DATA PRIVACY POLICY

Version 1.0 Dated 1st March 2022

Policy Statement

This Privacy Statement, applies to personal data that CIC INSURANCE GROUP Plc (including its subsidiary Companies in Kenya, Uganda, Malawi and South Sudan) (“CIC”, “we” “our” “us”, “CIC Group”) collects and handles for the purposes of maintaining and providing CIC related information to the vis. For the purposes of this Privacy Policy, “Personal data” means any information relating to an identified or identifiable natural person. We are committed to protecting your personal data in accordance with the all the applicable laws and regulations.   

1. Identity of Data Controller

CIC Group of P.O box 59485-00200 is the controller in respect of personal data it processes in connection with the services provided under the relevant engagement with its customers.

In certain cases, and for the purposes of performing some services, CIC and its clients may have agreed that CIC is a processor. When CIC acts as a processor, it complies with all obligations set out in the agreement concluded with its clients.

2. Information We Collect

 We may collect the following personal information:

  • Individual details:name, address (and proof of address), other contact details (e.g., email and telephone details), gender, marital status, family details, date and place of birth, employer, job title and employment history, relationship to the policyholder, insured, beneficiary or claimant.
  • Identification details:identification numbers issued by government bodies or agencies (e.g., depending on the country you are in, social security or national insurance number, passport number, ID number, tax identification number, driver’s license number).
  • Financial information:payment card number, bank account number and account details, income and other financial information.
  • Insured risk:Information about the insured risk, which contains Personal Data and sensitive personal data only to the extent relevant to the risk being insured and may include:
    • Health data: current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g., smoking or consumption of alcohol), prescription information, medical history.
    • Criminal records data: criminal convictions received from law enforcement agencies.
  • Credit data: credit history and credit score details received from various credit score databases, or regulators.
  • Previous claims: information about previous claims, which may include health insurance claims, previous personal insurance including criminal records data for c, and other categories of sensitive personal data.

Where we collect such information directly from individuals, we will inform them of whether the information is required and the consequences of not providing it on the relevant form.

3.Where we collect personal information

We collect Personal Data from various sources, including (depending on the country you are in):

  • Individuals and their family members, online or by telephone, or in written correspondence
  • Individuals’ employers.
  • In the event of a claim, third parties including the other party to the claim (claimant/ defendant), witnesses, experts (including medical experts), loss adjustors, lawyers and claims investigators etc.
  • Other insurance market participants, such as Insurers, Reinsurers and other insurance sales Intermediaries
  • Credit reference agencies (to the extent CIC is taking any credit risk)
  • Government agencies, such as motor vehicle registration authorities and tax authorities
  • Claim forms

4.Data processing purpose and legal basis

The primary purpose for collecting and processing your personal data is to perform contractual and statutory tasks related to management of the financial products/solutions you have with us. We will also process your data in connection with other tasks as required by law and statutory regulations. In addition to these, personal data may be used in product and service development.

5.How we store and protect your personal data

CIC maintains appropriate technical and organizational safeguards against unauthorized processing of personal data and against accidental loss, destruction or damage.

6.How we use and Disclose Your Personal Data:

CIC undertakes to keep your personal data confidential and where it is necessary to satisfy the purpose for which it was collected or as may be required by law CIC will share your data with third parties.

Please note that in addition to the disclosures we have identified in the table below, we may disclose Personal Data for the purposes we explain in this Privacy Policy to service providers, contractors, agents and CIC Group companies that perform activities on our behalf.

PURPOSE OF PROCESSING

LEGAL GROUNDS

DICLOSURE

Establishing a client relationship, including fraud, anti-money laundering and sanctions checks

· Performance of our contract with the client.

·Compliance with a legal obligation

·Legitimate interests of CIC (to ensure that the client is within our acceptable risk profile and to assist with the prevention of crime and fraud.

· Consent

· Substantial public interest

Anti-fraud data base

Checking credit where we are taking

any credit risk.

Legitimate interests of CIC (to ensure that the client is within our acceptable risk profile and to assist with the prevention of

crime and fraud)

Credit reference

agencies

Evaluating the risks to be covered and

matching to appropriate insurer, policy and premium

· Performance of our contract with the client.

· Compliance with a legal obligation

· Legitimate interests of CIC (to ensure that the client is within our acceptable risk profile and to assist with the prevention of crime and fraud.

· Consent

· Substantial public interest

Insurers

Policy Administration

 

 

General client care, including communicating with

client

· Performance of our contract with the client.

· Legitimate interests of CIC (to correspond with clients, beneficiaries and claimants in order to facilitate the placing of and claims under insurance policies).

· Consent

· Substantial public interest

Telco providers.

Collection or refunding of premiums, paying on claims, and processing and

facilitating other payments

· Performance of our contract with the client.

· Legitimate interests of CIC (to recover debts due to us)

· Insurers

· Banks

· Debt recovery providers

Claims

 

 

Managing insurance claims

·   Performance of our contract with the client.

· Legitimate interests of CIC (to assist our clients in assessing and making claims)

· Insurers

· Claims

· Handlers

· Lawyers

· Loss

· Adjustors

· Experts

· Third parties involved in handling or otherwise addressing the claim, such as health care professionals

Defending or prosecuting legal claims

· Performance of our contract with client

· Legitimate interests of CIC (to assist our client in assessing and making claims).

· To establish, defend or prosecute legal claims

·Insurers

· Lawyers

· Police

· Experts

· Other insurers

· Anti-fraud databases

· Third parties involved in the investigation or prosecution, such as private investigators

Renewals

 

 

Contacting you in order to arrange the renewal of the insurance policy

· Performance of our contract with the client.

· Legitimate interests of CIC (to correspond with clients to facilitate the continuation of insurance cover)

· Insurers

· Intermediaries

Throughout the Insurance lifecycle

Marketing analytics and direct marketing, including data anonymization.

 

· Legitimate interests of CIC (to bring clients relevant offers)

· Where we do not have an existing relationship with the individual, consent

· Insurers

· Group companies

General risk modelling

· Legitimate interests of CIC (to build risk models that allow placing of risk with appropriate insurers)

· Consent

· Insurers

Complying with our legal or regulatory obligations

· Compliance with a legal obligation

· Legitimate interests of CIC (to take pre-emptive steps to ensure legal and regulatory compliance)

 

7.Consent

In order to facilitate the provision of our financial solutions including insurance cover and administer insurance claims, we rely on the data subject’s consent to process personal sensitive information, such as medical records. This consent allows us to share the information with other Insurers, Intermediaries and Reinsurers that may need to process the information in order to undertake their role in the insurance market (which in turn allows for the pooling and pricing of risk in a sustainable manner).

The affected individual’s consent to this processing of personal information is a necessary condition for CIC to be able to provide the services the client requests.

Where you are providing us with information about a person other than yourself, you agree to notify them of our use of their Personal Data and to obtain such consent for us.

Individuals may withdraw their consent to such processing at any time. However, doing so may prevent CIC from continuing to provide the services. In addition, if an individual withdraws consent to an Insurer’s or Reinsurer’s processing of their Personal Data, it may not be possible for the insurance cover to continue.

8.Cross-border Transmission of personal data

Your data is primarily stored in our data centers located within Kenya and some data is stored on cloud in and accessed in other jurisdictions. In as much as some of these jurisdictions may not always offer the same level of protection for personal data as offered in Kenya, we will ensure an appropriate level of protection by the recipient of the data when we transmit your data outside Kenya.

If we transfer Personal Data to other countries outside Kenya, we will establish legal grounds justifying such transfer, such as individuals’ consent, or other legal grounds permitted by applicable legal requirements.

9.Your data protection rights

You have a right:

  1. To Request CIC access to a copy of your Personal Data processed by us in relation to you. The request can be made directly to the following address: CIC Insurance Group Plc, CIC Plaza, Mara Rd, Upper Hill P. O Box 59485 – 00200 Nairobi or E-mail: dataprotection@cic.co.ke
  2. To Request correction of false or misleading Personal Data we hold about you – You can do this by visiting our head office or branch offices across the county or you can send an official request through dataprotection@cic.co.ke; Please note we shall verify the accuracy of the information you provide us
  3.  Request erasure of your Personal Data where there is no good reason for us continuing to process it. Please note that we reserve the right to decline this request for specific legal or regulatory obligations
  4. To object to the processing of all or part of their personal data.
  5. Request the transfer of your Personal Data to you or a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  6. Right to object and withdraw your consent to the processing of your Personal Data. We may in certain circumstances continue to process if we have a legitimate reason to do so; because this will not affect the lawfulness of any processing carried out before you withdraw your consent.

In exercising your right as provided above, we may request specific information from you to help us confirm your identity. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Queries and concerns about your rights should be CIC Group Plc, CIC Plaza, Mara Rd, Upper Hill P. O Box 59485 – 00200 Nairobi or E-mail: dataprotectionoffice@cic.co.ke

9.1. Deletion and retention periods

We are basically storing and processing your personal data only as long as it is necessary to perform our obligations under the agreement with you or as long as the law requires us to store it. If the data is not required anymore for statutory or contractual obligations, it will be deleted.

10. Security Assurance

CIC has put in place technical and operational measures to ensure integrity and confidentiality of your data via controls around; information classification and segregation, access control, cryptography, physical security, monitoring and compliance.

11. Cookies

CIC Insurance Group may use cookies and similar technologies on our websites and apps, and in our emails. Cookies are text files that gather small amounts of information, which your computer or mobile device stores when you visit a website or use an app. When you return to the website or app, or visit websites and apps that use the same cookies, they recognize these cookies and your device.

We use cookies to do many different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improving your online experience. We also use cookies in some of our emails to help us understand how you interact with our emails, and to help us improve our future email communications.

The cookies policy on our websites and apps give you more information on cookies, how and where we use them, and how you can control them.

12. Changes to this privacy policy

We may modify or update this statement from time to time. Where the changes will have a fundamental impact on the nature of the processing of your data or your rights, we shall notify you in advance. We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the “effective date” at the top of this Privacy statement.

You are advised to review this Privacy statement periodically for any changes. Changes to these Privacy Policies are effective when they are posted on this page.

This Website Privacy Statement was last updated on (1st March 2022)

13. Contact Information

If you would like to contact us for clarification of this policy, you can email us on dataprotectionoffice@cic.co.ke. Our address for purposes of data processing is;

Data Protection Officer

The CIC Group Plc

CIC Plaza, Mara Road, Upper Hill

P.O. Box 59485 – 00200 Nairobi, Kenya

Tel 020 282 3000, 0703 099 120

dataprotectionoffice@cic.co.ke | www.cic.co.ke