Data Protection Notice
DPN for all UK, Isle of Man and Republic of Ireland Company websites
Canada Life Limited, Canada Life International Limited, CLI Institutional Limited, Canada Life International Assurance (Ireland) DAC, Canada Life Asset Management Limited, Canada Life European Real Estate Limited, Stonehaven UK Limited and Canada Life Platform Limited, (referred to as ‘Canada Life’, ‘we’, ‘us’ or ‘our’ in this DPN) take their privacy obligations very seriously.
You may interact with Canada Life in any one (or more) of the following capacities: as data controller, a policyholder, joint policyholder, employer policyholder, trustee, insured person, professional adviser, beneficiary, next of kin, personal representative, executor claimant, or member. No matter in which capacity you interact with Canada Life, you will be referred to as ‘you’ or ‘your’ in this DPN. Any personal data about yourself (provided by you or about you by another party) or which you provide about someone else will be treated in accordance with the applicable laws and regulations in any relevant jurisdiction relating to privacy or the use or processing of personal data of each respective Canada Life entity.
Using personal data
We use your personal data to undertake activities relating to the setting up, administration and renewal of our Investment, Pension, Life and Equity Release policies, products and services. This includes processing applications and handling any claims. For the majority of our business we will rely on the performance of our contractual arrangements with you as the legal basis for processing.
We do not use personal data for marketing purposes, and we do not make your personal data available to third parties for the purpose of direct marketing. For business-to-business marketing purposes we do use personal data of institutional investors, professional investors and advisers.
We may use underwriting software to process some applications and quotations; this may include an element of automated decision making, taking into account the Special Categories of Personal Data provided. We may make decisions about you based on automated decision making, considering the answers to the medical conditions and any existing medical conditions. These help determine eligibility and terms of the policy and may be referred to in the event of a claim.
We will occasionally use images, video and audio of employees, contractors and participating stakeholders in connection with our business activities, and will give all affected employees, contractors, professional advisers, members and policyholders reasonable notice of the collection of such data. This data may be sent to or included in different formats, including but not limited to email, websites, social networks and printed materials.
Exceptionally, we may rely on our legitimate interests to process your personal data. When we do, we will demonstrate compelling legitimate grounds for doing so. For employer-related group insurance products, the Data Protection Act (DPA) permits appropriate information about employees to be provided by an employer to an insurer without individual consent (including details of long-term absentees, current and previous claimants, and medical underwriting decisions). The DPA permits that members may individually withdraw their consent. In those instances, Canada Life will be unable to provide cover for that individual.
We rely on legitimate interest to process your personal data for statistical analysis, which helps us to improve our processes, products and services. The purpose of this statistical analysis is not to make decisions about you directly, but to undertake data analysis to help us to improve our processes, our products and services. Additionally, we will process your personal data to undertake market research, including customer feedback surveys. To maximise the security of your information, we pseudonymise your personal information where possible. This means removing information from which you can be directly identified.
When medically underwriting or assessing a claim we will use the information provided by you or received from someone else and obtain consent if we require information from medical professionals.
Canada Life Asset Management Limited and Canada Life European Real Estate Limited use personal data to undertake activities relating to the sales, marketing, setting up, evaluation, verification, and administration of our products and services. These products and services include but are not limited to:
• making commercial loans available;
• Investment Management relating to collective investment vehicles; and/or
• acting as a landlord and providing services in that capacity.
We may obtain data from you from our website, from one of our partners (or the means identified below in the sharing personal data section of this notice) or from you directly (for example, if you contact us by telephone, in writing by post or email or in person). Telephone calls may be recorded for training and monitoring purposes, and to comply with applicable law and regulations. We collect information through “Cookies” to improve your experience of our website but not for the purposes of sales and marketing.
Sharing personal data
We share personal data only on the basis of the purposes for which it was collected. This notice is intended to illustrate the instances where data may be shared. However, we will share your data only for the limited and compatible purposes for which it was originally obtained:
• with other Canada Life group companies including those outside the European Economic Area (EEA) and countries that have an EU adequacy decision, which is a country that the European Commission has decided has adequate protection;
• personal data collected via professional advisers including quotation requests and application forms will be shared within the Canada Life group of companies to provide professional advisers with product information which may be relevant for their client’s needs and requirements;
• with any of our service providers including, funding providers, solicitors, reinsurers and / or regulators;
• with any of our partners which provide certain fund, custodian, depositary and corporate administration services and related products, such as Waystone Management (UK) Limited;
• in the context of a lending relationship with other lenders or finance parties involved in the relationship;
• in the context of our relationship with our landlords, tenants, borrowers and suppliers (where necessary to the relationship, for example for monitoring compliance with the loan terms or headlease terms);
• with selected third-party suppliers for the purposes of statistical analysis to help us improve our products, services and processes;
• with selected third-party research agencies and providers of market research services, including customer feedback surveys;
• with selected third-party agents, suppliers, operators, managers, sub-contractors, service providers and advisers who act on our behalf to help us administer our products and services including but not limited to such firms that:
- undertake property valuations or provide specialist property consultancy advice;
- manage our property portfolio;
- provide us with legal or audit advice;
- debt recovery services;
- insolvency services;
- security services (including providers of databases to prevent financial crime, telephone interception services, building access systems, closed circuit television services, automatic number plate recognition services or other surveillance services);
- event management services; and
- providers of systems that manage and store data;
• to facilitate actual or proposed sales, transfers, assignments, mergers or other dispositions of parts or the whole of our business, or our assets and to facilitate acquisitions of businesses or other assets, subject to customary obligations to keep such information confidential and secure;
• in any circumstances if permitted or required to do so by law or regulation, where required by any court of competent jurisdiction (or any competent judicial body, tribunal or arbitral body of any kind) or to comply with a judicial proceeding or legal process;
• with other insurers and government agencies, including without limitation His Majesty’s Revenue and Customs (HMRC), Department of Work and Pensions (DWP), the Isle of Man Income Tax Division and the Revenue Commissioners;
• in order to prevent, detect or investigate financial crime including fraud or other criminal activity, we may share your data with other companies (including private investigators), organisations (including fraud prevention agencies and databases), public bodies (including the police) and associations and credit reference agencies;
• we will not share your medical information with anyone other than yourself without your consent except as described in the next bullet point. This includes your employer, spouse, other relatives, friends or your legal or professional adviser. In some circumstances, it may be appropriate to advise your employer about your medical information, for example, to recommend alternative supportive therapy. However, we will seek your consent in such circumstances;
• for employer-related products and services only, some medical information related to underwriting decisions and non-medical information about you necessary for lawful policy and claim administration purposes will be shared with your employer;
• we will not share non-medical information concerning you with your spouse, other relatives, friends or your legal or professional adviser unless you provide your consent to us in writing;
• for insurance related products, with your own doctor or relevant medical professionals; and/or in any circumstances if permitted or required to do so by law or if we have your consent to do so.
International Transfers
Given the global nature of our business, we use third party suppliers and outsourced services (including cloud-based services), which can require transfers of personal data outside of the EEA and countries that have an EU adequacy decision. In doing so, we ensure there are contractual arrangements in place with those organisations who have organisational and technical measures to protect your personal data.
We will only transfer data outside of the EEA and countries that have an EU adequacy decision if there is an appropriate legal basis for doing so. Although this list may change from time to time, we may transfer personal data to the following countries outside of the EEA and countries that have an EU adequacy decision:
- Barbados
- Bermuda
- Cayman Islands
- Hong Kong (branch)
- India
- USA
In relation to our annuity book, communication with annuitants will necessitate correspondence in any global country (depending upon the annuitant’s location) for the purposes of our activities.
In relation to any claims commenced whilst abroad, communication with medical professionals, authorities, tax offices, embassy staff and surveillance will necessitate correspondence in any global country (depending on the location of the claimant) for the purposes of our activities.
Retention of your personal data
We will keep your personal data only for so long as is necessary and for the purpose for which it was originally collected, in particular for so long as there is any possibility that either you or we may wish to bring a legal claim, or where we are required to keep your personal data due to legal or regulatory reasons. Each Canada Life department has a departmental ‘Records Retention and Disposal Guide’ (RRDG), which defines the length of time that records processed by that department are retained before deletion.
Fraud prevention and detection
In order to prevent and detect fraud it may be necessary to:
• share information about you with other organisations (including private investigators) and public bodies (including the Police).
• check and/or file your details with fraud prevention agencies and databases.
If false or inaccurate information is provided and fraud is identified, details will be passed to fraud prevention agencies. Law enforcement agencies may access and use this information. We and other organisations may also access and use this information to prevent fraud and money laundering, for example when:
– Checking details on applications for credit and credit-related or other facilities.
– Managing credit and credit-related accounts or facilities.
– Recovering debt.
– Checking details on proposals and claims for all types of insurance.
– Checking details of job applicants and employees.
We and other organisations may access and use information recorded by fraud prevention agencies from other countries.
Employer-related products (Group Insurance)
Group Insurance products are policies taken out by an employer to provide cover for its employees. We need certain data to enable us to administer these insurance policies.
Canada Life requests basic personal data to be provided by an employer for the administration of a Group Insurance policy. In addition, for pricing purposes, we will also require details of long-term absentees, current and previous claimants, and medical underwriting decisions.
The DPA permits appropriate information about employees to be provided by an employer to an insurer without individual consent. This includes details of long-term absentees, current and previous claimants, and medical underwriting decisions.
The Act allows an individual to specifically withdraw their consent for this transfer of data. If an individual does withdraw their consent, Canada Life will not be able to provide cover for that individual.
Canada Life will not use this data to market directly to individuals or pass this data to other parts of our company in order to market directly to individuals.
There are circumstances where we will require more information from you, such as medical details to assess a claim or underwrite a particular benefit. In these circumstances, we will ask for your explicit consent to process this data.
We use an underwriting engine to process some applications and quotations which will use an element of automated decision making. This does not apply to claims assessment or to medical underwriting.
Medical Information in employer-related products and services
- Canada Life will not share your medical information with anyone other than yourself without your consent. This includes your employer, spouse, other relatives, friends or your legal advisor. In some circumstances, it may be appropriate to advise your employer about your medical information, for example, to recommend alternative supportive therapy. However, Canada Life will obtain your consent in such circumstances.
Non-Medical Information in employer-related products and services
- Canada Life will not share non-medical information concerning you with your spouse, other relatives, friends or your legal advisor unless you provide your consent to us in writing. Non-medical information about you will be shared with your employer only for lawful policy and claim administration purposes.
Appointed Representatives
- We recognise that we will need to communicate with appointed legal representatives and/or attorneys where the contractual formalities permit third parties to act in your interests.
Insurance related
- Canada Life will share your data with your own doctor or relevant medical professionals for insurance related products.
Actuarial pricing and mortality
The nature of our business is to provide investments, life and pensions cover, critical illness, income protection and employer-related group products. To do this we need to use the personal data provided to carry out analysis of actuarial risks (risks of gains or losses), mortality and morbidity risks and pricing. This will be carried out in accordance with the Institute & Faculty of Actuaries’ data handling protocols.
Online data capture
Communicating, interacting or applying to us online: we may gather location data and online identifiers which may identify you, such as your internet protocol (IP) address (the unique personal address which identifies your device on the internet) and mobile device IDs.
Our legal grounds for using your data
For processing personal data and special categories of personal data

| Legal ground | Details |
| --- | --- |
| Performance of our contract with you or an employer | For the majority of our activities, we will rely on the performance of our contractual arrangements with you. Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract. |
| Compliance with a legal obligation | Processing is necessary for compliance with a legal obligation to which we are subject. |
| In the public interest | Processing is necessary for the performance of a task carried out in the public interest. |
| For our legitimate business interests | Exceptionally, we may rely on our legitimate interests to process your personal data. When we do so, we will demonstrate compelling legitimate grounds for doing so. This includes sending professional investors, advisers and institutional investors information about relevant products and events. With selected third-party suppliers, for the purpose of conducting statistical analysis and market research services including customer feedback on our behalf. Where processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where you are a child. |
| Your explicit consent (optional) | You have given your explicit consent to the processing of those personal data for one or more specified purposes. You are free to withdraw your consent, by contacting our Data Protection Officer. |
| Your explicit consent (necessary) | You have given your explicit consent to the processing of those personal data for one or more specified purposes, where we are unable to procure, provide or administer insurance cover without this consent. You are free to withdraw your consent by contacting our Data Protection Officer. However, withdrawal of this consent will impact our ability to provide insurance or pay claims. |
| For health services | Processing is necessary for the purposes of preventive or occupational medicine, for medical diagnosis, the provision of health or social care or treatment on the basis of EU or UK law or pursuant to contract with a health professional who is under legal or professional obligations of secrecy. |

- We will only share your data in any circumstances where we are permitted or required to do so by law or if Canada Life has your consent to do so.
Non-EU entities
On 31 January 2020 the UK left the European Union (‘EU’), ceasing to be a member. EU law requires that all entities processing the data of EU citizens that are not established in the EU designate in writing a Representative in the EU to be addressed in addition to or instead of that entity by EU citizens on all issues related to data processing. In order to meet our requirements, any Canada Life entity listed above that is not established in the EU and which processes the personal data of EU citizens has designated Canada Life Irish Holding Company Limited, an Irish registered entity within the Canada Life group, as its Representative. The Representative may also be called upon to cooperate with competent supervisory authorities with regard to ensuring compliance with the General Data Protection Regulation (‘GDPR’).
Contractual clauses in place between Canada Life and its group entities and external suppliers are compliant with the GDPR, which ensures that personal data provided to Canada Life is processed in accordance with our instructions and the requirements of the GDPR. Canada Life will continue to follow and apply all appropriate data protection legislation.
YOUR RIGHTS AND CONTACT DETAILS OF THE INFORMATION COMMISSIONER’S OFFICE (ICO)
You may have the right to require us to:
• provide you with further details on the use we make of your personal data or your special categories of data;
• provide you with a copy of the personal data that you have provided to us or which we hold;
• update any inaccuracies in the personal data we hold;
• delete any special category of data or personal data for which we no longer have lawful grounds to use;
• cease processing of your personal data that is based on consent, by withdrawing your consent to that particular processing;
• cease any processing based on legitimate interests’ grounds, unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights; and
• restrict how we use your personal data whilst a complaint is being investigated.
We reserve the right to amend or modify this DPN at any time and in response to any changes in applicable Data Protection and privacy legislation. If we decide to change our DPN, we will post these changes on our website so that you are aware of the information we collect and how we use it at all times.
Data Protection Officer (DPO)
If you have any questions, or complaints, in relation to our use of your personal data, you should first contact the appropriate DPO, on the details below:
For Canada Life Limited, Canada Life Asset Management Limited, Canada Life European Real Estate Limited, Canada Life Platform Limited and Stonehaven UK Limited: Canada Life Place,
For Canada Life International Limited or CLI Institutional Limited: Canada Life House
For Canada Life International Assurance (Ireland) DAC: Irish Life Centre
In the unlikely event that you are dissatisfied with our response, you have the right to take the matter up with the appropriate national regulator whose addresses are:

| Jurisdiction | Regulator | Telephone | Email |
| --- | --- | --- | --- |
| England | Information Commissioner's Office | 0303 123 1113 (local rate) or 01625 545 745 (national rate) | casework@ico.org.uk |
| Scotland | Information Commissioner's Office | 0303 123 1115 | scotland@ico.org.uk |
| Wales | Information Commissioner's Office | 0330 414 6421 | wales@ico.org.uk |
| Northern Ireland | Information Commissioner's Office | 0303 123 1114 (local rate) or 028 9027 8757 (national rate) | ni@ico.org.uk |
| Ireland | Data Protection Commission | +353 1 7650100 or +353 57 8684800 | info@dataprotection.ie |
| Isle of Man | Information Commissioner | +44 1624 693260 | ask@inforights.im |

This DPN is dated 31st March 2024. Any future updates will be made available as described above.