Privacy Notice

Great American International Insurance (UK) Limited


This Privacy Notice explains the use and processing of Personal Data (as defined below) by Great American International Insurance (UK) Limited (Company number 02714031 and FCA reference number 202874) of 32 Queen Square, Bristol, BS1 4ND, UK

For the purposes of this Privacy Notice, Great American International Insurance (UK) Limited is referred to as “Great American UK”, or “we”, or “us” or “our” in relation to its products and services.


This Privacy Notice describes Great American UK’s data protection practices and Data Subjects’ rights in respect of Personal Data relating to (i) Policyholders; (ii) Insureds; (iii) Claimants (as each term is defined below); and the rights of Website visitors, all of which are referred to in this Privacy Notice under those terms or as “you” or “your”).

Great American UK maintains a contractual relationship with the Policyholder, so it is important that the Policyholder or Claimant (as the case may be) ensures it has an understanding of how its Personal Data is processed by Great American UK and trusted parties it utilises with regard to its insurance products when entering into an insurance contract with Great American UK. This is described in this Privacy Notice.


For the purposes of this Privacy Notice, the following words and phrases shall have the following meanings:

– Claimant means an incorporated or unincorporated body or natural person who makes a claim under and/or pursuant to a Policy, and the term Claim shall be interpreted accordingly.

– Data Protection Law means all data protection and privacy legislation in force in the United Kingdom (“UK”) including but not limited to the Data Protection Act 2018; the General Data Protection Regulation (EU) 2016/679; the Privacy the Electronic Communications Regulations 2011; and  any replacement legislation thereof.

– Data Subject means any individual who provides Personal Data to Great American UK for the purpose of entering into a Policy or otherwise.

– Insured means an incorporated or unincorporated body or natural person who is a beneficiary under a Policy.

– Personal Data shall have the meaning assigned thereto by Data Protection Law. Please note that “Personal Data” does not include data where the identity has been removed (i.e., anonymous data).

– Policy means an insurance contract between Great American UK and the Policyholder.

– Policyholder means an incorporated or unincorporated body or natural person who enters into a Policy with Great American UK.

– Policy Personal Data means personal data relating to any Policyholder, Insured or Claimant processed by Great American UK pursuant to a Policy.

– Website means any website of Great American UK or a group company thereof.

– The terms “Controller”; “Data Subject”; “Personal Data”; “Processor”; “Processing” and “Sensitive Data” and “Special Category Data” (and any derivatives of this term) shall each have the meaning given under Data Protection Law.



For the purpose of setting up, writing and administering a Policy; assessing and processing any Claims; and handling Website data; Great American UK may collect and gather the following categories of Personal Data:

– Identity Data such as first name, surname, gender, date of birth, marital status, place of work, employment details, and insured property to the extent such property identifies a Data Subject.

– Contact Data such as address, e-mail address, telephone number, and workplace contact details.

– Regulatory Information, if applicable, such as ‘know your customer’ or anti-money laundering information required by law or regulation.

– Benefits Data concerning Policy benefits and coverage allocated to Insureds and/or property (to the extent such property may be associated with a Data Subject).

– Sensitive Data and/or Special Category Data including personal data regarding health including details of personal injury or illness, and other details regarding  the health of a Policyholder or otherwise as required to assess the eligibility of an individual for a Policy or to assess a claim;

– Financial Data consisting of credit related data of company directors in respect of certain Great American UK commercial bond products.

– Online identifiers such as IP Address, traffic data, cookies and other communication data.


The type of Personal Data collected and processed varies depending upon whether you are a Policyholder, Insured, Claimant or Website user and the kind of insurance cover provided, the type of Claim we are being asked to pay, or type of interaction we have had.

Aggregated data: In addition to other Personal Data processed, Great American UK collects, uses and shares aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from Policy Personal Data but is not considered Personal Data under Data Protection Law, as this data does not directly or indirectly reveal Data Subjects’ identity.

If you fail to provide Personal Data or provide false data: In some cases, providing Personal Data is necessary to enter into an insurance contract with Great American UK and/or to comply with applicable law. Where Great American UK needs to collect Personal Data: (a) by law; (b) under the terms of a Policy or other contract we have with a Policyholder; (c) in order to offer, underwrite, extend and administer Policy benefits to Insureds; or (d) to assess and process Policy claims by Claimants; and this Personal Data is not provided when requested (whether requested by Great American UK or by one or more third party intermediaries), Great American UK may not be able to perform its obligations under a Policy and the processing of any claims may be delayed, suspended or stopped.  The provision of false information may mean that a claim made under a Policy will not be paid and may possibly result in criminal prosecution for fraud.



Great American UK receives Personal Data via a range of different channels.  This Privacy Notice sets out Great American UK’s data protection practices and Data Subjects rights for:

– Direct interactions with Policyholders or other Data Subjects, such as communications by post, telephone, email or otherwise. For example, Great American UK in some cases will communicate with Policyholders and Insureds by post and electronic communications for Policy creation, administration and processing claims.

– Indirect interactions: Great American UK receives Policy Personal Data relating to Policyholder, Insureds and Claimants from insurance brokers, third party agents, claims handlers, loss adjusters, third party intermediaries, solicitors and other third parties involved in the creation and administration of a Policy and/or a Policy claim;

– Website interactions, where Personal Data is gathered from interactions with our website or supplied by you via our website.

– Third parties or publicly available sources, such as from publicly available sources such as Companies House and credit agencies.



Great American UK will only use or transfer Personal Data in accordance with Data Protection Law and any other applicable laws. Most commonly, Great American will use Personal Data in the following circumstances:

– Where Great American UK writes or is considering writing a Policy with a Policyholder and for assessing or processing any claim made as a result of that contract.

– Where it is necessary for Great American UK’s legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

– Where Great American UK must comply with a legal or regulatory obligation.

– Where consent has been granted by the Data Subject.

– For other reasons required by law.


Generally, Great American UK does not rely on consent as a legal basis for processing Policy Personal Data other than when we need to process Sensitive Data of Claimants when assessing and processing a claim, or when  underwriting certain types of insurance cover. Typically, such consent (which could be explicit consent if required) is obtained from Claimants by third party claims managers whom Great American UK engages to manage Policy claims.  You have the right to request the withdrawal of your consent by contacting us, using the details provided in the last section of this Privacy Notice under (Contact Us).

Great American UK also uses Website data to continually improve the ease of use of our website (and website functionality) for you and for other users, and to fulfil any requests you make via our Website and to understand how and what you use the website for. For details of how we use Cookies on the website please refer to  our Cookies Policy, a copy of which is available upon request (see Contact Us below). 

The following describes the basis for processing of the data Great American UK collects:


Purpose/Activity Type of data Lawful basis for processing
1. Create, administer and renew Policy, including verification of Policyholder and Insured identity and eligibility for Policy.  

Ø Identity

Ø Contact

Ø Regulatory

Ø Financial

Ø Benefits

o  Performance of a contract with Policyholder (or for taking steps at Policyholder’s request with a view to entering into a contract).
2. To process and administer payments under Policy including:(a) manage premiums, payments and charges(b) collect and recover money owed Ø Identity

Ø Contact

Ø Financial

o  Performance of a contract with Policyholder

o  Necessary for our legitimate interests (to recover debts due to us)

3. To manage our relationship with Policyholder which will include:

(a) issuing policy and renewal documents

(b) notifying about changes to our terms or privacy notice

(c) updating Policy information, including details of Insured and other beneficiaries.

Ø Identity

Ø Contact

Ø Financial

Ø Benefits


o  Performance of a contract with Policyholder

o  Necessary to comply with a legal obligation

o  Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

4. Policy underwriting Ø Identity

Ø Contact

Ø Financial

Ø Benefits


o  Performance of a contract with Policyholder

o  Necessary for our legitimate interests (to recover debts due to us)

5. To assess, manage, process, defend and settle claims.  

Ø Identity

Ø Contact

Ø Financial

Ø Special


o   Performance of a contract with Policyholder

o  Necessary for our legitimate interests (to manage, process, defend and settle claims)

o  Consent / Explicit Consent

o  Necessary for the establishment, exercise or defence of legal claims

6. To administer and protect our business  

Ø  Identity

Ø Contact

Ø Financial

Ø Regulatory

o  Necessary for our legitimate interests (for running our business, provision of Policy administration, data and network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

o  Necessary to comply with a legal obligation

7. To administer and improve Website services  


Ø Identity

Ø Contact

Ø Online Identifiers


o  Performance of a contract with Policyholder (or the act of entering a contract)

o  Necessary for our legitimate interests in improving website efficiency and understanding users and traffic to the site

o  Consent in the case of cookies applied


Great American UK will only process Personal Data in a manner compatible with the purposes described in this Privacy Notice, unless required or authorised by law, or where it is in your own vital interest or that of another person (e.g., in the case of an emergency).


Great American UK contracts with other entities that perform certain tasks on its behalf (“Service Providers”). This is required in order to underwrite, provide and manage a Policy and any Claims made pursuant to a Policy.

From time to time, Great American UK will need to make Personal Data available to its group companies (i.e. a parent company, a subsidiary company and/or a parent of another subsidiary company) for the provision of and administration of a Policy or due to executive oversight by its parent or group company. From time to time, Great American UK will need to make Personal Data available to unaffiliated third parties.  Such unaffiliated third parties may include the following:

 – Professional advisors: Accountants, auditors, lawyers, bankers, insurers, and other outside professional advisors in all of the countries in which Great American UK operates.

 – Service Providers: Companies that provide products and services to Great American UK such as reinsurance providers, loss adjusters, Claims handlers, third party agents and intermediaries, IT systems suppliers and support, Website administrators, data storage, IT developers, (re)insurance, credit card companies, payment processors, analytics companies, Website hosting providers, and other service providers.

 – Public and Governmental Authorities: Entities that regulate or have jurisdiction over Great American UK and/or a Policy and/or a Policy Claim such as regulatory authorities, law enforcement, public bodies and judicial bodies.

 – Corporate transaction: A third party in connection with any proposed or actual reorganisation, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of the Great American UK business, assets or stock (including in connection with any insolvency event or similar proceedings).



Personal Data may be transferred, stored and accessed within the United Kingdom, or transferred to, stored in, and accessed from group companies situate in the United States of America, or transferred outside of these jurisdictions where Great American UK deems it necessary to do so to facilitate or service a contract of insurance. In all instance, Personal Data shall be processed and / or transferred in compliance with law, in order to fulfil the purposes described in this Privacy Notice.

Whenever Great American UK transfers Policy Personal Data out of the United Kingdom we ensure a similar degree of protection is given to it by using  contracts which comply with Data Protection Law and any other requisite legislation.



Great American UK is committed to maintaining the security of Personal Data processed. Great American UK maintains appropriate physical, procedural, organisational and technical security measures intended to prevent loss, misuse, unauthorised access, disclosure, or modification of Policy Personal Data under its control.    If you have reason to believe that your Personal Data is not secure, please notify Great American UK immediately using the contact information supplied in below (under Contact Us).



Great American UK retains Personal Data for no longer than is allowed under Data Protection Law and, in any case, no longer than such Personal Data is necessary for the purpose for which it was processed. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure thereof, the purposes for which we process Personal Data and whether we can achieve those purposes through other means, and the applicable legal retention requirements.  Typically (but not always) our retention period for Policy Personal Data will be for 6 years after Policy coverage ends, unless a longer retention period is required by applicable law or regulation (such as retention obligations arising under financial regulations and tax law or for litigation purposes) or is justified under applicable statutory limitation periods.

In some circumstances we may anonymise Personal Data (so that it can no longer be associated with Data Subjects) for research or statistical purposes, in which case Great American UK may use this information indefinitely without further notice to you.



Under certain circumstances Data Subjects (including Policyholders, Insureds, Claimants and Website users) have rights under Data Protection Law in relation to personal data, namely:

 – Request access to your personal data (commonly known as a “Data Subject Access Request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

 – Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

 – Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.  You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.  Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

 – Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and you believe the processing impacts your fundamental rights and freedoms. However, we may demonstrate that we have compelling legitimate grounds to process your information that override your objection.

 – Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it because you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

 –  Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.  Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

 – Withdraw consent at any time if and to the extent we are relying on consent as the legal basis to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.  If you withdraw your consent, we may not be able to provide certain products or services to you, or process a Policy claim.  We will advise you if this is the case at the time you withdraw your consent.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee, or refuse to comply, if your request is clearly unfounded, repetitive or excessive.  We may also need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights).  This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.  We may also contact you to ask you for further information in relation to your request to speed up our response.  We try to respond to all legitimate requests within one month, and earlier where possible. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests.  In this case, we will notify you and keep you updated.

In order to exercise one or more of your rights in respect of your Personal Data, please contact Great American UK using the information provided below under the last section (Contact Us). Great American UK will respond to your request(s) as soon as practicable, but in any case, within the legally required period of time.

Data Subjects have the right to make a complaint at any time to the Information Commissioner’s Office (ICO) for data protection issues ( ). We would, however, appreciate the opportunity to respond to your concerns first, so please contact us using the information listed in below under (Contact Us).



It is important that Personal Data which Great American UK holds relating to Policyholders, Insureds and Claimants is accurate and current. Please keep Great American UK informed, using the contact details listed below under (Contact Us) regarding any Personal Data changes during your relationship with us.



Great American UK reserves the right to change this Privacy Notice at any time, and in its sole discretion. If changes are made, they will be posted to our website. Policyholders, Insureds and Claimants may be asked to confirm that they have read the Privacy Notice, or any modified version thereof.



Great American UK has appointed a Head of Compliance who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact us using the following details:

Head of Compliance

Great American International Insurance (UK) Limited

32 Queen Square, Bristol, BS1 4ND, UK

or alternatively address your query to the Head of Compliance through the contact section of our website:


Last updated: 16th September 2021