Privacy Notice

 

This Privacy Notice describes how Pool Reinsurance Company Limited and its subsidiaries (“Pool Re”, the “Group”, “we”, “us”, “our”) collect and use personal information about you in connection with our commercial buildings terrorism re-insurance services and consultancy business (our “Businesses”). Collection may take place Directly from you or Indirectly from third parties (see Section “Other ways we collect your personal information”).

The registered addresses, registered company numbers and Information Commissioner’s Office (ICO) registered numbers of our Group companies are as follows:

 Pool Reinsurance Company Limited:

  • Registered address: 7 Savoy Court, London WC2R 0EX
  • Registered number: 02798901
  • ICO number: ZA542262

Pool Re Services Limited:

  • Registered address: Equitable House, 47 King William Street, London EC4R 9AF
  • Registered number: 13679394
  • ICO number: ZB351757

Pool Re Solutions Limited:

  • Registered address: Equitable House, 47 King William Street, London EC4R 9AF
  • Registered number: 13610468
  • ICO number: ZB351763

For details of the senior person responsible for the Group’s data protection compliance programme, please contact: dataprotection@poolre.co.uk

We are committed to safeguarding your personal information (also known as “personal data”) in line with all applicable laws, including the UK Data Protection Act 2018 and the UK General Data Protection Regulation (collectively the “GDPR”).

This Privacy Notice explains:

In some cases, additional or supplemental privacy notices may be created to apply to certain personal information that we collect and process. For example, more specific information is provided to our employees.

We may amend this Privacy Notice from time to time; we therefore encourage you to refer to it periodically. If you have any questions, please contact us via email at dataprotection@poolre.co.uk or alternatively by post by writing to: Pool Re, Equitable House, 47 King William Street, London EC4R 9AF. If the alterations are material or affect your GDPR rights, we will let you know before the updated version becomes effective so that you may object if you wish.

 

The types of data subjects and personal information we collect

  • Contact Information: including email and physical home and work addresses, mobile and landline phone numbers;
  • Identifiers: including name, title, age, date of birth, tax reference or ID number, Government-issued identifier such as driver’s licence, passport or National Insurance number;
  • Internet: including your device’s browser type and version, operating system and platform, browser plug-in types and versions, browsing history, social media posts, device ID, IP address, MAC address, data about how you have interacted with our website;
  • Qualifications: including educational and professional history and qualifications, membership of professional bodies and societies;
  • Sensitive Information: including bank and credit card details, passwords;
  • Special Category Data: including health data (e.g. disabilities, dietary requirements), racial or ethnic origin, religious or philosophical beliefs and sexual orientation; and
  • Status: including gender, sex, marital status, nationality, citizenship or location of birth, relationship to others e.g. parent, spouse etc.

collectively referred to as “All Categories”.

We take appropriate steps to keep your personal information accurate, complete and up to date. If you believe your personal information is out of date or incomplete, contact our senior responsible person (“SRP”).

We collect personal information about individuals who:

  • are applicants (including speculative) for job roles (“Applicants”);
  • are individuals engaged by us under a contract for services (“Consultants”);
  • submit comments, or questions to us (including via our website) (“Enquirers”);
  • are representatives of potential, current or past clients of our Businesses (“Clients”);
  • are representatives of our Businesses’ partners and suppliers (“Representatives”); and
  • visit our website (“Visitors”);

collectively referred to as “Everyone”.

How we use your personal information, and the lawful basis/ground relied upon

Activity: Providing, securing, protecting and improving our website and responding to correspondence

  • Type of person: Everyone
  • Categories of data: Contact Information; Identifiers; Internet; Qualifications; Special Category Data; Status
  • Lawful processing ground(s): Legitimate Interests in running, improving and maintaining our website and replying to your enquirers; Consent

Activity: Administering our relationship with you, your employer or your application

  • Type of person: Applicant; Clients; Consultants; Representatives
  • Categories of data: All Categories
  • Lawful processing ground(s): Consent; Legal Obligation; Performance of a Contract

Activity: Delivering and measuring the success of targeted online communications

  • Type of person: Clients; Enquirers; Visitors
  • Categories of data: Contact; Identifiers; Internet
  • Lawful processing ground(s): Consent; Legitimate Interests in running our Businesses by understanding better the success of online campaigns

Activity: Raising awareness of our Businesses and their goals and activities

  • Type of person: Clients; Enquirers; Visitors
  • Categories of data: Contact Information; Identifiers; Internet
  • Lawful processing ground(s): Legitimate Interests in keeping stakeholders up to date on our strategy, achievements and goals

Activity: Fulfilling legal and/or regulatory obligations and/or requests

  • Type of person: Everyone
  • Categories of data: All Categories
  • Lawful processing ground(s): Legitimate Interests in responding to compelling or voluntary requests for information; Comply with a Legal Obligation

Activity: Managing your attendance at our events (both face to face and virtual), this may include recording video and audio

  • Type of person: Clients; Consultants; Representatives
  • Categories of data: Contact Information; Identifiers; Qualifications; Special Category Data; Status
  • Lawful processing ground(s): Consent; Legal Obligation; Performance of a Contract; Publicly Available; Vital Interests

Activity: Internal audit and compliance purposes

  • Type of person: Everyone
  • Categories of data: All Categories
  • Lawful processing ground(s): Comply with a Legal Obligation; Legal Claims; Legitimate Interests in ensuring compliance with internal policies and procedures and law/regulation

Explanation of the lawful processing ground(s)/condition(s)

Comply with a Legal Obligation means processing your personal information where it is necessary for us to comply with a legal obligation.

Consent as the applicable law requires/permits means either: (a) an explicit, specific, informed, freely given unambiguous indication of your agreement to our processing of your personal information; or (b) an indication of your acceptance, following the provision of transparency information and a refusal to exercise your opt-out right (sometimes referred to as “implied consent”).

Legitimate Interests means our interest in conducting and managing our Businesses as explained in Table 1. We consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests by undertaking an assessment. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your Consent, to Comply with a Legal Obligation or conduct Legal Claims or to protect Vital Interests). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific processing activities by contacting our SRP at dataprotection@poolre.co.uk.

Performance of a Contract means processing your personal information where it is necessary for the performance of a contract to which you or your employer is a party or to take steps at your or their request before entering such a contract.

 

Additional lawful processing conditions: Special Category Data

Legal Claims means processing your special category data because it is necessary for us to establish, exercise or defend legal claims.

Publicly Available means processing the special category data which you have volunteered for public consumption e.g. via open public media posts.

Vital Interests means processing your special category data where it is necessary to protect your (or another individual’s) life or death interests and you are incapable of giving Consent (e.g., an allergic reaction to food served at an event).

Our use of cookies and other similar technologies  

We use cookies and equivalent technology to enable the website to function effectively and to improve Visitor experience. Some cookies are used to collect Internet information.  For more information about our use of cookies, and your options for accepting or declining their use, please see our Cookie Policy. You may change your cookie settings at any time via the cookie consent management tool on our website.

 

With whom we may share your personal information and where we may transfer it

The processing related to our website takes place in the UK. Subject to legally permissible exemptions, the personal data of Everyone will not be disclosed for a purpose(s) other than that for which they were collected but may be communicated to: (a) our authorised staff (including Consultants and Representatives) and service providers; (b) as legally permissible, further independent data controllers (including professional advisers and accountants) with whom we have appropriate agreements and government and regulatory entities e.g. HMRC (collectively the “Recipients”). A current list of our Recipients is available upon request by contacting our SRP. Further, we may disclose your personal data to third parties to whom we may sell (or buy), transfer or merge part(s) of our Businesses or assets.

 

Restricted transfers

Personal data is primarily stored within our servers located within the European Union and/or the UK or other countries deemed adequate under the GDPR (“Adequate Countries”). However, subject to the provision of suitable safeguards, we have the right to move your personal data and our servers (including those provided by our service providers) to areas outside the Adequate Countries. In the absence of a decision on adequacy by the UK’s Secretary of State, the suitable safeguards include guarantees of a contractual or negotiated nature, including Binding Corporate Rules and approved international data transfer agreements. In the absence of a decision on adequacy or other suitable safeguards as described above, the transfer to and/or processing of your personal data outside the Adequate Countries will be carried out only with your Consent.

 

Other ways we collect your personal information

We collect your personal information in a variety of ways, including but not limited to:

  • When you interact with us directly (virtually or in-person) including by online means; and
  • By phone, at meetings or conferences, or any other direct means; (collectively “Direct Interactions”)
  • Through government agencies, publicly available records, public sources and other Members; and/or
  • From industry associations e.g., BIBA, Airmic, others (collectively “Indirectly”).

How long we retain your personal information for

We retain your personal information in accordance with our retention policy which sets out retention periods as may be required by law, or where there is a reason to keep it because of our legitimate need, legal action (actual or in reasonable contemplation), or for internal or external investigations. Once a retention period has lapsed, we take appropriate steps to dispose of your personal information.

 

How we protect your personal information

We adopt a variety of security measures and technologies to help protect your personal information from unauthorised access, use, disclosure, alteration or destruction in line with the UK GDPR. We oblige our service providers to implement at least equivalent standards of data protection as stipulated in our written contract with them.

 

Your data subject rights regarding your personal information

We comply with the UK GDPR which gives individuals several rights over their personal information. Depending upon the lawful processing ground(s)/condition(s) relied upon to justify our processing of your personal information you may be entitled to request:

  • Access to your personal information (commonly known as a “data subject access request”) to receive a copy of the personal information we hold about you;
  • Correction of the personal information that we hold about you, if the information is incomplete or inaccurate;
  • Erasure of your personal information where there is no good reason for us continuing to process it or where you have exercised your right to object to processing;
  • Objection to processing of your personal information where we are relying on our Legitimate Interests (or those of a third party);
  • Restriction or suspension of processing of your personal information where we are relying on our Legitimate Interests;
  • Transfer (portability) of your personal information to another party where we are relying on your Consent or Performance of a Contract; and
  • Withdrawal of your Consent to the processing of your personal information, where we previously obtained it.

If you would like to exercise your rights, please contact dataprotection@poolre.co.uk. We may ask you to verify your identity before fulfilling the request. Verification ensures that your personal data are kept secure. Depending on the nature of the request, you may not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unfounded or excessive. Alternatively, we may refuse to comply with the request in the terms in which you made it in such circumstances.

If you would like to make a complaint, please refer to the Contacting us and the UK’s data protection supervisory authority section for more information.

 

What to do if you do not wish for us to collect or hold your personal information

Where you are given the option to share your personal information with us during a Direct Interaction, you can always choose not to do so. If you object to the processing of your personal information, or if you have provided your Consent to processing and you later choose to withdraw it, we will respect that choice in accordance with our legal obligations and any legal exemptions which may apply. This could mean that we may not be able to perform the actions necessary to achieve the purpose(s) as set out in this notice or that you may be unable to engage with us.

 

Contacting us and the UK’s data protection supervisory authority

If you have any questions specifically about this Privacy Notice or wish to make a data subject request, please contact our SRP at dataprotection@poolre.co.uk. If you are dissatisfied with how we have handled your personal information or request, please contact us in the first instance and we will aim to resolve the matter. You also have the right to submit a complaint to the data protection supervisory authority in the United Kingdom being the Information Commissioner’s Office (ICO).

 

Last updated: 14 October 2024

Equitable House
47 King William Street
London EC4R 9AF

Phone: +44 (0)20 7337 7170

2022 © Pool Reinsurance Company LTD
