"Transparency"

You have the right to a detailed explanation of what data we have about you, how and where we use it, how long we keep it and with whom it is shared. That information is contained in the details of our data processing below.

"Access"

You have the right to a copy of the data we hold about you. We will not charge you for providing this information in electronic form; we may charge for providing it on paper to reflect the costs and environmental impact of doing so. We may ask you to prove your identity before we release your data to you. If you want the data for a specific reason, you can help us by letting us know. Please be aware that no-one can force you to get a copy of your data and no-one should ask you to share it with them.

"Correction"

You have the right to have your data corrected. If you believe we have incomplete or incorrect information about you, please let us know. We may ask you to provide your identity and to provide evidence supporting the changes you would like made.

"Erasure and the right to be forgotten"

You have the right to have your data erased if we no longer need it. Note that in many cases we need to retain data about you in order to honour our obligations to you, because we are required to by law, or to protect your and our interests.

"Review of Automated Decision Making"

You have the right to a human review of decisions we have made about you by purely automated means. Please note that almost all of our decision-making is already reviewed by a person – we use automation to support our team members.

"Objection to processing on the basis of legitimate interest"

You have the right to object to processing of your data where we use it to help us improve our services and develop our business. Technically this is known as processing on the basis of our legitimate interests and there is more information about this processing in the privacy notice. We are required carefully to consider and respond to your objection and show that we have taken care to protect you when doing such processing; you may also require that we do not process your data while we are considering your objection.

"Restriction of Processing"

You have the right, in certain other circumstances, to require us to stop processing your data. These circumstances are:

• Where we disagree about the accuracy of the information we hold about you and while we are verifying that information.
• Where we no longer require personal data that we hold about you and would normally erase it, but you wish us to retain it without otherwise processing it, for instance where you believe that you may need the information for your own purposes in a legal claim.
• You believe that the processing of your data may cause you substantial harm or distress and that our processing is not justified in accordance with the law.

"Direct Marketing"

You have the right to opt out of direct marketing. Note that if you do not specify which marketing you no longer wish to receive, we will stop sending you any marketing information. You will need to tell us the email addresses, phone numbers and other relevant details, and you will understand that we will need to keep these details so that we can be sure not to add you back to marketing lists in error. You also, of course, have the right to opt back into marketing at any time.

"Data Portability"

In some circumstances you have the right to ask us to transfer your data to another service provider directly. This can only be done where it is technically possible both for us and for the other service provider; we and they will let you know when this is the case.

"Withdrawal of Consent"

Most of our processing of your data is performed for one of three reasons:

• in service of a contract between you and us, or in order to enter into such a contract;
• to comply with legal obligations placed on us by the government and our regulators; or
• to help us improve our services by better understanding our customers and their needs.

However, in some cases we will ask you for your consent to processing. Where we have done so, you have the right to withdraw your consent at any time and we will stop processing. We will explain the consequences of withdrawing consent at the time we ask for it and when you ask to withdraw it.

If you would like to know more about our processing of your data or would like to exercise any of Your Rights, you can email us at [email protected]. You can also write to us at the address given in the relevant section for your country of residence or call our any of our regular service centre numbers and ask to speak to the privacy team.

Jamaica

Audience

This information is for residents of Jamaica. If you are an employee of Sagicor in the countries listed below, your data is also processed by Sagicor in Jamaica and this information applies to you.

• Costa Rica
• Panama
• The Cayman Islands

Data protection law

The data protection law in Jamaica is the Data Protection Act of 2020. This act defines sensitive personal data as information on a person’s:

• genetic data or biometric data;
• filiation, or racial or ethnic origin;
• political opinions, philosophical beliefs;
• religious beliefs or other beliefs of a similar nature;
• membership in any trade union;
• physical or mental health or condition;
• sex life;
• the alleged commission of any offence by the data subject or any proceedings for any offence alleged to have been committed by the data subject.

Jamaica does not include financial records in the definition of sensitive data but we at Sagicor will continue to treat your financial information in the strictest confidence and share it internally and externally only as needed to meet our contractual and service obligations to you and to comply with the law.

If you are resident in Jamaica or we process your data there, you have the following additional rights under the Jamaica Data Protection Act:

• You have the right to prevent decisions being made about you by solely automated means. However, some kinds of decision can be exempted from this right by ministerial order.
• The protection of your personal data continues for 30 years following your death. This means that your estate can continue to exercise Your Rights and we will continue to protect your data during that time.
• If you seek to exercise your right to correction of your personal data and we are unable to confirm your revised information, you may require us to retain a record of your version of the data alongside ours.

If you are not satisfied with Sagicor’s response to any enquiry or complaint you make to us, you have the right to complain to the Office of the Information Commissioner of Jamaica, whose contact details are as follows:

Office of the Information Commissioner
The Masonic Building (2nd Floor)
45-47 Barbados Avenue
Kingston 5
Jamaica
Tel: +1 (876) 920-4390 Email: [email protected]

Laws requiring the processing of personal data

The list below is constantly under review and will be updated as the law changes and as we identify processing which we are legally obliged to conduct. If you would like more information about our processing on the basis of legal obligation, please contact [email protected] with your query.

Sagicor Data Controllers in Jamaica

Costa Rica

Audience

This information is for residents of Costa Rica; note that you should also read the section on Jamaica to understand the rights that apply to you because we process some of your personal data in that country also.

Data protection law

The data protection law in Costa Rica is the Data Protection act of 2013. This act defines sensitive data as information on a data subject’s:

• Racial or ethnic origin;
• Political opinions;
• Religious or philosophical beliefs;
• Spiritual convictions;
• Socioeconomic condition;
• Biomedical or genetic information;
• Sex life and sexual orientation.

Costa Rica does not expressly include financial records in the definition of sensitive data but we at Sagicor will continue to treat your financial information in the strictest confidence and share it internally and externally only as needed to meet our contractual and service obligations to you and to comply with the law.

If you are not satisfied with Sagicor’s response to any enquiry or complaint you make to us, you have the right to complain to the Data Protection Agency, whose contact details are as follows:

Costa Rica Agencia de Protección de Datos de los Habitantes (PRODHAB)
San Pedro de Montes de Oca Alameda
7th Avenue and 49th street Da Vinci Building
San Jose
San Pedro
Costa Rica

Tel: +1 (506) 2234-0189 Email: [email protected]

Sagicor Data Controller in Costa Rica

Aseguradora Sagicor Costa Rica S.A
Avenida Escazú
Edificio 205
5to Piso
San Jose
San Rafael de Escazú
Costa Rica

Panama

Audience

This information is for residents of Panama; note that you should also read the section on Jamaica to understand the rights that apply to you because we process some of your personal data in that country also.

Data protection law

The data protection law in Panama is the Personal Data Protection Law of 2021. This act defines sensitive data as information on data subject’s:

• Racial or ethnic origin;
• Religious, philosophical and moral beliefs or convictions;
• Union membership;
• Political opinions;
• Health;
• Sexual preference or orientation;
• Biometric or genetic data.

Panama does not include financial records in the definition of sensitive data but we at Sagicor will continue to treat your financial information in the strictest confidence and share it internally and externally only as needed to meet our contractual and service obligations to you and to comply with the law.

If you are not satisfied with Sagicor’s response to any enquiry or complaint you make to us, you have the right to complain to the:
Autoridad Nacional de Transparencia y Acceso a la Información (ANTA)

Del Prado Avenue
Building 713
Balboa
Ancon
Panama Tel: +1 (507) 527-9270 Email: [email protected]

Sagicor Data Controller in Panama

The Cayman Islands

Audience

This information is for residents of the Cayman Islands; note that you should also read the section on Jamaica to understand the rights that apply to you because we process some of your personal data in Jamaica also.

Data protection law

The data protection law in the Cayman Islands is the Data Protection Act (revised) of 2021. This act defines sensitive personal data as information on a person’s:

• racial or ethnic origin;
• political opinions;
• religious beliefs or other beliefs of a similar nature;
• trade union membership;
• genetic data;
• physical or mental health or condition;
• medical data;
• sex life;
• commission, or alleged commission, of an offence; or
• any proceedings for any offence committed, or alleged to have been committed.

The Cayman Islands do not explicitly include financial records in the definition of sensitive data, but we at Sagicor will continue to treat any information of this kind that we hold about you in the strictest confidence and share it internally and externally only as needed to meet our contractual and service obligations to you and to comply with the law.

If you are not satisfied with Sagicor’s response to any enquiry or complaint you make to us, you have the right to complain to the Ombudsman, whose contact details are as follows:

By post:
PO Box 2252,
Grand Cayman
KY1-1107
Cayman Islands

In person:
Office of the Ombudsman
5th Floor, Anderson Square
64 Shedden Road
George Town
Grand Cayman
Tel: +1 (345) 946- 6283 Email: [email protected]

There is also a downloadable complaint form at the Ombudsman’s website.

Sagicor Data Controllers in the Cayman Islands

Other countries

The countries listed above are those where Sagicor is licensed to do business. If you bought a Sagicor product while resident in one of those countries and have now moved elsewhere, additional rights may apply to you based on your country of residence. However, this will depend on whether we are permitted to continue to offer our services to you in that country. Please contact us at [email protected] for further information.

Types and sources of information that we may collect

The information that we collect and process varies depending on the context. Each section below lists the categories that we may collect for the purposes listed. To understand which categories we collect and process about you, please refer to the details of processing for the specific products, services or circumstances that apply to you. The categories are as follows:

Category Examples of data collected

The examples given above are not an inclusive list; please contact us if you would like a complete list of the data we may hold about you.

Processing under Legal Obligation

In many instances we collect and process personal data because we are obliged to by law. The laws that require this processing will vary by context and by country. To simplify the detailed information below, we have listed the key relevant laws in the section for each country. The legal landscape is continually evolving and some processing will be required by more than one piece of legislation; the lists in this notice are not intended to be inclusive.

Data Sharing

We will share your personal data with other entities within Sagicor in order to provide our products and services to you. This sharing is protected by binding agreements within Sagicor that ensure your data is protected and used only for the purposes stated in this notice. We will not share your information for the purposes of marketing without your prior consent.

Like most modern companies, Sagicor uses a number of technology and service partners to enable our services and products. Because of the breadth and complexity of our services it is not possible to provide a list of these partners in this notice; if you would like a list of the partners with whom your personal data are shared, please contact us.

As a regulated financial services entity we are required to share your personal data with our regulators and other government functions including those listed in the country-specific section on “Laws requiring the processing of personal data”. If you would like a list of the government and regulatory parties with whom your data has been shared on this basis, please contact us.

We may also share your data with other parties such as your employer, an agent or a broker, or with other financial services entities. Where this is envisaged it is noted in the relevant section for the product or service. If you would like a list of the other parties with whom your data has been shared on this basis, please contact us.

Transfers of data to other countries

We transfer your personal data to other countries in a number of circumstances:

• Within Sagicor to any of our locations to enable us to provide our services and products; these transfers are protected by binding agreements that include standard contractual clauses setting out the obligations of the sending and receiving parties and the safeguards that must be applied. If you would like more information on our internal transfers and safeguards as they apply to you, please contact us.

• To the United States of America for the purposes of IT service provision and data resilience. Our primary data centre is located in the United States, as is our recovery facility. These transfers, which include third party service providers, are protected by binding agreements that include standard contractual clauses setting out the obligations of the sending and receiving parties and the safeguards, including specific technological measures, that must be applied. If you would like more information on our internal transfers and safeguards as they apply to you, please contact us.

• To other countries as required to enable the use of technology and service partners. We conduct careful due diligence on all data sharing partners and ensure that appropriate protections are in place to keep your personal data secure. If you would like a list of the partners and countries with whom your data have been shared, please contact us.

General Website Visitors

Purposes of processing

When you visit our website, we process your data for the following purposes, and under the following lawful bases:

· To deliver the website, manage and analyse traffic and protect ourselves against digital risks

• Legitimate interest

· To place cookies on your device

• Consent

· When you ask to find out more about us and our products

• Consent

· When you contact us or book an appointment

• Consent

Note that this does not include processing of your data in the context of using our product and service websites or apps as a customer; please refer to the relevant product or service for further details.

The categories of personal data we collect and process

We currently collect the following categories of data when you use our website:
· Browser data
· Cookies
· Contact and demographic information if you ask for more information, contact us or book an appointment

Retention of data

We will retain browser data and cookies from the website for 90 days. Personal data relating to requests for information and appointments will be retained for 3 years following the date of collection or your last interaction with us, whichever is the later.

Sharing your personal data with third parties

We share your data with the following third parties (see also the Data Sharing section above):
· Within Sagicor
· Our technology and service partners

In-person visitors

Purpose of processing

When you visit any of Sagicor Group Jamaica’s offices and branch locations, we process your data for the following purposes, and under the following lawful bases:

· Access controls and visitor logs

• Legal obligation and legitimate interest

· Prevention and detection of crime

• Legitimate interest

· Health and safety

• Legal obligation

The categories of personal data we collect and process

We currently collect the following categories of data:

· Contact and demographic details

· Government-issued identification

· CCTV (refer to the CCTV section also)

Retention of data

We will retain a visitor log and associated identifying information including biometrics for a period of 90 days, unless an incident is suspected.

Sharing your personal data with third parties

We share your data with the following third parties:
· Within Sagicor
· Our technology and service partners
· Law enforcement if required
· Our regulators if required

CCTV

Purpose of processing

We operate recorded CCTV systems at all of our physical locations. If you visit us, or come within the field of view of our cameras, we process your data for the following purposes, and under the following lawful bases:

· Prevention and detection of crime

• Legitimate interest

· Health and safety

• Legal obligation and legitimate interest

The categories of personal data we collect and process

We currently collect the following categories of data:

· CCTV

Retention of data

We will keep recordings which may include your personal data for a period of 30 days, unless an incident is suspected, in which case the recording may be required for further investigation.

Sharing your personal data with third parties

We share your data with the following third parties only if required to do so by law:
· Our technology and service partners
· Law enforcement if required
· Our regulators if required
 

Individual Life and Health Insurance

Purpose of processing

In order to offer you, consider you for and provide you with life and health insurance, we process your data for the following purposes, and under the following lawful bases:

· To facilitate an efficient and effective insurance process and customer service

• Performance of a contract

· To ensure current and future clients’ insurance coverage is matched to their requirements

• Legitimate interest (for marketing and product development), legal obligation and performance of a contract.

· To prepare and manage suitable insurance policies

• Performance of a contract

· To identify and communicate with beneficiaries

• Performance of a contract

· To manage claims against members' policies

• Performance of a contract, and in rare cases the protection of vital interests of the data subject

· To make and receive payments

• Performance of a contract

· To manage claims against clients’ policies

• Performance of a contract

· To detect, prevent and investigate fraud

• Legal obligation and our legitimate interest

· To assess and improve business performance

• Legitimate interest

· To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations

• Legal obligation

· To report to regulators

• Legal obligation

· To provide online services

• Performance of a contract, legitimate interest and consent for cookies

· For the purposes of direct marketing

• Legitimate interest (selection and profiling) and consent (contact)

The categories of personal data we collect and process

· Contact and demographic information
· Government-issued identification
· Employment information
· Filiation information
· Financial information
· Health information
· Insurance information
· Criminal records
· Call recordings

Retention of data

We will keep at least some of your personal data for a period of 7 years following the expiry of your policy or the closure of any claim, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 7 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on termination of your policy or at the moment that a final decision not to proceed is taken.

Sharing your personal data with third parties

We share your data with the following third parties:
· Within Sagicor
· Our technology and service partners
· Your insurance broker and our agents
· Other insurers either directly or via an industry association
· Our regulators
· Health professionals and providers

Group Life and Health Insurance via Your Employer

Purpose of processing

We, along with your employer, are joint data controllers for group life and health insurance benefits and administration. We process your data, which may be obtained from your employer as well as directly from you, for the following purposes and under the following lawful bases:

· To facilitate an efficient and effective insurance process and customer service

• Performance of a contract

· To ensure current and future clients’ insurance coverage is matched to their requirements

• Legitimate interest (for marketing and product development), legal obligation and performance of a contract.

· To prepare and manage suitable insurance policies

• Performance of a contract

· To identify and communicate with beneficiaries

• Performance of a contract

· To manage claims against members' policies

• Performance of a contract, and in rare cases the protection of vital interests of the data subject

· To identify and communicate with beneficiaries

• Performance of a contract

· To make and receive payments

• Performance of a contract

· To manage claims against members’ policies

• Performance of a contract

· To detect, prevent and investigate fraud

• Legal obligation and our legitimate interest

· To assess and improve business performance

• Legitimate interest

· To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations

• Legal obligation

· To report to regulators

• Legal obligation

· To provide online services

• Performance of a contract, legitimate interest and consent for cookies

The categories of personal data we collect and process

Retention of data

We will keep at least some of your personal data for a period of 7 years following the expiry of your policy or the closure of any claim, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 7 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on termination of your policy or at the moment that a final decision not to proceed is taken.

Sharing your personal data with third parties

We share your data with the following third parties:

· Within Sagicor
· Our technology and service partners
· Your employer
· Your employer’s insurance brokers and our agents
· Other insurers either directly or via an industry association
· Our regulators
· Health professionals and providers

Pensions provided via Your Employer

Purposes of processing

We, along with the trustees of your pension fund, are joint data controllers for pensions administration. We process your data, which may be obtained from your employer as well as directly from you, for the following purposes and under the following lawful bases:

· To facilitate an efficient and effective pension process and customer service

• Performance of a contract

· To ensure current and future members’ pension provision is matched to their requirements

• Legitimate interest (for marketing and product development), legal obligation and performance of a contract.

· To manage pension schemes

• Performance of a contract

· To make and receive payments

• Performance of a contract

· To identify and communicate with beneficiaries

• Performance of a contract

· To detect, prevent and investigate fraud

• Legal obligation and our legitimate interest

· To assess and improve business performance

• Legitimate interest

· To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations

• Legal obligation

· To report to regulators

• Legal obligation

The categories of personal data we collect and process

• Contact and demographic information

• Government-issued identification

• Employment information

• Filiation information

• Financial information

• Health information

• Call recordings

Retention of data

We will keep at least some of your personal data for a period of 7 years following the expiry of your policy or the closure of any claim, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 7 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on termination of your policy or at the moment that a final decision not to proceed is taken.

Sharing your personal data with third parties

We share your data with the following third parties:
· Within Sagicor
· Our technology and service partners
· Your employer
· Other pension scheme providers either directly or via an industry association
· Our regulators

Individual Pensions

Purpose of processing

We process your data for the following purposes, and under the following lawful bases:

· To facilitate an efficient and effective pension process and customer service

• Performance of a contract

· To ensure current and future clients’ pension provisions are matched to their requirements

• Legitimate interest (for marketing and product development), legal obligation and performance of a contract.

· To prepare and manage suitable pension schemes

• Performance of a contract

· To make and receive payments

o Performance of a contract

· To detect, prevent and investigate fraud

• Legal obligation and our legitimate interest

· To assess and improve business performance

• Legitimate interest

· To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations

• Legal obligation

· To report to regulators

• Legal obligation

· To provide online services

• Performance of a contract, legitimate interest and consent for cookies

· For the purposes of direct marketing

• Legitimate interest (selection and profiling) and consent (contact)

The categories of personal data we collect and process

Retention of data

We will keep at least some of your personal data for a period of 7 years following the expiry of your pension or the closure of any policy, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 7 years from the date on which a final payment was made to you. We retain this data to comply with our regulatory obligations and to provide for legal claims.

Sharing your personal data with third parties

We share your data with the following third parties:
· Within Sagicor
· Our technology and service partners
· Your broker or advisor and our agents
· Your employer
· Other pension scheme providers
· Our regulators
· Health professionals and providers if required

General Insurance

Purpose of processing

We process your data for the following purposes, and under the following lawful bases:

· To facilitate an efficient and effective insurance process and customer service

• Performance of a contract

· To ensure current and future clients’ insurance coverage is matched to their requirements

• Legitimate interest (for marketing and product development), legal obligation and performance of a contract.

· To prepare and manage suitable insurance policies

• Performance of a contract

· To manage claims against members' policies

• Performance of a contract, and in rare cases the protection of vital interests of the data subject

· To make and receive payments

• Performance of a contract

· To manage claims against clients’ policies

• Performance of a contract

· To detect, prevent and investigate fraud

• Legal obligation and our legitimate interest

· To assess and improve business performance

• Legitimate interest

· To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations

• Legal obligation

· To report to regulators

• Legal obligation

· To provide online services

• Performance of a contract, legitimate interest and consent for cookies

· For the purposes of direct marketing

• Legitimate interest (selection and profiling) and consent (contact)

The categories of personal data we collect and process

Retention of data

We will keep at least some of your personal data for a period of 7 years following the expiry of your policy or the closure of any claim, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 7 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on termination of your policy or at the moment that a final decision not to proceed is taken.

Sharing your personal data with third parties

We share your data with the following third parties:
· Within Sagicor
· Our technology and service partners
· Your insurance broker and our agents
· Other insurers either directly or via an industry association
· Our regulators
· Health professionals and providers if required

Retail Banking including Lending and Deposit-taking Services

Purposes of processing

This information also applies to our lending and deposit-taking operations in countries where we do not provide a full banking service.

We process your data for the following purposes, and under the following lawful bases:

· Due diligence, including KYC/ AML purposes

• Legal obligation

· For customer relationship management

• Performance of a contract

· Credit decision-making

• Legal obligation (affordable lending) and legitimate interest

· For loan servicing

• Performance of a contract

· To service savings and checking accounts as applicable

• Performance of a contract

· To provide online services where these are offered

• Performance of a contract, legitimate interest and consent for cookies

· To detect, prevent and investigate fraud

• Legal obligation and our legitimate interest

· Reporting to regulators

• Legal obligation

· For the purposes of direct marketing

• Legitimate interest (selection and profiling) and consent (contact)

The categories of personal data we collect and process

· Contact and demographic information
· Government-issued identification
· Employment information
· Filiation information
· Financial information
· Insurance information
· Vehicle information
· Criminal records
· Call recordings
· Browser data (if online services are provided)
· Cookies (if online services are provided)

Retention of data

We will keep at least some of your personal data for a period of 7 years following the closure of your accounts or satisfaction any borrowing, whichever is the later. If for any reason we collect your data but no account is opened for you or credit issued, we will retain at least some of your data for 7 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on closure of your account, satisfaction of your loan or at the moment that a final decision not to proceed is taken.

Sharing your personal data with third parties

We share your data with the following third parties:

· Within Sagicor
· Our technology and service partners
· Your advisors and brokers and our agents
· Credit reference agencies
· Your employer
· Other financial institutions either directly or via an association
· Our regulators

Business and Corporate Banking

Purpose of processing

We process your data for the following purposes, and under the following lawful bases:

· Due diligence, including KYC/ AML purposes

• Legal obligation

· For customer relationship management

• Performance of a contract

· For credit decision-making

• Legal obligation (affordable lending) and legitimate interest

· For loan servicing

• Performance of a contract

· For Point-of-Sale machines

• Performance of a contract

· To service savings and checking accounts

• Performance of a contract

· To provide online services

• Performance of a contract, legitimate interest and consent for cookies

· To detect, prevent and investigate fraud

• Legal obligation and our legitimate interest

· Reporting to regulators

• Legal obligation

· For the purposes of direct marketing

• Legitimate interest (selection and profiling) and consent (contact)

The categories of personal data we collect and process

We currently collect and use the following categories of data to enable the administration of Group life and health insurance:

Retention of data

We will keep at least some of your personal data for a period of 7 years following the closure of your accounts or satisfaction any borrowing, whichever is the later. If for any reason we collect your data but no account is opened for you or credit issued, we will retain at least some of your data for 7 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on closure of your account, satisfaction of your loan or at the moment that a final decision not to proceed is taken.

Sharing your personal data with third parties

We share your data with the following third parties:

· Within Sagicor
· Our technology and service partners
· Your advisors and brokers and our agents
· Credit reference agencies
· Other financial institutions either directly or via an association
· Our regulators

Wealth and Investment Management

Purposes of processing

We process your data for the following purposes, and under the following lawful bases:

· Due diligence, including KYC/ AML purposes

• Legal obligation

· For customer relationship management

• Performance of a contract

· To provide investment advice

• Performance of a contract and legal obligation

· For credit approvals

• Legal obligation (affordable lending) and legitimate interest

· To make and receive payments

• Performance of a contract

· To service investment accounts and execute transactions

• Performance of a contract

· To detect, prevent and investigate fraud

• Legal obligation and our legitimate interest

· To provide online services

• Performance of a contract, legitimate interest and consent for cookies

· Reporting to regulators

• Legal obligation

   

· For the purposes of direct marketing

• Legitimate interest (selection and profiling) and consent (contact)

The categories of personal data we collect and process

· Contact and demographic information
· Government-issued identification
· Employment information
· Filiation information
· Financial information
· Insurance information
· Criminal records
· Call recordings
· Browser data (if online services are provided)
· Cookies (if online services are provided)

Retention of data

We will keep at least some of your personal data for a period of 7 years following the closure of your accounts or satisfaction of any borrowing, whichever is the later. If for any reason we collect your data but no account is opened for you or credit agreement entered into we will retain at least some of your data for 7 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on closure of your account, satisfaction of all outstanding lending or at the moment that a final decision not to proceed is taken.

Sharing your personal data with third parties

We share your data with the following third parties:

Cambio (Bureau de change)

Purpose of processing

Cambio. We process your data for the following purposes, and under the following lawful bases:

· Due diligence, including KYC/ AML purposes

• Legal obligation

· To facilitate an efficient and effective foreign exchange process and customer service

• Performance of a contract

· To make and receive payments

• Performance of a contract

· To detect, prevent and investigate fraud

• Legal obligation and our legitimate interest

· To assess and improve business performance

• Legitimate Interest

· To report to regulators

• Legal obligations

· For the purposes of direct marketing

• Legitimate interest (selection and profiling) and consent (contact)

The categories of personal data we collect and process

Retention of data

We will keep at least some of your personal data for a period of 7 years following your most recent transaction. If for any reason we collect your data but no transaction is performed, we will retain at least some of your data for 7 years from the date on which the data was collected. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted 3 years after your last transaction or the collection of the information, whichever is the later.

Sharing your personal data with third parties

We share your data with the following third parties:
· Within Sagicor
· Our technology and service partners
· Other financial institutions either directly or via an association
· Our regulators

Property Sales and Services

Purpose of processing

We process your data for the following purposes, and under the following lawful bases:

· Due diligence, including KYC/ AML purposes

• Legal obligation

· To sell or rent a property to you

• Performance of a contract

· To maintain our rental properties

• Performance of a contract

· To make and receive payments

• Performance of a contract

· To detect, prevent and investigate fraud

• Legal obligation and our legitimate interest

· To report to regulators

• Legal obligation

· To provide online services

• Performance of a contract, legitimate interest and consent for cookies

· For the purposes of direct marketing

• Legitimate interest (selection and profiling) and consent (contact)

The categories of personal data we collect and process

· Contact and demographic information
· Government-issued identification
· Employment information
· Financial information
· Insurance information
· Browser data (if online services are provided)
· Cookies (if online services are provided)

Retention of data

We will keep at least some of your personal data for a period of 7 years following your most recent transaction. If for any reason we collect your data but no transaction is performed, we will retain at least some of your data for 7 years from the date on which the data was collected. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted 3 years after your last transaction or the collection of the information, whichever is the later.

Sharing your personal data with third parties

We share your data with the following third parties:
· Within Sagicor
· Our technology and service partners
· Other financial institutions either directly or via an association
· Our regulators

Corporate Registrar Services

Purpose of processing

We process your data for the following purpose, and under the following lawful basis:

· Provider registrar services to our corporate clients

• Performance of a contract

· Due diligence, including KYC/ AML purposes

• Legal obligation

· To make and receive payments

• Performance of a contract

· To detect, prevent and investigate fraud

• Legal obligation and our legitimate interest

· To report to regulators

• Legal obligation

The categories of personal data we collect and process

Retention of data

We will keep at least some of your personal data for a period of 7 years following the termination of your contract with us. If for any reason we collect your data but no contract is entered into, we will retain at least some of your data for 7 years from the date on which the data was collected. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted 3 years after your contract termination or the collection of the information, whichever is the later.

Sharing your personal data with third parties

We share your data with the following third parties:

· Within Sagicor
· Our technology and service partners
· Other financial institutions including stock exchanges, brokers and registrars either directly or via an association
· Our regulators

Shareholders

Purpose of processing

The entity in which you are a shareholder will process your data for the following purposes, and under the following lawful bases:

· Statutory notice requirements for shareholders

• Performance of a contract

· Due diligence, including KYC/ AML purposes

• Legal obligation

· To make and receive payments

• Performance of a contract

· To detect, prevent and investigate fraud

• Legal obligation and our legitimate interest

· To report to regulators

• Legal obligation

The categories of personal data we collect and process

· Contact and demographic information
· Government-issued identification
· Financial information

Retention of data

We will keep at least some of your personal data for a period of 7 years following the end of your shareholding. If for any reason we collect your data but no shares are owned by you or on your behalf, we will retain at least some of your data for 7 years from the date on which the data was collected. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted 3 years after your shareholding ends or the collection of the information, whichever is the later.

Sharing your personal data with third parties

We share your data with the following third parties:

· Within Sagicor
· Our technology and service partners
· Other financial institutions including stock exchanges, brokers and registrars either directly or via an association
· Our regulators

Job Applicants

Purposes of processing

If you apply for employment with Sagicor, we process your data for the following purposes, and under the following lawful bases:

· In order to assess suitability for a role with Sagicor

• Performance of a contract

· Due diligence, including KYC/ AML purposes

• Legal obligation

· To detect, prevent and investigate fraud

• Legal obligation and our legitimate interest

· To report to regulators

• Legal obligation

· To provide online services

• Performance of a contract, legitimate interest and consent for cookies

The categories of personal data we collect and process

· Contact and demographic information
· Government-issued identification
· Employment information
· Financial information
· Health information
· Browser data (if online application)
· Cookies (if online application)

Retention of data

We will keep your personal data if you are a successful applicant in line with the Employee Privacy Notice retention period. If you are an unsuccessful applicant, we will retain some of your personal data for up to 6 months from the date of your last application.

Sharing your personal data with third parties

We share your data with the following third parties:

· Within Sagicor
· Our technology and service partners
· Other financial institutions including stock exchanges, brokers and registrars either directly or via an association
· Our regulators

Whistleblowing

Purpose of processing

We process your data for the following purpose, and under the following lawful basis:

· To enable the making by employees or the public of specified disclosures of improper conduct

• Public interest and legal obligation

The categories of personal data we collect and process

We may collect any of the following categories of data:

· Contact/ Demographic Data (unless complaint is made anonymously)

Other data may also be collected based on your disclosure; this will depend on the content of that disclosure but will always be collected from and therefore know by you. NOTE: not always the case, as whistleblowing could involve third party whistleblowing.

Retention of data

We will keep at least some of your personal data for as long as necessary to conclude our investigation. After such time, your personal information will be deleted within 6 months.

Sharing your personal data with third parties

We share your data with the following third parties:

· Within Sagicor strictly as needed to support any investigation
· Our technology and service partners
· Regulators and law enforcement as required by law