About this Privacy Notice
This privacy notice explains how Carpenters (referred to in this document as "we," "us," or "our") collect, use, and protect your personal information. Our goal is to provide you with clear information and uphold our obligations under Data Protection laws, which in England, Scotland and Wales include the UK GDPR 2018 and the Data Protection Act 2018.
About Carpenters
Carpenters Group is a leading provider of insurance and legal services in the UK. We work in partnership with insurers, brokers and MGAs to deliver a variety of fully outsourced claims solutions.
Our registered office is Leonard House, Scott's Quays, Birkenhead, Wirral, CH41 1FB. We have offices throughout the UK, in Liverpool, Birkenhead, Leeds, Haywards Heath, Manchester and Glasgow.
Carpenters Group
Privacy Notice
The ways in which we use your personal information depend on our relationship with you, but generally fall into two primary categories:
- Providing and managing our claims and legal services
- Managing our employment relationships
Further details about these and other uses can be found throughout this notice.
When Carpenters deliver insurance services, we often manage claims involving accidents, losses, damages, or injuries. Handling these claims requires us to collect and use personal information about people who may have been affected, witnessed events, or been involved in the claim in any capacity.
The exact nature of the personal information we collect, and our reasons for collecting it, depend on the details of each claim and the specific services we are delivering.
Generally, when delivering our claims and legal services, we collect, use, and store the following types of personal information, examples of which are provided below.
|
Type |
Example information |
|
Contact |
Name, Address, Telephone Number, Email address. |
|
Personal |
information about your marital status, income level, employment details, and aspects of your home or family life. |
|
Financial |
Bank account information and record of payments. |
|
Contractual |
Information relating to your contracted services. |
|
Identity documents |
Information contained within identification documents, such as driver’s licenses and passports. |
|
CCTV, images and voice |
Data from CCTV, call recordings, or other digital media, including your image, voice, or call transcripts. |
|
Insurance and claims history |
Details regarding your insurance coverage, claims history, including medical information, convictions, fines, or penalties. |
|
Special Category |
Information containing or revealing racial or ethnic origin, biometric data, data concerning health and disability. This includes medical records and reports, information about injury, diagnosis, prognosis, treatment and medication. |
|
Criminal / unlawful offence Data
|
This includes details that reveal or relate to criminal or unlawful offenses and any allegations of such offenses. Offense data may cover, but is not limited to, motoring charges and convictions, legal proceedings, prior convictions, instances of fraud, bankruptcies and other financial sanctions such as County Court Judgments. |
|
Children's information
|
Information that includes or reveals details about minors /children relevant to a claim, such as identity, medical, or other special category data. |
|
Support Needs |
Information that helps us understand individuals’ needs and provide appropriate support or adjustments, including details about health, finances, or personal circumstances. |
|
Preferences |
Such as your marketing permissions, contact and accessibility requirements, such as large print format |
|
Location information |
Information obtained from your vehicle revealing information about your location and travel history |
|
Technical |
Information about the devices and technology you use, including your IP address and how you interact and use our applications, emails and text messages, portals, products and services. |
You are a customer and have provided information to us
Most of the personal information we handle comes directly from you, either when you are involved in a claim, instruct us to deliver a legal service or when you contact us with a question about our services.
Engaging our services
When you express interest in engaging our services, consent is the legal ground that we rely upon. Where consent is provided, we gather personal details needed to determine how we can help and to start the process of becoming a customer, this does not affect the processing of your data under other legal grounds.
After you provide this information, we then rely upon other lawful basis to access and process your data further. Typically, this is to fulfil the contracted services and comply with our legal responsibilities such as identity verification, screening for fraud or conflicts, and keeping accurate records.
Providing you with our services
The varied nature of our customers, the services and the types and complexity of claims ad legal services we manage it is likely that we will collect large volumes of your personal information throughout the duration of a claim, these are described within section: Types of Personal Information.
We will let you know what information we need as the claim or legal service progress. Generally, the reason we require information is for the following purposes.
|
Purpose |
Lawful basis. |
|
To progress your claim or legal service |
Contractual obligation |
|
To manage and respond to queries and provide updates on your claim or service |
Legitimate interest |
|
To comply with legal, regulatory, or statutory requirements. |
Legal obligation |
|
To ensure reasonable adjustments or safeguarding measures are in place for you. |
Legal obligation |
|
To deliver services or activities relevant to your claim or service, such as arranging vehicle repairs or medical support. |
Legitimate interest |
|
To detect, prevent, or report crime, fraud, or any suspicious or unlawful activity. |
Legitimate interest |
|
To arrange payments connected to your claim or legal service. |
Legitimate interest |
|
To handle and resolve complaints. |
Legal obligation |
|
To manage and maintain our systems and applications, including implementing security measures. |
Legitimate interest |
|
To conduct audits, training, and quality checks, improve our products, services, and systems. |
Legitimate interest |
Depending on the situation, information about you may be shared with us by other individuals or organisations involved in your claim.
Interested parties
Such as Third-Party Claimants, Witnesses and professional agencies
- Information supplied by others involved in the claim process, such as policy holders, witnesses, passengers, or professionals present at the incident.
- Information from professional sources, including your insurer, solicitors, insurance or claims management agencies, medical professionals, law enforcement, or legal advisors.
Information obtained during our activities
(include but not limited to)
We carry out a range of activities to verify the information provided, gather supporting evidence, confirm identities and legal status, and to help detect or prevent any criminal or fraudulent behaviour.
- Agencies focused on preventing financial crime and fraud, including law enforcement or government authorities, may provide us with information to help detect fraud or notify us about criminal convictions or offenses.
- Medical agencies, such as those evaluating your health, injuries, recovery, or prognosis, may supply relevant details relating to the nature of the claim.
- Organisations such as DVLA, insurance industry bodies, and government portals may share information to confirm your details, driving license, or vehicle status, including aspects like proper insurance, legal documentation, and vehicle condition.
- Publicly available information and sources.
Medical records
Consent
We ask for your written consent as our lawful basis to access medical records, such as those from your doctor or hospital. Once received, we rely on a different lawful basis to review and use them; to perform our contracted legal services, as such we are required to retain them for as long as needed to complete our activities and meet legal requirements.
Our customers have access to MyClaim, our dedicated online portal that streamlines communication with us. Through this platform, you can monitor and manage your claim, as well as securely upload and retrieve important documents and information. We also utilise this portal and a trusted SMS solutions partner to send you timely emails and text messages, keeping you updated on the progress and actions needed for your claim.
Our customers or other parties involved in a claim may share information about you that they believe is relevant, such as details about the incident or your involvement. In some cases, this can happen without your knowledge or consent.
The information we receive is solely used to process legal services and claims and to meet our legal or professional obligations. These obligations include adhering to Solicitors Regulation Authority (SRA) rules and complying with fraud prevention laws that require us to carry out certain tasks and retain information for specific timeframes. As a result, these requirements might limit your data rights, such as requests for deletion or access, or asking us to stop processing your information.
Although not exhaustive, there are key activities that may result in third parties providing us with your personal information.
|
Examples of information sharing |
Our Lawful Basis |
|
Professionals such as medical specialists, law enforcement, or legal advisors provide information about you, if it is relevant to an incident or claim that involves you. |
Legitimate interest / Legal obligation |
|
If you are involved in a claim, whether as a claimant, defendant, or another interested party, we may use your information to deliver services such as arranging medical care, managing repairs, or processing compensation for any damages or losses. |
Legitimate interest |
|
Your details might be shared by a customer who names you as relevant to their claim, such as their nominated representative, beneficiary, or someone otherwise connected to the case. |
Legitimate interest |
|
We may receive information about you from other individuals involved or present during the incident, such as witnesses or those providing details that they consider relevant. |
Legitimate interest / Legal obligation |
|
Your information may be used to identify, prevent, or report criminal or unlawful, fraudulent, or suspicious activity. |
Legitimate interest |
|
To manage payments relating to you. |
Legitimate interest |
|
To handle and resolve complaints. |
Legal obligation |
|
To manage and maintain our systems and applications, including implementing security measures. |
Legitimate interest |
|
To conduct audits, training, and quality checks, helping us improve our products, services, and systems. |
Legitimate interest |
During the process of managing a claim, we may be required to share information with appropriate third parties to facilitate the progression of a claim and to comply with our legal and professional responsibilities.
|
Third party |
Sharing Purpose |
|
Your insurance company |
When we process your personal and claim-related information on behalf of your insurer, we do so as joint controllers. Your insurer may store and use claim information as specified in your contract with them. |
|
Joint Account Holders |
If your insurance is linked to a joint account, personal details such as your name and address and claims details are accessible to both account holders. This means that both individuals can view and manage the claim information, ensuring transparency and facilitating communication. |
|
Representatives and/or Nominees |
If you have given consent or appointed someone through power of attorney, we may share your information with them as outlined in your agreement. |
|
Third-Party Insurance Companies |
We may share relevant details such as policy numbers, claim details, and contact information to support the resolution of insurance claims. |
|
Courts & Parties to the claim |
If you make a claim needing a court application, your information becomes part of the court bundle and will be shared with relevant parties such as the Claimant, Defendant, legal representatives, and others named by the court. Claims cannot be submitted anonymously, though some data may be redacted in certain cases. Contact your file handler for details. |
|
Financial Crime and Fraud Prevention Agencies and Databases |
Your information may be used where required to meet our obligations relating to fraud and money laundering prevention, as well as to verify your identity and information you have provided. Relevant parties include, but are not limited to, the Insurance Fraud Bureau or the Motor Insurer Anti-Theft Agency. |
|
Motor Insurance Bureau (MIB) and Claims/OIC Portal |
We use these services for activities such as obtaining information about road traffic accidents, managing claims online, exchanging documentation between relevant parties including lawyers and insurers, and maintaining pre-action protocols. For example, the Motor Insurance Bureau (MIB) helps in obtaining accident information, while the Claims/OIC Portal facilitates online claim management and document exchange. |
|
Driver and Vehicle Licensing Agency (DVLA) |
We may check license status, entitlements, restrictions, and details of endorsements or convictions linked to a Driving License Number (DLN) to ensure compliance with legal requirements and to verify the accuracy of the information provided. |
|
Medical and Health Services |
We may share your data to engage professionals such as medical experts, rehabilitation specialists, or legal advisors to assess, manage, or verify personal injury claims. |
|
Automotive Companies |
Your information may be used to arrange and manage repairs, evaluate damage, or provide temporary solutions like vehicle hire through repair specialists or engineers, such as auto body shops, mechanical engineers, or rental car companies |
|
Regulatory Bodies |
When required, we may need to process or share your information to comply with legal and regulatory requirements, your data may be shared with authorities such as the Solicitors Regulation Authority (oversees solicitors in England and Wales), Financial Conduct Authority (regulates financial services), Information Commissioner’s Office (responsible for data protection), Legal Ombudsman Service (handles complaints about legal services), and legal auditors (ensure compliance with legal standards). |
|
Law Enforcement and Government Agencies |
In certain situations, we may need to share your personal information with law enforcement or government authorities. This could happen with or without your knowledge or consent, depending on circumstances; such as compliance with a court order or investigation of a crime. |
|
Carpenters Group entities
|
Your information may be shared within Carpenters Group entities as part of business operations such as customer service management, internal audits, compliance checks, or for other activities consistent with this privacy notice. |
Legal and Insurance services and claims Information
Carpenters are subject to multiple legal, regulatory, contractual and operational obligations that determine how long we must retain your information.
Generally, information relating to our legal and insurance services is retained for minimum of six years from the end of your relationship with us. This is to satisfy our regulatory and fraud prevention purposes, and to also defend any claim or complaint within the limitations period.
Some information we may be subject to longer, such as information relating to claims involving a child/minor, in these circumstances, we adjust our retention periods.
Visiting our website
When you access and interact with our website, we use automated tools that collect information about your device, and to manage any queries you may have.
|
Category |
Details |
Lawful Basis |
|
Technical information |
If you consent to our use of Cookies when you connect to our website our system may collect and use information about your activity during your visit, and collects other technical information, including: Type of device used: helps us optimise our website for different devices. Browser and operating system used: helps us to ensure compatibility and improve user experience. IP address: to enhance security and identify user locations for better service delivery. See cookie policy for details. |
Legitimate Interest |
|
Managing general queries |
Information provided when you engage with the chat function or add information to the contact us pages is used to manage your queries, provide customer support, and improve our services. This data helps us respond promptly and accurately to your needs. |
Consent |
When you visit our office, you will be asked to sign in and wear an identification card. The information gathered is stored within our access control system to manage your access and ensure security. This data helps us monitor entry points and maintain a secure environment.
Managing your visit
You may choose to provide information about accessibility or dietary needs or other information required to manage your visit; this information is used and retained only for the purposes of your visit.
Guest Wifi
If you chose to connect to our Wi-Fi services, you will be presented with an electronic notice with terms and conditions of use, when you connect, automation allocates your device with an IP address and generates audit logs that capture details of your activities.
CCTV
Our offices are protected with CCTV cameras, these continually monitor and record key access points throughout the building; for the purposes of detecting and preventing crime and to ensure health and safety. Recordings are retained within our systems and are automatically deleted after 1 month.
Drills, Incidents and accidents
During a drill or following an incident that involves you, we may need to take certain details such as your name, contact information, and specific actions taken during the event to record activities or to investigate an accident or manage an incident. We will let you know at the time any legal, regulatory, or contractual obligations that we have regarding our requirements to share or retain your information.
We maintain an Employee Privacy Notice that contains additional privacy information specific to our colleagues and those who have applied for a position with us, such as data collection practices, storage duration, and employee rights regarding their personal information.
Please contact riskandcompliance@carpentersgroup.co.uk
As a large company, we undertake various business activities to ensure operational stability. Other than the routine activities described in this notice, the use of personal information is limited and often anonymized or aggregated. Our other operational activities are summarized below.
|
Purpose |
Lawful basis |
|
To ensure fair treatment for customers (for example, by supporting our regulators or suppliers when legally required, or by making reasonable adjustments to our services for vulnerable individuals as necessary) and addressing complaints and ensuring fair treatment for customers. |
Legal Obligation |
|
To handle and respond to any questions or feedback regarding our products or services. |
Legitimate interest |
|
To fulfil our legal and regulatory responsibilities or to comply with a court order. |
Legal Obligation |
|
To host information, deliver IT services and applications. Apply sufficient security and data loss prevention measures and undertake improvements and testing activities in accordance with maintaining our ISO 27001 and ISO 22301 certification. |
Legal Obligation |
|
To share information with our trusted third parties who perform contracted activities on our behalf. |
Legitimate Interest |
|
To improve our products, services, and systems by using technology, analyse feedback, identify ways to enhance functionality, reliability, and user experience. |
Legitimate Interest |
|
To review our internal processes and ensure our staff maintain high standards of customer service, for example, by recording calls for training and administrative purposes. |
Legitimate Interest |
|
To undertake activities such as budget setting, satisfaction surveys and performance and management reviews. |
Legitimate Interest |
|
To enter into sale of a business, entity or assets, or seek to acquire new businesses, merger, restructure, or other sale or transfer of some or all of our assets to ensure continued growth and operational efficiency. |
Legitimate Interest
|
|
To enforce our legal rights against breach of contract or agreement (e.g., non-payment, unauthorised use of services), detection or prevention of fraud or crime (e.g., identity theft, financial fraud), and to protect people, property, or assets (e.g., safeguarding customer data, securing company premises). |
Legitimate Interest
|
Our routine operations do not require of data transfers outside of the UK. However, on occasion it may be necessary to engage with an agency or an individual who are not based within the UK. Should the need arise, we will only transfer information required to achieve the purpose and using sufficient protections to ensure that the same level of protection in in place.
We use automated decision-making tools; however, these do not fall within a category or scope of activities requiring your notification. If our activities changes, we will update this notice and inform you directly where required.
The General Data Protection Regulations and the UK Data Protection Act 2018 [the Regulations] provide individuals within the UK and EEA with specific data protection rights, explained by the UK regulator, the Information Commissioner's Office (ICO): For the public | ICO.
|
The rights |
About the right |
|
Getting copies of your information (SAR) |
Make a subject access request (SAR) to find out if Carpenters are using or storing your personal data and get copies of it. |
|
Make a subject access request |
Use this service to ask Carpenters for your personal information. |
|
Make a data protection complaint |
Tell Carpenters if you're concerned about how they are using your data. |
|
Get your data corrected |
You can challenge the accuracy of personal data held about you by Carpenters. |
|
Get your data deleted |
You can ask Carpenters to delete personal data that we hold about you. |
|
Object to Carpenters using your data |
You have the right to object to the processing or use of your personal data in some circumstances. |
|
Being informed if your personal data is being used |
Carpenters must inform you if we are using your personal data. |
|
Limit how Carpenters uses your data |
You can limit the way Carpenters use your personal data. |
|
Data portability |
You have the right to get your personal data from Carpenters in a way that is accessible. |
|
Decisions being made about you without human involvement |
Decisions are made about you when your personal data is processed automatically. |
Exceptions and exemptions
Your data protection rights may be restricted by certain exemptions set out in data protection laws and other applicable legislation. These exemptions can affect how you exercise or enforce your rights, depending on the type of data and its purpose. For example, information we receive from our client may be protected by client confidentiality, which, in most cases, takes priority over the right to access.
A data protection rights request can be made regarding your own personal information, or with explicit authorisation from the individual concerned.
This request may be submitted in any format and to any employee within the organisation. For convenience, it is recommended that you contact: riskandcompliance@carpentersgroup.co.uk
Once we receive your request, we will acknowledge it and let you know if we require any further details, such as information needed to confirm your identity.
Our aim is to respond within one month. If we need additional time, we will inform you and explain the reasons for the delay.
If you are unhappy about how we have managed your information or dissatisfied about how we have responded to your information request, please contact us and let us know. You can reach out to our Data Protection Officer at riskandcompliance@carpentersgroup.co.uk
Alternatively, you may wish to raise a complaint directly with the information regulator Make a complaint | ICO / https://ico.org.uk/make-a-complaint/
|
V# |
Date |
Author |
Change Description |
|
0.1 |
October 2017 |
Data Protection Officer |
Updated existing policy for discussion |
|
0.2 |
December 2017 |
Data Protection Officer |
Reviewed for inclusion with CCD |
|
1.0 |
April 2018 |
Data Protection Officer |
Final review (Informed Art13/14) |
|
3.0 |
July 2019 |
Data Protection Officer |
Review and update information relating to subject access |
|
4.0 |
July 2020 |
Data Protection Officer |
Review & Minor amendments |
|
5.0 |
September 2020 |
Data Protection Officer |
Review & Update re electronic signatures |
|
6.0 |
September 2021 |
Data Protection Officer |
Updated re Defendant CNF |
|
7.0 |
February 2022 |
Data Protection Officer |
Owner Update |
|
8.0 |
February 2023 |
Data Protection Officer |
review, updated as CL only |
|
9.0 |
September 2023 |
Data Protection Officer |
Contact/Owner update |
|
10.0 |
November 2023 |
Data Protection Officer |
Review |
|
11.0 |
August 2025 |
Data Protection Officer |
Review & combine Fair Processing and Website visitor notices |
