BERMUDA DATA PRIVACY NOTICE

The policy of Enstar Group Limited and its subsidiaries (the “Company”) is to respect and protect the privacy of individuals whose information we process during the course of business, including personal information (which may also refer to genetic information or sensitive personal information) relating to candidates and employees (current and former), contractors, directors (including certain information about their spouse, dependents and emergency contacts where applicable), individual shareholders of the Company (where applicable), customers, claimants and visitors to our website.

This notice (the “Privacy Notice”) is intended to inform individuals about our use of your personal information in Bermuda, and in certain instances outside Bermuda, as well as provide clear and easily accessible information about our practices and policies with respect to your personal information. It does not form part of your contract with us (if any), nor does it confer any contractual rights and obligations on you or the Company. Our office in Bermuda can be found in the AS Cooper Building, 4th Floor, 26 Reid Street, Hamilton, Bermuda.

As an organization with a global presence, we are subject to various legal requirements for data protection. Our aim is to be as consistent as possible and, in addition to complying with the Personal Information Protection Act, 2016 (“PIPA”), obey all applicable laws in the countries where we operate, and apply the highest standard of privacy principles in our approach.

This Privacy Notice sets forth the Company’s policies and practices with respect to:

  • What types of personal information we may collect or process
  • How we may use your personal information
  • Who we may disclose or transfer your personal information to
  • How to contact us and exercise your rights including, among others, the rights to access, delete and update your personal information; and
  • How changes to this Privacy Notice will be made.

1. Types of Information

We may process the following types of personal information and sensitive personal information depending on the nature of our relationship with you:

  • Customer or claimant information:
    • Information including your name, address, contact details, and other details relating to your claim (which depending on the nature of the claim may include medical reports and reports of criminal convictions or crime reports) (“Claim Details”) that you, your employer, or an organisation which we insure, or a third-party claimant, provides to us in relation to the administration of an insurance or reinsurance policy with us.
    • Information relating to any request for assistance or support, including your name, address, contact details and details of any vulnerabilities (which may include medical reports) and financial information to support the claim.
    • Information you supply when you directly interact with us which may include call recording information.
  • Website visitors:
    • Details of your visits to our website and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, usage information and the resources that you access.
  • Staff information (including directors where applicable):
    • Employee or contractor-related data: your title, full name, gender, nationality and other immigration and work eligibility related information, civil or marital status, date of birth, personal contact details (e.g. address, telephone number, email), next of kin/dependent/emergency contact information, information required to make any reasonable adjustments, and any other information you disclose to your manager.
    • Information related to your employment relationship with the Company: work contact details (e.g. address, telephone number, email), bank information, work or office location (including when you are working from home), employee or worker classification, contract start and end dates, job title and description, working hours and patterns, whether you’re full or part time; salary and benefits data, including absence records and leave data (including information from your medical practitioner for example where sick leave is applicable); communication data such as emails, chats or other forms of communication; contract termination date; reason(s) for termination; your last day of work; exit interviews, status (active/inactive/terminated); reason for any job change and the date of change; benefit coverage information for you and any applicable dependents.
    • Recruitment data: information related to employment candidates, including names, gender, nationality, immigration and work eligibility status, professional information such as qualifications, references, CV and application details, interview and assessment data, vetting and verification information etc.
    • Data relating to HR processes: misconduct allegations, records of investigation proceedings and the outcomes, peer and managerial feedback, appraisals, internal talent management and succession planning, formal and informal performance management processes, flexible working processes, restructure and redundancy plans, consultation records, selection and redeployment data, health and safety audits, risk assessments, incident reports, data relating to training and development needs or training received, call sheets, contact lists, organizing travel and hotel bookings, insurance cover.
    • Due diligence information: identification documents such as copies of passport and driver’s license, address verification documents such as utility bills.
    • Employee and workplace monitoring related data: the Company conducts employee and workplace monitoring to ensure compliance with policies and procedures, and to maintain the effective operation and security of our business. This monitoring is conducted in a lawful manner and may include, but is not limited to, the use of surveillance cameras at building entrance points, monitoring of company-provided devices, emails, systems, and internet usage. For detailed information on the scope and purpose of monitoring, please contact [email protected].
    • Other information which may be collected during the normal course of employment, such as biometric information or genetic information from the recording of audio and/or video during the use of communications tools, or the use of door entry systems.

1.1. Sensitive personal information

To the extent permitted by applicable laws, we may also collect and process a limited amount of personal information falling into special categories, called “sensitive information”. For example, sensitive information may include, but is not limited to, the following types of information:

  • Information relating to any criminal or fraudulent activities provided to us by you or third parties (such as anti-fraud agencies or other insurers).
  • Health information you supply to us as part of the claims administration process and/or in the course of your employment and/or engagement with us.
  • Information used in fraud prevention or sanctions checking against public databases.

2. Sources

The Company may collect personal information in various ways depending on the circumstances and nature of our relationship. By way of example, we primarily collect information from the following sources:

  • Directly from you, for example during the course of a claim and/or to HR for onboarding and ongoing employment processes.
  • From authorised third parties who support our processing and handling of claims.
  • Books of insurance when assuming responsibility for administering related policies and claims.
  • From public sources for the purpose of anti-money laundering, and fraud detection, and to conduct other relevant background checks.
  • Our IT and email systems, to the extent you may use such systems e.g. in the course of your employment.
  • In respect of third-party information provided by our staff, e.g. their emergency contacts and/or dependents, we collect this from our staff directly. To the extent you provide us a third party’s personal information, you must first inform the individual of the purposes of its use – as described in this Privacy Notice – and bring this Privacy Notice to their attention. By providing the information you confirm that you are authorised to do so and/or you have obtained the individual’s consent to provide such information to us.

3. Why we process your information

We may use your personal information for the following purposes:

  • Policy administration
  • Claim processing
  • Providing payments
  • Compliance with applicable laws and regulations as well as security, and compliance with corporate financial responsibilities
  • When you visit our website, we may collect cookie information and information gathered from your browser such as IP address and location. Most browsers are initially set up to accept cookies, and you can control your cookie preferences through your browser settings (e.g. you can reset your browser to refuse all cookies or to indicate when a cookie is being sent). However, some website features and services may not function properly if your cookies are disabled. To learn more about cookies and links to manage their use on your browser please see our cookie policy. This Privacy Notice applies to our website and services that are owned by the Enstar group of companies. We do not exercise control over any third-party websites, even if they are linked on our website. These other websites may place their own cookies or other files on your computer, collect data or solicit personal information from you. We are not responsible for the privacy practices or content of these external sites, and we encourage you to review the privacy notices or policies of any third-party sites that you visit.
  • When we need to contact you for the purposes of administering our service to you
  • For fraud prevention, Know Your Client, and Anti Money Laundering purposes
  • To give us feedback (for example by completing a survey)
  • To administer our employment or contractual relationship with you

4. Lawful basis

The lawful basis on which we may process your personal information varies depending on the purpose of processing, as shown in the examples below.

  • Where we use your personal information for the performance of contractual obligations, our lawful basis is that such use is necessary for the performance of a contract (or entering a contract).
  • Where we use your information for the purposes of your employment relationship with us, our lawful basis is that it’s necessary in the context of your present, past or potential employment relationship with us.
  • Where our use of your personal information is reasonable to progress business purposes, the efficiency of the Company and analyse how data subjects interact with us, without prejudice to your individual rights, our lawful basis is the reasonable expectation that the processing of our information should begin or cease.
  • Where we have a legal obligation to comply with applicable law or where we are required to defend a legal claim, our lawful basis is that processing is required for compliance with a legal obligation or in defence of a legal claim.
  • Where we use your information for the purpose of processing a claim under an insurance (or similar) plan, our lawful basis is your deemed consent where you have an interest in or derive a benefit from such plan.

We may ask for your consent to perform certain processing which is not otherwise provided for under one of the above or other lawful bases. We shall provide clear, prominent, easily understandable, accessible mechanisms for you to give consent in relation to the use of your personal information, unless it can be implied from your conduct that you consent to the use of your personal information (excluding sensitive personal information) for the intended purposes that we have notified you of. You should be aware that it’s not a condition or requirement of your employment or use of our services to agree to any request for consent from the Company. Where consent is given, it may be withdrawn by you at any time, but this will not impact on any other lawful basis for processing relied on by the Company. In some cases, your withdrawal of consent may be treated by us as an objection to us processing your information.

5. Data transfers to third parties

Your personal information will only be used and disclosed as permitted by applicable law. Generally, any personal information collected by the Company will remain under our custody and control and will only be accessed and used internally by authorised individuals in accordance with our access protocols. We may, however, transfer your information to third parties – including our subsidiaries and affiliated companies in the provision of our services and/or to comply with a law or regulation.

We may transfer your personal information to other third parties, for example, in connection with the provision of our insurance services, third parties who are primarily business partners, reinsurers, third party administrators, and other parties involved in the processing of insurance claims. In respect of our employees and other staff, we may share your information with our service providers, including for example PwC Bermuda (for tax purposes), HSBC (for payroll purposes), the Caribbean Investigation Network (our background and reference check provider) and Argus (our Bermuda benefits provider).

We may also share your information with other service providers. For example, we use software and applications such as DocuSoft, Bridger Insight, CODA, UKG and DocuSign. Your personal information may also be accessed by third parties whom we work together with in connection with IT services (e.g. hosting, supporting and maintaining our IT systems). Your personal information may also be shared with certain interconnecting systems. Personal information contained in such systems may be accessible by providers of those systems, their associated companies and sub-contractors.

In addition, we are sometimes required to share data with other entities to comply with a law or regulation. This could include government authorities (e.g. Bermuda’s Department of Social Insurance, Department of Payroll Tax and the Department of Immigration), state or federal authorities, regulators (e.g. the Bermuda Monetary Authority), courts and/or professional bodies (e.g. CPA Bermuda and the Bermuda Bar Association).

We may also need to share your personal information in the context of litigation, or a potential company or asset sale.

Our transfers, including our international transfers as described below, are subject to a process of risk assessment. We have formal agreements in place with recipients outside of Bermuda to ensure they provide a comparable level of protection for your data, including technical and organisational security measures to protect your personal information.

6. Data transfers to overseas third parties

Enstar Group Companies are also located in Australia, the USA, the United Kingdom, and the European Economic Area. Where personal data transfers occur to these destinations, they are governed by safeguards which include International Group Data Transfer Agreements. We may transfer any information we collect mentioned above to these destinations.

Some of our service providers listed at 4 above may be based outside of Bermuda (for example, the Caribbean Investigation Network and some of our software and IT solutions), therefore, we may transfer your information to these overseas third parties.

Where your personal information is transferred to a third party located outside of Bermuda, we will take steps to ensure that your personal information is adequately protected and transferred in accordance with data transfer requirements as prescribed under section 15 of PIPA.

7. Data subject Rights

As an individual whose personal information we process, you have a number of data subject rights as required by PIPA and which we observe as our standard at Enstar Group. You may have the following rights depending on the circumstances of your case and applicable law.

  • The right to access – you may have the right to ask the Company for copies of your personal information and details about the purposes for which your personal information is being used by the Company and the names of the persons or types of persons to whom your personal information has been or is being disclosed.
  • The right to rectification – you may have the right to ask that the Company correct any information you believe is inaccurate. You may also have the right to request the Company to complete the information you believe is incomplete.
  • The right to erasure – in line with our obligations under PIPA, the Company has a retention policy and schedule which governs our retention procedure and stipulates the relevant retention periods. You may have the right to ask that the Company erase your personal information, under certain conditions, namely that the personal information is no longer relevant for the purposes of its use.
  • The right to restrict processing – you may have the right to ask that the Company restrict, cease, or not begin the processing of your personal data, under certain conditions.
  • The right to object to processing – you may have the right to object to the Company’s processing of your personal data under certain conditions, for example to withdraw consent to direct marketing.
  • The right to data portability – you may have the right to ask that the Company transfer the data that we have collected to another organization, or directly to you, under certain conditions.
  • The right to complain to the regulator. If you are not satisfied with the way we have handled the request, you may have the right to escalate a complaint to the regulator.
  • The right not to have your data sold to third parties. Enstar will not sell or rent your data unless we are engaged in the sale of the Company or part of the Company and in such case, we would need to transfer your data to honour our continuing obligations to you.

To exercise your Rights, please contact the Data Protection Officer at Enstar: [email protected].

Any request must be in writing and provide sufficient detail to enable us to identify the personal information to which the request relates.

In some circumstances, for example where an exemption is provided under applicable law or where an access request is manifestly unreasonable, the Company may refuse your request in whole or in part depending on the circumstances. If this is the case, we will inform you and explain why in our response.

8. Automated Decision Making

Enstar does not engage in automated decision making or use artificial intelligence for processing the personal data it collects.

9. Retention Periods

We only retain data for as long as necessary to process your data and/or in accordance with any applicable legal or other regulatory requirements. Our retention policy varies depending on the types of information we collect and according to applicable laws. Due to the nature of our business generally, we may hold information for periods that will account for circumstances such as ongoing legal disputes with claimants, or possible future liabilities. A limited and reasonable amount of personal data may also be kept for archiving purposes and even where you have requested we no longer keep in touch with you, we will need to keep a record of the fact in order to fulfil your wishes.

10. Data Security

We take the security of your data seriously and we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, including:

  • the pseudonymisation and encryption of personal data
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore the availability and access to personal data in a timely manner; and
  • a process for regularly testing and evaluating the effectiveness of technical and organisational measures

We ensure that those who have permanent or regular access to personal information, or are involved in the processing of personal data, or the development of tools used to process personal data, are informed of their responsibilities when processing personal information.

11. How to contact us

If you have any questions concerning this notice, please contact the Data Protection Officer at Enstar: [email protected].

Data Privacy Policy

Our Data Privacy Policy, outlining the measures we have in place, can be requested from the Data Protection Officer at Enstar: [email protected].

Version Control

This Privacy Notice is subject to change in accordance with changes to applicable laws or our internal policies and procedures. The date below indicates when this Privacy Notice was last revised.

Any changes to this Privacy Notice will be effective upon publication of the revised Privacy Notice.

Last revised: 21st January 2025