CMA’s ‘Lawful Processing Conditions’:
There are six lawful processing conditions:
1. Compliance with a legal obligation
2. Performance of a contract
3. Legitimate interest
4. Public interest
5. Vital interest
6. Consent
Those upon which CMA rely are:
- Performance of a contract
- Legitimate interest and / or
- Consent
We are not in the ‘data’ business, that is to say, we do not obtain and retain ‘data’ because there is value in it; we do NOT sell personal information obtained.
We, like virtually every other business with customers, do seek, obtain and hold personal information. We manage insurance claims on behalf of our clients, insurance companies and their legal representatives or, on occasions, Guarantee claims for vehicle information suppliers. To provide an efficient, comprehensive and professional service we are provided and seek information.
We contract with insurers, who have a relationship with their customers (insureds and named persons within the insurance policy), to provide services following a claim. It is likely, if not certain by May 2018, that the insured will have contractually agreed to their insurer, our client, instructing a third party such as CMA. We will pursue information in the performance of a contract and where obtained from their insured, with consent.
Personal data may be processed on the basis that such processing is necessary in order to enter into or perform a contract with the data subject. Rec.30; Art.7(1)(b) Processing is permitted if it is necessary for the entry into, or performance of, a contract with the data subject or in order to take steps at his or her request prior to the entry into a contract. Rec.44; Art.6(1)(b) Processing is permitted if it is necessary for the entry into, or performance of, a contract with the data subject or in order to take steps at his or her request prior to the entry into a contract.
But what of, for example, third parties? If the insured vehicle is said to have struck a third party, neither our client nor we will have a contractual relationship with the driver and occupants of the other car. However, we will necessarily undertake inquiries of these parties to ensure the claim is as presented; to establish liability and quantum. To this end, we will seek and hold information about individuals with whom neither we nor our client has contracted and from whom we have not obtained consent. We will process this information on the basis, at the very least, we have a legitimate interest. Personal data may be processed on the basis that the controller has a legitimate interest in processing those data, provided that such legitimate interest is not overridden by the rights or freedoms of the affected data subjects. Rec.30; Art.7(1)(f) Processing is permitted if it is necessary for the purposes of legitimate interests pursued by the controller (or by a third party to whom the data are disclosed) except where the controller’s interests are overridden by the interests, rights or freedoms of the affected data subjects. Rec.47, 48; Art.6(1)(f)Processing is permitted if it is necessary for the purposes of legitimate interests pursued by the controller (or by a third party), except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects which require protection, particularly where the data subject is a child.
You must have motor insurance to drive your vehicle on UK roads. Third-Party insurance is the legal minimum. This means you’re covered if you have an accident causing damage or injury to any other person, vehicle, animal or property. Independent information about this can be found here and here. Personal data may be processed on the basis that the controller has a legal obligation to perform such processing. Rec.30; Art.7(1)(c) Processing is permitted if it is necessary for compliance with a legal obligation. Rec.45; Art.6(1)(c), 6(3)Processing is permitted if it is necessary for compliance with a legal obligation under EU law or the laws of a Member State.
There is also a Public Interest condition – Rec.45; Art.6(1)(e); ‘processing is permitted if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ This ground only applies where the task carried out, or the authority of the controller, is laid down in Union law or Member State law to which the controller is a subject (Article 6(3) and Recital 45).
Collecting personal data to undertake a ‘know Your Customer’, age check or money laundering* enquiry does not require specific consent.
*Money laundering is the generic term used to describe the process by which criminals disguise the original ownership and control of the proceeds of criminal conduct by making such proceeds appear to have derived from a legitimate source.