GDPR Privacy Notice

1. Controller

Suzhou LAMP Information Consulting Company Limited is the Controller under the EU General Data Protection Regulation (EU GDPR).
Suzhou LAMP Information Consulting Company Limited is incorporated in England, company registration number 320594400024986


2. Contact details of the Controller

You may contact Suzhou LAMP Information Consulting Company Limited to make requests, for example to exercise your data protection rights, to provide positive feedback or to make complaints by writing to us at

No. 98 Suhui Road,
CIQ Tower,
10th Floor,
Room 1018 Suzhou Industrial Park,
Suzhou,
China,
215021

or by emailing our Data Protection Officer at dpo@lampinsurance.com.


3. Representative including contact details

Suzhou LAMP Information Consulting Company Limited has appointed LAMP Holdings Gibraltar Limited as its Representative under the EU GDPR. This Representative may be contacted at Suite 822, Europort Building 8, PO Box 708, Gibraltar, GX11 1AA.

The Representative has been appointed as the criteria set out in Article 3(2), EU GDPR are met, specifically:

“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union”


4. Contact details of the Data Protection Officer

Suzhou LAMP Information Consulting Company Limited has appointed a Data Protection Officer (DPO). You may contact the DPO to make requests, for example to exercise your data protection rights, to provide positive feedback or to make complaints by writing to the Data Protection Officer at No. 98 Suhui Road, CIQ Tower, 10th Floor, Room 1018 Suzhou Industrial Park, Suzhou, China, 215021 or by emailing our Data Protection Officer at dpo@lampinsurance.com.


5. Purposes of the processing

Suzhou LAMP Information Consulting Company Limited processes your personal data for one or more of the following purposes:

  • To provide administration of insurance products to you or to a company that is contracted to provide you with a related product
  • To provide administration of insurance products on behalf of LAMP Insurance Company Limited when it is acting as reinsurer
  • To provide claims handling support for your insurance product
  • To provide customer services, e.g. complaints management, to you or to a company that is contracted to provide you with a related product
  • To provide management information analyses for use by companies within the LAMP group

6. Legal basis for the processing

The legal basis for processing your personal data is that the processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract.

The legal basis for processing your special personal data is that the processing is needed for a matter of substantial public interest, specifically the processing is necessary for an insurance purpose.


7. Categories of personal data

Suzhou LAMP Information Consulting Company Limited may receive your personal data and special categories of personal data from third parties for the purposes set out above. The categories of personal data we process will vary depending upon the type insurance product that is held by you or the insurance product provided to an organisation that you are contracted to. Personal may include:

  • Special Lines business

    • Policy holder details e.g. name, address, contact details, occupation, medical information, passport number, photographs, driving licence number, vehicle registration number, bank account details, related data from solicitor/broker/intermediary, monthly policy statement, premium shortfall and commission reconciliation
  • Property

    • Policy holder details e.g. name, address, contact details, NI number, medical information, passport number, photographs, driving licence number, vehicle registration number, bank account details, related data from solicitor/broker/intermediary, monthly policy statement, premium shortfall and commission reconciliation
  • Legal business

    • Policy holder details e.g. name, address, contact details, NI number, medical information, passport number, photographs, driving licence number, vehicle registration number, bank account details, related data from solicitor/broker/intermediary, monthly policy statement, premium shortfall and commission reconciliation
  • Healthcare business

    • Employer information, contact person, banking details, intermediary information, re-insurance company information, employee information (from policy holder), applicant information including name, occupation, gender, date of birth, country of residence, data of birth, marital status, age, height, weight, passport number, application date, contact number, premium information, insurance programme information, general medical information, thorough medical history, statement of oral health, policy summary details, claim summary details, payment details including bank and allocation details, individual application forms from members

8. Any recipient or categories of recipients of your personal data

Within Suzhou LAMP Information Consulting Company Limited, only those members of the workforce who have a valid business ‘need to know’ will be granted access to your personal data. Further, individual team members will only be given access to the part of your data that they need to perform their roles. These members of our team:

  • Provide insurance customer application services
  • Provide claims handling services to your or to a company you are contracted to
  • Provide payment processing for professional services

Externally, your data may be shared with the following types of organisations for the reasons set out below – specifically so that we can deliver an insurance product or service you, or to a company you are contracted to. Wherever possible the data shared are either anonymised and/or minimised and only those with a valid business ‘need to know’ in the receiving organisation are granted access.

  • For Special Lines business – your personal data may be shared with:

    • Third party companies for the purpose of validating claims – e.g. independent engineers may require limited personal data to make site visits to assess vehicle faults and/or breakdowns
    • Third party repair companies – e.g. we may need to share limited policy holder details to facilitate a repair for you
    • Companies that provide regulatory compliance services that we must legally comply with, e.g. sanctions searches
    • Intermediaries who are contracted to perform audit functions for us
    • Companies that work with us to sell products or services on our behalf
    • Companies that provide accounting and payment processing services to us
    • Companies that may provide finance services to you if you have asked for them
  • For Healthcare business – your personal data may be shared with:

    • Third party administrator companies, for example those which provide emergency medical assistance and claims administration services when you need it. These services help us to support you.
    • Contracted network of hospitals and doctors, e.g. for direct billing purposes
    • Companies contracted to perform audit functions for us
    • Corporate clients who work with us to provide your product or related services
  • For Legal business (includes After the Event) – your personal data may be shared with:

    • Introducers and intermediaries, e.g. solicitors who may introduce your business to us and who may require updates particularly in the event of a claim
    • Intermediaries who are contracted to perform audit functions for us
    • Specialist external professional service providers who may be instructed to recover your premium or to negotiate costs
    • Processors that may provide professional services, such as scanning and storage services.

Where the Financial Ombudsman Services is mandated to resolve complaints for any line of business described above, we may need to share your data with it, for example when complaints are made. Not all lines of business are covered by the Financial Ombudsman Service.

We may be required to share your personal data with other agencies to prevent fraud.

In the event of litigation, we may be required to share your information with professional service providers, e.g. lawyers, hospitals, doctors.

Your data may also be passed to the following companies within the LAMP group. Access to your personal data will only be granted to members of their work force(s) who have a valid business ‘need to know’ – i.e. to process the data to deliver the services we are contracted to provide to you or to a company you are contracted to. Further, individual members of their work force(s) will only be given access to the part of your data that they need to perform their particular roles.

  • LAMP Insurance Company Limited
  • LAMP Services Limited
  • Tegamus Law Limited

If you wish to understand more about what companies your personal data are shared with, please contact our Data Protection Officer at dpo@lampinsurance.com


9. Details of transfers to third country and safeguards

We do not transfer your data to other third countries or international organisations.


10. Retention period or criteria used to determine the retention period

Your personal data will be kept for as long as the insurance policy, or warranty or sales and administration services to which it applies is valid, and thereafter for a period sufficient to protect the Suzhou LAMP Information Consulting Company Limited business interests in the event of needing to comply with regulation and/or to meet any potential liability claim or litigation.


11. Data subject rights

You have the right to exercise the following rights under EU data protection law. Please contact us using the contact details set out above if you wish to exercise any of these rights:

  • Transparency – we must provide you with all the information set out in this privacy notice in a concise, transparent, intelligible and easily accessible form, using clear and plain language, so that you may understand how and why we process your data and what your rights are. We must keep you informed in timely manner about our progress in responding to requests from you to access your rights under data protection law.
  • Rights of access by the data subject – you have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, to access to the personal data and associated information.
  • Right to rectification – you have the right to have the personal data concerning yourself rectified without undue delay if it not accurate. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by providing a supplementary statement.
  • Right to erasure (‘right to be forgotten’) – In some limited circumstances, you may have the right to obtain from us the erasure of your personal data without undue delay, when and if:

    1. Processing your personal data is no longer necessary in relation to the purposes for which your data were collected
    2. Where you withdraw consent for processing, but only if consent was the legal basis relied upon for that processing (please note this does not apply to our customers)
    3. You object to processing and there are no overriding legitimate grounds for the processing or where you withdraw your consent to marketing
    4. Your personal data has been unlawfully processed
    5. Your personal data has to be erased to comply with a legal obligation to which the Controller is subject
    6. Your personal data has been collected in relation to the offer of information society services to children
  • Right to restriction of processing – In some limited circumstances you have the right to request that the processing of your personal data is restricted, in some cases for a limited time only, specifically when:

    1. You are contesting the accuracy of your personal data while we verify its accuracy or correct it
    2. The processing is unlawful and you oppose the erasure of your data
    3. Where we no longer need your personal data for the purposes for which it was obtained but where you require the data for the establishment, exercise or defence of legal claims
    4. Where you have objected to the processing of your data pending the verification whether legitimate grounds of the Controller override your interests.

    You have the right to be informed by the Controller before the restriction of processing is lifted

  • Notification obligation regarding rectification or erasure of personal data or restriction of processing – We will let you know when the following things happen, unless is proves impossible or disproportionate to do so:

    1. When we have rectified your data
    2. When we have erased your personal data
    3. When we have restricted the processing of your personal data
    4. When we intend to lift any restriction to the processing of your personal data

    We will also advise you about any recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort

  • Right to data portability – Upon your request and where the legal basis for processing your personal data is ‘consent’ or ‘contract’, we will provide you with a copy of your personal data that you have provided to us and which are processed by automated means, in a structured, commonly used and machine-readable format. Upon your request and where technically feasible, we will also transmit those data to another data controller
  • Right to object – In some limited circumstances, you have the right to object to our processing of your personal data. When certain conditions are met we, as Controller, will no longer process your personal data. This right can be exercised only when:

    1. Either the processing is necessary for the performance of a task carried out in the public interest or processing is necessary for the purposes of our legitimate interests (including profiling), but where we cannot demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or where processing is necessary for the establishments, exercise or defence of legal claims
    2. Processing for direct marketing purposes, including profiling

    When personal data are processed for scientific or historical research purposes or statistic purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.

  • Automated decision-making, including profiling – You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significant effects. At the current time, Suzhou LAMP Information Consulting Company Limited does not perform automated decision making or profiling.

12. The right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint about us with the supervisory authority for data protection. The regulator in the company of the appointed Representative is:

Gibraltar Regulatory Authority
2nd floor
Eurotowers 4
1 Europort Road
Gibraltar

Tel: 0303 123 1113 (local rate)


13. The source your personal data originates from and whether it came from publicly accessible records.

The data we hold about you does not originate from publicly accessible records. If you have not provided us with your personal data directly, we have obtained it from one of the following sources:

  • Healthcare – Medical information may be supplied directly from members, hospitals, doctors, contracted third partner assistance companies e.g. emergency medical assistance providers, corporate clients, or intermediaries (agents or brokers).
  • Special Lines – intermediaries, brokers, third parties and/or dealers.
  • Legal – Intermediaries, brokers, agents.
  • Across all business lines – from another company within the LAMP group that works with Suzhou LAMP Information Consulting Company Limited to deliver your contracted product.

14. Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data

Suzhou LAMP Information Consulting Company Limited has a legal obligation to perform a sanctions search on insured persons. Failing to do so would be a breach of the law.


15. The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences

Suzhou LAMP Information Consulting Company Limited does not currently perform automated decision making or profiling.


The Suzhou LAMP Information Consulting Company Limited GDPR Privacy Notice is available for download.

(656.8 KiB) Suzhou LAMP Information Consulting Company Limited GDPR Privacy Notice FINAL V1.0 Suzhou LAMP Information Consulting Company Limited GDPR Privacy Notice