Privacy & Data Subject Requests

AUK collect and process your personal data in compliance with all relevant data protection laws including the UK General Data Protection Regulation (UKGDPR), the Data Protection Act 2018 (DPA) as well as other applicable legislation.  Personal data, or personal information, is any information about you from which you can be identified. For example, this may include your name, your date of birth, your contact details and your email address. 

AUK may collect personal data for the following reasons –

• to evaluate the risks to be covered, to ensure the policy of (re)insurance is appropriate and the premium is reflective of the risk presented;
• to provide you with a quote for an (re)insurance policy;
• to provide you with an (re)insurance policy;
• to deal with claims and other issues and complaints that arise from that (re)insurance policy;
• general client management, including communicating with you regarding administration and requested changes to your policy;
• to conduct required fraud, credit and anti-money laundering and sanctions checks;
• to fulfil legal or regulatory requirements; and
• to keep you informed of developments through marketing.

AUK may provide you with further notices highlighting certain uses of your personal information as appropriate.

The information AUK may collect depends on our relationship with you but it may include –

• personal details including name, age, gender, date of birth, photographs and marital status;
• contact information including address, telephone numbers and email address;
• financial Information including bank details, annual income and credit check details;
• information relevant to your (re)insurance policy including account name and insurance policy number;
• information relevant to your claim including claim reference number, account name and bank details;
• information obtained during telephone conversations (including recordings and transcripts of those conversations);
• marketing preferences:
• information obtained through our use of cookies;
• details of your customer experience with us; and
• information for the prevention of financial crime including verification documents such as passports and driving licences.

Some of the information collected by AUK may include special categories of personal information (sometimes referred to as ‘sensitive personal information’). These may include –

• physical, or mental health conditions;
• identification information including passport details, driver’s license details and national insurance number; and
• information relating to criminal offences, including alleged offences, criminal proceedings, outcomes and sentences (previous criminal convictions).

Please note that AUK do not knowingly collect personal data about children.

If you believe AUK have collected personal data about your child, you may contact Aspen’s Group Data Protection Officer ([email protected]) and request that we cease processing data about your child.

We may collect your personal data in the following ways –

• directly from you as the data subject;
• from your family members;
• from your insurer or intermediary;
• from your employer;
• from credit reference agencies, anti-fraud databases, court judgments and other publicly available databases;
• from public sources such as Companies House;
• from a range of third parties, which include –
  • other companies within the Aspen Group;
  • other companies with whom we have a business relationship;
  • insurance brokers and intermediaries;
• via Cookies;
• via our telephone calls with you, which may be recorded and this may include logging your telephone number, date, time and duration of the call;
• when you provide a service to us or our customers (as a supplier);
• from social media;
• in the event of a claim, claims handlers, witnesses, loss adjusters, medical professionals and hospitals, and counsel who are involved in adjusting and the processing of claims;
• government agencies, industry bodies, the Financial Ombudsman Service and regulators including the Financial Conduct Authority; and
• other third-party sources where necessary which may include –
  • companies who assist in investigating fraud, including obtaining information data from credit reference agencies;
  • companies who provide consumer classification and other personal data for marketing purposes;
  • companies who provide information which may be used by AUK to inform its risk selection, pricing and underwriting decisions; and
  • where we are complying with our legal obligations regarding money laundering and other anti-financial crime measures.

AUK processes your personal information in compliance with all relevant data protection laws including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), the applicable provisions affecting or ensuring data privacy within the Insurance Act 2015, as well as all other applicable laws. The UK GDPR requires us to have a legal basis for processing your personal information. In most cases the legal basis will be one of the following –

• to fulfil our contractual obligations to you, for example to provide you with insurance cover, including the handling of claims;
• to comply with our legal obligations such as client due diligence and reporting obligations, and responding to requests from regulators, law enforcement authorities or other government authorities; and
• to meet our legitimate interests, for example, to ensure we price our products appropriately, to manage risk, to perform audits, and to maintain accurate records.

When we process personal data to meet our legitimate interests, we always balance these against your fundamental rights and freedoms and put in place robust safeguards to ensure that your privacy is protected

Generally, we do not rely on consent as a legal basis for processing your personal data in circumstances where –

• the law specifies that we have to process your personal data;
• we need to process your data to perform a contract with you;
• we have a public interest to do so; or
• we have a legitimate business reason for doing so.

Where we do rely on your consent, you have the right to withdraw it at any time in the manner indicated when your consent was provided. In addition, you can do so by contacting our Group Data Protection Officer ([email protected]).

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.

If you have any queries in relation to the legal basis of processing for specific purposes, please contact our Group Data Protection Officer ([email protected]).

The length of time for which your personal data will be retained will depend on several factors, including but not limited to –

• legislative requirements;
• Aspen’s reporting requirements; and
• operational requirements (e.g. claim or pension payment processing).

Aspen seeks to minimize the time it retains data in line with the requirements of Data Protection laws, including GDPR, and any local laws applicable in your jurisdiction, and maintains a comprehensive Group Records Retention Policy to achieve this aim. This policy and associated data retention schedules pertaining to each type of information can be obtained on request from our Group Data Privacy Officer ([email protected]).

AUK does not sell any data to third parties for commercial purposes.

While providing services to you, AUK may disclose your data to third-parties which may include –

• other companies in the Aspen Group
• claims handlers and loss adjusters;
• intermediaries (such as brokers and coverholders);
• reinsurers;
• legal counsel, including those who are involved in adjusting and the processing of claims;
• witnesses;
• other insurers;
• banking partners;
• credit agencies;
• IT companies
• regulators;
• healthcare providers;
• fraud detection agencies and the Insurance Fraud Bureau; and
• law enforcement agencies.

Aspen requires that personal data is processed in accordance with our instructions and in circumstances which require the recipient to observe industry standard security measures in respect of personal data.

We do not allow our third parties to use your personal data for their own purpose.

As required by applicable data protection laws, Aspen has implemented physical, electronic and technical security measures and policies and procedures to safeguard and secure the data we collect.

All AUK staff have a legal duty to respect the confidentiality of information and access to confidential information is restricted to only those who have a reasonable need to access it. Technical controls implemented may include database encryption, email encryption, identity and access management solutions, comprehensive network protection and antivirus solutions.

AUK ensures appropriate contracts and data sharing agreements are executed when sharing data with third parties, ensuring that at least an equivalent level of security is offered by our partners and suppliers. These contracts incorporate EU/UK standard contractual clauses where personal data is transferred without an ‘adequacy decision’ to third countries outside of the UK/EU/EEA.

We do not make any decisions about you using automated means (without human review), and we will update our Privacy Notice if this position changes.

You generally have the following rights under GDPR and UK GDPR, which you can usually exercise (you may have other rights subject to the jurisdiction that you are in and should look at the jurisdiction specific sections below):

If you would like to exercise any of these rights, please contact our Data Protection Officer at; 30 Fenchurch Street, London EC3M 3BD or via email ([email protected])

For the purposes of the data protection legislation, the company responsible for your personal data (i.e. the data controller) is the Aspen Group company stated in your contract of (re)insurance or employment contract.

If you have any complaints, queries or wish to exercise your data protection rights, please contact Aspen’s Group Data Protection Officer at;

30 Fenchurch Street, London EC3M 3BD or via email ([email protected]).

Where you are dissatisfied with any aspect of our handling of your personal data, you have a right to lodge a complaint with the relevant authority responsible for data protection in your jurisdiction. In the UK this is the Information Commissions Office (ICO). The ICO’s contact details are set out below

Information Commissions Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Telephone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

UK Residents – Transferring your data outside of the UK

The personal data that we collect about you may be transferred to, or stored at, one or more of Aspen’s locations outside of the UK. Your personal data may be processed in Aspen’s other offices (including the US, Bermuda, Singapore, Switzerland, Canada and Australia) and India.

Following the UK’s departure from the EU, the EU authorities have made an adequacy decision in respect of the UK. This means that the UK is deemed to provide an essentially equivalent level of protection for personal data to that which exists within the EU. In turn, the UK Government has made an adequacy decision in respect of the EU. On that basis, data can flow freely between the two areas. Irrespective of this, AUK will continue to ensure that any recipient of data provides at least the same level of protection as we would ourselves.

Transfers of your personal data to jurisdictions outside of the UK will be made subject to similar safeguards and considerations to those that apply to the personal data for EU/EEA residents (see section above). However, where your personal data is transferred to a country or recipient in a country that does not offer ‘adequacy’, appropriate safeguards will be in place, including the use of Standard Contractual Clauses.

Additionally, where the recipient is in the USA and is certified to the EU-US Privacy Framework and UK-US Data Bridge, Aspen may also rely on this safeguard.

EU / EEA Residents – Transferring Your Data Outside of the EU

The personal data that AUK may collect about you could be transferred to, and stored in, one or more countries outside of the EEA or outside the jurisdiction in which you reside. It may also be processed by staff operating outside of the EEA (or outside the jurisdiction in which you reside) who work for Aspen or for our Third-Party Suppliers.

In such cases, AUK will take appropriate steps to ensure an adequate level of data protection is in place. This could be an “adequacy” decision, in the country of the recipient or appropriate safeguards, such as the EU Standard Contractual Clauses required under GDPR.

If AUK cannot ensure such an adequate level of data protection, your personal data will only be transferred outside the EEA (or outside the jurisdiction in which you reside) if you have given your prior consent to such transfer, or if there are other specific exemptions that allow us to transfer the data outside the EU for example, for the establishment, exercise or defence of legal claims and any local law requirements for the transfer have been satisfied.

Your personal data may be processed in Aspen’s other offices (including the US, Bermuda, Singapore, Switzerland, Canada and Australia) and India.

EU Representative Contact Details

If you are in the EU, then please make any requests via our EU Representative (The DPO Centre) ([email protected])

If you wish to invoke any of your rights under relevant privacy regulations or to make a general enquiry regarding Aspen’s approach to securing your data, please do so by contacting Aspen’s Group Data Protection Officer ([email protected]).

Please note that only you or someone that you authorise to act on your behalf may submit these requests. Your request must provide sufficient information for us to reasonably verify that you are the person about whom we collected personal information and sufficient detail to allow us to properly understand, evaluate and respond to your request.

In response to such a request, we may also ask you to verify your identity or to provide additional information that helps us to understand your request better. Once we have the necessary information from you regarding proof of identity, or in the case of an agent, proof of authorisation, and your request is valid, we will respond to you as soon as possible but no later than within 30 days unless the number and complexity of the requests made are deemed to be excessively high. In this case, we may extend this time by up to two months. We will inform you if we need to make use of this additional time and why we need to do so as soon as is practicably possible.

EU / EEA Data Subject Requests

If you wish to invoke any of your rights under relevant privacy regulations or to make a general enquiry regarding Aspen’s approach to securing your personal data, please do so by contacting our EU / EEA (The DPO Centre) ([email protected]).

Please note that only you or someone that you authorise to act on your behalf may submit these requests. Your request must provide sufficient information for us to reasonably verify that you are the person about whom we collected personal information and sufficient detail to allow us to properly understand, evaluate and respond to your request.

In response to such a request, we may also ask you to verify your identity or to provide additional information that helps us to understand your request better. Once we have the necessary information from you regarding proof of identity, or in the case of an agent, proof of authorisation, and your request is valid, we will respond to you as soon as possible but no later than within 30 days unless the number and complexity of the requests made are deemed to be excessively high. In this case, we may extend this time by up to two months. We will inform you if we need to make use of this additional time and why we need to do so as soon as is practicably possible.

Due to the nature of our business, AMAL and AIUK is unable to contact all its policyholders, beneficiaries or claimants as we do not always know who they are, particularly in the case of reinsurance policies. This means that we cannot ensure that all data subjects will be aware when our Privacy Notice changes. However, we will always ensure that it is updated to reflect any changes in legislation, our own policies or best market practices.

Any changes we may make to this Notice in the future will be posted on our website and you are advised to regularly check and review the Notice to ensure you understand how we may be processing your personal data. Any changes we may make to this Notice (which will, unless otherwise indicated, apply to any personal data already obtained before the changes were made) will be effective from the date on which those changes have been posted on this page.

This Notice was last updated on 14^th March 2025.

AUK collect and process your personal data in compliance with all relevant data protection laws including the UK General Data Protection Regulation (UKGDPR), the Data Protection Act 2018 (DPA) as well as other applicable legislation.  Personal data, or personal information, is any information about you from which you can be identified. For example your name, your date of birth, your contact details and your email address. 

AUK may collect personal data for the following reasons –

• to consider your application for employment;
• to conduct background checks for legal and regulatory purposes;
• to deal with any issues that may arise from your application;
• to communicate with you and to carry out administration in connection with your application.

The types of personal data that we may collect and use include –

• personal details including name, age, date of birth and marital status;
• contact information including address, telephone numbers and email address;
• National insurance number;
• business title and grade or level;
• employment history;
• education history;
• financial information relating to your salary and taxation (such as credit history, reward and overall current and requested salary package);
• aptitude testing of cognitive abilities through psychometric testing; and
• survey information related to experience of the recruitment process.

The types of special categories of personal data that AUK may collect, and use include –

• nationality (including visa status, the need for sponsorship, current right to work in the UK and full identity verification);
• ethnicity (language details, education institutions, background information and Equal Opportunities data);
• gender;
• pictures including copies of your ID;
• CCTV footage if you enter our premises for an interview;
• employment references;
• certifications
• background checks including checks carried out via a third-party specialist providers. That might include evidence of right to work in the UK, proof of current address, criminal records, current and previous employment (including directorships and similar positions listed on Companies House), academic verification, international sanctions and credit history;
• health data (obtained only at offer stage and through our Occupational Health provider, who will act as a separate data controller for that purpose);
• health and safety related information, where relevant; and
• information on your family members.

When providing us with the data, you represent that such data is accurate, complete, up to date, and is supplied for the sole purpose of seeking job or employment vacancies or positions.

Aspen is an equal opportunities employer and does not in any way discriminate against any individual who provides information in line with equal opportunity categories should you choose to provide this. Information provided is only used for reporting on the diversity of our candidate base across Aspen.

Your personal data will be used to assess and administer your application for employment at Aspen. This may involve –

• contacting you as a potential candidate;
• conducting interviews;
• assessing the suitability of you as a candidate;
• conducting background checks on you;
• preparing your employment contract for signature;
• internal procedures to ‘onboard’ you;
• monitoring and reviewing Aspen’s resourcing practices

Most of the personal data that Aspen holds about you is provided by you.  In addition, we may collect data from –

• official authorities and publicly available data sources (for identity verification, financial, immigration, directorship and criminal history);
• your previous employers;
• your educational institutions you attended;
• tax authorities;
• credit reference agencies;
• third party providers specialising in background screening;
• recruitment agencies;
• surveys; and
• we also use cookies to follow the application process and to improve the use of our website

AUK processes your personal information in compliance with all relevant data protection laws including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), the applicable provisions affecting or ensuring data privacy within the Insurance Act 2015, as well as all other applicable laws. The UK GDPR requires us to have a legal basis for processing your personal information. In most cases the legal basis will be one of the following –

We will only keep your personal data for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Policy and to comply with our legal and regulatory obligations.  If you are not employed by AUK, unless you have consented for us to hold your CV for longer to be considered for other roles, we will retain application records for 6 months.

AUK does not sell any data to third parties for commercial purposes.

AUK may share your personal data with other Aspen Group companies in order to administer your application and, if you accept employment with AUK, to administer your employment.

If you agree for your CV to be retained for possible future vacancies, we may share your data within other Aspen Group companies.

In some cases, AUK may use third party suppliers to assist with the recruitment process. The third party may operate in countries outside the EEA, such as India or the United States. In these instances, we ensure those parties have appropriate arrangements in place to allow for international transfer.

All disclosures are made following the applicable laws and regulations, and the necessity to disclose data.

AUK may also disclose your personal data to the third parties listed below for the purposes described in this Privacy Policy. This may include –

• outsourced recruitment organisations (including background checking, psychometric assessments, video interviewing etc.);
• resourcing teams who assess and administer your application for employment at AUK;
• third party providers who facilitate discussions with current employees to enable you to talk about working for Aspen;
• relevant entities to process your financial data (HR, Payroll and Reward teams);
• insurance and healthcare entities;
• technical support teams;
• survey providers;
• third party providers of welcome merchandise

As required by applicable Data Protection laws, Aspen has implemented physical, electronic and operational technical and security measures and controls, policies and procedures to safeguard and secure the data we collect, process and store throughout the lifecycle of that data.

All AUK staff have a legal duty to respect the confidentiality of information and access to confidential information is restricted to only those who have a reasonable need to access it. Technical controls implemented may include database encryption, email encryption, identity and access management solutions, comprehensive network protection and antivirus solutions.

AUK ensures appropriate contracts and data sharing agreements are executed when sharing data with third parties, ensuring that at least an equivalent level of security is offered by our partners and suppliers. These contracts incorporate EU/UK standard contractual clauses where personal data is transferred without an adequacy decision to third countries outside of the UK/EU/EEA.

If you are seeking employment via our Early Careers Program, candidates may be asked to complete an online assessment. The results from the assessment will determine if the candidate moves to the next stage of the recruitment process or not. This process is handled by a third party, with the results communicated to Aspen’s Human Resource team, who will then continue the recruitment process for those candidates who passed the online assessment. AUK does not use any other form of automated decision making.

You generally have the following rights under GDPR and UK GDPR, which you can usually exercise (you may have other rights subject to the jurisdiction that you are in and should look at the jurisdiction specific sections below) –

If you would like to exercise any of these rights, please contact our Data Protection Officer at;

30 Fenchurch Street, London EC3M 3BD or via email ([email protected])

If you have any complaints, queries or wish to exercise your data protection rights, please contact Aspen’s Group Data Protection Officer at;

30 Fenchurch Street, London EC3M 3BD or via email ([email protected]).

Where you are dissatisfied with any aspect of our handling of your personal data, you have a right to lodge a complaint with the relevant authority responsible for data protection in your jurisdiction. In the UK this is the Information Commissions Office (ICO). The ICO’s contact details are set out below

Information Commissions Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Telephone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

If you wish to invoke any of your rights under relevant privacy regulations or to make a general enquiry regarding Aspen’s approach to securing your data, please do so by contacting Aspen’s Group Data Protection Officer ([email protected]).

Please note that only you or someone that you authorise to act on your behalf may submit these requests. Your request must provide sufficient information for us to reasonably verify that you are the person about whom we collected personal information and sufficient detail to allow us to properly understand, evaluate and respond to your request.

In response to such request, we may also ask you to verify your identity or to provide additional information that helps us to understand your request better. Once we have the necessary information from you regarding proof of identity, or in the case of an agent, proof of authorisation, and your request is valid, we will respond to you as soon as possible but no later than within 30 days unless the number and complexity of the requests made be deemed excessively high, in which case we may extend this time by a maximum of a further two months. We will inform you if we need to make use of this additional time and why we need to do so as soon as is practicably possible.

This Privacy Policy is subject to regular review and may be updated from time to time.

This Notice was last update on 14^th March 2025.

If you are in Australia, we will only collect and process your personal data if it is necessary for, or directly related to, one of our functions or activities. All activities are undertaken in adherence to the Privacy Act 1988.

We may use or disclose the personal data we collect about you for one or more of the purposes described in the UK Privacy Notice set out above (or for any related purpose) if we believe you would reasonably expect us to use or disclose your personal data for that purpose. We may also use and disclose your personal data with your consent, or where we are otherwise required or permitted by the Privacy Act 1988.

You may be provided with additional Privacy Notices and Privacy Statements relating to the processing of your personal data in Australia. Any queries regarding our services in Australia should be directed to the Aspen Group Data Protection Officer ([email protected])

If you are in Bermuda, we will only collect your personal information if it is reasonably necessary for, or directly related to, one of our functions or activities. All activities are undertaken in adherence to The Personal Information Protection Act 2016 (PIPA).

We may use or disclose the personal information we collect about you for one or more of the purposes described in the UK Privacy Notice set out above (or for any related purpose) if we believed you would reasonably expect us to use or disclose your personal information for that purpose. We may also use and disclose your personal information with your consent, or where we are otherwise required or permitted by PIPA.

You may be provided with additional Privacy Notices and Privacy Statements relating to the processing of your personal information in Bermuda. Any queries regarding our services in Bermuda should be directed to the Aspen Group Data Protection Officer ([email protected]).

If you are in Singapore, we will only collect your personal data if it is reasonably necessary for, or directly related to, one of our functions or activities. All activities are undertaken in adherence to the Personal Data Protection Act 2012 (DPA).

We may use or disclose the personal data we collect about you for one or more of the purposes described in the UK Privacy Notice set out above (or for any related purpose) if we believe you would reasonably expect us to use or disclose your personal data for that purpose. We may also use and disclose your personal data with your consent, or where we are otherwise required or permitted by the DPA.

You may be provided with additional Privacy Notices and Privacy Statements relating to the processing of your personal data in Singapore. Any queries regarding our services in Singapore should be directed to the Aspen Group Data Protection Officer ([email protected]).

If you are in Canada, we will only collect your personal data if it is reasonably necessary for, or directly related to, one of our functions or activities. All activities are undertaken in adherence to the Personal Information Protection and Electronic Documents Act (PIPEDA) and any applicable provincial privacy statutes.

We may use or disclose the personal data we collect about you for one or more of the purposes described in the UK Privacy Notice set out above (or for any related purpose) if we believe you would reasonably expect us to use or disclose your personal data for that purpose. We may also use and disclose your personal data with your consent, or where we are otherwise required or permitted by PIPEDA and applicable provincial statutes.

You may be provided with additional Privacy Notices and Privacy Statements relating to the processing of your personal information in Canada. Any queries regarding our services in Canada should be directed to the Aspen Group Data Protection Officer ([email protected]).

If you are in California, we will only collect your personal data if it is reasonably necessary for, or directly related to, one of our functions or activities. All activities are undertaken in adherence to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

We may use or disclose the personal data we collect about you for one or more of the purposes described in the UK Privacy Notice set out above (or for any related purpose) if we believe you would reasonably expect us to use or disclose your personal data for that purpose. We may also use and disclose your personal data with your consent, or where we are otherwise required or permitted by the CCPA and CPRA.

You may be provided with additional Privacy Notices and Privacy Statements relating to the processing of your personal information in California.

As required by the CCPA, you can also raise Data Privacy matters by –

• email: [email protected]
• calling us on + 1-877-245-3510.