The General Data Protection Regulation (GDPR), (Regulation (EU) 2016/689), takes effect on 25th May 2018. It requires all contracts between Data Controllers and Data Processors to contain various provisions to ensure that the processing of Personal Data meets the requirements of the GDPR.
Capital IM acts as a Data Controller for the purposes of GDPR in respect of the Personal Data of individual policyholders for which our appointed Agents act as Broker. This detail is processed and retained for legitimate purposes and to allow us to offer our services. We may, subject to formal agreements, outsource our processing to external contractors.
In due course revised Agency agreements will be issued to all appointed Agents. In the interim, the following outlines our GDPR procedures and our expectations of GDPR adherence by our appointed Agents.
As of May 2018, Capital IM is working towards ISO 27001 accreditation. ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS): a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.
Each appointed Agent of the Firm Capital IM must take its own steps to determine whether it acts as a Data Controller or Data Processor as defined in the Data Protection Acts 1988 and 2003 and the GDPR. Data Protection Law, for the purposes of this statement, means the Data Protection Acts 1988 and 2003 as amended, updated or repealed, and includes the EU General Data Protection Regulation.
Automated Data means data held electronically or on computer.
Consent of the data subject means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by a statement or a clear affirmative action signifies agreement to the processing of Personal Data relating to him or her. (Art. 4(11) GDPR)
Data Subject means the individual about whom the Personal Data relates. For appointed Agents this means both your customers and staff.
Data Controller controls the data and its use.
Data Processor processes the data on behalf of the Data Controller.
Manual Data means data held on paper or hard copy but only if it is part of a “relevant filing system”.
Processing includes anything done on or to data, and therefore covers:
- Obtaining, recording or keeping data
- Collecting, organising, storing, altering or adapting data
- Retrieving, consulting or using data
- Disclosing data by transmitting, disseminating or making available
- Aligning, combining, blocking, erasing or destroying data.
Personal Data means data (S.63 DP Bill):
Relating to identifiable living individuals, or which could identify a living individual by reference to the data, such as by an identifier (e.g. name, identification number, location data, online identifier), or by reference to one or more specific factors such as the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. It includes data on criminal convictions and offences, and covers both automated and manual data.
Sensitive or Special Category Data means any Personal Data as to (S.2 DP Bill):
(a) Racial or ethnic origin, or
(b) Political opinions or religious or philosophical beliefs, or
(c) Trade union membership, or
(d) Physical or mental health or condition or sexual life, or
(e) Biometric data, or
(f) Genetic data.
Data relating to criminal convictions and offences (including on-going criminal proceedings) is no longer categorised as Sensitive Data.
Without prejudice to the generality of the foregoing, it is envisaged that each Party, as Controller, will control and process Personal Data on its own behalf only. However, in the event that Personal Data is processed by either Party (the ‘Processor’) on behalf of the other Party (the ‘Controller’):
The parties agree the details of the:
- Subject matter and duration of the data processing
- Nature and purpose of the data processing
- Types of Personal Data and categories of data subjects
Where Agents refuse permission on behalf of their policyholders for the processing of Personal Data and/or Sensitive Data which we require to be processed for legitimate purposes, we may no longer be able to continue to offer services for that policyholder.
The Processor shall process such Personal Data in compliance with the provisions of Data Protection Law and in particular:
- Shall only process such Personal Data in accordance with the documented instructions of the Controller and solely as strictly necessary for the performance of its obligations under an existing agency agreement.
- Shall ensure that the persons authorised by the Controller to process such Personal Data are bound by appropriate confidentiality obligations.
- Shall implement such technical and organisational security measures as are required to meet the data security obligations under Data Protection Law.
- Shall not engage any sub-processor without the prior written consent of the Controller and where the Controller has consented to the appointment of a sub-processor, the Processor must not replace or engage other sub-processors without the prior written consent of the Controller.
- Where any sub-contractor of the Processor will be processing such Personal Data on behalf of the Controller, the Processor shall ensure that a written service level agreement exists between the Processor and the sub-contractor, ensuring that the sub-contractor meets the standard of technical and organisational security measures that the Controller requires of the Processor.
- Shall ensure that staff are appropriately trained in Data Protection Law.
- In the event that any sub-processor fails to meet its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.
- Shall inform the Controller immediately in the event of receiving a request from a Data Subject to exercise their rights under Data Protection Law, and shall provide such co-operation and assistance as may be required to enable the Controller to deal with such request in accordance with Data Protection Law.
- Shall at the choice of the Controller and subject to regulatory restrictions, agree to delete or return all such Personal Data to the Controller when the Processor ceases to provide services relating to data processing.
- Shall make available to the Controller all information necessary to demonstrate compliance with Data Protection Law specific to the processing of Personal Data. This may include audits or inspections completed by the Controller or by an outsourced contractor mandated by the Controller.
- Shall notify the Controller without undue delay (and in any event within 24 hours) after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, unauthorised disclosure of, or access to, Personal Data transmitted or otherwise processed, and shall provide to the Controller such co-operation and assistance as may be required to mitigate the effects of, or comply with reporting obligations which may apply in respect of, any such breach; and
- No such Personal Data shall be transferred outside of the European Economic Area by the Processor or any of its agents or sub-processors without the prior written consent of the Controller, which consent may be subject to specific terms and conditions on the handling of such Data.