Ensuring your privacy is protected
- Chill Insurance
- Information Collection
- Purposes for which we hold your Information
- Recipients of Data
- Special categories of data and data on criminal convictions and offences
- How and when we may contact you
- Automated individual decision making including profiling
- Subject Rights
- Right to rectification
- Right to erasure
- Right to object
- Right to restrict processing
- Right to access
- Right to portability
- Right to withdraw consent
- Right to complain
- International Transfers
- Questions or Complaints
Ensuring your privacy is protected
Chill Insurance Limited (“Chill Insurance”) respects your right to privacy and complies with our obligations under relevant data protection legislation including the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
We take great care with any personal data we hold, so that we provide the highest standard of service to you, whilst taking steps to keep your data secure and to ensure it is only used for the specified, explicit and legitimate purposes stated within this Policy.
It is important that you read this Policy and show it to anyone else who is insured under your policy of insurance, including any named drivers, joint policyholders and anyone living at the property insured under your policy, as it also applies to them.
In circumstances where you provide personal data including special categories of data or sensitive data relating to persons other than you who are or will be insured under your policy of insurance, you are confirming that you have obtained the consent of such other persons to the processing of their personal and special categories of data for the purposes set out in this Policy.
Unless otherwise stated, the controller (as defined in the GDPR) of your personal data for all purposes outlined in this Policy is Chill. We can be contacted by post at Chill Insurance House Ravenscourt Business Park, Sandyford, Dublin 18, D18 K267 Ireland by telephone at 01 400 3400 or by email at firstname.lastname@example.org. Our data protection officer (“DPO”) can provide you with additional information on this Policy and your rights as outlined in Section 9. Their contact details are below:
Data Protection Officer, Chill Insurance, Ravenscourt Business Park, Sandyford, Dublin 18, D18 K267. Email: email@example.com
1. Chill Insurance
We, our, us, Chill refers to Chill Insurance Limited trading as Chill Insurance. Chill Insurance Limited is a private company limited by shares incorporated in Ireland with company number 506021 and having its registered office at Chill Insurance House, Ravenscourt Business Park, Sandyford, Dublin 18, D18 K267, Ireland. We are a registered insurance intermediary and provide both Life and Non-Life Insurance services.
2. Information Collection
We collect information from you when you access our Chill.ie website, when you request a quote online or over the phone, when you speak to members of our staff or enter competitions. We also collect information from sources other than you. We will only collect information that is adequate, relevant and limited to what is necessary in relation to the purposes identified within this Policy.
The table below outlines the categories and types of data we collect along with the source of the data. The type of data we collect will depend on the product or service you are availing of. The types of data we collect may change over time; the following table is an indicative list to help you understand the types of data we collect.
Please note that before we deal with your representative s (for example a family member or friend) we will first need your express permission authorising them as a nominated contact to your account. If you wish to nominate a contact, call our office on 014003400.
|Data Category||Data Type||Where we collect the data from|
|Identity & Individual Data||Name, address, email address, phone number, gender, marital status, date of birth, Official identification documents and numbers including PPS, driver number, license number, passport number, VAT number, vehicle registration number, IP address and other technical/usage data when you visit our website.||
Identity data, employment status & occupation, previous insurance history, details of any previous claims and claims occurring during the term of a policy arranged by us.
Driving history (including motoring convictions, disqualifications/ penalty points, health data, vehicle details.
|Financial Data||Your financial information: including bank and payment card details, payment transaction history, and information on income or turnover.||
|Special Category Data – Health Data||Information about your health||
|Criminal Convictions Data||Details of any unspent motoring (including penalty points) or non-motoring convictions (if any)||
|Technical Data||Technical information, including the Internet Protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, how often you use the application and other performance data; and||
|Usage Data||Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for, page response times, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs), methods used to browse away from the page, and any phone number used to call us.||
|Telematics Data||Driver data and location data: car location; drivers’ actions on road (representing how the driver of the car accelerates, corners, brakes, performs lateral movements and speeds).||
3. Purposes for which we hold your Information
The main purposes for which Chill uses your personal information are to provide a quote, setup, administer and manage your policy and to carry out marketing and analytics. The following section provides more detail on the purposes for which we process your personal data and the legal basis by which we do this.
|Purpose/Activity||Legal basis for processing|
|To provide you with a quote for insurance||Performance of a contract with you|
|To administer your insurance policy||Performance of a contract with you|
|To respond to your queries and to provide you with the information you request from us in relation to our Services.||
|To manage payments, fees and charges in respect of insurance premiums, and to collect and recover money owed to us.||
|Recording telephone calls (for quality and verification purposes, to assist us in the prevention of fraud)||Necessary for our legitimate interests (quality and verification purposes)|
|To provide you with marketing communication about other services we feel may interest you.||
|To ensure that content is presented in the most effective manner for you and for your computer or device.||Necessary for our legitimate interests (to keep our Site and the Services updated and relevant and to develop and grow our business).|
|To administer and protect our business, our Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.||Necessary for our legitimate interests (for running our business and as part of our efforts to keep our Site and the Services safe and secure)|
|To use data analytics to improve or optimise our Site, marketing, customer relationships and experiences.||Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Site and the Services updated and relevant, to develop and grow our business and inform our marketing strategy).|
|To measure or understand the effectiveness of advertising we serve to you and others, and, where applicable, to deliver relevant advertising to you.||
|To prevent, detect and report fraud, money laundering and other offences to protect our business, risk management||
|To provide you with telematics services on behalf of your insurance underwriters.||Necessary for our legitimate interests (to offer drivers an opportunity to reduce their insurance premiums).|
3.1 Change of Use
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our data protection officer at the contact details listed in Section 1 of this Policy. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with this Policy, where this is required or permitted by law.
3.2 Consequences of not providing us with information
You can choose not to give us personal information; however this may have an effect on you. We may need to collect personal information by law, or to enter into or fulfil a contract we have with you. If you choose not to give us this personal information, it may delay or prevent us from fulfilling our contract with you, or doing what we must do by law. It may also mean that we cannot provide you with a quote or manage your policies with us which means we may need to cancel a product or service you have with us.
4. Recipients of Data
We may share your personal data with outside organisations, below is a list of the categories of recipients of organisations we share your personal data with:
Insurance companies and brokers
When you request a quote from us we will need to share your personal data with our panel of insurance providers. As outlined earlier the insurance provider you have chosen is also a controller of your personal data. Further information on how they protect your personal data may be found in their privacy policies. We may also continue to share personal data such as identity and policy data with insurance providers to manage and administer your policy and for the prevention and detection of fraud.
Any party you have given us permission to speak to (such as a relative, friend or legal advisor), in certain circumstances other people insured under your policy of insurance (such as a named driver) and other people or companies associated with you.
Our employees, agents and contractors including companies that provide services in relation to telecommunications and postage, data storage, document production and destruction, IT and IT security, customer loyalty programmes, fraud detection, making and receiving payments, data analysis and management information, credit checking, risk analysis, complaints handling, marketing and market research.
If you hold insurance against a liability that may be incurred by you against a third party, where for whatever reason you cannot be found or you become insolvent, or the court finds it just and equitable to so order, then your rights under the contract will be transferred to and vest in the third party even though they are not a party to the contract of insurance. The third party has a right to recover from the insurer the amount of any loss suffered by them. Where the third party reasonably believes that you as policyholder have incurred a liability the third party will be entitled to seek and obtain information from the insurer or from any other person who is able to provide it concerning:
- the existence of the insurance contract,
- who the insurer is,
- the terms of the contract, and
- whether the insurer has informed the insured person that the insurer intends to refuse liability under the contract.
Government, Statutory and Regulatory Bodies
State regulators and authorities such as the Data Protection Commission, the Revenue Commissioners, the Central Bank of Ireland and the Financial Services & Pension Ombudsman; Law Enforcement Agencies such as An Garda Síochána & The Criminal Assets Bureau. Industry bodies such as Motor Insurers Bureau of Ireland and Personal Injuries Assessment Board.
We may also disclose your personal data to the following recipients or categories of recipients:
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- If Chill Insurance or substantially all of its business or assets are acquired or transferred to a third party whether in the event of a merger, reorganisation, transfer of undertakings, receivership, liquidation or other winding up or any other similar circumstances, in which case personal data held by it about its customers will be one of the transferred assets.
- If we are under a duty to disclose or share your personal data in order to comply with any law, legal obligation or court order, or in order to enforce rights under the GDPR or other agreements.
- To protect our rights, property or safety, our customers, or others. This includes exchanging information with other companies and organisations for the maintenance and security of the site and services.
5. Special categories of data and data on criminal convictions and offences
We will process Health Data where it is necessary and proportionate for the purposes of providing a policy of insurance or to comply with a legal obligation to which we are subject. We will also process data on Criminal Convictions and offences including penalty point data where it is necessary and proportionate for the steps taken leading into or the performance of your insurance contract and to comply with our legal obligations. Processing for this purpose is permitted by the Irish Data Protection Act 2018.
6. How and when we may contact you
We may contact you by phone/email/sms/post for the following purposes:
- Administration of your insurance policy
- To provide you with renewal terms on an existing policy
- To offer you assistance when you have requested a quote from us either over the phone or through our website; for example by providing you with details to retrieve your quote online and issuing you with a reminder before your quote expires.
- Handling customer service queries and complaints
- Marketing Chill products and services (unless you have opted out of receiving marketing communications)
- Provision of customer loyalty programme
- Conducting market research
7. Automated individual decision making including profiling
Automated individual decision making, including profiling, takes place when you request a quote from Chill through our website. The insurance providers we provide quotes on behalf of carry out this automated individual decision making. This means that we run your personal data through algorithms and internal models set by each of the insurance providers to determine your risk profile and calculate your insurance premium. This process includes the use of information you provide to Chill in your online quote form. For example, some factors that insurance providers would use for a car insurance policy are the age of the vehicle, location where the vehicle is parked and the age of drivers. This may include special categories of data, where relevant, such as Health Data or Criminal Convictions and offences data such as penalty point data.
Automated individual decision making, including profiling, take place when you operate your vehicle following the installation of a telematics device. Once activated the telematics device installed in your vehicle will record and analyse data about the driving behaviour of you and anyone who drives your car. This means that your personal data will be used to develop a profile of how, where and when your car is driven. This information is combined with information on your driving behaviour to form a driving score, this driving score can be used to affect your insurance premium. The assessment of your driving behaviour to form a driving score is automatically assessed by internal models.
You have the right to human intervention to express your interests and contest automated decisions. If for any reason you are not satisfied with the quote obtained via our website please contact our office to request a quote on 01 400 3400. For further information on individual insurance provider’s automated individual decision making processes, please refer to their privacy policies.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. This means that the period of time for which we store your personal data may depend on the type of data we hold. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. The table below outlines a general summary of our retention periods:
|Data Type||Retention Period|
|Quote Only Data (Where you have not purchased a policy)||15 months|
|Policy data||7 years from the date you no longer hold an active policy with us|
|Marketing preferences||Indefinitely to identify customer opt-out marketing preferences|
9. Subject Rights
a. Right to rectification
You have the right to have Chill correct any inaccurate personal data we have collected about you. You also have the right to have incomplete personal data completed; you may provide us with supplementary information to do this. To do so, please contact our customer care team by phone on 01 400 3400 or by email at firstname.lastname@example.org.
b. Right to erasure
In certain instances, you have the right to have Chill erase the personal data we have collected about you. Your right of erasure will apply in the following circumstances:
- We no longer need the data for the purpose that it was originally collected;
- You withdraw your consent
- You object to the processing and the organisation has no overriding legitimate interest in the data;
- We have collected the data unlawfully; orThe data must be erased to comply with a legal obligation;
This right will not apply where we are required to process personal data in certain circumstances including the following:
- For exercising the right to freedom of expression;
- For compliance with a legal obligation, such as the performance of a contract (i.e. your insurance policy or a quote) or compliance with certain legislation, for example we have a legal requirement (Consumer Protection Code 2012) to keep your policy data for at least 6 years.
- For the performance of a public interest task or exercise of official authority;
- For health purposes in the public interest;
- For archiving purposes in the public interest, scientific or historical research, or statistical purposes; or
- For the establishment, exercise or defence of legal claims.
To exercise this right, please contact our data protection officer at the contact details listed in Section 1 of this Policy.
c. Right to object
You have the right to object to the processing of your personal data at any time:
- For direct marketing purposes.
- For profiling to the extent it relates to direct marketing.
- Where we process your personal data for the purposes of legitimate interests pursued by us, except where we can demonstrate compelling legitimate grounds for this processing which would override your interests, rights and freedoms or in connection with the enforcement or defence of a legal claim.
Should this occur, we will no longer process your personal data for these purposes unless doing so is justified by a compelling legitimate ground as described above.
To exercise your right to object, please contact our data protection officer at the contact details listed in Section 1 of this Policy.
NOTE: We will use all reasonable efforts to communicate the fact that you have exercised your right to rectification or erasure of personal data or restriction of processing in accordance with these rights outlined above, to each recipient to whom your personal data has been disclosed in accordance with this Policy, unless this proves impossible or involves disproportionate effort.
d. Right to restrict processing
You have the right to have Chill restrict the processing of your personal data where one of the following applies:
- You contest the accuracy of the personal data (we will restrict the processing of the personal data until we verify the accuracy of the personal data)
- The processing is unlawful and you oppose the erasure of your personal data
- Chill no longer requires the personal data for the purposes of the processing but the data is required by you for the establishment, exercise or defence of legal claims
- You object to the processing of the personal data as outlined in Section 9.c above (we will restrict the processing of the personal data while we verify our legitimate grounds for the processing which may override your interests, rights and freedoms)
Where you have restricted the processing of your personal data, we will continue to store your personal data but will only process it with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of other people or for reasons of important public interest or other non-restricted purposes.
e. Right to access
You have the right to obtain from us information on the personal data we hold on you including the following:
- Purposes of the processing
- Type of personal data held
- Categories of recipients of the personal data
- Information on how long the data will be stored
- If automated individual decision making, including profiling, takes place, as well as information on the logic involved and consequences of this
- If data is not collected directly from you, information on the source of the data
- The existence of the right to request from us rectification or erasure of your personal data or restriction of processing of your personal data or to object to such processing
- The right to lodge a complaint with the Data Protection Commission
Any such request should be submitted in writing and sent for the attention of the data protection officer at the contact details listed in Section 1 of this Policy. We will need to verify your identity in such circumstances and may request more information or clarifications from you if needed to help us locate and provide you with the personal data requested. There is usually no charge applied to access your personal data (or to exercise any of the other rights). However, if your request is clearly unfounded, repetitive or excessive, we may charge a reasonable fee. Alternatively, we may refuse to comply with your request in these circumstances.
f. Right to portability
You have the right to receive personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You also have the right to provide this data to another controller or have Chill transmit this data to another controller on your behalf, where technically feasible. This applies to automated data only to the extent provided by you to us. This right to portability is limited to the following situations.
- Where the processing is based on the legal basis of consent
- Where the processing is based on the legal basis of entering into or performance of a contract
g. Right to withdraw consent
Where we are processing your personal data on the legal basis of consent, you are entitled to withdraw your consent at any time. We rely on your consent for marketing activities only. It is your choice to receive these communications and you have the right to withdraw your consent at any time. This does not affect the legality of the processing which took place when we had your consent. For further information on our marketing activities and how to stop receiving marketing communications, please see Section 10.
Please note if you withdraw your consent, we will no longer send direct marketing communications to you.
h. Right to complain
If you are not satisfied with our use of your personal data or our response to any request by you to exercise any of your rights in Section 9, then you have the right to complain to the Data Protection Commission (DPC). Please see below for contact details of the DPC.
For marketing purposes we may contact you in relation to special offers, competitions, products and services from Chill via email, post, SMS and phone.
For non-customers we rely on consent to contact you for marketing. Consent will always be provided in the form of a clear opt-in. You have the right to withdraw your consent at any time using the contact details listed in this section.
For existing or past customers, we rely on legitimate interest (to develop and grow our business) to contact you for marketing. We will always provide you with the option to opt-out at the point of data collection. Additionally, you can use the contact details listed in this section to opt-out of receiving future marketing communications.
If you would prefer not to receive this type of communication from us, you can do any one of the following;
- email email@example.com,
- call 1800 845 557
All emails and texts will also contain a link to unsubscribe or opt-out of future marketing communications from Chill.
11. International Transfers
Some of our suppliers who provide us with services such as IT security or data hosting services may process your personal data such as identity and policy data outside the European Economic Area (“EEA”) where privacy laws may not be as protective as those in your jurisdiction. There are special requirements set out under Chapter V of the GDPR to regulate such data transfers and ensure that adequate security measures are in place to safeguard and maintain the integrity of your personal data on transfer.
Where we transfer your personal data outside the EEA to our suppliers, we will make sure that it is protected to the same extent as in the EEA and we will use at least one of the following safeguards:
- Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA
- Put in place a contract with the recipient that means they must protect it to the same standards as the EEA.
- Transfer it to organisations that are compliant with the EU/US Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to those used and expected within the EEA.
Chill Insurance will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Policy. We will use all reasonable efforts to put in place security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, other recipients and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use reasonable procedures and security features to try to prevent unauthorised access. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
15. Questions or Complaints
Contact us. If you have any questions or complaints relating to this Policy, please contact us at:
Data Protection Officer, Chill Insurance, Ravenscourt Business Park, Sandyford, Dublin 18, D18 K267. Email: firstname.lastname@example.org.
Effective date of this policy: 3rd September 2020