Privacy notice for employees who have been asked to complete an individual assessment process

Your personal data – what is it?

Personal data is defined as any data from which a living individual can be identified.

Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”).

Who are we?

ERGO Lebensversicherung AG UK Branch, trading as Ellipse, is the data controller of personal data in respect of arranging and administering group insurance contracts.

How will we use the information about you?

We will process personal data in order to undertake any activity relating to our policies, products and services and, where relevant, to process applications, set up and administer policies, products and services and handle any claims.

The legal basis on which we will process your data is legitimate interests – i.e. to provide you with insured benefits. However, for special categories of information, such as health information, we will ask you for your consent.

Consent and withdrawal of consent

In order for Ellipse to decide whether, and on what terms, cover is to be provided, we will ask some members to complete our individual assessment process. This requires the member to disclose personal and special categories of personal information. You will be asked to consent to providing this additional information when you start to complete the online questionnaire. If, once the online questionnaire has been completed, you subsequently decide to withdraw consent, please contact us.

Automated decisions

We use software to process the individual assessment questionnaire. Where the outcome is that we can provide cover on ordinary terms, this decision will be actioned by us. If the outcome is either that cover can only be offered at higher rates, or that cover cannot be offered to you, this outcome will be reviewed by our underwriters before a decision is made and communicated to you.

What personal data do we hold and where did we get it from?

From your employer:

Your employer will have passed on to us employee details as part of the insurance contract which underpins the employee benefits offered to you by your employer.

Our website:

When you access our website, certain information (e.g. IP address, date, time) is automatically kept on our server for a period of four weeks for data security purposes only (e.g. in order to identify and trace any persons attempting to gain unauthorised access to the web server). Anonymised usage data (date, time of day, pages viewed, navigation, software used, etc) is also recorded on our behalf by Google Analytics for the purpose of analysing usage behaviour. We use cookies to retrace usage behaviour in anonymised form. This anonymised usage data is recorded, processed and used only in order to gear our website to the users’ needs and not to collect any personal information about you. You can decide whether you wish to accept or decline these cookies by modifying the settings in your browser, which is explained here.

If you send us an e-mail or you register to use our secure website, your personal data (i.e. name or e-mail address) will be used only for our correspondence with you in order to send you the documents you produce or information you requested.

Our online system:

If you access sections of our website which are reserved for registered users we will hold your personal data for the period as described below.

Which other organisations may we share your data with?

Ellipse may share your sensitive or special categories of personal information with:

  • other Munich Re companies
  • our reinsurer, Munich Re, their reinsurers and any reinsurer of our purchaser in the sale, transfer or transaction relating to our business
  • our medical assessment service provider, Medical Screening Solutions
  • our IT service providers: NIU Solutions, Northdoor and RedSpire, as part of the ongoing maintenance and development of our systems and services
  • our regulators and government agencies: the Financial Conduct Authority, BaFin (the German financial regulator) and Her Majesty’s Revenue and Customs (HMRC)
  • your own doctor or relevant medical professionals, should we require additional information as a result of the answers you have supplied as part of our individual assessment process
  • your employer and/or their advisers. We will not share sensitive or special categories of data (e.g. medical or health information) with your employer or their advisers

We do not transfer personal data outside the EEA.

How long do we hold your personal data for?

We will keep personal information only as long as we require it either for policy administration or in respect of any complaints relating to the policy. We will retain insurance records to satisfy regulatory requirements which will be for a maximum of six years after we stop providing the insurance. After this time, data will either be anonymised (a means by which an individual can no longer be identified by the data) or deleted. We will regularly review our data retention policy to ensure that data is not kept for longer than is necessary.

How can you access the data and correct it?

You can find out if we hold any personal information by making a ‘subject access request’. Within one month of your request we will:

  • give you a description of the information we hold
  • tell you why we are holding it
  • tell you who it could be disclosed to
  • let you have a copy of the information in an intelligible form, usually a pdf file

To make a request for any personal information we may hold about you, please contact us.

If we do hold information about you, you can ask us to correct any mistakes by contacting us.

How to complain

If you are unhappy with the way in which your personal data is handled, please contact our Data Protection Officer.

If you remain unhappy with our response to your complaint, you can complain directly to the Information Commissioner’s Office (ICO). They are the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Visit https://ico.org.uk/concerns/ to raise a complaint.