This website, www.CompareYourTravelInsurance.co.uk (“the Website”) is owned and operated
by Medical Travel Compared Ltd (“us”, “we”) a private limited company registered in Gibraltar
(Company number 111831) whose registered address is: 1st Floor, Grand Ocean Plaza, Ocean
Compare Your Travel Insurance is a trading name of Medical Travel Compared Ltd, which is
authorised and regulated by the Financial Services Commission, reference number FSC1248B.
proceeding with access to this website you are deemed to have accepted this policy. We reserve the
right to vary this policy at any time and will post any variations here.
Our Responsibility To Protect Your Data
1. General Points
1.1 The Board of Directors and management of Medical Travel Compared Ltd are committed
to compliance with all relevant EU and Member State laws in respect of personal data, and
the protection of the “rights and freedoms” of individuals whose information Medical Travel
Compared Ltd collects and processes in accordance with the General Data Protection
1.2 Compliance with the GDPR is described by this policy and takes into consideration our
connected processes and procedures.
1.3 The GDPR and this policy apply to all Medical Travel Compared Ltd’s personal data
processing functions, including those performed on clients’, employees’, suppliers’ and
partners’ personal data, and any other personal data that Medical Travel Compared
Ltd processes from any source.
1.4 Our Data Protection Officer is responsible for reviewing our processes, procedures,
policies and guidelines on a half-yearly basis in the light of any changes to Medical Travel
Compared Ltd’s activities (as determined by management review) and to any additional
requirements identified by means of data protection impact assessments.
1.5 This policy applies to all staff, suppliers and partners of Medical Travel Compared Ltd,
including outsourced suppliers and partners. Any breach of the GDPR will be dealt with
under Medical Travel Compared Ltd’s disciplinary policy and in if a criminal offence has been
committed, the matter will be reported as soon as possible to the appropriate authorities.
1.6 Partners and any third parties working with or for Medical Travel Compared Ltd, and
who have or may have access to personal data, will be expected to have read, understood
and comply with this policy. No third party may access personal data held by Medical Travel
Compared Ltd without having first entered into a Data Security and Confidentiality
Agreement, which imposes on the third-party obligations no less onerous than those to
which Medical Travel Compared Ltd is committed, and which gives Medical Travel Compared
Ltd the right to audit compliance with the agreement.
2. Responsibilities and roles under the General Data Protection Regulation
2.1 Medical Travel Compared Ltd is a Data Controller under the GDPR.
2.2 Top Management and all those in managerial or supervisory roles throughout Medical
Travel Compared Ltd are responsible for developing and encouraging good information
handling practices within Medical Travel Compared Ltd; responsibilities are set out in
individual job descriptions.
2.3 Medical Travel Compared Ltd’s Data Protection Officer is Kate O'Sullivan CDPO, Kate can
be contacted at kate.o'[email protected] As required in the GDPR, she is an advisor
to Medical Travel Compared Ltd, is accountable to the Directors of Medical Travel Compared
Ltd for the management of personal data and for ensuring that compliance with data
protection legislation and good practice can be demonstrated. This accountability includes:
2.3.1 development and implementation of the GDPR as required by this policy; and
2.3.2 security and risk management in relation to compliance with the policy.
2.4 Compliance with data protection legislation is the responsibility of all Employees/Staff
of Medical Travel Compared Ltd who process personal data.
2.5 Medical Travel Compared Ltd’s Training Policy sets out specific training and awareness
requirements in relation to specific roles and of staff generally.
2.6 All staff at Medical Travel Compared Ltd are responsible for ensuring that any personal
data is accurate and up-to-date.
General Data Protection Regulation
3. Data protection principles
3.1 All processing of personal data must be conducted in accordance with the data
protection principles as set out in Article 5 of the GDPR. Medical Travel Compared Ltd’s
policies and procedures are designed to ensure compliance with the principles.
The GDPR states that:
3.2 Personal data must be processed lawfully, fairly and transparently
3.2.1 Lawful –Consent is reinforced by the contract for services which is put in place
between Medical Travel Compared Ltd and the data subject, in that it is necessary
for Medical Travel Compared Ltd to hold personal data in the performance of the
contract for services, as set out in Article 6 1.(b) of the GDPR.
3.2.2 Fairly – Medical Travel Compared Ltd will make certain information available to
data subjects as soon as practicable following a request from the data subject. This
applies whether the personal data was obtained directly from data subjects or from
3.2.3 Transparently – Medical Travel Compared Ltd aim to provide all details about
personal data and reasons for processing in a transparent way. If you are unclear
about any aspects of our work or our policies, please get in touch with our Data
Controller, who is mentioned in 2.3 above.
3.3 Personal data must be adequate, relevant and limited to what is necessary for processing
3.3.1 Medical Travel Compared Ltd only collect enough personal data from
individuals as is necessary to perform the processing noted in 3.3 above.
3.3.2 All data collection forms and methods have been reviewed by our Data
Protection Officer and have been deemed to be fair methods of collection.
3.3.3 Our Data Protection Officer will ensure that, on a half-yearly basis all data
collection methods are reviewed to ensure that collected data continues to be
adequate, relevant and not excessive.
3.4 Personal data must be accurate and kept up to date with every effort to erase or rectify
3.4.1 Medical Travel Compared Ltd’s Data Controller will review and update data
within our systems as necessary. No data is kept unless it is reasonable to assume
that it is accurate.
3.4.2 Our Data Protection Officer is responsible for ensuring that all staff are trained
in the importance of collecting accurate data and maintaining it.
3.4.3 It is the responsibility of Medical Travel Compared Ltd to ensure that any
notification regarding changes of circumstances are recorded and acted upon.
3.4.4 Our Data Protection Officer is responsible for ensuring that appropriate
procedures and policies are in place to keep personal data accurate and up to date,
taking into account the volume of data collected, the speed with which it might
change and any other relevant factors.
3.4.5 CYTI (Medical Travel Compared Ltd’s Data Controller is responsible for
responding to requests for rectification from data subjects within one month of the
request. This can be extended to a further two months for complex requests,
according to Article 12 3. of the GDPR. If Medical Travel Compared Ltd decides not
to comply with the data subject request, our Data Protection Officer will respond to
the data subject to explain the reasoning and inform the data subject of their right
to complain to the supervisory authority and seek judicial remedy.
3.4.6 Medical Travel Compared Ltd’s Data Controller is responsible for making
appropriate arrangements that, where third-party organisations may have been
passed inaccurate or out-of-date personal data, they will be informed that the
information is inaccurate and/or out of date and is not to be used to inform
decisions about the individuals concerned; and for passing any correction to the
personal data to the third party where this is required.
3.5 Personal data must be kept in a form such that the data subject can be identified only as
long as is necessary for processing.
3.5.1 Where personal data is retained beyond the processing date, it will be
minimised and anonymised in order to protect the identity of the data subject in the
event of a data breach.
3.5.2 Personal data will be retained in line with the Retention of Records Procedure
and, once its retention date is passed, it will be securely destroyed as set out in this
3.5.3 Our Data Protection Officer will specifically approve any data retention that
exceeds the retention periods defined in Retention of Records Procedure and will ensure that the justification is clearly identified and in line with the requirements of
the data protection legislation. This approval will be made in writing.
3.6 Personal data must be processed in a manner that ensures the appropriate security
Our Data Protection Officer has carried out risk assessments that take into account all the
circumstances of Medical Travel Compared Ltd’s controlling or processing operations.
In determining appropriateness, our Data Protection Officer has considered the extent of possible
damage or loss that might be caused to individuals (e.g. staff or clients) if a security breach occurs,
the effect of any security breach on Medical Travel Compared Ltd itself, and any likely reputational
damage including the possible loss of client trust. Considerations have included:
Automatic locking of idle terminals;
Removal of access rights for USB and other memory media;
Virus checking software and firewalls;
Role-based access rights including those assigned to temporary staff;
Encryption of devices that leave the organisations premises such as laptops;
Security of local and wide area networks;
Privacy enhancing technologies such as pseudonymisation and anonymisation.
These controls have been selected on the basis of identified risks to personal data, and the potential
for damage or distress to individuals whose data is being processed.
3.7 The controller must be able to demonstrate compliance with the GDPR’s other principles
Medical Travel Compared Ltd demonstrates compliance with the data protection principles
of the GDPR by implementing data protection policies, adhering to codes of conduct,
implementing technical and organisational measures, as well as adopting techniques such as
data protection by design, DPIAs, breach notification procedures and incident response
Your Personal Data Rights
4. Data subjects’ rights
4.1 Data subjects have the following rights regarding data processing, and the data that is
recorded about them:
4.1.1 To make subject access requests regarding the nature of information held and
to whom it has been disclosed.
4.1.2 To prevent processing likely to cause damage or distress.
4.1.3 To prevent processing for purposes of direct marketing.
4.1.4 To be informed about the mechanics of automated decision-taking process
that will significantly affect them.
4.1.5 To not have significant decisions that will affect them taken solely by
4.1.6 To sue for compensation if they suffer damage by any contravention of the
4.1.7 To take action to rectify, block, erased, including the right to be forgotten, or
destroy inaccurate data.
4.1.8 To request the supervisory authority to assess whether any provision of the
GDPR has been contravened.
4.1.9 To have personal data provided to them in a structured, commonly used and
machine-readable format, and the right to have that data transmitted to another
4.1.10 To object to any automated profiling that is occurring without consent.
4.2 Medical Travel Compared Ltd ensures that data subjects may exercise these rights:
4.2.1 Data subjects may make data access requests as described in our Subject
Access Request Procedure; this procedure also describes how Medical Travel
Compared Ltd will ensure that its response to the data access request complies with
the requirements of the GDPR.
4.2.2 Data subjects have the right to complain to Medical Travel Compared
Ltd related to the processing of their personal data, the handling of a request from a
data subject and appeals from a data subject on how complaints have been handled
in line with our Complaints Procedure.
5.1 Medical Travel Compared Ltd understands ‘consent’ to mean that it has been explicitly
and freely given, and a specific, informed and unambiguous indication of the data subject’s
wishes that, by statement or by a clear affirmative action, signifies agreement to the
processing of personal data relating to him or her. The data subject can withdraw their
consent at any time.
5.2 Medical Travel Compared Ltd understands ‘consent’ to mean that the data subject has
been fully informed of the intended processing and has signified their agreement, while in a
fit state of mind to do so and without pressure being exerted upon them. Consent obtained
under duress or on the basis of misleading information will not be a valid basis for
5.3 Medical Travel Compared Ltd collect special categories of personal data, as described in
Article 9 of the GDPR. Medical Travel Compared Ltd collect data related to children and do
not collect data regarding criminal convictions. None of these types of data are necessary
for Medical Travel Compared Ltd to provide its services to data subjects.
Keeping Your Personal Data Secure
6. Security of data
6.1 All staff at Medical Travel Compared Ltd are responsible for ensuring that any personal
data that Medical Travel Compared Ltd holds and for which they are responsible, is kept
securely and is not under any conditions disclosed to any third party unless that third party
has been specifically authorised by Medical Travel Compared Ltd to receive that information
and has entered into a confidentiality agreement.
6.2 Access to personal data is given on a ‘least privilege’ basis to ensure that only those who
need to use it are given access. All personal data is kept secure by the following means:
if computerised, password protected in line with best practice; and
stored on (removable) computer media which are encrypted in line with Secure
Disposal of Storage Media;
if data is held in hard copy, it is stored in a lockable room with controlled access; and
in a locked drawer or filing cabinet.
6.3 Personal data may only be deleted or disposed of in line with the Retention of Records
Procedure. Manual records that have reached their retention date are shredded and
disposed of as ‘confidential waste’. Hard drives of redundant PCs will be removed and
immediately destroyed before disposal.
6.4 Medical Travel Compared Ltd understands that processing of personal data ‘off-site’
presents a potentially greater risk of loss, theft or damage to personal data. Staff must be
specifically authorised to process data off-site.
7. Disclosure of data
7.1 For the purposes of providing you with a quote and the ability to purchase policies, we may share your data with third parties including insurance providers and risk assessment bodies - these are listed below:
Legal & General
Post Office Money
7.2 Any requests received by Medical Travel Compared Ltd to provide data to a third party in accordance with Article 23 of the GDPR must be supported by appropriate paperwork and all such disclosures must be specifically authorised by our Data Protection Officer.
To improve your experience on this site and keep you informed we may also share your data with customer support service providers, review bodies and marketing agencies who we have a relationship with.
7.3 Medical Travel Compared Ltd has provided awareness and training that ensures that personal data is not disclosed to unauthorised third parties.
Retaining Your Data
8. Retention and disposal of data
8.1 Medical Travel Compared Ltd shall not keep personal data in a form that permits
identification of data subjects for longer a period than is necessary, in relation to the
purpose(s) for which the data was originally collected.
8.2 Medical Travel Compared Ltd may store data for longer periods if the personal data will
be processed solely for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes, subject to the implementation of appropriate
technical and organisational measures to safeguard the rights and freedoms of the data
8.3 The retention period for each category of personal data is set out in Medical Travel
Compared Ltd’s Retention of Records Procedure along with the criteria used to determine
this period including any statutory obligations Medical Travel Compared Ltd has to retain the
8.4 Medical Travel Compared Ltd’s data retention and data disposal procedures will apply in
8.5 Personal data will be disposed of securely in accordance with the sixth principle of the
GDPR – processed in an appropriate manner to maintain security, thereby protecting the
“rights and freedoms” of data subjects.
9. Data Transfers
9.1 Medical Travel Compared Ltd do not transfer data to any third parties outside of the
European Economic Area (EEA).
10. Information asset register/data inventory
10.1 Medical Travel Compared Ltd has established a data inventory and data flow process as
part of its approach to address risks and opportunities throughout its GDPR compliance
project. Medical Travel Compared Ltd’s data inventory and data flow determines:
business processes that use personal data;
source of personal data;
volume of data subjects;
description of each item of personal data;
maintains the inventory of data categories of personal data processed;
documents the purpose(s) for which each category of personal data is used;
recipients, and potential recipients, of the personal data;
the role of Medical Travel Compared Ltd throughout the data flow;
key systems and repositories;
any data transfers; and
all retention and disposal requirements.
10.2 Medical Travel Compared Ltd assesses the level of risk to individuals associated with
the processing of their personal data.
10.2.1 Data protection impact assessments (DPIAs) are carried out where
appropriate in relation to the processing of personal data by Medical Travel
Compared Ltd, and in relation to processing undertaken by any other organisations
on behalf of Medical Travel Compared Ltd.
10.2.2 Medical Travel Compared Ltd shall manage any risks identified by the risk
assessment in order to reduce the likelihood of a non-conformance with this policy.
10.2.3 Where a type of processing, in particular using new technologies and taking
into account the nature, scope, context and purposes of the processing is likely to
result in a high risk to the rights and freedoms of natural persons, Medical Travel
Compared Ltd shall, prior to the processing, carry out a DPIA of the impact of the
envisaged processing operations on the protection of personal data. A single DPIA
may address a set of similar processing operations that present similar high risks.
10.2.4 Where, as a result of a DPIA it is clear that Medical Travel Compared Ltd is
about to commence processing of personal data that could cause damage and/or
distress to the data subjects, the decision as to whether or not Medical Travel
Compared Ltd may proceed will be escalated for review to our Data Protection
10.2.5 Our Data Protection Officer shall, if there are significant concerns, either as to
the potential damage or distress, or the quantity of data concerned, escalate the
matter to the supervisory authority.
10.2.6 On an ongoing basis, appropriate controls will be selected utilising best
practice principles and applied to reduce the level of risk associated with processing
individual data to an acceptable level, by reference to the requirements of the
Protecting Children’s Data
Minors and Children’s Privacy
Medical Travel Compared Ltd takes the protection and the privacy of young children especially
important. Our Service is not directed to children under the age of 16, and we do not knowingly
collect Personal Data from children under the age of 16 without obtaining parental consent.
11.1 If you are under 16 years of age, then please do not use or access the Service at any
time or in any manner. If we learn that Personal Data has been collected on the Service from
persons under 16 years of age and without verifiable parental consent, then we will take the
appropriate steps to delete this information.
11.2 If you are a parent or guardian and discover that your child under 16 years of age has
obtained a Quote or Policy via our website, then you may alert our data protection
officer kate.o'[email protected] and request that we delete that child’s Personal Data from