Consumer privacy notice

This notice describes how we collect, store, use and share personal data.  It also explains the rights you may have in relation to the personal information that we hold about you. It applies to personal data provided to us directly and indirectly, both by you, and by others on your behalf.

Throughout this notice, when we say ‘we’ or ‘us’ we’re referring to the Royal London Mutual Insurance Society Limited, a company registered in England and Wales, authorised and regulated by the FCA (registration number:99064).

This is the ‘parent’ company of the Royal London Group and is your main point of contact for all of our companies. We have several different companies who sit underneath. Within the Royal London Group, one or more of the following authorised and regulated firms will process information to provide your products and services:

  • Royal London Marketing Limited is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales number 4414137.
  • Royal London Savings Limited is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales number 3642633.
  • Royal London Asset Management Limited is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales number 2244297.
  • Royal London Marketing (CIS) Limited is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales number 3390839.
  • RLUM (CIS) Limited is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales number 2369965.
  • Royal London (CIS) Limited is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales number 8629353.

Personal data is defined under the General Data Protection Regulation (GDPR) as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

In essence, personal data is your personal information. Please see section 3 for the type of personal data that we collect. We collect and process personal data primarily in order to provide you with our products and to administer a policy you have with us. Section 4 of this privacy notice tells you what you can expect us to do with your personal data when you make contact with us or use one of our services.

When we collect your personal data, we’ll let you know if any of it is optional. If it is, we’ll explain why it would be useful to us, and you can decide whether it’s something you’re happy for us to have.
 
Dependent on the type of product and service provided we may collect and process the following personal data about you:
 

  • Information about you - such as your name, age, gender, date of birth, work/profession, hobbies and nationality.
  • Special category data - this is personal data that needs more protection because it is sensitive.  Where it is relevant to your policy, we will collect information relating to your medical history, health, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, and biometric data, where it is used for identification purposes.
  • Government identifiers – for example, information from your identification documents, such as your driving license, National Insurance number or passport.
  • Contact information – for example, your address, email address and phone numbers.
  • Online information – for example Cookies and IP address (your computer’s internet address), if you use our websites.
  • Financial information – for example salary and your bank account details for any payments you make to us or we make to you.  If we need to verify information on your finances, we will require copies of your financial accounts.
  • Telephone calls or video recordings – for example voice recording when you contact us, complete a survey at the end of a call to our Customer Services Team or CCTV footage if you visit our offices.
  • Contractual Information – for example details about your products and benefits.
  • Family & beneficiaries’ information – for example your marital status, dependants, next of kin, family medical history or nominated beneficiaries. If you provide information on another individual it’s important you ensure they are aware of the detail you`ve provided to us.  Their personal data will be processed in accordance with this Privacy Notice, so please let them know it’s important that they read this policy.

We use your personal data for a number of reasons: 

  • Providing a quote, underwriting, processing your application, setting up and administering your policy We need this information to help us calculate your premium. For larger cases we may need additional financial information.  We use this information to establish if, and on what terms, we can offer you insurance cover.
  • Completing any requests, making and receiving payments, or managing any queries or claims you make.
  • Verifying your identity, preventing fraud and financial crime.
  • Researching our customers’ opinions and exploring new ways to enhance the servicing experience we provide to meet your needs.
  • Assessing, developing and managing our products, systems, prices, our business and brand.
  • Fulfilling any other legal or regulatory obligations.
  • Sending you information relating to your product.
  • Telephone calls may be recorded to allow you to give us instructions by phone, to analyse, assess and improve our customer service, for training and quality purposes, to manage complaints and to protect you and your information from fraud and financial crime.
  • Identifying vulnerable customers to help determine whether we need to take further steps to ensure these customers are not disadvantaged in any way. (please refer to section 10 for further information).
  • Automated decision making as part of our sales process when you receive a quote and profiling as we may make an assumption on you (please refer to section 10 and 11 for further information).
  • Sending you marketing information by post, or where you have provided permission to be contacted by email, text and other electronic means – you can easily change your mind and “opt out” of receiving marketing information by emailing us: GDPR@Royallondon.com or ringing us on 0345 602 1885. If you’re a member, sending you membership information and managing your rights.
  • No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. Any marketing communication you may receive will be from Royal London.
  • We also use your information to create “lookalike audiences” to help us target campaigns to new people who are similar to our best customers.
  • Managing the relationship with your Financial Adviser, if you have appointed one.
  • Monitoring the use of our websites – for further information please see our Cookies Policy

Most of the personal data we get comes directly from you when you apply for one of our products or services, or from your Financial Adviser if you have appointed one.  We may also, where necessary, obtain personal data about you from other sources. 

  • Medical professionals – for example if we need information to set up your policy or to support a claim. We will only do this if you provide us with consent.
  • Premium quotation services - If you used an introducer or a quotation service (price comparison website) to obtain premium quotes for you, the service provider will share some of your information with us.
  • Tracing companies - if we lose touch, we may use a trusted 3rd party to find you and reunite you with your policy, if we can.
  • Data brokers
    • if it’s necessary and reasonable to obtain contact information (email and phone numbers) to carry out customer research, promote brand awareness or remind you about the benefits of your plan; or;
    • to help put our customers into groups for product development and assessment purposes.
  • Affinity partnerships - where you have taken a policy out via one of our partnerships, we will receive your information from them.  Further information on the partnership will have been provided when you took out the policy.
  • Introducers – if you receive a quote from one of our introducers or a price comparison website.
  • The policyholder to the policy, on behalf of another person covered or a beneficiary.
  • ‘Third party cookies’ - to collect information on how visitors use our website.  Our Cookies Policy can give you more information.
  • Publicly available information - including social media websites and online content, newspaper articles, television, radio and other media content, court judgements, public registers, electoral register and specialist databases (for example Companies Registration Office, and Dow Jones).

As you’d expect, our employees will access your records for the purposes mentioned above.  For example, our customer service staff need access to your policy details to support you when you get in contact and our research team will need access to a subset of your data to perform their analysis.  We regularly check who has access to our systems.

 

We will also share your personal data with these third parties:

  • Your Financial Adviser, if you have appointed one. For example, you may have authorised your Financial Adviser to:
    • make changes to your policy on your behalf.
    • obtain copies of your documentation to look after your policies. 
  • Affinity partnerships– if you receive a quote or buy a policy through one of our partner relationships, we will, where necessary, share your information with them to enable them to contact you to support an enquiry, offer a new product or service or contact you when a payment has been missed.
  • Introducers – if you receive a quote from one of our introducers or a price comparison website, we will, where necessary, share your information with them to enable them to contact you to support an enquiry, offer a new product or service or contact you when a payment has been missed.
  • Our service providers, e.g.  those who perform some underwriting activities for us, mailing houses for printing, market research agencies, offsite storage, confidential waste disposal companies and approved IT specialists who support our technology.
  • Our professional advisers: auditors; medical professionals, legal advisers.
  • Our annuity bureau panel of providers who help us to provide quotes for you – if you have a pension and choose to use the service when you retire.
  • Our Reinsurers*, who require data including policy details, claims, medical and suspected fraud and other financial crime data.
  • Trustees - if your plan is held in trust, we'll need to share limited information with the trustee(s).
  • Identity authentication, law enforcement and fraud prevention agencies.
  • Legal and Regulatory bodies e.g. The HM Revenue & Customs, the Courts of the UK, regulators such as the Financial Conduct Authority, Information Commissioner’s Office, Financial Ombudsman Service and the UK Financial Services Compensation Scheme.
  • Data Brokers (e.g. Experian) in order for us to source contact details for research, where appropriate.
  • If you pay your premium by Direct Debit, we will share your information with our bank.
  • We may share your information with advertising partners (e.g. Facebook, Google, YouTube, Sky TV, ITVX, 4OD) to help us identify and market to new customers, or to serve you ads we think might be relevant to you. We will always consider your rights and freedoms before we do this and assess the balance between our interests and yours.
  • Companies within the Royal London Group.
  • Companies you ask us to share your information with.
  • In the event Royal London was to merge or sell any part of its business or assets, it will be necessary to pass your personal information to the prospective buyer/party.

Please note that any third parties will only process your personal data on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

Reinsurers

Our Reinsurers require information including policy details, claims, medical and suspected fraud and other financial crime information.  Reinsurance, or insurance for insurers, allows us to insure some of our risk with another company or companies.  Our Reinsurers will use your information for purposes such as, but not limited to, deciding whether to provide reinsurance cover to us, assessing and dealing with claims and to meet legal requirements.

They’ll keep your information for as long as needed for the relevant purposes, in line with the requirements under GDPR, and may need to disclose it to other companies within their group, their agents, third party service providers, law enforcement or regulatory bodies.   Let us know if you want further details of the Reinsurers specific to your policy by using the details in the Contact Us section.

We sometimes use third parties located in other countries to provide support services.  As a result, your personal data may be processed in countries outside the European Economic Area (EEA). 

These services will be carried out by experienced and reputable organisations on terms which safeguard the security of your information and comply with the European data protection requirements.  Some countries have been assessed by the European Commission (EC) as being ‘adequate’, which means their legal system offers a level of protection for personal information which is equal to the EC’s protection.   Where the country hasn’t been assessed as adequate, the method we have chosen to safeguard your information is ‘standard contractual clauses’ within the legal agreement to safeguard the processing of your personal data.

The European Commission and the UK have recognised ‘standard contractual clauses’ as offering adequate safeguards to protect your rights and we’ll use these where required ensuring adequate protection for your information as prescribed by the GDPR. The European Commission approved standard contractual clauses are available here.

We use ‘standard contractual’ clauses for the below activities, to help us provide:

  • IT support and technology development with operations based in India.
  • Reassurance services with our global reassurance partners who have operations based in the United States and Bermuda.
  • Services with other providers/suppliers, research partners and administrators who have operations based in India and the United States.

We will always ensure your personal data is provided with adequate protection and all transfers of personal information outside the EEA are done lawfully.

We have put in place security measures designed to prevent your Personal Data and Special Categories of Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We use Transport Layer Security (TLS) to encrypt and protect email traffic. We also use the Clearswift Managed Email Security Service to protect our outgoing email traffic.  However, if your email service doesn’t support TLS or if you do not wish to use our Clearswift Managed Email Security Service, we may not be able to communicate with you by email, and any emails we do send or receive will not be protected by encryption, and could be intercepted.  We may also change our Email Security Service provider at any time without notice and without changing the provision in this notice.  

Once we receive your information, we use strict procedures and security features to protect your information from unauthorised access. 

In the event of a potential data security breach we will notify you and the Data Protection Commissioner’s Office if we are legally required to do so, or there is a risk to your rights and freedoms as a result of the breach.

We will retain your personal data for as long as it is considered necessary for the purpose for which it was collected, and to comply with our legal and regulatory requirements. This will involve retaining your personal data for a reasonable period of time after your policy or your relationship with us has ended.

In the absence of specific legal, regulatory, contractual requirements or technical reasons, your personal information is kept for 7 years after our relationship with you has ended.

There are some exceptions to this rule:

  • The Financial Conduct Authority requires us to keep some pension transfer information indefinitely.
  • If you applied for a quote for one of our Consumer products we will keep your details on file for two years.  This is for analysis purposes so we can develop our business and also for marketing purposes, if you have not opted out of receiving these communications.
  • As part of our business we undertake specific research and statistical analysis for underwriting, actuarial and pricing purposes.  In this event we may retain minimised personal data, some of which may be medical information.  The use of this data will not be used to make a decision against you.
  • Where there is a dispute, legal or otherwise, between us which requires us to keep your personal information.

Automated Decisions

Automated decisions are where a computer makes a decision about you without a person being involved.  We also profile our customers, which means we make assumptions about you to help us treat you fairly.

Underwriting

We make automated decisions about you as part of the underwriting journey. Our usual process is for us to ask relevant information about your job, interests, travel, health and family history – for example we need to know if one of your interests is skydiving, as this could increase your risk and potentially your premium.

The online system makes a decision based on rules that have been created by specialist rule developers. These rules are based on the internal underwriting guidance.

For life and critical illness cover, if you were unlikely to get an automatic accept or not accept decision, we use ‘machine learning’ to predict the decision that would have been made if you followed the full underwriting process. The machine learns from our own database of existing quote, application and claims information as well as socio-economic data based on your postcode that we obtain from Experian. It decides whether your application would be likely to be accepted or not accepted.

We’ll then indicate whether we can offer our standard premium, an increased premium or exclusions to your cover.

There are some cases where we won’t be able to offer a decision online and need your application to be reviewed by our underwriting team. They may request further information from you or, with your permission, from your doctor before we’ll be able to confirm whether we can offer you cover, and on what basis. There will be a small proportion of cases where we aren’t able to offer cover online and we’ll flag this indicative decision during the online journey. As this is an indicative decision, it means that you don’t have to disclose this, if asked, on other insurance applications. However, you have the right to ask for someone to review the automated decision, so you can also ask for the decision to be made via our manual underwriting process. Note that if the decision is still that we are unable to offer you cover, this would need to be disclosed if you applied for insurance elsewhere.

Crime Prevention

We will undertake checks for the prevention and detection of crime as we are required by law to do so. These checks use automated means to make decisions about you.  This may result in declining the services you requested and stopping services currently provided to you.  Please see section 12 “What are my rights” for further information.

Vulnerability

The Financial Conduct Authority defines a vulnerable consumer as someone who, due to their personal circumstances, is especially likely to experience disadvantage. It’s been identified a lot of people will be vulnerable at some point in their life, so we need to make sure we can identify who these customers are and support them.

We’ve created our own method, using socio-economic data from Experian and additional research with consumers, to help us assess levels of vulnerability within the UK population. We then use this information to help identify how many of our customers are likely to be more vulnerable, and ensure our products are designed with this in mind. For example, we may provide additional information on our statements where we suspect our customers might be less financially capable or less engaged in financial matters.

In the future we’d like to keep a note of the category you fall into, against your records, so we can tailor our communications to suit you. Before we do this, we’ll assess if this is fair.

Socio economic profiling

We may analyse your personal data to create a profile so that we can contact you with information relevant to you. When building a profile, we use Experian software, to provide us with insight into our customers. The software uses a variety of publicly available and market research sources to divide the population into a series of categories. The categories are a way of grouping people who are likely to have similar social, demographic (i.e. age, location) and financial circumstances. The results are assessed and combined so we get a picture of our customers as a whole, and tailor the products and services we provide. Please see section 12 “What are my rights” for further information.

In the future we’d like to keep a note of the category you fall into, against your records, so we can tailor our communications to suit you. Before we do this, we’ll assess if this is fair.

Your rights are outlined below. The easiest way to exercise any of your rights would be to contact our Data Protection Officer at the contact details provided.  We will provide a response within 30 days, if not sooner.  There is normally no charge for exercising any of your rights. We may ask you for proof of identity when you request to exercise some of these rights to ensure we are dealing with the right individual.

Access to your personal information

You have the right to find out what personal data we hold about you, in many circumstances.  Please see section 15 below for our contact details.

Correcting or adding to your personal information

If any of your details are incorrect, inaccurate or incomplete you can ask us to correct them or to add information.

Withdrawing your consent

If you have provided consent for us to use your personal data, you have the right to withdraw your consent at any time. If you withdraw consent, then we may not be allowed to use your data going forward.  However, it would not invalidate any processing that was carried out before you withdrew consent.

Withdrawal of consent may impact the product and services we can provide to you, or the ability to administer your policy such as a claim.  In this event, we will let you know what the impact would be.

Transferring your personal data to another organisation (Data portability)

In some circumstances you can ask us to send an electronic copy of the personal data you have provided to us, either to you or to another organisation.

Objecting to the use of your personal data for legitimate interests

You also have the right to object to any processing done under legitimate interests.  We will re-assess the balance between our interests and yours, considering your particular circumstances.  If we have a compelling reason, we may continue to use your personal data, if that reason is not outweighed by your privacy rights.  However, we will inform you of that decision and reasoning for continuation of processing.

Objecting to direct marketing

You have a specific right to object to our use of your personal data for direct marketing purposes, which we will always act upon.

Objecting to automated decision making

You have a right to object if we have made an automated decision, including profiling, which has legal and significant effect against you.  You may also have the right to challenge the decision and ask for a human review.  These rights do not apply if we are authorised by the law to make such decisions and appropriate safeguards are in place to protect your rights.

Restricting the use of your personal data

If you are uncertain about the accuracy or our use of your personal data, you can ask us to stop using your personal data until your query is resolved.  We will let you know the outcome before we take any further action in relation to this data. 

Right to Erasure

You can ask us to delete your personal data in some circumstances, such as if your policy has ended and we do not need to keep it for legal or regulatory reasons.  If we are using consent to process your personal data and you withdraw it, you can ask us to erase it.

If you’re dissatisfied with how we’re using your personal data, you have the right to complain to the Information Commissioner.  We’d encourage you to contact us first, so we can deal with your concerns.

The Information Commissioner`s office can be contacted by:

  • Visiting their website www.ico.org.uk
  • Phone on 0303 123 1113
  • Write to Information Commissioner`s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Making sure that we keep you up to date with privacy information is a continuous responsibility and we keep this notice under review.  We will update our notice as changes are required.

If we need to use your personal data for a new purpose which we haven’t previously told you about, we will contact you to explain the new use of your data.  We will set out why we are using it and our legal reasons.

This privacy notice was last updated on the 27 June 2024.

If you have any questions or comments regarding this privacy notice, or if you are unhappy about the way Royal London uses your information, please contact us using the following details.

Post: Data Protection Officer, Royal London, Royal London House, Alderley Park, Congleton Road, Nether Alderley, Macclesfield, SK10 4EL.

Email: GDPR@Royallondon.com