Privacy Protection Policy
About this Policy
At Capital Express Assurance Limited (CAPEX), we are committed to protecting your personal information in line with regulatory requirements. As a provider of life insurance services, respectful and appropriate use of personal information is critical to our business.
This Privacy Protection Policy sets out general information about how we handle the personal information that we hold and how you can contact us about them.
In this Privacy Protection Policy, the words “we”, “us” and “our” means Capital Express Assurance Limited.
Types of personal information we collect and hold
We collect and hold a range of personal information about our customers and people from our business partners, suppliers, and service providers.
The personal information that we collect, and hold may include:
- Name, contact details (including address, email, phone number and social media handles), date of birth and gender.
- Information about your interactions with us including complaints.
- Personal information which is required to acquire a product or service from us and as may be needed during the lifecycle of that product or service.
- Information required to underwrite an application for an insurance product or assess and manage an insurance claim, including previous insurance records and claims history, information about beneficiaries and nominated representatives, employment, and income.
- Financial details such as your tax identification number and bank account details, superannuation, or other insurance policy information.
- Sensitive information (see “Sensitive Information” section below).
- Information relating to your use of our online services (see the ‘Online services’ section below); and
- Any other information that we think is necessary for you or others to acquire our products or for us (or our service providers or representatives) to provide services to you.
Sometimes we need to collect and hold sensitive information about you, for example when you are applying for an insurance product. This will generally include information about your health, activities that may impact your health, your health history, fitness, and physical activities. We may also give you the access to provide your voiceprint to identify yourself to our call centres.
Sensitive information can include details on a person’s health, racial or ethnic origin, political inclinations, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional body or trade association, criminal record, health information, genetic or biometric information.
We only collect and hold sensitive information with your consent or in other limited situations which the law allows.
How we collect personal information
We often collect personal information when we engage a prospect directly. For example, we might collect your personal information when you fill out a form with us, call us, meet with one of our agents or use our website. See the ‘Online services’ section below for more information about our collection of personal information online.
Sometimes we collect information about you from other sources that may include:
- medical practitioners or medical facilities
- our agents, insurance brokers, other insurers and reinsurers
- your relatives and representatives
- your employer or related corporate organisations
- service providers such as information brokers, investigators, lawyers, financial advisers, doctors and other medical and occupational experts;
- credit reporting agencies or information providers
- social media platforms (e.g. if you log in for our services using your social media profile)
- devices (including wearable devices) in relation to which you agree to provide personal information to us, and
- external dispute resolution bodies, and public sources, including statutory or government organizations, and public registers.
If you provide us with personal information about another person, you should obtain their consent to do so, having informed them of this Privacy Protection Policy where appropriate.
Why we collect personal information
We may collect, hold, use, and disclose your personal information to:
- provide you with the products and services you’ve asked for or under which you may receive cover or benefits (e.g. group life insurances)
- process and underwrite your application (including deciding whether to provide cover) or determine your eligibility under group insurances
- provide you with products and services
- administer products and services which includes answering your requests and complaints, managing claims, and making payments, varying products, and services, conducting market research, and managing our product portfolios.
- develop and improve our products and services
- assist us in running our business including performing administrative and operational tasks (such as training and managing staff, risk management, planning, research and statistical analysis, and systems development and testing), and
- prevent or investigate any fraud or crime, or any suspected fraud or crime.
We may also collect, hold, use, and disclose your personal information:
- as required by legislation or codes that are binding on us
- for any purpose for which you have given your consent, and
- to develop consumer insights that would enable us to serve you better. We may also use external parties to undertake the process of creating these insights.
What if you don’t want to provide us with your personal information?
- The nature of our business requires that we obtain certain minimum information from you to create a valid contract. However, in the event that the information provided is insufficient, we would have to take necessary steps to cancel such transactions.
Direct marketing and how to opt out
Unless you opt out from the consented services, we may to the extent permitted by law:
- use or disclose your personal information to let you know about products and services that we believe may be of interest to you
- market our products to you through third party channels (such as social networking sites), or via other companies who assist us to market our products and services
- conduct these marketing activities via email, telephone, SMS, Instant Messaging, mail, or any other electronic or other means, including targeted advertising through Capital Express Assurance Limited and non- Capital Express Assurance Limited websites and the Mobile Application.
- disclose your personal information to our related companies or to our trusted partners so they can tell you about their products and services;
- disclose your personal information to companies outside Capital Express Assurance Limited who assist us to market our products and services to you, and
- disclose your personal information to third parties such as brokers or agents, or for the purpose of connecting you with other businesses or customers.
You can let us know at any time (see ‘Contact Us’) if you wish to opt out of receiving direct marketing offers from us, or to opt out of any other use and disclosure of your personal information for direct marketing. Your request would be processed automatically.
You may also be able to opt out by following the instructions in particular direct marketing communications.
Disclosure of personal information
To make sure we can meet your specific needs and for the purposes described in ‘Why we collect personal information’, we may disclose your personal information to other third parties, including:
- our Regulators, National Insurance Commission (NAICOM) and other related bodies
- those involved in providing, managing or administering any aspect of your product or service, or any product (e.g. group insurance) under which you receive or may receive benefits
- service providers such as information brokers, investigators, lawyers, financial advisers, doctors, and other medical and occupational experts
- parties who sell our products or services;
- superannuation and managed funds organizations, and their advisers and service providers
- if your insurance is held in a superannuation product, to entities (and their representatives or service providers) involved in issuing, maintaining and providing administration support relating to these products
- medical professionals, medical facilities or health authorities who verify any health information you may provide
- reinsurers, claim assessors and investigators
- brokers or referrers who refer your application or business to us
- organisations we sponsor and loyalty program partners, including organisations we have an arrangement with, to jointly offer products or have an alliance with to share information for marketing purposes
- police and other enforcement bodies and government agencies where we are required or authorized by law to help detect and prevent illegal activities
- media or social networking sites that provide us with opportunities to place messages in front of you
- service providers that maintain, review, and develop our business systems, procedures, and technology infrastructure, including testing or upgrading our computer systems
- joint venture partners that conduct business with us
- organisations that assist with our product planning, analytics, research, and development
- mailing houses and telemarketing agencies and media organizations who assist us to communicate with you
- other organizations involved in our normal business practices, including our agents and contractors, as well as our accountants, auditors or lawyers and other external advisers, and
- where you have given your consent.
We may store your information in cloud or various other types of remote, networked, or electronic storage. As electronic or networked storage can be accessed from various locations via an internet connection.
When you use our website, mobile applications, email communications, social media profiles and other online services (together, ‘Online Services’), we may collect information about your location or activity including information accessed, IP address, telephone number, device identifiers, social media profile information and whether you’ve accessed third party sites. We do this to verify your identity, identify ways we can improve our services for you, maintain the continuity of your online sessions, recall your details and preferences, understand you better, and for the other purposes described in this policy.
In the case of Capex’s customers, the data subject will provide consent by responding to a dialogue box corresponding to declarations indicating whether consent is given or declined. Such declaration will be in clear and plain language. For children’s personal data, consent will be sought from their legal guardian(s).
Social Media Platforms
The data subject may wish to participate in the various blogs, forums, and other social media platforms hosted by Capex (“Social Media Platforms”) which are made available to the data subject. The main aim of these Social Media Platforms is to facilitate and allow the data subject share content.
However, Capex cannot be held responsible if the data subject shares personal information on Social Media Platforms that is subsequently used, misused, or otherwise appropriated by another user. The data subject is required to consult the Privacy Statements of such services before using them.
Storage and security of personal information
We store information in different ways, including electronic and non-electronic formats. The security of your personal information is important to us, and we take reasonable steps to protect it from misuse, interference, and loss, and from unauthorised access, modification, or disclosure, including control of access to our buildings and electronic security systems, such as firewalls and data encryption on our websites.
We may store personal information physically or electronically with third party data storage providers or our service providers. Where we do this, we use contractual arrangements to ensure those providers take appropriate steps to protect that information and restrict its use.
Your privacy rights
Accessing your personal information
You can access your personal information that we hold on request, subject to any legal restrictions or exemptions.
To request access to your personal information, please contact our Data Protection Officer (see ‘Contact Us’ below). We may charge you a small fee to cover our costs when giving you access, but we’ll always check with you first.
If we decline your request for access, we will tell you why in writing. If you have concerns, you may complain. See ‘Complaints’ below.
Updating your personal information
Please contact us if your details have changed or if you think there is something incorrect with the information, we hold about you.
We’ll accommodate your updating of information requests where we can. If we can’t, then we’ll let you know in writing. If you disagree, you may ask us to make a note of your requested correction with the information.
Data Subject’s Rights
Capex shall disclose the specific purpose for which the information is required before obtaining the information from the data subject and shall inform the data subject of his/her right and method of withdrawal of consent.
The data subject has the right to request that Capex perform certain activities on his/her personal information, such as request for a copy of their personal information, correction of errors on the personal information, a change in the use of their personal information, or delete their personal information. Capex is obligated to either carry out the data subject’s instructions or explain why it may not be possible – usually because of a legal or regulatory issue.
Data subjects have the following rights in respect of Capex ’s use of their personal information:
Right to access: The data subject has a right to a copy of their personal information as maintained by the Company
Right to rectify: Capex takes due care to ensure that the personal information we maintain about data subjects are accurate and complete. However, if a data subject believes the information is inaccurate or incomplete, such data subject has the right to request an amendment.
Right to erase: Under certain circumstances, a data subject may ask that Capex erase their personal information. For instance, where the personal information collected is no longer necessary for the original purpose or where consent is withdrawn. However, this will need to be balanced against other factors, such as the type of personal information obtained, the original reason for collection, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and Capex continuous assessment of risk relating to the data subject. There may be some legal and regulatory obligations which prevents Capex from complying immediately.
Right to restriction of processing: Under certain circumstances, but subject to regulatory requirements, a data subject may be entitled to instruct Capex to stop using his/her personal information. This is applicable where;
A data subject contests the accuracy of personal information held by the data controller
- Processing of personal data of the data subject is unlawful
- The data controller no longer requires the personal data, but the data is required by the data subject for establishment, exercise, or defense of legal claims
- The data subject has objected to processing, pending the verification whether the legal grounds for the data controller overrides those of the data subject.
Right to data portability: Under certain circumstances, data subjects have the right to ask that Capex transfers any personal information that they have provided to Capex to another third party. Once transferred, the other party will be responsible for safeguarding such personal information.
Right to object to marketing: Data Subject can object to the processing of his/her personal data for the purposes of third-party marketing.
Right to lodge a complaint: Capex data subject has the right to lodge complaints in the event that there is an objection to the manner in which personal information is being used by the Company. Such complaints can be communicated using contact details provided in our policy documentation. In certain cases, Capex may be unable to comply with data subject’s requests for reasons such as our own obligations to comply with other legal or regulatory requirements. However, Capex will always respond to complaints and where compliance is not feasible, an explanation will be provided.
The Data Controller shall communicate any rectification or erasure of personal data or restriction to each recipient to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort.
In some circumstances, exercising some of these rights will mean Capex is unable to continue providing cover under the data subject’s insurance policy and may therefore result in cancellation of the policy. The data subject will therefore lose the right to bring any claim or receive any benefit under the policy, including in relation to any event that occurred before the right was exercised, if Capex’s ability to handle the claim has been prejudiced. Each data subject’s policy terms and conditions set out what will occur in the event of a policy cancellation.
Some of Capex’s assessment of risks are made automatically by inputting the data subject’s personal information into a system, the criteria of which is determined by Capex ’s underwriting team and the decision is then calculated using certain automatic processes rather than manual process via discussions. We make automated decisions in the following situations:
Premium computation: We use the data subject’s personal information to determine premium and eligibility.
Fraud and money laundering prevention: Capex uses automated anti-fraud and money laundering filters that check against global database. Individuals known to have undertaken fraudulent and / or money laundering transactions and will reject those applicants based on outcomes of the automated checks.
Application assessment: Capex may use scoring methods to assess applications, perform identity verification and determine premiums. Examples of information used by Capex systems to do this include age, address, lifestyle (e.g. smoking, drinking, exercise routines, etc.) and medical history. If a data subject does not consent to processing sensitive information in this manner, Capex may be unable to assess the application or provide a quote. Alternatively, Capex may only be able to offer the data subject policies that do not require Capex to have that information from the onset. The automated decision making performed by Capex systems during the application is proprietary to Capex, and the results thereof is not shared with third parties.
Where the data subject chooses to opt out of automatic decision-making, a formal communication to that effect will suffice. However, in some situations, it may imply that Capex will be unable to offer a quote because automated decisions are necessary to price and issue certain policies.
Data subjects can enforce the above rights by sending an email to firstname.lastname@example.org Data Controller is obligated to act on the request of the data subject without delay. In the event that the Data Controller does not take action on the request of the Data Subject, the Data Controller shall within one month of receipt of the request, inform the data subject of the reasons why the request has not been actioned.
The exercise of the rights listed above shall be in conformity with constitutionally guaranteed principles of Law for the general protection and enforcement of fundamental rights.
If you have a complaint about how we handle your personal information, we want to hear from you. You’re always welcome to contact our Data Protection Officer (see ‘Contact Us’ below). We’re committed to resolving your complaint and doing the right thing by our customers.
We may request additional details from you regarding your complaint and may need to engage or consult with other parties to investigate and deal with your issue. We’ll keep records of your request and any resolution.
Reviews and updates to this policy
- there are significant changes to privacy legislation; and/or
- there are significant changes to our information handling practices, for example, due to technological advances.
The Data Protection Officer,
Capital Express Assurance Limited
Telephone: 0803 580 9199
The Data Protection Officer
Capital Express Assurance Limited
13, Bishop Kale Close, Off Kasumu Ekemode Street,
Off Saka Tinubu Street,
Victoria Island, Lagos