Privacy Notice

1. Introduction

Strategic Risk Solutions, Inc. (“SRS”) is the world’s leading independently owned insurance company manager. We operate in leading US, Europe and international domiciles. SRS provides independent solutions for the management of captive insurance companies, commercial insurance companies, reinsurance ventures and ILS/Fund services. These services include the provision of financial reporting and accounting services, regulatory compliance and governance services, general management services and consulting services. We operate globally providing services to clients in the US, Europe, Barbados, Bermuda and the Cayman Islands. Our staff are located throughout these regions and in South Africa.

2. Commitment to Personal Data Privacy

Maintaining the trust of our clients in the management of their companies is critical to the success of our business. As part of our operations, we receive personal information for our employees, clients and third parties. Maintaining the privacy of that information is a core component of us maintaining your trust. SRS is committed to protecting the privacy of the personal information we receive and meeting the requirements of data privacy and security regulations related to this personal information in the regions in which we operate.

3. Responsibility

We will protect personal information consistent with the principles of the General Data Protection Regulations of the EU, Federal and State requirements including the Protection of Personal Information of Residents of the Commonwealth (the “Massachusetts Policies”), 201 Mass. Code Regs. 17.00, promulgated under Massachusetts General Laws c. 93H (the “Massachusetts Privacy Law”), The California Consumer Privacy Regulations (the “CCPA”), Personal Information Protection Act (PIPA) of Bermuda, Data Protection Act 2019 of Barbados, The Data Protection Act of Cayman Islands, the Health Insurance Portability and Accountability Act and other applicable privacy regulations.

4. Personal Information We Collect

The personal information we collect depends on the nature of the services used by our clients and the activities of the clients that we are managing. We collect personal information in three ways.

    1. Automatically through our website (“Site”) and emails. The information collected by SRS through the Site falls into two categories: (1) information voluntarily supplied by visitors to our Site and (2) information gathered via automated means as visitors navigate through our Site.
    2. Directly from prospective and current clients. This information may include personal information related to proposed directors and officers of companies we manage and ultimate beneficial owners of prospective clients. For example, from prospective insurance company clients, we may receive claims information containing personal information as part of the feasibility assessment for the establishment of an insurance company subsidiary.
    3. From clients and third parties as part of client company activities, including policyholder, claimant and investor information.

The personal information we collect includes both personally identifiable information (PII) and Protected Health Information (PHI).

Personally Identifiable Information (PII): PII is any data about an individual that could potentially identify that person, such as a name, fingerprints or other biometric data, email address, street address, telephone number or social security number. A subset of PII is personally identifiable financial information. For our purposes, individually identifiable data transmitted or maintained in any form will come under this category.

Protected Health Information (PHI): PHI includes any and all information created or received at SRS that identifies or can readily be associated with the identity of an individual, whether oral or recorded in any form or medium, that relates to the past, present, or future:

  • Physical, mental, or behavioral health or condition of an individual.
  • Healthcare services received by an individual, or payment for those services.

5. How We Use Personal Information

SRS uses personal information for the provision of professional services, the management of client engagements and the operation of its business.

Provision of Professional Services

We process personal information as part of the management services we provide to company clients and the consulting services we provide to prospective company owners. The precise purposes for which personal information is processed are determined by the scope of our management services and consulting agreements, the risks being insured by our clients, applicable laws, regulatory guidance and professional standards.

Management of Client Engagements

We process personal information about our clients and the individual representatives of our clients to:

  • Carry out regulatory and compliance obligations, including:
    • “Know Your Customer/Employee/Vendor”; we are required to “identify and verify”;
    • Anti-money laundering;
    • Sanctions screening;
    • Fraud prevention activities;
  • Communicate with our clients, including addressing client inquiries and servicing requests;
  • Co-ordinate management services, including conducting Board of Director and other client meetings;
  • Conduct communications and marketing to our clients and prospective clients, including providing:
    • Newsletters and promotional materials,
    • Articles, white papers and research information,
    • Invitations to webinars and SRS events and the administration of those events.

Operation of Our Business

We process personal information during the course of operating our business. These activities include:

  • Evaluating process and service improvements including the testing of new technologies
  • Research into new service offerings, including data analytic and benchmarking studies
  • Mergers and acquisitions: we process personal information in evaluating an acquisition, sale or re-organization
  • Processing applications for employment and the management of employee records including payroll services

If we wish to use your personal information for a purpose which is not compatible with the purpose for which it was collected, we will request your consent unless your personal information is being processed to satisfy our legal and regulatory obligations.

6. Legal Basis for the Use of Personal Information

SRS only collects and processes personal information where it is lawful to do so. We rely on the following legal grounds to collect and use your personal information.

  1. In the performance of a service contract with you.

Where we offer services or enter into a contract with you, we will collect and use personal information to the extent it is necessary for us to execute the contract and to perform the services under that contract.

  2. To meet our legal and regulatory obligations.

It may be necessary for us to collect and use personal information as part of our legal and regulatory obligations, for example in supplying application and regulatory reports to the domicile regulators who license our client companies in our role as the manager for those client companies.

  3. Where it is necessary for our legitimate interests.

We may collect personal information to enable us to pursue our legitimate commercial interests. These include the operation of our business in developing business solutions; managing relationships with our clients, partners, prospects and vendors; conducting due diligence on potential clients; and corporate development activities including mergers and acquisitions.

  4. With our clients’ consent.

We may rely on your consent as the legal basis for the collection and use of personal data. This may include the use of personal data related to the insurance policies underwritten by our client companies, including policyholder and claimant information. It may also include director and officer information collected as part of the operations of the client company.

Where we rely on your consent to collect and use personal information, you are not required to provide your consent and you may withdraw your consent. However, if you refuse to provide the information we require to reasonably provide the services and we have no other legal basis for the collection and use of the personal information, we may have to terminate our services with immediate effect.

  5. Where it is in the public interest.

If allowed under law, we may collect and use your information for a substantial public interest, for example preventing or investigating unlawful acts.

7. How We Protect the Privacy of Personal Information

SRS takes the security of all personal information very seriously. We take precautions to maintain the security, confidentiality, and integrity of the information we collect. Such measures include access controls designed to limit access to the information to the extent necessary to accomplish our mission. We also employ various security technologies to protect the information stored on our systems. We routinely test our security measures to ensure that they remain operational and effective. We train appropriate personnel on our privacy and security policies and compliance requirements.

Limits on Collection, Use and Retention of Data

SRS will not retain any more personal information than we believe is necessary for any of the purposes set out in this Privacy Notice or is dictated by legal or professional requirements. We will not retain personal data for longer than it is needed for business, legal or professional purposes.

8. Transfers of Data

As part of our normal course of business, SRS may transfer data to and from third parties and within the firm. These transfers may include data transfers across international borders. When permitted by law, we use the following legal mechanisms to protect your data during these transfers.

  • Transfers to Third Parties: we use reasonable efforts to ensure that third parties are bound by the same provisions as this Privacy Notice including the use of contractual commitments to protect the data, including the use of standard contractual clauses as defined by the European Commission.
  • International Transfers: we will only transfer data internationally:
    • With the data subject’s consent; or
    • If the transfer is necessary for the performance of a contract; or
    • If the transfer is permitted by applicable data privacy law; or
    • To a country considered to have an adequate level of protection by the European Commission or with equivalent data privacy laws to the originating country; or
    • With appropriate safeguards in place, which may include binding corporate policies or standard contractual clauses as defined by the European Commission.

9. Data Subject’s Rights

As a data subject, you may have certain rights to your personal information depending on the jurisdiction in which you live and the purpose for which the data is being used. These rights may include:

Right to Access
You have the right under certain circumstances to access and inspect personal information which SRS holds about you.

Right to Correction
You may have the right to request us to correct your personal information where it is inaccurate or out of date.

Right to be Forgotten or the Right to Erasure
You have the right under certain circumstances to have your personal information erased. Your information can only be erased if your data is no longer necessary for the purpose for which it was collected, and we have no other legal ground for processing the data.

Right to Restrict Processing
You have the right under certain circumstances to request the restriction of your personal information from further use, e.g., where the accuracy of the information is disputed, and you request that the information not be used until its accuracy is confirmed.

Right to Data Portability
You have the right under certain circumstances to data portability, which requires us to provide personal information to you or another controller in a commonly used, machine readable format, but only where the processing of that information is based on (i) consent; or (ii) the performance of a contract to which you are a party.

Right to Object to Processing
You have the right to object to the processing of your personal information at any time, but only where that processing is based on our legitimate interests as its legal basis. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.

Right to Decline Automated Decision Making
You have the right to object to decisions involving the use of your personal information, which have been taken solely by automated means, i.e. without human involvement.

Right to Object to Direct Marketing
Where your personal information is processed for direct marketing purposes, you have the right to object at any time to processing of personal data used for such marketing. We will provide specific information on how to opt-out from our marketing initiatives through the medium we communicate with you.

You can exercise your rights by contacting us, as detailed in section 10 below.

10. Contact Us

If you have any questions, concerns, or complaints about this Privacy Notice, our privacy practices in general or your personal information, they should be directed to SRS at dataprotection@strategicrisks.com or by contacting SRS at:

Strategic Risk Solutions
2352 Main St #301
Concord, MA 01742
USA

In certain jurisdictions, you also have the right to contact the local data protection authority regarding the use of your personal data. Contact details for applicable authorities are shown below.

Jurisdiction    Data Protection Authority                                   Contact Details
Bermuda         Office of the Privacy Commissioner for Bermuda              PrivCom@privacy.bm
Cayman Islands  Cayman Islands’ Ombudsman                                   1-345-946-6283
                                                                            info@ombudsman.ky
Guernsey        Office of the Data Protection Authority                     https://odpa.gg
                                                                            enquiries@odpa.gg
Ireland         Data Protection Commission                                  info@dataprotection.ie
Luxembourg      Commission Nationale pour la Protection des Données         info@cnpd.lu
Malta           Office of the Information and Data Protection Commissioner  idpc.info@idpc.org.mt
Switzerland     Federal Data Protection and Information Commissioner        +41 (0)58 462 43 95
                                                                            info@edoeb.admin.ch

11. Changes To This Privacy Notice

This Privacy Notice is subject to change at any time. If we make changes to this Privacy Notice, we will change the last updated date at the bottom of this page. Any changes we make to this Privacy Notice become effective immediately, so you should review this Privacy Notice regularly for changes.

This Privacy Notice was last updated on July 28, 2021.