This Privacy Statement relates to La Fraternelle Mutual Fire Insurance Society (“La Fraternelle”).
La Fraternelle is a Mutual Society established in the Bailiwick of Guernsey and is registered with the Office of the Data Protection Authority as a data controller. The clients / policyholders dealt with by La Fraternelle are resident in the Bailiwick of Guernsey. La Fraternelle has appointed Orion Insurance Management Limited as a data processor.
La Fraternelle has to comply with applicable legislation in respect of data protection, being the Data Protection (Bailiwick of Guernsey) Law, 2017 and any other data protection laws or regulations having effect in the Bailiwick of Guernsey.
Additionally, La Fraternelle has contractual confidentiality obligations which are owed to clients, prospective clients, Service Providers and potentially others.
In the ordinary course of business, La Fraternelle comes into possession of personal and / or confidential information (“Data”) in respect of individuals (“Individuals”), such as:
- Clients/policyholders (who may also be categorised as members) & prospective clients/policyholders (who may also be categorised as prospective members)
- Complainants, correspondents and enquirers
- Relatives, guardians and associates of the data subject
- Advisers, consultants and professional experts and their directors, officers, employees, agents and representatives
- Directors and employees (including temporary and casual workers) of La Fraternelle
La Fraternelle will process personal data for the following purposes:
- Accounting, bookkeeping and related services
- Advertising, marketing and public relations
- Customer & client administration
- Insurance administration
- Membership administration
- Personnel, employee and payroll administration
For the purposes of this privacy statement, Data may include personal information, contracts and related documents between La Fraternelle and other parties (whether or not Individuals) including the service providers to La Fraternelle (“Service Providers”), and includes any information that relates to an identified or identifiable living Individual from which that Individual can be identified (whether from that information alone, or in conjunction with other information which La Fraternelle has or is likely to obtain) (“Personal Data”).
Personal data is defined in the relevant legislation. The data classes that La Fraternelle may process include:
- Personal details
- Employment details
- Financial details
- Education and training details
- Family, lifestyle and social circumstances
- Goods or services provided
La Fraternelle may also process special categories of data or sensitive data, including:
- Offences (including alleged offences)
- Trade union membership
In obtaining and using Personal Data in connection with shareholders or prospective investors, Service Providers and others (as may be applicable), La Fraternelle will act as a data controller.
The Data may be held electronically, processed via automated processes, or held in general files, and where processed on La Fraternelle’s behalf by Service Providers, will be subject to written contracts governing that processing and setting out the security and confidentiality measures which the Service Providers have committed to implement.
This document sets out La Fraternelle’s policies and guidelines with regard to the obtaining, storing, processing, use, disclosure, transfer and safeguarding of Data as data controller.
For the avoidance of doubt and notwithstanding anything to the contrary in this privacy statement, nothing in this privacy statement shall prevent La Fraternelle from complying with any legal or regulatory obligation to disclose data in accordance with applicable law or regulation.
Obtaining and Using Personal and Confidential Data
Personal Data may only be processed if the data subject has given his / her consent, or if the processing is necessary for the performance of a contract to which the data subject is party, for the taking of other pre-contractual measures at his / her request, where processing is otherwise necessary for compliance with legal obligations, to protect the vital interests of the data subject; or is otherwise necessary for legitimate interests or on public interest grounds.
As a Data Controller, La Fraternelle is responsible for, and must be able to demonstrate, compliance with the Data Protection Principles:
- Personal Data must be processed fairly, lawfully and in a transparent manner
- Personal Data must be collected for specified, explicit and legitimate purposes, and not further processed in a manner which is incompatible with those purposes
- Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected
- Personal Data must be accurate and, where necessary, kept up to date, and reasonable steps must be taken to ensure that Personal Data that is inaccurate is erased or corrected without delay
- Personal Data must be kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which it is processed
- Personal Data must be processed in a manner that ensures its security appropriately, including protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures
In addition, La Fraternelle imposes confidentiality obligations on its Service Providers and is subject to confidentiality obligations regarding shareholders (and prospective investors) and Service Providers.
- Only Data, which is strictly necessary for the purpose of a share subscription and / or the contract between La Fraternelle and a shareholder or prospective investor or a Service Provider, should be requested or obtained from the relevant party
- Through the application forms, privacy statement(s) and prospectus, La Fraternelle makes shareholders, prospective investors, Service Providers and relevant Individuals aware of:
  - the identity of La Fraternelle;
  - the purposes for which the Data relating to that relevant Individual will be stored and used;
  - the legal basis for that processing and
    - where that legal basis is a legitimate interest of La Fraternelle or a third party, a description of those legitimate interests and the right to object to the processing; and
    - where the legal basis is consent, the right to withdraw consent;
  - the recipients or categories of recipients (if any) of the Data;
  - where applicable, details of international data transfers;
  - details of storage and retention periods;
  - details of any automated decision-making, including any profiling;
  - the right of Individuals to get access to their Personal Data, to rectify any such Personal Data, and their other rights applicable to data protection laws;
  - the right to lodge a complaint with the Office of the Data Protection Authority (“ODPA”), which can be contacted at firstname.lastname@example.org or by telephone on +44 (0) 1481 742074.
- La Fraternelle will not use Data other than for the purposes which have been brought to the attention of the relevant Individual and, if consent is required, to which the relevant Individual has consented.
- Where Service Providers process Data for La Fraternelle pursuant to contracts between La Fraternelle and the Service Providers, the Service Providers act as data processors of La Fraternelle. La Fraternelle will ensure that:
  - appropriate due diligence is undertaken on such Service Providers to confirm that the Service Providers provide sufficient guarantees to implement appropriate technical and organisational security measures so as to meet the requirements of applicable law and to ensure the protection of the rights of the Individuals with regard to their Personal Data; and
  - any contracts with such Service Providers impose obligations on the Service Providers which are required under applicable law and which assist La Fraternelle in complying with its own obligations under applicable law.
- Where Service Providers are dealing with existing shareholders, the Service Providers have confirmed that they have procedures in place to verify on behalf of La Fraternelle that all existing Data held relating to those existing shareholders is accurate and up to date.
Recipients of Data held by La Fraternelle may include:
- Employees and agents of La Fraternelle
- Ombudsman & Regulatory Authorities
- Police Forces
- The individual or customer themselves
- Relatives, Guardians or Other Persons Associated with the Customer or Individual
- Suppliers, Providers of Goods or Services
Storage and Security of Data
Each of La Fraternelle and the Service Providers is obliged to implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, or accidental loss, alteration, unauthorised disclosure or access. This applies particularly where such Personal Data will be transmitted over a network. Similar security measures should also apply to the other Data.
Generally, La Fraternelle shall, and where it appoints the Service Providers, shall ensure that the Service Providers shall:
- considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Individuals, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which shall include, as appropriate:
  - pseudonymisation and encryption;
  - the ability to ensure ongoing confidentiality, integrity, availability and resilience;
  - the ability to restore availability and access in a timely manner in the event of a technical incident;
  - a process for regular testing, assessing and evaluating the effectiveness of those measures;
- take all reasonable steps to ensure that employees and other agents are aware of and comply with the security measures which have been implemented, including training of their respective relevant employees and agents;
- ensure that technical security controls are implemented to limit access to the Data on a “need to know” basis;
- ensure that all hard copies of Data are securely stored and are only accessed on a “need to know” basis.
La Fraternelle is obliged to retain certain information to ensure accuracy, to help maintain quality of service and for legal, regulatory, fraud prevention and legitimate business purposes.
It is obliged by law to retain customer-related identification and transaction records for five years from the end of the relevant investor relationship or the date of the transaction respectively. Other information, including personal data of the directors and business contact information, will be retained for no longer than is necessary for the purpose for which it was obtained by La Fraternelle or as required or permitted for legal, regulatory, fraud prevention and legitimate business purposes. In general, La Fraternelle (or its service providers on its behalf) will hold this information for a period of seven years from the termination of the relevant business relationship, unless it is obliged to hold it for a longer period under law or applicable regulations. Certain director information may be held indefinitely where it forms part of the statutory books and records of La Fraternelle.
La Fraternelle (or its service providers on its behalf) will also retain records of telephone calls and any electronic communications for a period of five years from the date of such call or communication.
In accordance with applicable data protection laws, La Fraternelle will be obliged to notify the ODPA of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data (each a “personal data breach”) within 72 hours of becoming aware of same, unless the personal data breach is unlikely to result in risks to Individuals. Furthermore, La Fraternelle will need to notify any impacted Individuals without undue delay where a personal data breach is likely to result in a high risk to those Individuals.
In the event of a personal data breach:
- La Fraternelle shall consider the likely risks arising from the Personal Data breach, taking into account the nature and scope of the personal data in question, the extent of the breach, the period of the breach, and any security measures which may militate against risk, such as encryption. In doing so, the potential consequences for the affected Individuals will be considered;
- any incident in which Personal Data has been put at risk will be reported to the ODPA within 72 hours of La Fraternelle becoming aware of the incident. Where a report is made to the ODPA, La Fraternelle will provide such information and detail as is required under applicable data protection laws or as the ODPA may request, which shall include:
  - a description of the nature of the personal data breach, including where possible, the categories and approximate numbers of impacted Individuals, and the categories and approximate number of personal data records concerned;
  - a description of the likely impact of the personal data breach;
  - a description of measures to mitigate possible adverse effects;
- reporting to the ODPA may be conducted in phases where the full extent of the personal data breach is not known within 72 hours of La Fraternelle becoming aware of same. Any such phased reporting will be conducted in consultation with the ODPA;
- any incidents which are likely to result in high risk to Individuals will be notified to the impacted Individuals without undue delay unless this would involve disproportionate effort. In this latter case, a public communication or similar equally effective notification measure shall be implemented by La Fraternelle;
- Where, having considered the matter, La Fraternelle comes to a determination that no notification need or will be made to the ODPA and / or the affected data subjects, La Fraternelle shall in any event keep a summary record of each incident which has given rise to the risk of unauthorised disclosure, loss or alteration of personal data, which will include an explanation as to why La Fraternelle did not consider it necessary to inform the ODPA.
- Records of security incidents will be made available to the ODPA on request.
La Fraternelle shall ensure that the Service Providers notify La Fraternelle without delay of any security incident and provide all reasonable assistance to La Fraternelle to enable it to comply with its obligations under data protection law.
Privacy Impact Assessments
La Fraternelle may be required to undertake privacy impact assessments in relation to the processing of Personal Data in certain circumstances and will undertake an impact assessment where the processing in question, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to Individuals.
Without limitation, the following may be indicative of high risk processing:
- a significant change to the processing operations relating to the Personal Data, including where implemented by one of the Service Providers;
- processing involving evaluation, scoring, monitoring or profiling of Individuals;
- combining of two or more data sets arising from separate processing operations conducted for different purposes;
- innovative use of technologies or of organisational measures to protect Personal Data;
- Data transfers across borders outside the European Economic Area (the “EEA”) or equivalent jurisdictions (including Guernsey).
Any privacy impact assessment shall include:
- a systematic description of the envisaged processing operations and the purposes of the processing, including where applicable the legitimate purposes pursued by La Fraternelle;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to Individuals; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure protection of personal data and to demonstrate compliance with applicable data protection laws taking into account the rights and legitimate interests of Individuals.
La Fraternelle shall consult with the ODPA where necessary in accordance with applicable data protection laws, and where appropriate shall seek the views of Individuals or their representatives.
La Fraternelle shall ensure that the Service Providers notify La Fraternelle without delay of any new processing or change in processing arrangements (including implementation of any new technology) to facilitate La Fraternelle in determining whether the processing is likely to result in high risk to Individuals and shall provide all reasonable assistance to La Fraternelle to enable it to comply with its obligations under applicable data protection laws with regard to undertaking a privacy impact assessment.
Transfers of Data from the EU or equivalent jurisdictions
The transfer and distribution of Personal Data, whether to a Service Provider or a third party, is restricted, and is only permitted in limited circumstances. Particular restrictions and limitations apply to the transfer of Personal Data to countries outside of the EEA or those that do not have equivalent levels of data protection.
No transfer of data outside of the EEA or equivalent countries will be permitted unless the board of La Fraternelle has approved both the transfer and the measures implemented at the recipient company.
Subject Access Requests
Where an Individual makes a subject access request in writing, there is an obligation on the data controller to provide certain information to the data subject.
Accordingly, on receipt of any data subject access request, La Fraternelle shall within 30 days:
- inform the Individual as to whether the data processed by or on behalf of La Fraternelle includes Personal Data relating to the Individual, and where it does, to provide a description of:
  - the categories of the Personal Data;
  - the Personal Data constituting the data;
  - the purposes for which they are being or are to be processed;
  - the recipients or categories of recipients to whom they are or may be disclosed;
  - information as to source, where not obtained directly from the Individual;
  - where possible, the envisaged storage period, or alternatively the criteria used to determine that period;
  - the right to lodge a complaint to the Office of the Data Protection Authority;
  - details of any automated decision making or profiling;
  - the appropriate safeguards with regard to international data transfers.
- provide the Individual with a copy of the Personal Data of the Individual;
- provide the relevant information to the Individual free of charge, in an easily visible, intelligible and clearly legible manner within one month of a proper request from the data subject, unless an exception applies under applicable data protection laws.
If La Fraternelle does not intend taking action at the request of the data subject, La Fraternelle shall inform the Individual without delay of the reasons for not taking action, as well as of the right of the Individual to complain to the ODPA.
La Fraternelle shall ensure that the Service Providers notify La Fraternelle without delay of any data subject access request and provide all reasonable assistance to La Fraternelle to enable it to comply with its obligations under applicable data protection laws in relation to any data subject access requests.
Other Data Subject Rights
Individuals have the following rights, in certain circumstances:
- the right to rectify Personal Data
- the right to restrict processing
- the right to object to processing
- the right to be forgotten
- the right to data portability.
La Fraternelle shall comply with applicable data protection laws in honouring Individual rights as set out above. However, if La Fraternelle does not intend taking action at the request of the data subject, La Fraternelle shall inform the Individual without delay of the reasons for not taking action, as well as of the right of the Individual to complain to the ODPA.
La Fraternelle shall ensure that the Service Providers notify La Fraternelle without delay of any data subject requests to enforce the above rights and provide all reasonable assistance to La Fraternelle to enable it to comply with its obligations under applicable data protection laws in relation to any such data subject requests.
Contacting La Fraternelle
La Fraternelle can be contacted at its registered office:
29 Glategny Esplanade
St Peter Port,
La Fraternelle has nominated David Le Poidevin as the individual responsible for data protection, who can be contacted at David@La Fraternelle-insurance.co.uk or on 728864.
Updates to this Privacy Statement
Any changes La Fraternelle makes to its Data protection and Privacy Statement in the future will be posted on its website. Please check back frequently to see any updates or changes.