;
• defending or prosecuting claims on behalf of our insureds, or Aspen Group;
• investigating and prosecuting fraud;
• contacting you in order to renew your insurance policy;
• Insurance lifecycle;
• general risk modelling and underwriting;
• complying with our legal or regulatory obligations; and
• transferring books of business, company sales and reorganisations
The Legal Bases For Collecting Your Data
Aspen may collect, store, transfer and process data under a number of different bases as summarised in the table below.
We will only use your personal data (PII) for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your PII for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.
Please note that other locally permissible legal bases of processing are available, but which are not required to be detailed in the table, with some specific details included in the jurisdiction-specific sections below.
If you have any queries in relation to the legal basis of processing for specific purposes, please contact the Group Data Protection Officer via email at [email protected] or the local representatives detailed in the jurisdiction-specific sections.
How Long Will The Information Be Retained?
The length of time for which your data will be retained will depend on a number of factors, including but not limited to:
- legislative requirements;
- Aspen reporting requirements; and
- operational requirements (e.g. claim or pension payment processing).
Aspen seeks to minimize the time it retains data in line with the requirements of the GDPR or any local laws that apply in your jurisdiction, and maintains a comprehensive Group Records Retention Policy in order to achieve this aim. This policy and associated data retention Schedules pertaining to each type of information can be obtained from Aspen’s Group Data Privacy Officer at [email protected].
How We Protect Your Data
As required by applicable data protection and privacy law, Aspen has physical, electronic and operational security procedures intended to safeguard and secure the information we collect throughout the lifecycle of that information. All Aspen staff have a legal duty to respect the confidentiality of information and access to confidential information is restricted to only those who have a reasonable need to access it.
Technical controls implemented include database encryption, email encryption, identity and access management solutions, comprehensive network protection and antivirus solutions.
Aspen also protects your data contractually when sharing with third-parties, ensuring that at least an equivalent level of security is offered by our partners and suppliers. These contracts incorporate the EU/UK Standard Contractual Clauses where data is transferred without an adequacy decision.
Automated Decision Making
We do not make any decisions about you using automated means (without human review); however, we will update our Privacy Notice if this position changes.
Selling and / or Sharing Your Data
Aspen does not sell any data to third parties for commercial purposes.
Insurance involves the use and disclosure of your personal data by various insurance market participants such as intermediaries, insurers and reinsurers. The London Insurance Market Core Uses Information Notice sets out those core necessary personal data uses and disclosures. Our core uses and disclosures are consistent with the London Market Core Uses Information Notice (irrespective of whether you have a Lloyd’s or non-Lloyd’s policy), except as identified below, and we recommend that you review this notice.
In the course of providing services to you Aspen may engage, and disclose your data to, a number of Third Party Suppliers, e.g. Claims Handlers, Employment Services, or recruiting partners, in connection with services provided by them. At all times, Aspen will require that the personal data is processed in accordance with our instructions and in circumstances which require the recipient to observe industry standard security measures in respect of personal data. We do not allow our Third Party Suppliers to use your personal data for their own purpose.
Aspen may also be under a duty to disclose or share your personal data in order to comply with a legal or regulatory obligation, where such disclosure is required by applicable tax or social security authorities, the U.S. Securities and Exchange Commission (SEC), the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA), the Bermuda Monetary Authority (BMA) or similar Regulatory body, the police or a court of competent jurisdiction.
We may share your personal information with other entities within the Aspen Group as part of delivering services to you, our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, or for system maintenance support and hosting of data.
We may also share your personal information with other third parties, for example, in the context of a possible sale or restructuring of the business or a part of the business. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes, subject to any legal or regulatory obligation where such data cannot be anonymised. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction.
Please also refer to the jurisdiction specific sections of this Notice for further information regarding your rights regarding the sale of your data.
Changes To This Notice or Your Personal Information
Due to the nature of our business, Aspen is unable to contact all of its policyholders, beneficiaries or claimants as we do not always know who they are, particularly in the case of reinsurance policies. This means that we cannot ensure that all data subjects will be aware when our Privacy Notice changes. However, we will always ensure that it is updated to reflect any changes in legislation, our own policies or best market practices.
Any changes we may make to this Notice in the future will be posted on Aspen’s web site and you are advised to regularly check and review the Notice to ensure you understand how we may be processing your personal data. Any changes Aspen may make to this Notice (which will, unless otherwise indicated, apply to any personal data already obtained by Aspen before the changes were made) will be effective from the date on which those changes have been posted on this page.
This Notice was last updated on 7 Sep 2021.
It is important that the personal information we hold about you is accurate and current. Please keep us informed of any changes to your personal information during your relationship with us.
Complaints or Queries
For the purposes of the data protection legislation, the company responsible for your PII (i.e. the data controller) is the Aspen Group company stated in your contract of insurance or employment. If you have any questions on this Policy, please contact Aspen’s Group Data Protection Officer at
30 Fenchurch Street,
London EC3M 3BD
or via email at: [email protected].
Where you are dissatisfied with any aspect of our handling of your personal data, you have a right to lodge a complaint with the relevant authority responsible for data protection in your jurisdiction. For details of relevant authorities, please see the jurisdiction-specific sections of this Notice.
Australian Residents
If you are in Australia, we will only collect your personal information if it is reasonably necessary for, or directly related to, one of our functions or activities. We will seek your consent before collecting any sensitive information about you. We may use or disclose the personal information we collect about you for one or more of the purposes described in this Notice, or for any related purpose if we believe you would reasonably expect us to use or disclose your personal information for that purpose. We may also use and disclose your personal information with your consent, or where we are otherwise required or permitted by Australian law to do so.
Any queries regarding our services in Australia should be directed to the Aspen Group Data Protection Officer at [email protected]
California Residents
Under the California Consumer Privacy Act (CCPA), and subject to certain exceptions, California consumers have specific rights regarding their personal information. This section describes those rights and how to exercise them.
Right to Opt-out of Sales: Aspen does not sell data regarding its customers for any commercial purposes. Should this change at any point in the future then we will provide appropriate facilities to enable any customer to opt out of the sales process via our CCPA Request Portal, details of which are included below.
Right to Delete: Unless an exemption applies, you have the right to request that we delete any personal information that we hold about you. Aspen does not charge for this deletion. Your request should be submitted as described below. As soon as is practicably possible following verification of your request and identity, we will securely delete your personal information from our records or inform you otherwise if an exemption applies. We will also request that any service providers with which we have shared your details in order to manage your policy delete the same data.
Right to Know: In line with CCPA requirements, the table below summarises how Aspen has collected and used certain types of personal data over the past 12 months. Over and above this disclosure, you have the right to request that we disclose this same type of information to you about our collection and use of your own personal details. Such requests can be made up to twice per year and subject to certain exceptions. As soon as is practicably possible following verification of your request and identity, we will disclose to you as required:
- the categories of personal information we collected about you;
- the categories of sources from which we collected personal information about you;
- categories of personal information we have disclosed for a business purpose;
- the categories of third parties to whom we have disclosed that personal information;
- our business or commercial purposes for collecting that personal information; and
- the specific pieces of personal information we collected from you
Submitting Requests: You can submit requests as described above using our online California Consumer Privacy Act Portal by clicking here. Alternatively, you can call us on +1-888-502-0625.
As soon as is practicably possible following receipt, we will take appropriate steps to verify your identity and complete your request subject to any exemptions. Please note that, in some cases, we may need to request additional information in order to verify your identity and confirm the nature of your request. This additional information will be to ensure the continued security of your personal information during the request process. We may also carry out checks, if necessary, with third party identity verification services, to verify your identity before taking any action with your personal information. If we are unable to adequately verify a request, we will notify you as soon as is possible.
Authorized agents may also initiate a request on behalf of another individual using the same methods. In this case, we will take appropriate verification steps to ensure any request is authorized by the data subject. For example, authorized agents will be required to provide proof of their authorization and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent.
Non-Discrimination and Financial Incentives: We will not discriminate against you for exercising any of your CCPA rights or impose unreasonable requirements on financial incentives offered to California consumers related to your personal information.
EU / EEA Residents
Transferring Your Data Outside Of The EU
The personal data that we collect about you may be transferred to, and stored at, one or more countries outside the EEA or outside the jurisdiction in which you reside. It may also be processed by staff operating outside the EEA (or outside the jurisdiction in which you reside) who work for Aspen or for our Third Party Suppliers. In such cases, Aspen will take appropriate steps to ensure an adequate level of data protection, including an appropriate “Adequacy” decision, in the country of the recipient as required under the GDPR (or as required under local laws in your jurisdiction) and as described in this Notice.
If Aspen cannot ensure such an adequate level of data protection, your personal data will only be transferred outside the EEA (or outside the jurisdiction in which you reside) if you have given your prior consent to such transfer and any local law requirements for the transfer have been satisfied. Your personal data is currently processed in Aspen’s operating jurisdictions (including the UK, US, Bermuda, Ireland, Dubai, Singapore, Switzerland and Australia) and India.
EU Representative Contact Details
If you are located in the EU, then please make any requests via our EU Representative (The DPO Centre) at [email protected]
EU / EEA Data Subject Requests
If you wish to invoke any of your rights under relevant Privacy regulations or to make a general enquiry regarding Aspen’s approach to securing your data, please do so by contacting our EU / EEA representative.
Please note that only you or someone that you authorize to act on your behalf may submit these requests. Your request must provide sufficient information for us to reasonably verify that you are the person about whom we collected personal information and sufficient detail to allow us to properly understand, evaluate and respond to your request.
In response to such a request, we may also ask you to verify your identity or to provide additional information that helps us to understand your request better. Once we have the necessary information from you regarding proof of identity, or in the case of an agent, proof of authorization, and your request is valid, we will respond to you as soon as possible but no later than within 30 days unless the number and complexity of the requests made are deemed excessively high, in which case we may extend this time by a maximum of a further two months. We will inform you if we need to make use of this additional time and why we need to do so as soon as is practicably possible.
UK Residents
Transferring your data outside of the UK
The personal data that we collect about you may be transferred to, or stored at, one or more of Aspen’s locations outside of the UK.
Following the UK’s departure from the EU, the EU authorities have made an adequacy decision in respect of the UK. This means that the UK is deemed to provide an essentially equivalent level of protection for personal data to that which exists within the EU. In turn, the UK Government has made an adequacy decision in respect of the EU. On that basis, data can flow freely between the two areas. Irrespective of this, Aspen will continue to ensure that any recipient of data provides at least the same level of protection as we would ourselves.
Please note that the UK’s adequacy status has been limited to a period of 4 years from 1 January 2021.
Transfers of your personal data to jurisdictions outside of the UK and EEA will be made subject to similar safeguards and considerations to those that apply to the personal data of EU/EEA residents (see section above).
Special Note On Consent For Policyholders, Beneficiaries And Claimants
Under the UK GDPR, we do not need your consent if we use your PII (including Special Category Data) to carry out insurance processing activities or to meet our legal obligations in the field of insurance law. In very limited circumstances, and where applicable, we may approach you for your written consent to allow us to process Special Category Data. Please see the “Explicit Consent” category under the Legal bases section above for further details.
Data Subject Requests
If you wish to invoke any of your rights under relevant Privacy regulations or to make a general enquiry regarding Aspen’s approach to securing your data, please do so by contacting Aspen’s Group Data Protection Officer.
Please note that only you or someone that you authorize to act on your behalf may submit these requests. Your request must provide sufficient information for us to reasonably verify that you are the person about whom we collected personal information and sufficient detail to allow us to properly understand, evaluate and respond to your request.
In response to such a request, we may also ask you to verify your identity or to provide additional information that helps us to understand your request better. Once we have the necessary information from you regarding proof of identity, or in the case of an agent, proof of authorization, and your request is valid, we will respond to you as soon as possible but no later than within 30 days unless the number and complexity of the requests made are deemed excessively high, in which case we may extend this time by a maximum of a further two months. We will inform you if we need to make use of this additional time and why we need to do so as soon as is practicably possible.
Employees and Potential Employees*
* Aspen has a dedicated recruitment partner for UK, Europe and Asia vacancies. Should you apply for a position your details will be processed by our recruitment partner in conjunction with Aspen.
What Information Do We Collect From Employees and Potential Employees
The personal data we collect (also known as PII or NPI), how we collect it, how we will use it and who we will share it with will depend upon a number of factors including, but not limited to:
- whether you are a prospective, current or former employee, contractor, worker, director or officer;
- if you have opted to take an international secondment within the Aspen Group; and
- if an employee of Aspen group, which optional reward benefits you have selected connected with your employment
The sections below describe this in more detail.
The Data We Might Collect
We may collect information from you or your representative, including recruitment agents, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you. In particular, we may collect some or all of the following categories of personal information:
- Identifiers such as name, alias, address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license or state identification card number, passport number, signature, physical characteristics or description, medical information or other similar identifiers or personal information categories.
- Protected classification characteristics (SPII) such as age, race, ethnicity, ancestry, national origin, citizenship, political opinions, religious or philosophical beliefs, trade union membership, marital status, medical condition, disability, sex (including gender, gender identity, gender expression, pregnancy/childbirth and related medical conditions), sexual orientation, veteran or military status, biometric or genetic information and criminal convictions.
- Biometric information.
- Internet or other electronic network activity regarding your interaction with our Internet Web site, application or advertisement.
- Professional or employment-related information.
- Educational information.
- Attendance records, including attendance at Aspen offices for hybrid, office-based and remote workers.
- Inferences drawn from any of the information identified above.
How Do We Collect This Data?
We collect PII about you through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties, including former employers, referees, and other background check agencies or through information that is available in the public domain. In the US, please note that, in addition to this Statement, you may receive additional notices relating to background and credit check processes.
We will collect additional personal information in the course of job-related activities throughout the period of you working for us (including, in the case of office attendance, through swipe card records), and occasionally following the termination of your relationship with us.
Should you provide personal information to us about other individuals (for example, family members who are benefits recipients or beneficiaries) you should refer them to this Notice before supplying us with their data on their behalf.
Why Do We Collect this Data?
All of the information you provide during the recruitment process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements, if necessary. We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role for which you have applied.
In the event that you are offered and accept a role with Aspen, the information we collect about you will be used for the following purposes:
- administering and maintaining HR records (including but not limited to information relevant to induction, on-boarding and leaver processes);
- planning, paying and reviewing your salary or fees, other remuneration and benefits
- assessments of your performance or conduct including performance appraisals and reviews and for the purposes of disciplinary, grievance, whistleblowing and other internal procedures
- planning, delivering or arranging training courses related to your role and/or continued professional development, including providing information to external training providers
- maintaining sickness and other absence records
- maintaining health and safety records and ensuring a safe working environment
- taking decisions on your fitness to work and complying with our obligations under applicable laws and regulations, including employment equality or fair employment legislation in your jurisdiction; providing references and information to future employers
- alumni relations
- providing information to relevant external authorities for tax, social security and other purposes as legally required
- equal opportunities monitoring
- monitoring IT usage, including in connection with an investigation or employment disciplinary action, monitoring building access and office attendance to review office capacity, working arrangements for our staff (including those in hybrid, office and home-working arrangements); allowing and removing access to data systems
- providing information to any future purchasers of Aspen or parts of its business, including but not limited to due diligence purposes
- planning or reviewing options, in relation to the operation or management of Aspen
For the avoidance of doubt, PII (including Special Category Data) will be processed in a manner consistent with any Aspen Group equal opportunities policy in place from time to time.
Where appropriate, and subject to applicable local law, we may collect information about criminal convictions as part of the recruitment process and subsequently as part of periodic background screening checks commensurate with your duties and responsibilities, or we may be notified of such information directly by you in the course of you working for us. Therefore, we envisage that we may hold information about unspent criminal convictions. We will use information about criminal convictions and offences for the following purposes, subject to applicable local law:
- to make decisions about your recruitment and/or continued employment
- in determining your ability to perform a role and the department or environment in which you work; or
- in complying with our regulatory reporting obligations or with our professional obligations to clients.
- less commonly, subject to applicable local law, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
Special Note On Consent For Employees and Recruits
We do not need your consent if we use your PII (including Special Category Data) to carry out our legal obligations or to exercise specific rights in the field of employment law. In very limited circumstances, and where applicable, we may approach you for your written consent to allow us to process Special Category Data. Please see the “Explicit Consent” category above for further details.
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).