getting ready for GDPR
The General Data Protection Regulation (GDPR) is EU-wide legislation designed to improve the way organisations handle personal and sensitive data, in order to better protect the rights of the public. The GDPR must be implemented by 25th May 2018 and we’ve been working hard over the last nine months to make sure we are ready.
On this page you’ll find everything you need to know about our GDPR preparations, including new privacy notices, a guide for advisers and employers, and frequently asked questions.
our privacy notices
To prepare for GDPR we have created new privacy notices which explain how we handle and process personal data. Our main privacy notice is below, with further notices which explain how we process data in specific circumstances.
privacy notice for employees covered by an Ellipse policy
Your personal data – what is it?
Personal data is defined as any data from which a living individual can be identified.
Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”).
Who are we?
ERGO Lebensversicherung AG UK Branch, trading as Ellipse, is the data controller of personal data in respect of arranging and administering group insurance contracts.
How will we use the information about you?
We will process personal data in order to undertake any activity relating to our policies, products and services and, where relevant, to process applications, set up and administer policies, products and services and handle any claims.
The legal basis on which we will process your data is legitimate interests – i.e. to provide you with insured benefits.
What personal data do we hold and where did we get it from?
From your employer:
Your employer will have passed on to us employee details as part of the insurance contract which underpins the employee benefits offered to you by your employer.
If you send us an e-mail or you register to use our secure website, your personal data (i.e. your name or e-mail address) will be used only for our correspondence with you, in order to send you the documents you produce or the information you request.
Our online system:
If you access sections of our website which are reserved for registered users, we will hold your personal data for the period described above. If you register solely to use our online nomination of beneficiaries service, we will only retain your data for as long as you use this service. Once you no longer use the service, either because you have left the employer or because your employer has withdrawn from using the service, all records will be deleted after 90 days. If you register to complete our Individual Assessment, we will hold the data you provided for the period you are covered by the insurance, plus six years (this is the time period allowed in which you can make a referral to the Financial Ombudsman Service).
Which other organisations may we share your data with?
Ellipse may share your personal information with:
- other Munich Re companies: our reinsurer, Munich Re UK Life Branch
- our medical assessment service provider: Medical Screening Solutions
- our claims service partners: Barclays, Capita, Linden Claims, Proclaim Care, PTL and Red Arc
- our IT service providers: NIU Solutions, Northdoor and RedSpire, as part of the ongoing maintenance and development of our systems and services
- our regulators and government agencies: the Financial Conduct Authority, BaFin (the German financial regulator) and Her Majesty’s Revenue and Customs (HMRC)
- your own doctor or relevant medical professionals, should we require additional information as a result of the answers you have supplied as part of our individual assessment process or in connection with a claim
- your employer and/or their advisers. We will not share sensitive or special categories of data (e.g. medical or health information) with your employer or their advisers
We do not transfer personal data outside the EEA.
How long do we hold your personal data for?
We will keep personal information only as long as we require it either for policy administration or in respect of any complaints relating to the policy. We will retain insurance records to satisfy regulatory requirements which will be for a maximum of six years after we stop providing the insurance. After this time, data will either be anonymised (a means by which an individual can no longer be identified by the data) or deleted. We will regularly review our data retention policy to ensure that data is not kept for longer than is necessary.
How can you access the data and correct it?
You can find out if we hold any personal information by making a ‘subject access request’. Within one month of your request we will:
- give you a description of the information we hold
- tell you why we are holding it
- tell you who it could be disclosed to
- let you have a copy of the information in an intelligible form, usually a PDF file
To make a request for any personal information we may hold about you, please contact us.
If we do hold information about you, you can ask us to correct any mistakes by contacting us.
When do we ask for consent and how can you withdraw it?
In certain circumstances we may need your consent to obtain additional personal information, e.g. for individual assessment or as part of our claims assessment process. You have the right to withdraw your consent at any time; however, once consent has been refused or withdrawn, we will not be able to continue processing your personal data. Should you decide that you no longer wish to continue with your individual assessment process or a claim, please contact us.
How to complain
If you are unhappy with the way in which your personal data is handled, please contact our Data Protection Officer.
If you remain unhappy with our response to your complaint, you can complain directly to the Information Commissioner’s Office (ICO). The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Visit https://ico.org.uk/concerns/ to raise a complaint.
We use software to process the individual assessment questionnaire. Where the outcome is that we can provide cover on ordinary terms, this decision will be actioned by us. If the outcome is either that cover can only be offered at higher rates, or that cover cannot be offered to you, the outcome will be reviewed by our underwriters before a decision is made and communicated to you.
additional privacy notices
There are other circumstances where we process data differently and in these cases a separate privacy notice applies.
a guide for advisers and employers
We’ve created a comprehensive guide which explains how we are preparing for GDPR. You’ll find all the information you need, including how long we retain data, how we keep it secure, when we ask for consent, how we conduct email marketing activities with advisers, how we manage data subject rights and how we manage our suppliers.
The guide explains how we keep personal data secure. For guidance on how to stay safe when using our online systems please read our IT security statement.
frequently asked questions
Q. Is Ellipse a data processor or data controller?
A. Ellipse is a data controller. We do not act as a data processor for our clients.
Q. Will you be changing your contract terms for policyholders in light of GDPR?
A. No. Our policy terms and conditions, which alongside the policy schedule form our contract, will not be changed for existing customers. These already state that Ellipse is the data controller of personal data relating to the arranging and administration of a group insurance contract.
Q. Will you sign a Data Processing Agreement with the employer?
A. No. This is not necessary as Ellipse is not a data processor. We are a data controller with respect to the arranging and administering of group insurance contracts.
Q. Does Ellipse transfer data outside of the EEA?
A. No. We do not transfer personal data outside the EEA.
Q. Do we need to obtain consent from employees for Ellipse to provide group risk cover?
A. No. Under the GDPR the basis on which we will be processing employee information is not consent; rather, the basis is legitimate business interest. This is because, in the case of the administration of our insurance contracts, we need to receive and process employee information in order to provide insured benefits on behalf of the employer for the benefit of employees and their families. Without it, we could not provide the cover. We do, however, ask for consent in some circumstances where we need to collect special categories of information for individual assessment or claims, or if an employee wishes to use our online nomination of beneficiaries service.
Q. What steps can I take to stay safe when using your online systems?
A. Please read our IT security statement which explains what you can do to stay safe online.
Q. Will you be making any changes to your terms of business agreements with advisers?
A. Yes. We have asked all advisers to sign an addendum to their current agreement which includes new definitions, a new Data Protection section and a new section to reflect their obligations under the Criminal Finances Act 2017. If your firm has not completed the addendum, then please download it and send the signed copy to firstname.lastname@example.org.