Version 2.0 Dated 20th November 2023
CIC Insurance Group PLC (this includes all its subsidiaries and regional companies in Uganda, Malawi and South Sudan) is committed to protecting the fundamental human right to privacy. CIC (we, our, us) respects the personal information and data we collect from you through the different mediums.
Who we are.
CIC Group of P.O Box 59485-00200 is the controller in respect of personal data it processes in connection with the services provided under the relevant engagement with its customers. In certain cases, and for the purposes of performing some services, CIC and its clients may have agreed that CIC is a processor. When CIC acts as a processor, it complies with all obligations set out in the agreement concluded with its clients.
- What Personal Data Do We Collect About You?
As a Data Controller and a Data Processor, CIC Group collects personal data directly from the Data Subject or indirectly through intermediaries, service providers and other third parties. We may collect the following personal information;
Types of Information
Identification and Contact Information
name, address (and proof of address), other contact details (e.g., email and telephone details), gender, marital status, family details, date and place of birth, Profession/Occupation/Employer details, job title and employment history, relationship to the policyholder, insured, beneficiary or claimant.
Government Generated Information
National ID and ID Number, KRA PIN, Huduma Number, Passport Details, NHIF & NSSF Details, National Council of Disabled Persons Details
Employment and Educational Information
Employment History, Educational Background including institutions attended and Professional Memberships
Bank Account, Investments, payment card number, bank account number and account details, income and other financial information
Credit Reference Information
Credit data: credit history and credit score details received from various credit score databases, or regulators.
Insured’s Risk Information
Information about the insured risk, which contains Personal Data and sensitive personal data only to the extent relevant to the risk being insured and may include:
o Health data: current or former physical or mental medical conditions, health status, injury or disability information, medical procedures performed, relevant personal habits (e.g., smoking or consumption of alcohol), prescription information, medical history.
o Criminal records data: criminal convictions received from law enforcement agencies.
information about previous claims, which may include health insurance claims, previous personal insurance including criminal records data for c, and other categories of sensitive personal data.
Photographs, Videos, Audios, Telephone Recordings
Online Activity Information
CIC Group automatically logs information about you and your computer or device such as the IP address, pages viewed and action on our website through Cookies and Web Beacons
Information relating to specific product offerings
Property Information such as cars, houses, personal household items, personal assets, travel information, business and shareholding information, claims history
Where we collect such information directly from individuals, we will inform them of whether the information is required and the consequences of not providing it on the relevant form.
- Where We Collect Personal Information
We use Personal Information to carry out our business activities. The purposes for which we use your Personal Information will differ based on our relationship (i.e. Members, Employees, Business Partners, Prospective Members, etc.) including the type of communications between us and the services we provide.
- We collect Personal Data from various sources, including (depending on the country you are in):
- Individuals and their family members, online or by telephone, or in written correspondence
- Individuals’ employers.
- In the event of a claim, third parties including the other party to the claim (claimant/ defendant), witnesses, experts (including medical experts), loss adjustors, lawyers and claims investigators etc.
- Other insurance market participants, such as Insurers, Reinsurers and other insurance sales Intermediaries.
- Credit reference agencies (to the extent CIC is taking any credit risk)
- Government agencies, such as motor vehicle registration authorities and tax authorities
We obtain your personal data from sources such as;
- Application forms, Claims Forms, Proposal Forms and other forms that you fill.
- Software applications (apps) made available by us to you
- Our Website (www.cic.co.ke)
- Meetings, Telephone conversations and other forms of communication
- Social Media applications and/or tools
- Use of Your Personal Data
CIC may use your personal data for the following purposes.
- Know your Customer (KYC) and Customer Due Diligence (CDD)
- Communicating with customers, business partners and employees.
- Assessing and making determination on provision of financial products or services, employing persons as employees and such other business decisions.
- Enhancing and improving product and service offering including maintaining information security.
- Fulfilling regulatory requirements such as Filing Reports with various regulators such as Office of the Data Protection Commissioner (ODPC), Insurance Regulatory Authority (IRA), Financial Reporting Centre (FRC), Capital Markets Authority (CMA), Retirements Benefits Authority (RBA).
- To respond to feedback, queries and complaints that you submit through our feedback form.
- Facilitating business operations including information technology systems.
- Providing marketing information through communication channels such as email, texts, and other platforms. (Where you have provided specific consent and opted in/subscribed to receiving CIC Insurance marketing, products and services information, we will send you communication we think will be of interest to you. You can unsubscribe/opt out of our marketing communication by clicking ‘Unsubscribe’ on the footer of a CIC Insurance marketing e-mail or any other marketing communication received.)
To personalize and improve our services, including to provide or recommend features, content, and advertisements. Where this is the case, we will take appropriate measures to protect your personal information in accordance with this Privacy Statement.
- Legal Justification for Our Use of Personal Data
The primary purpose for collecting and processing your personal data is to perform contractual and statutory tasks related to management of the financial products/solutions you have with us. We will also process your data in connection with other tasks as required by law and statutory regulations. In addition to these, personal data may be used in product and service development.
We commit to always identify and document without prejudice the lawful basis of processing your personal data for each specific purpose and put necessary security measures to ensure safeguarding of your personal data and the lawful purpose consented to always applies.
- How We Store and Protect Your Data
We have put in place appropriate physical, legal, technical and organizational safeguards to protect the personal data we collect in connection with our services. Such measures include but are not limited to requiring confidentiality from employees and other persons authorized to handle personal data and implementing information technology security measures such as system rights, audit trails and firewalls.
You should be aware that the Internet is not a secure form of communication and sending and receiving information over the Internet carries with it risks including the risk of access and interference by unauthorized third parties. We do not accept responsibility or liability for the confidentiality, security or integrity of your Personal Data in connection with its transmission over the Internet.
- Disclosure of Personal Data.
CIC undertakes to keep your personal data confidential. Where it is necessary to satisfy the purpose for which it was collected, or as may be required by law, CIC will share your data with third parties.
PURPOSE OF PROCESSING
Establishing a client relationship, including fraud, anti-money laundering and sanctions checks
Checking credit where we are taking any credit risks.
Legitimate interests of CIC (to ensure that the client is within our acceptable risk profile and to assist with the prevention of crime and fraud)
Credit Reference Agencies
Evaluating the risks to be covered and matching to appropriate insurer, policy and premium
General client care, including communicating with client
Collection/refunding of premiums, paying on claims, and processing and facilitating other payments
Debt Recovery Providers
Managing insurance claims
Third parties involved in handling or otherwise addressing the claim, such as health care professionals
Defending or prosecuting legal
Third parties involved in the investigation or prosecution, such as private investigators
Contacting you in order to arrange the renewal of the insurance
THROUGHOUT THE INSURANCE LIFECYCLE
Marketing analytics and direct marketing, including data.
General risk modelling
Complying with our legal or
OTHER FINANCIAL SERVICES
Sale of Land
Asset Management / Investment
CIC Group shall not disclose your personal information to any third parties such as service providers other than with your prior consent, for a legitimate reason or for the performance of a contract.
In order to facilitate the provision of our financial solutions including asset management, investment, insurance cover, and administer insurance claims, we rely on the data subject’s consent to process personal sensitive information, such as medical records and financial information. This consent allows us to share the information with other Insurers, Intermediaries and Reinsurers that may need to process the information in order to undertake their role in the insurance market (which in turn allows for the pooling and pricing of risk in a sustainable manner).
You understand that by using our site services and our products you agree to be bound by this statement of privacy. If you agree to this statement on behalf of an entity, you represent and warrant that you have the authority to bind that entity to our privacy statement by using our products and/or accessing our site. If you do not accept it in its entirety, you must inform us immediately, indicating what part of our privacy statement you are not agreeable to.
The affected individual’s consent to this processing of personal information is a necessary condition for CIC to be able to provide the services the client requests. Where you are providing us with information about a person other than yourself, you agree to notify them of our use of their Personal Data and to obtain such consent for us.
Individuals may withdraw their consent to such processing at any time. However, doing so may prevent CIC from continuing to provide the services. In addition, if an individual withdraws consent to an Insurer’s or Reinsurer’s processing of their Personal Data, it may not be possible for the insurance cover to continue.
- Cross-border Transmission of Your Personal Data
Your data is primarily stored in our data centers located within Kenya, and some data is stored in the cloud and accessed in other jurisdictions. In as much as some of these jurisdictions may not always offer the same level of protection for personal data as offered in Kenya, we will ensure an appropriate level of protection by the recipient of the data when we transmit your data outside Kenya.
If we transfer Personal Data to other countries outside Kenya, we will establish legal grounds justifying such transfer, such as individuals’ consent, or other legal grounds permitted by applicable legal requirements.
Prior to transferring personal data outside Kenya, we shall ascertain that the transfer is based on the provided legal and regulatory standards. Circumstances in which we may transfer your personal data outside are highlighted in the table below;
There being appropriate data protection safeguards with respect to the security and protection of personal data in respect to the jurisdiction to which the data is being transferred to.
Storage of your personal data in a cloud whose data server is located in one of the European countries that has implemented the General Data Protection Regulation (GDPR).
An adequacy decision having been made by the Office of the Data Commissioner
Where the Data Commissioner has published a list of countries which have appropriate data protection safeguards, and we decide to store your data in that jurisdiction in furtherance to our legitimate interest.
When we reinsure your risk as part of our legitimate interest and the reinsurance company requests for your personal data in respect to the insurance policy
When following your express consent, we transfer your personal data to another jurisdiction.
- Retention of Personal Data
Personal Data is retained as long as necessary for the purpose for which it is collected and to meet legal, regulatory and operational requirements. Retention periods may differ for each insurance policy taken. At the end of the retention period, non-identifiable data is kept for management information purposes. CIC Group has also put in place a Data Retention Policy in line with Data Protection law.
CIC Group may also retain your contact information for the purposes of inviting you to renew any of your insurance policies from time to time and may use your contact to send you notifications notifying you of our various products, renewal notices and claim updates.
You are responsible for the confidentiality of any password you have put in place to allow you to access certain products or services. Please note our customer service agents will never request you to share your password.
- Your Data Protection Rights
We will collect, process and store your personal data in accordance with your rights under the Data Protection Act and attendant Regulations. Under certain circumstances, you have the following rights in relation to your personal data:
DESCRIPTION OF RIGHT
Right to object to processing of personal data – You have a right to object to the processing of your personal data. In implementation of this right, you shall use the statutory form “Request for restriction or objection to the processing of personal data” provided in our website.
The right is not an absolute right and we can reject the request where we demonstrate that we have justifiable reasons for processing that would negate your interests e.g. when we are required by a government agency exercising their legal mandate to provide your personal data against your request not to avail the same or in our defense of a legal claim. We will always inform you when we have declined your request and provide the reasons. This right is however absolute when it relates to direct marketing.
Right to restrict processing of personal data – You have the right to request the suspension of processing of your personal data in certain circumstances. In implementation of this right, you shall use the statutory form “Request for restriction or objection to the processing of personal data” provided in our website
This right is not an absolute right and shall be available when.
Right to access personal data – You have the right to access your personal data and obtain information of how the said personal data is used and processed. In implementation of this right, you shall use the statutory form “Request for access to personal data” provided in our website
You may access your personal data through our Self-Service Portals. Should you want to access your personal data in any other format, you may use the form subject to availing us available notice and other circumstances as shall be communicated by us to you.
Right to rectification of personal data– You have the right to request your personal data to be corrected in instances of inaccuracy or incompleteness. In implementation of this right, you shall use the statutory form “Request for rectification” provided in our website.
The right is available always subject to the discretion accorded to us to decline with reasons
Right to data Portability – You have the right to receive your personal data in a structured, commonly used and machine-readable format to transmit the said personal data obtained to another third party without any hindrance. In implementation of this right, you shall use the statutory form “Request for Data Portability” provided in our website
This right is available always provided that it is technically feasible for us to provide the personal data in the required format.
Right to erasure – This right is sometimes referred to as “the right to be forgotten” and entitles you to request deletion or removal of your personal data from our records. In implementation of this right, you shall use the statutory form “Request for erasure of personal data” provided in our website
Right of erasure does not apply if processing of your personal data is necessary for one of the following reasons.
Right to complain to the Office of the Data Commissioner
This right is available always.
Right to withdraw consent to processing of personal data.
This right only applies where personal data is processed based upon your consent.
Rights relating to automated decision making and profiling – You have a right not to be subjected to a decision based solely on our automated processing, including profiling, which legally and significantly affects you.
This right is not applicable when a decision is:
In exercising your right as provided above, we may request specific information from you to help us confirm your identity. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Queries and concerns about your rights should be addressed to CIC Group Plc, CIC Plaza, Mara Rd, Upper Hill P.O Box 59485 – 00200 Nairobi or E-mail: firstname.lastname@example.org
- Enforcing Your Rights
If you wish to enforce any of your rights as highlighted above as provided under the Data Protection Act and attendant Regulations, then please contact us on our details in clause 16 below. You may use the various statutory forms made available by us and we will respond to your request without undue delay and within the statutory timelines.
If you feel we have not complied with your right to privacy and other provided rights regarding your personal data, you have a right to complain to us through the provided tool available on our website or you may pay us a visit and fill the complaint form and we shall endeavor to resolve such a complaint. You however have the right to contact the Office of the Data Commissioner or such other data supervisory authority in the jurisdiction we operate in.
The cookies policy on our websites and apps gives you more information on cookies, how and where we use them, and how you can control them.
- Changes to This Data Privacy Statement
CIC Group reserves the right to change the provisions of this Privacy Statement at any time. Where the changes will have a fundamental impact on the nature of the processing of your data or your rights, we shall notify you in advance. We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the “effective date” at the top of this Privacy Statement.
Your use of the Website and applications following the posting of such revised Statement shall constitute your acceptance of any such changes. We encourage you to review our Privacy Statement whenever you visit the Website and application(s) to guarantee your understanding of how your information may be collected, processed and used.
- Contact Information
If you have any queries relating to your personal data and/or this Privacy Statement, contact us through DataProtectionOffice@cic.co.ke
Our address for purposes of data processing is;
Data Protection Officer
The CIC Group Plc
CIC Plaza, Mara Road, Upper Hill
P.O. Box 59485 – 00200 Nairobi, Kenya
Tel 020 282 3000, 0703 099 120
email@example.com | www.cic.co.ke