Who will have access to your data?
Data will be used by Omnilife in the manner set out below (see “How will we use personal data” below).
What will we collect?
We will collect personal information about your employees (such as their name, work post code, date of birth, salary) when you apply for any of our products and services. For some products, we may also need to ask your employees about their health. We will only use your employees’ health information for the purpose of providing your policy.
Personal data – what is it?
Personal data is defined as any data from which a living individual can be identified. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”).
How will we use personal data?
We will use personal data provided to:
- Provide the quote and/or financial services that you have requested
- Administer your policy
- Confirm your employees’ identity before providing them with details of any personal information we may hold about them
- Update contact details
- Comply with the law or our regulatory requirements
- Carry out reporting, data analysis, management information and research.
If you communicate to us by email, we will need to keep your email communication for our records. The legal basis on which we will process personal data provided is legitimate interests – i.e. to provide your employees with insured benefits.
Which other organisations may we share personal data with?
We may disclose information to our group companies and in addition share information with:
- our reinsurer, General Reinsurance AG (GenRe) – a link to GenRe’s privacy notice can be found at: www.genre.com/DataPrivacy
- our medical data service provider: Medicals Direct Group
- our claims service partners: Pitmans Trustees Limited
- our IT service providers: IIJ Europe and Financial Information Technology, as part of the ongoing maintenance and development of our systems and services
- our parent company: Reinsurance Group of America
- our regulators and government agencies: the Financial Conduct Authority, Prudential Regulation Authority and Her Majesty’s Revenue and Customs ‘HMRC’
- your own doctor or relevant medical professionals, should we require additional information as a result of the answers you have supplied as part of our individual assessment process or in connection with a claim
- your employer and/or their advisers and the advisers’ suppliers. We will not share sensitive or special categories of data (e.g. medical or health information) with your employer or their advisers.
We generally hold personal data within the UK. Where we use service providers that are located in or have access to your personal data from a “third country”, i.e. a country outside the European Economic Area that is not recognised to possess an adequate level of data protection by the standards of UK (and EU) law, we put appropriate safeguards in place to ensure personal data is protected and kept secure.
How long do we hold personal data for?
We will keep personal information only as long as we require it either for policy administration or in respect of any complaints relating to the policy. We will retain insurance records to satisfy regulatory requirements which will be for a maximum of seven years after we stop providing the insurance. After this time, data will either be anonymised (a means by which an individual can no longer be identified by the data) or deleted. We will regularly review our data retention policy to ensure that data is not kept for longer than is necessary.
How can employees access the personal data we hold and correct it?
Your employees have the right to ask for a copy of the information we hold about them and to correct any inaccuracies in the information we hold. To make a request for any personal information we may hold about them, they should complete a Data Subject Rights Request form on our parent company’s (RGA) website: https://www.rgare.com/dsr-intake/insured
Following the completion of the Subject Access Request form, within one month of their request we will:
- provide a description of the information we hold
- confirm why we are holding it
- confirm who it could be disclosed to
- provide a copy of the information in an intelligible form, usually a pdf file.
If we do hold information about the employee, they can ask us to correct any mistakes by completing the online form detailed above.
Some complicated requests may require up to 90 days for completion and response. If so, you will be notified within 30 days of the additional time requirement.
Before you provide us with any personal data about an employee(s) you must obtain the correct authority from the individual(s) concerned and undertake to keep them advised about how their information will be used.
By requesting a quote and/or provision of financial services, you are saying that you agree to the collection and use of any personal information sent to or requested by us, provided it is used as set out in this Policy. We will only keep your employees’ information for as long as it is relevant for the purpose for which it was collected or requested in accordance with applicable regulations.
In certain circumstances we may need an employee’s consent to obtain additional personal information, e.g. for individual assessment or as part of our claims assessment process. The employee has the right to withdraw their consent at any time; however, once consent has been refused or withdrawn we will not be able to continue with processing their personal data. Should an employee decide that they no longer wish to continue with their individual assessment process or a claim, they should complete an online Data Subject Rights Request form on our parent company’s (RGA) website: https://www.rgare.com/dsr-intake/insured
Whilst we are committed to making sure we protect the privacy of personal data, the Internet (including email) is not a 100% secure medium of communication and, accordingly, we cannot guarantee the security of any information transmitted via the Internet. We are not responsible for any damages you, or others, may suffer as a result of the loss of confidentiality of such information.
We may monitor or record your communications with us to improve our service and the services we provide through this website and for security and regulatory purposes.
The Company does not make any decisions based on automated decision making processes.
How to complain
If an employee is unhappy with the way in which their personal data is handled, they should contact our Data Protection Officer by email at email@example.com or by post at:
Data Protection Officer
Omnilife Insurance Company Limited
24 Chiswell Street
If they remain unhappy with our response to their complaint, they can complain directly to the Information Commissioner’s Office (ICO). The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. To raise a complaint, visit https://ico.org.uk/concerns/.
Omnilife Insurance Company Limited is registered with the UK Information Commissioner under the Data Protection Act 1998, registration number ZA165009.