Privacy Notice

Effective Date: 16/10/2023

Introduction

The Monument Group of companies (“Monument”, “we”, “us”, “our”) are committed to maintaining and respecting our data protection obligations.

Monument Group is comprised of multiple entities based across the globe. This Privacy Notice (“Notice”) is a general notice setting out processing activities carried out within the group. This Notice is intended to inform you of the types of processing activities carried out across the group. For specific information on data held about you, relevant to your jurisdiction, please see the end of this document or go to our Customer Centre and follow the link to the relevant entity or entities who are the controllers of your personal data.

This Notice sets out important information regarding our privacy practices in respect of Personal Data* relating to our customers and their appointed representatives, members of the general public visiting our website, external job candidates, contractors, and other business partners including but not limited to, investor companies, potential business providers and targets, goods and service providers, and shareholder nominees. Please read this Notice carefully. All enquiries regarding this Notice should be directed to the details provided in the Contact Us section below.

Read More

*For the purposes of this Notice, Personal Data includes any information which can identify a living individual and includes Sensitive Data such as race, ethnicity, health, biometric, and sexual orientation.

This Notice tells you how we collect, process, and protect your Personal Data when you interact with us. The categories of Personal Data we collect and how we process such data depends on the nature of our relationship with you and the means through which we interact, including when you visit our website.

We may update this Notice from time to time. We will notify you of any changes to this Notice by posting an update on our website. In the specific situations where this is required by applicable data protection laws and regulations, we will seek your consent before making material changes to the way we handle Personal Data previously collected from you. 

Any third-party websites which you may access via our website are not covered by this Notice. Monument accepts no responsibility or liability for the use and protection of any Personal Data which you provide to such third-party websites. You should exercise caution and read the privacy notice of the relevant third party before providing any Personal Data.

Sources of Personal Data Collection

We collect Personal Data about you from several sources, including directly from yourself, through company acquisitions and in the course of policy administration, from third parties, and through automated means. 

Read More

We collect Personal Data about you in several ways including:

  • Direct Collection – We collect Personal Data that you provide to us directly e.g., when you contact us by email, post or telephone.
  • Acquisitions and Policy Administration – When we acquire new portfolios of business, we obtain new insurance policies and existing policy information as collected by the previous controller. This means that we collect all the information related to the original insurance contract. As we continue to administer these contracts, we collect new Personal Data when policyholders want to make a change in the contract, or submit a claim.
  • Third-Party Collection. We collect Personal Data about you from third parties such as business partners. You should liaise directly with the third parties concerned should you wish that they refrain from disclosing data to us. You may also exercise your data protection rights in connection with data that has already been disclosed by contacting us – see the Contact Us section below.
  • Publicly Available Sources – We may collect Personal Data from publicly available sources such as the electoral register.
  • Automated Collection. We also collect and may permit third parties to collect Personal Data about you automatically through the use of cookies and similar tracking technologies on our website.

You may update your automated collection preferences by accessing the cookie preference centre on our website.
For more information, please refer to our Cookies Notice.

Categories of Personal Data We Collect

We collect different categories of Personal Data about you depending on the nature of our relationship with you. This includes personal identification, financial information, recruitment information, policyholder and claims information, sensitive data collected for equal opportunities monitoring, compliance information, and contract information.

Read More

We may collect one or more of the following categories of Personal Data about you depending on our relationship with you:

 

  • Personal Identification: name, contact information (such as e-mail and postal address, telephone numbers), date of birth, job title, employing organisation, and visual images;
  • Financial Information: bank account name and number, sort code, credit reports, shareholding rights, and other financial data appropriate to support business transactions and/or credential verifications;
  • Recruitment Information: professional resumé including biographical information (such as employment and education history), professional reference and recruitment feedback, notes, and related performance information, right to work documentation (such as passport, driving licence, and/or visa information), Other information about yourself that you provide in a resumé or similar document;
  • Detailed information about policyholders: this includes
    • Personal Identification data: name, gender, year and place of birth, date of death, national identification number, contact information;
    • Location data: street and number, postal/zip code, and country of residence;
    • Personal life data: civil status, partner’s identity, number of children;
    • Financial data: bank account details;
    • Professional data: date of service, social state, wage, employment history, employer, professional sector; and
    • Special categories of Personal Data including criminal offences and convictions data (“Criminal Data”) and health-related data e.g., weight, height, illnesses and treatments, smoking behaviour, and pregnancy;
  • Detailed information about your claims: including Personal Data about policyholders, witnesses, related parties, experts appointed and third-party service providers; and special categories of personal data such as medical reports, disability information and Criminal Data;
  • Sensitive Data collected for purposes other than claims and policy administration: Information regarding racial or ethnic origin, age, gender, religious or philosophical beliefs, sexual orientation, and/ or disability, for equality of opportunity monitoring purposes and only with your explicit consent;
  • Monitoring Information: video surveillance including closed-circuit television footage when entering our premises and technical information collected through the use of cookies, web beacons, and/or similar tracking technologies that we place and may permit third parties to place on our website(s), including online identifiers such as IP addresses and unique device identification, and online activity information, such as direct and social media interaction with our website;
  • Compliance Information: background verification results, including against Criminal Data, international sanctions, politically exposed persons or export controls registers, complaints or claims, investigations and other monitoring, reporting and remediation information; and
  • Contract Information: contracts (to be) entered into between us and other individuals or third parties, information regarding existing contracts between the individual and third parties.

How We Use Your Personal Data Lawfully

We may use your Personal Data for different business purposes and rely upon different legal bases, subject to applicable data protection laws and regulations. We do not process your Personal Data for purposes incompatible to those notified to you through this Notice.

Read More

We may use each category of Personal Data we collect on the following legal bases:

 

  • With your consent, for all such purposes for which you specifically provide consent. Where we process Sensitive Data about you, we additionally rely on your explicit consent obtained when we collect the data. You have the right to withdraw your consent at any time.
  • To perform our contractual obligations towards you including the management and delivery of the insurance contract. This is also to undertake pre-contractual steps at your request, such as to respond to vacancy applications we receive from you for recruitment purposes
  • To fulfil a legal obligation to which we are subject, e.g., Know Your Customer checks.
  • To pursue our legitimate interests, where it is not overridden by your own legitimate interests and/or fundamental rights and freedoms, including:
    • Managing our interactions and business relationship with you, including by responding to requests which you have submitted via our website, by telephone, e-mail, or any other means and to deal with ongoing matters relating to such requests;
    • Preventing or detecting fraud, misrepresentation, security incidents or crime;
    • Protecting the safety, property and rights of all individuals who interact with us, including through ensuring the health and safety of all individuals who are present at our business premises;
    • Bringing or defending legal claims concerning Monument Group entities.
    • Investigating any complaints received from you or from others, about our services;
    • Obtaining legal advice, support, or representation in connection with legal claims, compliance, regulatory and investigative purposes, as necessary as permitted by applicable laws and regulations;
    • Notifying you about changes to our services, where applicable;
    • Presenting content from our website in the way that we consider most effective; or
    • Keeping our website safe and secure, to run our business, provide administration and IT services, network security.
  • For such purposes that may be required or permitted by applicable data protection laws and regulations, including for any other secondary purposes that are compatible with the original purposes of processing Personal Data set out in this Notice.

 

Wherever there is a business requirement to process your Personal Data for purposes that are incompatible with those described above, we will notify you of the same by updating this Privacy Notice, and obtain your consent as required by applicable data protection laws and regulations prior to engaging in any such further processing.  We do not currently sell or intend to sell your Personal Data. For further information regarding your privacy rights please refer to Your Individual Privacy Rights set out below.

Please note that in certain circumstances such as when you have entered or are proposing to enter into a contract with us (e.g., to provide us/you with products and/or services), the provision of Personal Data is a requirement of the contract you entered/are proposing to enter into with us. The provision of Personal Data in these circumstances is necessary to enable us to perform pre-contractual steps at your request, to enter into the contract with you, and/or to perform our legal obligations under our contract with you

How We Share Your Personal Data

We may disclose your Personal Data to Monument subsidiaries and affiliates, third-party suppliers, service providers and business partners, law enforcement and other government agencies, companies with whom we are involved in a corporate transaction, or any other third parties on the legal bases set out in this Notice.

Read More

We may share your Personal Data with the categories of recipients described below:

  • Monument subsidiaries and affiliates. We may share your Personal Data within our group of companies, which includes parents, corporate affiliates, subsidiaries, business units and other companies that share common ownership for the purposes, and using the legal bases, set out in this Notice.
  • Third-Party goods and services providers, partners, and other companies. We may share your Personal Data with third parties working on our behalf in order to facilitate our interactions with you or request or support our relationship with you.
  • Law enforcement and other government agencies. We may share your Personal Data with law enforcement and/or other government agencies to comply with law or legal requirements, to enforce or apply our Terms and Conditions and other agreements, and to protect our rights, property, and the safety of our employees, clients, and third parties.
  • Companies involved in a corporate transaction with us. If we acquire insurance portfolios or other companies, or sell some or all of our assets, merge, or are acquired by another entity or otherwise restructure our business, including through a sale or in connection with a bankruptcy, we may share your Personal Data with that entity.

Cross-Border Transfers of Personal Data

In some instances, we may need to transfer your Personal Data from the originating country to another jurisdiction for processing. Where Personal Data is transferred outside the territory where it was collected, we will only do so where this is permitted under applicable laws and regulations. We will implement appropriate legal mechanisms and safeguards to ensure that your Personal Data remains adequately protected upon reaching its destination, as required by applicable data protection laws and regulations.

Read More

Our global operations expand across several jurisdictions including for instance, Bermuda, UK, Singapore, Ireland, Luxembourg, Belgium, Guernsey, Isle of Man, Spain and Italy. In some instances, it may be necessary for us to transfer your Personal Data to a Monument Group entity or to a third party outside the country where it was collected. Third party recipients include organisations with whom we engage to deliver our products and services to you. In doing so, we rely on a number of legal mechanisms to ensure that your data remains protected to a standard equivalent to that afforded to it in the country of origin.

Depending on the direction of transfer of Personal Data, this includes European Commission Adequacy Decisions and Standard Contractual Clauses, United Kingdom Adequacy Regulations and Standard Contractual Clauses, and other legally enforceable safeguards (including physical safeguards) in accordance with applicable data protection laws and regulations. A copy of the relevant mechanism and information about the safeguards we have put in place can be made available upon request by contacting us – see the Contact Us section below.

How we Protect and Secure Your Data

Monument has implemented technological and operational security procedures designed to protect your Personal Data against accidental or unlawful loss, disclosure, misuse, alteration, or use.

Read More

We limit access to your Personal Data only to employees and third parties on a business need to know basis. Third parties will only process your Personal Data upon our instructions, and they are subject to a duty of confidentiality. We have implemented procedures to respond appropriately to any suspected Personal Data breach or security incident and will notify you and relevant data protection regulators where we are legally required to do so.

Retention and Disposal of Personal Data

We do not retain your Personal Data for longer than is necessary, in line with legal, regulatory, and legitimate business requirements.

Read More

Upon reaching the end of its retention period, which is based on minimum retention periods required by applicable laws and regulations, we will take steps to review your Personal Data. We may continue to hold your Personal Data if we identify another purpose for doing so, and there is a legal basis for this purpose under applicable data protection laws and regulations. If this is the case, we will hold only the Personal Data required for the new purpose and implement systems and controls over that data in accordance with applicable data protection laws and regulations.

If there is no longer a purpose or legal basis for holding your Personal Data, we will dispose of it in a secure and permanent manner, in accordance with applicable data protection laws and regulations.

Individual Privacy Rights

Individuals whose Personal Data we process are afforded a number of rights in relation to such data, depending on the jurisdiction where they are located. To exercise your data protection rights please see the contact details in the Contact Us section of this Notice. We will respond to reasonable requests in accordance with applicable data protection laws and regulations.

Read More
The specific data protection rights applicable to you are detailed in the table below  depending on the jurisdiction where you reside or are otherwise located. Please note that these data protection rights are not absolute and there may be circumstances where we may legitimately deny a request as permitted by applicable data protection laws and regulations.  You should also note that the specific scope of the rights and their associated exemptions may further vary from one jurisdiction to another.  You will not normally have to pay a fee to access your Personal Data (or to exercise any of the other rights stated below), although we may charge a reasonable fee if your request is unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of the other rights stated below). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We will only collect strictly necessary information to ensure that we only honour requests received from the true Data Subject or their authorised representative. We strive to respond to all legitimate requests within the relevant deadlines pursuant to applicable data protection laws and regulations. Occasionally, it may take us longer to respond if your request is particularly complex or you have made a number of different requests. In this case, we will notify you of estimated response timelines.

Depending on your jurisdiction, you may have some or all of the following rights. Please consult your local privacy notice by following the links in the Customer Centre or in the Contact Us section below

 

  INDIVIDUAL PRIVACY RIGHTS
Right to Information The right to receive the information set out in this Notice regarding our processing of your Personal Data.
Right to Object/

Opt Out

The right to opt out of our processing of your Personal Data in certain circumstances (e.g., direct marketing, Personal Data sale, automated decisions, profiling).
Right to Restriction The right to ask us to suspend the processing of your Personal Data in specific circumstances.
Right to Delete The right to request us to delete or remove Personal Data where there is no lawful reason for us continuing to process it.
Right to Access The right to receive a copy of or otherwise access Personal Data we hold about you.
Right of Rectification The right to request that we correct or complete inaccurate Personal Data we might hold about you.
Right to Portability The right to obtain and reuse your Personal Data for your own purposes across different services.
Right to Complain/ Appeal The right to lodge a complaint with a competent supervisory authority and/or appeal directly to us against a decision regarding Personal Data.
Right to Withdraw Consent The right to withdraw consent at any time that you may have provided to us for processing your Personal Data (where the Legal Basis we rely on is consent).

Contact Us

If you have questions, concerns, and/or complaints regarding this Notice or you wish to exercise your data protection rights above, please contact the Group Data Protection Manager at:

 

or contact the appropriate Data Protection office for the appropriate region. Details of each can be found below. You also have the right to complain to the appropriate data protection authority (“DPA”) in each region. Contact details for these can also be found in the appropriate Privacy Notice below.

 

Region Privacy Notice Privacy Contact

Bermuda

Monument Re

See Bermuda Privacy Notice groupcompliance@monumentregroup.com
Ireland Monument Life Insurance DAC See Customer Centre – Ireland MonumentOps@monumentinsurance.com

Isle of Man

 

See IOM Privacy Notice DataProtection@monument.im

Monument International

 

See Privacy Notice & PDPA (Singapore) – Monument International

DataProtection@monument.im

For Singapore – DPO@monumentinsurance.com

Belgium Privacy Notice Belgium compliance@monumentassurance.be
Luxembourg

Luxembourg: Luxembourg Privacy Notice

Branches:

Spain: Spain Privacy Notice

Italy: Privacy Notice MAL Italy

 

Luxembourg:

dataprotection@monumentassurance.lu or

DPO@monumentassurance.lu

 

Spain: dpo@monumentassurance.es

Italy: dpo@monumentassurance.it