We are committed to meeting our obligations under all applicable data protection legislation. We respect the information and privacy rights of all individuals, recognise the importance of the lawful treatment of Personal Data, and will collect and use personal information responsibly, securely and fairly. When processing Personal Data, companies incorporated, or individuals ordinarily resident, or with a branch, agency or other regular presence:
i) in the UK, are subject to the UK Data Protection Act 1998; or
ii) in the Republic of Ireland, are subject to the Irish Data Protection Acts 1988 and 2003.
Both the UK and Irish legislation (“the Acts”) are a result of implementation of the European Data Protection Directive No. 95/46/EC, which aims to harmonise data protection laws throughout the EEA. In this Guide we have adopted the definitions used in the Acts, but you may wish to refer to the Glossary at the end of this Guide for an explanation of certain key terms. The full text of the UK Act can be found on the UK Information Commissioner’s website at www.informationcommissioner.gov.uk, and the Irish Acts are at the Data Protection Commissioner’s site www.dataprotection.ie.
The main purpose of the Data Protection Directive and the Acts is to protect the freedoms and rights of individuals in the manner in which their Personal Data is processed by Data Controllers and Data Processors.
The Acts set out conditions and quality standards for Processing of Personal Data. Processing should be transparent, and Data Subjects should be informed of the Processing of their Personal Data. All businesses must ensure that they comply with relevant data protection laws when they process Data. In the UK the Act is enforced by the Office of the Information Commissioner, and in Ireland by the Data Protection Commissioner. Other EEA states have enacted legislation similar to the Acts, enforced by their own Regulatory Authorities. This Guide has been prepared for policyholders, brokers, suppliers and other third party business associates of Euler Hermes UK. It sets out the main obligations of Data Controllers under the Acts, and explains conditions that must be met in order for Personal Data to be lawfully Processed. This Guide is accompanied by two Appendices:
Appendix 1 - Data Protection Notice, which should be read in conjunction with this Guide;
Appendix 2 - Sample Data Protection Notice, which, if you are a policyholder of Euler Hermes UK, should be incorporated into credit application forms, sale contracts, terms and conditions of trade or other standard documents that you provide to your customers.
This Guide does not cover Sensitive Personal Data as we do not process Sensitive Personal Data.
The Data Protection Principles
The Acts contain eight Data Protection Principles, which impose obligations upon Data Controllers by setting out when and under what circumstances Data can be Processed. If a Data Controller fails to comply with any of the Principles, the Information Commissioner has wide powers that include:
• entry to premises and inspection of records;
• service of an enforcement notice; and
• commencement of criminal proceedings against a Data Controller and/or its officers.
The Data Protection Principles require that Personal Data is:
1 fairly and lawfully Processed;
2 Processed for limited purposes;
3 adequate, relevant and not excessive;
4 accurate and kept up to date;
5 not kept for longer than is necessary for the purpose;
6 Processed in accordance with the rights of Data Subjects under the Acts;
7 kept secure (appropriate technical and organisational measures must be taken against unauthorised or unlawful Processing of Data or its accidental loss or destruction); and
8 not transferred to a country or territory outside the EEA that does not ensure adequate data protection rights.
When considering the Principles, it is important to remember that the term ‘processing’ is very widely defined to encompass almost any operation that is carried out on Data (including obtaining, recording, collating, retrieving, disclosing, sharing or simply holding information). You should also bear in mind that the Acts apply only to Personal Data, i.e. Data relating to a living individual, from which that individual can be identified, such as financial information relating to a named sole trader or partner in a firm. It does not apply to data relating to corporate bodies, such as company accounts.
What is ‘fair and lawful’ Processing?
In order to comply with Principle 1 in relation to fair and lawful Processing of Data the following conditions must be satisfied:
1 A “Fair Processing Information Notice” should be given to all Data Subjects, before Processing commences, informing them of the Processing to be carried out by the Data Controller. This notice should contain at least the following information:
• the identity of the Data Controller;
• the purpose for which the Data is intended to be Processed; and
• any other further information which may be necessary in the circumstances (including, where the Irish legislation applies, the Data Subject’s rights of access to, and rectification of, their Data); and
2 A “processing condition” under the Acts must be satisfied. This means that the Data can only be Processed lawfully by the Data Controller, if either:
i) the Data Controller has the Data Subject’s consent; or
ii) Processing is necessary for the performance of a contract between the Data Subject and the Data Controller (or for taking steps at the request of the Data Subject with a view to entering into a contract); or
iii) Processing is necessary for the purposes of legitimate interests unless prejudicial to the Data Subject.
In practical terms, this means that all Data Subjects must be provided with a Processing notice under the Acts. In addition, where a contractual relationship between the Data Subject and the Data Controller does not exist (or is not intended or under negotiation), the Data Controller must obtain the consent of Data Subjects in order for the Data Controller to be able to Process Data, or should be able to satisfy itself that Processing is necessary for legitimate interests and is not prejudicial to the Data Subject. Guidance issued under the Acts has clarified that a Data Subject’s consent cannot be inferred from a failure by the Data Subject to respond to a written notice - active agreement must be obtained. However, where a Data Subject has been given an opportunity in a written document to object to Processing before it commences, and has not done so, it will be easier for the Data Controller to conclude that the Processing is permitted because it is for legitimate interests and not prejudicial to the Data Subject.
How can you comply in practice?
Euler Hermes UK may Process Data relating to you in connection with your Policy with Euler Hermes UK. You are therefore a Data Subject of Euler Hermes UK. Where Euler Hermes UK also Processes Data provided by you relating to third parties (for example your customers), both you and Euler Hermes UK are Data Controllers under the Acts. You may therefore be a Data Controller in respect of third parties and a Data Subject in respect of Euler Hermes UK, at the same time. As a result of the above, both Euler Hermes UK and you have legal obligations under the Acts. As Data Controllers, you and Euler Hermes UK are obliged to provide all Data Subjects with Fair Processing Information in relation to Processing that is carried out on data by the Data Controller.
Please see the attached Appendix 1 for our Data Protection Notice to you, which contains Fair Processing Information in respect of any Personal Data relating to you, that you may provide to us in connection with your Policy.
If there is an actual or intended contractual relationship between the Data Controller and the Data Subject (such as Euler Hermes UK has with a policyholder or you may have with your customer), the Data Controller only needs to notify the Data Subject of the Processing carried out by the Data Controller. There is no need to obtain the Data Subject’s consent to the Processing. If there is no contractual relationship with the Data Subject (for example, where Euler Hermes UK Processes Data relating to one of your customers), in addition to notification the Data Controller should give the Data Subject an opportunity to object to the Processing of data, so as to be able to conclude that such Processing will be for a legitimate interest and not prejudicial to the Data Subject.
The suggested Notice contained in Appendix 2 will notify your customers of Processing carried out by both you and Euler Hermes UK on Data relating to them, in connection with the Policy, and give them a chance to object. Once the relevant Notice has been provided to the Data Subject by you, it will fulfil both your and our obligations to notify your customers under the Acts.
Therefore, in order to comply with the Acts, if you are a policyholder of Euler Hermes UK, you should incorporate the Notice contained in Appendix 2 into your credit applications and other pre-contractual or contractual documents supplied to your customers. If the Data Subject objects to the Processing, you must inform your contact at Euler Hermes UK immediately, by giving us their name and address, so that both Euler Hermes UK and you can avoid breaching the Acts.
Registration
The Acts require Data Processors to be registered with the UK Information Commissioner or the Irish Data Protection Commissioner as appropriate before Processing Personal Data. If you believe that you will be Processing Personal Data in connection with your Policy with Euler Hermes UK, you should register with the necessary authority.
The rights of Data Subjects under the Acts
Data Subjects have the following additional rights under the Acts:
• of access to Data held by a Data Controller;
• to prevent Processing likely to cause damage or distress to the individual, or for the purpose of direct marketing;
• in relation to automated decision making;
• of compensation, if the individual can prove that he/she has suffered damage or distress as a result of a breach of the Acts;
• to apply to a court to block, erase, destroy or rectify Personal Data;
• to have the Information Commissioner investigate whether a Data Controller is acting in compliance with the Acts.
If one of your customers requires information on any third party to whom you have provided their Personal Data (including Euler Hermes UK), you must give them such information. We appreciate that these are complex issues, but we hope that this Guide is of assistance to you in understanding the Acts and their implications for your business and your relationship with us.
If you have any questions concerning this Guide, please approach your usual contact at Euler Hermes UK, or the Data Protection Officer at:
Legal & Secretariat Department,
Euler Hermes UK
1 Canada Square
Tel: 020 7860 2921
If you require more detailed information or advice on the Acts, you should seek your own legal advice or contact the Office of the UK Information Commissioner (information line 01625 545745), the Irish Data Protection Commissioner, or the relevant local Regulatory Authority.
© 2012 Euler Hermes UK. All rights reserved. The content of this Guide is merely for guidance. Please note that whilst we are happy to offer some general practical advice and guidance, it is provided upon the strict condition that you accept that such advice and guidance is given wholly without any liability or responsibility of Euler Hermes UK and should you act upon the same, it will be at your own risk. Comments or suggestions in this Guide cannot replace the need for you obtaining independent legal advice. This Guide does not constitute or form part of the terms and conditions on which Euler Hermes UK would insure you. This Guide may be subject to change at any time and at our sole discretion without prior warning.
Glossary
Terms used in Section H (Data Protection Guide) have the following meanings:
“Data” is Personal Data which is recorded or Processed by means of equipment operating automatically and controlled by the Data Controller and stored in a Relevant Filing System.
“Data Controller” is a person or organisation which (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data of Data Subjects is Processed. For example, if you obtain Data from a Data Subject or a third party and then Process it, you are a Data Controller. If you pass that Data to a third party such as Euler Hermes UK, then both you and Euler Hermes UK are Data Controllers.
“Data Subject” is an individual who is the subject of Personal Data and whose Data is being Processed by the
“Data Processor” is a person who Processes Personal Data on behalf of the Data Controller (for example when Processing is outsourced), but does not include employees of the Data Controller.
“European Economic Area (“EEA”)” means any of the following countries: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovak Republic, Slovenia, Spain, Sweden, United Kingdom, Iceland, Liechtenstein and Norway.
“Fair Processing Information” means information which ensures transparency, including the identity of the Data Controller, and what Processing the Data Controller carries out on the Data of the Data Subject.
“Personal Data” means Data relating to any living individual who can be identified from such information. This can include names and addresses of employees, directors, shareholders, individual clients, customers, suppliers or other business associates, where individuals can be identified from the information or from any other information which is in the possession of the Data Controller.
“Process/Processes/Processed/Processing” means obtaining, recording, holding the data or carrying out any operation on the Data.
“Regulatory Authorities” means authorities regulating the Processing of Data under European Directive 97/66/EC within the EEA, or outside the EEA.
“Relevant Filing System” is a readily accessible set of information relating to individuals that are structured either by reference to individuals or by reference to criteria relating to individuals and includes both electronic and manual filing systems.
“Sensitive Personal Data” is Data relating to racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, commission or alleged commission of an offence (including related proceedings) in respect of a Data Subject.
Appendix 1 - Data Protection information notice
1 Definitions
Words in italics have the meaning given by the UK Data Protection Act 1998 (“the UK Act”) or, where relevant, the Irish Data Protection Act 1988 as amended by the Data Protection Act 2003 (“the Irish Act”). The UK Act and the Irish Act are together referred to as “the Acts”. Euler Hermes UK, a branch of Euler Hermes Europe S.A. (N.V.), Avenue des Arts 56, 1000 Brussels, Belgium. Company no. 0403.248.596 RPM Brussels. Insurance firm, registered under code 418, and Euler Hermes Services UK Limited (“EHUK”) are registered under the UK Act to Process Personal Data. Euler Hermes Ireland, a branch of Euler Hermes Europe S.A. (N.V.), Avenue des Arts 56, 1000 Brussels, Belgium. Company no. 0403.248.596 RPM Brussels. Insurance firm, registered under code 418, and Euler Hermes Services Ireland Limited (“EH Ireland”) are registered under the Irish Act to Process Personal Data. EHUK and EH Ireland are referred to in this notice as “EH”.
2 Processing of Personal Data by EH
Where EH is provided with Personal Data relating to you or to a third party, it will be Processed in accordance with the Acts for the purpose of carrying out credit insurance, risk assessments, credit management, debt collection and other associated activities. Personal Data will be held securely and kept confidential at all times. EH may share Personal Data with companies in the Euler Hermes Group or other responsible third parties, within or outside the EEA.
3 Supply of Third Party Personal Data to Euler Hermes
By supplying to EH Personal Data relating to a third party Data Subject, you confirm that:
• you have obtained the consent of the relevant Data Subject to you Processing their Personal Data by supplying it to EH, and to EH Processing their Personal Data for the purposes set out above;
• you have a current notification entry filed with the UK Information Commissioner’s Office and/or the Irish Data Protection Commissioner as appropriate;
• you will comply with all your obligations as a Data Processor under the Acts, and in particular will have in place appropriate technical and organisational measures to safeguard against any unauthorised or unlawful Processing, accidental loss, destruction or damage of Personal Data; and
• you will indemnify EH against any loss or damage caused by your breach of the Acts.
We may contact you regarding other EH products by post, telephone, fax, e-mail or other means.
If you do not wish to be contacted in future for marketing purposes, please notify us by writing to the Marketing Department at
Euler Hermes UK
1 Canada Square
You have the right of access to your Personal Data that EH holds on you, and you have the right to rectify such Data if inaccurate or Processed unfairly. If you wish to exercise these rights, you should write to the Data Protection Officer at Euler Hermes UK at the address above. For further information on the Acts and Processing of Personal Data please see the websites of the Information Commissioner in the UK at www.ico.gov.uk or the Data Protection Commissioner in Ireland at www.dataprotection.ie.
Appendix 2 - Sample Data Protection Notice
Please ensure that the Data Protection Notice, as stated below, is incorporated into your credit applications and/or other pre-contractual or contractual documents supplied to your customers. If the Data Subject objects to the Processing as stated in the Notice you must inform your contact at Euler Hermes UK immediately by giving us their name and address.
UK DATA PROTECTION ACT 1998 / REPUBLIC OF IRELAND DATA PROTECTION ACTS 1988 AND 2003 (“THE ACTS”) – INFORMATION NOTICE
Words shown in italics have the meaning given by the Acts. Data relating to you as an individual or to individuals within your organisation (“personal data”) may be processed by us as data controllers for the purpose of carrying out our business and will be held securely in confidence. We may disclose your personal data to third parties such as insurers, credit insurers, credit reference agencies and other carefully selected parties, who may process your personal data as data controllers for the purpose of carrying out insurance, risk assessments, credit management and other associated activities. We may also receive personal data on you from such third parties. Your personal data may be processed within or outside the European Economic Area, but always in strict compliance with the Acts. We or such third parties may contact you with details of other products in writing, electronically, by telephone or by other means. By providing us with your personal data, you consent to our processing of such data as described in this notice. You should tick the relevant box and return this notice to us with your name and address if:
* you object to processing of your personal data as set out in this notice; or
* you do not wish to be contacted for marketing purposes; or
* you require details of any third party data controllers who may also process your personal data.
You have the right of access to your personal data we hold on you, and you have the right to rectify such data if inaccurate or processed unfairly. If you wish to exercise these rights, please write to us with details of your request. For more information on your rights or definitions used in this notice, please see the UK Information Commissioner’s website at www.ico.gov.uk or the Irish Data Protection Commissioner’s website at www.dataprotection.ie.