IOMA GROUP’S PRIVACY POLICY

This Privacy Policy is issued by the IOMA group of companies (collectively referred to as “IOMA”, “Group”, “IOMA Group”, “we”, “us” and “our” in this Privacy Policy) that operate in the Isle of Man.

BACKGROUND

Your information will be held by Isle of Man Assurance Limited, Isle of Man Insurance Management Limited and IOMA Horizons Limited, which are part of the IOMA Group. This privacy notice is to let you know how companies within the Group promise to look after your personal information. This includes what you tell us about yourself, what we learn by having you as a customer, and the choices you give us about what marketing you want us to send you. This notice also tells you about your privacy rights and how the law protects you.

CONTENT

1. POLICY OVERVIEW

2. ABOUT US

3. WHAT INFORMATION DO WE COLLECT ABOUT YOU AND HOW DO WE COLLECT IT?

4. IN WHAT CIRCUMSTANCES DO WE NEED TO COLLECT YOUR SENSITIVE INFORMATION?

5. HOW THE LAW PROTECTS YOU

6. HOW WE USE YOUR INFORMATION

7. HOW WE SHARE YOUR INFORMATION OUTSIDE OF THE IOMA GROUP

8. MARKETING

9. OUR SITE AND COOKIES

10. YOUR RIGHTS

11. WHERE IS YOUR INFORMATION?

12. HOW WE LOOK AFTER YOUR INFORMATION

13. HOW LONG WE KEEP YOUR INFORMATION FOR

14. HOW TO CONTACT US

1. POLICY OVERVIEW

1.1 Scope of this policy

This Privacy Policy relates to our use of any personal information we collect from you via the following services:

• Any IOMA Group website that links to this Policy (“Websites”); or
• Social media or IOMA content on other websites.

It also relates to our use of any personal information we collect through other means, such as:

• Email
• In person
• Other third party sources.

We’ve approached our Privacy Policy with brevity and clarity in mind. We’re happy to provide any additional information or explanation needed and/or answer any questions you may have (please refer to the “ABOUT US” section below).

1.2 Policy updates

We keep this Privacy Policy under regular review to make sure we’re being transparent about how we use your personal information. Any changes to our Privacy Policy will be reflected at www.iomagroup.co.im/privacy.html

2. ABOUT US

2.1 Who are we?

We are the IOMA group of companies that operate in the Isle of Man. For a full list of these companies please click on the following link: www.iomagroup.co.im/companies. You’ll find our registered address below. We will let you know which company you have a relationship with when you take out a product or service with us.

2.2 Who’s the Data Controller?

For the purposes of data protection laws, we are the “data controller” of all personal information that we collect, use and/or otherwise process about you under this Privacy Policy.

2.3 How to contact us

If you have any questions about this Privacy Policy or the ways in which we handle your personal information, please contact us as follows:

FAO: The Data Protection Officer
Address: IOMA House, Hope Street, Douglas, Isle of Man IM1 1AP
Email: data.protection@iomagroup.co.im

3. WHAT INFORMATION DO WE COLLECT ABOUT YOU AND HOW DO WE COLLECT IT?

3.1 What types of information do we collect about you?

The type of information we collect about you depends on the nature of your interactions with us. Depending on the circumstances, we may receive or collect personal information about you, when you contact IOMA for example by doing any of the following:

Data you give to us:

• When you apply for our products and services
• When you talk to us on the phone or in our offices
• When you use our websites or mobile device apps
• In emails and letters
• In insurance claims or other documents
• In customer surveys
• When you apply for a job with the IOMA Group

Data we collect when you use our services:

• Payment and transaction data.
• Profile and usage data. This includes the profile you create to identify yourself when you connect to our internet, mobile and telephone services. It also includes other data about how you use those services. We gather this data from devices you use to connect to those services, such as computers and mobile phones, using cookies and other internet tracking software.

Data from third parties we work with:

• Companies that introduce you to us
• Financial advisers
• Brokers and intermediaries
• Credit reference agencies
• Insurers
• Comparison websites
• Fraud prevention agencies
• Employers
• Payroll service providers
• Public information sources such as UK Companies House and the IOM Companies Registry
• Banks
• Market researchers
• Medical practitioners
• Government and law enforcement agencies.

3.2 Personal information about others

We may collect information about other members of your household or family, for example, family members on whose life you take out a life insurance policy or who may be beneficiaries of a trust established by you. If you give us information about another person it is your responsibility to ensure and confirm that:
• you have told the individual who we are and how we use personal information, as set out in this Privacy Policy; and
• you have permission from the individual to provide that personal information (including any sensitive personal data) to us and for us to process it, as set out in this Privacy Policy.

4. IN WHAT CIRCUMSTANCES DO WE NEED TO COLLECT YOUR SENSITIVE INFORMATION?

In certain circumstances, we will collect information that is deemed sensitive. This is most likely to include:

• Information about your health (for example if you ask us to provide you information in connection with an insurance claim); and/or

• Information about any criminal record you may have.

We seek to limit any sensitive personal data that we collect and, unless we have other specific lawful reasons to use this information (such as in an emergency situation), we will ask for your consent to collect it.

5. HOW THE LAW PROTECTS YOU

Your privacy is protected by law. This section explains how that protection works.

Data protection law states that we are only allowed to use personal information if we have a proper reason to do so. This includes sharing it outside the IOMA Group. The law states that we must have one or more of the following reasons:

• When you consent to it; or
• To fulfil a contract we have with you, or
• When it is our legal duty, or
• When it is in our legitimate interest.

A legitimate interest is when we have a business or commercial reason to use your information. But even then, it must not unfairly go against what is best or right for you. If we rely on our legitimate interest, we will tell you what that is.

Here is a list of the ways that we may use your personal information, and which of the reasons we rely on to do so. This is also where we tell you what our legitimate interests are.


What we use your personal information for:
• To manage our relationship with you or your business.
• To develop new ways to meet our customers’ needs and to grow our business.
• To develop and carry out marketing activities.
• To study how our customers use products and services from us.
• To provide guidance about our products and services.

Our reasons:
• Your consent.
• Fulfilling contracts.
• Our legitimate interests.
• Our legal duty.

Our legitimate interests:
• Keeping our records up to date, working out which of our products and services may interest you and informing you about them.
• Developing products and services, and what we charge for them.
• Identifying types of customers for new products or services.
• Seeking your consent when we need it to contact you.
• Being efficient about how we fulfil our legal duties.


What we use your personal information for:
• To develop and manage our products and services.
• To manage how we work with other companies that provide services to us and our customers.

Our reasons:
• Fulfilling contracts.
• Our legitimate interests.
• Our legal duty.

Our legitimate interests:
• Developing products and services, and what we charge for them.
• Identifying types of customers for new products or services.
• Being efficient about how we fulfil our legal and contractual duties.


What we use your personal information for:
• To deliver our products and services.
• To administer customer payments.
• To administer fees, charges and interest due on customer accounts.
• To collect and recover money that is owed to us.

Our reasons:
• Fulfilling contracts.
• Our legitimate interests.
• Our legal duty.

Our legitimate interests:
• Being efficient about how we fulfil our legal duties.
• Complying with law and regulation that apply to us.


What we use your personal information for:
• To identify, investigate, report, and seek to prevent financial crime.
• To manage risk for us and our customers.
• To obey laws and regulations that apply to us.
• To respond to complaints and seek to resolve them.

Our reasons:
• Fulfilling contracts.
• Our legitimate interests.
• Our legal duty.

Our legitimate interests:
• Developing and improving how we deal with financial crime, as well as doing our legal duties in this respect.
• Complying with regulations that apply to us.
• Being efficient about how we fulfil our legal duties.


What we use your personal information for:
• To run our business in an efficient and proper way (e.g. audit, managing our business capability, finances, planning, communications and corporate governance).

Our reasons:
• Our legitimate interests.
• Our legal duty.

Our legitimate interests:
• Complying with regulations that apply to us.
• Being efficient about how we fulfil our legal duties and contractual duties.


What we use your personal information for:
• To exercise our rights contained in agreements or contracts.

Our reasons:
• Fulfilling contracts.


Groups of personal information

We use lots of different types of personal information, and group them together like this.


Type of personal information: Description

Financial: Your financial position, status and history.

Contact: Where you live and how to contact you.

Socio-Demographic: This includes details about your work or profession, nationality, education and where you fit into general social or income groupings.

Transactional: Details about payments to and from your accounts with us, and insurance claims you make.

Contractual: Details about the products or services we provide to you.

Locational: Data we get about where you are, such as may come from your mobile phone or the address where you connect a computer to the internet.

Behavioural: Details about how you use our products and services.

Technical: Details on the devices and technology you use.

Communications: What we learn about you from letters, emails, and conversations between us.

Open data and public records: Details about you that are in public records such as Isle of Man Companies Registry and UK Companies House, the UK Electoral Register, and information about you that is openly available on the internet.

Usage data: Other data about how you use our products and services.

Documentary data: Details about you that are stored in documents in different formats, or copies of them. This could include things like your passport, driver's licence, or birth certificate.

Special types of data: The law and other regulations treat some types of personal information as special. We will only collect and use these types of data if the law allows us to do so:
• Racial or ethnic origin
• Religious or philosophical beliefs
• Trade union membership
• Genetic and biometric data
• Health data including gender
• Criminal convictions and offences.

Consents: Any permissions, consents, or preferences that you give us. This includes things like how you want us to contact you, whether you get paper statements, or prefer large-print formats.

National identifier: A number or code given to you by a government to identify who you are, such as a National Insurance number.

6. HOW WE USE YOUR INFORMATION

We may use information to:
•  Administer quotes and policies, including to:
   - assess your application for a product, service or quote,
   - understand your risk so we can offer you the best available price,
   - verify your identity and carry out anti-fraud or anti-money laundering checks,
   - provide you with premium and payment options,
   - administer your policy including updating you on and delivering our services,
   - handle claims,
   - deal with complaints, or
   - reconnect with you if you move house or change employer.

• Identify products which may be of interest to you and provide you with information about those products.

To improve our customer service. We may record calls to the IOMA Group and/or monitor calls for the purposes of improving our customer service, quality assurance, training, security and general business purposes (on the basis of our legitimate interest in improving our customer service).

To process your job applications. We will use your information to process any job applications that you submit to us, whether directly or via an agent or recruiter (speculatively or in response to any advertisement) (on the basis of our legitimate interest to recruit new employees or contractors).

To optimise our website. If you use our site, we will use your information to ensure that the content from our website is presented in an effective manner for you and your device, to provide you with access to our site in a manner that is effective, convenient and optimal, and to provide you with content that is relevant to you, using site analytics and research and in certain circumstances combining that with other information we know about you (on the basis of our legitimate interests to operate and present an effective and convenient website to our website users).

To ensure security and protect our business interests. In certain circumstances, we use your information to ensure the security of our services, building, and people, including to protect against, investigate and deter fraud, unauthorised or illegal activities, systems testing, maintenance and development (on the basis of our legitimate interests to operate a safe and lawful business or where we have a legal obligation to do so).

Sharing information across the IOMA Group. We may share and aggregate information about you from across the IOMA Group, including personal information held within the IOMA Group relating to other policies held with us, quotes or claims details and, depending on your preferences, we may use this information to:
   - help us identify products and services that may be of interest to you, and to tailor and package our products and services;
   - determine pricing and/or offer available discounts; and
   - conduct customer research and develop marketing campaigns.

To comply with legal and regulatory requirements. We may, as a matter of law, and without requiring notice or consent, use your information for crime and fraud prevention, systems administration within the IOMA Group and to monitor and/or enforce the Group’s compliance with any regulatory requirements.

7. HOW WE SHARE YOUR INFORMATION OUTSIDE OF THE IOMA GROUP

If you request a quote, or purchase a product or service, your personal information may be shared with and processed by companies within the IOMA Group, by introducers, intermediaries, reinsurers and agents, as well as the policyholder (for a corporate policy) and your broker or agent for the purposes of administration, including third parties providing services to them (as detailed above).

Your information may be disclosed when we believe in good faith that the disclosure is:

• required by law;
• to protect the safety of our employees, the public or IOMA property;
• required to comply with a judicial proceeding, court order or legal process;
• in the event of a merger, asset sale, or other related transaction; or
• for the prevention or detection of crime (including fraud).

We may also disclose your information to third party suppliers or service providers to conduct our business, for example, to help administer your policy, to assist in managing and storing data, provide data analytics, conduct market research and to communicate with you effectively. This may include any online or digital partners we work with, so we, or our online or digital partners on our behalf, can communicate with you through their platforms.

In addition, unless you opt out of receiving direct marketing, we may share your information with third parties who help run any marketing campaigns.

We may share your information with regulatory bodies in the Isle of Man (primarily the Isle of Man Financial Services Authority) or if applicable, in the UK or overseas (directly or via shared databases) to prevent and detect fraud.

Where we do share your information with third parties, we will wherever possible require them to maintain appropriate security to protect your information from unauthorised access or processing.

Consent

By providing your personal information to the IOMA Group you consent to the transfer of your personal information as described above.

If you choose not to give personal information

We may need to collect personal information by law, or under the terms of a contract we have with you.

If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform services needed to run your accounts or policies. It could mean that we cancel a product or service you have with us.

Any data collection that is optional would be made clear at the point of collection.

8. MARKETING

8.1 When you’ll hear from us

We may from time to time provide you with updates and offers for IOMA’s products and services via marketing tailored to you, whether through online services or by direct marketing (e.g. phone, e-mail, text, post); and use information we hold about you from across the IOMA Group to help us identify, tailor and package IOMA Group products and services, determine pricing and offer discounts that may be of interest to you.

We will only do this if you have indicated that you are happy to receive marketing communications from us – that is, if you have either:

• purchased products such as a pension, an offshore bond or general insurance policy from us and have not told us that you don’t want to hear from us; or

• signed up to receive marketing communications from us and have not later told us that you don’t want to hear from us.

We will not use sensitive personal details (such as information relating to your health record or any criminal issues) in order to provide you with marketing, discounts or pricing unless you have given your explicit consent to allow us to use this information for these purposes.

8.2 Opting out of or withdrawing your consent in relation to marketing

If you no longer want to hear from us, you can opt out or unsubscribe by:

• following the “unsubscribe” link contained in any marketing communications that you receive from us;
• emailing Updatecustomerdetail@iomagroup.co.im;
• phoning 01624 681200; or
• contacting us on the details given in section 2 above headed “ABOUT US”.

8.3 Third parties and marketing

We might rely on third parties to help us manage our marketing communications, but we won’t share your information with any third parties for their marketing purposes unless you agree to our doing so.

9. OUR SITE AND COOKIES

9.1 What we collect when you interact with our sites and apps

As you may already know, most websites collect certain information automatically about the way in which you interact with them. This might include your IP address, geographical location, device information (such as your hardware model, mobile network information, unique device identifiers), browser type, referral source, length of visit to the site, number of page views, the search queries you make, and similar information.

This information will be collected by us or by a third party site analytics service provider and will be collected using cookies.

As we’ve described above, we use this information to save your settings, such as the last product you searched for so you can find it easily the second time, help improve our functionality and services, run diagnostics, analyse trends, track visitor movements, gather broad demographic information and personalise our services.

9.2 What do we mean by “cookies”?

Cookies are small amounts of information in the form of text files that we store on the device you use to access our site or our marketing communications. Cookies allow us to monitor your use of our services and improve them. For example, a temporary cookie is used to keep track of your "session". Without that temporary cookie you will not be able to purchase products or other services that may be offered via our site.

We also use cookies for site analytics purposes and to monitor how customers interact with and receive our marketing communications (for example if you open a marketing communication and/or click on any of our offers). We use this information to try to improve the relevance and tone of our future communications to ensure we’re serving you as best as we can.

If you don’t want cookies to be installed on your device, you can change the settings on your browser or device to reject cookies. For more information about how to reject cookies using your internet browser settings, please consult the “Help” section of your internet browser or visit http://www.aboutcookies.org. Please note that if you do set your Internet browser to reject cookies, you may not be able to access all of the functions of the site.

10. YOUR RIGHTS

10.1 Overview of your rights

You have certain rights in respect of the personal information that we hold about you, including:

The right to be informed of the ways in which we use your information, as we seek to do in this Privacy Policy;

The right to ask us not to process your information for marketing purposes;

The right to request access to the information that we hold about you (known as a subject access request). We will take all reasonable steps to confirm your identity before providing you with details of any personal information we may hold about you;

The right to request that we correct or rectify any information that we hold about you which is out of date or incorrect;

In certain circumstances, the right to ask us to stop using information about you; and

The right to lodge a complaint about us to the Isle of Man Information Commissioner’s Office (https://inforights.im) or the relevant authority in your country of work or residence.

Please note that we reserve the right to retain certain information for our own record-keeping (for example, to ensure that you do not receive marketing communications that you have opted-out of receiving) and to defend ourselves against any claims. We may also need to send you service-related communications relating to the services that we provide to you even when you have requested not to receive marketing communications.

10.2 Some upcoming new rights…

From 25 May 2018, you will have certain additional rights in respect of the information that we hold about you, including:
• The right to withdraw consent that you have provided to us to use your personal information (refer to paragraph 5 to see when we are relying on your consent).
• The right to object to our using your information on the basis of our legitimate interests (or those of a third party), where there is something about your particular situation which makes you want to object to processing on this ground (see paragraph 5 above to see when we are relying on our legitimate interests).
• The right to receive a copy of any information we hold about you (or request that we transfer this information to another service provider) in a structured, commonly-used, machine-readable format, in certain circumstances.
• The right to ask us to limit or cease processing or erase information we hold about you in certain circumstances.

10.3 How to exercise your rights

Contacting us. You can exercise your rights by contacting us using the details in the “HOW TO CONTACT US” section below, or by ticking the applicable boxes on forms that we use to collect your information, or to tell us that you don’t want to participate in marketing.
• If you wish to remove your information from our marketing circulation lists, which include receiving marketing emails, you can unsubscribe by scrolling to the bottom of the email and clicking the ‘unsubscribe’ link.
• We will comply with your requests unless we have a lawful reason not to do so.

10.4 What we need from you to process your requests

Please be aware that we may need you to provide additional information (such as to confirm your identity and/or to confirm what information you wish to access) in order to process your request.

11. WHERE IS YOUR INFORMATION?

11.1 Our service providers and suppliers

We are based in the Isle of Man which is outside the European Economic Area (EEA). Information that we collect about you may be sent to and held by us in countries outside of the EEA including where we work with suppliers and service providers that are either based outside of the EEA or have servers based outside of the EEA.

11.2 Data transfers out of the EEA

If we send personal information to countries outside the European Economic Area (‘EEA’), there will be a contract in place to make sure the recipient protects the data to the same standard as the EEA. This may include following international frameworks for making data sharing secure.

11.3 Sending data outside of the EEA

We will only send your data outside of the European Economic Area (‘EEA’) to:

• Follow your instructions
• Comply with a legal duty
• Work with our agents and advisers who we use to help administer your insurance product and services.

If we do transfer information to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of these safeguards:

• Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA.
• Put in place a contract with the recipient that means they must protect it to the same standards as the EEA.
• Transfer it to organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to what is used within the EEA.

12. HOW WE LOOK AFTER YOUR INFORMATION

We are committed to protecting the confidentiality and security of the information that you provide to us and we put in place appropriate technical, physical and organisational security measures to protect against any unauthorised access or damage to, or disclosure or loss of, your information. For example we:

• Ensure the physical security of our offices.
• Ensure the physical and digital security of our equipment, devices and systems by mandating appropriate password protection, encryption and access restrictions.

• Are a “PCI DSS” compliant company, meaning that we apply certain high standards of security in respect of your payment information.

• Ensure appropriate access controls so that access to your information is only granted to those of our people that need to use it in the course of their work.

• Carry out regular penetration testing of our systems and third party reviews of our software.

• Maintain internal policies and deliver data protection and confidentiality training to make sure our people also understand their responsibilities in looking after your information and commit to taking appropriate measures to enforce these responsibilities.

12.1 Links to other sites and resources

Our site may from time to time contain content and links to other sites that are operated by third parties. Please note that we do not control these third party sites or the cookies that such third parties operate and this Privacy Policy will not apply to them. You should ensure that you consult the Terms of Use and Privacy Policy of the relevant third party site to understand how that site collects and uses your information and to establish whether and for what purposes they use cookies.

You should also be aware that communications over the internet, such as e-mails, are not secure unless they have been encrypted.

13. HOW LONG WE KEEP YOUR INFORMATION FOR

We will keep your personal information for as long as you are a customer of the IOMA Group. After you stop being a customer, we may keep your data for six years for one of these reasons:

• To comply with our legal and regulatory obligations
• To respond to any questions or complaints
• To show that we treated you fairly
• To maintain records according to rules that apply to us.

We may keep your data for longer than six years if we cannot delete it for legal, regulatory or technical reasons. We may also keep it for research or statistical purposes. If we do, we will make sure that your privacy is protected and only use it for those purposes.

14. HOW TO CONTACT US

For any questions or concerns relating to this Privacy Policy or our data protection practices, or to make a subject access request (see section 10.1 above), please contact us at:

The Data Protection Officer
Isle of Man Assurance Limited
IOMA House
Hope Street
Douglas
Isle of Man IM1 1AP
Email Address: data.protection@iomagroup.co.im

However, if you remain dissatisfied with our response, you have the right to take the matter up with the Isle of Man Information Commissioner’s Office (ICO). The ICO is an independent authority and the Isle of Man’s supervisory authority for information rights.

You can contact the Information Commissioner via the ICO website at https://www.inforights.im.

LAST UPDATED: 14 May 2018