The Cayman International Reinsurance Companies Association (“CIRCA”) is an industry group for commercial reinsurers located in the Cayman Islands, dedicated to fostering the industry through peer interaction, advocacy and education on topics impacting the regulatory and business environment.
In this Privacy Policy (“Policy”), “CIRCA” “our”, “we” or “us” refers to Cayman International Reinsurance Companies Association.
This Policy applies to visitors to the https://www.circa.ky/ website and all websites linked to this website and/or controlled by CIRCA (the “Site”), except as otherwise noted.
CIRCA is committed to maintaining the privacy and security of your personally identifiable information. As part of our commitment to information privacy, we have adopted this Policy to inform you of our information gathering practices and the ways in which we may use the information we receive. This Policy applies to all personal data submitted to us for use with or in connection with its Site located at https://www.circa.ky/.
References to “you” made herein are references to you as a “Data Subject”, (as defined in the Cayman Islands Data Protection Act (2021 Revision) including any amendments thereto and any associated regulations, guidance notes and/or codes of practice as may be issued by the Ombudsman of the Cayman Islands (the “Ombudsman”) (as the relevant Cayman Islands Data Protection Supervisory Authority from time to time) (the “DPA”).
OVERVIEW
By using the Site, including providing your personal data to us on the Site, you consent to the collection, use, processing, and disclosure of that information in accordance with this Policy.
CIRCA is committed to protecting all personal data. As part of our continuing commitment to data protection we have adopted this Policy to inform you about the types of Personal Data, (as defined in the DPA), that we may collect, use, maintain and disclose and the choices you have regarding such collection, use, maintenance and disclosure and how you may correct any inaccuracies that may arise from time to time.
CIRCA applies the following eight data protection principles enshrined in the DPA whenever any Personal Data is being processed:
- Fairness and Lawfulness: CIRCA will clarify the purpose for processing any Personal Data at the time of collection and shall only collect Personal Data in a fair, lawful and transparent manner. (for example, when you use our website or speak to one of our representatives about our products or service offerings);
- Purpose limitation: CIRCA will only collect personal data and disclose Personal Data for specified, explicit and legitimate purposes. Unless explicit consent is received, CIRCA will not use any Personal Data obtained for any purpose other than that for which it was provided;
- Data minimization: CIRCA will limit the collection of Personal Data to what is directly adequate, relevant and necessary for the relevant services required to be provided;
- Data Accuracy: CIRCA will keep Personal Data accurate and up to date and shall take reasonable steps to ensure inaccurate personal information is deleted or corrected without delay while there continues to be an existing relationship, and in certain circumstances, after that relationship has ended;
- Retention limitation: CIRCA will make all reasonable efforts to retain Personal Data in a manner consistent with the DPA and no longer than is necessary for the purposes for which it has been collected, or to comply with an individual’s request(s) and any legal, regulatory or internal or policy requirements;
- Respect for individual’s rights: CIRCA understands and is committed to processing Personal Data in accordance with the rights of the data subject under the DPA;
- Data security, integrity, confidentiality and protection: CIRCA implements internal technical and organizational measures to ensure an appropriate level of data security and protection of Personal Data from any unauthorized or malicious attacks, unlawful processing and against inadvertent harm through accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, access to any Personal Data transmitted, stored or otherwise processed; and
- Protection for international transfers: CIRCA shall ensure that if Personal Data is transferred outside the Cayman Islands, it is adequately protected or the transfer is otherwise permissible under applicable law.
WHAT IS PERSONAL DATA?
“Personal Data” is defined under the DPA as data relating to a living individual who can be identified and includes data such as —
(a) the living individual’s location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual;
(b) an expression of opinion about the living individual; or
(c) any indication of the intentions of the data controller or any other person in respect of the living individual”.
“Sensitive Personal Data” is defined under the DPA as data consisting of:
(a) the racial or ethnic origin of the data subject;
(b) the political opinions of the data subject;
(c) the data subject’s religious beliefs or other beliefs of a similar nature;
(d) whether the data subject is a member of a trade union;
(e) genetic data of the data subject;
(f) the data subject’s physical or mental health or condition;
(g) medical data;
(h) the data subject’s sex life;
(i) the data subject’s commission, or alleged commission, of an offence; or
(j) any proceedings for any offence committed, or alleged to have been committed, by the data subject, the disposal of any such proceedings or any sentence of a court in the Islands or elsewhere.
1. What Personal Data does CIRCA collect?
CIRCA collects various Personal Data which may include the following (this list is not exhaustive):
- name (including proof of same);
- telephone number;
- contact details (e.g. home address, telephone number, email address, postal address); and
- financial information including your method of payment such as check or wire transfer to CIRCA.
- Such information may be provided on our webpage, in a membership application form, face to face, by telephone, by email, or otherwise.
2. How do we collect your Personal Data
We only obtain Personal Data directly from you, or indirectly from third party sources as permitted by applicable laws. At times you may voluntarily choose to provide CIRCA with unsolicited Personal Data through CIRCA’s website. Where such information is provided to us for any reason, in so doing you consent to CIRCA using that information in any manner described in this Privacy Policy or as may be alternatively specifically described at point of such disclosure being made. In the event of any unsolicited information is being provided to CIRCA we request that no sensitive Personal Data unless you provide us with unambiguous consent to collect this information from you.
3. How we use your Personal Data
CIRCA generally uses Personal Data for the following purposes:
- to register you for, and facilitate your participation in, certain areas of our website, including any online updates, or message forums;
- to process any application for membership with CIRCA;
- to maintain and update out list of contacts and memberships;
- to develop and maintain our relationships and communicate as necessary with you;
- to conduct promotional activities including relevant publication updates on latest news and events of potential interest to members;
- to potentially register you for any CIRCA related events, seminars or conferences;
- to address and handle complaints received;
- to occasionally gather your opinion and survey feedback details; and
- to prevent fraud or other criminal activity.
4. The legal basis for processing your personal data
The DPA sets out certain different reasons for which a company may process Personal Data, and CIRCA does so under the following legal conditions:
- Consent: In specific situations,CIRCA may collect and process Personal Data with your consent;and
- Legitimate interest: In specific situations, CIRCA requires your Personal Data to pursue its legitimate interests in a way which might reasonably be expected as part of running its businesses and which does not materially impact your rights, freedom or interests (e.g. CIRCA may use an email
5. Where do we store and secure your Personal Data?
Personal Data received by CIRCA is primarily stored on servers maintained by CIRCA. However, CIRCA may also utilize the services of selected third party service providers from time to time. CIRCA takes appropriate measures for the protection of any Personal Data handled by any retained service providers retained.
CIRCA employs appropriate physical, technical, organizational and contractual measures to protect your Personal Data against loss, theft, unauthorized processing, destruction, damage, inappropriate copying, use or modification. The only employees who are granted access to your Personal Data are those with a business “need-to-know” or whose duties or employment responsibilities reasonably require such information.
6. How do we share the Personal Data we collect?
CIRCA identifies to whom, and for what purposes it may disclose any Personal Data at the time of collection and obtain unambiguous consent for such disclosures. CIRCA may disclose your Personal Data in the following circumstances (this list is not exhaustive):
- if CIRCA uses a third-party service provider for marketing, marketing research or membership/ contact management;
- if you as a data subject requests that Personal Data be disclosed to a third party if there is a legal request or criminal investigation; or
- if it is required to seek legal advice from CIRCA legal counsel.
7. How long does CIRCA retain your Personal Data?
CIRCA retains your Personal Data for as long as membership relationship exists, and the Personal Data is necessary to manage that relationship. When there is no longer a membership relationship, CIRCA will retain certain types of Personal Data for varying periods depending on legal requirements and business needs. Personal Data that is no longer needed will be destroyed. CIRCA will always hold your Personal Data for the least amount of time necessary in accordance with its Data Retention Policy.
8. What rights do you have in respect to your Personal Data?
Under certain circumstances, you have rights under the DPA in relation to your Personal Data. You have the right to:
- Request access to your Personal Data (commonly known as a “Subject Access Request” or “SAR”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it. Upon receipt of any Data Subject Access Request, we will provide any such Personal Data as permitted or requested law. Any such Personal Data shall be made available in the form that is generally understandable and will also clarify any defined terms or abbreviations used;
- Request rectification or correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you rectified or corrected, though we may need to verify the accuracy of the new data you provide to us prior to amending the same as requested and where appropriate also transmitting the amended Personal Data details to third parties having access to your Personal Data.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it.
- Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which overrides your rights and freedoms.
- Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of your Personal Data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine- readable format. However, keep in mind that we may still be under a legal or ethical obligation to retain the Personal Data, and will do so until the time frame under such legal or ethical obligation lapses, even if we transfer the data to you or a third party.
9. How quickly shall we response to your written requests?
Unless we advise to the contrary, we shall respond to written requests not later than 30 days after receipt of any written requests. We shall advise if for any reason we are unable to meet your requests within this timeframe (e.g. where a large amount of Personal Data is requested or required to be searched through and meeting the timelines would unreasonably interfere with CIRCA’s day-to-day business operations; (b) where more time may be required to consult with any relevant third party prior to CIRCA being able to decide whether or not to provide access to the requested Personal Data; or (c) you provide consent to an extension of the 30 day timeframe.
You have the right to make a complaint to the Ombudsman (see contact details below) in respect of this time limit should you choose to do so.
10. Statutory Entitlement to Complain to the Ombudsman
Should you feel that your personal data has not been handled correctly, or you are not satisfied with CIRCA’s responses to any requests you have made regarding the use of your Personal Data, you have the rights statutory entitlement under section 43 of the DPA to complain to the Cayman Islands’ Ombudsman. The Ombudsman can be contacted by calling: 1-345-946-6283 or by email at info@ombudsman.ky.
11. Changes to this Privacy Notice
We may occasionally update this Privacy Notice to reflect changes to our practices and service offerings. Whenever we post any changes to this Privacy Notice we will revise the “Last Revised” date at the commencement of this Privacy Notice. Whenever we make any material changes to the manner in which we collect, use, and/or share Personal Data we will notify you by prominently posting notice of any such alterations on the website. We recommend you check this page from time to time to inform yourself of any changes in this Privacy Notice.