Account locked

Privacy Notice

Welcome to Aviva's privacy notice for customers' use of identity verification technology (the "Software") to unlock your policy in MyAviva, powered by Onfido.

This privacy notice will give you information about how Aviva, Onfido and any other third parties on Aviva's and Onfido's behalf collect and process personal data in connection with your use of the Software. It will tell you about your privacy rights and how the law protects you. So that you are fully aware of how and why we are using your data, it is important that you read this privacy notice, together with:

• our privacy policy which can be accessed at https://www.aviva.co.uk/legal/privacy-policy.html, and
• any other privacy policy or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you, including any policy or notice provided to you when you took out or renewed your insurance policy(ies) and other Aviva products and services.

1. Important information and who we are

What is the Software?

The Software combines document verification and facial biometrics technology. Customers can use the Software within the MyAviva mobile app or the web version of MyAviva to verify their identity and unlock certain policies within MyAviva.

Use of the Software is entirely up to you. If you do not want to use the Software, you can verify your identity by other means, including by providing unique information relating to the policy you wish to access within MyAviva.

Relevant parties

Your access to the Software is facilitated by Aviva UK Digital Limited acting on behalf of the Aviva Group ("Aviva", "we", "us" or "our"). Aviva is the data controller and is responsible for your personal data.

The term 'Aviva Group' refers to one or more of the trading companies of Aviva that operate in the United Kingdom and that may or may not offer insurance and financial products or services which are relevant to you. For more information concerning Aviva and for a full list of the companies that comprise the Aviva Group, visit https://www.aviva.co.uk.

The Software is owned and maintained by Onfido Limited ("Onfido"). Onfido processes your personal data on behalf of Aviva pursuant to a contract.

Aviva has appointed a Data Protection Officer ("DPO") who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

Changes to this privacy notice

We keep this privacy notice under regular review. This version was last updated on 16 June 2020.

2. The personal data we collect

You will provide Aviva and Onfido with some information about you, a photograph of you ("selfie") and a photograph of your identity document ("ID") when you use the Software. The personal data that may be collected, used, stored and transferred by Aviva and Onfido includes the following:

• identification data including your full name, date of birth, ID number and Onfido identifier;
• appearance data including your gender;
• contact data including your address, mobile number;
• place of birth and nationality;
• special category data including biometric data and racial or ethnic origin; and
• usage data including information about how you use the Software, number of unlock attempts, date and time of unlock attempt(s), outcome(s) of unlock attempt(s), reason(s) for unsuccessful unlock attempt(s).

Biometric data, when processed for the purpose of uniquely identifying or authenticating a natural person, is special category data. Biometric data is contained in your selfie and the photograph of you on your ID. It may be possible to infer racial or ethnic origin, which is also special category data, from your selfie, the photograph of you on your ID, your surname, your place of birth and your nationality. Aviva and Onfido do not process any other special categories of personal data about you in connection with your use of the Software (this includes details about your religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic data) nor any information about criminal convictions and offences. Please note, while special categories of personal data and criminal conviction and offence data are not collected or used in connection with your use of the Software, such data may still be processed by Aviva in connection with your Aviva products and/or services pursuant to the privacy policy or privacy notice applicable to such products and/or services.

Aviva and Onfido may collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, Aviva and Onfido may aggregate your usage data to calculate the percentage of users accessing a specific Software feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

3. How your personal data is used

We have set out below a description of all the ways Aviva, Onfido and third parties will use your personal data, and the legal bases relied on to do so.

Automated decision making

The processing of your personal data in connection with unlocking your policy in MyAviva may involve an element of automated decision making. The Software utilises technology which can detect whether your ID is valid and authentic, including by checking that the information on your ID is consistent with third party databases, performing image analysis and detecting anomalies in the fonts. It also verifies that your selfie is a live photo, compares it to the photo in your ID and calculates a score based on how similar the two faces are. If the analysis is inconclusive or indicates that there are anomalies, there may be manual review of your ID and selfie. At the end of this process, your policy may be unlocked, you may be asked to complete the process again or your MyAviva account may be locked to protect your information and ensure only you have access to your account. If your account is locked, you can telephone Aviva for assistance.

Change of purpose

Aviva and Onfido will only use your personal data for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to receive an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us (see details below).

If Aviva or Onfido needs to use your personal data for an unrelated purpose, Aviva will notify you and explain the legal basis for doing so.

Please note that Aviva and Onfido may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

4. Disclosures of your personal data

Aviva and Onfido may share or disclose data as required or permitted by applicable legal or regulatory requirements, including to respond to lawful request, court orders and legal process.

Aviva and Onfido may also share your personal data with the parties set out below for the purposes set out in section 3 above:

• with the Aviva Group Companies, our agents and third parties who provide services to us;
• with Onfido's sub-processors that support the Software, such as Onfido's hosting provider (Amazon Web Services Inc.);
• with Onfido's sub-processors that support the operation of the Software, including technology to extract information from IDs (Google Inc.), manual verification and authentication of images and information (Concentrix, WNS Global Services), automated verification and authentication of images and information (Microsoft Inc., Melissa Data Corporation);
• with Onfido's sub-processors that support Onfido's receipt of and response to queries from users of the Software;
• with the National Crime Agency and other law enforcement agencies to investigate suspicious or fraudulent activity.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We only permit our third party service providers to process your personal data for specified purposes and in accordance with our instructions.

5. International transfers

Aviva and Onfido may transfer, store and process your personal data outside the European Economic Area ("EEA"). Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection as provided by EEA countries is afforded to your personal data by ensuring at least one of the following safeguards is implemented:

1. unless (b) or (c) applies, we will only transfer to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
2. for certain sub-processors, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe (otherwise known as 'standard contractual clauses' or 'model clauses');
3. for sub-processors based in the United States of America ("USA"), we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the USA.

Please contact us (see details below) if you want further information on the specific mechanism used by Aviva or Onfido when transferring your personal data out of the EEA.

6. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to access your data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

You should also be aware that communications over the internet, such as emails, are not secure unless they have been encrypted.

7. Data retention

We generally only keep personal data for as long as is reasonably required to fulfil the purposes explained in this privacy notice. Please see our full privacy policy and the section titled 'retaining personal information in our systems' for more detail.

8. Your legal rights

Where we rely on your consent to process personal data, you have the right to withdraw your consent to this processing.

You may have further rights under data protection laws in relation to your personal data including the right to restrict the processing of your personal data, to receive a copy of the personal data we hold about you and the right to make a complaint at any time to the ICO. Please see our full privacy policy and the section titled 'your rights' for more detail.

If you're not happy with the way we're handling your information, you have a right to make a complaint with your local data protection supervisory authority at any time. In the UK this is the Information Commissioners Office ("ICO"). We ask that you please attempt to resolve any issues with us before contacting the ICO.

9. Contact details

If you would like more information on how we process your personal data, please access our full privacy policy.

If you have any questions about this privacy notice or how to exercise your rights please contact our Data Protection Officer.

Write to: The Data Protection Team, Aviva, Pitheavlis, Perth, PH2 0NH

Email us: DATAPRT@aviva.com