
You should read this privacy notice if you are an individual with whom Rothesay Life Plc has a business or commercial relationship.

Understanding the terms of this privacy notice

The meanings of words which appear in bold underlined text are explained in the glossary. You can click on each term to see the definition. Alternatively, you can open the full glossary in another tab by clicking the link below.

Glossary

Throughout this notice any reference to “we” or “us” refers to Rothesay Life Plc.


About us and our relationship with you

‘Rothesay’ is the trading name for Rothesay Life Plc, an insurance company established in the UK with company registration number 06127279 and ICO registration Z1003678. We are authorised in the UK by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Our registered office address is The Post Building, 100 Museum Street, London WC1A 1PB.

This privacy notice applies to all situations where we process personal data about any individual with whom we have a business or commercial relationship, for example if you are an employee, officer or representative of a supplier, client (such as a trustee or insurer), counterparty (such as a financial institution or reinsurer), shareholder or advisor, or you are simply visiting our offices.

We are a controller under data protection laws. This privacy notice explains how we use and look after your personal data. This privacy notice also tells you about your privacy rights and how the law protects you.

About this privacy notice

This privacy notice contains information about:

Please note that we may change this privacy notice from time to time.

To request a printed copy of this privacy notice please contact us using the contact details contained in the part of this privacy notice headed Contact details.

The personal data we process

The categories of personal data we process include the following:

1. Business contact personal information: Personal data relating to individuals working for entities or businesses that have a past, existing or potential business or commercial relationship with us, including:

  • Name
  • Address (work email and postal)
  • Contact telephone number
  • Employer name
  • Job title
  • Job location
  • Other personal data concerning your preferences relevant to our services

2. Compliance information: Personal data relating to individuals which is processed to ensure we can comply with our legal and regulatory obligations. This includes:

  • Data provided by clients and counterparties to Rothesay for anti-money laundering (“AML”) or “Know-Your-Customer” (“KYC”) purposes
  • Results of AML and KYC data

3. CCTV Information: Personal data relating to individuals processed by the CCTV system operated within our offices.

Where the personal data has been obtained

Personal data will usually be collected directly from you through the recruitment exercise.

There will be instances where we collect personal data from other sources. We collect personal data from other sources to comply with regulations related to carrying out KYC and AML checks on individuals who work with us, our business partners, and our clients (such as trustees). This involves the use of financial sanctions screening companies and data from publicly available sources. If we are looking to do business with you, we may have obtained your contact details from a third-party recommendation or an external source.

The reasons why and lawful bases relied on to process your personal data

The table below provides details of the purpose and the lawful bases upon which we process personal data.

Type of personal data

Why we need it

Lawful bases for processing

Operating our business

We process personal data to run our business, including:

  • Seeking services that your organisation provides
  • Fulfilling contractual obligations with the organisation you represent
  • Internal record keeping
  • Conducting vendor due diligence exercises
  • Client event management

Legitimate interests pursued by us or by a third party

It is in our interest and the interest of the entities that we engage with to ensure our business can operate effectively.

Fulfilling our legal and regulatory obligations

We process personal data to fulfil our obligations under applicable law and regulation. This includes:

  • Financial checks on business partners and counterparties
  • AML and KYC checks on individuals

Compliance with a legal obligation to which we are subject

We need to ensure that we run our business in accordance with laws and regulations.

We may also process sensitive personal data under a substantial public interest condition, such as meeting regulatory requirements.

Keeping you informed

We process personal data to maintain our business relationships and to keep you informed of our business. This could include:

  • Sending business communications
  • Sending marketing communications
  • Organising and holding events in connection with the promotion of our business

Legitimate interests pursued by us or by a third party

It is in our interest and your interest to ensure we can maintain our strong business relationship and keep you informed of our business so we can collaborate more effectively.

Managing access to our premises and for security purposes

Legitimate interests pursued by us or by a third party

We need to take steps to ensure the personal safety of our staff and visitors as well as protect our buildings and assets from intrusion, theft, vandalism, damage or disruption.

We may also process personal data including sensitive personal data to comply with other laws, regulations or criminal reporting requirements that we are subject to. This includes compliance with law enforcement agency procedures in connection with various investigations and compliance with any requirement to prevent or detect unlawful acts.

How we keep your personal data secure

Our commitment to corporate security is demonstrated through the implementation of policies, controls and procedures, which are externally certified and audited to the international information security standard, ISO 27001:2013.

Our security policies, controls and procedures are regularly reviewed and updated so that we maintain good practices across our business to keep your information safe.

We have contractual arrangements in place with all of our service providers who process personal data which are compliant with data protection laws. We regularly check that our service providers are complying with their contractual commitments. This includes assessing and reporting on our service providers’ information security controls to check their compliance using questionnaires and/or on-site audits.

How long we store your personal data for

We will only keep your personal data for so long as reasonably required and, in any event, only for as long as our internal rules and policies allow us to fulfil our business or legal and regulatory obligations. This will usually be six years from the conclusion of a relevant business relationship with you or a company you are associated with.

Who has access to your personal data

We share personal data with a variety of other companies to operate our business. However, we only share the personal data where necessary to help us satisfy one or more of the reasons for processing set out above.

We have detailed the types of companies with whom we currently share personal data below. The companies fall into two categories.

Processors with whom we share personal data

For these companies, we determine the purposes for which the personal data we pass to them is processed and they should not process that personal data other than in accordance with our written instructions. Processors with whom we share personal data:

1. Compliance screening companies
We engage compliance screening companies to ensure that we do not break laws and regulations. This includes Credit Ratings Agencies, such as Moody's Investors Services Ltd,

2. IT service providers
Our main IT infrastructure and core software are provided by Goldman Sachs Group, Inc. This means that personal data we process is stored on Goldman Sachs’ IT systems.

3. Other service providers to our business
Other companies who process personal data on our behalf include those who provide day-to-day operational business services such as emails, archiving, document scanning and copying, document destruction and printing.

Controllers with whom we share personal data

For these companies, we do not determine the purposes for which the personal data we pass to them is processed once it is shared. To understand how the other controllers process your personal data, you should refer to their privacy notices. Controllers with whom we share personal data:

1. Event organisers and event venues
We will only pass on necessary personal data to event organisers or venues in circumstances where you have agreed to attend one of our events.

2. Managing entities for our offices
To ensure the security of our offices, you will be required to share ID with the company who manages our shared premises.

3. Professional advisers
We sometimes have to share personal data with our professional advisers (including accountants and lawyers) where it is required for the purposes of their advice.

4. Regulators, law enforcement and auditors
We will share personal data when requested by regulators, law enforcement agencies or other third parties to comply with obligations imposed on us by laws and regulations.

International transfers

Where personal data is transferred to and processed in a country outside of the UK or the EEA (as applicable), we take steps to provide appropriate safeguards to protect your personal data, including by entering into approved standard contractual clauses obliging recipients to protect your personal data and only transferring personal data to the extent that an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data is ensured in compliance with data protection laws.

If you want further information on the specific mechanisms used by us when transferring your personal data outside of the UK or EEA, please contact us using the details contained in the part of this privacy notice headed Contact details.

Your rights

Under certain circumstances, you have the following rights under data protection law:

How to exercise your rights

If you wish to exercise any of your rights, please contact us using the details contained in the part of this privacy notice headed Contact details.

Contact details

How to contact us regarding this privacy notice

You may want to contact us to:

  • Ask any questions you have in relation to the information contained in this privacy notice
  • Exercise any of your rights under the data protection laws
  • Request a printed copy of this privacy notice in large print or braille
  • Request an audio version of this privacy notice
  • Make a complaint (see below)

To contact us you can email our Data Protection Officer (DPO) at dpo@rothesay.com or write to:

Data Protection Team, Rothesay Life Plc, The Post Building, 100 Museum Street, London WC1A 1PB

If you live within the European Union, you can also contact our European representative. Their details are as follows:

Address: Bird & Bird GDPR Representative Services SRL, Avenue Louise 235, 1050 Bruxelles, Belgium.

Or email: EUrepresentative.Rothesay@twobirds.com

How to make a complaint

If you have a problem or concern relating to the ways we process your personal data or the contents of this privacy notice, please contact us in the first instance.

We hope that we will be able to address the problem or concern to your satisfaction. However, you also have the right to make a complaint to the Information Commissioner’s Office. The process for making a complaint to the Information Commissioner’s Office is available here: 

www.ico.org.uk/make-a-complaint

Their contact details are as follows:

Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Or phone: 0303 123 1113

ico.org.uk