Privacy Notice

This Privacy Notice describes how your personal data is collected and used through the Speak Up Service ("Service").

1. WHO ARE WE?

The Service is managed and administered by NAVEX. You can find out more about our relationship with NAVEX below. Aviva Central Services UK Limited is the data controller and NAVEX are the data processor (together, "we", "us" or "our"). Aviva Central Services UK Limited is a company incorporated in England & Wales with a registered number of 03259447 and whose registered office at 8 Surrey Street, Norwich, NR1 3NG.

2. WHAT INFORMATION IS COLLECTED ABOUT YOU?

Personal data means any information about an individual from which that person can be identified.

This Service may capture the following personal data and information that you provide when you make a report: (i) your name and contact details (unless you report anonymously) and whether you are employed by Aviva; (ii) the name and other personal data of the persons you name in your report if you provide such information (e.g. description of functions and contact details); and (iii) a description of the alleged misconduct as well as a description of the circumstances of the incident.

Note that the laws of some countries do not permit reports to be made anonymously; however, your personal information will be treated confidentially and will only be disclosed as set out below.

3. HOW WE USE PERSONAL DATA AND FOR WHAT PURPOSES

The personal data and information you provide will be stored in a database which is located on servers hosted and operated by NAVEX in the European Union. NAVEX is committed to maintaining stringent privacy and security practices including those related to notice, choice, onward transfer, security, data integrity, access, and enforcement. Aviva will also host the data where we extract any relevant information and share with investigating teams as appropriate.

For the purpose of processing and investigating your report and subject to the provisions of local law, the personal data and information you provide may be accessed, processed and used by the relevant personnel of Aviva, including Human Resources, Finance, Internal Audit, Legal, Corporate Compliance, management, external advisors (e.g. legal advisors), or, in limited circumstances, by technical staff at NAVEX.

Personal data and information you provide may also be disclosed to the police and/or other law enforcement or regulatory authorities.

If you are an employee, Aviva's rationale for processing your personal data is to comply with our legal obligations, including under employment law, tax requirements or immigration rules. To the extent we process any sensitive personal data about you (e.g. special category data, criminal offence data), we do so to comply with our employment law obligations.

Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.

4. OUR RELATIONSHIP WITH NAVEX

NAVEX manages and administers the Services. This means that NAVEX will collect and process your information in the ways described in this Privacy Notice on our behalf, but we remain responsible for this. NAVEX may only collect and use your information in accordance with our instructions.

5. SHARING OF YOUR PERSONAL INFORMATION

Aviva is part of the larger group of the Aviva Group Companies. We may share your personal data with certain members of our Group as explained in the Aviva Privacy Policy.

As above, we may also share your personal data with government agencies and regulatory bodies including the police and courts where necessary to do so.

6. INTERNATIONAL TRANSFERS

Sometimes we, or third parties acting on our behalf (such as NAVEX), may need to transfer personal data outside of your home country. We'll always take steps to ensure that any international transfer of personal data is carefully managed to protect your privacy rights and ensure that adequate safeguards are in place. Transfers within the Aviva Group will be covered by an agreement entered into by members of the Aviva Group (an intra-group agreement) which contractually obliges each company to ensure that your personal data receives an adequate and consistent level of protection wherever it is transferred within the Aviva Group.

For more information about data transfers and the safeguards we have put in place, please contact us.

7. HOW LONG WE WILL KEEP YOUR INFORMATION?

We generally only keep personal data for as long as is reasonably required for the reasons explained in this Privacy Notice. We do keep certain records for more extended periods if we need to do this to meet legal, regulatory, tax or accounting needs. For instance, we're required to retain an accurate record of your dealings with us, so we can respond to any complaints or challenges you or others might raise later. We'll also retain files if we reasonably believe there is a prospect of litigation. To support us in managing how long we hold your personal data and our record management, we maintain a data retention policy which includes clear guidelines on data deletion.

8. YOUR LEGAL RIGHTS

You have various legal rights in relation to your personal data. Depending on the applicable laws in your home country, these may include the right to request access to your personal data, correct any mistakes on our records, erase or restrict records where they are no longer required, ask not to be subject to automated decision making if the decision produces legal or other significant effects on you, and data portability.

Yours rights may differ depending on the jurisdiction and laws that apply. For more information on this and for full details in relation to your rights, including how to exercise them, please refer to the Aviva Privacy Policy (with respect to the UK) or contact us.

9. HOW TO CONTACT US

If you have any questions about how we process your personal data or how to exercise your legal rights, please contact our Data Protection Officer as follows:

Email:
dataprt@aviva.com

Post: The Data Protection
Team, Aviva, PO Box
7684, Pitheavlis, Perth
PH2 1JR

10. IF YOU'D LIKE TO SUBMIT A SUBJECT ACCESS REQUEST, PLEASE FILL OUT THIS FORM OR WRITE TO US AT THE ABOVE ADDRESS. YOUR RIGHT TO COMPLAIN

If you are not happy with the way we are handling your information, you have a right to make a complaint with your local data protection supervisory authority at any time. In the UK this is the Information Commissioner’s Office (www.ico.org.uk).

11. HOW DO WE MANAGE CHANGES TO THIS PRIVACY NOTICE?

We may amend this Privacy Notice from time to time for example, to keep it up to date or to comply with legal requirements or changes in the way we operate our business. This Privacy Notice was last updated June 2023.