Kingsbridge Contractor Insurance – Data Protection Notice

 

Last Updated: April 2024

 

1. INTRODUCTION AND SCOPE

 

This data protection notice (this “Notice”) describes how Kingsbridge Risk Solutions Ltd t/a Kingsbridge Contractor Insurance (“Kingsbridge”) collects, handles, secures, shares and uses the personal data of users visiting Kingsbridge’s website and the personal data of individuals in relation to other interactions, transactions, sites or applications that reference this Notice, or who provide their personal data to Kingsbridge through other channels (such as by phone or e-mail), such users and individuals being “Data Subjects”.

 

This Notice applies only to the personal data of Data Subjects who are resident in the or the United Kingdom (UK) or the European Economic Area (EEA).

 

We shall act as a controller of Data Subjects’ personal data that is collected or received in accordance with this Notice.

 

To receive this notice in another format (for example, audio, large print, braille) please contact Kingsbridge using the contact details in section 12 (How to Contact Kingsbridge) below.

 

2. WHAT PERSONAL DATA DOES KINGSBRIDGE PROCESS AND HOW IS IT COLLECTED?

 

User Provided Personal Data

Data Subjects may provide the following types of personal data to Kingsbridge (whether by uploading, email, telephone, post or otherwise) which may then be collected, used, stored and transferred in accordance with this Notice:

Type of personal data	Personal data includes:
Contact Data	·     Physical address(es) ·     Email address ·     Telephone numbers
Identity Data	·     First name ·     Last name ·     Username or similar identifier ·     Title ·     Date of birth ·     Gender
Financial Data	·     Bank account ·     Payment card details
Profile Data	·     Username and password ·     Purchases or orders made ·     Interests ·     Preferences ·     Feedback ·     Survey responses
Transaction Data	·      Details about payments to and from Data Subjects ·      Purchases made
Marketing and Communications Data	·     Preferences in receiving marketing from Kingsbridge and its third parties ·     Communication preferences.

 

Automatically Collected Personal Data

The following types of personal data may be automatically logged when Data Subjects access and use the website or otherwise interact with us, which Kingsbridge may then collect, use, store and transfer in accordance with this Notice:

Type of personal data	Personal data includes:
Technical Data	·     Cookies – see section 5 (Cookies) ·     Internet protocol (IP) address ·     Login data ·     Browser type and version ·     Time zone setting and location ·     Browser plug-in types and versions ·     Operating system and platform ·     Other technology on the devices used to access the website
Usage Data	·     Information about how the website is used

 

 

 

Third Party Provided Personal Data

Kingsbridge may also obtain Data Subjects’ personal data from the following third parties:

Third Party	Type of personal data	Source of data
Recruitment agencies	·     Contact Data ·     Identity Data	·     General correspondence (including emails) ·     Contracts ·     Referrals
Accountancy firms	·     Contact Data ·     Identity Data	·     General correspondence (including emails) ·     Contracts ·     Referrals ·
Service Providers	·     Contact Data ·     Identity Data	·     General correspondence (including emails) ·     Contracts ·     Purchase orders ·     Financial/bank transfer information ·     Tax/regulatory documents ·     Fraud prevention tools ·     Marketing lists

 

Children

 

Kingsbridge’s products and services are not provided to children. We do not knowingly collect personal data from children under the age of 13. If you are a parent or guardian of a child under the age of 13 and believe they have disclosed personal to Kingsbridge, please contact us using the contact details at section 12 (How to Contact Kingsbridge) below. A parent or guardian of a child under the age of 13 may review and request deletion of such child’s personal data as well as prohibit the use thereof.

 

Cookies

 

Please see section 5 (Cookies) below for details on how Kingsbridge use cookies on its website.

 

3. HOW DOES KINGSBRIDGE USE PERSONAL DATA?

 

 

Purpose	Type of personal data	Lawful basis for processing	Details
To monitor the use of Kingsbridge’s website.	·   Technical Data ·   Usage Data	·   Legitimate interest ·   Consent (in relation to non-essential cookies)	To improve the functionality and content of our website.
To create and maintain and account with us.	·   Identity Data ·   Contact Data ·   Profile Data	·   Legitimate interest ·   Consent	To enable Data Subjects to set up an account and to access and manage their account in accordance with its functionality.   To improve the speed at which Data Subjects can purchase our products and services
To provide products and services (including necessary communications (other than marketing))	·   Identity Data ·   Contact Data ·   Financial Data ·   Transaction Data	·   Legitimate interests ·   Necessary to comply with a legal obligation ·   Performance of a contract	To enable us to provide our products and services to Data Subjects.
To manage and protect Kingsbridge’s business (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).	·   Identity Data ·   Contact Data ·   Technical Data	·   Legitimate interests ·   Necessary to comply with a legal obligation	To manage Kingsbridge’s business and ensure the effective operation of Kingsbridge’s website and of Kingsbridge’s products and services. To prevent fraud.
To undertake identification verification.	·   Identity Data ·   Contact Data	·   Legitimate interests ·   Necessary to comply with a legal obligation	To prevent fraud.
To use data analytics to improve the website and Kingsbridge’s products and services.	·   Technical Data ·   Usage Data	·   Legitimate interests	To keep the website updated and relevant. To develop Kingsbridge’s business and inform Kingsbridge’s marketing strategy.
To contact Data Subjects who request such contact	·   Identity Data ·   Contact Data	·   Consent	To respond to Data Subjects’ contact requests.
To send personal marketing and promotional materials to Data Subjects as individuals.	·   Identity Data ·   Contact Data ·   Marketing and Communications Data	·   Consent	To promote Kingsbridge’s products and services.
To send marketing and promotional materials to Data Subjects in a business context.	·   Identity Data ·   Contact Data ·   Marketing and Communications Data	·   Legitimate interests	To promote Kingsbridge’s products and services.
To enable Data Subjects to complete a survey	·   Identity Data ·   Contact Data ·   Profile Data ·   Usage Data	·   Consent	To obtain feedback from Data Subjects on our website, products and services so that we can make improvements to them.

 

Kingsbridge may process Data Subjects’ personal data under more than one lawful basis depending on the specific purpose for which Kingsbridge is using the personal data. If a Data Subject has provided consent to processing and subsequently withdraws that consent, Kingsbridge may still process that Data Subject’s personal data where Kingsbridge has another lawful basis for doing so, provided that the Data Subject has not expressly asked us to stop processing their personal data in accordance with section 10 (Legal Rights) below. Where more than one lawful basis has been set out in the table above, Data Subjects should contact Kingsbridge if they need details about the specific lawful basis that Kingsbridge is relying on to process their personal data.

 

Where Kingsbridge needs to collect personal data by law or under the terms of a contract that Kingsbridge has with a Data Subject and the Data Subject fails to provide that personal data when requested, Kingsbridge may not be able to perform the contract it has with the Data Subject.

 

4. SHARING OF PERSONAL DATA

Kingsbridge may share Data Subjects’ personal data with the following categories of third parties:

Third Party	Description
Service Providers	Kingsbridge’ service providers include third parties that provide Kingsbridge with services such as IT services, hosting services, administration services and other business process services. Such third parties will act as Kingsbridge’s processors.
Professional advisors	Kingsbridge may need to provide Data Subjects’ personal data to its professional advisers that provide services to Kingsbridge. Kingsbridge’s professional advisors include lawyers, accountants, bankers, auditors and insurers. Such third parties may act as Kingsbridge’s processors or independent controllers.
Authorities	Kingsbridge may disclose personal data where required in order to respond to requests from regulatory or governmental authorities (such as the Financial Conduct Authority), court orders, legal process, or to establish or exercise our legal rights or defend against legal claims.  It may also be necessary for Kingsbridge to share personal data in order to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required by law.  In such circumstances, Kingsbridge will take appropriate measures to ensure that the recipient understands the sensitive nature of the personal data that they may receive.
Group Companies	Kingsbridge may share Data Subjects’ personal data with its group companies, and in such circumstances will ensure that all necessary protections are put in place as required by applicable law.
Other Third Parties	Kingsbridge may share Data Subjects’ personal data with third parties to whom we may choose to transact business with.   Kingsbridge may share Data Subjects’ personal data with third parties to whom it may choose to sell, transfer or merge parts of its business or its assets (including in relation to restructuring/insolvency situations). Alternatively, Kingsbridge may seek to acquire other businesses or merge with them. If a change happens to Kingsbridge’s business, then the new owners may use Data Subjects’ personal data in the same way as set out in this Notice.   Data Subjects’ personal data may be a transferred asset in any sale of all or part of Kingsbridge’s business.

 

Kingsbridge requires all its data processors and any other third party that Kingsbridge provides Data Subjects’ personal data to respect the security of Data Subjects’ personal data and to treat it in accordance with applicable law.

Kingsbridge does not allow its data processors to use Data Subjects’ personal data for their own purposes and only permits them to process Data Subjects’ personal data for specified purposes and in accordance with Kingsbridge’s instructions.

5. COOKIES

 

Our website uses cookies. Please see https://www.kingsbridge.co.uk/cookie-policy/, which provides details of the cookies used on our website and how Users can reject or accept such cookies.

6. MARKETING

 

Data Subjects may receive marketing communications from Kingsbridge if they have requested such communications from Kingsbridge or, where permitted by applicable law, if they have purchased goods or services from Kingsbridge and they have not opted out of receiving future marketing communications.

 

Third Party Marketing Companies

 

Kingsbridge will obtain Data Subjects’ explicit consent before it shares their personal data with any company outside of Kingsbridge’s group of companies for marketing purposes.

 

Opt-Out

 

If a Data Subject does not wish to receive marketing information from Kingsbridge, the Data Subject can opt-out by contacting Kingsbridge using the contact details at section 12 (How to Contact Kingsbridge) below or by clicking the opt-out link in Kingsbridge’s electronic marketing communications.

 

7. INTERNATIONAL TRANSFERS

 

Data Subjects’ personal data collected by Kingsbridge in the UK or the EEA may be transferred outside of the UK or the EEA (as applicable) to those third parties specified in section 4 (Sharing of Personal Data) above; however, in such circumstances, to the extent Kingsbridge is required to do so under applicable law, Kingsbridge will ensure contractual or other measures that have been adopted or approved by the UK Government or the European Commission (as applicable) are taken (such as ensuring applicable standard contractual clauses are in place).

Data Subjects can obtain more information about the countries to which their personal data is transferred and copies of the additional measures put in place by contacting Kingsbridge using the contact details at section 12 (How to Contact Kingsbridge) below.

 

8. SECURITY OF PERSONAL DATA

 

Kingsbridge maintains appropriate physical, technical, administrative, and organisational security measures to protect personal data from loss, misuse, and unauthorised access, disclosure, alteration, and destruction, including (where appropriate):

• the pseudonymisation and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

 

All of Kingsbridge’s employees, contractors and data processors who have access to, and are associated with, the processing of personal data are obligated to keep the personal data confidential and not use it for any other purpose than to carry out the services they are performing for Kingsbridge.

 

While Kingsbridge will use all reasonable efforts to safeguard Data Subjects’ personal data, the use of the internet is not entirely secure and for this reason Kingsbridge cannot guarantee the security or integrity of any personal data that is transferred from Data Subjects or to Data Subjects via the internet.

9. RETENTION OF PERSONAL DATA

 

Kingsbridge will only retain Data Subjects’ personal data for as long as necessary to fulfil the purposes Kingsbridge collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, Kingsbridge considers the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which Kingsbridge processes the personal data and whether Kingsbridge can achieve those purposes through other means, and the applicable legal requirements.

Details of retention periods for personal data are available from Kingsbridge on request using the contact details at section 12 (How to Contact Kingsbridge) below.

We may anonymise Data Subjects’ personal data so that it can no longer be associated with you and is no longer classed as personal data. In such circumstances we may use such information without further notice to the Data Subject.

10. LEGAL RIGHTS

 

Data Subjects may have the following rights under applicable data protection laws in relation to their personal data:

Data Subject’s right	Description
Request access to the Data Subject’s personal data.	This enables the Data Subject to receive a copy of its personal data that Kingsbridge holds and to check that Kingsbridge is lawfully processing it.
Request correction of the personal data that Kingsbridge hold about the Data Subject.	The Data Subject can require Kingsbridge to correct any mistakes in the Data Subject’s personal data free of charge.   The Data Subject must provide Kingsbridge with enough information to identify the Data Subject (e.g. account number, username, registration details) and let Kingsbridge know the information that is incorrect and what it should be replaced with.
Request right to erasure/ to be forgotten of the Data Subject’s personal data.	This enables the Data Subject to ask Kingsbridge to delete or remove the Data Subject’s personal data where there is no permitted reason for Kingsbridge continuing to process it.   The Data Subject can ask Kingsbridge to erase the Data Subject’s personal data where: ·       the Data Subject does not believe that Kingsbridge needs the Data Subject’s personal data in order to process it for the purposes set out in this Notice; ·       if the Data Subject has given Kingsbridge consent to process the Data Subject’s personal data, the Data Subject withdraws that consent and Kingsbridge cannot otherwise legally process the Data Subject’s personal data; ·       the Data Subject objects to Kingsbridge processing and Kingsbridge does not have any legitimate interests that mean it can continue to process the Data Subject’s personal data; or ·       the Data Subject’s personal data has been processed unlawfully or has not been erased when it should have been.
Object to processing of the Data Subject’s personal data.	The Data Subject has the right to object where Kingsbridge is relying on a legitimate interest (or those of a third party) and the Data Subject feels the processing of its personal data impacts on its fundamental rights and freedoms.   The Data Subject also has the right to object where Kingsbridge is processing the Data Subject’s personal data for direct marketing purposes.   In some cases, Kingsbridge may demonstrate that Kingsbridge has compelling legitimate grounds to process the Data Subject’s personal data which override the Data Subject’s rights and freedoms.
Request restriction of processing of the Data Subject’s personal data.	This enables the Data Subject to ask Kingsbridge to suspend the processing of the Data Subject’s personal data in the following scenarios: ·       if the Data Subject wants Kingsbridge to establish the accuracy of the personal data; ·       where Kingsbridge’s use of the personal data is unlawful but the Data Subject does not want Kingsbridge to erase it; ·       where the Data Subject needs Kingsbridge to hold the personal data even if Kingsbridge no longer requires it as the Data Subject needs it to establish, exercise or defend legal claims; or ·       the Data Subject has objected to Kingsbridge’s use of the personal data but Kingsbridge needs to verify whether Kingsbridge has overriding legitimate grounds to use it.
Request the transfer of the Data Subject’s personal data to the Data Subject or to a third party.	The Data Subject can require Kingsbridge to provide to the Data Subject, or a third party the Data Subject has chosen, the Data Subject’s personal data in a structured, commonly used, machine-readable format.   This right only applies to automated personal data that the Data Subject initially provided consent for Kingsbridge to use or where Kingsbridge used the personal data to perform a contract with the Data Subject.
Withdraw consent at any time where Kingsbridge is relying on consent to process the Data Subject’s personal data.	This will not affect the lawfulness of any processing carried out before the Data Subject withdraws its consent.   If the Data Subject withdraws its consent, Kingsbridge may not be able to provide the Data Subject with access to the Platform or certain functionalities.  Kingsbridge will advise the Data Subject if this is the case at the time that the Data Subject withdraws consent.

Exercising These Rights

To exercise any of the rights set out above, please contact Kingsbridge using the contact details provided in section 12 (How to Contact Kingsbridge) below.  Kingsbridge will respond to any rights that a Data Subject wants to exercise within one (1) month of receiving the request, unless the request is complex, in which case it may take longer.

Kingsbridge may need to request specific information from a Data Subject to help it confirm that Data Subject’s identity and that Data Subject’s right to access its personal data (or to exercise any of its other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. Kingsbridge may also contact the Data Subject to ask it for further information in relation to its request to speed up Kingsbridge’s response.

Please be aware that there are exceptions and exemptions that apply to some of the rights, which Kingsbridge will apply in accordance with the applicable data protection laws.

Complaints

In addition to the above rights, Data Subjects’ have the right to lodge a complaint with a supervisory authority.

Personal Data Obtained by Kingsbridge from Third Parties

Data Subjects should review the privacy notice provided by the applicable third party or contact that third party for details about what rights the Data Subject has in respect of the personal data processed by that third party and how to exercise them.

No Contract

Please note that this Notice does not form a contract between Data Subjects and Kingsbridge.

 

11. FINANCIAL CONDUCT AUTHORITY

 

Kingsbridge Risk Solutions Limited is authorised and regulated by the Financial Conduct Authority. FCA firm reference number: 309149.

 

12. HOW TO CONTACT KINGSBRIDGE

 

To ask any questions regarding this Notice or to exercise any rights, please contact the Kingsbridge Data Privacy Officer using the following contact details:

 

Address: 9 Miller Court, Tewkesbury, Gloucestershire, GL20 8DN

Telephone: 01242 808740

Email: info@kingsbridge.co.uk

 

13. AMENDMENTS TO THIS NOTICE

 

Kingsbridge reserves the right to change, modify, add or remove portions of this Notice from time to time and in its sole discretion but will update Data Subjects that changes have been made by indicating on this Notice the date it was last updated.