privacy notice

Transparency

You have the right to a detailed explanation of what data we have about you, how and where we use it, how long we keep it and with whom it is shared. That information is contained in the details of our data processing below.

Access

You have the right to a copy of the data we hold about you. We will not charge you for providing this information in electronic form; we may charge for providing it on paper to reflect the costs and environmental impact of doing so. We may ask you to prove your identity before we release your data to you. If you want the data for a specific reason, you can help us by letting us know. Please be aware that no-one can force you to get a copy of your data and no-one should ask you to share it with them.

Correction

You have the right to have your data corrected. If you believe we have incomplete or incorrect information about you, please let us know. We may ask you to provide your identity and to provide evidence supporting the changes you would like made.

Erasure and the right to be forgotten

You have the right to have your data erased if we no longer need it. Note that in many cases we need to retain data about you in order to honour our obligations to you, because we are required to by law, or to protect your and our interests.

Review of automated decision making

You have the right to a human review of decisions we have made about you by purely automated means. Please note that almost all of our decision-making is already reviewed by a person – we use automation to support our team members.

Objection to processing on the basis of legitimate interest

You have the right to object to processing of your data where we use it to help us improve our services and develop our business. Technically this is known as processing on the basis of our legitimate interests and there is more information about this processing in the privacy notice. We are required carefully to consider and respond to your objection and show that we have taken care to protect you when doing such processing; you may also require that we do not process your data while we are considering your objection.

Restriction of Processing

You have the right, in certain other circumstances, to require us to stop processing your data. These circumstances are:

• Where we disagree about the accuracy of the information we hold about you and while we are verifying that information.
• Where we no longer require personal data that we hold about you and would normally erase it, but you wish us to retain it without otherwise processing it, for instance where you believe that you may need the information for your own purposes in a legal claim.
• You believe that the processing of your data may cause you substantial harm or distress and that our processing is not justified in accordance with the law.

Direct Marketing

You have the right to opt out of direct marketing. Note that if you do not specify which marketing you no longer wish to receive, we will stop sending you any marketing information. You will need to tell us the email addresses, phone numbers and other relevant details, and you will understand that we will need to keep these details so that we can be sure not to add you back to marketing lists in error. You also, of course, have the right to opt back into marketing at any time. 

Please note that in relation to service communications, Sagicor may be required contractually or legally to continue to send you service related messages only for administrative or customer service reasons.

Data portability

In some circumstances you have the right to ask us to transfer your data to another service provider directly. This can only be done where it is technically possible both for us and for the other service provider; we and they will let you know when this is the case.

Withdrawal of consent

Most of our processing of your data is performed for one of three reasons:

• In service of a contract between you and us, or in order to enter into such a contract;
• To comply with legal obligations placed on us by the government and our regulators; or
• To help us improve our services by better understanding our customers and their needs.

However, in some cases we will ask you for your consent to processing. Where we have done so, you have the right to withdraw your consent at any time and we will stop processing. We will explain the consequences of withdrawing consent at the time we ask for it and when you ask to withdraw it. 

If you are not satisfied with Sagicor’s response to any enquiry or complaint you make to us, you have the right to complain to your Data Protection Regulator, whose contact details (where available) have been provided in this privacy notice. 

If you would like to know more about our processing of your data or would like to exercise any of your rights, you can email us at [email protected]. You can also write to us at the address given in the relevant section for your country of residence or call our any of our regular service centre numbers and ask to speak to the privacy team.

Antigua and Barbuda

Audience

This information is for residents of Antigua and Barbuda; note that you should also read the sections on Barbados, Saint Lucia and Trinidad to understand the rights that apply to you because we process some of your personal data in those countries also.  

Data protection law

The data protection law in Antigua and Barbuda is the Data Protection Act of 2013. This act defines sensitive personal data as information on a person’s: 

• physical or mental health; 
• sexual orientation; 
• political opinions; 
• religious beliefs or beliefs of a similar nature, or;  
• commission or alleged commission of any offence. 

Antigua and Barbuda does not explicitly include financial records, biometric or genetic data in the definition of sensitive data but we at Sagicor will continue to treat any information of this kind that we hold about you in the strictest confidence and share it internally and externally only as needed to meet our contractual and service obligations to you and to comply with the law. 

There is no local data protection regulator at this time. 

Aruba

Audience

This information is for residents of Aruba; note you should also read the sections on Barbados and Trinidad to understand the rights that apply to you because we process some of your personal data in those countries also.  

Data protection law

Aruba has no specific data protection laws at this time, so there is no specific definition of sensitive data or any additional rights that apply to you.  There is no local data protection regulator.  

The Bahamas

Audience

This information is for residents of the Bahamas; note that you should also read the sections on Barbados and Trinidad to understand the rights that apply to you because we process some of your personal data in those countries also.  

Data protection law

The data protection law in the Bahamas is the Data Protection (Privacy of Personal Information) Act of 2003. This act defines sensitive personal data as information on a person’s: 

• racial origin; 
• political opinions or religious or other beliefs; 
• physical or mental health (other than any such data reasonably kept by [the data controller] in relation to the physical or mental health of their employees in the ordinary course of personnel administration and not used or disclosed for any other purpose); 

• trade union involvement or activities; 
• sexual life; or 
• criminal convictions, the commission or alleged commission of any offence, or any proceedings for any offence committed, the disposal of such proceedings or the sentence of any court in such proceedings. 

The Bahamas does not explicitly include financial records, biometric or genetic data in the definition of sensitive data but we at Sagicor will continue to treat any information of this kind that we hold about you in the strictest confidence and share it internally and externally only as needed to meet our contractual and service obligations to you and to comply with the law. 

If you are not satisfied with Sagicor’s response to any enquiry or complaint you make to us, you have the right to complain to the Office of the Data Protection Commissioner of the Bahamas, whose contact details are as follows: 

The Office of the Data Protection Commissioner 

31A Poinciana House 

North Building 

East Bay Street 

P.O. Box N-3017

Nassau

Bahamas

Tel: +1 (242) 604-1001 

Email: [email protected]  

There is also an electronic complaints form at the Commissioner’s website: https://www.bahamas.gov.bs/wps/wcm/connect/87dc045f-77d8-4a20-b8ad-a254496144e6/DPA-Privacy+Complaint+Form.pdf?MOD=AJPERES

Barbados

Audience

This information is primarily for residents of Barbados. If you are a customer of Sagicor in Barbados or the countries listed below, your data is also processed by Sagicor in Barbados and Trinidad & Tobago; you should read this section and that for Trinidad & Tobago as well as the relevant section for your country of residence applies to you.  

• Antigua and Barbuda 
• Aruba 
• Bahamas 
• Belize 
• Bermuda 
• Curaçao 
• Dominica 
• Grenada 
• Saint Lucia 
• St Kitts & Nevis 
• St Vincent and the Grenadines 
• Trinidad & Tobago 

Data protection law

The data protection law in Barbados is the Data Protection Act of 2019. This act defines sensitive personal data as information on a data subject’s: 

• racial or ethnic origin; 
• political opinions; 
• religious beliefs or other beliefs of a similar nature; 
• membership of a political body; 
• membership of a trade union; 
• genetic data; 
• biometric data; 
• sexual orientation or sexual life; 
• financial record or position; 
• criminal record; or
• proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court of competent jurisdiction in such proceedings. 

Barbados does not include health records in the definition of sensitive data but we at Sagicor will continue to treat your health information in the strictest confidence and share it only with medical professionals and as needed to meet our contractual obligations to you and to comply with the law. 

If you are not satisfied with Sagicor’s response to any enquiry or complaint you make to us, you have the right to complain to the Data Protection Commissioner of Barbados, whose contact details are as follows: 

Data Protection Commission 

Ministry of Industry, Innovation, Science & Technology  

5th Floor, SSA Building 

Vaucluse 

St. Thomas 

Barbados

Tel:  +1 (246) 536-1280

Email: [email protected]

Belize 

Audience 

This information is for residents of Belize; note that you should also read the sections on Barbados, Saint Lucia and Trinidad & Tobago to understand the rights that apply to you because we process some of your personal data in those countries also.

Data protection law

The data protection law in Belize is governed by the Data Protection Act of 2021.

There is not yet an appointed Data Protection Commissioner for Belize.

Bermuda 

Audience 

This information is for residents of Bermuda; note that you should also read the section on Barbados to understand the rights that apply to you because we process some of your personal data in that country also.

Data protection law

The data protection law in Bermuda is governed by the Personal Information Protection Act of 2016. The law will only take full effect from the 1^st of January 2025, but Sagicor is committed to operating in a compliant manner and protecting your privacy now.

If you are not satisfied with Sagicor’s response to any enquiry or complaint you make to us, you have the right to complain to the Office of the Privacy Commissioner of Bermuda, whose contact details are as follows:

Office of the Privacy Commissioner

Maxwell Roberts Building, 4th Floor

1 Church Street

Hamilton, HM11

Bermuda

Tel: +1 (441)-543-PRIV [-7748]

Email: [email protected]

There is also an electronic contact form at the Commissioner’s website: https://www.privacy.bm/contact-us

Sagicor data controller in Bermuda

Sagicor does not presently offer financial services in Bermuda. Our ultimate holding company is registered there and is the data controller for our shareholder register and associated processing. We also operate a reinsurance provider which may receive personal data from other jurisdictions.

Curaçao

Audience 

This information is for residents of Curaçao; note that you should also read the sections on Barbados and Trinidad & Tobago to understand rights that apply to you because we process some of your personal data in those countries.

Data protection law

The data protection law in Curaçao is governed by Landsverordening bescherming persoonsgegevens
consolidated text no. 84, or the “(National Ordinance Personal Data Protection).” This act defines sensitive data as information on data subjects including a person’s:

• religion or belief;
• race;
• political views;
• health data;
• sexual life;
• membership of a trade union.

Curaçao does not include financial records, biometric or genetic data in the definition of sensitive data but we at Sagicor will continue to treat your financial information in the strictest confidence and share it internally and externally only as needed to meet our contractual and service obligations to you and to comply with the law.

While there is a Data Protection Commissioner, at the time of writing, the law is not fully in force. This notice will be updated as the provisions become in force.

Dominica

Audience

This information is for residents of Dominica; note that you should also read the sections on Barbados, Saint Lucia and Trinidad & Tobago to understand the rights that apply to you because we process some of your personal data in those countries also.

Data protection law

Dominica has no specific data protection laws at this time, so there is no specific definition of sensitive data or any additional rights that apply to you.

Grenada

Audience

This information is for residents of Grenada; note that you should also read the sections on Barbados, Saint Lucia and Trinidad & Tobago to understand the rights that apply to you because we process some of your personal data in those countries also.

Data protection law

The data protection law in Grenada is governed by the Data Protection Act of 2023.

Given the recent enactment of the Act, the Office of the Data Protection Commissioner has not yet been staffed, but this notice will be updated with contact details once available.

Saint Lucia

Audience

This information is for residents of Saint Lucia; note that you should also read the sections on Barbados and Trinidad & Tobago to understand the rights that apply to you because we process some of your personal data in those countries also.

If you are resident in any of the following countries, we may also process some of your personal data in Saint Lucia (in addition to Barbados):

• Antigua and Barbuda
• Belize
• Dominica
• Grenada
• St Kitts & Nevis
• St Vincent and the Grenadines

 Data protection law

The data protection law in Saint Lucia is governed by the Privacy and Data Protection Act of 2011 as amended in 2015. Saint Lucia has not at the time of writing appointed a Data Protection Commissioner. In the meantime you may contact the Attorney General if you are not satisfied with Sagicor’s response to any enquiry or complaint you may make to us:

Attorney General’s Chambers

2nd Floor Francis Compton Building,

Waterfront,

Castries, Saint Lucia

Tel: +1 (758) 468-3200

Email: [email protected]

Email: [email protected]

St. Kitts & Nevis

Audience

This information is for residents of St. Kitts & Nevis; note that you should also read the sections on Barbados, Saint Lucia and Trinidad & Tobago to understand the rights that apply to you as we process some of your personal data in those countries also.

Data protection law

The data protection law in St. Kitts & Nevis is governed by the Data Protection Bill of 2018. At the time of writing this Bill is not yet in force.

St. Kitts & Nevis has not yet appointed an Information Commissioner; when that appointment has been made we will update this privacy notice with the appropriate contact details.

St. Vincent and the Grenadines

Audience

This information is for residents of St. Vincent and the Grenadines; note that you should also read the sections on Barbados, Saint Lucia and Trinidad & Tobago to understand the rights that apply to you because we process some of your personal data in those countries also.

Data protection law

The data protection law in St. Vincent and the Grenadines is governed by the Privacy Act (No. 18), 2003.

St. Vincent and the Grenadines has not at the time of writing, appointed a Data Protection Commissioner. We will update this privacy notice with the appropriate contact details when an appointment is made.

Trinidad and Tobago

Audience

This information is for residents of Trinidad and Tobago; note that you should also read the section on Barbados to understand the rights that apply to you because we process some of your personal data in Barbados also. If you are a customer of Sagicor in the countries listed below, your data is also processed by Sagicor in Trinidad & Tobago; you should read this section as well as the relevant section for your country of residence.

• Antigua and Barbuda
• Aruba
• Bahamas
• Belize
• Bermuda
• Curaçao
• Dominica
• Grenada
• Saint Lucia
• St Kitts & Nevis
• St Vincent and the Grenadines

Data protection law

The data protection law in Trinidad and Tobago is governed by the Data Protection Act of 2011. The law has not at the time of writing been brought into full effect, but Sagicor is committed to operating in a compliant manner and protecting your privacy now.

Trinidad and Tobago has not yet appointed an Information Commissioner; when that appointment has been made we will update this privacy notice with the appropriate contact details.

Other countries

The countries listed above are those where Sagicor is licensed to do business. If you bought a Sagicor product while resident in one of those countries and have now moved elsewhere, additional rights may apply to you based on your country of residence. However, this will depend on whether we are permitted to continue to offer our services to you in that country. Please contact us at [email protected] for further information.

Types and sources of information that we may collect

The information that we collect and process varies depending on the context. Each section below lists the categories that we may collect for the purposes listed. To understand which categories we collect and process about you, please refer to the details of processing for the specific products, services or circumstances that apply to you. The categories are as follows:

The examples given above are not an inclusive list; please contact us if you would like a complete list of the data we may hold about you.

Processing under legal obligation

In many instances we collect and process personal data because we are obliged to by law. The laws that require this processing will vary by context and by country. To simplify the detailed information below, we have listed the key relevant laws in the section for each country. The legal landscape is continually evolving and some processing will be required by more than one piece of legislation; the lists in this notice are not intended to be inclusive.

Data sharing

Sagicor Group Entities

We will share your personal data with other entities within Sagicor in order to provide our products and services to you. This sharing is protected by binding agreements within Sagicor that ensure your data is protected and used only for the purposes stated in this notice. We will not share your information for the purposes of marketing without your prior consent.

Third Party Service Providers

Like most modern companies, Sagicor uses a number of technology and service partners to enable our services and products. Because of the breadth and complexity of our services it is not possible to provide a list of these partners in this notice; if you would like a list of the partners with whom your personal data are shared, please contact us.

Regulators

As a regulated financial services entity we are required to share your personal data with our regulators and other government functions including those listed in the country-specific section on “Laws requiring the processing of personal data.” If you would like a list of the government and regulatory parties with whom your data has been shared on this basis, please contact us.

Employers, Agents/Brokers and Credit Bureaus

We may also share your data with other parties such as your employer in group insurance plans, an agent or a broker, or with other financial services entities, such as credit bureaus. Where this is envisaged it is noted in the relevant section for the product or service. If you would like a list of the other parties with whom your data has been shared on this basis, please contact us.

Transfers of data to other countries

We transfer your personal data to other countries in a number of circumstances:

Within Sagicor to any of our locations to enable us to provide our services and products; these transfers are protected by binding agreements that include standard contractual clauses setting out the obligations of the sending and receiving parties and the safeguards that must be applied. If you would like more information on our internal transfers and safeguards as they apply to you, please contact us.

To the United States of America for the purposes of IT service provision and data resilience. Our primary data centre is located in the United States, as is our recovery facility. These transfers, which include third party service providers, are protected by binding agreements that include standard contractual clauses setting out the obligations of the sending and receiving parties and the safeguards, including specific technological measures, that must be applied. If you would like more information on our internal transfers and safeguards as they apply to you, please contact us.

To other countries as required to enable the use of technology and service partners. We conduct careful due diligence on all data sharing partners and ensure that appropriate protections are in place to keep your personal data secure. If you would like a list of the partners and countries with whom your data have been shared, please contact us.

General Website Visitors

Purposes of processing

When you visit our website, we process your data for the following purposes, and under the following legal bases:

Note that this does not include processing of your data in the context of using our product and service websites or apps as a customer; please refer to the relevant product or service for further details.

The categories of personal data we collect and process

We currently collect the following categories of data when you use our website:

• Browser data
• Cookies
• Contact and demographic information if you ask for more information, contact us or book an appointment
  

Retention of data

We will retain browser data and cookies from the website for 90 days.  Personal data relating to requests for information and appointments will be retained for 3 years following the date of collection or your last interaction with us, whichever is the later.

Sharing your personal data with third parties  

We share your data with the following third parties:  

• Within Sagicor
• Our technology and service partners

In-person visitors

Purpose of processing

When you visit any of Sagicor’s offices and branch locations, we process your data for the following purposes, and under the following legal bases: 

• Access controls and visitor logs
• Legal obligation and legitimate interest
• Prevention and detection of crime
• Legitimate interest or legal obligation
• Health and safety
• Legal obligation

The categories of personal data we collect and process

We currently collect the following categories of data:  

• Contact and demographic details
• Government-issued identification
• CCTV (refer to the CCTV  section also)

Retention of data

We will retain a visitor log and associated identifying information including biometrics for a period of 90 days, unless an incident is suspected.

Sharing your personal data with third parties

We share your data with the following third parties:  

• Within Sagicor
• Our technology and service partners
• Law enforcement if required
• Our regulators if required

CCTV

Purpose of processing

We operate recorded CCTV systems at all of our physical locations. If you visit us, or come within the field of view of our cameras, we process your data for the following purposes, and under the following legal bases: 

• Prevention and detection of crime
• Legitimate interest or legal obligation
• Health and safety
• Legal obligation and legitimate interest

The categories of personal data we collect and process

We currently collect the following categories of data:  

• CCTV

Retention of data

We will keep recordings which may include your personal data for a period of 30 days, unless an incident is suspected, in which case the recording may be required for further investigation.

Sharing your personal data with third parties

We share your data with the following third parties only if required to do so by law:  

• Our technology and service partners
• Law enforcement if required
• Our regulators if required

Individual life and health insurance

Purpose of processing

In order to offer you, consider you for and provide you with life and health insurance, we process your data for the following purposes, and under the following legal bases: 

• To facilitate an efficient and effective insurance process and customer service  
• Performance of a contract 
• To ensure current and future clients’ insurance coverage is matched to their requirements  
• Legitimate interest (for marketing and product development), legal obligation and performance of a contract.
• To prepare and manage suitable insurance policies 
• Performance of a contract 
• To identify and communicate with beneficiaries
• Performance of a contract
• To manage claims against members' policies 
• Performance of a contract, and in rare cases the protection of vital interests of the data subject 
• To make and receive payments  
• Performance of a contract  
• To manage claims against clients’ policies 
• Performance of a contract  
• To detect, prevent and investigate fraud
• Legal obligation and our legitimate interest
• To assess and improve business performance   
• Legitimate interest or performance of a contract 
• To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations
• Legal obligation
• To report to regulators 
• Legal obligation
• To provide online services
• Performance of a contract, legitimate interest and consent for cookies
• For the purposes of direct marketing
• Legitimate interest (selection and profiling) and consent (contact)

The categories of personal data we collect and process

• Contact and demographic information
• Government-issued identification
• Employment information
• Filiation information
• Financial information
• Health information
• Insurance information
• Criminal records
• Call recordings

Retention of data

Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the expiry of your policy or the closure of any claim, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 10 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on termination of your policy or at the moment that a final decision not to proceed is taken.

Sharing your personal data with third parties

We share your data with the following third parties:  

• Within Sagicor
• Our technology and service partners
• Your insurance broker and our agents
• Other insurers either directly or via an industry association
• Our regulators
• Health professionals and providers

Group life and health insurance via your employer

Purposes of processing

We, along with your employer, are joint data controllers for group life and health insurance benefits and administration. We process your data, which may be obtained from your employer as well as directly from you, for the following purposes and under the following legal bases: 

• To facilitate an efficient and effective insurance process and customer service  
• Performance of a contract 
• To ensure current and future clients’ insurance coverage is matched to their requirements  
• Legitimate interest (for marketing and product development), legal obligation and performance of a contract.
• To prepare and manage suitable insurance policies 
• Performance of a contract 
• To manage claims against members' policies 
• Performance of a contract, and in rare cases the protection of vital interests of the data subject 
• To identify and communicate with beneficiaries
• Performance of a contract
• To make and receive payments  
• Performance of a contract  
• To manage claims against members' policies 
• Performance of a contract  
• To detect, prevent and investigate fraud
• Legal obligation and our legitimate interest
• To assess and improve business performance   
• Legitimate interest or performance of a contract
• To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations
• Legal obligation
• To report to regulators 
• Legal obligation
• To provide online services
• Performance of a contract, legitimate interest and consent for cookies 

The categories of personal data we collect and process

• Contact and demographic information
• Government-issued identification
• Employment information
• Filiation information
• Financial information
• Health information
• Insurance information
• Call recordings

Retention of data

Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the expiry of your policy or the closure of any claim, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 10 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on termination of your policy or at the moment that a final decision not to proceed is taken.

Sharing your personal data with third parties

We share your data with the following third parties:  

• Within Sagicor
• Our technology and service partners
• Your employer
• Your employer’s insurance brokers and our agents
• Other insurers either directly or via an industry association
• Our regulators
• Health professionals and providers

Pensions provided via your employer

Purposes of processing

We, along with the trustees of your pension fund, are joint data controllers for pensions administration. We process your data, which may be obtained from your employer as well as directly from you, for the following purposes and under the following legal bases: 

• To facilitate an efficient and effective pension process and customer service  
• Performance of a contract 
• To ensure current and future members’ pension provision is matched to their requirements  
• Legitimate interest (for marketing and product development), legal obligation and performance of a contract.
• To manage pension schemes 
• Performance of a contract
• To make and receive payments  
• Performance of a contract  
• To identify and communicate with beneficiaries
• Performance of a contract
• To detect, prevent and investigate fraud
• Legal obligation and our legitimate interest
• To assess and improve business performance   
• Legitimate interest or performance of a contract
• To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations
• Legal obligation
• To report to regulators 
• Legal obligation

The categories of personal data we collect and process

• Contact and demographic information
• Government-issued identification
• Employment information
• Filiation information
• Financial information
• Health information
• Call recordings

Retention of data

Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the expiry of your policy or the closure of any claim, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 10 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on termination of your policy or at the moment that a final decision not to proceed is taken.

Sharing your personal data with third parties

We share your data with the following third parties:  

• Within Sagicor
• Our technology and service partners
• Your employer
• Other pension scheme providers either directly or via an industry association
• Our regulators

Individual pensions

Purpose of processing

We process your data for the following purposes, and under the following legal bases: 

• To facilitate an efficient and effective pension process and customer service  
• Performance of a contract 
• To ensure current and future clients’ pension provisions are matched to their requirements  
• Legitimate interest (for marketing and product development), legal obligation and performance of a contract.
• To prepare and manage suitable pension schemes 
• Performance of a contract 
• To make and receive payments  
• Performance of a contract  
• To detect, prevent and investigate fraud
• Legal obligation and our legitimate interest
• To assess and improve business performance   
• Legitimate interest or performance of a contract
• To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations
• Legal obligation
• To report to regulators 
• Legal obligation
• To provide online services
• Performance of a contract, legitimate interest and consent for cookies
• For the purposes of direct marketing
• Legitimate interest (selection and profiling) and consent (contact)    

The categories of personal data we collect and process

• Contact and demographic information
• Government-issued identification
• Employment information
• Filiation information
• Financial information
• Health information
• Call recordings

Retention of data

Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the expiry of your pension or the closure of any policy, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 10 years from the date on which a final payment was made to you. We retain this data to comply with our regulatory obligations and to provide for legal claims.

Sharing your personal data with third parties

We share your data with the following third parties:   

• Within Sagicor
• Our technology and service partners
• Your broker or advisor and our agents
• Your employer
• Other pension scheme providers
• Our regulators
• Health professionals and providers if required

General insurance

Purpose of processing

We process your data for the following purposes, and under the following legal bases: 

• To facilitate an efficient and effective insurance process and customer service  
• Performance of a contract 
• To ensure current and future clients’ insurance coverage is matched to their requirements  
• Legitimate interest (for marketing and product development), legal obligation and performance of a contract.
• To prepare and manage suitable insurance policies 
• Performance of a contract 
• To manage claims against members' policies 
• Performance of a contract, and in rare cases the protection of vital interests of the data subject 
• To make and receive payments  
• Performance of a contract  
• To manage claims against clients’ policies 
• Performance of a contract  
• To detect, prevent and investigate fraud
• Legal obligation and our legitimate interest
• To assess and improve business performance   
• Legitimate interest or performance of a contract
• To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations
• Legal obligation
• To report to regulators 
• Legal obligation
• To provide online services
• Performance of a contract, legitimate interest and consent for cookies
• For the purposes of direct marketing
• Legitimate interest (selection and profiling) and consent (contact)  

The categories of personal data we collect and process

• Contact and demographic information
• Government-issued identification
• Employment information
• Filiation information
• Financial information
• Health information
• Insurance information
• Vehicle information
• Criminal records
• Call recordings
• Browser data
• Cookies

Retention of data

Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the expiry of your policy or the closure of any claim, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 10 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on termination of your policy or at the moment that a final decision not to proceed is taken.

Sharing your personal data with third parties

We share your data with the following third parties:  

• Within Sagicor
• Our technology and service partners
• Your insurance broker and our agents
• Other insurers either directly or via an industry association
• Our regulators
• Health professionals and providers if required

Retail banking including lending and deposit-taking services

Purposes of processing

This information also applies to our lending and deposit-taking operations in countries where we do not provide a full banking service.
We process your data for the following purposes, and under the following legal bases: 

• Due diligence, including KYC/ AML purposes
• Legal obligation
• For customer relationship management
• Performance of a contract
• Credit decision-making
• Legal obligation (affordable lending) and legitimate interest
• For loan servicing
• Performance of a contract
• To service savings and checking accounts as applicable
• Performance of a contract
• To provide online services where these are offered
• Performance of a contract, legitimate interest and consent for cookies
• To detect, prevent and investigate fraud
• Legal obligation and our legitimate interest
• Reporting to regulators
• Legal obligation
• For the purposes of direct marketing
• Legitimate interest (selection and profiling) and consent (contact)

The categories of personal data we collect and process

• Contact and demographic information
• Government-issued identification
• Employment information
• Filiation information
• Financial information
• Insurance information
• Vehicle information
• Criminal records
• Call recordings
• Browser data (if online services are provided)
• Cookies (if online services are provided)

Retention of data

Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the closure of your accounts or satisfaction any borrowing, whichever is the later. If for any reason we collect your data but no account is opened for you or credit issued, we will retain at least some of your data for 10 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on closure of your account, satisfaction of your loan or at the moment that a final decision not to proceed is taken.

Sharing your personal data with third parties

We share your data with the following third parties:  

• Within Sagicor
• Our technology and service partners
• Your advisors and brokers and our agents
• Credit reference agencies
• Your employer
• Other financial institutions either directly or via an association
• Our regulators

Wealth and investment management

Purposes of processing

We process your data for the following purposes, and under the following legal bases: 

• Due diligence, including KYC/ AML purposes
• Legal obligation
• For customer relationship management
• Performance of a contract
• To provide investment advice
• Performance of a contract and legal obligation
• For credit approvals
• Legal obligation (affordable lending) and legitimate interest
• To make and receive payments
• Performance of a contract
• To service investment accounts and execute transactions
• Performance of a contract
• To detect, prevent and investigate fraud
• Legal obligation and our legitimate interest
• To provide online services
• Performance of a contract, legitimate interest and consent for cookies
• Reporting to regulators
• Legal obligation
• For the purposes of direct marketing
• Legitimate interest (selection and profiling) and consent (contact)

The categories of personal data we collect and process

• Contact and demographic information
• Government-issued identification
• Employment information
• Filiation information
• Financial information
• Insurance information
• Criminal records
• Call recordings
• Browser data (if online services are provided)
• Cookies (if online services are provided)

Retention of data

Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the closure of your accounts or satisfaction of any borrowing, whichever is the later. If for any reason we collect your data but no account is opened for you or credit agreement entered into we will retain at least some of your data for 10 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on closure of your account, satisfaction of all outstanding lending or at the moment that a final decision not to proceed is taken.

Sharing your personal data with third parties

We share your data with the following third parties:  

• Within Sagicor
• Our technology and service partners
• Your advisors and brokers and our agents
• Credit reference agencies
• Other financial institutions either directly or via an association
• Our regulators

Remittances

Purposes of processing

We process your data for the following purposes, and under the following legal bases: 

• Due diligence, including KYC/ AML purposes
• Legal obligation
• To facilitate an efficient and effective remittance process and customer service
• Performance of a contract 
• To make and receive payments  
• Performance of a contract  
• For customer relationship management
• Performance of a contract
• To provide online services
• Performance of a contract, legitimate interest and consent for cookies
• To detect, prevent and investigate fraud
• Legal obligation and our legitimate interest
• Reporting to regulators
• Legal obligation
• For the purposes of direct marketing
• Legitimate interest (selection and profiling) and consent (contact)

The categories of personal data we collect and process

• Contact and demographic information
• Government-issued identification
• Employment information
• Filiation information
• Financial information
• Browser data (if online services are provided)
• Cookies (if online services are provided)

Retention of data

Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following your most recent transaction, whether sending or receiving money. If for any reason we collect your data but no transaction is performed, we will retain at least some of your data for 10 years from the date on which the data was collected. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted 3 years after your last transaction or the collection of the information, whichever is the later.

Sharing your personal data with third parties

We share your data with the following third parties:  

• Within Sagicor
• Our technology and service partners
• Our remittance network
• Other financial institutions either directly or via an association
• Our regulators

Property sales and services

Purpose of processing

We process your data for the following purposes, and under the following legal bases: 

• Due diligence, including KYC/ AML purposes
• Legal obligation
• To sell or rent a property to you
• Performance of a contract
• To maintain our rental properties
• Performance of a contract
• To make and receive payments
• Performance of a contract
• To detect, prevent and investigate fraud
• Legal obligation and our legitimate interest
• To report to regulators
• Legal obligation
• To provide online services
• Performance of a contract, legitimate interest and consent for cookies
• For the purposes of direct marketing
• Legitimate interest (selection and profiling) and consent (contact)

The categories of personal data we collect and process

• Contact and demographic information
• Government-issued identification
• Employment information
• Financial information
• Insurance information
• Browser data (if online services are provided)
• Cookies (if online services are provided)

Retention of data

Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following your most recent transaction. If for any reason we collect your data but no transaction is performed, we will retain at least some of your data for 10 years from the date on which the data was collected. We retain this data to comply with our regulatory obligations and to provide for legal claims.

Sharing your personal data with third parties

We share your data with the following third parties:  

• Within Sagicor
• Our technology and service partners
• Other financial institutions either directly or via an association
• Our regulators

Shareholders

Purpose of processing

The entity in which you are a shareholder will process your data for the following purposes, and under the following legal bases: 

• Statutory notice requirements for shareholders
• Performance of a contract
• Due diligence, including KYC/ AML purposes
• Legal obligation
• To make and receive payments
• Performance of a contract
• To detect, prevent and investigate fraud
• Legal obligation and our legitimate interest
• To report to regulators
• Legal obligation

The categories of personal data we collect and process

• Contact and demographic information
• Government-issued identification
• Financial information

Retention of data

Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the end of your shareholding. If for any reason we collect your data but no shares are owned by you or on your behalf, we will retain at least some of your data for 10 years from the date on which the data was collected. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted 3 years after your shareholding ends or the collection of the information, whichever is the later.

Sharing your personal data with third parties

We share your data with the following third parties:  

• Within Sagicor
• Our technology and service partners
• Other financial institutions including stock exchanges, brokers and registrars either directly or via an association
• Our regulators

Job Applicants

Purposes of processing

If you apply for employment with Sagicor, we process your data for the following purposes, and under the following legal bases: 

• In order to assess suitability for a role with Sagicor
• Performance of a contract
• Due diligence, including KYC/ AML purposes
• Legal obligation
• To detect, prevent and investigate fraud
• Legal obligation and our legitimate interest
• To report to regulators
• Legal obligation
• To provide online services
• Performance of a contract, legitimate interest and consent for cookies

The categories of personal data we collect and process

• Contact and demographic information
• Government-issued identification
• Employment information
• Financial information
• Health information
• Browser data (if online application)
• Cookies (if online application)

Retention of data

We will keep your personal data if you are a successful applicant in line with the Employee Privacy Notice retention period.  If you are an unsuccessful applicant, we will retain some of your personal data for up to 6 months from the date of your last application.

Sharing your personal data with third parties

We share your data with the following third parties:

• Within Sagicor
• Our technology and service partners
• Your former employers
• Our regulators

Whistleblowing

Purpose of processing

We process your data for the following purpose, and under the following legal basis: 

• To enable the making by employees or the public of specified disclosures of improper conduct
• Public interest and legal obligation

The categories of personal data we collect and process

We may collect any of the following categories of data:

• Contact/ Demographic Data (unless complaint is made anonymously)

Other data may also be collected based on your disclosure; this will depend on the content of that disclosure but will always be collected from and therefore know by you. 

Retention of data

We will keep at least some of your personal data for as long as necessary to conclude our investigation.  After such time, your personal information will be deleted within 6 months.

Sharing your personal data with third parties

We share your data with the following third parties:  

• Within Sagicor strictly as needed to support any investigation
• Our technology and service partners
• Regulators and law enforcement as required by law