Thomas Cook Travel Insurance Privacy Notice
ERGO Travel Insurance Services Ltd and Taurus Insurance Services (hereafter referred to as “We”), as the Data Controllers, are committed to protecting and respecting your privacy in accordance with the current General Data Protection Regulation ("Regulation").
Thomas Cook Tourism (“Thomas Cook”) is the data controller in respect of your holiday and insurance marketing data. Refer to section 10 of this Privacy Notice.
Sitata, Inc, act as data processor in respect of matching your holiday to the most appropriate insurance product. Refer to section 11 of this privacy notice.
Below is a summary of the main ways in which we process your personal data.
1. How we use your personal data
We use the personal data we hold about you for the purposes of providing a contract of insurance, handling claims and any other related purposes (this may include underwriting decisions made via automated means), for offering renewal, research or statistical purposes and to provide you with information, products or services that you request from us or which we feel may interest you.
Most commonly, we will use your personal data in the following circumstances:
Where we need to perform the contract we are about to enter into or have entered into with you
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
Where we need to comply with a legal or regulatory obligation
We will also use your data to safeguard against fraud and money laundering and to meet our general legal obligation or regulatory obligation.
2. Special categories of personal data
Some of the personal information, such as information relating to health or criminal convictions, may be required by us for the specific purposes of underwriting or as part of the claims handling process. The provision of such data is conditional for us to be able to provide insurance or manage a claim. Such data will only be used for the specific purposes set out in the administrator Privacy Notice.
3. Disclosure of your personal data
We disclose your personal data to third parties involved in providing products or services to us, or to service providers who perform services on our behalf. These include our group companies, affinity partners, brokers, agents, third party administrators, reinsurers, other insurance intermediaries, insurance reference bureaus, credit agencies, medical service providers, fraud detection agencies, loss adjusters, external law firms, external accountants and auditors, regulatory authorities, and as may be required by law.
4. International transfers of data
We may transfer your personal data to destinations outside the United Kingdom (“UK”) or European Economic Area (“EEA”). Where we transfer your personal data outside of the UK or EEA, we will ensure that it is treated securely and in accordance with any applicable Data Protection legislation.
5. Your rights
You have the right to ask Thomas Cook not to process your data for marketing purposes, to see a copy of the personal information we hold about you, to have your data deleted (subject to certain exemptions), to have any inaccurate or misleading data corrected or deleted, to restrict the processing of your data, to ask us to provide a copy of your data to any controller and to lodge a complaint with the local data protection authority.
Taurus have appointed a UK Data Representative who is responsible for overseeing questions in relation to this policy. If you have any questions, including any requests to exercise your legal rights, please contact them using the details below:
Write: Taurus Support Services Ltd, 29a Crown Street, Brentwood, Essex, England, CM14 4BA
Your data will not be retained for longer than is necessary and will be managed in accordance with our data retention policy. In most cases the retention period will be for a period of seven (7) years following the expiry of the insurance contract, or our business relationship with you, unless we are required to retain the data for a longer period due to business, legal or regulatory requirements.
7. Sharing of personal data
In addition to the third parties mentioned above, we may disclose your information to third parties for our legitimate business interests or as follows to supply certain services. In some cases, those third parties may require access to some or all of your personal data that we hold. Details of our third party supplier Privacy policies can be found under the section Third Party Policies.
Whenever fraud prevention agencies transfer your personal data outside of the UK or EEA, they too will impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the EEA. They also require the recipient to subscribe to ‘international frameworks’ intended to allow secure data sharing.
8. More information
9. Thirty party policies
Worldpay (UK) Limited, Merchant Card Payment services provider:
Liberty Mutual Insurance Europe SE, Financial Failure insurer:
ERGO Travel Insurance Services Ltd, policy administration:
Great Lakes Insurance SE, policy underwriter:
DAS, Legal Expenses insurer:
Thomas Cook use the marketing contact data provided for the purpose for which it was collected: to send requested content and to respond to marketing questions. Thomas Cook also use marketing contact data to send notices for direct marketing of products where you have provided your consent.
10.2 Legal Basis
Thomas Cook process marketing data based on consent given by individuals who opt-in. Thomas Cook may also process the marketing data where there is a legitimate interest to do so but only where your interests or rights are not overridden by doing so.
10.3 What personal data do Thomas Cook collect?
Marketing data includes your contact details such as name, physical address, email and telephone number.
10.4 Where your data is stored and who it is shared with
Thomas Cook share marketing data with carefully selected suppliers that carry out certain functions, including technology and data management partners who help us to administer the Services and companies that help with IT services, storing and combining data, marketing, advertising campaign, and market research.
Thomas Cook may transfer personal data to, and process personal data in a country outside of the UK or EEA. If your data is transferred outside of the UK or EEA, it will be protected in the same way as if it was being used in the UK or EEA. In most cases, this will be by using an approved UK and EU approved contractual clauses. Your data may also be processed in countries which have reached Adequacy Decisions with the European Commission.
If you’ve agreed to receive marketing communications, your personal data will be retained for up to 12 months after your insurance ends, or such other time that may be required for legal and audit purposes or where required by law. After this period, your data will be securely erased. If your personal data is needed after this period for analytical, historical or other legitimate business purposes, appropriate measures will be taken to anonymise this personal data.
You have the right at any time to ask us not to process your personal data for marketing purposes. You can exercise your right to prevent such processing by selecting the ‘no marketing’ option on the forms we use to collect your data. You can also exercise this right at any later time by using the unsubscribe link on any marketing e-mail you receive, or by contacting us.
10.7 Contact details:
Full name of legal entity: Thomas Cook Tourism
Title: Data Protection Officer
Email address: firstname.lastname@example.org
Postal address: UK Legal & Compliance Dept, Thomas Cook Tourism, C/O Tmf Group 8th Floor, 20 Farringdon Street, London, United Kingdom, EC4A 4AB.
Thomas Cook encourage you to make contact if you have a complaint so any issues or concerns you may have can be resolved. You have the right to lodge a complaint with the data protection regulator where you believe your legal rights have been infringed, or where you have reason to believe your personal data is being or has been used in a way that doesn’t comply with the law. The contact details for the Information Commissioner’s Office (ICO), the data protection regulator in the UK, are available on the ICO website (ico.org.uk/).
10.8 Data Subject Requests
You have the right to make a Data Subject Access Request in many circumstances. That is a request for access to the personal data that is held about you, there is no charge for this unless the request is manifestly unfounded or excessive.
Thomas Cook may ask for proof of identity and sufficient information about your interactions to assist in locating your personal data. If someone is acting on your behalf they will need to provide written and signed confirmation from you that you have given your authority to that person/company for them to make the request. Evidence of this will need to be provided before and data is provided to you (or another person acting on your behalf). Data will not be provided if it includes the personal data of other individuals or there is any other lawful reason to withhold that information.
Please see the section above titled ‘Contact details’ if you need to make a Data Subject Access Request.
11. Sitata Data Management