Contents
About this Privacy Notice
Who We Are
How We Collect Your Persional Information
Definition of Personal Data and Sensitive Personal Data
Your Rights
Transparency
Access
Correction
Erasure and the right to be forgotten
Review of Automated Decision Making
Objection to processing on the basis of legitimate interest
Restriction of Processing
Direct Marketing
Data Portability
Withdrawal of Consent
Southern Caribbean Country-specific Information
Sagicor Southern Caribbean Summary by Country, Data Controller, and Data Protection Regulator
Sagicor Life Country-specific information
Antigua and Barbuda
Aruba
The Bahamas
Barbados
Belize
Bermuda
Curaçao
Dominica
Grenada
Saint Lucia
St. Kitts & Nevis
St. Vincent and the Grenadines
Trinidad and Tobago
Other Countries
Details of our Data Processing
Types and sources of information that we collect
Processing under legal obligation
Data Sharing
Transfers of data to other countries
Purpose for Processing
General website visitors
In-person visitors
CCTV
Individual life and health insurance
Group life and health insurance via your employer
Pensions provided via your employer
Individual pensions
General insurance
Retail banking including lending and deposit-taking services
Wealth and investment management
Remittances
Property sales and services
Shareholders
Job Applicants
Whistleblowing
Sagicor Events and Corporate Social Responsibility (“CSR”) Projects
About this privacy notice
We are committed to protecting and using your personal information responsibly. If you have any questions about this privacy notice, please email [email protected]
The Sagicor Southern Caribbean entities (“Sagicor”, “we”, “our”, “us”) provide this privacy notice as a basis on which we will process your personal data. Please read it carefully to understand our practices regarding your personal data and how we will use it. The information we process, and the reasons why, may vary across our products and services. We explain any differences in this privacy notice.
This privacy notice is for:
- anyone who buys, uses or contacts us about our products and services, or
- someone who is a Sagicor job applicant, or
- people who work with Sagicor, such as intermediaries or third party suppliers providing goods and services to Sagicor. If you are a Sagicor employee or financial advisor, you can find our privacy notice relating to employment on the Sagicor intranet.
This privacy notice was last updated on 12 March, 2024.
Who we are
Sagicor offers a wide variety of financial products and services across the Caribbean under one brand. Due to regulatory and licensing requirements, these products and services are provided by a number of different legal entities. We are required by law to inform you of the specific legal entities that are responsible for your personal data – these are called “data controllers”.
We address this in the country-specific information below, with specific entity information and contact details. However, for any data protection query related to any Sagicor product or service you should contact our Data Privacy Office directly at [email protected]. Our data protection function operates across and has responsibility for all of our legal entities and you do not need to be able to identify the appropriate legal entity in order to exercise your rights over your data; we will assist you in doing so.
How we collect your personal information
From You
We collect your personal information from you when you get in touch with us:
|
Third Parties
Depending upon the nature of your relationship with us and subject to applicable laws and regulations, we may also collect information about you from third parties: |
|
|
Definition of personal data and sensitive personal data
Personal data is any information about you that is held in a way that allows you to be identified. We treat all personal data with great care and with the commitment to confidentiality that comes from our more than 180 years of experience and responsibility.
Data protection and privacy laws categorise some personal data as “sensitive.” This places additional duties on us to protect it and show that we are processing it for the right reasons. Please see below for the definition of how your country defines sensitive personal data.
Your rights
Your personal data belongs to you. We use it to provide products and services to you, to obey the law and to improve our services.
Different countries have different laws regarding personal data. Your legal rights will depend on where you live and where we process your data; you can find more details in the relevant country-specific sections below. To make things simple, wherever you live and whatever your relationship with us, we give you the following rights over your data:
Transparency
You have the right to a detailed explanation of what data we have about you, how and where we use it, how long we keep it and with whom it is shared. That information is contained in the details of our data processing below.
Access
You have the right to a copy of the data we hold about you. We will not charge you for providing this information in electronic form; we may charge for providing it on paper to reflect the costs and environmental impact of doing so. We may ask you to prove your identity before we release your data to you. If you want the data for a specific reason, you can help us by letting us know. Please be aware that no-one can force you to get a copy of your data and no-one should ask you to share it with them.
Correction
You have the right to have your data corrected. If you believe we have incomplete or incorrect information about you, please let us know. We may ask you to provide your identity and to provide evidence supporting the changes you would like made.
Erasure and the right to be forgotten
You have the right to have your data erased if we no longer need it. Note that in many cases we need to retain data about you in order to honour our obligations to you, because we are required to by law, or to protect your and our interests.
Review of automated decision making
You have the right to a human review of decisions we have made about you by purely automated means. Please note that almost all of our decision-making is already reviewed by a person – we use automation to support our team members.
Objection to processing on the basis of legitimate interest
You have the right to object to processing of your data where we use it to help us improve our services and develop our business. Technically this is known as processing on the basis of our legitimate interests and there is more information about this processing in the privacy notice. We are required carefully to consider and respond to your objection and show that we have taken care to protect you when doing such processing; you may also require that we do not process your data while we are considering your objection.
Restriction of Processing
You have the right, in certain other circumstances, to require us to stop processing your data. These circumstances are:
- Where we disagree about the accuracy of the information we hold about you and while we are verifying that information.
- Where we no longer require personal data that we hold about you and would normally erase it, but you wish us to retain it without otherwise processing it, for instance where you believe that you may need the information for your own purposes in a legal claim.
- You believe that the processing of your data may cause you substantial harm or distress and that our processing is not justified in accordance with the law.
Direct Marketing
You have the right to opt out of direct marketing. Note that if you do not specify which marketing you no longer wish to receive, we will stop sending you any marketing information. You will need to tell us the email addresses, phone numbers and other relevant details, and you will understand that we will need to keep these details so that we can be sure not to add you back to marketing lists in error. You also, of course, have the right to opt back into marketing at any time.
Please note that in relation to service communications, Sagicor may be required contractually or legally to continue to send you service related messages only for administrative or customer service reasons.
Data portability
In some circumstances you have the right to ask us to transfer your data to another service provider directly. This can only be done where it is technically possible both for us and for the other service provider; we and they will let you know when this is the case.
Withdrawal of consent
Most of our processing of your data is performed for one of three reasons:
- in service of a contract between you and us, or in order to enter into such a contract;
- to comply with legal obligations placed on us by the government and our regulators; or
- to help us improve our services by better understanding our customers and their needs.
However, in some cases we will ask you for your consent to processing. Where we have done so, you have the right to withdraw your consent at any time and we will stop processing. We will explain the consequences of withdrawing consent at the time we ask for it and when you ask to withdraw it.
If you are not satisfied with Sagicor’s response to any enquiry or complaint you make to us, you have the right to complain to your Data Protection Regulator, whose contact details (where available) have been provided in this privacy notice.
If you would like to know more about our processing of your data or would like to exercise any of your rights, you can email us at [email protected]. You can also write to us at the address given in the relevant section for your country of residence or call our any of our regular service centre numbers and ask to speak to the privacy team.
Southern Caribbean Country Details
Country-specific information
The following information is specific to your country of residence and the Sagicor products you have.
Sagicor Southern Caribbean Summary by Country, Data Controller, and Data Protection Regulator
Country |
Data Controller |
Data Protection Regulator |
Antigua and Barbuda |
Sagicor Life (Eastern Caribbean) Inc Sagicor General Insurance Inc Sir Sydney Walling Highway St John's Antigua and Barbuda
|
N/A |
Aruba |
Sagicor Life Aruba NV Avenida Milio Croes #106 Suite 1, 2, 3 and 4 P.O. Box 166 Oranjestad Aruba
|
N/A |
The Bahamas |
Sagicor Capital Life Insurance Company Ltd. Sagicor General Insurance Inc Mareva House 4 George Street PO Box N-3937 Bahamas
FamGuard Corporation Limited Corporate Centre No. 1 Shirley Street P.O. Box SS-6232 Nassau, Bahama |
The Office of the Data Protection Commissioner 31A Poinciana House North Building East Bay Street P.O. Box N-3017 Nassau Bahamas
Tel: +1 (242) 604-1001 Email: [email protected]
There is also an electronic complaints form at the Commissioner’s website: https://www.bahamas.gov.bs/wps/wcm/connect/87dc045f-77d8-4a20-b8ad-a254496144e6/DPA-Privacy+Complaint+Form.pdf?MOD=AJPERES
|
Barbados |
Sagicor Life Inc Barbados Farms Ltd Sagicor Asset Management Inc Sagicor General Insurance Inc The Estates (Residential Properties) Limited Cecil F de Caires Building Wildey St. Michael Barbados
Sagicor Bank (Barbados) Limited Worthing Corporate Centre Worthing Christ Church Barbados
|
Data Protection Commission Ministry of Industry, Innovation, Science & Technology 5th Floor, SSA Building Vaucluse St. Thomas Barbados
Tel: +1 (246) 536-1280 Email: [email protected] |
Belize |
Sagicor Life Inc Coney Drive Business Plaza Coney Drive P.O. Box 1939 Belize City Belize
|
N/A |
Bermuda |
Sagicor Financial Company Ltd Clarendon House 2 Church Street Hamilton HM11 Bermuda
Sagicor Reinsurance Bermuda Ltd Point House 2nd Floor 6 Front Street Hamilton HM 11 Bermuda
|
Office of the Privacy Commissioner Maxwell Roberts Building, 4th Floor 1 Church Street Hamilton, HM11 Bermuda Tel: +1 (441)-543-PRIV [-7748]
Email: [email protected]
|
Curaçao |
Sagicor Life Inc Curaçao Schottegatweg Oost #11 Willemstad Curaçao
|
N/A |
Dominica
|
Sagicor Life (Eastern Caribbean) Inc WillCher Services Inc, 44 Hillsborough Street, Corner Hillsborough & Independence Street, Roseau, Dominica
Sagicor General Insurance Inc H.H.V. Whitchurch & Company Limited, P.O. Box 771, Roseau, Dominica
|
N/A |
Grenada |
Sagicor Life (Eastern Caribbean) Inc The Mutual/Trans-Nemwil Office Complex The Villa St George’s Grenada
|
N/A |
St. Lucia |
Sagicor Life (Eastern Caribbean) Inc Sagicor General Insurance Inc Sagicor Financial Centre Choc Estates Castries Saint Lucia
Sagicor Finance Inc Daher Commercial Centre, 2nd Floor Rodney Bay Gros Islet Saint Lucia
|
Attorney General’s Chambers 2nd Floor Francis Compton Building, Waterfront, Castries, Saint Lucia Tel: +1 (758) 468-3200
Email: [email protected] Email: [email protected]
|
St. Kitts and Nevis |
Sagicor Life (Eastern Caribbean) Inc TDC Building, Fort Street, Basseterre, St. Kitts
|
N/A |
St. Vincent and the Grenadines |
Sagicor Life (Eastern Caribbean) Inc S.V. Browne Agency Limited, Frenches, Kingstown, St. Vincent and the Grenadines
|
N/A |
Trinidad and Tobago |
Sagicor Life Insurance Trinidad & Tobago Limited Sagicor Investments Trinidad & Tobago Limited Sagicor Life Insurance Trinidad & Tobago Limited Sagicor General Insurance Trinidad & Tobago Limited Nationwide Insurance Company Limited
Sagicor Financial Centre Trinidad
|
N/A |
Sagicor Life Country-specific information
The following information is specific to your country of residence and the Sagicor products you have.
Antigua and Barbuda
Audience
This information is for residents of Antigua and Barbuda; note that you should also read the sections on Barbados, Saint Lucia and Trinidad to understand the rights that apply to you because we process some of your personal data in those countries also.
Data protection law
The data protection law in Antigua and Barbuda is the Data Protection Act of 2013. This act defines sensitive personal data as information on a person’s:
- physical or mental health;
- sexual orientation;
- political opinions;
- religious beliefs or beliefs of a similar nature, or;
- commission or alleged commission of any offence.
Antigua and Barbuda does not explicitly include financial records, biometric or genetic data in the definition of sensitive data but we at Sagicor will continue to treat any information of this kind that we hold about you in the strictest confidence and share it internally and externally only as needed to meet our contractual and service obligations to you and to comply with the law.
There is no local data protection regulator at this time.
Aruba
Audience
This information is for residents of Aruba; note you should also read the sections on Barbados and Trinidad to understand the rights that apply to you because we process some of your personal data in those countries also.
Data protection law
Aruba has no specific data protection laws at this time, so there is no specific definition of sensitive data or any additional rights that apply to you. There is no local data protection regulator.
The Bahamas
Audience
This information is for residents of the Bahamas; note that you should also read the sections on Barbados and Trinidad to understand the rights that apply to you because we process some of your personal data in those countries also.
Data protection law
The data protection law in the Bahamas is the Data Protection (Privacy of Personal Information) Act of 2003. This act defines sensitive personal data as information on a person’s:
- racial origin;
- political opinions or religious or other beliefs;
- physical or mental health (other than any such data reasonably kept by [the data controller] in relation to the physical or mental health of their employees in the ordinary course of personnel administration and not used or disclosed for any other purpose);
- trade union involvement or activities;
- sexual life; or
- criminal convictions, the commission or alleged commission of any offence, or any proceedings for any offence committed, the disposal of such proceedings or the sentence of any court in such proceedings.
The Bahamas does not explicitly include financial records, biometric or genetic data in the definition of sensitive data but we at Sagicor will continue to treat any information of this kind that we hold about you in the strictest confidence and share it internally and externally only as needed to meet our contractual and service obligations to you and to comply with the law.
If you are not satisfied with Sagicor’s response to any enquiry or complaint you make to us, you have the right to complain to the Office of the Data Protection Commissioner of the Bahamas, whose contact details are as follows:
The Office of the Data Protection Commissioner
31A Poinciana House
North Building
East Bay Street
P.O. Box N-3017
Nassau
Bahamas
Tel: +1 (242) 604-1001
Email: [email protected]
There is also an electronic complaints form at the Commissioner’s website: https://www.bahamas.gov.bs/wps/wcm/connect/87dc045f-77d8-4a20-b8ad-a254496144e6/DPA-Privacy+Complaint+Form.pdf?MOD=AJPERES
Barbados
Audience
This information is primarily for residents of Barbados. If you are a customer of Sagicor in Barbados or the countries listed below, your data is also processed by Sagicor in Barbados and Trinidad & Tobago; you should read this section and that for Trinidad & Tobago as well as the relevant section for your country of residence applies to you.
- Antigua and Barbuda
- Aruba
- Bahamas
- Belize
- Bermuda
- Curaçao
- Dominica
- Grenada
- Saint Lucia
- St Kitts & Nevis
- St Vincent and the Grenadines
- Trinidad & Tobago
Data protection law
The data protection law in Barbados is the Data Protection Act of 2019. This act defines sensitive personal data as information on a data subject’s:
- racial or ethnic origin;
- political opinions;
- religious beliefs or other beliefs of a similar nature;
- membership of a political body;
- membership of a trade union;
- genetic data;
- biometric data;
- sexual orientation or sexual life;
- financial record or position;
- criminal record; or
- proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court of competent jurisdiction in such proceedings.
Barbados does not include health records in the definition of sensitive data but we at Sagicor will continue to treat your health information in the strictest confidence and share it only with medical professionals and as needed to meet our contractual obligations to you and to comply with the law.
If you are not satisfied with Sagicor’s response to any enquiry or complaint you make to us, you have the right to complain to the Data Protection Commissioner of Barbados, whose contact details are as follows:
Data Protection Commission
Ministry of Industry, Innovation, Science & Technology
5th Floor, SSA Building
Vaucluse
St. Thomas
Barbados
Tel: +1 (246) 536-1280
Email: [email protected]
Belize
Audience
This information is for residents of Belize; note that you should also read the sections on Barbados, Saint Lucia and Trinidad & Tobago to understand the rights that apply to you because we process some of your personal data in those countries also.
Data protection law
The data protection law in Belize is governed by the Data Protection Act of 2021.
There is not yet an appointed Data Protection Commissioner for Belize.
Bermuda
Audience
This information is for residents of Bermuda; note that you should also read the section on Barbados to understand the rights that apply to you because we process some of your personal data in that country also.
Data protection law
The data protection law in Bermuda is governed by the Personal Information Protection Act of 2016. The law will only take full effect from the 1st of January 2025, but Sagicor is committed to operating in a compliant manner and protecting your privacy now.
If you are not satisfied with Sagicor’s response to any enquiry or complaint you make to us, you have the right to complain to the Office of the Privacy Commissioner of Bermuda, whose contact details are as follows:
Office of the Privacy Commissioner
Maxwell Roberts Building, 4th Floor
1 Church Street
Hamilton, HM11
Bermuda
Tel: +1 (441)-543-PRIV [-7748]
Email: [email protected]
There is also an electronic contact form at the Commissioner’s website: https://www.privacy.bm/contact-us
Sagicor data controller in Bermuda
Sagicor does not presently offer financial services in Bermuda. Our ultimate holding company is registered there and is the data controller for our shareholder register and associated processing. We also operate a reinsurance provider which may receive personal data from other jurisdictions.
Curaçao
Audience
This information is for residents of Curaçao; note that you should also read the sections on Barbados and Trinidad & Tobago to understand rights that apply to you because we process some of your personal data in those countries.
Data protection law
The data protection law in Curaçao is governed by Landsverordening bescherming persoonsgegevens
consolidated text no. 84, or the “(National Ordinance Personal Data Protection).” This act defines sensitive data as information on data subjects including a person’s:
- religion or belief;
- race;
- political views;
- health data;
- sexual life;
- membership of a trade union.
Curaçao does not include financial records, biometric or genetic data in the definition of sensitive data but we at Sagicor will continue to treat your financial information in the strictest confidence and share it internally and externally only as needed to meet our contractual and service obligations to you and to comply with the law.
While there is a Data Protection Commissioner, at the time of writing, the law is not fully in force. This notice will be updated as the provisions become in force.
Dominica
Audience
This information is for residents of Dominica; note that you should also read the sections on Barbados, Saint Lucia and Trinidad & Tobago to understand the rights that apply to you because we process some of your personal data in those countries also.
Data protection law
Dominica has no specific data protection laws at this time, so there is no specific definition of sensitive data or any additional rights that apply to you.
Grenada
Audience
This information is for residents of Grenada; note that you should also read the sections on Barbados, Saint Lucia and Trinidad & Tobago to understand the rights that apply to you because we process some of your personal data in those countries also.
Data protection law
The data protection law in Grenada is governed by the Data Protection Act of 2023.
Given the recent enactment of the Act, the Office of the Data Protection Commissioner has not yet been staffed, but this notice will be updated with contact details once available.
Saint Lucia
Audience
This information is for residents of Saint Lucia; note that you should also read the sections on Barbados and Trinidad & Tobago to understand the rights that apply to you because we process some of your personal data in those countries also.
If you are resident in any of the following countries, we may also process some of your personal data in Saint Lucia (in addition to Barbados):
- Antigua and Barbuda
- Belize
- Dominica
- Grenada
- St Kitts & Nevis
- St Vincent and the Grenadines
Data protection law
The data protection law in Saint Lucia is governed by the Privacy and Data Protection Act of 2011 as amended in 2015. Saint Lucia has not at the time of writing appointed a Data Protection Commissioner. In the meantime you may contact the Attorney General if you are not satisfied with Sagicor’s response to any enquiry or complaint you may make to us:
Attorney General’s Chambers
2nd Floor Francis Compton Building,
Waterfront,
Castries, Saint Lucia
Tel: +1 (758) 468-3200
Email: [email protected]
Email: [email protected]
St. Kitts & Nevis
Audience
This information is for residents of St. Kitts & Nevis; note that you should also read the sections on Barbados, Saint Lucia and Trinidad & Tobago to understand the rights that apply to you as we process some of your personal data in those countries also.
Data protection law
The data protection law in St. Kitts & Nevis is governed by the Data Protection Bill of 2018. At the time of writing this Bill is not yet in force.
St. Kitts & Nevis has not yet appointed an Information Commissioner; when that appointment has been made we will update this privacy notice with the appropriate contact details.
St. Vincent and the Grenadines
Audience
This information is for residents of St. Vincent and the Grenadines; note that you should also read the sections on Barbados, Saint Lucia and Trinidad & Tobago to understand the rights that apply to you because we process some of your personal data in those countries also.
Data protection law
The data protection law in St. Vincent and the Grenadines is governed by the Privacy Act (No. 18), 2003.
St. Vincent and the Grenadines has not at the time of writing, appointed a Data Protection Commissioner. We will update this privacy notice with the appropriate contact details when an appointment is made.
Trinidad and Tobago
Audience
This information is for residents of Trinidad and Tobago; note that you should also read the section on Barbados to understand the rights that apply to you because we process some of your personal data in Barbados also. If you are a customer of Sagicor in the countries listed below, your data is also processed by Sagicor in Trinidad & Tobago; you should read this section as well as the relevant section for your country of residence.
- Antigua and Barbuda
- Aruba
- Bahamas
- Belize
- Bermuda
- Curaçao
- Dominica
- Grenada
- Saint Lucia
- St Kitts & Nevis
- St Vincent and the Grenadines
Data protection law
The data protection law in Trinidad and Tobago is governed by the Data Protection Act of 2011. The law has not at the time of writing been brought into full effect, but Sagicor is committed to operating in a compliant manner and protecting your privacy now.
Trinidad and Tobago has not yet appointed an Information Commissioner; when that appointment has been made we will update this privacy notice with the appropriate contact details.
Other countries
The countries listed above are those where Sagicor is licensed to do business. If you bought a Sagicor product while resident in one of those countries and have now moved elsewhere, additional rights may apply to you based on your country of residence. However, this will depend on whether we are permitted to continue to offer our services to you in that country. Please contact us at [email protected] for further information.
Details of our data processing
Types and sources of information that we may collect
The information that we collect and process varies depending on the context. Each section below lists the categories that we may collect for the purposes listed. To understand which categories we collect and process about you, please refer to the details of processing for the specific products, services or circumstances that apply to you. The categories are as follows:
Category |
Examples of data collected |
Biometric information |
Digital representations of your face, fingerprints, iris or retina used to identify you. |
Browser data |
Details provided by your computer or phone when using an app or internet browser including IP address and technical information about your device. |
Call recordings |
Audio and video recordings of inbound and outbound telephone and video conference calls |
CCTV |
Video recordings collected by cameras installed at our premises which may capture public areas surrounding our buildings as well as interior space. |
Contact and demographic information |
Your name, address, contact information such as telephone number, email address, social media details; your date of birth, marital status and gender. This also includes details of your family, dependents and relations. We will also collect your signature or other authorisation in various contexts. |
Cookies |
Small files placed on your computer or phone by us or third parties which are used to store information as part of delivering our website, app or services and to identify you during and between sessions. |
Criminal records |
Any record of a criminal offence of which you have been suspected, accused, tried or convicted. |
Employment information |
Your employment status, the name and details of your employer, your job title, remuneration and length of service, employer references, any unique identifying number or code provided by your employer. |
Filiation information |
Details of your familial relationships to other people. |
Financial information |
Your financial status, including credit score and references, assets and liabilities, income and outgoings; bank details for making and receiving payments; transactional information including specific payments and receipts as well as ongoing payment obligations and receipt entitlements. |
Government-issued identification |
Identity card or driver’s licence details, passport details, tax or other unique identifying reference numbers. |
Health information |
Your health records, details of health conditions, test results and family medical history; we may also collect genetic data in this context. |
Photographs or videos |
Your image, in video or still, and of the likeness and sound of your voice as recorded on audio or video tape, may be collected if you attend a Sagicor Event or CSR Project. Please note this excludes CCTV which is covered separately above. |
Insurance information |
Current and past policies held, claims and potential claims history including dates, nature of claim, amount, fault and details of any investigation undertaken. |
Trade Union membership |
Whether you are a member of a trade union, the name of that organisation and your position within it if applicable. |
Vehicle information |
Vehicle make and model, value, ownership, method of purchase and amounts owing, insurance status, registration mark or number, VIN, authorised drivers. |
The examples given above are not an inclusive list; please contact us if you would like a complete list of the data we may hold about you.
Processing under legal obligation
In many instances we collect and process personal data because we are obliged to by law. The laws that require this processing will vary by context and by country. To simplify the detailed information below, we have listed the key relevant laws in the section for each country. The legal landscape is continually evolving and some processing will be required by more than one piece of legislation; the lists in this notice are not intended to be inclusive.
Data sharing
Sagicor Group Entities
We will share your personal data with other entities within Sagicor in order to provide our products and services to you. This sharing is protected by binding agreements within Sagicor that ensure your data is protected and used only for the purposes stated in this notice. We will not share your information for the purposes of marketing without your prior consent.
Third Party Service Providers
Like most modern companies, Sagicor uses a number of technology and service partners to enable our services and products. Because of the breadth and complexity of our services it is not possible to provide a list of these partners in this notice; if you would like a list of the partners with whom your personal data are shared, please contact us.
Regulators
As a regulated financial services entity we are required to share your personal data with our regulators and other government functions including those listed in the country-specific section on “Laws requiring the processing of personal data”. If you would like a list of the government and regulatory parties with whom your data has been shared on this basis, please contact us.
Employers, Agents/Brokers and Credit Bureaus
We may also share your data with other parties such as your employer in group insurance plans, an agent or a broker, or with other financial services entities, such as credit bureaus. Where this is envisaged it is noted in the relevant section for the product or service. If you would like a list of the other parties with whom your data has been shared on this basis, please contact us.
Transfers of data to other countries
We transfer your personal data to other countries in a number of circumstances:
Within Sagicor to any of our locations to enable us to provide our services and products; these transfers are protected by binding agreements that include standard contractual clauses setting out the obligations of the sending and receiving parties and the safeguards that must be applied. If you would like more information on our internal transfers and safeguards as they apply to you, please contact us.
To the United States of America for the purposes of IT service provision and data resilience. Our primary data centre is located in the United States, as is our recovery facility. These transfers, which include third party service providers, are protected by binding agreements that include standard contractual clauses setting out the obligations of the sending and receiving parties and the safeguards, including specific technological measures, that must be applied. If you would like more information on our internal transfers and safeguards as they apply to you, please contact us.
To other countries as required to enable the use of technology and service partners. We conduct careful due diligence on all data sharing partners and ensure that appropriate protections are in place to keep your personal data secure. If you would like a list of the partners and countries with whom your data have been shared, please contact us.
Purpose for Processing
Subject to the applicable law in your jurisdiction, the legal bases we may rely on and which are specified in the sections below include:
Consent: where you have clearly consented to the processing of your Personal Information for a specific purpose.
Contract: where our use of your Personal Information is necessary because you have asked us to take specific steps before entering into a contract or for performance of a contract that we have concluded with you such as insurance policies.
Legal obligation: where our use of your Personal Information is necessary to comply with law (not including contractual obligations).
Legitimate interest: where our use of your Personal Information is necessary to advance our legitimate interests or those of a third party (unless your right to privacy overrides our legitimate interest).
General Website Visitors
Purposes of processing
When you visit our website, we process your data for the following purposes, and under the following legal bases:
Purpose of processing |
Legal Basis |
To deliver the website, manage and analyse traffic and protect us against digital risks |
Legitimate interest
|
To place cookies on your device
|
Consent |
When you ask to find out more about us and our products |
Consent |
When you contact us or book an appointment |
Consent |
Note that this does not include processing of your data in the context of using our product and service websites or apps as a customer; please refer to the relevant product or service for further details.
The categories of personal data we collect and process
We currently collect the following categories of data when you use our website:
- Browser data
- Cookies
- Contact and demographic information if you ask for more information, contact us or book an appointment
Retention of data
We will retain browser data and cookies from the website for 90 days. Personal data relating to requests for information and appointments will be retained for 3 years following the date of collection or your last interaction with us, whichever is the later.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor
- Our technology and service partners
In-person visitors
Purpose of processing
When you visit any of Sagicor’s offices and branch locations, we process your data for the following purposes, and under the following legal bases:
- Access controls and visitor logs
- Legal obligation and legitimate interest
- Prevention and detection of crime
- Legitimate interest or legal obligation
- Health and safety
- Legal obligation
The categories of personal data we collect and process
We currently collect the following categories of data:
- Contact and demographic details
- Government-issued identification
- CCTV (refer to the CCTV section also)
Retention of data
We will retain a visitor log and associated identifying information including biometrics for a period of 90 days, unless an incident is suspected.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor
- Our technology and service partners
- Law enforcement if required
- Our regulators if required
CCTV
Purpose of processing
We operate recorded CCTV systems at all of our physical locations. If you visit us, or come within the field of view of our cameras, we process your data for the following purposes, and under the following legal bases:
- Prevention and detection of crime
- Legitimate interest or legal obligation
- Health and safety
- Legal obligation and legitimate interest
The categories of personal data we collect and process
We currently collect the following categories of data:
- CCTV
Retention of data
We will keep recordings which may include your personal data for a period of 30 days, unless an incident is suspected, in which case the recording may be required for further investigation.
Sharing your personal data with third parties
We share your data with the following third parties only if required to do so by law:
- Our technology and service partners
- Law enforcement if required
- Our regulators if required
Individual life and health insurance
Purpose of processing
In order to offer you, consider you for and provide you with life and health insurance, we process your data for the following purposes, and under the following legal bases:
- To facilitate an efficient and effective insurance process and customer service
- Performance of a contract
- To ensure current and future clients’ insurance coverage is matched to their requirements
- Legitimate interest (for marketing and product development), legal obligation and performance of a contract.
- To prepare and manage suitable insurance policies
- Performance of a contract
- To identify and communicate with beneficiaries
- Performance of a contract
- To manage claims against members' policies
- Performance of a contract, and in rare cases the protection of vital interests of the data subject
- To make and receive payments
- Performance of a contract
- To manage claims against clients’ policies
- Performance of a contract
- To detect, prevent and investigate fraud
- Legal obligation and our legitimate interest
- To assess and improve business performance
- Legitimate interest or performance of a contract
- To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations
- Legal obligation
- To report to regulators
- Legal obligation
- To provide online services
- Performance of a contract, legitimate interest and consent for cookies
- For the purposes of direct marketing
- Legitimate interest (selection and profiling) and consent (contact)
The categories of personal data we collect and process
- Contact and demographic information
- Government-issued identification
- Employment information
- Filiation information
- Financial information
- Health information
- Insurance information
- Criminal records
- Call recordings
Retention of data
Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the expiry of your policy or the closure of any claim, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 10 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on termination of your policy or at the moment that a final decision not to proceed is taken.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor
- Our technology and service partners
- Your insurance broker and our agents
- Other insurers either directly or via an industry association
- Our regulators
- Health professionals and providers
Group life and health insurance via your employer
Purposes of processing
We, along with your employer, are joint data controllers for group life and health insurance benefits and administration. We process your data, which may be obtained from your employer as well as directly from you, for the following purposes and under the following legal bases:
- To facilitate an efficient and effective insurance process and customer service
- Performance of a contract
- To ensure current and future clients’ insurance coverage is matched to their requirements
- Legitimate interest (for marketing and product development), legal obligation and performance of a contract.
- To prepare and manage suitable insurance policies
- Performance of a contract
- To manage claims against members' policies
- Performance of a contract, and in rare cases the protection of vital interests of the data subject
- To identify and communicate with beneficiaries
- Performance of a contract
- To make and receive payments
- Performance of a contract
- To manage claims against members' policies
- Performance of a contract
- To detect, prevent and investigate fraud
- Legal obligation and our legitimate interest
- To assess and improve business performance
- Legitimate interest or performance of a contract
- To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations
- Legal obligation
- To report to regulators
- Legal obligation
- To provide online services
- Performance of a contract, legitimate interest and consent for cookies
The categories of personal data we collect and process
- Contact and demographic information
- Government-issued identification
- Employment information
- Filiation information
- Financial information
- Health information
- Insurance information
- Call recordings
Retention of data
Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the expiry of your policy or the closure of any claim, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 10 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on termination of your policy or at the moment that a final decision not to proceed is taken.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor
- Our technology and service partners
- Your employer
- Your employer’s insurance brokers and our agents
- Other insurers either directly or via an industry association
- Our regulators
- Health professionals and providers
Pensions provided via your employer
Purposes of processing
We, along with the trustees of your pension fund, are joint data controllers for pensions administration. We process your data, which may be obtained from your employer as well as directly from you, for the following purposes and under the following legal bases:
- To facilitate an efficient and effective pension process and customer service
- Performance of a contract
- To ensure current and future members’ pension provision is matched to their requirements
- Legitimate interest (for marketing and product development), legal obligation and performance of a contract.
- To manage pension schemes
- Performance of a contract
- To make and receive payments
- Performance of a contract
- To identify and communicate with beneficiaries
- Performance of a contract
- To detect, prevent and investigate fraud
- Legal obligation and our legitimate interest
- To assess and improve business performance
- Legitimate interest or performance of a contract
- To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations
- Legal obligation
- To report to regulators
- Legal obligation
The categories of personal data we collect and process
- Contact and demographic information
- Government-issued identification
- Employment information
- Filiation information
- Financial information
- Health information
- Call recordings
Retention of data
Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the expiry of your policy or the closure of any claim, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 10 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on termination of your policy or at the moment that a final decision not to proceed is taken.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor
- Our technology and service partners
- Your employer
- Other pension scheme providers either directly or via an industry association
- Our regulators
Individual pensions
Purpose of processing
We process your data for the following purposes, and under the following legal bases:
- To facilitate an efficient and effective pension process and customer service
- Performance of a contract
- To ensure current and future clients’ pension provisions are matched to their requirements
- Legitimate interest (for marketing and product development), legal obligation and performance of a contract.
- To prepare and manage suitable pension schemes
- Performance of a contract
- To make and receive payments
- Performance of a contract
- To detect, prevent and investigate fraud
- Legal obligation and our legitimate interest
- To assess and improve business performance
- Legitimate interest or performance of a contract
- To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations
- Legal obligation
- To report to regulators
- Legal obligation
- To provide online services
- Performance of a contract, legitimate interest and consent for cookies
- For the purposes of direct marketing
- Legitimate interest (selection and profiling) and consent (contact)
The categories of personal data we collect and process
- Contact and demographic information
- Government-issued identification
- Employment information
- Filiation information
- Financial information
- Health information
- Call recordings
Retention of data
Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the expiry of your pension or the closure of any policy, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 10 years from the date on which a final payment was made to you. We retain this data to comply with our regulatory obligations and to provide for legal claims.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor
- Our technology and service partners
- Your broker or advisor and our agents
- Your employer
- Other pension scheme providers
- Our regulators
- Health professionals and providers if required
General insurance
Purpose of processing
We process your data for the following purposes, and under the following legal bases:
- To facilitate an efficient and effective insurance process and customer service
- Performance of a contract
- To ensure current and future clients’ insurance coverage is matched to their requirements
- Legitimate interest (for marketing and product development), legal obligation and performance of a contract.
- To prepare and manage suitable insurance policies
- Performance of a contract
- To manage claims against members' policies
- Performance of a contract, and in rare cases the protection of vital interests of the data subject
- To make and receive payments
- Performance of a contract
- To manage claims against clients’ policies
- Performance of a contract
- To detect, prevent and investigate fraud
- Legal obligation and our legitimate interest
- To assess and improve business performance
- Legitimate interest or performance of a contract
- To meet our “know-your-customer” (KYC) and anti-money-laundering (AML) obligations
- Legal obligation
- To report to regulators
- Legal obligation
- To provide online services
- Performance of a contract, legitimate interest and consent for cookies
- For the purposes of direct marketing
- Legitimate interest (selection and profiling) and consent (contact)
The categories of personal data we collect and process
- Contact and demographic information
- Government-issued identification
- Employment information
- Filiation information
- Financial information
- Health information
- Insurance information
- Vehicle information
- Criminal records
- Call recordings
- Browser data
- Cookies
Retention of data
Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the expiry of your policy or the closure of any claim, whichever is the later. If for any reason we collect your data but no policy is put in place for you, we will retain at least some of your data for 10 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on termination of your policy or at the moment that a final decision not to proceed is taken.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor
- Our technology and service partners
- Your insurance broker and our agents
- Other insurers either directly or via an industry association
- Our regulators
- Health professionals and providers if required
Retail banking including lending and deposit-taking services
Purposes of processing
This information also applies to our lending and deposit-taking operations in countries where we do not provide a full banking service.
We process your data for the following purposes, and under the following legal bases:
- Due diligence, including KYC/ AML purposes
- Legal obligation
- For customer relationship management
- Performance of a contract
- Credit decision-making
- Legal obligation (affordable lending) and legitimate interest
- For loan servicing
- Performance of a contract
- To service savings and checking accounts as applicable
- Performance of a contract
- To provide online services where these are offered
- Performance of a contract, legitimate interest and consent for cookies
- To detect, prevent and investigate fraud
- Legal obligation and our legitimate interest
- Reporting to regulators
- Legal obligation
- For the purposes of direct marketing
- Legitimate interest (selection and profiling) and consent (contact)
The categories of personal data we collect and process
- Contact and demographic information
- Government-issued identification
- Employment information
- Filiation information
- Financial information
- Insurance information
- Vehicle information
- Criminal records
- Call recordings
- Browser data (if online services are provided)
- Cookies (if online services are provided)
Retention of data
Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the closure of your accounts or satisfaction any borrowing, whichever is the later. If for any reason we collect your data but no account is opened for you or credit issued, we will retain at least some of your data for 10 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on closure of your account, satisfaction of your loan or at the moment that a final decision not to proceed is taken.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor
- Our technology and service partners
- Your advisors and brokers and our agents
- Credit reference agencies
- Your employer
- Other financial institutions either directly or via an association
- Our regulators
Wealth and investment management
Purposes of processing
We process your data for the following purposes, and under the following legal bases:
- Due diligence, including KYC/ AML purposes
- Legal obligation
- For customer relationship management
- Performance of a contract
- To provide investment advice
- Performance of a contract and legal obligation
- For credit approvals
- Legal obligation (affordable lending) and legitimate interest
- To make and receive payments
- Performance of a contract
- To service investment accounts and execute transactions
- Performance of a contract
- To detect, prevent and investigate fraud
- Legal obligation and our legitimate interest
- To provide online services
- Performance of a contract, legitimate interest and consent for cookies
- Reporting to regulators
- Legal obligation
- For the purposes of direct marketing
- Legitimate interest (selection and profiling) and consent (contact)
The categories of personal data we collect and process
- Contact and demographic information
- Government-issued identification
- Employment information
- Filiation information
- Financial information
- Insurance information
- Criminal records
- Call recordings
- Browser data (if online services are provided)
- Cookies (if online services are provided)
Retention of data
Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following the closure of your accounts or satisfaction of any borrowing, whichever is the later. If for any reason we collect your data but no account is opened for you or credit agreement entered into we will retain at least some of your data for 10 years from the date on which a final decision not to proceed was taken. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted immediately on closure of your account, satisfaction of all outstanding lending or at the moment that a final decision not to proceed is taken.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor
- Our technology and service partners
- Your advisors and brokers and our agents
- Credit reference agencies
- Other financial institutions either directly or via an association
- Our regulators
Remittances
Purposes of processing
We process your data for the following purposes, and under the following legal bases:
- Due diligence, including KYC/ AML purposes
- Legal obligation
- To facilitate an efficient and effective remittance process and customer service
- Performance of a contract
- To make and receive payments
- Performance of a contract
- For customer relationship management
- Performance of a contract
- To provide online services
- Performance of a contract, legitimate interest and consent for cookies
- To detect, prevent and investigate fraud
- Legal obligation and our legitimate interest
- Reporting to regulators
- Legal obligation
- For the purposes of direct marketing
- Legitimate interest (selection and profiling) and consent (contact)
The categories of personal data we collect and process
- Contact and demographic information
- Government-issued identification
- Employment information
- Filiation information
- Financial information
- Browser data (if online services are provided)
- Cookies (if online services are provided)
Retention of data
Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following your most recent transaction, whether sending or receiving money. If for any reason we collect your data but no transaction is performed, we will retain at least some of your data for 10 years from the date on which the data was collected. We retain this data to comply with our regulatory obligations and to provide for legal claims; any data that is not needed for these purposes will be deleted 3 years after your last transaction or the collection of the information, whichever is the later.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor
- Our technology and service partners
- Our remittance network
- Other financial institutions either directly or via an association
- Our regulators
Property sales and services
Purpose of processing
We process your data for the following purposes, and under the following legal bases:
- Due diligence, including KYC/ AML purposes
- Legal obligation
- To sell or rent a property to you
- Performance of a contract
- To maintain our rental properties
- Performance of a contract
- To make and receive payments
- Performance of a contract
- To detect, prevent and investigate fraud
- Legal obligation and our legitimate interest
- To report to regulators
- Legal obligation
- To provide online services
- Performance of a contract, legitimate interest and consent for cookies
- For the purposes of direct marketing
- Legitimate interest (selection and profiling) and consent (contact)
The categories of personal data we collect and process
- Contact and demographic information
- Government-issued identification
- Employment information
- Financial information
- Insurance information
- Browser data (if online services are provided)
- Cookies (if online services are provided)
Retention of data
Except where a different period is required by law or regulatory guidance, we will keep your personal data for a period of 10 years following your most recent transaction. If for any reason we collect your data but no transaction is performed, we will retain at least some of your data for 10 years from the date on which the data was collected. We retain this data to comply with our regulatory obligations and to provide for legal claims.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor
- Our technology and service partners
- Other financial institutions either directly or via an association
- Our regulators
Job Applicants
Purposes of processing
If you apply for employment with Sagicor, we process your data for the following purposes, and under the following legal bases:
- In order to assess suitability for a role with Sagicor
- Performance of a contract
- Due diligence, including KYC/ AML purposes
- Legal obligation
- To detect, prevent and investigate fraud
- Legal obligation and our legitimate interest
- To report to regulators
- Legal obligation
- To provide online services
- Performance of a contract, legitimate interest and consent for cookies
The categories of personal data we collect and process
- Contact and demographic information
- Government-issued identification
- Employment information
- Financial information
- Health information
- Browser data (if online application)
- Cookies (if online application)
Retention of data
We will keep your personal data if you are a successful applicant in line with the Employee Privacy Notice retention period. If you are an unsuccessful applicant, we will retain some of your personal data for up to 6 months from the date of your last application.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor
- Our technology and service partners
- Your former employers
- Our regulators
Whistleblowing
Purpose of processing
We process your data for the following purpose, and under the following legal basis:
- To enable the making by employees or the public of specified disclosures of improper conduct
- Public interest and legal obligation
The categories of personal data we collect and process
We may collect any of the following categories of data:
- Contact/ Demographic Data (unless complaint is made anonymously)
Other data may also be collected based on your disclosure; this will depend on the content of that disclosure but will always be collected from and therefore know by you.
Retention of data
We will keep at least some of your personal data for as long as necessary to conclude our investigation. After such time, your personal information will be deleted within 6 months.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor strictly as needed to support any investigation
- Our technology and service partners
- Regulators and law enforcement as required by law
Sagicor Events and Corporate Social Responsibility (“CSR”) Projects
Purpose of processing
If you attend or participate at an event hosted by Sagicor, we process your data for the following purpose, and under the following legal basis:
Marketing of our products and services via:
- Publicity and promotional materials, including advertising material and printed publications in Sagicor’s operating territories;
- Websites, social media channels and digital communications materials;
- Presentation and exhibition materials;
The categories of personal data we collect and process
We may collect any of the following categories of data:
- Photographs or videos with your image in video or still, and the likeness and sound of your voice as recorded on audio or video tape
- Contact and demographic information
Retention of data
- We will keep your personal data for a period of 5 years, or such longer period as may be necessary for legal, regulatory or audit purposes. After such time, your personal information will be deleted within 6 months.
Sharing your personal data with third parties
We share your data with the following third parties:
- Within Sagicor strictly in connection with Sagicor’s employee engagement and viewing of recorded footage by users of Sagicor’s corporate network.
- Our technology and service partners