JLT Specialty Limited (
JLTSL), a business of Marsh & McLennan Companies, Inc. ( MMC), strives to protect the privacy and the confidentiality of Personal Data that the company processes in connection with the services it provides to clients and individuals’ use of the JLTSL websites. JLTSL's services consist primarily of risk consulting and insurance broking, which enable the consideration of, access to, administration of, and making of claims on, insurance.
To arrange insurance cover and handle insurance claims, JLTSL and other participants in the insurance industry are required to use and share Personal Data. For an overview of how and why the insurance industry is required to use and share Personal Data please see the Insurance Market Core Uses Information Notice hosted on the website of a UK insurance industry association, the
Insurance Market Core Uses Information Notice hosted on the website of a UK insurance industry association, the Lloyd’s Market Association (the LMA Notice). JLTSL's use of Personal Data is consistent with the LMA Notice.
During the insurance lifecycle JLTSL will receive Personal Data relating to potential or actual policyholders, beneficiaries under a policy, their family members, claimants and other parties involved in a claim. Therefore references to “individuals” in this notice include any living person from the preceding list, whose Personal Data JLTSL receives in connection with the services it provides under its engagements with its clients. This notice sets out JLTSL's uses of this Personal Data and the disclosures it makes to other insurance market participants and other third parties.
Identity of Controller and Contract Details
JLT Specialty Limited of The St Botolph Building, 138 Houndsditch, London EC3A 7AW (
JLTSL or We) is the controller in respect of the Personal Data it receives in connection with the services provided under the relevant engagement with its client.
Personal Information that We Process
We collect and process the following
Individual details ► name, address (and proof of address), other contact details (e.g. email and telephone details), gender, marital status, family details, date and place of birth, employer, job title and employment history, relationship to the policyholder, insured, beneficiary or claimant, images;
Identification details ► identification numbers issued by government bodies or agencies (e.g. depending on the country you are in, social security or national insurance number, passport number, ID number, tax identification number, driver’s licence number);
Financial information ► payment card number, bank account number and account details, income and other financial information;
Insured risk ► information about the insured risk, which contains Personal Data and may include, only to the extent relevant to the risk being insured:
Health data ► current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g. smoking or consumption of alcohol), prescription information, medical history;
Criminal records data ► criminal convictions, including driving offences; and
Other special categories of Personal Data ► racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning an individual’s sex life or sexual orientation;
Policy information ► information about the quotes individuals receive and the policies they obtain;
Credit and anti-fraud data ► credit history and credit score, information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, regulators or law enforcement agencies;
Previous claims ► information about previous claims, which may include health data, criminal records data and other special categories of Personal Data (as described in the Insured Risk definition above);
Current claims ► information about current claims, which may include health data, criminal records data and other special categories of Personal Data (as described in the Insured Risk definition above);
Marketing data ► whether or not the individual has consented to receive marketing from us and/or from third parties and/or their marketing preferences; and
Website and communication usage ► details of your visits to our websites and information collected through cookies and other tracking technologies, including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.
Where we collect such information directly from individuals, we will inform them of whether the information is required and the consequences of not providing it on the relevant form.
How We Use and Disclose Your Personal Data
In this section, we set out the purposes for which we use Personal Data, explain how we share the information, and identify the “legal grounds” on which we rely to process the information.
These “legal grounds” are set out in the General Data Protection Regulation (the
GDPR), which allows companies to process Personal Data only when the processing is permitted by the specific “legal grounds” set out in the GDPR (the full description of each of the grounds can be found in the Appendix below).
Purpose of Processing (PDF)
Establishing a client relationship, including fraud, anti-money laundering and sanctions checks
Checking credit where we are taking any credit risk
Evaluating the risks to be covered and matching to appropriate insurer, policy and premium
General client care, including communicating with clients
Collection or refunding of premiums, paying on claims, processing and facilitating other payments
Facilitating premium finance arrangements
Managing insurance claims
Defending or prosecuting legal claims
Investigating and prosecuting fraud or possible criminal offences
Contacting you in order to arrange the renewal of the insurance policy
Throughout the insurance lifecycle
Marketing and direct marketing, including data de-identification
Transferring books of business, company sales and reorganisations
General risk modelling
• Analytics include the de-identification of personal data for the purposes of analytics
Complying with our legal or regulatory obligations
General client care, including communications with clients
General risk modelling in the context of our consultancy services in order to evaluate risks and provide advice
Analysis as part of the specific consultancy advice
Complying with our legal or regulatory obligations in the context of our consultancy business
To communicate with you regarding any queries you raise via the website
To monitor your interaction with the website to ensure service quality, compliance with procedures and to combat fraud
To ensure the website content is relevant and presented in the most effective manner for you and your device
Please note that in addition to the
disclosures we have identified in this table, we will disclose Personal Data for the purposes we explain in this notice to service providers, contractors, advisers, agents and MMC group companies that perform activities on our behalf.
Profiling and Automated Decision Making
Insurance premiums are calculated by insurance market participants benchmarking clients’ and beneficiaries’ attributes as against other clients’ and beneficiaries’ attributes and propensities for insured events to occur. This benchmarking requires JLTSL and other insurance market participants to analyse and compile information received from all insureds, beneficiaries or claimants to model such propensities. Accordingly, we may use Personal Data to both match against the information in the models and to create the models that determine the premium pricing in general and for other insureds. JLTSL and other insurance market participants may use special categories of Personal Data and criminal records data for such modelling to the extent it is relevant, such as medical history for life insurance or past motor vehicle convictions for motor insurance.
JLTSL and other insurance market participants use similar predictive techniques to assess information that clients and individuals provide to understand fraud patterns, the probability of future losses actually occurring in claims scenarios, and as set out below.
We use these models only for the purposes listed in this Privacy Notice. In most cases, our staff make decisions based on the models
Automated Broking Platform
Clients may request that we provide information about the decision-making methodology and ask us to verify that the automated decision has been made correctly. We may reject the request, as permitted by applicable law, including when providing the information would result in a disclosure of a trade secret or would interfere with the prevention or detection of fraud or other crime. However, generally in these circumstances we will verify that the algorithm and source data are functioning as anticipated without error or bias.
We have in place physical, electronic, and procedural safeguards appropriate to the sensitivity of the information we maintain. These safeguards will vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Data, and include measures designed to keep Personal Data protected from unauthorised access. If appropriate, the safeguards include the encryption of communications via Secure Sockets Layer, encryption of information during storage, firewalls, access controls, separation of duties, and similar security protocols. We restrict access to Personal Data to personnel and third parties that require access to such information for legitimate, relevant business purposes.
Limiting Collection and Retention of Personal Information
We collect, use, disclose and otherwise process Personal Data that is necessary for the purposes identified in this Privacy Notice or as permitted by law. If we require Personal Data for a purpose inconsistent with the purposes we identified in this Privacy Notice, we will notify clients of the new purpose and, where required, seek individuals’ consent (or ask other parties to do so on JLTSL’s behalf) to process Personal Data for the new purposes.
Our retention periods for Personal Data are based on business needs and legal requirements. We retain Personal Data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. For example, we retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data. When Personal Data is no longer needed, we either irreversibly de-identify the data (in which case we may further retain and use the de-identified information for analytics purposes) or securely destroy the data.
Cross-Boarder Transfer of Personal Information
JLTSL transfers Personal Data to, or permits access to Personal Data from, countries outside the European Economic Area (EEA). These countries’ data protection laws do not always offer the same level of protection for Personal Data as offered in the EEA. We will, in all circumstances, safeguard Personal Data as set out in this Privacy Notice.
Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections as EEA data protection laws. EU data protection laws allow JLTSL to freely transfer Personal Data to such countries.
If we transfer Personal Data to other countries outside the EEA, we will establish legal grounds justifying such transfer, such as
MMC Binding Corporate Rules, model contractual clauses, individuals’ consent, or other legal grounds permitted by applicable legal requirements.
Individuals can request additional information about the specific safeguards applied to the export of their Personal Data.
Accuracy, Accountability, Openness and Your Rights
We strive to maintain Personal Data that is accurate, complete and current. Individuals should contact us at
JLTSL_UK_DPO@JLTGroup.com to update their information.
Questions regarding JLTSL’s privacy practices should be directed to the Data Protection Officer using the contact details in the Questions, Requests or Complaints section below.
Under certain conditions, individuals have the right to request that JLTSL:
provide further details on how we use and process their Personal Data;
provide a copy of the Personal Data we maintain about the individual;
update any inaccuracies in the Personal Data we hold;
delete Personal Data that we no longer have a legal ground to process; and
restrict how we process the Personal Data while we consider the individual’s enquiry.
In addition, under certain conditions, individuals have the right to:
where processing is based on consent, withdraw the consent;
object to any processing of Personal Data that JLTSL justifies on the “legitimate interests” legal grounds, unless our reasons for undertaking that processing outweigh any prejudice to the individual’s privacy rights; and
object to direct marketing (including any profiling for such purposes) at any time.
These rights are subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). We will respond to most requests within 30 days. If we are unable to resolve an enquiry or a complaint, individuals have the right to contact the UK data protection regulator, the Information
Commissioner’s Office (ICO).
The ICO can be contacted by telephone at 0303 123 1113 or by email at
Questions, Requests or Complaints
To submit questions or requests regarding this Privacy Notice or JLTSL’s privacy practices, please write to the Data Protection Officer at the following address:
JLT Specialty Ltd
The St Botolph Building
Phone: 020 7357 1000
If we are unable to resolve an enquiry or a complaint, individuals have the right to contact the UK data protection regulator, the
Information Commissioner's Office (ICO).
The ICO can be contacted by telephone at 0303 123 1113 or by email at
Links to Third Party Websites
Our websites may contain links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you submit any personal information to such third party websites.
Changes to this Privacy Notice
This Privacy Notice is subject to change at any time. It was last changed on 14 October 2019. If we make changes to this Privacy Notice, we will update the date on which it was last changed. Where we have an engagement with you, we will notify you of any changes we make to this Privacy Notice in accordance with the notice provisions in the terms of our engagement. In other circumstances, we will publish the revised Privacy Notice on our website.
Download our Privacy Notice here.
Privacy and Security Statement
here to see our privacy principles and how we keep personal data secure.
Individuals’ data protection rights and how to exercise them
You have a number of rights in relation to your personal data. You may request access to your data, correction of any mistakes in our files, erasure of records where no longer required and restriction on the processing of your data. You also have rights in respect of the processing of your data, data portability and information used in relation to any automated decision making and profiling or the basis for international transfers. You can find out more information about your rights by clicking on
If you would like to exercise any of your rights then please click on
this link .
How to contact our Data Protection Officer
If you would like more information, please contact our Data Protection Officer by emailing
List of the legal groundwork we rely on:
For processing personal data
Performance of our contract with you
Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.
Compliance with a legal obligation
Processing is necessary for compliance with a legal obligation to which we are subject.
For our legitimate business interests
Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where you are a child. These legitimate interests are set out next to each purpose.
For processing personal data and special categories of personal data
You explicit consent
You have given your explicit consent to the processing of those personal data for one or more specified purposes.
For legal claims
Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Substantial public interest
Processing is necessary for reasons of substantial public interest, on the basis of EU or UK law, including where such processing is necessary for insurance purposes or fraud prevention purposes.
* Lloyd’s Broker. Authorised and regulated by the Financial Conduct Authority.
A member of the Jardine Lloyd Thompson Group. Registered Office: The St Botolph Building, 138 Houndsditch, London EC3A 7AW.
Registered in England No. 1536540. Vat No. 244 2321 96