This privacy notice is designed to provide compliance with applicable laws in the United Kingdom and European Union, in particular, the United Kingdom’s Data Protection Act of 2018 and the General Data Protection Regulation, and the European Union’s General Data Protection Regulation.

Personal information means information, or a combination of pieces of information, that could reasonably allow an individual to be identified.

As an insurance business, we need to obtain information from and about individuals (“data subject”, “you”) to engage with them and manage their insurance policies, including life insurance, annuities, group risk and investment policies.

In most cases we obtain personal information directly from you, mainly from the forms that you complete and provide to us and communications that we have with you.

Depending on the type of your insurance policy and circumstances related to your specific situation, we may also obtain your personal information from the following sources:

• From the policyholder when you are a beneficiary or next of kin of an individual who took out an insurance policy;
• From the company you work for, or worked for, when your employer or a broker facilitated your enrollment to an insurance policy that we offer;
• From financial advisers, brokers and trustees when you purchased an insurance policy through them, or when they were involved in your policy offering;
• From legal advisers and attorneys who act on our or your behalf;
• From people who are involved in a claim or assist us in investigating or processing claims, including witnesses and external claims data collectors, verifiers and healthcare service providers.
• From government agencies and regulatory bodies, including the FCA, PRA, Information Commissioner’s Office (“ICO”), Pensions Regulator and Financial Ombudsman Service (“FOS”), the Department for Work and Pensions (“DWP”), and law enforcement agencies;
• From our service providers that help us maintain the accuracy of our data (for example, by identifying individuals who are deceased and providing up-to-date contact details) or undertake sanction screenings;
• From publicly available sources, including any data searchable on the internet, public databases and social media.

The type of personal information we collect, and process will depend upon our engagement with you and the type of an insurance policy we offer. It may include any of the below:

• Personal details: Your name, title, age, gender, date of birth, date of death, country of residence.
• Identification information: Your national insurance number, a government issued identity document, such as a passport, driving license.
• Contact information: Your address, postcode, phone numbers, email address.
• Financial information: Details pertaining to your bank account, such as your bank account number and sort code, annual income, and information about policy related payments to and from you, taxes paid.
• Information relating to your policy and claims: Policy and/or claim reference number, product name, type and status, start and end dates of policy, policy history, premium amount, underwriting decision and risk rating, claim history.
• Employment information: Your employer’s name, employment history, job role, salary, employment benefit options, dates of employment and termination.
• Information relating to business dealings: Your name, name of the company you work for, company address, corporate email address, corporate phone number.
• Information relating to your complaints or enquiries: Nature and content of your request.

Depending on the type of your insurance policy, some of the categories of information we collect are special categories of personal information (sometimes referred to as “sensitive personal information”). These include:

• Your health records: such as your medical history, physician statements, reports on medical diagnoses, tests and treatment.
• Criminal data: such as fraud and sanctions related data, including information about criminal activities, allegations, investigations, proceedings, sanctions and penalties.

We use your personal information:

• To provide our products and fulfil our contractual obligations to policyholders, including underwriting, evaluation and pricing of risks to be insured, calculation of insurance premium, administration of policies, payment of benefits and management of customer records;
• To review, process and manage claims;
• To process payments and taxes, and return or recover money in relation to insurance policies;
• To communicate with you and provide response to your complaints or enquiries;
• To prevent, detect and investigate fraud and other crime by carrying out fraud, sanctions, terrorism and anti-money laundering checks;
• To carry out data analysis to improve services;
• To manage our commercial risk by taking out and maintaining reinsurance;
• To manage our business operations, including by carrying out audits, managing funds and producing management information;
• To establish, enforce and defend our legal rights;
• To comply with applicable legal, regulatory and professional obligations, including cooperating with regulatory bodies, government and law enforcement authorities;
• To manage relationship with third parties, including financial advisers, brokers and trustees that we work with; and
• To buy, sell, transfer or dispose of any part of our business.

We do not make any decisions about you solely by automated means. For the purposes of fraud prevention, detection and risk assessment we analyse personal information using software that is able to evaluate certain personal aspects about you and predict risks, however the outcomes obtained during this process are always reviewed manually.

We are committed to processing your personal information fairly and lawfully and only to the extent necessary to achieve the purposes listed above.

We must have a legal basis to process your personal information. In most cases, our ability to obtain and process your personal information is based on one of the following legal bases:

• 1. Processing your personal information is necessary to perform a contract with you, in particular, if you are a policyholder of our insurance product;
• 2. Processing your personal information is necessary to comply with our legal obligations, such as due diligence and reporting obligations, and responding to requests from our regulators; and
• 3. Processing your personal information is necessary to meet our legitimate interests and the legitimate interests of our clients, for example, to improve our services, ensure we price our products appropriately, manage risk, manage our business efficiently, perform audits, and maintain accurate records. Our legitimate interests usually include – making sure that our products are performing as we intended; our business is operating effectively and in compliance with relevant legal and regulatory obligations, guidelines, standards and codes of conduct; we adequately safeguard our business, shareholders, employees and policyholders. If it is necessary that we process your sensitive personal information for one of the purposes listed above, we will only do so where the following applies:
• 4. We are authorised by local law to process your sensitive personal information. More specifically, in the UK we may process such information when it is necessary to provide and manage an insurance product or to comply with regulatory requirements relating to unlawful acts and dishonesty.

Please refer to the table at the end of this privacy notice for further details on the categories of information, the purpose of processing and the legal basis of processing.

We may share your personal information with the following parties:

• RGA group companies. We operate as a global business, so we may share your personal information with group entities. For example, we use RGA UK Services Limited for administration services and claims assessments; we also use RGA Enterprise Services Company as part of the ongoing maintenance and development of our IT systems.
• Third party administrators, who provide administrative services to us.
• Reinsurers, who provide reinsurance services. If you wish to know which reinsurers receive your personal information with respect to your insurance policy, please contact us as suggested in the section ‘Contact Us’ below.
• Our clients and brokers, who facilitated your enrollment to an insurance policy.
• Our identity verification and sanctions-checking service providers. We use Experian Ltd and other companies who we contract to check your information against relevant databases they have access to. For further details of Experian’s Privacy Policy, please refer to their website www.experian.co.uk
• Your own doctor or relevant medical professionals should we require additional information as a result of the answers you have supplied as part of our individual assessment process or in connection with a claim.
• Our regulators and government agencies. We may be required to share your information with the FCA, PRA, DWP, Her Majesty’s Revenue and Customs (“HMRC”), Office of Financial Sanctions Implementation (“OFSI”), National Crime Agency (“NCA”), Office of Foreign Asset Control (“OFAC”), and other regulators or law enforcement agencies to comply with legal obligations or otherwise protect our rights.
• Legal advisers, accountants, auditors, financial institutions and professional service firms, who act on our or your behalf.
• Service providers. We may share your personal information with service providers that perform services and other business operations for us, for example, IT applications and back-office systems.
• Asset purchasers. We may share your personal information with any third party that purchases, or to which we transfer, all or substantially all of our assets and business.

You have certain rights regarding your personal information. These include the right to:

• access your personal information and details relating to the processing of your personal information;
• rectify the information we hold about you;
• erase your personal information;
• restrict our use of your personal information;
• object to our use of your personal information;
• receive your personal information in a usable electronic format and transmit it to a third party (right to data portability); and
• lodge a complaint with your local data protection authority.

To exercise any of these rights, please complete a Data Subject Rights Request form on our parent company’s (RGA) website https://www.rgare.com/dsr-intake/insured, or using the contact details provided in section ‘Contact Us’ below.

We will respond to your request within one month of receipt.  This may be extended by two further months taking into account complexity and number of requests-provided the extension is informed within the initial month. Please note that Omnilife may require additional information from you in order to honour your requests.

We are committed to working with you to obtain a fair resolution of any request, complaint or concern about privacy. If you remain unhappy with our response, you can complain directly to the Information Commissioner’s Office; to raise such complaint, please visit https://ico.org.uk/concerns/. If you reside in any country that is a member of the European Union, you can contact our EU Representative using the details contained in the ‘Contact us’ section below or complain directly to the data protection authority in the country of your residence.

We implement technical and organisational measures to ensure a level of security appropriate to the risk to the personal information we process. These measures are aimed at ensuring the on-going integrity and confidentiality of personal information. We evaluate these measures on a regular basis to ensure the security of the processing.

We will normally keep your personal information for as long as we are required to retain it to manage your insurance policy or claims for the purposes described above. In most cases we will keep your personal information for 10 years after your policy is closed. If you would like to know more about circumstances around the retention of your personal information, please contact us at the details contained in the ‘Contact us‘ section below.

If we need to transfer your personal information to other members of our group, to service providers, or to other parties located outside the United Kingdom and European Union, we will make sure that adequate safeguards are in place with those parties. We typically rely on our Binding Corporate Rules for internal data transfers among the entities of our group. In case of external data transfers to service providers, we put in place contractual commitments with suitable data protection clauses in accordance with applicable local legal requirements to ensure that your personal information is adequately protected. For more information on the appropriate safeguards in place, please contact us at the details contained in the ‘Contact us’ section below.

If you have any queries in relation to this privacy notice or the way in which your personal information has been collected, you may contact us at privacy@rgare.com or call or write to us.

Our postal address is:

Omnilife Insurance Company Limited, Level 45, 22 Bishopsgate, London, EC2N 4BQ, United Kingdom

Our telephone number is:

+44 020 7374 0123

Our EU Representative postal address is:

RGA International Reinsurance Company dac, 3rd Floor, Block C Central Park, Leopardstown, Dublin 18, D18 X5T1.

Our EU Representative telephone number is:

+353 1.290.2900 (Ireland)

If you would like to exercise a data subject right, you may use our online contact form.

Omnilife’s Data Protection Officer is Dean Scotson.  Should you have any questions or concerns for our DPO regarding the way in which your personal information has been used, please contact him via email at dpo@rgare.com.

You may request a copy of this privacy notice from us using the contact details set out above. We may modify or update this privacy notice from time to time. If we make a significant change to this privacy notice, we will post a notice about this on our website and inform you directly.

Further details on the categories of information, the purpose of processing and the legal basis of processing:

Personal Data: