Privacy Policy

We process personal information in order to be able to provide our customers with the best possible service/product. We always ensure we have a legitimate purpose and appropriate legal basis to hold personal information. We strive to maintain the highest possible data protection standards and to handle all data with the upmost care and we will only use your data in a safe and ethical way.

Our Privacy Policy

Your trust is important to us, so we want you to be aware of our Privacy Policy which explains how we collect, store and handle your personal information. ‘Personal information’ in this Privacy Policy has the same meaning as ‘personal data’ in the EU General Data Protection Regulation 2016/679/EU (GDPR) and equivalent UK legislation. Essentially, it means any information which is connected to a living individual who can be identified from that information, either by itself or when combined with other data which might come into our possession. Information about individuals acting as sole traders and certain partnerships, where they are individually identifiable, and the information relates to them as an individual may also constitute personal data.

Report a Data Breach

If you suspect data about QBE EO’s customers, staff or other contacts has been inappropriately disclosed or you find QBE EO property which may contain confidential or personal information, please let our Data Protection Team know as soon as possible by completing our Data Breach Form.

Fair Processing Notice

QBE European Operations (‘QBE EO’) is committed to ensuring your privacy is protected. This Fair Processing Notice sets out details of the information that we may collect from you and how we may use that information. Please take your time to read this notice carefully. When using a QBE EO website, this notice should be read alongside the website terms and conditions and cookie policy.

1. About Us

QBE EO is part of a wider group of companies, the QBE Insurance Group, one of the world’s leading international insurers and reinsurers. As a business insurance specialist, we offer a range of insurance products from the standard suite of property, casualty and motor to the specialist financial lines, marine and energy. All are tailored to the individual needs of our client base of small, medium and large businesses.

To enable us to provide insurance services, including providing a quote and then insurance, and dealing with any claims or complaints that might arise, we need to collect and process data. This makes us a ‘data controller’ for any personal information that you provide to us which makes us responsible for complying with data protection laws.

The specific company acting as a data controller of your personal information will be listed in the documentation we provide to you. A list of all the companies within QBE EO which act as data controllers is set out below.

QBE Underwriting Limited
QBE European Operations Plc
QBE UK Limited (‘QBE UK’)
QBE Europe SA/NV
QBE Management Services (UK) Limited
QBE Management (Ireland) Limited
QBE Underwriting Services (Ireland) Limited
QBE Underwriting Services (UK) Limited
QBE European Services Limited
QBE Europe Intermediary Services SAS

If you are unsure about who the data controller of your personal information is, you can also contact us at any time by e-mailing us at dpo@uk.qbe.com.

2. About the insurance market

Insurance involves the use and disclosure of your personal information by various insurance market participants such as intermediaries, insurers and reinsurers. The London Insurance Market Core Uses Information Notice sets out those core necessary personal information uses and disclosures. Our core uses and disclosures are consistent with the London Market Core Uses Information Notice. We recommend you review this notice (by clicking the link above).

3. Our processing of your personal information

The types of personal information that we collect, and our uses of that personal information depend on your relationship with us. For example, we will collect different personal information depending on whether you are a policyholder, a beneficiary or a third party covered by an insurance policy we provide, a website user, a claimant, a witness, an intermediary, an expert or another third party.
We may use your personal information for a number of different purposes and in each case, we must have a ‘legal ground’ to do so. We will rely on the following ‘legal grounds’ when we process your ‘personal information’:

To enter into or perform the insurance contract that we hold with you/your employer or the relevant entity to which you are otherwise connected. For example, to provide you with a quote/with your insurance policy and other associated products (e.g. legal expenses cover). We will rely on this for activities such as handling and paying your insurance claims. (Contract performance)
Where we have a legal or regulatory obligation to use such personal information. For example, our regulators require us to hold certain records of our dealings with you, or investigating whistleblowing concerns. (Legal or regulatory obligation)
We use your personal information to achieve our legitimate business interests, but only in a way that is proportionate, and that respects your privacy rights. These include:
- assessing applications for insurance cover from you and/or your employer or the relevant entity to which you are otherwise connected, and providing quotations;
- providing services which are ancillary to the insurance we provide;
- assessing, investigating, paying or otherwise handling claims;
- maintaining and updating our business records (including to keep a record of the decisions we make when different types of applications are made;
- training and quality assurance;
- developing and improving our products and services;
- carrying out analytics across our datasets;
- responding to your enquiries;
- keeping you informed about our products and services (including direct marketing);
- building and managing our business relationships;
- protecting our business or a third party’s business (for example ensuring IT network and information security, physical security, enforcing claims, including debt tracing and collection);
- preventing and detecting fraud and financial crime;
- monitoring the number of visitors to and usage of our website;
- complying with our legal and regulatory obligations;
- handling complaints;
- managing our business portfolio, reorganising our company group;
- establishing, exercising or defending legal claims;
- keeping our staff, contractors, visitors and our business safe and to protect them from crime
- ensuring that we have appropriate insurance in place, managing and claiming under that insurance;
- any other purposes we identify as necessary in order for our business needs or operations, or reasonable business needs of a third party.
(Legitimate interests)

We need to use your personal information to protect your vital interests or those of another individual, for example in relation to a kidnap claim. (Vital interests)

Sometimes we will request or receive some of your ‘special category/sensitive personal information’, which includes information that relates to your physical and/or mental health, genetic or biometric data, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership. We may also need details of your criminal convictions including information relating to any unspent convictions, pending prosecutions, fixed penalty notices or other relevant elements such as arrests or unspent cautions for fraud prevention purposes or to carry out money laundering checks. We won’t actively collect information about your sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership although it is possible that this could be disclosed indirectly in certain circumstances when answering our questions.
Where you provide personal information to us about other individuals (for example, members of your family or your employees) we will also be data controller of and responsible for their personal information. You should refer them to this notice.
When we process such ‘special category/sensitive personal information’, we must have an additional ‘legal ground’. We will rely on the following legal grounds when we process your ‘special category/sensitive personal information’:

Processing for an insurance purpose, necessary for a substantial public interest, including: (a) advising on, arranging, underwriting or administering an insurance contract; (b) administering a claim under an insurance contract; (c) exercising a right, or complying with an obligation, arising in connection with an insurance contract, including a right or obligation arising under an enactment or rule of law (Insurance purpose)
Processing for the purposes of preventing or detecting unlawful acts and there is a substantial public interest in such use. Such purposes include when we are investigating potential or suspected insurance fraud or money laundering. (Preventing or detecting unlawful acts)
Processing to establish, exercise or defend legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves or when we are investigating a legal claim that a third party has made against you/our policyholder. (Legal rights)
You have provided your consent to our use of your special category/sensitive personal information. (Consent)
We need to use your special category/sensitive personal information to protect your vital interests or those of another individual, for example in relation to a kidnap claim, or in relation to accidents in an emergency. (Vital interests)
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, for example in relation to claims handling, fraud detection or investigating whistleblowing concerns (Public interest)

In order to make this notice as user friendly as possible, we have split it into different sections. Please click on the link below that best describes your relationship with us.

Prospective policyholders or beneficiaries (PDF 55Kb)

Policyholder or beneficiary under an insurance policy (PDF 60Kb)

Claimants and prospective claimants and third parties under commercial insurance policies (PDF 59Kb)

Witnesses to an incident or other individuals who provide us with information in relation to an incident (PDF 47Kb)

Intermediaries, sub-brokers, appointed representatives and other business partners, such as lawyers and claims handlers (PDF 48Kb)

Users of the QBE EO websites (PDF 39Kb)

Visitors to our offices (PDF 38Kb)

4. What marketing activities do we carry out?

We may use your personal information to provide you with information about products or services which may be of interest to you where you are an existing customer or business contact or where you have provided your consent for us to do so. We may do this by post, email, telephone and social media.

We are committed to only sending you marketing communications that you have clearly expressed an interest in receiving. If you wish to opt out of marketing, you may do so by clicking on the 'unsubscribe' link that appears in all emails or telling us when we call you. Otherwise you can always contact us using the details set out in section 10 to update your contact preferences.

Please note that, even if you do choose not to receive marketing messages, we may still send you service-related communications where necessary.

Unsubscribe from QBE EO Marketing Communications.

5. How long do we keep your personal information for?

We will retain your Personal Information for as long as is reasonably required for the purposes explained in this Privacy Policy. We are also required to keep certain information, which may include personal information, to meet legal, regulatory, tax or accounting needs. For example, we may also retain your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges you or others might raise later, or if we reasonably believe there is a prospect of litigation.

The specific retention period for your personal information will depend on your relationship with us, the type of personal information we hold and the reasons we hold your personal information.

We maintain a data retention policy to assist us in managing how long we hold your personal information and our record management, and this includes clear guidelines on data retention and deletion.

Where your personal information is no longer required we will ensure it is either securely deleted, anonymised such that any information that could identify an individual is removed or it is stored in a way which means it will no longer be used by the business.

If you would like more information about the periods for which your personal information will be stored or our data retention policy, please contact us using the details set out in section 10.

6. What is our approach to sending information overseas?

Sometimes we (or third parties acting on our behalf) may need to store or process your personal information in countries outside of the UK.

Where we need to transfer your personal information outside the UK and the EEA, we will take steps to ensure that your personal information is protected. We will do this using a number of different methods including:

putting in place appropriate contracts. We use a set of contract wording known as the 'Standard Contractual Clauses' which have been approved by the data protection authorities. You can find out more about the Standard Contractual Clauses here.
transferring personal information only to countries which have been deemed by the UK data protection authority to have adequate levels of data protection (such as countries in the European Economic Area ('EEA')). You can find out more about this here
where appropriate other substantive operational and/or technical means of protection, such as strengthened encryption measures, advanced due diligence and transparency measures and additional contractual obligations.

Depending on our relationship and your particular circumstances, we might transfer personal information anywhere in the world.

If you would like further information regarding our data transfers and the steps we take to safeguard your personal information, please contact us using the details set out in section 10.

7. How do we protect your information

We have a package of technical, organisational and contractual measures in place to protect your personal information which have been adopted to comply with the latest data protection requirements. The measures cover various aspects of data security including the following:

Encryption, data masking and activity logging as appropriate
Putting in place access controls and maintaining access logs, including data loss prevention
Having minimum password requirements and requiring regular changes to passwords
Having physical access controls to our offices
Implementing procedures for security incident management and back-up and recovery and having in place disaster recovery and business continuity plans
Use of firewalls and up-to-date virus scanning software and email filtering services
Vulnerability scanning to assess systems, networks and applications for known security weaknesses
Penetration testing to evaluate the security of systems and applications
Third party security reviews and contractual measures to ensure that QBE suppliers have appropriate security controls to safeguard QBE data and services
Development and Change processes to ensure that technology changes are authorised, appropriate, and tested to reduce the likelihood to introducing vulnerabilities into the QBE environment
Providing regular security and privacy/data protection training for all our employees

Our security measures are kept under periodic review and are regularly updated to reflect developments in technology and security and changes to our business. However, please be aware that there are inherent security risks in transmitting data, such as e-mails or via the Internet, because it is impossible to safeguard completely against unauthorised access by third parties.

8. Profiling and Automated Decision Making

What is profiling?

Profiling is any form of automated processing of personal information and information provided by third party sources, to evaluate certain personal aspects. Insurance underwriting, and sometimes claims payment, is based on profiling as it assesses the event that you are seeking to insure and the likelihood of that event occurring.

We use profiling as part of:

Assessing insurance applications. For example, when we are considering whether or not to offer a motor policy, we will consider the likelihood of an accident occurring (e.g. using your claims history) and the likely cost of replacing your vehicle (e.g. using our wider experience of dealing with other claims). We will compare this information against industry averages and our previous experience. We will use the outcome of that profiling to decide whether or not to offer insurance and at what price.
Assessing and administering claims. We use systems as part of our claims process to inform the questions we ask of you and to help us decide on an appropriate settlement figure. For example, if you are making a claim for injury, we will use information relating to your injury, treatment and prognosis to generate a valuation band for your injuries.
Preventing and detecting insurance fraud. We use systems to help us recognise likely indications of insurance fraud. This might result in a claim being passed to our fraud team for further investigation.
Improving our business. We may also use profiling and data analysis to ensure data quality and accuracy and to help us improve our processes, our products and services and check the way our models, algorithms and machine-learning tools work.

We keep our profiling process under regular review, and, in most cases, an individual will then make a decision based on the outcome of that profiling.

What is automated decision making?

Automated decision making refers to a situation where a decision is taken using personal information that is processed solely by automatic means (i.e. using an algorithm or other computer software) rather than a decision that is made with some form of human involvement.

Automated decision making is widely used in the insurance industry to offer and administer insurance efficiently and accurately.

Where an automated decision produces a legal or other similarly significant effect concerning you (for example, where your policy or claim is rejected), we will only carry out automated decision making:

using your personal information where it is necessary for the purposes of entering into or performing a contract with you (e.g. to assess your insurance application)
using your special category/sensitive personal information where it is necessary for an insurance purpose (such as administering your claim or detecting insurance fraud)

In all other cases, we will ask for your consent in advance.

We currently use automated decision in our SME motor business. We use an electronic-trading system called Acturis to help us assess the risk and calculate what premium we charge. We have certain pricing rules which are fed into the system. For example, whether you have had a claim in the last 5 years will affect the price as will the amount you wish us to cover. Using these rules, the system automatically decides whether to accept, decline or refer your application to an underwriter for further consideration.

You have the right in certain circumstances not to be subject to a decision which is based solely on automated processing. Please see section 9 for further details of your rights in this respect.

9. Your rights

Under data protection law you have a number of rights in relation to the personal information that we hold about you which we set out below. These rights might not apply in every circumstance. You can exercise your rights by contacting us at any time using the details set out in section 10.

We will not usually charge you in relation to a request. We may ask you for proof of identity to ensure that we only disclose information to the right individual.

We aim to respond to all valid requests within one month. However, it may take us longer if the request is particularly complicated or you have made several requests. We will always let you know if we think a response will take longer than one month. We may also ask you to provide more detail about what you want to receive or are concerned about, as this will help us to provide you with a prompt response.

We take your rights seriously but there may be some circumstances where we cannot comply with your request, for example if complying with it would mean that we couldn't comply with our own legal or regulatory obligations. In these instances, we will let you know why we cannot comply with your request.

In some circumstances, complying with your request may mean that we are unable to continue providing you with insurance and may need to cancel your insurance policy or discontinue your claim. For example, if you request erasure of your personal information, we will not have the information required to pay your claim. We will inform you of this at the time you make a request.

The right to access your personal information

You are entitled to a copy of the personal information we hold about you and certain details about how we use it.

We will usually provide your personal information to you in writing unless you request otherwise. Where your request has been made electronically (e.g. by email), a copy of your personal information will be provided to you by electronic means where possible.

The right to rectification

We always take care to ensure that the information we hold about you is accurate and where necessary up to date. If you believe that there are any inaccuracies, discrepancies, or gaps in the information we hold about you, you can contact us and ask us to update or amend it.

The right to restriction of processing

In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to use your personal information.

The right to withdraw your consent

Where we rely on your consent in order to process your personal information, you have the right to withdraw such consent to further use of your personal information.

Please note that for some purposes, we need your consent in order to provide your policy or handle your claim. If you withdraw your consent, we may need to cancel your policy, or we may be unable to pay your claim. We will advise you of this at the point you seek to withdraw your consent.

The right to erasure

This is sometimes known as the 'right to be forgotten'. It entitles you, in certain circumstances, to request deletion of your personal information. For example, where we no longer need your personal information for the original purpose we collected it for or where you have exercised your right to withdraw consent.

Whilst we will assess every request, there are other factors that will need to be taken into consideration. For example, we may be unable to erase your information as you have requested because we have a legal or regulatory obligation to keep it.

The right to object

In certain cases, you have the right to object to our processing. This arises in relation to:

Marketing: You have control over the extent to which we market to you and you have the right to request that we stop sending you marketing messages at any time. You can do this either by clicking on the 'unsubscribe' button in any email that we send to you or by contacting us at any time using the details set out in section 10. Please note that even if you exercise this right because you do not want to receive marketing messages, we may still send you service-related communications where necessary.

Processing based on our legitimate interest: Where we process your personal information on the basis of a legitimate interest, you can object to such processing, unless our purpose outweighs any prejudice to your privacy rights.

The right to data portability

In certain circumstances, you can request that we transfer personal information that you have provided to us directly to a third party.

Rights relating to automated decision-making

Where an automated decision produces a legal or other similarly significant effect concerning you (for example, where your policy or claim is rejected), you have the right to ask us to reconsider a decision taken by automated means or to take a new decision on a different basis (e.g. by introducing some form of human involvement).

The right to make a complaint to the ICO

You have a right to complain to the Information Commissioners Office (ICO) if you believe that we have breached data protection laws when using your personal information. You can visit the ICO's website at www.ico.org.uk for more information. Please note that lodging a complaint will not affect any other legal rights or remedies that you have.

10. Contacting us

If you would like further information about any of the matters in this notice or if have any other questions about how we collect, store or use your personal information, you may contact our data protection officer by emailing dpo@uk.qbe.com or writing to:

The Data Protection Officer
QBE European Operations
30 Fenchurch Street
London EC3M 3BD

11. Updates to this Notice

From time to time we may need to make changes to this notice, for example, as the result of changes to law, technologies, or other developments. We will provide you with the most up-to-date notice and you can check this page periodically to view it.

This notice was last updated on 3rd June 2024.

Ireland Privacy Policy

We process personal data in order to be able to provide our customers with the best possible service/product. We always ensure we either have a legitimate purpose to hold personal data or obtain consent. We strive to maintain the highest possible Data Protection standards and we will handle all data with the upmost care.

Our Privacy Policy

Your trust is important to us, so we want you to be aware of our Privacy Policy which explains how we collect, store and handle your personal data.

Report a Data Breach

If you suspect data about QBE’s customers, staff or other contacts has been inappropriately disclosed or you find QBE property which may contain confidential or personal data, please let our Data Protection Team know as soon as possible by completing our Data Breach Form.

Fair Processing Notice

QBE European Operations ("QBE") is committed to ensuring your privacy is protected. This Fair Processing Notice sets out details of the information that we may collect from you and how we may use that information. Please take your time to read this notice carefully. When using a QBE website, this notice should be read alongside the website terms and conditions and cookie policy.

1. About Us

QBE is part of a wider group of companies, the QBE Insurance Group, one of the world’s leading international insurers and reinsurers. As a business insurance specialist, we offer a range of insurance products from the standard suite of property, casualty and motor to the specialist financial lines, marine and energy. All are tailored to the individual needs of our small, medium and large client base.

To enable us to provide insurance services, including providing a quote and then insurance, and dealing with any claims or complaints that might arise, we need to collect and process data. This makes us a "data controller" for any personal information that you provide to us which makes us responsible for complying with data protection laws.

The specific company acting as a data controller of your personal information will be listed in the documentation we provide to you.
A list of all the companies within QBE European Operations which act as data controllers is set out below.

QBE Insurance (Europe) Limited
QBE Underwriting Limited
QBE Re (Europe) Limited
QBE European Operations Plc
QBE UK Limited (“QBE UK”)
QBE Europe SA/NV
QBE Management Services (UK) Limited
QBE Management (Ireland) Limited
QBE Underwriting Services (Ireland) Limited
QBE Underwriting Services (UK) Limited
QBE European Services Limited
QBE Insurance Services (Regional) Limited

If you are unsure about who the data controller of your personal information is, you can also contact us at any time by e-mailing us at dpo@uk.qbe.com.

2. About the insurance market

Insurance involves the use and disclosure of your personal information by various insurance market participants such as intermediaries, insurers and reinsurers. The Code of Practice on Data Protection for the Insurance Sector sets out the obligations of insurers operating in Ireland in respect of the use and processing of personal information. We recommend you review this notice.

3. Our processing of your personal information

The types of personal information that we collect, and our uses of that personal information will depend on your relationship with us. For example, we will collect different personal information depending on whether you are a policyholder, a beneficiary or a third party covered by an insurance policy we provide, a website user, a claimant, a witness, a broker, an expert or another third party.

Sometimes we will request or receive some of your “sensitive personal information”. Sensitive personal information is information that relates to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership. For example, we may need access to information about your health in order to provide you with a quote, provide your insurance policy, or process any claims you make.

We may also need details of any unspent criminal convictions you have for fraud prevention purposes or to carry out money laundering checks. We won’t actively collect sensitive personal information about your sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership although it is possible that this could be disclosed indirectly in certain circumstances when answering our questions.

Where you provide personal information to us about other individuals (for example, members of your family or your employees) we will also be data controller of and responsible for their personal information. You should refer them to this notice.

In order to make this notice as user friendly as possible, we have split it into different sections. Please click on the section below that best describes your relationship with us.

Prospective policyholders or beneficiaries

If you apply for an insurance policy with us or where someone else (such as your employer) applies for an insurance policy which will benefit you, this section will be relevant to you and sets out our uses of your personal information.

What personal information will we collect?

Your name, address, date of birth and gender.
Contact information, including previous contact information, such as your telephone numbers and email addresses.
Financial information such as your bank details, payment details and information obtained as a result of our credit checks such as bankruptcy orders, individual voluntary arrangements or county court judgments.
Information about your relationship to the policyholder where you are the beneficiary.
Information relating to your identity such as your national insurance number, passport number, vehicle registration number or driving licence number.
Information about your job such as your job title, employment history and employment records (including information on your salary, benefits and earnings), education history and professional accreditations.
Information which we obtain as part of checking sanctions lists.
Additional information which is relevant to the insurance application such as previous insurance policies you have held and claims you have made. This will also include any information specific to the type of policy application. For example:
- If you are applying for a property protection policy, we may collect and use information which relates to your property.
Information which we have gathered from publically available sources such as internet search engines like Google, Companies Registration Office, Government department websites and social media sites, including Facebook, YouTube and LinkedIn.
Information obtained through our use of cookies. You can find out more information about this in section 10.

What sensitive personal information will we collect?

Details about your criminal convictions and any related information. This will include information relating to any offences or alleged offences you have committed and any caution, court sentence or criminal sentence which you are or have been subject to, for example if you have applied for motor fleet cover, we will request to know about any motoring convictions your employees have.
Details about your physical and mental health which are relevant to the insurance application (e.g. if you apply for a motor policy, we will ask about any medical conditions which cause you as the driver to have a restricted driving licence). This may take the form of medical reports or underlying medical data such as x-rays or blood tests.
Whilst we do not actively collect other sensitive personal information, there may be some circumstances where you disclose the following sensitive personal information when answering our questions, for example:
- Details of your race or ethnicity, including your nationality where we collect your driving licence for the purposes of providing a quote for motor insurance cover; and
- When we are providing a quote for motor insurance cover, we will ask for details about your occupation which may indicate your trade union membership, political opinions, religious or philosophical beliefs - for example if you require motor insurance because you are a Church Minister.

How will we collect your personal information?

We will collect information directly from you when:

you apply for a policy;
we are providing you with a quotation;
you use any of the QBE Group websites;
you contact us to make a complaint;
you contact us by email, telephone and through other written and verbal communications; and
you request information about our products and services or subscribe to a newsletter or bulletin.

As well as obtaining information directly from you, we will collect information from:

the applicant (where you are a beneficiary or named under an insurance policy);
third parties involved in the insurance application process (such as our business partners and representatives, brokers or other insurers);
publicly available sources such as internet search engines like Google, Companies Registration Office, Government department websites and social media sites, including Facebook, YouTube and LinkedIn.
fraud prevention and detection agencies;
other companies within the QBE Group; and
credit reference agencies.

What will we use your personal information for?

We may use your personal information for a number of different purposes. In each case, we must have a "legal ground" to do so. We will rely on the following “legal grounds”, when we process your "personal information":

We need to use your personal information to enter into or perform the insurance contract that we hold with you. For example, we need to use your personal information to provide you with a quote.
We have a legal or regulatory obligation to use such personal information. For example, our regulators require us to hold certain records of our dealings with you.
We need to use your personal information for a justifiable purpose (e.g. to keep a record of the decisions we make when different types of applications are made, to keep business and accounting records, manage our business operations and to develop and improve our products and services). When using your personal information for these purposes, we will always consider your rights and interests.

When the information that we process is classed as “sensitive personal information", we must have an additional “legal ground". We will rely on the following legal grounds when we process your "sensitive personal information":

In the case of sensitive personal information relating to your health, where such processing is necessary for an insurance purpose, we will rely on this legal ground for processing health personal data relating to an insurance policy or claim. Such insurance purposes include evaluating your insurance application and managing claims.
You have provided your consent to our use of your sensitive personal information (e.g. in relation to your marketing preferences). In some circumstances, we may need your consent to process sensitive personal information. Without it, we may be unable to offer you an insurance policy. We will always explain why your consent is necessary.
We need to use your sensitive personal information to establish, exercise or defend legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves or when we are investigating a legal claim that a third party brings against you.
We need to use and process your sensitive personal information in the UK for purposes relating to an insurance policy or claim and there is a substantial public interest in such use. Such purposes include evaluating your insurance application and managing claims.

Purpose for processing	Legal grounds for using your personal information	Legal grounds for using your sensitive personal information
To set you up as a policyholder including carrying out fraud, sanctions, credit and anti-money laundering checks.	It is necessary to enter into your insurance contract. We have a relevant legal or regulatory obligation. We have a justifiable purpose (to assess the insurance application).	In the case of health data, such use is necessary for insurance purposes. • Such use is necessary for insurance purposes in the UK. We need to establish, exercise or defend legal rights. You have given us your explicit consent.
To evaluate your insurance application and provide a quote.	It is necessary to enter into or perform your insurance contract. We have a relevant legal or regulatory obligation. We have a justifiable purpose (to assess the insurance application and provide you with a quote).	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK You have given us your explicit consent.
Communicating with you and resolving any complaints that you might have.	It is necessary to enter into or perform your insurance contract. We have a justifiable purpose (to send you communications, record and investigate complaints and ensure that future complaints are handled appropriately).	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK. We need to use your information in order to establish, exercise or defend legal rights. You have given us your explicit consent.
Providing improved quality, training and security (for example, with respect to recorded or monitored phone calls to our contact numbers).	We have a justifiable purpose (to develop and improve the products and services we offer).	You have given us your explicit consent.
Complying with our legal or regulatory obligations.	We have a relevant legal or regulatory obligation.	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g. tax or legal advice).	We have a relevant legal or regulatory obligation. We have a justifiable purpose (to effectively manage our business operations).	You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
Monitoring applications, reviewing, assessing, tailoring and improving our products and services and similar products and services offered by the QBE Group.	We have a justifiable purpose (to develop and improve the products and services offered by QBE or the QBE Group).	You have given us your explicit consent.
Investigating or detecting the unauthorised use of our systems, to secure our system and to ensure the effective operation of our systems.	We have a justifiable purpose (to ensure the integrity and security of our systems).	You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
Transferring or selling part of our business or re-organising our company structure.	We have a justifiable purpose (to manage our business portfolio and re-organise our company). We have a relevant legal or regulatory obligation.	You have given us your explicit consent.

Who will we share your personal information with?

We will keep your personal information confidential and we will only share it where necessary for the purposes set out above with the following parties:

Other QBE Group companies for our general administration purposes or for the prevention and detection of fraud.
Our insurance partners such as brokers, sub-brokers, coverholders, other insurers, reinsurers or other companies who act as insurance distributors.
Third parties who assist in the administration of your insurance application. These include surveyors, valuers and other experts.
Other insurers who provide our own insurance (reinsurers) and companies who arrange such reinsurance.
Third parties who provide sanctions checking services.
Insurance industry bodies (including Insurance Ireland and the Motor Insurers' Bureau of Ireland).
Fraud detection agencies and other third parties who operate and maintain fraud detection registers.
Our regulators including the Central Bank of Ireland, the UK Financial Conduct Authority and the UK Prudential Regulation Authority.
An Garda Siochana, other third parties or law enforcement agencies where reasonably necessary for the prevention or detection of crime.
Credit reference agencies.
Third party suppliers we appoint to help us carry out our everyday business activities such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, document management providers and tax advisers.
Third parties who undertake analysis for the purposes of product improvement.
Selected third parties in connection with any sale, transfer or disposal of our business.

Policyholder or beneficiary under an insurance policy

If you take out an insurance policy with us (e.g. a business interruption policy) or if you are listed as an applicant or beneficiary under a policy that someone else has with us (such as a named solicitor under a professional indemnity policy), this section will be relevant to you and sets out our uses of your personal information.

What personal information will we collect?

Your name, address, date of birth and gender.
Contact information, including previous contact information, such as your telephone numbers and email addresses.
Financial information such as your bank details, payment details and information obtained as a result of our credit checks such as bankruptcy orders, individual voluntary arrangements or district or small claims court judgments.
Information about your relationship to the policyholder where you are the beneficiary and/or not the policyholder.
Identification relating to your identity such as your PPS number, passport number, vehicle registration number or driving licence number.
Information about your job such as job title, employment history and employment records, (including information on your salary, benefits and earnings), education history and professional accreditations.
Information which we obtain as part of checking sanctions lists.
Information relevant to your insurance policy. This will depend on the nature of the policy but could include details relating to your property or business activities.
Information relevant to your claim or your involvement in the matter giving rise to a claim. For example, if you make a claim following a road traffic accident, we may use personal information relating to your vehicle and named drivers.
Information relating to your previous policies or claims.
Information which we obtain as part of checking sanctions lists.
Information which we have gathered from publicly available sources such as internet search engines like Google, Companies Registration Office, Government department websites and social media sites, including Facebook, YouTube and LinkedIn.
Information obtained through our use of cookies. You can find out more information about this in section 10.
Surveillance footage which may also include CCTV footage, video recordings, photos and reports that have been obtained by our private investigators, G4S and other third parties which we engage to assist us with looking into claims on our behalf in relation to suspected fraud.

What sensitive personal information will we collect?

Details about your criminal convictions and any related information. This will include information relating to any offences or alleged offences you have committed and any caution, court sentence or criminal sentence which you are or have been subject to.
Details about your physical and mental health which are relevant to your policy or claim (e.g. if you take out or are covered by a travel policy, we may need details of pre-existing medical conditions). This may take the form of medical reports or underlying medical data such as x-rays or blood tests.
We may also collect other sensitive personal information, for example:
- Details of race or ethnicity, including your nationality, in limited circumstances, where relevant to your claim;
- Your political opinions (where these have been made publically available), religious or philosophical beliefs (for example, where it is relevant to your medical treatment preferences are revealed by your job description) or trade union membership;
- Genetic data, in limited circumstances, where relevant to your claim;
- Biometric data, such as voice recordings to analyse potentially fraudulent claims; and
- Data concerning your sex life or sexual orientation, in limited circumstances, where relevant to your claim, such as in a claim for occupational health services.

How will we collect your personal information?

We will collect information directly from you:

when you apply for or renew a policy;
when we are providing you with a quotation;
when you make a claim on your policy or via the administration of a claim, or we are notified of an incident relevant to a policy;
when you respond to a customer survey;
when you use any of the QBE websites;
when you contact us by email, telephone (including our telephone helpline) and through other written and verbal communications, including our online live chat facility via our e-trading platform;
when you request information about our products and services or subscribe to a newsletter or bulletin; and
when you make a complaint.

As well as obtaining information directly from you, we will collect information from:

The named policyholder where you are a beneficiary;
Third parties involved in your insurance policy or claim (such as our business partners and representatives, brokers, sub-brokers, other insurers, claimants, defendants, witnesses or other individuals who provide us with information in relation to an incident);
Other third parties who provide a service in relation to your insurance policy or claim such as loss adjusters, claims handlers, lawyers, experts (including medical experts and medical reports), healthcare and rehabilitation providers and other service providers;
Emergency assistance and medical services providers;
Claims services providers;
Publicly available sources such as internet search engines like Google, Companies Registration Office, Government department websites and social media sites, including Facebook, YouTube and LinkedIn.
Other companies within the QBE Group;
Credit reference agencies;
Insurance industry and other fraud prevention and detection databases and sanctions screening tools such as Insurance Link, Insurance Confidential and Motor Insurers' Bureau of Ireland databases.
Insurance industry databases;
Our regulators including the Central Bank of Ireland, the UK Financial Conduct Authority and the UK Prudential Regulation Authority;
An Garda Siochana where they have provided us with information and other law enforcement agencies;
Government agencies such as the National Driver Licence Service, the Road Safety Authority, the Revenue Commissioners and the National Bureau of Criminal Investigation;
Professional regulators such as the Medical Council and the Law Society of Ireland / the Legal Services Regulatory Authority; and
Selected third parties in connection with any sale, transfer or disposal of our business.

What will we use your personal information for?

We need to use your personal information to enter into or perform the insurance contract that we hold with you. For example, we need to use your personal information to provide you with your insurance policy and other associated products (e.g. legal expenses cover). We will rely on this for activities such as handling and paying your insurance claims and preventing and detecting fraud.
We have a legal or regulatory obligation to use such personal information. For example, our regulators require us to hold certain records of our dealings with you.
We need to use your personal information for a justifiable purpose (e.g. to properly investigate incidents which are the subject of a claim, to keep business and accounting records, manage our business operations and to develop and improve our products and services). When using your personal information for these purposes, we will always consider your rights and interests.

In the case of sensitive personal information relating to your health, where such processing is necessary for an insurance purpose, we will rely on this legal ground for processing health personal data relating to an insurance policy or claim. Such insurance purposes include handling and paying insurance claims.
You have provided your consent to our use of your sensitive personal information (e.g. in relation to your marketing preferences). In some circumstances, we may need your consent to process sensitive personal information. Without it, we may be unable to provide your policy or handle claims. We will always explain why your consent is necessary.
We need to use such sensitive personal information to establish, exercise or defend legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves or when we are investigating a legal claim that a third party brings against you.
We need to use and process your sensitive personal information in the UK for purposes relating to an insurance policy or claim and there is a substantial public interest in such use. Such purposes include evaluating your insurance application and managing claims.

Purpose for processing	Legal grounds for using your personal information	Legal grounds for using your sensitive personal information
To administer and manage the insurance policy.	It is necessary to enter into or perform your insurance contract. We have a relevant legal or regulatory obligation. We have a justifiable purpose (to properly manage the insurance policy).	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK. You have given us your explicit consent.
Handling and paying insurance claims	It is necessary to enter into or perform your insurance contract. We have a relevant legal or regulatory obligation. We have a justifiable purpose (to assess and pay your claim and handle the claims process).	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK. You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
Prevention and detection of and investigating and prosecuting fraud and sanctions checking. This might include sharing your personal information with third parties such as An Garda Siochana, and other insurance and financial services providers and insurance industry databases.	It is necessary to enter into or perform your insurance contract. We have a relevant legal or regulatory obligation. We have a justifiable purpose (to prevent, detect and prosecute fraud and other financial crime).	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK. We need to use your information in order to establish, exercise or defend legal rights. You have given us your explicit consent.
Complying with our legal or regulatory obligations.	We have a relevant legal or regulatory obligation.	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK. You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
Communicating with you and resolving any complaints that you might have.	It is necessary to enter into or perform your insurance contract. We have a relevant legal or regulatory obligation. We have a justifiable purpose (to send you communications, record and investigate complaints and ensure that future complaints are handled appropriately).	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK. We need to use your information in order to establish, exercise or defend legal rights. You have given us your explicit consent.
Providing improved quality, training and security (for example, with respect to recorded or monitored phone calls to our contact numbers).	We have a justifiable purpose (to develop and improve the products and services we offer).	You have given us your explicit consent.
Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g. tax or legal advice).	We have a justifiable purpose (to effectively manage our business operations). We have a relevant legal or regulatory obligation.	You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
Monitoring applications, reviewing, assessing, tailoring and improving our products and services and similar products and services offered by the QBE Group.	We have a justifiable purpose (to develop and improve the products and services offered by QBE or the QBE Group).	You have given us your explicit consent.
Tracing and recovering debt.	We have a justifiable purpose (to trace and recover debt that is owed to us).	We need to use your information in order to establish, exercise or defend legal rights.
Investigating or detecting the unauthorised use of our systems, to secure our system and to ensure the effective operation of our systems)	We have a justifiable purpose (to ensure the integrity and security of our systems).	You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
To apply for and claim on our own insurance.	We have a justifiable purpose (to ensure that we have appropriate insurance in place).	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK. We need to use your information in order to establish, exercise or defend legal rights. You have given us your explicit consent.
Transferring or selling part of our business or re-organising our company structure.	We have a justifiable purpose (to manage our business portfolio and re-organise our company). We have a relevant legal or regulatory obligation.	You have given us your explicit consent.

Who will we share your personal information with?

We will keep your personal information confidential and we will only share it where necessary for the purposes set out above with the following parties.

Other QBE Group companies for our general administration purposes, marketing purposes in accordance with the preferences you have expressed or for the prevention and detection of fraud.
Our insurance partners such as brokers, sub-brokers, reinsurers or other companies who act as insurance distributors.
Third parties who assist in the administration of insurance policies or the handling of claims. These include loss adjusters, claims handlers, private investigators, accountants, auditors, banks, lawyers and other experts including medical experts.
Other insurers who provide our own insurance (reinsurers) and companies who arrange such reinsurance.
Third parties who provide sanctions checking services.
Insurance industry bodies (including Insurance Ireland and the Motor Insurers' Bureau of Ireland).
Fraud detection agencies and other third parties who operate and maintain fraud detection registers.
Investigative firms and third parties, [such as G4S, who we ask to look into claims on our behalf in relation to suspected fraud.
Health providers (for example, a hospital which is responsible for any treatment you receive through the policy or a rehabilitation provider).
Our regulators including the Central Bank of Ireland, the UK Financial Conduct Authority and the UK Prudential Regulation Authority.
An Garda Siochana and other third parties or law enforcement agencies where reasonably necessary for the prevention or detection of crime.
Debt collection agencies.
Credit reference agencies.
Our third-party service providers such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, document management providers, outsourced business process management providers, our subcontractors and tax advisers.
Third parties who undertake analysis for the purposes of product improvement.
Selected third parties in connection with any sale, transfer or disposal of our business.
Government departments, such as the Department of Employment Affairs and Social Protection, in connection with personal injury claims, including disclosing information on any hospitals that you have attended.
Policyholders, for the purposes of claims review meetings and discussing claims experiences.

Third party claimant and prospective claimants and third parties under commercial insurance policies

If you make a claim, or are intending to make a prospective claim, against a third party who has an insurance policy with us, this section will be relevant to you and sets out our uses of your personal information.

What personal information will we collect?

Your name, address, date of birth and gender.
Contact information, including previous contact information, such as your telephone numbers and email addresses.
Financial information such as your bank details, payment details and information obtained as a result of our credit checks such as bankruptcy orders, individual voluntary arrangements or district or small claims court judgments.
Information relating to your identity such as your PPS number, passport number, vehicle registration number or driving licence number.
Information about your job such as job title, employment history and employment records (including information on your salary, benefits and earnings), education history and professional accreditations.
Information relating to previous insurance policies you have held and claims you have made.
Information relevant to your claim or your involvement in the matter giving rise to a claim. For example, if you make a claim following a road traffic accident, we may use personal information relating to your vehicle and named drivers.
Information relating to your previous claims.
Information which we obtain as part of checking sanctions lists.
Information we have obtained from insurance industry databases such as Insurance Link, Insurance Confidential and the Motor Insurers' Bureau of Ireland databases;
Information which we have gathered from publicly available sources such as internet search engines like Google, Companies Registration Office, Government department websites and social media sites, including Facebook, YouTube and LinkedIn.
Surveillance footage which may also include CCTV footage, video recordings, photos and reports that have been obtained by our private investigators, G4S and other third parties which we engage to assist us with looking into claims on our behalf in relation to suspected fraud.

What sensitive personal information will we collect?

Details about your criminal convictions and any related information. This will include information relating to any offences or alleged offences you have committed and any caution, court sentence, or criminal sentence which you are or have been subject to.
Details about your physical and mental health which are relevant to your claim (e.g. because you have been injured whilst at a property insured by us). This may take the form of medical reports or underlying medical data such as x-rays or blood tests.
We may also collect other sensitive personal information, in limited circumstances, where relevant to your claim, for example:
- Details of your race or ethnicity, including your nationality;
- Your political opinions, religious or philosophical beliefs or trade union membership;
- Genetic data;
- Biometric data, such as voice recordings to analyse potentially fraudulent claims; and
- Data concerning your sex life or sexual orientation, such as in a claim for occupational health services.

How will we collect your personal information?

As well as obtaining information directly from you, we may collect information from:

The party who holds a policy with us.
Third parties involved in the insurance policy or claim (such as our business partners and representatives, brokers, sub-brokers, other insurers, claimants, defendants, witnesses or other individuals who provide us with information in relation to an incident to an incident).
Other third parties who provide a service in relation to your claim such as loss adjusters, claims handlers, solicitors and professional experts (including medical experts), healthcare and rehabilitation providers and other service providers.
Emergency assistance and medical services providers.
Claims services providers.
publicly available sources such as internet search engines like Google, Companies Registration Office, Government department websites and social media sites, including Facebook, YouTube and LinkedIn.
Other companies within the QBE Group.
Insurance industry and other fraud prevention and detection databases and sanctions screening tools such as Insurance Confidential, Insurance Link and the Motor Insurance Bureau of Ireland databases and contracted vendor data wash tools.
An Garda Siochana where they have provided us with information and other law enforcement agencies.
Government agencies such as National Driver Licence Service, the Road Safety Authority, the Revenue Commissioners and the National Bureau of Criminal Investigation;
Professional regulators such as the Medical Council and the Law Society of Ireland / Legal Services Regulatory Authority.

What will we use your personal information for?

We have a legal or regulatory obligation to use such personal information. For example, our regulators require us to hold certain records of our dealings with you.
We need to use your personal information for a justifiable purpose (e.g. to properly investigate incidents which are the subject of a claim, to keep business and accounting records, manage our business operations and to develop and improve our products and services). When using your personal information for these purposes, we will always consider your rights and interests.

In the case of sensitive personal information relating to your health, where such processing is necessary for an insurance purpose, we will rely on this legal ground for processing health personal data relating to an insurance policy or claim. Such insurance purposes include when we are investigating potential or suspected insurance fraud.
We need to use and process your sensitive personal information in the UK for purposes relating to an insurance policy or claim and there is a substantial public interest in such use. Such purposes include evaluating your insurance application and managing claims.
We need to use such sensitive personal information to establish, exercise or defend legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves or we are considering the claim that has been made against our policyholder.
You have provided your consent to our use of your personal information. In some circumstances, we may need your consent to process sensitive personal information (e.g. health information). Without it, we may be unable to handle your claims. We will always explain why your consent is necessary.

Purpose for processing	Legal grounds for using your personal information	Legal grounds for using your sensitive personal information
Handling and paying claims.	We have a justifiable purpose (to assess and pay your claim and handle the claims process). We need to use your information in order to comply with our legal obligations.	In the case of health data, such use is necessary for insurance purposes Such use is necessary for insurance purposes in the UK. We need to use your information in order to establish, exercise or defend legal rights. You have given us your explicit consent.
Prevention and detection of and investigating and prosecuting fraud and sanctions checking. This might include sharing your personal information with third parties such as An Garda Siochana, and other insurance and financial services providers and insurance industry databases.	We have a justifiable purpose (to prevent, detect and prosecute fraud and other financial crime). We have a relevant legal or regulatory obligation.	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK. We need to use your information in order to establish, exercise or defend legal rights. You have given us your explicit consent.
Complying with our legal or regulatory obligations.	We have a relevant legal or regulatory obligation.	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK. You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
Communicating with you and resolving any complaints that you might have.	We have a relevant legal or regulatory obligation. We have a justifiable purpose (to send you communications, record and investigate complaints and ensure that future complaints are handled appropriately).	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK We need to use your information in order to establish, exercise or defend legal rights. You have given us your explicit consent.
Providing improved quality, training and security (for example, with respect to recorded or monitored phone calls to our contact numbers).	We have a justifiable purpose (to develop and improve the products and services we offer).	You have given us your explicit consent.
Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g. tax or legal advice). For business processes and activities including analysis, review, planning and business transaction.	We have a justifiable purpose (to effectively manage our business operations). We have a relevant legal or regulatory obligation.	You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
Tracing and recovering debt.	We have a justifiable purpose (to trace and recover debt that it is owed to us)	We need to use your information in order to establish, exercise or defend legal rights.
To apply for and claim on our own insurance.	We have a justifiable purpose (to ensure that we have appropriate insurance in place).	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK. We need to use your information in order to establish, exercise or defend legal rights. You have given us your explicit consent.
Investigating or detecting the unauthorised use of our systems, to secure our systems and to ensure the effective operation of our systems).	We have a justifiable purpose (to ensure the integrity and security of our systems).	You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
Transferring or selling part of our business or re-organising our company structure.	We have a justifiable purpose (to manage our business portfolio and re-organise our company). We have a relevant legal or regulatory obligation.	You have given us your explicit consent.

Who will we share your personal information with?

We will keep your personal information confidential and we will only share it where necessary for the purposes set out above with the following parties.

Other QBE Group companies for our general administration purposes, marketing purposes in accordance with the preferences you have expressed or for the prevention and detection of fraud.
Our insurance partners such as brokers, sub-brokers, reinsurers or other companies who act as insurance distributors.
Third parties who assist in the administration of your claim such as loss adjusters, claims handlers, private investigators, accountants, auditors, banks, lawyers and other experts including medical experts.
Other insurers (e.g. where another insurer is also involved in a claim that you are making).
Other insurers who provide our own insurance (reinsurers) and companies who arrange such reinsurance.
Third parties who provide sanctions checking services.
Insurance industry bodies (including Insurance Ireland and the Motor Insurers' Bureau of Ireland).
Fraud detection agencies and other third parties who operate and maintain fraud detection registers.
Investigative firms we ask to look into claims on our behalf in relation to suspected fraud.
Health providers (for example, a hospital which is responsible for any treatment you receive through the policy or a rehabilitation provider).
Our regulators including the Central Bank of Ireland, the UK Financial Conduct Authority and the UK Prudential Regulation Authority.
An Garda Siochana and other third parties or law enforcement agencies where reasonably necessary for the prevention or detection of crime.
Our third-party service providers such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, document management providers, outsourced business process management providers, our subcontractors and tax advisers.
Selected third parties in connection with any sale, transfer or disposal of our business.
Government departments, such as the Department of Employment Affairs and Social Protection, in connection with personal injury claims, including disclosing information on any hospitals that you have attended.

Witnesses to an incident or other individuals who provide us with information in relation to an incident

If you are a witness to an incident or an individual who otherwise provides us with information in relation to an incident which is the subject of a claim, this section will be relevant to you and sets out our uses of your personal information.

What personal information will we collect?

Your name, address, date of birth and gender.
Contact information, including previous contact information, such as your telephone numbers and email addresses.
Information relevant to the incident that you have witnessed.
Information which we have gathered from publicly available sources such as internet search engines like Google, Companies Registration Office, Government department websites and social media sites, including Facebook, YouTube and LinkedIn.

What sensitive personal information will we collect?

We do not routinely process sensitive personal information of witnesses. However, we may do so if it is relevant to the incident that you have witnessed (for example, if you have a health condition which may affect your witness statement).

How will we collect your information?

As well as obtaining information directly from you, we will collect information from:

Third parties involved in the incident you witnessed (such as brokers, sub-brokers, other insurers, claimants, defendants, other witnesses or other individuals who provide us with information in relation to an incident).
Other third parties who provide a service in relation to the claim which relates to the incident you witnessed such as loss adjusters, claims handlers, and experts (including medical experts), healthcare and rehabilitation providers and other service providers.
Publicly available sources such as internet search engines like Google, Companies Registration Office, Government department websites and social media sites, including Facebook, YouTube and LinkedIn.
Other companies within the QBE Group.

What will we use your personal information for?

We have a legal or regulatory obligation to use such personal information. For example, our regulators require us to hold certain records of our dealings with you.
We need to use your personal information for a justifiable purpose (e.g. to properly investigate incidents which are the subject of a claim, to keep business and accounting records, managing our business operations and to develop and improve our products and services). When using your personal information for these purposes, we will always consider your rights and interests.

In the case of sensitive personal information relating to your health, where such processing is necessary for an insurance purpose, we will rely on this legal ground for processing health personal data relating to an insurance policy or claim.
We need to use and process your sensitive personal information in the UK for purposes relating to an insurance policy or claim and there is a substantial public interest in such use. Such purposes include evaluating your insurance application and managing claims.
We need to use such sensitive personal information to establish, exercise or defend legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves.
You have provided your consent to our use of your sensitive personal information.

Purpose for processing	Legal grounds for using your personal information	Legal grounds for using your sensitive personal information
Handling and paying claims.	We have a justifiable purpose (to assess and pay claims and handle the claims process). We have a relevant legal or regulatory obligation.	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK. We need to use your information in order to establish, exercise or defend legal rights You have given us your explicit consent.
Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g. tax or legal advice). For business processes and activities including analysis, review, planning and business transactions.	We have a justifiable purpose (to effectively manage our business operations). We have a relevant legal or regulatory obligation.	You have given us your explicit consent.
Complying with our legal or regulatory obligations.	We have a relevant legal or regulatory obligation.	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes in the UK. You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
Prevention and detection of and investigating and fraud. This might include sharing your personal information with third parties such as An Garda Siochana and other insurance and financial services providers and insurance industry databases.	We have a justifiable purpose (to prevent and detect fraud and other financial crime). We have a relevant legal or regulatory obligation.	In the case of health data, such use is necessary for insurance purposes. Such use is necessary for insurance purposes. We need to use your information in order to establish, exercise or defend legal rights You have given us your explicit consent.
Providing improved quality, training and security (for example, with respect to recorded or monitored phone calls to our contact numbers).	We have a justifiable purpose (to develop and improve the products and services we offer).	You have given us your explicit consent.
Investigating or detecting the unauthorised use of our systems, to secure our system and to ensure the effective operation of our systems)	We have a justifiable purpose (to ensure the integrity and security of our systems).	We need to use your information in order to establish, exercise or defend legal rights. You have given us your explicit consent
Transferring or selling part of our business or re-organising our company structure.	We have a justifiable purpose (to manage our business portfolio and re-organise our company). We have a relevant legal or regulatory obligation.	You have given us your explicit consent.

Who will we share your personal information with?

We will keep your personal information confidential and we will only share it where necessary for the purposes set out above with the following parties:

Other QBE Group companies for our general administration purposes or for the prevention and detection of fraud.
Our insurance partners such as brokers, sub-brokers, reinsurers or other companies who act as insurance distributors.
Third parties who assist in the administration of the insurance policy or claim. These include loss adjusters, claims handlers, private investigators, accountants, auditors, banks, lawyers and other experts including medical experts.
Other insurers (e.g. where another insurer is also involved in the claim which relates to the incident you witnessed).
Other insurers who provide our own insurance (reinsurers) and companies who arrange such reinsurance.
Fraud detection agencies and other third parties who operate and maintain fraud detection registers.
Investigative firms we ask to look into claims on our behalf in relation to suspected fraud.
Our regulators including the Central Bank of Ireland, the UK Financial Conduct Authority and the UK Prudential Regulation Authority.
An Garda Siochana and other third parties or law enforcement agencies where reasonably necessary for the prevention or detection of crime.
Our third-party service providers such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, document management providers, outsourced business process management providers, our subcontractors and tax advisers.
Selected third parties in connection with any sale, transfer or disposal of our business.

Brokers, sub-brokers appointed representatives and other business partners, such as lawyers and claims handlers

If you are a broker or sub-broker doing business with us, an appointed representative or other business partner such as a lawyer or claims handler, this section will be relevant to you and sets out our uses of your personal information.

What personal information will we collect?

Your name, address, date of birth and gender.
Contact information, including previous contact information, such as your telephone numbers and email addresses.
Information relating to your identity such as PPS number, passport number, vehicle registration number or driving licence number.
Information about your job such as job title and previous roles.
Information which we obtain as part of checking sanctions lists.
Information which we have gathered from publicly available sources such as internet search engines like Google, Companies Registration Office, Government department websites and social media sites, including Facebook, YouTube and LinkedIn.

What sensitive personal information will we collect?

Information relating to your criminal convictions (including offences and alleged offences and any court sentence or unspent criminal convictions).

How will we collect your information?

As well as obtaining information directly from you, we will collect information from:

Other QBE Group companies.
Publicly available sources such as internet search engines like Google, Companies Registration Office, Government department websites and social media sites, including Facebook, YouTube and LinkedIn.
From service providers who carry out sanctions checks.

What will we use your personal information for?

We need to use your personal information to enter into or perform the contract that we hold with you. For example, we may need certain information in order to operate our business partnership arrangement.
We have a legal or regulatory obligation to use such personal information. For example, we may be required to carry out certain background checks.
We need to use your personal information for a justifiable purpose (e.g. to keep business and accounting records, manage our business operations and to improve quality, training and security). When using your personal information for these purposes, we will always consider your rights and interests.

In the case of sensitive personal information relating to your health, where such processing is necessary for an insurance purpose, we will rely on this legal ground for processing health personal data relating to an insurance policy or claim. Such purposes include communicating with you to manage and handle your queries.
We need to use and process your sensitive personal information in the UK for purposes relating to an insurance policy or claim and there is a substantial public interest in such use. Such purposes include evaluating your insurance application and managing claims.
• We need to use your sensitive personal information to establish, exercise or defend legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves.
You have provided your consent to our use of your sensitive personal information.

Purpose for processing	Legal grounds for using your personal information	Legal grounds for using your sensitive personal information
Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g. tax or legal advice). For business processes and activities including analysis, review, planning and business transaction.	We have a justifiable purpose (to effectively manage our business operations). We have a relevant legal or regulatory obligation.	You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
To provide key business services such as policy and claims administration	We have a justifiable purpose (to effectively provide insurance services and rely on the expertise of other third parties to assist)	Not applicable.
To build and maintain our business relationships	We have a justifiable purpose (to build strong business relationships and manage such relationships).	Not applicable.
To communicate with you and provide you with marketing communications.	We have a justifiable purpose (to operate and develop our business).	Not applicable.
Complying with our legal or regulatory obligations.	We need to use your information in order to comply with our legal obligations.	You have given us your explicit consent. In the case of health data processing, such use is necessary for insurance purposes. Such use is necessary for insurance purposes. We need to use your information in order to establish, exercise or defend legal rights.
Providing improved quality, training and security (for example, with respect to recorded or monitored phone calls to our contact numbers).	We have a justifiable purpose (to develop and improve the products and services we offer).	Not applicable.
Communicating with you to manage and handle your queries.	We have a justifiable purpose (to send you communications to effectively manage our business and respond to your queries). It is necessary to enter into or perform our contract with you.	Not applicable.
Investigating or detecting the unauthorised use of our systems, to secure our systems and to ensure the effective operation of our systems).	We have a justifiable purpose (to ensure the integrity and security of our systems).	We need to use your information in order to establish, exercise or defend legal rights. You have given us your explicit consent
Transferring or selling part of our business or re-organising our company structure.	We have a justifiable purpose (to manage our business portfolio and re-organise our company). We have a relevant legal or regulatory obligation.	You have given us your explicit consent.

Who will we share your personal information with?

We will keep your personal information confidential and we will only share it where necessary for the purposes set out above with the following parties:

Our policyholders and other third parties such as claimants where relevant.
Other QBE Group companies for our general administration purposes, marketing purposes in accordance with the preferences you have expressed or for the prevention and detection of fraud.
Our insurance partners such as brokers, sub-brokers, reinsurers or other companies who act as insurance distributors.
Third parties who assist in the administration of the insurance policy or claim. These include loss adjusters, claims handlers, private investigators, accountants, auditors, banks, lawyers and other experts including medical experts.
Other insurers who provide our own insurance (reinsurers) and companies who arrange such reinsurance.
Third parties who provide sanctions checking services.
Fraud detection agencies and other third parties who operate and maintain fraud detection registers.
Our regulators including the Central Bank of Ireland, the UK Financial Conduct Authority and the UK Prudential Regulation Authority.
An Garda Siochana and other third parties or law enforcement agencies where reasonably necessary for the prevention or detection of crime.
Our third party service providers such as IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers, our subcontractors and tax advisers.
Selected third parties in connection with any sale, transfer or disposal of our business.

Users of the QBE websites

If you are a user of the QBE websites, this section will be relevant to you and sets out our uses of your personal information.

What personal information will we collect?

General information submitted via the website, for example where you provide your details via the contact us section such as your name, contact details (telephone numbers and email addresses) and company name.
Information obtained through our use of cookies. You can find more information about this in section 10.

What sensitive personal information will we collect?

Information submitted through the claim reporting tool for motor incidents including:

Details about criminal convictions and any related information. This will include information relating to any offences or alleged offences committed and any caution, court sentence, or criminal sentence which you or your drivers are or have been subject to.
Details about known medical conditions
Details of any injuries which have been suffered by a beneficiary or a third party.

How will we collect your personal information?

We will collect your information directly from our website.

What will we use your personal information for?

We need to use your personal information for a justifiable purpose (e.g. to monitor the number of visitors and usage of our website, to follow up on enquiries and to provide marketing information to you). When using your personal information for these purposes, we will always consider your rights and interests.

Purpose for processing	Legal grounds for using your personal information	Legal grounds for using your sensitive personal information
To follow up on enquiries you make.	We have a justifiable purpose (to respond to your queries).	You have given us your explicit consent. In the case of health data processing, such use is necessary for insurance purposes. Such use is necessary for insurance purposes.
To provide marketing information to you (including information about other products and services and undertaking customer surveys) in accordance with preferences you have expressed.	We have a justifiable purpose (to send you selected communications about other products and services we offer)	You have given us your explicit consent.

Who will we share your personal information with?

We will keep your personal information confidential and we will only share it where necessary for the purposes set out above with our QBE Group companies.

4. What marketing activities do we carry out?

We only send marketing communications to our business contacts such as brokers, sub-brokers, appointed representatives and other business partners. We will send marketing communications via post, email, telephone and social media.

You can opt-out of marketing communications at any time by contacting us using the details set out in section 11 below.

5. How long do we keep your personal information for?

We will keep your personal information for as long as reasonably necessary to fulfil the purposes set out in section 3 above and to comply with our legal and regulatory obligations.

We have a detailed retention policy in place which governs how long we will hold different types of information for. The exact time period will depend on your relationship with us and the type of personal information we hold, for example:

If you take out a policy with us but do not make a claim, we will keep your personal information for 7 years from the expiry of your policy.
If you make a claim under a policy we provide, we will keep your personal information for 7 years from the date on which the claim is settled.
If we have a business relationship with you, we will retain your details for the lifetime of such relationship and for 7 years after.
Where an insurance quote has not been taken up, we will hold quote and related personal information for a period of 6 months.

If you would like further information regarding the periods for which your personal information will be stored, please contact us using the details set out in section 11.

6. What is our approach to sending information overseas?

Sometimes we (or third parties acting on our behalf) will transfer personal information that we collect about you to countries outside of the European Economic Area ("EEA").

Where a transfer occurs we will take steps to ensure that your personal information is protected. We will do this using a number of different methods including:

putting in place appropriate contracts. We will use a set of contract wording known as the "Standard Contractual Clauses" which has been approved by the data protection authorities. You can find out more about the Standard Contractual Clauses here.
transferring personal information only to countries which have been deemed by European data protection authorities to have adequate levels of data protection. You can find out more about this here.

Depending on our relationship and your particular circumstances, we might transfer personal information anywhere in the world. A summary of our regular data transfers outside the EEA is set out below:

Country of transfer	Reason for the transfer	Method we use to protect your information
Australia	Reporting to our parent company	Standard Contractual Clauses
Philippines	Some of our back-office functions are provided by our Group Shared Services Centre in the Philippines.	Standard Contractual Clauses
USA	Our email system is provided through a hosted service with servers located in the USA.	Standard Contractual Clauses
India	Some of our third party IT and technology suppliers provide some of their services from India.	Standard Contractual Clauses

If you would like further information regarding our data transfers and the steps we take to safeguard your personal information, please contact us using the details set out in section 11.

7. How do we protect your information

We have a package of technical and organisational measures in place to protect your personal information which have been adopted to comply with the latest data protection requirements. The measures cover various aspects of data security including the following:

Encryption, data masking and activity logging as appropriate
Putting in place access controls and maintaining access logs
Having minimum password requirements and requiring regular changes to passwords
Having physical access controls to our offices
Implementing procedures for security incident management and back-up and recovery and having in place disaster recovery and business continuity plans
Use of firewalls and up-to-date virus scanning software and email filtering services
Providing regular security and privacy/data protection training for all our employees

8. Profiling and Automated Decision Making

What is profiling?

Profiling is any form of automated processing of personal information to evaluate certain personal aspects. Insurance underwriting, and sometimes claims payment, is based on profiling as it assesses the event that you are seeking to insure and the likelihood of that event occurring.

We use profiling as part of:

Assessing insurance applications. For example, when we are considering whether or not to offer a motor policy, we will consider the likelihood of an accident occurring (e.g. using your claims history) and the likely cost of replacing your vehicle (e.g. using our wider experience of dealing with other claims). We will compare this information against industry averages and our previous experience. We will use the outcome of that profiling to decide whether or not to offer insurance and the premium price.
Assessing and administering claims. We use systems as part of our claims process to inform the questions we ask of you and to help us decide on an appropriate settlement figure. For example, if you are making a claim for injury, we will use information relating to your injury, treatment and prognosis to generate a valuation band for your injuries.
Preventing and detecting insurance fraud. We use systems to help us recognise likely indications of insurance fraud. This might result in a claim being passed to our fraud team for further investigation.

We keep our profiling process under regular review and, in most cases, an individual will then make a decision based on the outcome of that profiling.

What is automated decision making?

Automated decision making is widely used in the insurance industry to offer and administer insurance efficiently and accurately. Where an automated decision produces a legal or other similarly significant effect concerning you (for example, where your policy or claim is rejected), we will only carry out automated decision making:

using your personal information where it is necessary for the purposes of entering into or performing a contract with you (e.g. to assess your insurance application);
using your sensitive personal information where it is necessary for an insurance purpose (such as administering your claim or detecting insurance fraud).

In all other cases, we will ask for your consent in advance.

Please see section 9 for the rights that arise when we carry out automated decision making.

9. Your rights

Please note that although we take your rights seriously, there may be some circumstances where we cannot comply with your request such as where complying with it would mean that we couldn't comply with our own legal or regulatory obligations. In these instances we will let you know why we cannot comply with your request.

In some circumstances, complying with your request may result in your insurance policy being cancelled or your claim being discontinued. For example, if you request erasure of your personal information, we would not have the information required to pay your claim. We will inform you of this at the time you make a request.

The right to access your personal information

You are entitled to a copy of the personal information we hold about you and certain details about how we use it.

The right to rectification

We always take care to ensure that the information we hold about you is accurate and where necessary up to date. If you believe that there are any inaccuracies, discrepancies or gaps in the information we hold about you, you can contact us and ask us to update or amend it.

The right to restriction of processing

The right to withdraw your consent

Where we rely on your consent in order to process your personal information, you have the right to withdraw such consent to further use of your personal information.

Please note that for some purposes, we need your consent in order to provide your policy or handle your claim. If you withdraw your consent, we may need to cancel your policy or we may be unable to pay your claim. We will advise you of this at the point you seek to withdraw your consent.

The right to erasure

Whilst we will assess every request, there are other factors that will need to be taken into consideration. For example we may be unable to erase your information as you have requested because we have a legal or regulatory obligation to keep it.

The right to object

In certain cases, you have the right to object to our processing. This arises in relation to:

Marketing: You have control over the extent to which we market to you and you have the right to request that we stop sending you marketing messages at any time. You can do this either by clicking on the "unsubscribe" button in any email that we send to you or by clicking the link in section 11. Please note that even if you exercise this right because you do not want to receive marketing messages, we may still send you service related communications where necessary.

Processing based on our justifiable purpose: Where we process your personal information on the basis of a justifiable purpose, you can object to such processing, unless our purpose outweighs any prejudice to your privacy rights.

The right to data portability

In certain circumstances, you can request that we transfer personal information that you have provided to us directly to a third party.

Rights relating to automated decision-making

The right to make a complaint to the DPC

You have a right to complain to the Data Protection Commission (DPC) if you believe that we have breached data protection laws when using your personal information. You can visit the DPC's website at www.dataprotection.ie for more information. Please note that lodging a complaint will not affect any other legal rights or remedies that you have.

Privacy Policy

Our Privacy Policy

Report a Data Breach

Fair Processing Notice

What is profiling?

What is automated decision making?

The right to access your personal information

The right to rectification

The right to restriction of processing

The right to withdraw your consent

The right to erasure

The right to object

The right to data portability

Rights relating to automated decision-making

The right to make a complaint to the ICO

Ireland Privacy Policy

Our Privacy Policy

Report a Data Breach

Fair Processing Notice

Prospective policyholders or beneficiaries

Policyholder or beneficiary under an insurance policy

Third party claimant and prospective claimants and third parties under commercial insurance policies

Witnesses to an incident or other individuals who provide us with information in relation to an incident

Brokers, sub-brokers appointed representatives and other business partners, such as lawyers and claims handlers

Users of the QBE websites

What is profiling?

What is automated decision making?

The right to access your personal information

The right to rectification

The right to restriction of processing

The right to withdraw your consent

The right to erasure

The right to object

The right to data portability

Rights relating to automated decision-making

The right to make a complaint to the DPC

Downloads