Who is the Data Controller responsible for the processing of your data?
In respect to Income Protection Plus business, Pharmaceutical and General Provident Society Limited trading as PG Mutual is the Data Controller.
In respect to Private Medical Insurance introductions through PG Mutual, P&G Insurance Services Limited trading as PG Mutual Services is the Data Controller.
How can I contact the Data Controller?
You can contact the Data Controller by sending an email to firstname.lastname@example.org or by calling 01727 840095.
Alternatively, you are welcome to write to the Data Controller at the following address: Pharmaceutical and General, 11 Parkway, Porters Wood, St Albans, AL3 6PA.
What are the purposes of our processing and on what legal basis are we processing your data?
Product Quotations – Income Protection Plus and Private Medical Insurance
The applicable Data Controller for these products will require your name, gender, date of birth, occupation, post code and your choices with regards to the product variant you wish to be quoted for. Your email or telephone number is requested in order for the Data Controller to contact you about your quotation and to remind you periodically by email or text not to forget about your quotation.
All the data the relevant Data Controller requires from you in order for them to provide you with a product quotation will be provided by you or your agent with your consent. You may withdraw your consent at any time.
Product Applications – Income Protection Plus and Private Medical Insurance
After receiving an appropriate product quotation, the applicable Data Controller will then require you to complete an application form. In addition to the information provided by you at the quotation stage, the Data Controller will require further details relating to your occupational, financial, medical and insurance history in order for it to undertake appropriate due diligence on the acceptability of your application to the relevant Data Controller. Part of this due diligence process may require the Data Controller to share your data with third-party agencies.
The data required by the relevant Data Controller for the application and due diligence process will be provided by you or your agent with your consent. You are under a legal obligation when providing data for the purpose of an application for insurance cover to take reasonable care to make sure the data you provide is full and accurate to the best of your knowledge. Failure to do so could lead to a future claim being declined or your insurance policy being cancelled without any refund. You may withdraw your consent at any time, but the Data Controller will retain for a period not exceeding 15 years such parts of the data you provide as it needs to ensure it can protect itself against a potential future legal claim relating to the application.
Membership and Insurance Administration – Income Protection Plus
If you accept an offer to become an Income Protection Plus member of the Data Controller following the quotation and application stages, you will simultaneously become a policyholder with, and a member of, PG Mutual. The Data Controller will need to use the data you provided at the quotation and application stages to administer your policy and your membership in accordance with the Memorandum and Rules of the Data Controller, and the terms of your policy, including contacting you periodically about your premiums, the performance of your investment element, the accuracy of your data and adequacy of your cover, and to ensure your data remains accurate and your insurance cover up-to-date.
Insurance Claims – Income Protection Plus
In the event you wish to make a claim for Income Protection Plus benefit, the Data Controller will require additional occupational, insurance, medical and financial data from you in order to assess your claim, and you may be required to provide further such data at regular intervals. You will be required to consent to the Data Controller contacting, and where necessary, sharing data with relevant third parties to validate the legitimacy of your claim and to monitor your condition. If you decline to consent to your data being used in this manner, the Data Controller is entitled to suspend your claim in accordance with your policy terms.
Nominations – Income Protection Plus
In order for you to take advantage of the Enhanced Loyalty Bonus provisions of your policy and the nominations provision, you will need to nominate at least one individual using the nominations procedure. You should seek the consent of anyone whose personal data you pass to us before doing so, but we will hold this data for you as it is in the legitimate interests of your nominated persons for us to do so.
The Data Controller has a regulatory obligation to help to reduce financial crime and may use your data as necessary as part of its financial crime risk monitoring procedures.
The Data Controller has statutory and regulatory obligations to submit relevant financial and performance reports to the appropriate regulator. Your data may be used by the Data Controller as necessary to meet its statutory responsibilities.
If you have provided consent to the Data Controller to receive such communications, you may receive information about other products or services available through PG Mutual or its subsidiaries. You can withdraw your consent at any time and, if you are a member of the Data Controller, you can alter your communication preferences for marketing materials in your Members Area.
Recorded Telephone Calls
The Data Controller generally records telephone calls made to and from its office for the purpose of monitoring service quality standards and for use in any complaint or legal claim brought against it. If you do not wish to have a telephone call with the Data Controller recorded, the Data Controller reserves the right to insist that an alternative method of communication be used to maintain an audit trail.
How do we guarantee the security of your data?
The Data Controller maintains security policies and procedures designed to protect your data against loss, misuse, alteration, unauthorised access and theft. The head office building perimeter is monitored by CCTV.
How will minors' data be processed?
The Data Controller will not collect or process personal data for a minor without fully complying with the special rules for consent when dealing with minors. In the rare cases of a minor (16-18 years of age) looking to apply for Income Protection Plus or Private Medical Insurance, the consent of an appropriate guardian will be necessary before the application can be accepted.
How long will we keep your data?
Any data you have consented to the Data Controller using will be kept as long as your consent has not been withdrawn.
Data used by the Data Controller for the purpose of performing your contract, or for the purpose of complying with a regulatory or statutory compliance or reporting requirement, will be held for at least fifteen years after the completion of your membership for the purpose of protecting the Data Controller against any future legal claims.
Data used by the Data Controller for the purpose of complying with regulatory or statutory compliance or reporting purposes will be held for at least fifteen years to protect the
Who will receive your data?
The Data Controller will share your data:
- With your consent, with a medical interview service provider for the purpose of obtaining medical information relevant to either an application for Income Protection Plus or a claim for Income Protection Plus benefit;
- With competent public bodies, regulators or judicial bodies where the Data Controller is under a legal obligation to do so;
- If you were introduced to the Data Controller by your employer who pays your premiums on your behalf, the Data Controller may share some of your data with the employer to confirm your continued participation in the scheme and verify premium levels;
- If you were introduced to the Data Controller through a partner association, the Data Controller may share some of your data to verify your membership of the partner association to confirm your eligibility for any offers you may have claimed or to prepare invoices where the partner association pays your premiums on your behalf;
- With third party bodies as part of the Data Controller’s regulatory responsibility to protect against financial crime;
- With carefully selected electronic data storage partners for the purpose of backing-up your data safely and securely;
- With respect to email correspondence, with Microsoft 365 with whom part of the agreement ensures that any data transmitted to the USA from the EEA complies with the model contract terms prepared by the EU for the protection of data.
What are your rights when you provide us with your data?
Under the General Data Protection Directive you have the following rights:
- to require that we cease processing your personal information;
- to require us not to send you marketing communications;
- to require us to erase your personal information;
- to require us to restrict or object to our data processing activities;
- to receive from us the personal information we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal information to another data controller; and
- to require us to correct the personal information we hold about you if it is incorrect.
Please note that these rights may be subject to limitations allowed by legislation, and we may be entitled to refuse requests where exceptions apply.
If you are not satisfied with how we are processing your personal information, you can make a complaint to the Information Commissioner.
You can find out more about your rights under data protection legislation from the Information Commissioner's Office website: www.ico.org.uk.
Will your data be processed outside the European Economic Area (“EEA”)?
While the Data Controller will make every effort to retain your data within the United Kingdom, from time to time third parties used by the Data Controller may process data outside the EEA. In these circumstances, your data will only be transferred on one of the following bases:
- the country is approved by the European Commission as providing an adequate level of protection for personal information; or
- the recipient has agreed with us standard contractual clauses approved by the European Commission, obliging the recipient to safeguard the personal information; or
- there exists another situation where the transfer is permitted under applicable data protection legislation (for example, where a third-party recipient of personal data in the United States has registered for the EU-US Privacy Shield).