Privacy notice for policyholders

You should read this privacy notice if you are:

One of our individual policyholders
A beneficiary or potential beneficiary of a policyholder
An agent instructed to act on behalf of one of our individual policyholders for example, under a power of attorney

Understanding the terms of this privacy notice

The meaning of words which appear in bold underlined text are explained in the glossary. You can click on each term to see the definition. Alternatively, you can open the full glossary in another tab by clicking the link below.

Glossary

Throughout this notice any reference to “we” or “us” refers to Rothesay Life Plc.

To read this privacy notice, please click on each section below.

About us and our relationship with you

‘Rothesay’ is the trading name for Rothesay Life Plc, an insurance company established in the UK with company registration number 06127279 and ICO registration Z1003678. We are authorised in the UK by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Our registered office address is The Post Building, 100 Museum Street, London WC1A 1PB.

This privacy notice applies to all situations where we process personal data about a policyholder, agent of a policyholder or a beneficiary or potential beneficiary in connection with an individual policy held directly with Rothesay.

We are a controller under data protection laws. This privacy notice explains how we use and look after your personal data. This privacy notice also tells you about your privacy rights and how the law protects you.

About this privacy notice

This privacy notice contains information about:

The personal data that we process as a controller
Where the personal data has been obtained
The reasons why we process your personal data and the lawful basis we use to do so
The security measures that we have in place to keep your personal data secure
The length of time we store your personal data for
The organisations, or categories of organisation, with whom we might share your personal data
International transfers of your personal data
The rights you have under data protection laws in relation to our processing of your personal data

Please note that we may change this privacy notice from time to time.

To request a printed copy of this privacy notice please contact us using the contact details contained in the part of this privacy notice headed Contact details.

The personal data we process

The categories of personal data we process include the following:

1. Policyholder information: Personal data relating to each policyholder. Personal data in this category includes:

Name
Address and contact information (telephone, email and postal address)
Policy or plan identification numbers and references
Date of birth
Gender
Marital status, dependants and next of kin
Retirement age
Retirement date
Login credentials
Government identifiers such as passport number or drivers licence number

2. Beneficiary information: Personal data relating to any individual that a policyholder would like us to consider as a potential recipient benefit payable under the individual policy. Personal data in this category includes:

Name
Address and contact information (telephone, email and postal address)
Date of birth
Gender
Marital status, dependants and next of kin

3. Policyholder Employment Information: Personal data relating to a policyholder’s employment that is relevant to the benefits payable to each individual insured under an individual policy. Personal data in this category includes:

Employer (or former employer) name
Job title, job codes, job location, and length of service
Pension benefits

4. Policyholder financial information: Financial information relating to each individual insured under an individual policy to whom we are obliged to pay, or are paying, benefits following the death of a policyholder. Personal data in this category includes:

Financial position, status and history
Bank details
National Insurance number
Tax code

5. Policy administration information: Personal data processed as a result of administering an individual policy.This includes details about payments to and from your accounts, and insurance claims you make.

6. Agent information: Contact information of an agent of a policyholder who instruct us on their behalf. Personal data in this category includes the individual's:

Name
Address (email and postal)
Other contact details

7. Sensitive personal data:The most common types of sensitive personal data we process are:

Your health information such as those contained within medical reports, test results, details of physical or mental health diagnoses or treatments, and personal behaviours such as smoking habits.
Personal data relating to criminal convictions and offences for the purposes of detecting or preventing financial crime.

Where the personal data has been obtained

Personal data will usually be collected from the trustees of the pension scheme who purchased the individual policy, the policyholder or any other individual to whom the personal data relates. If an individual policy has transferred to us from another insurer, personal data will also be provided to us by that other insurer.

There will be instances where we collect personal data from other sources. This includes:

1. Tracing agencies and mortality screening companies

We engage tracing agencies to check whether we hold the correct address for an individual insured under an individual policy.

We engage mortality screening companies to check whether an individual insured under an individual policy is alive.

2 . Financial sanctions screening companies

We engage financial sanctions screening companies to ensure that we do not break laws and regulations by making a payment in respect of an individual who:

appears on a list of financial sanctions targets: or
is subject to a sanctions programme as determined by any government or law enforcement agency

The reasons why and lawful bases relied on to process your personal data

The table below provides details of the purpose and the lawful bases upon which we process personal data.

Type of personal data	Why we need it	Lawful bases for processing
Policyholder administration information Policyholder information Policyholder employment information Policyholder financial information Beneficiary information Agent information	Administering individual policies We process personal data in order to fulfil our contractual or legal obligations under our individual policies. This includes: Managing our relationship with you including communicating with you and your representatives Managing payments, settlements, claims and transfers Managing and responding to queries and complaints	Performance of a contract with the policyholder It is necessary to process personal data in order to fulfil our contractual obligations under the individual policy to the policyholder or another party to the contract such as a beneficiary. When we need to process sensitive personal data in relation to your individual policy (such as ill-health claims) we would do so under a substantial public interest such as meeting insurance requirements.
Policyholder administration information Policyholder information Policyholder employment information Policyholder financial information Beneficiary information Agent information	Providing you with services related to your individual policy We process personal data in order to: Ensure your queries are directed to right team Store your nominated beneficiary details Inform you of additional products or services that we offer to individuals insured under our individual policies	Legitimate interests pursued by us or by a third party We have a legitimate interest to ensure we are efficient in how we fulfil contractual obligations, understand and manage customer needs and treat customers fairly and efficiently.
Policyholder administration information Policyholder information Policyholder employment information Policyholder financial information Beneficiary information Agent information Sensitive personal data	Managing our business We may process personal data in order to manage our business operations more effectively. This includes: Managing our financial position, business capabilities and planning, and corporate governance and audit Managing relationships with other companies that provide services to us for your benefit Managing risks to our business Improving and testing products and services Maintaining, testing and improving IT and the information security of systems which hold personal data Transferring or selling individual policies to another insurer to support our business objectives	Legitimate interests pursued by us or by a third party We have a legitimate interest to ensure we are efficient in how we fulfil our legal, regulatory and contractual obligations, understand and manage customer needs and treat customers fairly and efficiently. We have a legitimate interest to operate our business effectively and efficiently as well as ensuring the integrity and functionality of our Business and IT processes and systems. We also have a legitimate interest to be able to transfer individual policies to another insurer so we can operate our business effectively. We process sensitive personal data where we have a substantial public interest to do so such as meeting insurance requirements.
Policyholder administration information Policyholder information Policyholder employment information Policyholder financial information Beneficiary information Agent information Sensitive personal data	Meeting our obligations We may process personal data in order to fulfil our legal and regulatory obligations imposed upon us in relation to administering individual policies such as producing and issuing required regulatory documentation and conducting KYC, AML and sanctions checks. We may process personal data in order to fulfil our legal and regulatory obligations in relation to our customers including the identification and support of customers with vulnerable characteristics managing vulnerable customers in accordance with our consumer duties as required by the FCA to meet our obligations under the Consumer Duty.	Compliance with a legal obligation to which we are subject We need to ensure that we operate in accordance with relevant laws and regulations. This includes, but is not limited to, meeting our legal obligations in relation to customers with vulnerable characteristics and the FCA’s Consumer Duty more broadly. When we need to process sensitive personal data we would do so under a substantial public interest condition, such as meeting insurance requirements or preventing or detecting unlawful acts.
Policy administration information Policyholder information Policyholder employment information Beneficiary information Policyholder financial information Agent information Sensitive personal data	Exercising our legal rights and defending ourselves against potential legal claims We process personal data in case we need it to exercise our legal rights, and to defend ourselves against potential legal claims that might be brought against us under the terms of any of our individual policies and/or laws and regulations.	Legitimate interests pursued by us or by a third party It is in our interest to ensure that we are able to exercise our legal rights and defend ourselves against potential legal claims. We process sensitive personal data where we have a substantial public interest to do so such as preventing or detecting unlawful acts.
Policyholder information Policyholder employment information	Event management We process personal data to enable us to deal with any queries from policyholders in relation to events we organise or sponsor and to provide policyholders with opportunities to attend such events.	Legitimate interests pursued by us or by a third party It is in our interest and the interest of policyholders to ensure that we can provide opportunities for policyholders to attend events we organise or sponsor events and to assist policyholders with queries in relation to such events.

Type of personal data

Why we need it

Lawful bases for processing

Administering individual policies

We process personal data in order to fulfil our contractual or legal obligations under our individual policies. This includes:

Managing our relationship with you including communicating with you and your representatives
Managing payments, settlements, claims and transfers
Managing and responding to queries and complaints

Performance of a contract with the policyholder

It is necessary to process personal data in order to fulfil our contractual obligations under the individual policy to the policyholder or another party to the contract such as a beneficiary.

When we need to process sensitive personal data in relation to your individual policy (such as ill-health claims) we would do so under a substantial public interest such as meeting insurance requirements.

Providing you with services related to your individual policy

We process personal data in order to:

Ensure your queries are directed to right team
Store your nominated beneficiary details
Inform you of additional products or services that we offer to individuals insured under our individual policies

Legitimate interests pursued by us or by a third party

We have a legitimate interest to ensure we are efficient in how we fulfil contractual obligations, understand and manage customer needs and treat customers fairly and efficiently.

Policyholder administration information
Policyholder information
Policyholder employment information
Policyholder financial information
Beneficiary information
Agent information
Sensitive personal data

Managing our business

We may process personal data in order to manage our business operations more effectively. This includes:

Managing our financial position, business capabilities and planning, and corporate governance and audit
Managing relationships with other companies that provide services to us for your benefit
Managing risks to our business
Improving and testing products and services
Maintaining, testing and improving IT and the information security of systems which hold personal data
Transferring or selling individual policies to another insurer to support our business objectives

Legitimate interests pursued by us or by a third party

We have a legitimate interest to ensure we are efficient in how we fulfil our legal, regulatory and contractual obligations, understand and manage customer needs and treat customers fairly and efficiently.

We have a legitimate interest to operate our business effectively and efficiently as well as ensuring the integrity and functionality of our Business and IT processes and systems.

We also have a legitimate interest to be able to transfer individual policies to another insurer so we can operate our business effectively.

We process sensitive personal data where we have a substantial public interest to do so such as meeting insurance requirements.

Meeting our obligations

We may process personal data in order to fulfil our legal and regulatory obligations imposed upon us in relation to administering individual policies such as producing and issuing required regulatory documentation and conducting KYC, AML and sanctions checks.

We may process personal data in order to fulfil our legal and regulatory obligations in relation to our customers including the identification and support of customers with vulnerable characteristics managing vulnerable customers in accordance with our consumer duties as required by the FCA to meet our obligations under the Consumer Duty.

Compliance with a legal obligation to which we are subject

We need to ensure that we operate in accordance with relevant laws and regulations. This includes, but is not limited to, meeting our legal obligations in relation to customers with vulnerable characteristics and the FCA’s Consumer Duty more broadly.

When we need to process sensitive personal data we would do so under a substantial public interest condition, such as meeting insurance requirements or preventing or detecting unlawful acts.

Exercising our legal rights and defending ourselves against potential legal claims

We process personal data in case we need it to exercise our legal rights, and to defend ourselves against potential legal claims that might be brought against us under the terms of any of our individual policies and/or laws and regulations.

Legitimate interests pursued by us or by a third party

It is in our interest to ensure that we are able to exercise our legal rights and defend ourselves against potential legal claims.

We process sensitive personal data where we have a substantial public interest to do so such as preventing or detecting unlawful acts.

Event management

We process personal data to enable us to deal with any queries from policyholders in relation to events we organise or sponsor and to provide policyholders with opportunities to attend such events.

Legitimate interests pursued by us or by a third party

It is in our interest and the interest of policyholders to ensure that we can provide opportunities for policyholders to attend events we organise or sponsor events and to assist policyholders with queries in relation to such events.

We may also process personal data including sensitive personal data to comply with other laws, regulations or criminal reporting requirements that we are subject to. This includes compliance with law enforcement agency procedures in connection with various investigations and compliance with any requirement to prevent or detect unlawful acts.

How we keep your personal data secure

Our commitment to corporate security is demonstrated through the implementation of policies, controls and procedures, which are externally certified and audited to the international information security standard, ISO 27001:2013.

Our security policies, controls and procedures are regularly reviewed and updated so that we maintain good practices across our business to keep your information safe.

We have contractual arrangements in place with all of our service providers who process personal data which are compliant with data protection laws. We regularly check that our service providers are complying with their contractual commitments. This includes assessing and reporting on our service providers’ information security controls to check their compliance using questionnaires and/or on-site audits.

How long we store your personal data for

We will only keep your personal data for so long as we reasonably require it and, in any event, only for as long as our internal rules and polices allow us to fulfil our business or legal and regulatory obligations.

Who has access to your personal data

We share personal data with a variety of other companies to operate our business. However, we only share the personal data that those companies need to provide their services to us.

We have detailed the types of companies with whom we currently share personal data below.

Processors with whom we share personal data

For these companies, we determine the purposes for which the personal data we pass to them is processed and they should not process that personal data other than in accordance with our written instructions. Processors with whom we share personal data:

1. Third Party Administrators
We use specialist third party pension administration companies to help us administer the benefits insured under our individual policies. This enables us to meet our obligations in accordance with the terms of those individual policies. To enable them to do this, we need to provide them with all personal data that is relevant for this purpose.

Currently, we engage as administrators, companies trading as:

Capita Pension Solutions Limited
Aptia UK Limited
Towers Watson Limited

2. Tracing agencies, mortality screening companies and financial sanctions screening companies
We use these companies in order to check one or both of the following:

Whether a policyholder or an individual to whom we are paying benefits under an individual policy is alive and that the individual’s address remains current
Whether an individual appears on a list of financial sanctions targets or is subject to a sanction programme

3. IT service providers
Our main IT infrastructure and core software is provided by Goldman Sachs Group, Inc.. This means that personal data we process is stored on Goldman Sachs’ IT systems.

4. Other service providers to our business
Other companies who process personal data on our behalf include those who provide day-to-day operational business services such as emails, archiving, document scanning and copying, document destruction and printing.

Controllers with whom we share personal data

For these companies, we do not determine the purposes for which the personal data we pass to them is processed once it is shared. To understand how the other controllers process your personal data , you should refer to their privacy notices. Controllers with whom we share personal data:

1. Reinsurers
We provide information about the liabilities insured under our individual policies to reinsurers with whom we reinsure some of the risks to which we are exposed under those individual policies. The main such risk is that individuals whose benefits we insure live longer than we anticipated. You can request a list of reinsurers to whom we have disclosed your personal data using the details contained in the part of this privacy notice headed Contact details.

2. Trend analysis providers

We provide information to, and use services provided by, third parties to analyse how long people in the UK live and other demographic trends. We use information provided to us by these third parties in connection with the performance of our business. For example, we use it to help us to estimate how long individuals insured under our individual policies are likely to live in order to understand our liabilities in respect of individuals insured under our individual policies.

3. Other third parties

We may disclose relevant personal data with other third party controllers from time-to-time to manage our business. For example, to a prospective buyer of all or part of our business, assets or share capital, to event organisers to manage policyholder attendance at events, or to pension scheme trustees who have insured members’ benefits with us to verify that the correct benefits have been insured.

4. Professional advisers

We sometimes have to share personal data with our professional advisers (including accountants and lawyers) where it is required for the purposes of their advice.

5. Regulators, law enforcement and auditors

We will share personal data when requested by regulators, law enforcement agencies or other third parties to comply with obligations imposed on us by laws and regulations.

International transfers

Where personal data is transferred to and processed in a country outside of the UK or the EEA (as applicable), we take steps to provide appropriate safeguards to protect your personal data, including by entering into approved standard contractual clauses obliging recipients to protect your personal data and only transferring personal data to the extent that an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data is ensured in compliance with data protection laws.

If you want further information on the specific mechanisms used by us when transferring your personal data outside of the UK or EEA, please contact us using the details contained in the part of this privacy notice headed Contact details.

Your rights

Under certain circumstances, you have the following rights under data protection law:

The right of access to personal data relating to you (known as Subject Access Requests)
The right to correct any mistakes in your personal data
The right to require us to delete your personal data
The right to restrict our processing of your personal data
The right to object to us processing your personal data, including for marketing purposes
The right to have your personal data provided to another controller

How to exercise your rights

If you wish to exercise any of your rights, please contact us using the details contained in the part of this privacy notice headed Contact details.

Contact details

How to contact us regarding this privacy notice

You may want to contact us to:

Ask any questions you have in relation to the information contained in this privacy notice
Exercise any of your rights under the data protection laws
Request a printed copy of this privacy notice printed in large print or braille
Request an audio version of this privacy notice
Make a complaint (see below)

To contact us you can email our Data Protection Officer (DPO) at dpo@rothesay.com or write to:

Data Protection Team, Rothesay Life Plc, The Post Building, 100 Museum Street, London WC1A 1PB

If you live within the European Union, you can also contact our European representative. Their details are as follows:

Address: Bird & Bird GDPR Representative Services SRL, Avenue Louise 235, 1050 Bruxelles, Belgium.

Or email: EUrepresentative.Rothesay@twobirds.com

How to make a complaint

If you have a problem or concern relating to the ways we process your personal data or the contents of this privacy notice, please contact us in the first instance.

We hope that we will be able to address the problem or concern to your satisfaction. However, you also have the right to make a complaint to the Information Commissioner’s Office. The process for making a complaint to the Information Commissioner’s Office is available here:

www.ico.org.uk/make-a-complaint

Their contact details are as follows:

Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Or phone: 0303 123 1113

ico.org.uk

Privacy notice for individual policyholders