Cookie Consent

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

More Options
Accept
Cookie preferences
View Privacy Policy

Privacy Notice

Icen Risk Limited/ICEN Risk B.V./Icen Risk GMBH (ICEN)
UK/Netherlands/Austria
Last updated: June 2026

1. Introduction

ICEN ("we", "us", "our") is committed to protecting your personal data. This notice explains how we collect, use, and safeguard your data in accordance with:
UK
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018 (UK)Netherlands/Austria
- EU General Data Protection Regulation (EU GDPR)
This notice applies to individuals in the United Kingdom, Netherlands, and Austria.

2. Definitions

- the (applicable) law: as noted above;
- personal data: any data about an identified or identifiable natural person;
- processing of personal data: any act or set of acts relating to personal data, including in any case the collection, recording, arranging, storage, updating, modification, retrieval, consultation, use, provision by transmission, dissemination or any other form of making available, bringing together, linking, as well as the blocking, erasure or destruction of data;
- 'file' means any structured set of personal data, whether centralised or disseminated in a functionally or geographically defined manner, accessible according to certain criteria and relating to different persons;
- 'controller' means the natural person, legal person or any other person or administrative body which, alone or together with others, determines the purpose and means of processing personal data;
- processor: the person who processes personal data on behalf of the controller, without being subject to his direct authority;
- 'data subject' means the person to whom a personal data relates;
- third party: any person, other than the data subject, the controller, the processor, or any person authorised to process personal data under the direct authority of the controller or processor;
- recipient: the person to whom the personal data are provided;
- 'consent of the data subject' means any free, specific and information-based expression of will by which the data subject accepts that personal data concerning him or her are being processed;
- providing personal data: disclosing or making available personal data;
- collection of personal data: obtaining personal data.

3. Who We Are

• Icen Risk Limited (#11691390) - Fourth Floor, 9a Devonshire Square, London, United Kingdom, EC2M 4YN
• ICEN Risk B.V. (#78504325) - Herengracht 495, Amsterdam, 1017BT
• Icen Risk GMBH (#FN 615422h) - Gonzagagasse 19/3, 1010 Wien
We act as an insurance intermediary / Managing General Agent (MGA).

4. Persona Data We Collect

We may collect:
- Identity data (name, date of birth)
- Contact data (address, email, phone)
- Financial data (bank details)
- Insurance data (policies, claims, underwriting information)
- Technical data (IP address, device information)
- Special category data (health information where required)
- Criminal data (for underwriting where legally permitted)

5. How We Use Data

We may collect:
- Identity data (name, date of birth)
- Contact data (address, email, phone)
- Financial data (bank details)
- Insurance data (policies, claims, underwriting information)
- Technical data (IP address, device information)
- Special category data (health information where required)
- Criminal data (for underwriting where legally permitted)

6. Legal Bases

We rely on:
- Contract
- Legal obligation
- Legitimate interests
- Consent**where required for example if the person concerned is a minor and has not yet reached the age of 16 or if the person concerned is of age and has been placed under guardianshipSpecial category data is processed under substantial public interest and insurance purposes.

7. Lawful processing

Personal data may only be processed if:
- the data subject has given his unambiguous consent for the processing;
- the data processing is necessary for the performance of an agreement to which the data subject is a party (e.g. an agreement to conclude a financial product or financial service or the employment contract with the data subject) or for acts, at the request of the data subject, that are necessary for the conclusion or assisting in the management of an agreement;
- the data processing is necessary to comply with a legal obligation of the controller;
- the data processing is necessary in connection with a public interest of the data subject;
- the data processing is necessary for the sake of an interest of the controller or of a third party, unless that interest is contrary to the interest of the person whose data are processed and that interest precedes it.
- The recording of the social security number will only take place if there is a legal basis for this. As a rule, such a basis will not be required for our services.
- Anyone acting under the authority of the controller or the processor – and also the processor itself – only processes personal data on behalf of the controller, except in case of regulatory or legal obligations.
- The data are only processed by persons who are obliged to maintain confidentiality on the basis of an agreement.

8. Sharing Data

We may share data with:
- Insurers and reinsurers
- Brokers and intermediaries
- Claims handlers
- IT providers
- Regulators and law enforcement

9. International Transfers

We may transfer data within the UK and EEA or internationally using:
- Adequacy decisions
- Standard contractual clauses

10. Data Retention

We retain data for 6–10 years or longer where required by law.

11. Your Rights

You have the right to:
- Access
- Correct
- Erase
- Restrict
- Object
- Portability
- Withdraw consentAt the written request of a data subject, the controller shall correct, supplement, delete and/or shield the personal data processed about the applicant if and to the extent that this data are factually incorrect, incomplete, irrelevant for the purpose of the processing or include more than is necessary for the purpose of the registration, or are otherwise processed in violation of a legal regulation. The request of the person concerned shall contain the amendments to be made.

12. Country Specific Notes

UNITED KINGDOM:
- Supervisory authority: Information Commissioner’s Office (ICO)
NETHERLANDS:
- Supervisory authority: Autoriteit Persoonsgegevens (AP)
AUSTRIA:
- Supervisory authority: Austrian Data Protection Authority (Datenschutzbehörde)

13. Automated Decisions

We may use automated underwriting tools. You may request human review.
A processing Register will be maintained where applicable.

14. Security

We implement appropriate technical and organisational measures including encryption, access control, and monitoring.

15. Data Breaches

If the controller discovers a data breach, it will investigate the matter to determine whether personal data has been lost or whether unlawful processing cannot be excluded.

If the outcome of the investigation shows that personal data of a sensitive nature has been leaked or for another reason there is (a significant chance of) adverse consequences, then the controller will take all necessary steps to rectify the breach and advise the appropriate regulatory authorities.

16. Complaints

If you have a complaint please refer this complaint to the relevant Icen company in the first instance. If you are not satisfied with the response provided, you may complain to:
- UK: ICO (www.ico.org.uk)
- Netherlands: AP (www.autoriteitpersoonsgegevens.nl)
- Austria: Datenschutzbehörde (www.dsb.gv.at)

17. Changes

We may update this notice from time to time.

Information about the General Data Protection Regulation:

text of the lawthe website of the Dutch Data Protection Authority