This privacy notice explains how Metfriendly deals with the data we collect from you. It has been written in accordance with the General Data Protection Regulation (GDPR), which is in effect as of 25 May 2018 and applies directly in all member states of the EU and to the UK during the “Transition Period” to 31 December 2020. You can trust us to act in accordance with this privacy notice – however, if you have any concerns about your data, or want to report a failing in terms of how your data is being collected or used, you can either contact us or get in touch with the Information Commissioner’s Office (ICO).
We are Metfriendly. Metfriendly is the trading name of the Metropolitan Police Friendly Society Limited. Our address is: Central Court, Knoll Rise, Orpington, Kent, BR6 0JA. Our website is: www.mpfs.org.uk. Our email address for general enquiries is: [email protected]. Our telephone number is: 01689 891454.
Metfriendly is a data controller. This means that we collect data about our members and those to whom we send information, and decide what to do with that data.
Our data protection officer is John Midlane. John is responsible for Metfriendly’s data protection processes. His email address is: [email protected].
Why we process your data
There are three main reasons that we would process your data.
- Because you have purchased one or more of our products. In this case, we may process your data for the following reasons:
- To stay in touch about the product or products you purchased.
- To tell you about your rights as a member, such as your right to attend our Annual General Meeting (AGM).
- To tell you about other Metfriendly products or services that might interest you.
- Because you have requested something from us – e.g. a free Metfriendly calendar, a place at one of our events, or entry into one of our prize draws. If you sign up for postal delivery, we have legitimate interests for using your data. If you prefer electronic communications (emails, text/SMS messages, or voice calls), then we will ask for your consent to use your data to carry out your request. The legal basis for this is under section 1(a) Article 6 of the GDPR: “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” (we call this “consent”).
- Because you have opted into our mailing list to receive details of our products and services, and updates on matters that affect policing. If you sign up for postal delivery, we have legitimate interests for using your data. If you prefer to use electronic communications (emails, text/SMS messages, or voice calls), then we will ask for your consent to use your data to carry out your request. The legal basis for this is under section 1(a) Article 6 of the GDPR: “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” (we call this “consent”).
Metfriendly’s legitimate interests
We exist as a mutual friendly society because of our members – without our members, we would not exist. So, we want to grow our membership to replace those who leave and to increase the number of members we have. The more members we have, the lower the costs are for them. We have legitimate interests in growing our membership.
We encourage people to become members by telling them about Metfriendly and its products. We do not want to overwhelm potential members with unwanted or unnecessary communications (this would be counterproductive and deter people), so we make it easy to unsubscribe and try to keep our marketing and communications to reasonable levels.
The kinds of data we process
Almost all the data we collect and process is classed as “ordinary” (names, addresses, emails, etc.). However, we also collect some “special category” data when handling new applications or claims for protection plans. This includes data relating to the health of the applicant or claimant, and sometimes that of their relations.
The GDPR bans the processing of such data unless permitted by a national law. In the UK, the Data Protection Act 2018 allows insurance companies (like us) to process health-related data in order to carry out our insurance business, subject to certain conditions. Metfriendly meets those conditions and so we process your health-related data subject to the same safeguards as the rest of your data.
How we share your data
We do not share data with third parties for marketing purposes.
We do share data with other firms for processing, where we do not (or cannot) do this processing ourselves.
We use mailing houses to process and issue legally required documents such as your annual benefit statement and your invitation to our Annual General Meeting. Your data will only be kept by them for long enough to complete these tasks.
We use a firm to process and send emails for us – see the next section for details.
We also use a UK-based firm to process member referral offers and deliver gift voucher codes. We only share your email address and this will not be used for any other purpose.
If you apply for a protection product from us, or make a claim on one, we will share your data with our reinsurance partner firms to assist us in dealing with your application or claim. The data we share will include data relating to your health (“special data” as defined in the GDPR). These firms are “data controllers” in their own right and will have their own Privacy Notices. They are situated either in the UK or in the EU/EEA.
If you hold our Income Protection policy and use the free Personal Nurse Advice service provided by our partner firm RedArc, we will share your personal data with RedArc to enable them to provide this service to you. RedArc has its own Privacy Notice which it would provide to you after you make contact with them.
Why we transfer your data outside the UK
HubSpot is a US based service, which we use primarily for email marketing and for this purpose we transfer data to HubSpot. HubSpot has incorporated “Standard Contractual Clauses” into its contract with us, which means that it has equivalent safeguards on your data as any EU country.
When necessary, we also transfer data (including special category data) to our reinsurers in the UK and the EU/EEA. We do this if it is necessary for obtaining reinsurance on our protection products (e.g. life insurance and income protection). All our reinsurers have data protection safeguards in place to keep your data secure.
How long we keep your data
We generally keep data for six years after we have stopped using it. For policies, this is measured from the date that the policy ended. For membership, this is measured from the date that the last policy you held with us ended. For marketing, we keep your data for three years from the date that we collected it, or from when we last heard from you – whichever is later.
You have the following rights:
The right to be informed
We provide details about us, how and why we collect data, and how we process it, here in this Privacy Notice, and when we collect data.
The right of access
You can ask us for a copy of your personal data, and other supplementary information, called a subject access request or ‘SAR’. Your request can be verbal or in writing, including via social media, and with a very few exceptions, is free.
The right to rectification
You can have incorrect information corrected or incomplete data completed free of charge, by asking in writing or verbally.
The right to erasure
You have the right for your personal data to be deleted from all our records – although this only applies in certain circumstances (for instance, it does not apply if we need your data to process a contract that we have with you).
The right to restrict processing
You can instruct us not to process your data although we can continue to store it. This is not an absolute right and only applies in certain circumstances (if and while you are contesting accuracy of data, or when data has been unlawfully processed but you oppose erasure and request restriction instead; if we no longer need the personal data but you want us to keep it to establish, exercise or defend a legal claim; or if you have objected to processing your data under Article 21(1), and we are considering whether legitimate grounds override your rights).
The right to data portability
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services, to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. The right only applies to information that you have directly provided to us.
The right to object
You can object to the processing of your personal data in certain circumstances; in particular, you have an absolute right to stop your data being used for direct marketing. You can make an objection verbally or in writing. We offer you the chance to opt out of marketing in all our marketing communications. You need to specify reasons why you are objecting to the processing of your data, based on your particular situation. In these circumstances this is not an absolute right, and we may not comply if we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or if the processing is for the establishment, exercise or defence of legal claims. We would balance your interests, rights and freedoms with our own legitimate grounds. If we are satisfied that we do not need to comply with your request we would let you know. We would explain our decision and inform you of your right to make a complaint to the ICO and your ability to seek to enforce your rights through a judicial remedy.
Rights in relation to automated decision making and profiling.
This right applies where we make a decision solely by automated means without any human involvement; and profiling (automated processing of personal data to evaluate certain things about you).
We can only carry out this type of decision-making where the decision is:
- necessary for the entry into or performance of a contract; or
- authorised by Union or Member state law applicable to us; or
- based on your explicit consent.
More details on this are shown below under “Automatic decisions we make with your data”.
Changing your mind about consent
You can withdraw your consent at any time. You can do so by email, telephone or post. Our contact details are on our marketing materials and website. If we need to keep your data for legal or contractual reasons (for example, if you are still a member and have plans held with us), we are able to do so. Otherwise, we will stop processing your data and delete it immediately.
How to complain if something goes wrong
You can complain to the ICO if you believe your data has been lost or mishandled by us. The ICO’s address is: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Its website is: ico.org.uk. Its phone number is: 0303 123 1113 (charged at a local rate – calls to this number cost the same as calls to 01 or 02 numbers).
Where we get your data from
We obtain most of your data directly from you (the “data subject”). We also obtain data from the Metropolitan Police Federation and the Metropolitan Police and City of London Police payroll services. We use this data to identify you and ensure our records are up to date in terms of your current work location, rank and employment status.
Why we need your data
We need your data to be able to deliver our services and products properly. When you start a contract with us, you will need to provide us with some personal data – otherwise, we will not be able to fulfil our end of the deal.
Automatic decisions we make with your data
Some of our products are only available to people within certain age groups. Similarly, some of our products are only relevant to members of police services. We do not want to send details of such products to people for whom they are not relevant, so we may use an automatic system (“profiling”) to block such communications. If you want to hear about certain products anyway, just let us know, and we will send you information about them on request.
Recording telephone calls
We record incoming and outgoing telephone calls. We do this for a number of reasons: 1) so that you don’t have to provide written confirmation of instructions or information about contracts; 2) to monitor the way our team deals with our customers; and 3) for staff training. We do not share any part of these recordings with third parties, except when we are legally required to do so.
Last updated on 1 December 2020