BERMUDA DATA PRIVACY NOTICE

The policy of Enstar Group Limited and its subsidiaries (“The Company”) is to respect and protect the privacy of individuals on whom we process data during the course of our business, including data relating to, customers, and claimants.

To fulfil this policy, The Company agrees to exercise the safeguards and precautions set out in this written notice (the “Privacy Notice”) to maintain the confidentiality of information we process in Bermuda and relating to Bermudian residents’ data that we control. Our representative office in Bermuda can be found at A.S. Cooper Building, 4th Floor, 26 Reid Street, Hamilton, HM 11, Bermuda.

As a firm with a global presence, we are subject to varying requirements of data protection legislation where we operate. Our aim is to be as consistent as possible, to obey all applicable laws, and apply the highest standard of privacy principles to our approach.

This Privacy Notice sets forth The Company’s current policies and practices with respect to:

• What personal information we may hold or collect
• How we may use your personal information
• Who we may disclose your personal information to
• Contacting us and your rights to access and update your personal information; and
• How changes to this Privacy Notice will be made.

Categories of Information

We may process the following of data categories depending on our relationship with you:

• Information including your name, address, contact details, details relating to the claim (which depending on the nature of the claim may include medical reports and reports of criminal convictions or crime reports) (“Claim Details”) that you, your employer, or an organisation who we insure, or a third-party claimant provides to us in relation to the administration of an insurance/reinsurance policy that we insure or reinsure.
• Information relating to any request for assistance or support, including your name, address, contact details and details of any vulnerabilities (which may include medical reports) and financial information to support the claim.
• Details of your visits to our website and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, usage information and the resources that you access.
• Information you supply when you directly interact with us which may include call recording information.

Sensitive or Special Category data may include:

• information relating to any criminal or fraudulent activities provided to us by you or third parties (such as anti-fraud agencies or other insurers).
• Health information you supply to us as part of the claims administration process.
• Information used in fraud prevention or sanctions checking against public lists.

We collect this information from the following sources:

• Information from you supplied during the course of a claim.
• From authorised third parties who support our processing and handling of the claim.
• When assuming responsibility for administering policies and claims that relate to a book of insurance business.
• From public sources to eliminate the purpose of fraud.

Why we process your data

We process your personal data for the following purposes:

• Policy administration
• Claim processing
• Providing payments
• Compliance with applicable laws and regulations as well as security, and compliance with corporate financial responsibilities
• When you visit our website, we may collect cookie information and information gathered from your browser such as Ip address and location (see cookie policy)
• When we need to contact you for the purposes of administering our service to you
• For fraud prevention, Know Your Client, and Anti Money Laundering purposes
• To give us feedback (for example by completing a survey)

Lawful basis

Our lawful basis for processing this data varies depending on the purpose of processing, these are outlined below.

• Where we process your data for the performance of contractual obligations, our lawful basis is performance of a contract.
• Where we process your data to progress the efficiency of the company and analyse how data subjects interact with us, our lawful basis is legitimate interest.
• Where we have a legal obligation to comply with applicable law or where we are required to defend a legal claim, our lawful basis is processing is required for compliance with a legal obligation or in defence of a legal claim.

Data transfers to third parties

We may transfer your personal data to third parties who are primarily business partners, reinsurers, third party administrators, and other parties involved in the processing of insurance claims. In addition, we are sometimes required to share data with other entities to comply with a law or regulation. This could include state or federal authorities, courts, external advisors, and similar third parties.

Our transfers are subject to a process of risk assessment. We have formal agreements in place with recipients outside of Bermuda to ensure they provide an adequate level of protection for your data, including technical and organisational security measures to protect your personal data.

International Transfers

Enstar Group Companies are also located in Australia, the USA, the United Kingdom, and the European Union. Where personal data transfers occur to these destinations, they are governed by safeguards which include International Group Data Transfer Agreements. We may transfer any information we collect mentioned above to these destinations.

Data Subject Rights

We observe a number of data subject rights as required by international law and adopted by Enstar Group as our standard. You may have the following rights depending on the circumstances of your case and applicable local law.

• The right to access – you have the right to ask the Company for copies of your personal data. We may charge you a small fee for this service.
• The right to rectification – you have the right to ask that the Company correct any information you believe is inaccurate. You also have the right to request the Company to complete the information you believe is incomplete.
• The right to erasure – you have the right to ask that the Company erase your personal data, under certain conditions.
• The right to restrict processing – you have the right to ask that the Company restrict the processing of your personal data, under certain conditions.
• The right to object to processing – you have the right to object to the Company’s processing of your personal data under certain conditions for example withdraw consent to direct marketing.
• The right to data portability – you have the right to ask that the Company transfer the data that we have collected to another organization, or directly to you, under certain conditions.
• The right to complain to the regulator. If you are not satisfied with the way we have handled the request, you have the right to escalate a complaint to the regulator.
• The right not to have your data sold to third parties. Enstar will not sell or rent your data unless we are engaged in the sale of the company or part of the company and in such case, we would need to transfer your data to honour our continuing obligations to you.

To exercise your Rights, please contact the Data Protection Officer, Ms. Nikita Saini, at Enstar: [email protected].

Automated Decision Making

Enstar does not engage in automated decision making or use artificial intelligence for processing the personal data it collects.

Retention Periods

We only retain data for as long as necessary to process your data. Our retention policy varies depending on the categories of information we collect and according to applicable law. Due to the nature of our business generally, we hold information for 10 years, but this could be longer depending on our obligations to you or whether we have an ongoing legal dispute with you. A copy of our retention policy can be obtained on request.

Data Security

We take the security of your data seriously and we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, including:

• the pseudonymisation and encryption of personal data
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
• the ability to restore the availability and access to personal data in a timely manner; and
• a process for regularly testing and evaluating the effectiveness of technical and organisational measures

We ensure that those who have permanent or regular access to personal data, or that are involved in the processing of personal data, or in the development of tools used to process personal data, are informed of their responsibilities when processing personal data.

How to contact us

If you have any questions concerning this notice, please contact the Data Protection Officer, Ms. Nikita Saini, at Enstar: [email protected].

Data Privacy Policy

Our Data Privacy Policy, outlining the measures we have in place, can be requested from the Data Protection Officer, Ms. Nikita Saini, at Enstar: [email protected].