The privacy and security of your personal information and data are important to us. This privacy notice explains who we are, the types of information and data we collect and hold, how we use it, who we share it with and how long we keep it. It also informs you of certain rights you have regarding your personal data and information under current data protection laws. We will update this privacy notice as required, so we suggest you revisit it regularly to keep yourself informed, since any changes will be effective once they are published.
The Conduit group will apply the standards set out in the Bermuda Personal Information Protection Act 2016 (PIPA), UK Data Protection Act 2018 (DPA) and/or the EU General Data Protection Regulation (GDPR), as applicable.
The terms used in this privacy notice are based on the requirements and recommendations of the Bermuda Office of the Privacy Commissioner (Privacy Commissioner) and the UK Information Commissioner’s Office (ICO). You can find out more about the Privacy Commissioner here: https://www.privacy.bm and about the ICO here: https://ico.org.uk.
Who are we?
The Conduit group is a specialty reinsurer based in Bermuda that offers specialist reinsurance cover to other insurers. Our group includes:
- Conduit Holdings Limited, which is a holding company for the rest of the group;
- Conduit Reinsurance Limited, which is licensed and supervised by the Bermuda Monetary Authority as a Class 4 insurer; and
- Conduit UK Limited, which is a marketing company based in the UK and does not carry out any regulated activity.
The data controller is likely to be Conduit Holdings Limited for any investor-related activities, Conduit Reinsurance Limited for any reinsurance activities and for recruitment or employment of Bermuda-based employees and Conduit UK Limited for relationship management in the UK and employment of those based in the UK.
In any case, you can contact the group Privacy Officer with any data protection queries by email to firstname.lastname@example.org. Please give us as much detail as possible when you contact us, which will make it quicker and easier for us to comply with your request.
What personal data and information do we collect?
As a reinsurer, we usually receive anonymised data from a primary insurance company. However, there could be occasional cases where we would need to collect the personal data and information of the insured person, a beneficiary or an injured party. We also process personal data and information for recruitment and employment purposes, relationship management and dealing with complaints.
The types of personal data and information we may process in relation to our reinsurance activity are likely to be limited but could include an individual’s name, telephone number, email address, postal address, geolocation, gender, date of birth, historical insurance and claims information, bank or payment details, sanction screening output and additional details in order to help us determine insurance risks or claims details or for relationship management.
We may need to request and collect special category or sensitive personal information such as details of convictions or medical history in order for us to assess a risk, provide support to an insurance company in assessing risk or loss or to enable the investigation of claims.
We only collect and process sensitive personal data and information where it is critical for the delivery of a product or service and without which the product or service cannot be provided. We will therefore not, and the insurer is likely not to, seek your explicit consent to process this information as it is required to provide the service requested or to determine a claim, and its processing is legitimised by its criticality to the service provision. If you object to use of this information, then it’s unlikely that you will be able to obtain the insurance you request or have your claim processed.
In relation to recruitment and employment activity, we may process an applicant or worker’s name, telephone number, email address, postal address, gender, date of birth, bank or payment details, photograph, qualification information, right to work in the relevant country and other information that we need in the recruitment or employment context. We are likely also to process special category personal data and information about any criminal convictions and we may process sensitive personal data and information such as health data, marital status, racial or ethnic origin and trade union membership. Where any of this information is necessary for the purposes of performing or exercising our rights or obligations as an employer, such as not to discriminate against an employee or dismiss them unfairly or assessing a candidate’s working capacity, we will not ask your consent. If we don’t have a legitimate interest in processing such special category data, we will ask your consent and you are free to refuse (or, if you consent, to withdraw that consent at any time by giving us notice).
We may process certain personal data and information of our investors, such as their or their staff’s name, telephone number, email or postal address, gender, bank or payment details for relationship management, or for the payment of amounts due to that investor, such as dividends.
How do we use personal data and information?
We will use personal data and information:
- To administer reinsurance agreements
- To support an insurer with risk and loss analysis and adjustment
- For disaster scenarios, sanctions checking, risk analysis and fraud prevention
- For portfolio and event analysis
- To develop new products and services
- In the context of our role as a recruiter and/or employer and a company that has a broad investor base
The legal basis for our processing of personal data and information includes:
- For pre-contractual and contractual purposes
- For compliance with legal and regulatory obligations
- Where the processing is necessary for our legitimate interests
Securing personal data and information
We follow strict security procedures in the storage and disclosure of personal data and information in line with industry practices.
When do we share personal data and information?
In the event that we sell or buy any business or assets, we may disclose your personal data and information to the prospective seller or buyer of such business or assets. If Conduit Holdings Limited (or any of its subsidiary companies) is sold or substantially all of its assets are acquired by a third party, personal data and information held by it about our staff and customers, and potentially about their staff and their customers, will be one of the transferred assets.
We may also share personal data and information with other companies in our group, with primary insurers, insurance brokers, our own insurers or reinsurers, loss adjustors, medical or other experts or other third parties who are necessary or desirable in order for us to offer our products and services.
In addition, we use external service providers in the day to day running of our business such as IT companies, registrars and recruitment companies, some of whom may have access to or otherwise process personal data and information. We have contracts with all such providers that mandate how they process and secure that data.
We may also share personal data and information with regulators, other professional bodies, law enforcement or other government agencies to comply with legal or regulatory obligations or valid requests from such bodies.
Where will we process personal data and information?
Since we are based in Bermuda, the data and information we collect about you is likely to be transferred to, stored at, and otherwise processed at a destination outside of the European Economic Area (the EEA). We transfer data within our group on the basis of our binding corporate rules, which establish adequate protection for personal data and information and are legally binding on all of our group companies.
Personal data and information may also be processed by third party providers outside of the EEA but this will only be done subject to contractual restrictions regarding confidentiality and security in line with applicable data protection laws and regulations.
How long do we keep your data and information for?
We will not keep your personal data and information for longer than is necessary for the purpose for which it was provided unless we are required to by law or have other legitimate reasons to keep it for longer (for example, if necessary for any legal proceedings or required under our regulatory obligations). We will typically keep information for no more than six years after termination or cancellation of the service we provide.
There are a number of rights that you have under Bermuda, UK and European data protection laws. Commonly exercised rights are:
- Access – You may reasonably request a copy of the information we hold about you
- Erasure – Where we have no legitimate reason to continue to hold your information, you have the right to have your personal data and information deleted (sometimes known as the “right to be forgotten”)
- Rectification – If the information we hold is incorrect, you may request that we correct that error or omission and restrict our processing of the personal data and information while we verify the requested changes.
If you are unhappy about the way we have handled your data or upheld your rights, you can request a review or initiate a complaint to the Privacy Commissioner or the ICO at any time.