JIAL has enforced this Policy in order to cover all the protective regulations that Data Subjects benefit from. We do safeguard the interests of Data Subjects regardless of their residence country – be it UK, US, EU, or others.  

This Policy shall be considered up to date and applied until further notice regarding any amendments is given.

This Policy serves as a foundation for respecting your privacy and data protection rights. However, for additional safeguards, we enforced several documents which might interest you. The following documents are to be considered as supplementary, among others:

  • The Data Retention Policy and Schedule

  • Cookie Policy

  • Subject Access Request Procedure


Within the Policy, the following definitions are to be applied:

Data Subject means the natural living person to whom the personal information relates and that can be directly or indirectly identified. Data Subjects can be identified or identifiable.

Personal data is defined as any information relating to the Data Subject.

Sensitive data encompass data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Data Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law, the controller or the specific criteria for its nomination may be provided for by law.

Data Processor is a party that processes personal data on behalf and under the authority of the Data Controller. It can be a third party too.

Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Supervisory Authority refers to the independent public authority established in each country for ensuring the correct application of the data protection legislation. A specific Supervisory Authority will be concerned by the data processing of JIAL if:

  • The controller or processor is established on the territory of the supervisory authority;

  • Data subjects residing in the territory of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

  • A complaint has been lodged with that supervisory authority.

Data Protection Officer (DPO) is the person appointed by JIAL to safeguard the rights of the Data Subjects, to ensure and secured data processing and sharing, and to respond to any inquiry regarding the personal data processed.

Any reference to the Data Protection Laws shall be considered made to the following regulations:

  • The Privacy and Electronic Communications Regulations 2003

  • The Data Protection Act 2018 (DPA 2018) and the UK GDPR

  • The General Data Protection Regulation 2016/679 (GDPR)

  • Other relevant and applicable law, based on our activity or data subjects we engage with (this list is not exhaustive).


Our activity is permanently carried out under the aegis of the following data protection principles:

  1. Lawfulness, fairness, and transparency – These are the main attributes of our data processing.

  2. Purpose limitation – The purposes for processing data are lawful and explicitly specified.

  3. Data minimisation - We process relevant personal data in an adequate manner, limited to the underlying purposes.

  4. Accuracy - The personal data that we store must be up to date. Additionally, we appreciate your involvement in ensuring an error-free data base.

  5. Storage limitation - We keep your personal data in a form which permits identification of Data Subjects, and we strictly respect the retention schedules you were informed about within the Data Retention Policy.

  6. Integrity and confidentiality – The processing of personal data is carried out under strong guarantees of security in order to minimise the occurrence of data breaches.

Additionally, we take all the technical and organisational measures to ensure a safe environment for your personal data.     

Data processing

In order to legally collect the above-mentioned information, we rely on the following legal grounds. In order to enter into a contract with you or meet the existing obligations of a contract concluded with you;

  • In order to fulfil our legal obligations;

  • For our legitimate interests;

  • Your consent.

When using consent as the lawful basis of processing personal data, consent has to be explicit, free and informed. The purposes for processing personal data from you and their legal grounds can be verified below:

Legal ground = Legal obligation

Purpose: Keep our records up to date, Compliance with requests from law enforcement authorities, Compliance with our statutory obligations as a registered company.

Legal ground: Legitimate interest

Purpose: Insurance administration by JIAL or our agents, Investigation/prevention of crimes, Research or statistical purposes.

Legal ground: Contractual obligation

Purpose: Process payments,

Legal ground: Consent

Purpose: Understand your preferences and needs by analysing data from you (such as how you use our website) 

Personal data

JIAL processes the following categories of personal data:

  • Contact information – including name, address, electronic address, phone number

  • Health data

  • Financial data – meaning credit / debit card information and other information we need in order to process payments for you

  • Communication data – meaning records of contact with you (e.g. as system notes, emails and letters.).

 We are very happy to assist you with more information required for clarifications on our processing activities. Please send such requests to our Data Protection Officer, according to the "Contact" section of this policy.

 Automated Decision-Making

In connection with your application for travel insurance, we and the insurers on our panel use an automated medical screening system to screen against pre-existing medical conditions. The system will use information you provide relating to the medical history, health and lifestyle of you and any other people insured under the policy to determine whether we are able to offer you an insurance policy from any of the insurers on our panel and on what terms.

You have the right not to be subject to a decision which is based solely on automated processing, as stated in clause 9.1.6. As a result, since the medical screening system is a process based solely on automated decision-making, we rely upon the legal ground of explicit consent, as per Art. 22 (4) and 9 (2)g) of the GDPR. That means you are not obliged to take part in this screening process, but if you do not proceed this way, we will not be able to provide you with a travel insurance policy. In this case, please DO NOT provide your medical, health and lifestyle information to us on our website.

To the extent that you have provided (or will provide) personal information to us about any other individual, you agree that you have provided information to the individual about the content of this policy, and you have their permission or are otherwise legally authorised to share their personal information with us, and the insurers as detailed in the policy. We may ask for evidence related to your authorisation, as it is part of our legal obligation to process personal data in a lawful and fair way.

Details about the way any of the insurers on our panel use your personal information can be found in their separate privacy notices which are available on their websites. We are not responsible for the processing they carry out, but for the one we conduct on our website. The reason for this is that they do not operate under our instructions and instead, we are joint data controllers.


Whenever we require your consent for processing personal data, we do so in line with the General Data Protection Regulation - consent has to be freely given, specific, informed and unambiguous.

  • We will only accept voluntary consent. Otherwise, the given consent is void.

  • In the situations where consent is necessary, that represents the legal ground for personal data processing.

  • You can withdraw your consent at any time. We make sure the withdrawal of consent is as easy as giving consent.

Your rights

You, as a Data Subject, have the following rights:

  • To request access to your personal data (commonly known as a "data subject access request"), without paying any fee

  • To request correction of the personal data that we hold about you.

  • To request erasure of your personal data. 

  • To object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.

  • To request restriction of processing of your personal data.

  • To not be subject to automated decision-making, unless the data is processed for the conclusion or performance of a contract with the Data Controller, falls under legal authorisation or explicit consent. Whenever such processing relies upon consent or contractual obligations, you can further exercise your rights to express your point of view, to request human intervention and contest the automated decision.

  • To request the transfer of your personal data to you or to a third party. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

  • To withdraw consent at any time where we are relying on consent to process your personal data.  If you withdraw your consent, we may not be able to provide certain products or services to you.

  • If your request is considered excessive and/or manifestly unfounded (for example because repetitive requests having been made), JIAL is legally permitted to decline it. In this case, JIAL can charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested.

  • In some cases, additional exemptions may apply, under the law. For example, Schedules 2-4 of the Data Protection Act 2018 states the cases in which we may not disclose information to you. Other sector specific rules may apply.

  • In case of having questions regarding how to exercise your rights, please contact our Data Protection Officer.

Data security

The security of your information is very important to us. We protect your information by maintaining physical, electronic, and procedural safeguards in relation to the collection, storage, and disclosure of personal data to prevent unauthorised access, accidental loss, disclosure, or destruction.

No data transmission over the internet can be entirely secure, and therefore we cannot guarantee the security of your personal information and\/or use of our sites. However, we use our reasonable endeavours to protect the security of your personal information from unauthorised access.

In the event of a data breach occurring, JIAL shall notify the competent supervisory authority within 72 hours under the condition the breach is likely to result in a risk to the rights and freedoms of natural persons. The data subjects will also be informed about this if high risks to their rights and freedoms are identified.

If JIAL is a Data Processor, it shall notify the Data Controller about the incident referred in clause 10.1. without undue delay.

Data retention

We retain your personal data only when necessary and according to the law.

The approved retention schedule can be consulted in our Data Retention Policy. 

The Data Retention Policy and Schedule contain the purposes of retaining your data and the period we are allowed to do so. Copies of these are available on request.

Data sharing

General provisions

JIAL will disclose personal data to third parties only for identified purposes, in compliance with the law. The legal grounds allowing us to transfer personal data to another entity are the following: contractual or legal obligation, our legitimate interest or your explicit consent, and following the procedure described in the "Consent" section of this policy.

If, at any point, the Company will disclose information about a Data Subject, they will be notified.

Any data sharing will be grounded on strong security measures, adequate and consistent with this Policy and the related Privacy Policies. High security and encryption measures are in place when sharing any data.

JIAL will take remedial action in response to misuse of personal information by a third party to whom JIAL has transferred such information.

Business associates might have access to personal data processed by JIAL for performing their job.

  • from time to time we may send information to, receive information from, or exchange your personal information with:

  • any company within our group of companies by means of a centralised database

  • partners or agents who support us to deliver our products and services to you, or that we refer you to, or that refer you to us

  • companies who perform essential services for us

  • regulators, courts or other public authorities

  • emergency services in the case of accident or emergency

Where we have relationships with other organisations that process your information on our behalf, we take care to ensure they have high data security standards. Such safeguards are included in the Data Processing Agreement concluded with them. We will not allow these organisations to use your personal information for unauthorised purposes.

If the business is reorganised or sold to another organisation, we shall transfer any personal information we hold to that organisation.

The full list of third parties that personal data is sent to is available on request.

 International transfers of data

We will not transfer your information to other countries outside the EEA unless it is unavoidable to allow us to deliver our products and services. If we do, we take care to ensure the same level of privacy and security as the UK.

In such situations, JIAL will decide on a case- by- case analysis, if a Transfer Risk Assessment is required. This assessment will point out the levels of risks the potential transfer exposes data subjects to and how they can be mitigated.

The documentation international data transfers rely on might be requested by data subjects at: For more details, please read the "Complaints" section of this policy.

Insurance Broker Partners

JIAL work with a network of regulated insurance brokers to enable their customers access to our insurance products via a website which adopts the brokers own branding. This is called a “White Label” page.

However, all such webpages will allow you to clearly identify the broker whose rules will be applicable to the processing operation, having their logo in the header.

Thus, any personal data processed as part of these webpages will be subject to the rules and limitations set by the broker, according to their Privacy Policy.

In this context, the only personal data collection that we are responsible for refers to the automated decision-making one, as detailed in the "Automated Decision Making" section of this policy.

All personal data provided to our associated brokers will be subsequently transferred to a joint system that allows us and the brokers simultaneous access.

Underlying documentation

Accordingly, JIAL has implemented a robust procedural system. We use this for ensuring the processing of data is transparent, lawful and fair.


  • whenever we implement a new system that might threaten the rights of data subjects or innovative solutions that rely on new technologies, we will carry out Data Protection Impact Assessments.

  • Whenever we need to transfer personal data in third countries that do not benefit from adequacy arrangements, decisions or regulations, we will carry out a Transfer Risk Assessment.

  • Whenever we need to evaluate the weaknesses in our business, we will conduct a Gap Analysis.

In addition to the above-mentioned assessments, we might have various reports created for specific reasons or ad hoc, based on situations we encounter on a daily basis.

As part of fulfilling our transparency obligations, data subjects can request the underlying documentation at any moment, at:   

However, we might not disclose all the information the documents contain, in order to protect other data subjects or for commercial reasons. In case we need to do so, we will ensure the content of the documentation can still be read and understood, without affecting the substantial information.


In case you are not pleased with the way we fulfil our obligations regarding data protection, we kindly ask you to inform us in the first instance. We are committed to having your personal data secured, so we will take all the measures to solve this.

If you are not satisfied with the way that we handled the situation, you can lodge a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues, which can be contacted at:   

Although we may not always be perfect, we would appreciate it if you contacted us first and allow us to prove our commitment towards adequate implementation of the data protection rules.


We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice.

If you have any questions about this Policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below:

  • Mark Povey

  • e-mail:

  • phone: 07740 171986

Updates to the policy

We regularly review this policy. Whenever we make changes that substantially affect the content and might have an impact on your rights, freedoms and legitimate interests, we will notify you (i.e. not including situations when we correct possible grammar mistakes or restructure the document herein).

You may view the most recent version here at: We also note at the beginning of the policy when the last update was.