Privacy Policy Notice

HDFC International Life and Re Company Limited ("HDFC International Life and Re Company Limited") is the life reinsurer incorporated in the Dubai International Financial Centre ("DIFC") and is regulated by the Dubai Financial Services Authority (“DFSA”) to carry out life reinsurance business in and from the DIFC. Our business consists of both, treaty and facultative reinsurance arrangements of ceding insurers, across a broad range of life insurance products, including Individual Life and Group Life.

Introduction

In accordance with the Data protection Law, HDFC International Life and Re Company Limited, being the data controller for the purpose of its services, must provide the information on how personal data will be processed. However, we act as a Reinsurer and hence, we are not in direct contact with the Data subject for the purpose of reinsurance services.

• What personal data we may collect and hold;
• The purposes for which your personal information may be collected, held, used and disclosed;
• How we collect and hold your personal information;
• How we protect your personal information;
• Who we may share your personal information with (including transfers out of the DIFC);
• How you may access and correct your personal information; and
• How you can contact us.

This privacy policy notice is designed to provide compliance with all relevant applicable Data Protection laws. HDFC International Life and Re Company Limited acknowledges that certain laws might be modified to require stricter standards than those described in this privacy policy notice, in which case we will ensure compliance with those stricter standards.

HDFC International Life and Re Company Limited will handle personal data in accordance with Data Protection Laws.

Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

As a reinsurer, we need to obtain information about the policies held by customers of the insurance companies we have reinsurance arrangements with, to properly assess the risk associated with reinsuring those insurance policies (individual and group life). This means we may process information about individuals named in an insurance policy, or individuals that are beneficiaries of, or have made claims under an insurance policy, or individuals who are involved in an incident giving rise to an insurance claim. This privacy policy notice applies to any individual whose personal information we process in the course of providing the services (each a "data subject" or "you").

We may collect your personal information from a variety of sources, such as:

• the insurance companies we have reinsurance arrangements with for covering the risks. When an insurance company provides us with your personal data based on the reinsurance agreement, they confirm that they have obtained and undertake to obtain all requisite consents or we ask them to provide you with a copy of this privacy notice before doing so.
• other reinsurers and retrocessionaries.
• people who are involved in a claim or assist us in investigating or processing claims, including witnesses and external claims data collectors and verifiers.
• public sources, such as public databases (where permitted by law).
• reinsurance brokers or intermediaries.
• third party service providers.
• healthcare service providers/TPAs.
• financial institutions.
• Insurance and reinsurance companies while onboarding them as customers (clients and business partners)
• directly from an individual.

Occasionally we may collect your personal information from a third party, in particular from authorized, regulatory, public sources such as government regulators, industry self-governing bodies, third party AML compliance screening database and other publicly available records. This will be most common when we are complying with our legal obligations regarding money laundering and other financial crimes. If appropriate and required, in these circumstances we will either notify the insurers of our sources or seek your consent through them for use by our regulator.

We do not normally collect personal information from you directly. There are instances where we provide certain tools or prescribed forms to insurers that allow for information supplied by you directly to the insurer to be automatically provided to us. We may also collect personal information if you voluntarily supply it to us, for example by sending us an email.

The type of information we may collect and process from insurers and/or other reinsurers will depend upon the type of insurance policy we are underwriting. It may include any of the below (where permitted by law):

• Personal details: Your name, age, gender, date of birth, photographs, marital status, nationality, height and weight, leisure activities and interests.
• Identification information and criminal data: Your government-issued ID, passport copies, driving licence, and criminal record (but only where it is lawful to collect this data).
• Contact Information: Your address, telephone numbers and email address.
• Information about your family and home: Your family health or morbidity history, number of children and name, age and gender of children, your dwelling type, your household income, and demographics.
• Employment and experience information: Your employment history, job role, salary, employment benefit options, educational background and any professional licenses and qualifications.
• Financial information: Details pertaining to your bank account, annual income, salary investment/savings, tax payer ID, credit history/details.
• Information to conduct our business: Information relating to underwriting and managing and processing reinsurance claims, such as previous insurance records including medical and financial reports and claims histories including health information, services relating to our businesses and your business dealings or relationship with us.

From the information we collect about you, we may also derive or generate further information such as risk assessment ratings. Some of this information is generated through profiling (see the section below at 10).

Some of the categories of information we collect are special categories of personal data (sometimes referred to as "sensitive personal information”). These include:

• your health records (such as your medical history, genetic test results and information, prescription history, death certificate and reports on medical diagnoses, tests and treatment).
• your family medical history.
• information about your personal characteristics and circumstances of a sensitive nature such as your racial or ethnic origin, political affiliations, criminal records, sex life, mental and physical health and genetic information.
• your membership of a professional association or trade union.

We use your personal data:

• to provide our services and fulfil our contractual obligations to customers (clients and business partners) and other third parties;
• for reinsurance administration;
• to review, process and manage claims;
• to conduct data analysis, which helps us assess risks for underwriting, price the products appropriately and improve our services;
• to help us prevent and detect fraud, money laundering, terrorism and other crimes;
• to help develop new and improve existing services;
• to operate and expand our business activities;
• to carry out background checks, where lawful;
• to perform administrative activities in connection with our services;
• to exercise, defend and protect our legal rights or the rights of our clients or third parties;
• to comply with legal and regulatory obligations and to cooperate with regulatory bodies to which we are subject;
• for research and development/enhancement of insurance products and reinsurance services; and
• to audit our business.

The way we analyse personal information for the purposes of risk assessment, fraud prevention and detection, and to report or communicate to our clients as part of providing the services may involve profiling, which means that we may process your personal information using software that is able to evaluate certain personal aspects about you and calculate/assess risks or outcomes. For example, we may analyse personal information about your lifestyle or health information or medical history to predict the likelihood of a claim being made on your insurance policy.

As we are reinsurer, we do not make any decisions about your ability to buy an insurance policy or the price of insurance. However, the personal information we process (including by profiling) may be shared with your insurance provider and may impact the decisions made by your insurance provider. If you have questions about automated decision making by your insurance provider, you should contact your insurance provider.

We are committed to processing your personal information fairly and lawfully and in transparent manner, only to the extent necessary to achieve the purposes listed above.

We must have a lawful basis to process your personal data. In most cases, our ability to obtain and process your personal data is based on one of the following lawful bases:

• Performance of Contract
• Processing your personal information is necessary to comply with our legal obligations, such as complying with any applicable legal, tax, regulatory obligations such as due diligence and reporting obligations, and responding to requests from our regulators. In line with anti-money laundering requirements under the applicable AML laws and regulations all customers (clients and business partners) including beneficiaries are required to be identified. We will also engage in screening for the purpose of AML regulations and counter terrorist financing legislations including PEP screening and with UN, US, EU, UAE and other applicable/relevant sanction regimes;
• Processing your personal data is necessary to meet our legitimate interests and the legitimate interests of our clients, for example to provide our services to clients, to improve our services, to ensure we price the products appropriately, to manage and assess risks, to manage our business efficiently, to perform audits, and to maintain, store and use accurate and correct records.

If it is necessary that we process your sensitive personal information for one of the purposes listed above, we will only do so where one of the following applies:

• Your explicit consent has been obtained. Where consent is legally required to process your sensitive personal information, your insurance provider (or the insurance company that collected your personal information) will obtain consent from you. You may withdraw your consent at any time by contacting the insurance company that collected your personal information;
• We need to process your sensitive personal information to establish, exercise or defend a legal claim; or
• We are otherwise authorized by applicable Federal and regulatory laws and rules to process your sensitive personal information.

We may share your personal information with third parties under the following circumstances:

• HDFC group companies. We operate as a global reinsurance provider, so we may share your personal information with group companies who may use this information for the purposes described in this privacy policy notice.
• Insurance companies, intermediaries/brokers, financial institutions and retrocessionaires. We may share your personal information with insurance companies, intermediaries/brokers, financial institutions, retrocessionaires/business partners that use your personal data in connection with the provision of reinsurance services including reinsurance administration and processing of claims. For example, we may share your personal data with other reinsurers for the purposes of settling claims.
• Service providers. We may share your personal data with service providers that perform services and other business operations or support services for us, for example, IT and analytics providers, actuarial service entities/actuarial team of Group/parent company, auditors and professional/legal advisers.
• Any law enforcement agency, court, regulator, government authority or professional body. We may share your personal data with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, customers (clients and business partners) rights or the rights of any third party.
• Asset or equity purchasers. We may share your personal information with any third party that purchases, or to which we transfer, all or substantially all of our assets/equity and business. Should such a sale or transfer occur, we will use reasonable efforts to try to ensure that the entity to which we transfer your personal data uses it in a manner that is consistent with this privacy policy notice

You have certain rights regarding your personal information, subject to local law. These include the right to:

• access your personal data;
• rectify your information/data we hold;
• erase your personal data;
• to withdraw consent given to insurers;
• restrict our use of your personal data;
• object to our use of your personal data;
• receive your personal data in a usable electronic format and transmit it to a third party (right to data portability); and
• lodge a complaint with relevant data protection authority.

Since, in many cases, we receive your data directly from your insurance provider you should contact your insurance provider first if you would like to exercise your rights. We would encourage you to inform your insurance provider if your personal information needs to be corrected or updated (and you may be under a legal duty to do so).

Please note that your insurance provider will likely require additional information from you in order to meet your requests.

As per our adopted data security framework, we implement technical and organizational measures and use only secure processes and systems in accordance with the provisions of the applicable Data Protection Law for the transfer, storage and processing of your data, to ensure an appropriate level of security of your personal data we process, from the identified risks to which the personal data is exposed by virtue of human action or physical or natural environment. These measures are aimed at ensuring the on-going security and confidentiality of personal data. We evaluate these measures on a regular basis to ensure an adequate security of the processing and any such other security measures are introduced from time to time.

We will normally keep your personal data for as long as you have an interest in, or claim against, a policy we are underwriting. Beyond that, we retain personal information for a period of time that reasonably allows us to investigate, commence or defend legal claims brought by or against us or our clients, comply with our regulatory obligations and conduct required analysis. We securely destroy or delete personal data when its retention period has expired.

We may retain aggregated or anonymised data (which is not treated as personal data under this privacy policy notice) for longer.

As a Global reinsurer, your personal information may be transferred to, stored, and processed in other countries, which may include countries that are not regarded as ensuring an adequate level of protection for personal data under Data Protection Law.

We have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your personal information is adequately protected and secured. For more information on the appropriate safeguards in place, please contact us at the details contained in the "Contact us" section below.

HDFC International Life and Re Company Limited is the controller responsible for the personal data we collect and process. Other Group entities or support service entities may also be controllers in respect of your personal data, depending on the nature of the services they provide.

If you have questions or concerns regarding the way in which your personal data has been used, please e-mail us at info@hdfclifere.com or call or write to us.

If you would like to exercise a data subject right, you may use the above.

Our Corporate information and address is:

Registered Office

HDFC International Life and Re Company Limited
Regulated by the DFSA
Unit OT 17-30, Level 17,
Central Park, Dubai International Financial Centre (DIFC),
P.O. Box 114603, Dubai, United Arab Emirates

Our telephone number is:

Board: +971 4 354 6969

HDFC International Life and Re Company Limited’s Data Protection Officer is Mr. Manoj Raman, Head – Customer Relations and Business Systems. If you have any questions or concerns for our DPO regarding the way in which your personal data has been used or on any of your rights as outlined above, please submit a written request to DPO via email at DPO@hdfclifere.com.

We are committed to working with you to obtain a fair resolution of any complaint or concern about this privacy policy notice. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to lodge a complaint with supervisory authority in particular, in the jurisdiction of your residence or place of work or place of alleged infringement, if you consider that the processing of personal data relating to you carried out is not as per the relevant Data Protection Laws.

The provision by you of personal data, as outlined in the section titled “Purpose of processing and lawful basis for processing” is required for us to provide our reinsurance services and so that we can comply with our contractual, tax, legal, regulatory requirements referred above. Where you fail or refuse to provide such personal data to the insurance provider, we may not be able to perform the contract we have entered with them or we may be prevented from complying with our legal and regulatory obligations.

We may modify or update this privacy policy notice from time to time. If we make a major change to this privacy policy notice, we will post a notice about this on our website, and we may ask the insurance companies we work with to notify its customers on our behalf.

You will be able to see when we last updated the privacy policy notice, as it will include a revision date, shown below.