
Privacy Notice
At Bannerman Rendell Ltd we recognise the importance of great customer service and set ourselves high standards. Should there be an occasion when we do not meet your expectations, we will commit to dealing with your complaint in a thorough and professional manner.

Purpose of this document
Bannerman Rendell Limited (BRL) is committed to protecting the privacy and security of the personal information that we process in connection with everyone with whom we do business. This privacy notice describes how we may collect and use personal information about data subjects, in accordance with the Data Protection Act 2018, it also conforms with EU Regulation 2016/679 General Data Protection Regulation (GDPR).
Data Protection for Website Users
The Website is for information purposes only.
Bannerman Rendell Ltd does not use cookies and cannot detect or otherwise identify users of its website.
Data protection principles and data sharing
We will comply with all applicable data protection law. This says that the personal information we hold about data subjects must be:
-
Used lawfully, fairly and in a transparent way.
-
Collected only for valid purposes that we have clearly explained to data subjects and not used in any way that is incompatible with those purposes.
-
Relevant to the purposes we have told data subjects about and limited only to those purposes.
-
Accurate and kept up to date.
-
Kept only as long as necessary for the purposes we have told data subjects about.
-
Kept securely.
To arrange insurance cover and handle insurance claims, BRL and other participants in the insurance industry are required to use and share ‘personal data.’ For an overview of how and why the insurance industry is required to use and share ‘personal data,’ please refer to the Insurance Market Core Uses Information Notice hosted on the website of a UK insurance industry association, the Lloyd’s Market Association (the LMA Notice). This notice is supported by all the major UK insurance industry organisations. BRL’s use of ‘personal data’ is consistent with the LMA Notice, which can be found on the following link: https://lmg.london/wp-content/uploads/2024/05/Lloyds-Core-Uses-Notice-Document-28-05-24.pdf
The kind of information we hold about data subjects
Personal data, or personal information, means any information about data subjects from which data subjects can be identified. It does not include data where a data subject’s identity has been removed.
There are certain special categories of more sensitive personal data which require a higher level of protection (see below).
There may be ‘special categories’ of more sensitive personal data which require a higher level of protection.
We may collect, store, and use the following categories of personal information about data subjects:
-
individual details - name, address (and proof of address), other contact details (e.g. email and telephone details), gender, marital status, family details, date and place of birth, employer, job title and employment history, relationship to the policyholder, insured, beneficiary or claimant;
-
identification details - identification numbers issued by government bodies or agencies depending on the country data subjects are in, social security or national insurance number, passport number, ID number, tax identification number, driver’s license number;
-
financial information - bank account number and account details, income and other financial information.
We may also collect, store and use the following categories of sensitive personal information about data subjects, only to the extent relevant to the risk being insured:
-
information about the insured risk, which may contain personal data and may include health data, including but not limited to current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g. smoking or consumption of alcohol, prescription information, medical history);
-
criminal convictions, including driving offences;
-
information about the quotes individuals receive and the policies they obtain;
-
credit history and credit score, information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, or regulators or law enforcement agencies;
-
information about previous claims, which may include health data, criminal records data and other ‘special categories’ of ‘personal data’;
-
information about current claims, which may include health data, criminal records data and other ‘special categories’ of ‘personal data’ (as described above).
-
marketing data; and
-
details of data subjects’ visits to our websites and information collected through cookies and other tracking technologies, including, but not limited to, data subjects IP address and domain name, data subjects’ browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that data subjects access.
How we will use information about data subjects
We will only use data subjects’ personal information when the law allows us to. Most commonly, we will use data subjects’ personal information in the following circumstances:
1. Where we need to perform the contract we have entered into with data subjects.
2. Where we need to comply with a legal obligation.
3. Where it is necessary for our legitimate interests (or those of a third party) and data subjects’ interests and fundamental rights do not override those interests.
We may also use data subjects’ personal information in the following situations, which are likely to be rare:
1. Where we need to protect data subjects’ interests (or someone else's interests).
2. Where it is needed in the public interest or for official purposes
Situations in which we will use data subjects’ personal information
We need the information in the lists above (see ‘The kind of information we hold about data subjects’) primarily to allow us to perform our contract with data subjects and to enable us to comply with legal obligations. In some cases we may use data subjects’ personal information to pursue legitimate interests of our own or those of others, provided data subjects’ interests and fundamental rights do not override those interests. The situations in which we will process data subjects’ personal information, how we share the information, and identify the “legal grounds” on which we rely to process the information is set out in the LMA Notice and in the table below.



Purpose
Category of Data
Disclosures
Legal Grounds for Processing
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of data subjects’ personal information.
Change of purpose
We will only use data subjects’ personal information for the purposes for which we collected it as described above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use data subjects’ personal information for an unrelated purpose, we will notify data subjects and we will set out the legal basis which allows us to do so.
Please note that we may process data subjects’ personal information without data subjects’ knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
‘Special categories’ of particularly sensitive personal information
In order to facilitate the provision of insurance cover and administer insurance claims, unless another legal ground applies, we rely either on the data subject’s consent to process special categories of personal data which allows us to share the information with other Insurers, Intermediaries and Reinsurers that need to process the information in order to undertake their role in the insurance market (which in turn allows for the pooling and pricing of risk in a sustainable manner); or we may rely on the following insurance purpose:
-
where the processing of certain special categories of personal data is:
-
necessary for an insurance purpose. “Insurance purpose” is defined to include advising, arranging, underwriting, administering, administering a claim under, exercising a right or complying with an obligation in connection with an insurance contract. The government has confirmed that “insurance” includes “reinsurance”;
-
is of personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data, data concerning health or criminal convictions; and
-
is necessary for reasons of substantial public interest. Risk basing pricing, detecting and investigating fraudulent claims and the efficient administration and payment of insurance claims have been given as examples of activities that are in the substantial public interest.
-
Where a third party provides us with sensitive personal information about a data subject, the third party agrees to notify the data subject of our use of their personal data and to obtain such consent or rely on the insurance purpose as required by all applicable data protection law.
Data subjects may withdraw their consent to such processing at any time by contacting our Data Protection Representative using the contact details in this notice, below. However, doing so may prevent us from continuing to provide the services to the relevant client. In addition, if an individual withdraws consent to an Insurer’s or Reinsurer’s processing of their Special Categories of Personal Data and Criminal Records Data, it may not be possible for the insurance cover to continue.
Do we need data subjects’ consent to use data subjects’ sensitive personal information?
We do not need data subjects’ consent if we use data subjects’ sensitive personal information as set out in this notice and in compliance with all applicable data protection law, to carry out our legal obligations, or in exercise of specific legal rights.
In limited circumstances, we may approach data subjects for written consent to allow us to process data subjects’ sensitive personal data. If we do so, we will provide data subjects with full details of the information that we would like and the reason we need it, so that the data subject can carefully consider whether they wish to consent. Data subjects are not obliged to give consent and can withdraw consent if previously granted and we cannot make data subjects consent, or penalise if data subjects refuse to consent.
Automated decision-making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. A data subject has the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects concerning him or her or significantly affects him or her (such as where underwriting risk is assessed or a claim is rejected), unless:
-
the decision is based only on personal data; and
-
is necessary to enter into or perform a contract with the data subject; or
-
the data subject has provided his or her consent.
-
-
the decision is based on special categories of personal data; and
-
is necessary for an insurance purpose; or
-
the data subject has provided his or her consent.
-
In addition, data subjects have the right to:
-
be informed about when such automated decision making has taken place; the logic used and likely consequences; and ask the data controller to reconsider the decision or to take a new decision on a different basis (e.g. by introducing some form of human involvement).
Data sharing
We may have to share your data with third parties, such as third-party service providers and other entities as set out in the LMA Notice. We might do this when:
-
required by law
-
where it is necessary to administer the working relationship with you
-
or where we have another legitimate interest in doing so.
We require third parties to respect the security of your data and to treat it in accordance with the law.
We may transfer your personal information outside the EU. If we do, you can expect a similar degree of protection in respect of your personal information.
Data subjects’ rights in connection with personal information
Data subjects have the right to:
-
Request access to data subjects’ personal information (known as a ‘data subject access request’). This enables data subjects to receive a copy of the personal information we hold about data subjects and to check that we are lawfully processing it.
-
Request correction of the personal information that we hold about data subjects. This enables data subjects to have any incomplete or inaccurate information we hold about data subjects corrected.
-
Request erasure of data subjects’ personal information. This enables data subjects to ask us to delete or remove personal information where there is no good reason for us continuing to process it. Data subjects also have the right to ask us to delete or remove data subjects’ personal information where data subjects have exercised data subjects’ right to object to processing (see below).
-
Object to processing of data subjects’ personal information where we are relying on a legitimate interest (or those of a third party) and there is something about data subjects’ particular situation which makes data subjects want to object to processing on this ground. Data subjects also have the right to object where we are processing data subjects’ personal information for direct marketing purposes.
-
Request the restriction of processing of data subjects’ personal information. This enables data subjects to ask us to suspend the processing of personal information about data subjects, for example if data subjects want us to establish its accuracy or the reason for processing it.
-
Request the transfer of data subjects’ personal information to another party.
-
In the limited circumstances where data subjects may have provided data subjects’ consent to the collection, processing and transfer of data subjects’ personal information for a specific purpose, data subjects have the right to withdraw data subjects’ consent for that specific processing at any time.
-
Make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues but data subjects would be expected to have first utilised the Company’s grievance procedures.
Data subjects will not have to pay a fee to access data subjects’ personal information (or to exercise any of the other rights listed above). However, we may charge a reasonable fee if data subjects’ request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Data Protection Designated Persons
We have designated an individual to oversee the Company’s compliance with data protection requirements as set out in the GDPR. If data subjects have any questions about this privacy notice or how we handle data subjects’ personal information, please contact us either by email info@bannermanrendell.com , or write to us at:
-
Data Protection Office
-
Bannerman Rendell Limited
-
5-10 Bury Street
-
London
-
EC3A 5AT
-
United Kingdom
Changes to this privacy notice
We will update this privacy notice when necessary. We may also notify data subjects in other ways from time to time about the processing of data subjects’ personal information.