Saga Group Privacy Policy

This is the standard data protection privacy policy for the Saga Group.

When it comes to your privacy we never compromise. We will always be clear about why we need the details we ask for, and ensure your personal information is kept as secure as possible. How we do this is explained in this privacy policy. Please see the Glossary to understand the meaning of some of the terms used.

Last updated: 1st October 2019

Introduction

This privacy policy gives you information about how Saga collects and processes your personal data. It is important you read this document together with any other privacy or fair processing policies we give you on specific occasions where we collect or process your personal data. This privacy policy supplements other notices and privacy policies and is not intended to override them.

Who are we?

The Saga Group consists of the following Saga companies, which are registered as data controllers with the Information Commissioner’s Office (ICO):

  • ST&H Transport Limited
  • Saga Leisure Limited
  • Saga Healthcare Limited
  • Bennetts Motorcycling Services Limited
  • Consolidated Healthcare Agencies Limited
  • CHMC Limited (ClaimFast)
  • PEC Services Limited
  • Saga Cruises Limited
  • Saga Services Limited
  • ST&H Limited
  • Saga Group Limited
  • MetroMail Limited
  • Saga Personal Finance Limited
  • Saga Publishing Limited
  • Saga Investment Services Limited
  • Destinology Limited
  • Saga Membership Limited
  • Acromas Insurance Company Limited (AICL)
  • Saga Retirement Villages Limited
  • Saga Pensions Trustees Limited

Saga uses a variety of trading names including:

  • Titan Travel
  • Claimfast
  • Saga Charitable Trust
  • Saga Shipping
  • Saga Holidays
  • Possibilities
  • Saga Magazine

This privacy policy is issued on behalf of the Saga Group, so when we say “Saga”, “we”, “us” or “our” in this privacy policy, we are referring to the relevant company in the Saga Group responsible for processing your data. When you purchase a product or service with us, we will tell you which Saga company is the data controller of your personal data.

Saga are committed to protecting your privacy. We comply with the principles of the General Data Protection Regulation (GDPR) and associated data protection legislation. We aim to maintain best-practice standards in our processing of personal, sensitive data and/or special category personal data.

Back to top

How we use your information

We use the information you give us, together with information we obtain from our dealings with you so that we may 1) provide goods and/or services that you request, 2) communicate with you, and 3) personalise information sent to you. Examples of how we may personalise information include using your information in generating an insurance quote for you, working out which departure airports are near to you, or when we will be delivering certain products in your area. We do not sell, trade, or rent your personal information to others.

We store all the information you give us, including information provided via online forms and information we may collect whilst you are browsing our website. Our server, like all web servers, logs the pages downloaded from our site. If you contact us electronically, we may collect your electronic identifier, e.g. Internet Protocol (IP) address or phone number supplied by your service provider. This is to help us identify the number of visits made to our websites, as well as potentially fraudulent behaviour or mystery shoppers.

Our website uses a product called SessionCam, which may record mouse clicks and movements, page scrolling and any text keyed into website forms. The information collected does not include bank details or any sensitive personal data and is collected for Saga Group’s internal use only. We use it to improve our website usability and for aggregated and statistical reporting. We may also use the information collected to clarify and answer queries from you, where the information is available.

We ask for your home, mobile phone number and email address so we can contact you in relation to an enquiry you have made, to notify you if there is a problem with your order, to let you know about important functionality changes to the website or if there is another genuine reason for doing so. For example, when you enter a contest or other promotional features, we use these details to administer the contest and notify winners. Sometimes we may use it to contact you about products and services that might be of interest to you, where you have given your consent or where we have assessed that we have a legitimate interest to do so. More details about our lawful basis for processing your information can be found in the section – lawful basis for using your information.

Sometimes we may need to collect information that the law defines as Special Category data. For example, we may require details of motoring convictions to ensure the insurance price we provide is accurate or we may need medical information if you ask us to book an easy access room due to a disability. We will not collect or use these types of data without your consent, unless the law requires us to do so or where we believe it is in your best interests. If we do, it will only be when it is necessary as determined by the law and the ICO.

Any new information you provide to us may be used to update an existing record we hold for you. If you provide a work email address, we are not responsible for any third parties having access to communications we send.

We will collect credit or debit card details from you to pay for a service or product. We will keep these details secure and ensure they are only used with your consent and/or for the purposes of any appropriate refunds.

Where we contact you by phone and/or email, we reserve the right to ask security questions (which we in our sole discretion deem appropriate) in order to satisfy ourselves that you are who you say you are.

Back to top

Fraud prevention and credit checks

We may submit your details to fraud prevention agencies and other organisations to help us prevent fraud and money laundering. We will also conduct a search with a credit reference bureau to help us in providing a quote, and to check which payment options we can make available to you. A copy of this search will be left on your credit file but will not affect your credit score. Any searches we make to provide a motor insurance quote, will be noted on your credit file and may be reflected in your credit score.

In order to assess financial and insurance risk, we will make full and open checks on electoral roll registers and public data provided to us by credit reference bureaus and other third parties. This helps us to assess your premium at quote and renewal, for credit applications and to assist with identity checks in order to prevent money laundering.

If you apply for other financial services and/or products, a check of your details with fraud prevention agencies may be necessary. The precise nature of these processes will be explained when you apply.

Our own security procedures mean that we may occasionally have to request proof of identity or check your presence on the electoral roll.

Back to top

Information received from third parties

We may receive your information from a third party, for example where you have used a price comparison website for your insurance or where we have a contract in place with a third party for marketing purposes. We will always ensure that the data has been collected and shared with us in accordance with our legal obligations.

Back to top

Lawful basis for using your information

We will always try and explain why we need data from you before we collect it.

We must have your consent to discuss your account with a third party, for example a family member. You may give this consent either orally or in writing and you may give it at any time by contacting us.

We use the information you provide to us (either orally, in writing, through your use of our website, or as a result of our dealings with you) and any data we obtain from third parties to provide the service requested by you. It may also be used for market research, offering renewals and for statistical purposes. This also includes pricing insurance risk.

We recognise that we have a legitimate interest in processing the personal data we collect about you for a number of reasons, including, but not limited to: marketing purposes, to enable us to enhance, modify, personalise, or otherwise improve our services, identify and prevent fraud, enhance and protect the security of our network and systems, and market research (e.g. determining the effectiveness of campaigns and the products/services we offer). “Legitimate interests” means the interests of our company in conducting and managing our business to enable us to give you the best service and most secure experience.

When we use your information for our legitimate interests, we make sure to consider and balance any potential impact on you and your data protection rights. Where applicable, legitimate interest assessments are conducted to ensure that these rights are protected.

Back to top

Sharing your information

As previously mentioned, we do not sell, trade or rent your information, and will never disclose information about you (including information obtained from our dealings with you) to third parties, except:

a) where we have a legal interest in a company;

b) to fulfil your specific orders for a product, service or information if it is delivered by a third party. In these instances, while the information you provide will be disclosed to them, it will only be used for the administration of the product, service or information provided. This could include (but is not limited to), verification of any quote given to you, claims processing, underwriting, pricing purposes as appropriate, testing, and to maintain management information for business analysis. For example, if you go on a holiday with us, the hotel needs to know who you are. If you take out an insurance policy provided by a third party, they will need your details in order to administer the policy, verify the quote given to you and process any claims. For further details about how your insurer handles your information, please see their Privacy Policy which can be found on their website. See your policy schedule documentation for your insurer contact details;

c) where third parties administer part or all the product or service;

d) for underwriting, pricing, insurance rating analysis and testing purposes, and to maintain management information for business analysis;

e) for tailoring adverts you see when you are online. These might be on the Saga website, social media sites such as Facebook, search results, or other sites that sell advertising space;

f) for marketing purposes, where we have a legal basis for doing so;

g) where we have engaged a third party to carry out market research on our behalf and who may contact you for the purpose of obtaining feedback about the products and services that we offer;

h) where we have your consent to do so.

We may be obliged by law to pass on your information to the police or any other statutory or regulatory authority. In some cases, exemptions may apply under relevant data protection legislation, whereby we can legitimately release personal data e.g. to prevent or detect crime or in connection with legal proceedings.

After you purchase a product or service from us, we may enter into an arrangement for that service to be provided by a new third party. If this happens, the terms and conditions of your contract with us will provide that you consent to the transfer and processing of personal and/or special category personal data to the new provider, subject to the requirements of the GDPR and associated legislation.

If we provide information to a third party (either a provider of a product or service, or an external data processing agency such as a mailing house) or a company in which Saga has a legal interest, we will exercise the strictest contractual controls, requiring them and any of their agents and/or suppliers to:

  • maintain the security and confidentiality of the information and restrict access to those of its own employees
  • use the data for the agreed purpose only and prevent it being used for any other purpose by any other party
  • refrain from communicating with you other than concerning the product in question
  • return the data to us at the conclusion of any contract term and destroy or delete any copies made of all or any part of the information unless copies are needed to be kept to comply with regulations.

In addition, we will restrict the information disclosed to the absolute minimum necessary.

Back to top

Information sent outside the EEA

We provide products and services including holidays outside the EEA (European Economic Area) and to some countries that are not Whitelisted countries. Therefore, if you travel on such holidays the information you provide may occasionally be transferred outside the EEA. From time to time Saga may use service providers and organisations outside the EEA for the purpose of processing services, system testing and maintenance.

It is worth noting, however, that some non-EEA countries do not afford the same level of data security as the UK. We will always use every reasonable effort to ensure sufficient protections are in place to safeguard your personal information.

Back to top

Keeping you informed about our products and services

When you contact us, we may ask for your permission to contact you about the products and services we offer. Where we have obtained your permission, we may contact you by post, telephone, email, text or other means to tell you about offers, products and services that may be of interest to you.

Where we have not yet been able to ask you about your marketing preferences, we may send you relevant communications about offers, products and services by post, telephone, email or text based on your previous dealings with us. For example, if you have previously asked for an insurance quote, we may send you communications about our insurance products which we feel you may be interested in. We will only ever do this in compliance with our legal obligations which includes where we believe it is in our legitimate interest to do so. You may contact us at any time to advise us that you do not want to receive such communications from us. You can update these preferences by calling us on 0800 092 3665 or by visiting MySaga at www.saga.co.uk.

We may process your information to send you communications that are tailored to your interests or to market products which we feel are like those you have shown an interest in previously. This is called “profiling for marketing purposes”. This might be in the form of display advertising you see on websites, social media (for example, using Facebook Custom Audiences and Google Custom Match), television or internet search results. We may also use profiling to tailor communications we send to you via post, telephone, email or text. If we run specific marketing campaigns through social media and digital advertising platforms you may see Saga advertising. These campaigns tend to be based on general demographics and interests and sometimes your contact details such as an email address or phone number. We would use this information to tailor the advertising you see. If you do not wish to see this advertising, you will need to adjust your preferences within the relevant social media settings and your cookie browser settings (please see our Cookie Policy for more information regarding how to do this).

At any time, you can opt out of receiving marketing information, revise the products you would like to hear about or change the method we use to communicate with you. You can update these preferences by calling us on 0800 092 3665 or by visiting MySaga at www.saga.co.uk.

We make outbound phone calls for several reasons relating to our many products, including breakdown cover and insurance. Sometimes we will need to call you in relation to an enquiry you may have started on our website. We are fully committed to the regulations set out by Ofcom and follow strict processes to ensure we comply with them.

If you make a donation to the Saga Charitable Trust, your data will not be used for marketing purposes.

Back to top

Amendment and retention of information

Please advise us in writing of any changes in your circumstances, or if you feel we hold inaccurate information about you so that we can update our records accordingly.

We will hold your personal information in accordance with the principles of the GDPR (and associated legislation) and for as long as reasonably necessary to fulfil the purposes for which it was collected. We may obtain your data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you. We are obliged and permitted by law and regulation to retain certain types of data for a minimum period. The minimum period tends to be for six years but can be longer if the statute or regulation requires.

Back to top

Your rights:

Access to your information: You have a statutory right of access to personal data that we hold about you. In order to exercise this right, we ask that you apply in writing, either via letter or email. Please refer to the information you wish to see giving dates where possible. Please note that we may ask for further information from you including proof of identity.

We will not administer Subject Access requests made by a third party (such as a relative or friend) unless accompanied by written authority of the individual who is the subject of the request.

You will not have to pay a fee to access your personal information (or to exercise any other rights). However, in exceptional circumstances, we may charge a reasonable fee or refuse to comply with your request.

Rights related to automated decision-making including profiling: We use the information we know about you to make decisions which inform our pricing, fraud prevention and the products and services we can offer. Automated decision making enables us to make efficient and fair decisions, providing a better service for our customers. Whilst you have the right to object to us using your information in this way, this could have an impact on the products or services we may be able to offer you. We use automated decision making in the following areas:

  • Pricing – we use the information we know and collect about you to inform decisions around product and service charges. For example, if you apply for insurance, we will compare what you tell us with other records to determine how likely you are to make a claim. This will help us decide whether to offer you the product and what price to charge you.

  • Tailoring our marketing communications – as mentioned previously, we use your personal information to make decisions about what products, services and offers we think you may be interested in. This ensures the communications you receive from us are tailored and relevant to your interests. You can opt out of this at any time by contacting The Data Protection Officer.

The right to erasure: you have the right to request that your personal data is erased and to prevent processing in specific circumstances which are detailed by the ICO.

The right to data portability: you have the right to obtain and reuse the personal data that you have provided to us for your own purposes which includes transferring it to other service providers.

The right to get your data corrected: If you believe the personal data we hold about you is inaccurate or wrong, you can ask us to correct it. Your request can be made verbally or in writing, but to enable us to process your request quickly we ask that you write to The Data Protection Officer at The Saga Building, Enbrook Park, Sandgate, Kent CT20 3SE or email data.protection@saga.co.uk including:

  • What information you believe is inaccurate;
  • How we should correct this information; and
  • Where available provide evidence of the inaccuracies

What we may need from you: we may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who does not have the right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.

We will try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made several requests. In this case we will notify you and keep you updated.

Limits to your rights: some of your rights in relation to your personal data are not absolute, for example your right to erasure. Where this is the case, we will inform you of the extent we can comply with your requests and detail our reasons why. More information can be found by visiting the ICO’s website https://ico.org.uk/.

For further information regarding your rights, or to make a request; please write to The Data Protection Officer at The Saga Building, Enbrook Park, Sandgate, Kent CT20 3SE or email data.protection@saga.co.uk.

Back to top

Updates to our privacy policy and your comments

We keep our privacy policy under regular review, and we publish the date this privacy policy was last updated. If we decide to change our privacy policy, we will update all relevant documentation and post any changes on our websites so that you are always aware of what information we collect, how we use it, and under what circumstances we disclose it. We may also notify you by email sent to the email address specified on your account.

We welcome your questions and comments about privacy. Please write to The Data Protection Officer, The Saga Building, Enbrook Park, Sandgate, Kent CT20 3SE or email data.protection@saga.co.uk

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you feel your personal information has not been handled correctly. You can do this via ico.org.uk/concerns or by writing to: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Back to top

Glossary

Personal data Information which can be used directly or indirectly to identify a specific individual, for example their name, address, email address or IP address.
Sensitive personal data / special categories of data Types of personal data which is important to protect because processing it could threaten peoples’ basic rights. For example, information about somebody’s race could be wrongfully used to discriminate against them. Other special categories of data include religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life and sexual orientation.
Processing Anything that is done with personal data. Collecting, keeping, and using personal data are all examples of processing.
Profiling The processing of personal data in order to try and work out the subject’s situation, characteristics, and/or behaviour.
Data portability The movement of personal data from one controller to another. Individuals have the right to request companies that hold their personal information transfer some of it to another company.
European Economic Area (EEA) A collective of countries which share a single market and regulations which help them trade and interact with one another. This is the group of countries that will be governed by the GDPR, and therefore do not have to implement any further measures or request permission to transfer personal data to each other. They are:
  • Austria
  • Belgium
  • Bulgaria
  • Czech Republic
  • Cyprus
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Iceland
  • Ireland
  • Italy
  • Latvia
  • Liechtenstein
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Norway
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
Data controller An entity (for example a person or an organisation), who determines for what purpose and how personal data is going to be processed.
Joint data controllers When two or more controllers govern a processing activity.
Data controllers in common When two or more controllers process the same information but for different purposes and in different ways.
Data processor An entity that processes personal data on behalf of a controller. The controller determines the purpose but the processor acts on behalf of the controller.
Third Party An entity who is not the data subject, a processor, or a controller. The third party may receive personal data but does not process it.
Whitelisted countries

Third countries (countries outside of the EEA) who have been granted an 'adequacy decision' by the EU Commission which means their data protection levels have been deemed high enough that countries within the EEA (governed by the GDPR), do not have to implement any further measures or request permission to transfer personal data there

The EU Commision has made an adequacy decision about the following countries:

  • Andorra;
  • Argentina;
  • Guernsey;
  • Isle of Man;
  • Israel;
  • Jersey;
  • New Zealand;
  • Switzerland;
  • Uruguary;
  • Japan - only covers private sector organisations;
  • Canada - only covers data subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA);
  • United States of America - only personal data covered by the EU-US Privacy Shield framework, you would need to check that the organisation has a current certification and that it covers the type of data being transferred.