What is the GDPR?

On May 4, 2016, the official text of the General Data Protection Regulation (the “Regulation”) was published in the Official Journal of the European Union, capping a four-year process to replace the European Union’s principle data privacy and security regime, the Data Protection Directive 95/46/EC (the “Directive”) that proved inadequate to resolve challenges posed by changing technology.

What is Personal Data

The Regulation redefines personal data by including a person’s “identity” in other contexts:

'Personal Data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This does not mean 'personal data' is without its grey areas.  For example, take a Vehicle Registration Mark (VRM); personal data or not? The answer, at least currently, is ... 'it depends'.  For more information see the ICO's decision notice reference FS50186040

For an overview of our conduct with regard to your information, please see our 'data map'. Our Data Protection policy can be read here.

CMA take your privacy seriously.  We will only use your personal information to administer a claim and to undertake the services we have been instructed to provide. Responsibility and accountability are the hallmarks of good data governance and critical to ensuring GDPR compliance.  Since 2011, CMA have held ISO 27001* year on year undergoing and satisfying external audit. For more information about CMA & GDPR click here.

*The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards helps our organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to us by you or third parties. ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).


Lawful Processing

True data governance is a CMA-wide effort that has established accountability through the organization. Staff understand they are accountable for owning the data helping to ensure it is accurate, trustworthy, and accessible. We continuously assess risk, monitor gaps, and track progress.

In order to provide your insurer services we need to collect, use, share and store personal information about you ("your information"). This includes information which we obtain from you or from third parties, credit-reference agencies (who may check the information against any particulars on the Electoral Register and any other database (public or private) which they have access to), fraud-prevention agencies or other organisations. For more information about our lawful processing conditions - click here.

Where you provide personal and financial information relating to others (e.g. dependents, joint account holders) for the purpose of progressing or administering a claim you confirm that you have their consent or are otherwise entitled to provide this information to us and for us to use it in accordance with this agreement.

We will use your information to manage your claim(s) and provide our services to prevent and detect fraud, money laundering and other crime, carry out regulatory checks and meet our obligations to any relevant regulatory authority and protect our client’s interests. 

We, insurers and fraud-prevention agencies will share your information. We and other organisations, including law enforcement agencies, may access and use this information to make assessments and to prevent and detect fraud, money laundering and other crimes. The information recorded by fraud-prevention agencies may be accessed and used by organisations in the UK and other countries. Please contact us if you want to receive details of the relevant fraud-prevention agencies. Examples of circumstances when your information or information relating to your partner or other members of your household may be accessed and/or shared include:

  • checking details on applications

  • managing accounts

  • recovering debt;

  • checking details on proposals and claims for all types of insurance; and

Information held about you by the credit-reference agencies may already be linked to records relating to your partner or members of your household where a financial “association” has been created. Any enquiry we make at a credit-reference agency may be assessed with reference to any “associated” records. Another person’s record will be associated with yours when:

·         you make a joint application;

·         you advise us of a financial association with another person; or

·         if the credit-reference agencies have existing, linked or associated records. This association may be taken into account in all future applications by either or both of you and shall continue until one of you applies to the credit-reference agencies and is successful in filing a ‘disassociation’.

We may give information about you and how you manage your account to the following:

·         Companies and organisations who provide a service to us or are acting as our agents, on the understanding that they will keep the information confidential.

·         Your advisers (including but not limited to accountants, lawyers, financial advisers or other professional advisers) where authorised by you and to any other person notified by you as authorised to give instructions or information on your behalf.

Otherwise we will keep information about you confidential unless we have a duty to disclose it or law or regulation allows us to do so for legitimate business purposes.

We will retain information about you after the conclusion of your claim, or if your claim is declined or abandoned, for as long as permitted for legal, regulatory, fraud and other financial crime prevention and legitimate business purposes.

You can ask for a copy of the information we hold about you by writing to us.

We will not contact you or share your details other than:

·         In the course or connection with our enquiries

·         Where required by a Court

·         In accordance with sections 29(3) and / or 35(2) of the data Protection Act 1998



click here to read our privacy policy




click here to read our information sharing protocol and how to change your information / preferences.




click here if you are considering or wish to make a Subject Access Request