Privacy Policy

Last updated 01-02-2024

1. Introduction

This policy relates to your personal data that the Eaton Gate group may collect and hold, how you can expect your personal data to be used and for what purposes, and your rights to this data and information.

2. Important Information and Who We Are

This privacy notice covers all companies within of Eaton Gate group (together the “Group”) so “we”, “us” or “our” in this policy refers to the relevant company in the Group responsible for processing your data. Information on the different legal entities within the Group and their services can be found under our Terms of Use.

We act primarily as an insurance intermediary operating as an insurance product co-manufacturer. Insurance is a contract, represented by a policy, in which a policyholder receives financial protection or reimbursement against losses from an insurance company or insurer. In order to do this, information including your personal data, needs to be shared between different providers within the insurance lifecycle, including insurers (as co-manufacturers) other brokers (as distributors) and other third parties involved in insurance claims management, all of whom we call “data partners” in this notice. The privacy notice describes how we and other data partners collect and process your personal data in the insurance journey from the point of obtaining a quote for an insurance product or service provided by us, securing cover under that insurance product, making a claim regarding the product and in the event you decide to renew such product or service with us.

In relation to the personal data we collect and use, we are the ‘data controller.’ This means we decide the purpose and manner in which your personal data is used and processed. The Data Partners may also be data controllers of your personal data, and this is explained more fully below.

We are required under data protection law to notify you of the information contained in this privacy notice. This privacy notice applies to any individual to whom the personal data relates. This privacy notice does not form part of any contract of employment or other contract to provide services. We may update this privacy notice at any time.

The Group is committed to protecting the privacy and security of your personal data. This notice is intended to be consistent with all applicable legal and regulatory requirements regarding its subject matter. It applies to all the Group’s employees, workers and contractors.

It is important that:

  • you read this privacy notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing information containing personal data about you, so that you are aware of how and why we are using such information.
  • the information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.

3. Detailed Procedures

3.1 Data Protection Principles

We will comply with data protection law. This requires that the personal data we hold about you must be:

  1. used lawfully, fairly and in a transparent way.
  2. collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. relevant to the purposes we have told you about and limited only to those purposes.
  4. accurate and kept up to date.
  5. kept only as long as necessary for the purposes we have told you about.
  6. kept securely.

3.2 Types of Personal Data We Collect About You

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are “special categories” of more sensitive personal data which require a higher level of protection.

We will collect, store and use the following categories of personal data about you (or that of any other persons who are insured):

  • Individual data: Personal contact details such as title, name, addresses (including proof of addresses), telephone numbers, email addresses, date and place of birth, gender, marital status, and dependants and family details, vehicle and property details, next of kin and emergency contact information
  • Employment data: Employment details including job titles, the start date, location of employment or workplace, work history, working hours, training records and professional memberships, salary, pension and benefits information
  • Identification data: Nationality and identification numbers issued by government bodies or agencies or other publicly available information including national insurance number, passport number, tax identification number, driving licence number and vehicle registration details
  • Insured risk data: Details about your existing lifestyle and insurance arrangements including information from publicly available sources such as the electoral roll, geoscientific data, information and knowledge about your property and location, information about the quotes you receive and policies you take out, previous and current insurance claims (including other unrelated insurances) and telematics data
  • Financial data: Bank account details, or payment card details, income or other financial information such as payroll records and tax status information
  • Credit and anti-fraud data: credit history, credit score, information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, regulators or law enforcement agencies
  • Website and communication usage data: details of your visits to our websites and information collected through cookies and other tracking technologies, including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access
  • Special category data: includes more sensitive personal data that have additional protection under data protection regulation which we need to collect in order to assess the risk to be insured and provide an insurance quote:
    • Information about your political opinions or whether you are a politically exposed person
    • Information about your health, including any medical condition, health and sickness records
    • Information about criminal convictions and offences

If we require you to provide personal data relating to anyone other than you, you should show this notice to them. You must ensure that any such personal data you supply relating to anyone else is accurate and that you have obtained their consent to the use of their personal data for the purposes set out above. Where you authorise a third party on the policy, it is our standard practice to speak to either you or the third party regarding the policy, or your appointed insurance agent, after completing relevant identity checks.

Telephone calls with us will be recorded for training, quality and complaint handling purposes. Where we engage third parties to carry out compliance monitoring on our behalf, personal data including call recordings, may be made available to such parties for this purpose.

3.3 How is Your Personal Data Collected?

We collect your personal data from various sources including, yourself, your family members, employer or representative; other data partners; credit reference agencies; anti-fraud databases, sanctions lists, court judgements and other databases; government agencies (like DVLA or HMRC) open electoral registers and other publicly available information; or in the event of a claim, third parties including the other party to the claim, witnesses, experts (including medical experts), loss adjustors, solicitors and claims handlers.

Selected third parties may provide us with details of potential customers that may include your personal data or third parties (including data partners) may introduce business to us.

Acting as an insurance intermediary, we will present quotes and incept insurance policies on behalf of our panel insurers or sometimes intermediaries or coverholders who are appointed by those panel insurers. Further details of our panel insurers are presented on your policy documentation and are available on request.

In order for us to provide our insurance products and services, your personal data is shared between data partners, including our insurance panel members, some of which you will not have direct contact with. Whilst the Group acts as the data controller of any data it collects or uses, during the insurance journey, other data partners may also be a data controller. The initial data controller depends on how you have taken out your policy, accordingly:

  • Where your employer or another organisation took out the policy for your benefit you should contact your employer or the organisation that took out the policy who should provide you with details of the insurer or intermediary that they provided your personal data to and you should contact their data protection contact who can advise you on the identities of other data partners that they have passed your personal data to.
  • Where you are not the policy holder or an insured you should contact the organisation that collected your personal data who should provide you with details of the relevant data protection contact.

3.4 How We Use Your Personal Data

We will only use your personal data when the law allows us to and there is a legal ground to process that personal data for the activity we are undertaking. A full list of the legal grounds we use to provide services to you as an insurance intermediary is found below.

Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we have entered into with you.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal data in the following situations, which are likely to be rare:

  • Where we need to protect your interests (or someone else’s interests).
  • Where it is needed in the public interest or for official purposes.

We need all the categories of information in the list above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases we may use your personal data to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The full description of all the situations in which we will process your personal data in accordance with data protection law are listed below:

Activity Legal Grounds Data Category
Underwriting - providing a quote or processing your application to purchase an insurance policy, its fulfilment or other related service, including:

Performance of our contract with you.

Compliance with a legal obligation.

Legitimate interests of the Group (to ensure that data subject is within our acceptable risk profile and to assist with the prevention of crime, fraud, to prevent money laundering, determine likely risk profile, appropriate insurer and product selection).

For processing special categories of personal data (e.g. health information) and criminal records data:

  • Substantial public interest (insurance purposes)
  • establishing client relationship, credit, fraud, anti-money laundering and sanctions checks
  • Individual data
  • Employment data
  • Identification data
  • Insured risk data
  • Financial data
  • Credit and anti-fraud data
  • Special category data
  • evaluating the risks to be covered, underwriting, and matching to appropriate insurer, policy and premium
  • Employment data
  • Insured risk data
  • Financial data
  • Special category data
Underwriting - managing and administering products and services that we supply including:

Performance of our contract with you

Legitimate interests of the Group (to correspond with data partners, beneficiaries and claimants in order to facilitate the placing of and claims under insurance policies, to recover debts due to us)
  • general client care, notifying you about changes to our products and services
  • Individual data
  • Insured risk data
  • collection or refunding of premiums, processing and facilitating other payments, debt recoveries
  • Individual data
  • Insured risk data
  • Financial data
Activity Legal Grounds Data Category
Underwriting – renewals including:

Performance of our contract with you.

Legitimate interests of the Group (to correspond with data partners to facilitate the continuation of insurance cover, to ensure that data subject is within our acceptable risk profile and to assist with the prevention of crime and fraud, determine likely risk profile, appropriate insurer and product selection)

For processing special categories of personal data (e.g. health information) and criminal records data:

  • Substantial public interest (insurance purposes)
  • contacting business partners in order to arrange the renewal of the insurance policy
  • Individual data
  • Employment data
  • Identification data
  • Insured risk data
  • Financial data
  • Credit and anti-fraud data
  • Special category data
Claims - handling or procuring insurance claims from data partners such as appointed service providers and business partners), managing and facilitating payments, where required, including:

Performance of our contract with you.

Legitimate interests of the Group (to assist in assessing and making claims and recovering amounts under the relevant insurance policies, assisting data partners in the valuation of losses)

For processing special categories of Personal Data (e.g. health information) and criminal records data:

  • Substantial public interest (insurance purposes and establishing, defending or prosecuting legal claims)
  • claims handling, paying on claims
  • Individual data
  • Employment data
  • Identification data
  • Insured risk data
  • Financial data
  • Credit and anti-fraud data
  • Special category data
  • valuation of claims, including oversight of visits to assess relevant claims
  • Individual data
  • Employment data
  • Identification data
  • Insured risk data
  • Financial data
  • Credit and anti-fraud data
  • Special category data
  • defending or prosecuting legal claims and providing legal advice and services
  • Individual data
  • Identification data
  • Insured risk data
  • Financial data
  • Credit and anti-fraud data
  • Special category data
  • investigating and prosecuting fraud or possible criminal offences
  • Individual data
  • Identification data
  • Insured risk data
  • Financial data
  • Credit and anti-fraud data
  • Special category data
Activity Legal Grounds Data Category
Investigating and resolving any complaints you have about our services or those provided by our appointed service providers and data partners, dealing with legal disputes involving you

Performance of our contract with you.

Legitimate interests of the Group (to investigate and resolve complaints and disputes, to correspond with data partners regarding claims complaints and disputes and to assist with the prevention of crime, fraud, to prevent money laundering).

For processing special categories of personal data (e.g. health information) and criminal records data:

  • Substantial public interest (insurance purposes)
  • Individual data
  • Identification data
  • Insured risk data
  • Financial data
  • Credit and anti-fraud data
  • Special category data
Other services throughout the insurance lifecycle, including:
  • transferring books of business, company sales and reorganisations.

Legitimate interests of the Group (to structure our business appropriately)

For processing special categories of Personal Data (e.g. health information) and criminal records data:

  • Substantial public interest (insurance purposes)

In certain circumstances, consent.
  • Individual data
  • Employment data
  • Identification data
  • Insured risk data
  • Financial data
  • Credit and anti-fraud data
  • Special category data
  • operational and governance services, business management and planning, including accounting and auditing, general risk modelling and analytics

Legitimate interests of the Group (to manage and improve business affairs and plan, build or enhance risk models that allow placing of risk with appropriate insurers, education, training and development requirements)

For processing special categories of personal data (e.g. health information) and criminal records data:

  • Substantial public interest (insurance purposes)

In certain circumstances, consent.
  • Individual data
  • Employment data
  • Identification data
  • Insured risk data
  • Financial data
  • Credit and anti-fraud data
  • Special category data
  • marketing, sending marketing materials and communications including data de-identification and/or aggregation

Legitimate interests of the Group (to send marketing communications about our products or services that are new or innovative or you request from us or which we feel may interest you (or those of our data partners) by post, telephone and in other circumstances where we don’t require your consent)

  • Consent (where required in limited circumstances)
  • Individual data
  • complying with our legal or regulatory obligations in the context of our consultancy business

Compliance with a legal obligation.

Legitimate interests of the Group (to ensure legal and regulatory compliance).

For processing special categories of personal data (e.g. health information) and criminal records data:

  • to establish, defend or prosecute legal claims.

In certain circumstances, consent.
  • Individual data
  • Employment data
  • Identification data
  • Insured risk data
  • Financial data
  • Credit and anti-fraud data
  • Special category data
  • information technology (IT) and related services, to monitor or procure services from service providers, your use of our information and communication systems, to ensure compliance with our IT business control policies, network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution

Legitimate interests of the Group (to correspond with website users and data partners, to ensure the quality and legality of any online services)

Compliance with a legal obligation.

For processing special categories of personal data and criminal records data:

  • Substantial public interest (insurance purposes)

In certain circumstances, consent.
  • Individual data
  • Identification data
  • Special category data


Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

We will use your special category personal data in the following ways:

  • For our staff, we will use personal data about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
  • We envisage that we will hold information about criminal convictions. We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. For our staff, where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us.

We do not need your consent if we use special categories of your personal data in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive special category data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

3.4.1 If You Fail to Provide Personal Data

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).

3.4.2 Change of Purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

3.5 Direct Marketing

We may contact you by post and telephone for our legitimate marketing purposes in order to let you know about offers and other products and services. With your consent we may from time to time contact you by SMS or email with details of our other products and services. We may collect personal data about you which, when combined with the personal data you have given us, helps us to target and tailor communications which we believe may be more relevant to you. If you would like to opt out of receiving marketing correspondence of any kind, you can let us know at any time by contacting the Data Protection Officer. We do not sell or pass on your details to any third parties for the purposes of marketing their own products or services.

3.6 Automated Decision Making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision and given you 21 days to request a reconsideration.
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

We may use automated tools with decision making to assess applications for insurance such as price rating rules or models, flood, theft and subsidence area checks and credit checks. Our data partners may do this for claims handling processes. When calculating insurance premiums, we may compare personal data against industry averages or use this to create the industry averages going forwards. These automated decisions will produce a result on whether we are able to offer insurance, the appropriate price for policies or whether we can accept claims. If the individual objects to an automated decision, we may not be able to offer the insurance quotation or renewal.

If we make an automated decision on the basis of any particularly special category or sensitive personal data, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

Where data partners use any automated broking platform we provide, insurance quotations are offered entirely by matching whether the attributes that you or that data partner have provided meet the criteria set by the insurers, which determines (i) whether a quotation will be made; (ii) on what terms; and (iii) at what price. On behalf of insurers we may use different algorithms to determine their pricing, and clients must consult each insurer’s privacy policy for further details. Our platform merely queries whether attributes of potential insureds satisfy insurers’ models and then returns the results. If the potential insured’s attributes do not satisfy our or our insurers’ models, the quotation request is referred for review by a team with underwriting authority. We may also apply fraud prediction algorithms to the information clients provide to assist us in detecting and preventing fraud. We regularly review all profiling and associated algorithms against inaccuracies and bias. These partially automated processes may result in you not being offered insurance or affect the price or terms of the insurance. You or data partners may request that we provide information about the decision-making methodology and ask us to verify that the automated decision has been made correctly. We may reject the request, as permitted by applicable law, including when providing the information would result in a disclosure of a trade secret or would interfere with the prevention or detection of fraud or other crime. However, generally in these circumstances we will verify that the algorithm and source data are functioning as anticipated without error or bias.

3.7 Data sharing

We may have to share your data with third parties, including third-party service providers, data partners and other entities in the Group. We require all third parties to respect the security of your data and to treat it in accordance with the law. We may transfer, or permit access to, your personal data outside the UK and European Economic Area (EEA). If we do, you can expect a similar degree of protection in respect of your personal data. Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections as EEA data protection laws. EU data protection laws allow the Group to freely transfer personal data to such countries. If we transfer personal data to other countries outside the EEA, we will establish legal grounds justifying such transfer, such as MMC Binding Corporate Rules, model contractual clauses, individuals’ consent, or other legal grounds permitted by applicable legal requirements. Individuals can request additional information about the specific safeguards applied to the export of their personal data.

3.7.1 Why Might You Share My Personal Information With Third Parties?

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

3.7.2 Which Third-Party Service Providers Process My Personal Data?

“Third parties” includes third-party service providers data partners and other business partners (including contractors and designated agents) and other entities within the Group. The following activities are carried out by third-party service providers: insurance and reinsurance underwriting and administration, claims handling services, IT services, market research, management and storage of data and data analytical services, organisations and public bodies including the Police, fraud prevention agencies and databases, conduct of market research and services to more effectively communicate with you. We can supply on request further details of these third parties we access or contribute to and how this information may be used. If you require further details contact the Data Protection Officer.

3.7.3 How Secure is My Information with Third-Party Service Providers and Other Entities in The Group?

All our third-party service providers, data partners and other entities in the Group are required under written agreements to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers and data partners to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

3.8 Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

3.9 Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you. For our staff, once you are no longer an employee, worker or contractor of the Group we will retain and securely destroy your personal data in accordance with applicable laws and regulations.

3.10 Rights of Access, Correction, Erasure and Restriction

Under certain circumstances, by law you have the right to:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal data to another party.

If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing.

3.10.1 No Fee Usually Required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

3.10.2 What We May Need From You

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

3.11 Right to Withdraw Consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

3.12 Data Protection Officer

We have appointed a data protection officer to oversee compliance with this privacy notice.

If you have any questions about this privacy notice or how we handle your personal data, please contact the dpo@egmgu.co.uk or you can contact us on 0333 234 1741.

3.13 Right to Complain to ICO

If you are not satisfied with our use of your personal data or our response to any request by you to exercise any of your rights in this section, or if you think that we have breached data protection regulation, then you have the right to complain to the Information Commissioner’s Office (“ICO”). Please see below for contact details of the ICO:

  • Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Tel: 0303 123 1113 (local rate) or 01625 545 745 (National rate)
  • Email: casework@ico.org.uk

3.14 Changes to this Privacy Notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

If you have any questions about this privacy notice, please contact the Data Protection Officer.

cityscape with layered plant collage

A world of opportunity

© 2022 Eaton Gate. Eaton Gate is a trading name of Eaton Gate MGU Limited, which is registered in England (No. 9825821) at
20 St. Dunstan’s Hill, London, EC3R 8HL. Eaton Gate MGU Limited (FRN 773194) is authorised and regulated by the Financial Conduct Authority.