Affected by Coronavirus? Visit our help and guidance
Your browser's out of date so you may not be able to use some of the features on our website. For the best experience, we recommend upgrading your browser to a newer version.
Hastings Direct.

Privacy notice

Your privacy is important and we go to great lengths to protect it. This privacy notice tells you about the personal data we hold about you and explains how we collect, use and share your details. It also tells you about your rights under data protection laws.

Some of the personal information we collect is for vehicle insurance only, so you won’t be asked for all of the information detailed here if you’re applying for home insurance.

Here at Hastings Group Holdings plc, we'll always treat your personal data with respect and our products and services are designed with your privacy in mind.

Hastings Group Holdings plc consists of the data controllers Hastings Insurance Services Ltd and Advantage Insurance Company Ltd. You can find Advantage's privacy notice here.

We are Hastings Insurance Services Limited (also referred to as 'Hastings Direct', 'we', 'us' or 'our') and our registered office is at Conquest House, Collington Avenue, Bexhill-on-Sea, East Sussex, TN39 3LW.

Our ICO registration number is Z7677970.

This is information relating to you as an individual that's linked to your name or any other way you can be identified, such as your driving licence number or your insurance policy number.

Certain types of personal information are considered to be special categories of information, due to their more sensitive nature. Sometimes we'll ask for (or obtain) special categories of information because it's relevant to your insurance policy or claim. For example, to assess risk correctly, we'll ask you about previous motoring convictions. This privacy notice highlights where we're likely to obtain special categories of information and the grounds on which we process this data. We'll only process special categories of information if they're relevant e.g. information about your health and criminal convictions.

The personal information we collect will depend on our relationship with you. We've included a number of sections below – simply read those which most apply to your relationship with us.

If you give us personal information about other people you must make sure they are aware of this privacy policy. You must also get their consent where we've indicated we'll need it.

  • This section shows what personal information we collect and use about you if you're:

    • A prospective customer and have submitted your personal information so we can provide you with an insurance quote.
    • Somebody named on a quote.

    (Both of these include any quotes obtained from price comparison websites)

    • An existing customer, either as the policy holder or covered by the policy.

    The personal information we'll collect and where we'll collect it from.

    The following information will be collected from you (or anyone applying for a policy on your behalf) online or by phone if relevant to the insurance policy:

    • Individual details: Your name, address, former address, contact details (e.g. email/telephone), gender, marital status, date of birth, length of time as a UK resident.
    • Employment information: Your job title and the nature of the industry you work in.
    • Identification details: For example, your driving licence number.
    • Previous and current claims: Any previous insurance policies you've held and claims made against those policies.
    • Other risk details: Details about the car to be insured, along with these special categories of information relating to each driver:
      • Health data: Physical or mental health factors relevant to the insurance application, e.g. DVLA notifiable conditions.
      • Criminal convictions: Any which are unspent under the Rehabilitation of Offenders Act, including any motoring and non-motoring offences/alleged offences committed or any court sentences you're subject to.
    • Marketing preferences: This includes whether you've given your consent to receive marketing information.
    • Website use, including cookies and use of our web chat service: See section 3.4 below for details.
    • Other information: This will be captured during recordings of any telephone calls or if you make a complaint. This may include special categories of information you provide when talking with us (we won't process these without your consent).
    • Financial information: Bank and payment information.
    • Driving information: If the insurance policy chosen allows for the tracking of your driving as part of the policy, the device used collects a wide range of driving data, when the car is both moving and stationary, such as:
      • Date/time: This helps us to understand what time of day the car is driven.
      • Locational data: To understand what roads are driven and the location of the vehicle when it's moving or stationary inc. Latitude, Longitude, heading and direction. It also supports the theft tracking service.
      • Speed, acceleration, cornering and braking data: To understand how smooth the driving style is.
      • Accident detection: This helps us to operate the accident alert service and to understand the circumstances relating to any accident.
      • Mobile phone use: If the driving data is collected by an app on your mobile, the app will record that the mobile is being used in another way but it will not record any of the specific data or details of the other use.
    • Additional identification details: In some situations, we may ask you for further information and/or copies of documents so that we can validate your identity. This may include details about your residency, marital status, address, driving licence details or details of your car. It could also include special categories of information (e.g. driving licence - convictions...)
    • Claims information: This will be in relation to any incident or alleged incident involving the insured car. This includes special categories of information you give us when talking to us about your claim (we'll only process this to the extent necessary in connection with your claim or in connection with legal proceedings).

    We use external sources to supplement and verify the information above. We also use them to provide the following new information, to help us understand you as a customer:

    • Credit and anti-fraud data: Credit history, credit score, sanctions and criminal offences, bankruptcy orders, individual voluntary arrangements (IVAs) or county court judgments, and information received from various anti-fraud databases. Some of this information (e.g. criminal offences) may include special categories of information about you.
    • Demographic data: Lifestyle indicators such as income, education and the size of your household.
    • Open source data: Different types of data which is in the public domain. When proportionate to do so, this will include social media about you or the circumstances of any accident.
    • Photo or video data: Includes photos taken of the damage or footage recorded relating to a claim (including accident circumstances and interviews).
    • Claims assessment reports: This could be from engineers, medical experts, claims investigators and, in limited circumstances, private investigators. Some assessment reports may include special categories of information about you.

    Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud, money laundering and to verify your identity. We use external sources to supplement and verify the information above, and to provide the following new information:

    • Credit and anti-fraud data: Credit history, credit score, sanctions and criminal offences, bankruptcy orders, individual voluntary arrangements (IVAs) or county court judgements, and information received from various anti-fraud databases. Some of this information (e.g. criminal offences) may include special categories of information relating to you.
    • Demographic data: Lifestyle indicators such as income, education, and size of your household.
    • Open source data: Other information about you that is publicly available.
    • Driving data: In relation to previously held policies.

    The external sources that provide us with information about you include:

    • The person applying for the policy (where you're an individual named under a quote) or anyone authorised to act on your or their behalf.
    • Other insurance companies.
    • Other third parties involved in the insurance application process, such as the price comparison website used or other insurers.
    • Credit reference agencies.
    • Providers of demographic data and vehicle data.
    • Financial crime detection agencies and insurance industry financial crime databases (such as for fraud prevention and checking against international sanctions) including the Claims and Underwriting Exchange (known as 'CUE') and CIFAS.
    • Insurance industry bodies and databases (including but not limited to the Motor Insurance Anti-Fraud and Theft register and the No Claims History database).
    • In the event of a claim:
      • Other parties involved in any claim, including passengers, witnesses and any third party claimants or their insurers.
      • Third party suppliers who help us provide services when a claim is made (such as external claims handlers, our repair network, medical experts, claims investigators and private investigators).
    • Third party suppliers we use to help us to carry out:
      • Our everyday business activities including IT suppliers, actuaries, auditors, lawyers, debt collection agencies, document management providers, outsourced business process management providers, our subcontractors and tax advisors.
    • Government agencies and bodies such as the DVLA or regulators where required (e.g. the Financial Conduct Authority).
    • Publicly available sources (e.g. the electoral roll, court judgments, insolvency registers, internet search engines, news articles) and sources licensed under the Open Government Licence v 3.0.
    • Other third parties involved in your insurance policy or a claim (e.g. other insurers).
    • Our reinsurers.

    Under our User Agreement with the Motor Insurance Bureau, our individual customer representatives don't have access to the data returned by a driving licence number search (DLN) and won't be able to discuss issues relating to your DLN with you. In these cases, we suggest you check the information associated with your DLN is correct at www.gov.uk/view-driving-licence.

    What we use your personal information for

    We may process your personal information for a number of different purposes. We must have a legal ground for each purpose and we'll rely on the following grounds:

    • We need your personal information because it is necessary to enter into or perform a contract (e.g. you request a quote with a view to entering into an insurance contract).
    • We have a legitimate interest to use your personal information (e.g. to keep a record of the decisions we make when different types of applications are made, keep business records, carry out strategic business analysis, review our business planning and/or develop and improve our products and services). When using your personal information in this way, we'll always consider your rights and interests.
    • We have a legal or regulatory obligation to use your personal information (e.g. to meet the record-keeping requirements of our regulators).

    We must have an additional legal ground for processing special categories of information. We'll rely on the following:

    • It's in the substantial public interest and it's necessary for an insurance purpose (e.g. assessing your insurance application and managing claims) or to prevent and detect an unlawful act (e.g. fraud).
    • To establish, exercise or defend legal claims e.g. when legal proceedings are being brought against us or we want to bring a legal claim ourselves).

    See the table below. Where we've used the acronym PH this refers to the policyholder of any insurance product. In the case of vehicle insurance, ND refers to any named driver on the quote.

    Type of processing Grounds for using personal information Grounds for special categories
    To assess your insurance application and provide a quote (or a quote you're named in)
    • PH – To enter into or perform a contract
    • ND – We have a legitimate interest (to assess the insurance application and provide a quote)
    • It's necessary for an insurance purpose
    To verify your identity or carry out fraud, credit and anti-money laundering checks for an insurance application or to provide a quote (or a quote you're named in)
    • PH – To enter into or perform a contract
    • PH – To enter into or perform a contract
    • It's necessary for an insurance purpose
    • It's in the substantial public interest to prevent or detect unlawful acts
    • To establish, exercise or defend legal rights
    To set up your insurance policy (or a policy you're covered on)
    • PH – To enter into or perform a contract
    • ND – We have a legitimate interest (to set up and validate insurance policies)
    • It's necessary for an insurance purpose
    To communicate with you to manage queries and resolve any complaints you might have
    • To enter into or perform a contract
    • We have a legitimate interest (to send you communications, record and handle complaints)
    • It's necessary for an insurance purpose
    • To establish, exercise or defend legal rights
    To comply with our legal or regulatory obligations
    • We have a legal or regulatory obligation
    • It's necessary for an insurance purpose
    • To establish, exercise or defend legal rights
    To make sure we consider any customers who may be in a vulnerable circumstance
    • We have a legitimate interest (to ensure a consistent service to all of our customers and that all customers are treated equally)
    • It's necessary for an insurance purpose
    To manage any claims you make under your insurance policy (or a policy you're covered on)
    • PH – To enter into or perform a contract
    • ND – We have a legitimate interest (to pay claims and manage the claims process)
    • It's necessary for an insurance purpose
    • To establish, exercise or defend legal rights
    Using driving data to monitor driving practices
    • PH – To enter into or perform a contract
    • ND – We have a legitimate interest (to monitor the driving style of drivers insured by us)
    • We won't process your special categories of information for this purpose
    To assist in renewal pricing
    • We have a legitimate interest (to develop and improve our products and services)
    • It's necessary for an insurance purpose
    To prevent and investigate fraud on an ongoing basis
    • We have a legitimate interest (to prevent and detect fraud and other financial crime)
    • It's in the substantial public interest to prevent or detect unlawful acts (where we suspect fraud)
    • To establish, exercise or defend legal rights
    For debt collection purposes
    • To enter into or perform a contract
    • We won't process your special categories of information for this purpose
    To provide improved quality, training and security (e.g. through recorded or monitored phone calls to/from us, or customer satisfaction surveys)
    • We have a legitimate interest (to develop and improve our products and services)
    • We won't process your special categories of information for this purpose
    Managing our business operations (e.g. keeping accounting records, analysing financial results, meeting audit requirements, receiving professional advice, and holding our own insurance)
    • We have a legitimate interest (to carry out business operations and activities that are necessary for the everyday running of a business)
    • We won't process your special categories of information for this purpose
    For insurance administration purposes including trend analysis, actuarial work, pricing analysis, analysis of customer experience, planning service delivery, risk assessment, and costs and charges
    • We have a legitimate interest (to develop and improve our products and services)
    • We won't process your special categories of information for this purpose
    To send you marketing materials about our products and services (with your permission)
    • We have a legitimate interest (to market our products)
    • We won't process your special categories of information for this purpose

    Who we'll share your personal information with

    We'll share personal information within Hastings Group Holdings plc and/or the following third parties, for the purposes laid out in the table above:

    • Credit reference agencies including debt collection agencies when required.
    • Finance institutions to allow us to carry out a financial transaction for your policy. For example, when you pay for your policy, we may use Worldpay (UK) Limited as a data controller for your personal data to process your card payment – please refer to their privacy notice to find out how they process this information.
    • Insurers who support our products (e.g. our motor legal protection provider or providers of any optional extras bought alongside your policy).
    • Our providers who need your information to provide a service to you (e.g. claims services, our repair network, optional extra products, repair quotes etc).
    • Providers of demographic data and vehicle data.
    • Financial crime detection agencies and insurance industry financial crime databases (such as for fraud prevention and checking against international sanctions) including the Claims and Underwriting Exchange (known as 'CUE') and CIFAS.
    • Insurance industry bodies and databases (including but not limited to the Motor Insurance Anti-Fraud and Theft register and the No Claims History database).
    • Government agencies and bodies such as the DVLA, Department for Work & Pensions, or regulators (e.g. Financial Conduct Authority).
    • Other third parties involved in the insurance application process such as the price comparison website used or other insurers.
    • Third party suppliers we use to help us carry out our everyday business activities including IT suppliers, actuaries, auditors, lawyers, debt collection agencies, document management providers, outsourced business process management providers, our subcontractors and tax advisors.
    • The police and other crime prevention and detection agencies. We and fraud prevention agencies may enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
    • Selected third parties in connection with any sale, transfer or disposal of our business.
    • Where you've bought a policy using an introductory cash back incentive code or link or claim a reward through one of the price comparison websites, the relevant incentive provider.

    Sharing of motor vehicle driving data: Once you've taken a driving policy where collecting your driving behaviour is part of the contract and you've activated the device, it will record and provide us with data about your driving style. It will collect a wide range of driving data such as date, time, location, speed, acceleration, cornering and braking. If the device is an app on a mobile it will also record mobile phone use. It won't record details about the actual use but the fact that it has been used. By assessing the data, it allows us to provide customers with advice on safer driving.

    For these types of products we'll share driving data only in the following circumstances:

    • With third parties where we need to do so to manage the insurance policy or any claims (e.g. with our accident recovery partners if the car needs to be recovered following an accident).
    • Where your monitoring device was supplied by a third party, the monitored data is processed by them, as well as our Group.
    • With insurance industry bodies and databases (including, but not limited to, the Motor Insurance Anti-Fraud and Theft register and the No Claims History database).
    • Between departments within the company and/or group. For example:
      • To help reduce fraud, by checking if another person is making a false claim against the driver, the driver is making a false claim against someone else or for debt recovery.
      • To encourage safer driving by examining how various groups drive and at what time of day the most incidents happen.
      • To help calculate tailored renewal premiums for policyholders.
      • To research and refine techniques for analysing driving data, including looking at road safety issues such as analysis of certain roads to identify the risks they represent.
    • Analytics suppliers use the data for research (e.g. to improve road safety). Any information we share is made anonymous and does not contain any information classed as personal data under the data protection regulations. This means none of the data can be linked to the policyholder.

    Sometimes the police and other regulatory bodies (such as the Department for Works & Pensions) may ask us to send them information from the collected driving data about journeys made in the insured car. This is so they can investigate road traffic accidents and also work to prevent, detect and investigate criminal and fraudulent activities.

  • What personal information we'll collect and where we'll collect it from

    We'll collect the following personal information from you, or from our customer if details were exchanged at the time of the accident, where relevant to your claim:

    • Individual details: Your name, address, contact details (e.g. email/telephone), gender, marital status, date of birth, nationality.
    • Employment information: Your job title and the nature of the industry you work in.
    • Identification details: Your national insurance number, passport information, driving licence number.
    • Previous and current claims: Any previous insurance policies you have held and claims made against those policies.
    • Information which may be relevant to your claim: This includes the name and contact details of your insurer, details about your car/property and details about your claim (including any statements, photos/video footage, claims assessment reports and driving data). This information may include the following special categories of information relating to you:
      • Health data: Physical or mental health factors which are relevant to your claim (e.g. where you've been injured in a motor accident and the driver is insured through us). This may include medical records relating to any injuries.
      • Criminal convictions: Any which are unspent under the Rehabilitation of Offenders Act. This includes motoring and non-motoring offences/alleged offences you have committed or any court sentences you're subject to.
    • Financial information: Bank and payment information.
    • Website use, including cookies and use of our web chat service: See section 3.4 below for details.
    • Other information: Any that we capture during recordings of our telephone calls or if you make a complaint. This may include special categories of information you volunteer when communicating with us. We'll only process such information to the extent necessary in connection with the claim or in connection with legal proceedings. Any further processing will only be with your explicit consent.

    We use external sources to supplement and verify the information above and also to provide the following new information:

    • Individual details: Your name, address, contact details (e.g. email/telephone), date of birth and nationality.
    • Credit and anti-fraud data: Credit history, credit score, sanctions and criminal offences, bankruptcy orders, individual voluntary arrangements (IVAs) or county court judgments, and information received from various anti-fraud databases. Some of this information (e.g. criminal offences) may include special categories of information relating to you.
    • Demographic data: Lifestyle indicators such as income, education and size of your household.
    • Open source data: Other information which is publicly available (including social media), which relates to you or the circumstances of any accident.

    The external sources that provide us with information about you include:

    • Other parties involved in your claim, including any named individual insured through us, passengers, witnesses or other third party claimants.
    • Other Hastings Group Holdings plc companies.
    • Third party suppliers we use to help us:
      • Carry out our everyday business activities including IT suppliers, actuaries, auditors, lawyers, debt collection agencies, document management providers, outsourced business process management providers, our subcontractors and tax advisors.
      • Provide a service in relation to a claim (e.g. external claims handlers, our accident repair network, medical experts, claims investigators and, in limited circumstances, private investigators).
    • Credit reference agencies.
    • Data enrichment providers to assist in contact details for the processing of any claim.
    • Providers of demographic data and vehicle data.
    • Financial crime detection agencies and insurance industry databases (e.g. for fraud prevention and checking against international sanctions) including the Claims Underwriting Exchange (known as 'CUE') and CIFAS.
    • Insurance industry bodies and databases (including, but not limited to, the Motor Insurance Anti-Fraud and Theft register and the No Claims History database).
    • Government agencies and bodies such as the DVLA, HMRC, Department for Work & Pensions, or professional regulators (e.g. the Financial Conduct Authority).
    • Publicly available sources (e.g. the electoral roll, court judgments, insolvency registers, internet search engines, news articles, social media) and sources licensed under the Open Government Licence v 3.0.
    • The police and other crime prevention and detection agencies. We and fraud prevention agencies may enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
    • Other third parties involved in your insurance policy or a claim (e.g. other insurers).
    • Our reinsurers.

    What we'll use your personal information for

    We may process your personal information for a number of different purposes. We must have a legal ground for each purpose and we'll rely on the following grounds:

    • We have a legitimate interest to use your personal information (e.g. to keep a record of the decisions we make when different types of applications are made, keep business records, carry out strategic business analysis, review our business planning and develop and improve our products and services). When using your personal information in this way, we'll always consider your rights and interests.
    • We have a legal or regulatory obligation to use your personal information (e.g. to meet the record-keeping requirements of our regulators).

    For special categories of information, we must have an additional legal ground for processing. We'll rely on the following:

    • It's in the substantial public interest and it's necessary for an insurance purpose (e.g. assessing your insurance application and managing claims), or to prevent and detect an unlawful act (e.g. fraud).
    • To establish, exercise or defend legal rights e.g. legal proceedings are being brought against us or we want to bring a legal claim ourselves).

    Here's how we use your personal information and the legal grounds we rely on:

    Type of processing Grounds for using personal information Grounds for special categories
    To manage claims
    • We have a legitimate interest (to assess and pay your claim and manage the claims process)
    • We have a legal or regulatory obligation
    • To establish, exercise or defend legal rights
    To verify your identity, prevent and investigate fraud
    • We have a legitimate interest (to prevent and detect fraud and other financial crime)
    • It's in the substantial public interest to prevent or detect unlawful acts (where we suspect fraud)
    • To establish, exercise or defend legal rights
    To comply with our legal or regulatory obligations
    • We have a legal or regulatory obligation
    • To establish, exercise or defend legal rights
    • It's necessary for an insurance purpose
    To communicate with you in any way and/or resolve any complaints you might have
    • We have a legitimate interest (to send you communications, record and handle complaints)
    • You've given us your explicit consent
    • To establish, exercise or defend legal rights
    To provide improved quality, training and security (e.g. through recorded or monitored phone calls to/from us or customer satisfaction surveys)
    • We have a legitimate interest (to develop and improve our products and services)
    We won't process your special categories of information for this purpose
    Managing our business operations (e.g. keeping accounting records, analysing financial results, meeting audit requirements, receiving professional advice and holding our own insurance)
    • We have a legitimate interest (to carry out business operations and activities that are necessary for the everyday running of a business)
    We won't process your special categories of information for this purpose
    For insurance administration purposes including trend analysis, actuarial work, pricing analysis, analysis of customer experience, planning service delivery, risk assessment and costs and charges
    • We have a legitimate interest (to develop and improve our products and services)
    We won't process your special categories of information for this purpose

    Who we'll share your personal information with

    We'll share personal information within Hastings Group Holdings plc and/or with the following third parties for the purposes laid out in the table above:

    • Third parties involved in administration in any part of the relevant insurance policy or claim. These include loss adjusters, claims handlers, private investigators, data enrichment providers to gain contact details, accountants, auditors, banks, lawyers and other experts including medical experts.
    • Other insurers (e.g. where another insurer has previously provided you with a policy or handled a claim) and our reinsurers.
    • Third party suppliers we appoint to help us carry out our everyday business activities including IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers, our subcontractors and tax advisors.
    • Insurance brokers and other intermediaries.
    • Credit reference agencies.
    • Insurance industry bodies and databases (including, but not limited to, the Motor Insurance Anti-Fraud and Theft register and the No Claims History database).
    • Financial crime detection agencies and insurance industry databases (e.g. for fraud prevention and checking against international sanctions) including the Claims Underwriting Exchange (known as 'CUE').
    • Government agencies and bodies such as the DVLA, HMRC, Department for Work & Pensions, or regulators (e.g. Financial Conduct Authority).
    • Professional regulators (e.g. the Financial Conduct Authority in the UK).
    • The police and other crime prevention and detection agencies. We and fraud prevention agencies may enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
    • Selected third parties in connection with any sale, transfer or disposal of our business.
  • What personal information we'll collect and where we'll collect it from

    We'll collect the following personal information from you where relevant:

    • Individual details: Your name, address, contact details (e.g. email/telephone), gender, date of birth and nationality.
    • Employment information: Your job title and the nature of the industry you work in.
    • Identification details: Your national insurance number, passport information and driving licence.
    • Claims information: In relation to any incident or alleged incident you've witnessed.
    • Photo or video data: Includes photos or footage recorded relating to a claim (including accident circumstances and interviews).
    • Website use, including cookies and use of our web chat service: See section 3.4 below for details.
    • Other information: Any that we capture during recordings of our telephone calls or if you make a complaint. This may include other special categories of information you volunteer when communicating with us about the incident you witnessed. We'll only process this information where it relates to the incident itself or legal proceedings. Any further processing will only be with your explicit consent.

    We use external sources to supplement and verify the information above and also to provide the following new information. We would always have a justification and be proportionate:

    • Claims assessment reports: By both claims investigators, and in limited circumstances, private investigators.
    • Open source data: Unstructured data in the public domain, including social media, about you or the circumstances of any accident.

    The external sources that provide us with information about you include:

    • Other parties involved in the incident you witnessed (such as any named individual insured through us, passengers, other witnesses, third party claimants, brokers, insurers and the emergency services).
    • Other third parties who provide a service in relation to a claim (such as external claims handlers, our accident repair network, medical experts, claims investigators and, in limited circumstances, private investigators).
    • Publicly available sources (e.g. the electoral roll, court judgments, insolvency registers, internet search engines, news articles, social media).

    What we'll use your personal information for

    We may process your personal information for a number of different purposes. We must have a legal ground for each purpose and we'll rely on the following grounds:

    • We have a legal or regulatory obligation to use your personal information (our regulators impose certain record-keeping rules which we must adhere to).
    • We have a legitimate interest to use your personal information (e.g. to keep a record of the decisions we make when different types of applications are made, keep business records, carry out strategic business analysis, review our business planning and develop and improve our products and services). When using your personal information in this way, we'll always consider your rights and interests.

    We must have an additional legal ground for processing special categories of information. We'll rely on the following:

    • It is necessary for an insurance purpose and it's in the substantial public interest. This will apply where we're helping with any claims under a policy (we'll only rely on this legal ground if we've not been able to obtain or you've not given us your explicit consent) and undertaking any activities to prevent and detect fraud.
    • To establish, exercise or defend legal rights (e.g. legal proceedings are being brought against us or we want to bring a legal claim ourselves).

    Here's how we use your personal information and the legal grounds we rely on:

    Type of processing Grounds for using personal information Grounds for special categories
    To investigate and manage claims made under an insurance policy
    • We have a legitimate interest (to assess and pay claims and manage the claims process
    • You've given us your explicit consent or it's necessary for an insurance purpose
    • To establish, exercise or defend legal rights
    To comply with our legal or regulatory obligations
    • We have a legal or regulatory obligation
    • You've given us your explicit consent
    • To establish, exercise or defend legal rights
    To prevent and investigate fraud
    • We have a legitimate interest (to prevent and detect fraud and other financial crime)
    • It's in the substantial public interest to prevent or detect unlawful acts (where we suspect fraud)
    • To establish, exercise or defend legal rights
    For business processes and activities including analysis, review, planning and transactions
    • We have a legitimate interest (to effectively manage our business)
    We won't process your special categories of information for this purpose

    Who we'll share your personal information with

    We'll share personal information within Hastings Group Holdings plc and/or with the following third parties for the purposes laid out in the table above:

    • Other parties involved in the incident you witnessed.
    • Other insurers (e.g. where another insurer is also involved in the claim which relates to the incident you witnessed) and our reinsurers.
    • Third parties involved in the administration of an insurance policy or claim. These include loss adjusters, claims handlers, accountants, auditors, banks, lawyers, medical experts and, in limited circumstances, private investigators.
    • Third party suppliers we use to help us carry out our everyday business activities including IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers, our subcontractors and tax advisors.
    • Insurance industry bodies and databases (including, but not limited to, the Motor Insurance Anti-Fraud and Theft register and the No Claims History database).
    • Financial crime detection agencies and insurance industry databases (e.g. for fraud prevention and checking against international sanctions) including the Claims Underwriting Exchange (known as 'CUE').
    • Government agencies and bodies such as the DVLA, HMRC, Department for Work & Pensions, or regulators (e.g. Financial Conduct Authority).
    • The police and other crime prevention and detection agencies. We and fraud prevention agencies may enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
    • Selected third parties in connection with any sale, transfer or disposal of our business.
  • What personal information we'll collect and where we'll collect it from

    We use various software (including cookies) to improve your digital journey and to identify and prevent fraud. We collect and store information about how you access and use our website, app and MyAccount (including the website you visited before coming to ours). We automatically receive the IP address of your computer, mobile device or the proxy server you use to access the internet and this may include information to identify your browser or device to analyse web traffic.

    Fraud prevention cookies collect information about certain features of your device, such as your IP address, device type, browser type, screen resolution and operating system. This is to prevent and detect devices associated with fraudulent or other malicious activity and allows us to authenticate your account.

    What we'll use your personal information for

    We may process your personal information for a number of different purposes. We must have a legal ground for each purpose and we'll rely on the following ground:

    • We have a legitimate interest to use your personal information (e.g. maintaining our business records, monitoring usage of our website, marketing our services, and improving our business model and services). When using your personal information in this way, we have considered your rights and ensured our business need doesn't cause you harm.

    Here's how we use your personal information and the legal grounds we rely on:

    Type of processing Grounds for using personal information Grounds for special categories
    Communicating with you and responding to any enquiries you have
    • We have a legitimate interest (to communicate with you or to respond to any enquiries)
    We won't process your special categories of information for this purpose.
    Monitoring usage of our website
    • We have a legitimate interest (to assess usage of our website)
    We won't process your special categories of information for this purpose

Sometimes we'll transfer the personal information we collect about you to countries outside of the European Economic Area ('EEA').

When a transfer happens we'll take steps to make sure your personal information is protected. We'll do this using a number of different methods including:

  • Only transferring data to countries that have been deemed by the EU as having adequate privacy legislation, so transferring data to them is considered equivalent to processing within the EU. You can find out more about adequacy status at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
  • Establishing appropriate contracts. We'll use a set of contract wording known as the 'standard contractual clauses' which has been approved by the data protection authorities.
  • Transferring personal data only to those companies in the United States who are certified under the 'Privacy Shield'. The Privacy Shield is a scheme under which companies certify they provide an adequate level of data protection. You can find out more about the Privacy Shield at: https://www.privacyshield.gov/Individuals-in-Europe.

We take your privacy very seriously and will only use your personal information for the purposes laid out in this Privacy Policy. When you've requested a quote or bought a policy with us we can contact you about similar products and services unless you have opted out. If we intend to market other products we will ask for your permission to do this first. We'll contact you for marketing purposes – for example, to offer other services or to ask if you want to take part in a competition we might run.

You may also give your permission for us to contact you when you visit a price comparison site for an insurance quote. This would be because our product featured in the top few providers with the most competitive price and you wanted us to contact you.

You're free to object to receiving any marketing material and can edit your marketing preferences at any time. To opt out of marketing communications please click 'unsubscribe' on any marketing message we send you or change your preferences in MyAccount. You can also call us.

We have a legitimate interest to be able to contact you to discuss how your policy (or your claim) is being administered. This form of contact falls outside of your marketing preferences and must continue so we can provide you with a policy effectively. This will never include marketing material and all information will be strictly related to your policy or claim.

We'll keep your personal information for as long as reasonably necessary to fulfil the purposes set out in section three above and to comply with our legal and regulatory obligations. We have a detailed retention policy in place which governs how long we'll hold different types of information for. The exact time period will depend on the purpose for which we collect that information, for example:

Policies, including driving data: Seven years after a policy expires and no further action on the policy is required.
Claims: Seven years after a claim has been closed unless there are extenuating circumstances requiring the claim to be held for longer.
Complaints: Seven years

In some circumstances, depending on the nature of your policy and any claims made under it, data may be kept for a further period. These circumstances could be:

  • Where children are involved in a claim.
  • Where there is a claim on your policy over a set amount - we use such personal data to inform our pricing models after the claim is finally determined.

In the circumstances of the prevention or detection of crime and the apprehension or prosecution of offenders, Hastings Insurance Service Limited and agencies can hold your personal data for different periods of time and, if you're considered to pose a fraud or money laundering risk, your data can be held for up to six years.

If a human is involved in the decision at any point it is not considered an automated decision. When deciding whether to offer an insurance policy, we use automated processing. The process considers the information you provide us, as well as information from other sources such as search tools. These are used to determine whether your application for insurance can be accepted and what the price of the policy should be. The automated decisions include:

  • The creation of pricing models and risk acceptance criteria.
  • The application of the pricing and risk models using data we hold about you, to accept or decline your request for insurance and to calculate the price of your policy.
  • Assessing your ability to pay the insurance premiums and/or credit.
  • Assessing the risk of fraud being committed on your policy.

This means we may automatically decide you pose a fraud or money laundering risk. We do this if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.

If we, or a fraud prevention agency, determine you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be kept by the fraud prevention agencies and may result in others refusing to provide services, financing or employment to you.

Under data protection law you have a number of rights in relation to the personal information we hold about you. You can exercise these rights by contacting us. We won't usually charge you in relation to a request.

The right to access your personal information You're entitled to a copy of the personal information we hold about you and certain details of how we use it. We'll usually provide your personal information to you in an email unless you request otherwise.
The right to rectification We take reasonable steps to make sure the information we hold about you is accurate and, where necessary, up-to-date and complete. If you believe there are any inaccuracies, discrepancies or gaps in the information we hold about you, you can contact us and ask us to update or amend it.
The right to erasure This is sometimes known as the 'right to be forgotten'. It entitles you, in certain circumstances, to request your personal information be deleted. For example, where we no longer need your personal information for the original purpose we collected it for or where you have exercised your right to withdraw consent. While we will assess every request, there are other factors that will need to be taken into consideration. For example, we may not be able to erase your information as you've requested because we have a regulatory obligation to keep it.
The right to restriction of processing In certain circumstances, you're entitled to ask us to stop using your personal information, for example where you think the personal information we hold about you may be inaccurate or where you think we no longer need to use your personal information.
The right to data portability In certain circumstances, you can request we transfer personal information you've provided to us to a third party.
The right to object to marketing You have control over the extent to which we market to you and the right to request we stop sending you marketing messages at any time. You can do this either by clicking on the 'unsubscribe' link or button in any email we send you or by contacting us using the details set out in section 10. Even if you exercise this right because you do not want to receive marketing messages, we may still send you service related communications where necessary.
The right to object to processing In addition to the right to object to marketing, in certain circumstances you'll also have the right to object to us processing your personal information. This will be when we're relying on there being a legitimate interest to process your personal information. In some circumstances, we will not be able to cease processing your information, but we'll let you know if this is the case.
Rights relating to automated decisions If you've been subject to an automated decision and don't agree with the outcome, you can ask us to review it.
The right to withdraw consent Where we rely on your consent in order to process your personal information, you have the right to withdraw such consent to the further use of your personal information. We'll advise you of this at the point of collection of your data.
The right to lodge a complaint with the ICO You have a right to complain to the Information Commissioner's Office if you believe that any use of your personal information by us is in breach of applicable data protection laws and/or regulations. More information can be found on the Information Commissioner's Office website. This will not affect any other legal rights or remedies that you have.

There may be some circumstances where we cannot comply with your request. For example, we would not be able to agree to your request if it would mean we couldn't comply with our own legal or regulatory requirements. In these instances, we'll let you know why we cannot agree to your request.

The protection of your personal data is very important to us. We take a number of technical and procedural measures to protect personal data. For example:

  • Where we capture your personal information through our website, we'll do this over a secure link using recognised industry standard technology (SSL) which encrypts data that's transmitted over the internet. Most browsers will indicate this by displaying a padlock symbol on the screen.
  • We prevent unauthorised electronic access to our servers by use of suitable firewalls and network security measures. We use strong internal antivirus and malware monitoring tools and conduct regular vulnerability scans to protect our internal infrastructure and also to protect communications we may send you electronically. Our servers are located in secure datacentres that are operated to recognised industry standards. Only authorised people are allowed entry and this is only in certain situations.
  • When you pay for a product by credit card, your card details are protected in accordance with the industry standard security practice called PCI DSS which includes the encryption of cardholder data if transmitted over the internet.
  • We make sure only authorised people within our business have access to your data. We do regular checks to validate that only the correct people have access. We promote responsible access to data and segregate who can see what data within the organisation.
  • Internally we have password policies in place which ensure passwords are strong and complex and are changed regularly.
  • We use secure email exchange where necessary for sensitive data and have security monitoring on all email we send and receive.
  • We schedule periodic checks of all security measures to ensure they continue to be efficient and effective, taking into account technological developments.

You can contact our Data Protection Officer if you want to exercise the rights set out above or if you have any questions about how we collect, store or use your personal information.

Please write to: The Data Protection Team, Hastings Insurance Services Limited, Conquest House, Collington Avenue, Bexhill-on-Sea TN39 3LW

Or

Email: dataprotection@hastingsdirect.com

Or

Call Hastings Direct Insurance on 0333 321 9801.

We may need to make changes to this Privacy Policy periodically. This could be as the result of government regulation, new technologies or other developments in data protection laws or privacy generally or where we identify new sources and uses of personal information (provided such use is compatible with the purposes for which the personal information was originally collected). The Data Protection Officer will make sure that this document is updated regularly or as legislation requires.

Join us...