PERSONAL DATA PROTECTION POLICY

We at Capstone Insurance Agency Pte. Ltd. (“Capstone”, “us”, “our” or “we”) take our responsibilities under Singapore’s Personal Data Protection Act 2012 (“PDPA”) seriously.

This Personal Data Protection Policy (“Policy”) sets out the basis on which Capstone may collect, use, disclose or otherwise process personal data of our customers in accordance with the PDPA. This Policy is also designed to assist you in understanding how we manage, protect and process your personal data which is in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose or process personal data for our Purposes.

INTRODUCTION TO PERSONAL DATA PROTECTION
  1. 1. As used in this Policy:
    “customer” means an individual who (a) has contacted us through any means to find out more about any products we distribute and/or services we offer, or (b) may, or has, entered into a contract with us for the provision of any products and/or services by us; and
    “organisation” is defined under the PDPA to mean any individual, company, association or body of persons, corporate or unincorporated, whether or not: (a) formed or recognized under the law of Singapore; or (b) resident, or having an office or a place of business, in Singapore.
    “personal data” is defined under the PDPA to mean data, whether true or not, about an individual who can be identified: (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access.
  2. 2. Due to the nature of our business activities and services which we perform for you, and depending on the nature of your interaction with us, we will be required to collect personal data from you which may include but is not limited to your name and identification information such as your NRIC number, passport number, employment pass number/FIN number, contact information such as your address, email address or telephone/hand phone number, nationality, gender, date of birth, marital status, educational background, driving records, employment history, professional licenses and affiliations, relationship to the policyholder, insured or claimant, photographs and other audio-visual information, medical and health records, employment information and financial information such as credit card numbers, debit card numbers or bank account information.
  3. 3. We will collect your personal data in accordance with the PDPA. We will notify you of the Purposes for which your personal data may be collected, used, disclosed and/or processed, as well as obtain your consent for the collection, use, disclosure and/or processing of your personal data for the intended Purposes, unless an exception under the law permits us to collect and process or disclose your personal data without your consent.
  4. 4. In order to conduct our business operations smoothly, we may also be disclosing the personal data you have provided to us to our third party service providers, insurers, agents or intermediaries whether sited in Singapore or outside of Singapore, for one or more of the Purposes as described below. Such third party service providers, insurers, agents or intermediaries would be processing your personal data either on our behalf or otherwise, for one or more of the Purposes as described below.
  5. 5. Generally all your personal data will be processed in Singapore. However, we may in certain situations transfer your personal data to a country outside of Singapore for one or more of the Purposes as described below on a need-to-know basis. In such an event, we will ensure that the receiving entities are bound by laws or contractual obligations for the protection of your personal data to a standard comparable to the Singapore PDPA.
  6. 6. This Policy supplements but does not supersede nor replace any other consents you may have previously provided to us nor does it affect any rights we may have at law in connection with the collection, use or disclosure of your personal data. Other terms used in this Policy shall have the meanings given to them in the PDPA (where the context so permits).

COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA

Collection of Personal Data

  1. 7. We generally do not collect your personal data unless:
    1. (a) it is provided to us knowingly and voluntarily by you directly or via a third party who has been duly authorised by you to disclose your personal data to us (your “authorised representative”) after (i) you (or your authorised representative) have been notified of the Purposes for which the data is collected, and (ii) you (or your authorised representative) have provided written consent to the collection and usage of your personal data for those Purposes, or
    2. (b) the collection and use of personal data without consent is permitted or required by the PDPA or other laws. We shall seek your consent before collecting any additional personal data and before using your personal data for a Purpose which has not been notified to you (except where permitted or authorised by law).

  2. 8. Without limiting the generality of the foregoing, Capstone may collect your personal data in one or more of the following ways:
    1. (a) when you submit an enquiry, application or registration form, or any other forms relating to any product(s) distributed and/or services offered by us;
    2. (b) when a policyholder takes up an insurance policy for your benefit or appoints you as the life assured/insured members;
    3. (c) when you enter into any agreement or provide other documentation or information in respect of your interactions and transactions with us, or when you use our services;
    4. (d) when you interact with our service officers, representatives, or agents (for example, via telephone calls, letters, fax, face-to-face meetings, social media platforms, surveys, workshops, e-mails and/or official website);
    5. (e) when you use our electronic services, or interact with us via our official websites or web services;
    6. (f) when you request us to contact you (whether pursuant to a request for more information, complaints, or any other purposes);
    7. (g) when your images are captured by us via CCTV cameras while you are within our office premises, or via photographs or videos taken by us, our representatives or our agents when you attend our events;
    8. (h) when we receive references from business partners or third parties (for example, where you have been referred by them);
    9. (i) when we seek information from third parties about you in connection with the product(s) and/or services you have applied for; including but not limited to from other insurers, insurance associations, healthcare institutions, clinics, investigators, ex-employer and the relevant authorities;
    10. (j) when you submit your personal data to us for one or more of our Purposes or for any other reason with your consent; and/or
    11. (k) through publicly available sources where relevant and appropriate.
    Please note that if you provide us with any personal data relating to a third party (for example, information about your spouse, children or parents), you represent and warrant to us that you have obtained the consent of the third party to provide us with their personal data for the relevant Purposes.

Use of Personal Data

  1. 9. We may collect and use your personal data for any or all of the following purposes (“Purposes”):
    1. (a) performing obligations in the course of or in connection with the provision of our services requested by you (for example, providing professional insurance advice and services or quotation for purchasing, renewing or reinstating of an insurance policy);
    2. (b) the collection and use of personal data without consent is permitted or required by the PDPA or other laws. We shall seek your consent before collecting any additional personal data and before using your personal data for a Purpose which has not been notified to you (except where permitted or authorised by law).
    3. (c) recommending insurance covers, product(s) and/or services based on evaluation(s) of your needs analysis;
    4. (d) verifying your identity;
    5. (e) responding to, handling, and processing queries, requests, applications, complaints, and feedback from you in connection with our services and/or any of your policies;
    6. (f) carrying out, processing and/or managing your relationship with us;
    7. (g) administering of your insurance cover and policy, which may include but is not limited to:
      1. (i) requesting and collecting premiums;
      2. (ii) processing your premium and other payments and transactions;
      3. (iii) providing regular information about your insurance policy;
      4. (iv) reviewing or renewing or reinstating your insurance policy;
      5. (v) carrying out your instructions or responding to any enquiries by you; and/or
      6. (vi) processing your claim(s) made under your insurance policy.

    8. (h) conducting market research and analysis, including satisfaction surveys;
    9. (i) sending you marketing information about the products we distribute and/or services we offer including notifying you of our marketing events and policy covers;
    10. (j) providing general information on product enhancements and services, which are relevant to your needs or policies (such as increasing benefits, adding riders/supplements and/or insured lives);
    11. (k) assisting in investigating fraud, misconduct, any unlawful action or omission, whether relating to your policy, your claims or any other matter relating to your policy, and whether or not there is any suspicion of the aforementioned;
    12. (l) dealing in any matters relating to your policies (such as the mailing of certificates, correspondences, invoices, notices, reports, statements, and other documents to you which may disclose certain personal data about you on the envelopes/mail packages);
    13. (m) complying with and monitoring internal policies and procedures for matters including but not limited to audit reviews, business continuity, due diligence checks (such as personal background, “know-your-client” checks, file and document management, IT system and data and website hosting, other screening activities and/or risk management procedures put in place by Capstone and/or the industry);
    14. (n) archiving, backing-up or destroying personal data;
    15. (o) complying with any applicable laws, regulations, codes of practice, guidelines, directions or rules imposed by any statutory body, governmental and/or regulatory authority, law enforcement agency or dispute resolution body;
    16. (p) complying with and assisting with law enforcement and investigations conducted by any statutory body, governmental and/or regulatory authority, or law enforcement agency;
    17. (q) transmitting personal data to your insurer and any unaffiliated third parties including our third party service providers and agents, and any statutory body, governmental and/or regulatory authority, whether in Singapore or abroad, for the aforementioned Purposes;
    18. (r) any other purposes for which you have provided the information; and
    19. (s) any other incidental business purposes related to or in connection with the above.
    The Purposes listed in the above clauses may continue to apply even in situations where your relationship, insurance policy and/or customer account with us is no longer in force, terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under any contract with you).

Disclosure of Personal Data

  1. 10. We may disclose your personal data:
    1. (a) where such disclosure is required for performing obligations in the course of or in connection with our provision of the product(s) or services requested by you; or
    2. (b) to third party service providers, insurers, agents, intermediaries and other organisations we have engaged to perform any of the Purposes listed in clause 9 above for us.
  2. 11. Without limiting the generality of the foregoing, Capstone may also disclose such personal data of yours to the following parties for the following purposes:
    1. (a) To medical organisations (such as medical practitioners, hospitals and clinics), insurance associations, offices or organisations, insurers, credit agencies, motor workshops, legal firms or advisers, dispute resolution bodies, surveyors, or investigators for claims, insurance and compliance/audit purposes;
    2. (b) To your insurer or representatives (including any new intermediary appointed by you) to service and administer your insurance plan or policy;
    3. (c) To your insurer for payment, collection or refund of any monies due or payable or upon their valid request;
    4. (d) To third party vendors engaged by Capstone to store and maintain our data and documents (including storage for business recovery purposes); and
    5. (e) To any statutory body, governmental and/or regulatory authority, or law enforcement agency to comply with applicable laws or regulation or upon their valid request.
    12. Without prejudice to any other clause in this Policy, we may disclose your personal data to your insurer and/or third parties without first obtaining your consent in certain situations, including, without limitation, the following:
    1. (a) cases in which the disclosure is required or authorised based on the applicable laws and/or regulations;
    2. (b) cases in which the purpose of such disclosure is clearly in your interests, and if consent cannot be obtained in a timely way;
    3. (c) cases in which the disclosure is necessary to respond to an emergency that threatens the life, health or safety of yourself or another individual;
    4. (d) cases in which the disclosure is necessary for any investigation or legal proceedings;
    5. (e) cases in which the personal data is disclosed to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer;
    6. (f) cases in which the disclosure is to a public agency and such disclosure is necessary in the public interest; and/or
    7. (g) where such disclosure without your consent is permitted by the PDPA or by law.
    Neither Capstone nor any of its officers shall be liable for any loss or damage suffered by you or any user as a result of any disclosure of any personal data which you have consented to Capstone and/or any of its officers disclosing.

GIVING AND WITHDRAWING YOUR CONSENT

Giving Consent

    13. By submitting your personal data to us or by engaging us to provide you product(s) we distribute and/or services we offer, you signify that you have read and understood this Policy, and that you consent to Capstone:
    1. (a) collecting, using, disclosing and/or processing the personal data mentioned above for the Purposes as described in clause 9 above; and
    2. (b) transferring the personal data mentioned above to your insurer and/or unaffiliated third party service providers, insurers, agents or intermediaries where such third party service providers, insurers, agents or intermediaries are sited (whether in Singapore or outside of Singapore), for the Purposes as described in clause 9 above.

Withdrawing Consent

  1. 14. The consent that you provide for the collection, use and disclosure of your personal data will remain valid until such time as it is withdrawn by you in writing. You may withdraw consent and request us to stop using and/or disclosing your personal data for any or all of the Purposes listed above by submitting your request in writing or via email to our Data Protection Officer (“DPO”) at the contact details provided below.
  2. 15. Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within thirty (30) days of receiving it.
  3. 16. Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing the product(s) which we distribute and/or services we offer to you. We shall, in such circumstances, notify you before completing the processing of your request. For example, if you withdraw your consent for Capstone to collect, use or disclose your personal data, Capstone will be unable to process, administer and/or manage your relationship, insurance policy and/or customer account with us. Therefore, withdrawing your consent in this case may be disadvantageous to you, as you may be losing valuable services from us or it may not be possible for you to obtain a similar level of protection from your insurance policy on the same terms in the future. However, should you decide to cancel your withdrawal of consent, please inform us in writing in the manner described in clause 9 above.
  4. 17. Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclosure without consent is permitted or required under applicable laws.

ACCESS TO AND CORRECTION OF PERSONAL DATA

    18. If you wish to make:
    1. (a) an access request for access to a copy of the personal data which we hold about you;
    2. (b) an access request for information about the ways in which we use or disclose your personal data; or
    3. (c) a correction request to correct or update any of your personal data which we hold about you,
    you may submit your request in writing or via email to our DPO at the contact details provided below.

  1. 19. We will respond to your request as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).
  2. 20. Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your access request.

  3. 21. For a request to correct personal data, we will:
    1. (a) correct your personal data pursuant to clause 18 above; and
    2. (b) subject to clause 22 below, send the corrected personal data to every other organisation to which the personal data was disclosed by Capstone within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose.

  4. 22. Notwithstanding clause 21(b) above, we may, if you so consent and instruct, send the corrected personal data only to specific organisations to which the personal data was disclosed by us within a year before the date the correction was made.

PROTECTION OF PERSONAL DATA

  1. 23. To safeguard your personal data from unauthorised or unlawful access, collection, use, disclosure, copying, modification, disposal or similar risks, Capstone has introduced appropriate administrative, physical and technical measures such as up-to-date antivirus protection, encryption and the use of privacy filters to secure all storage and transmission of personal data by Capstone, and disclosing personal data both internally and to our authorised third party service providers and agents only on a need-to-know basis.
  2. 24. You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, Capstone strives to protect the security of your information and is constantly reviewing and enhancing its information security measures.
  3. 25. Please note that Capstone does not sell or rent your personal data to third parties.

LINKS TO OTHER WEBSITES

    26. Our website may contain links to other websites of interest. However, once you have used these links to leave our website, you should note that we do not have any control over such other websites. Such other websites are not operated or maintained by us. Capstone is not responsible for the data protection policies and/or procedures of such other websites. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such other websites. You should exercise caution and review the personal data protection policy and/or privacy statement applicable to the website in question.

ONLINE ADVERTISING & COOKIES

    27. Capstone’s official website does not use cookies. Please note that you can access and browse our official website without disclosing any personal data. However, Capstone’s online advertisement (“Capstone Ad”) which is displayed through Google’s online advertisement services (“Google Adwords”) uses Google Adwords Conversion Tracker. This tracker uses cookies to help us track visitor activity and determine how many people who clicked on Capstone Ad end up contacting us through the website. Tracking cookies are set on your browser only when you click on the Capstone Ad. These tracking cookies expire within thirty (30) days and do not contain information that can identify you personally. Please refer to Google’s Advertising Privacy Notice for more information about Google Conversion Tracking and the ability to opt out.

ACCURACY OF PERSONAL DATA

    28. Capstone generally relies on personal data provided by you (or your authorised representative). We will take reasonable efforts to ensure that your personal data in our possession or under our control is accurate and complete. However, in order to ensure that your personal data is current, complete and accurate, please update us if there are changes to your personal data by informing our DPO in writing or via email at the contact details provided below. We will not be responsible for relying on inaccurate or incomplete personal data if you did not update us of the changes in your personal data.

RETENTION OF PERSONAL DATA

  1. 29. Capstone may retain your personal data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws.
  2. 30. Capstone will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the personal data was collected, and is no longer necessary for legal or business purposes.

TRANSFERS OF PERSONAL DATA OUTSIDE OF SINGAPORE

    31. Capstone generally does not transfer your personal data to countries outside of Singapore. However, if we do so, we will obtain your consent for the transfer to be made and we will take steps to ensure that your personal data continues to receive a standard of protection that is at least comparable to that provided under the PDPA.

DATA PROTECTION OFFICER

  1. 32. You may contact our DPO if you have any enquiries or feedback on our personal data protection policies and procedures; or if you wish to make any request(s) in connection with your personal data, in the following manner:

    The Personal Data Officer

    3 Temasek Avenue
    #16-02/R2 Centennial Tower
    Singapore 039190
    Office No.: 6635 1820
    Fax No.: 6235 3368
    Email: DPO@capstone.com.sg

EFFECT OF NOTICE AND CHANGES TO NOTICE

  1. 33. This Policy applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.
  2. 34. As part of our efforts to ensure that we properly manage, protect and process your personal data, we review this Policy, and our procedures and processes periodically. We reserve the right to modify, amend or revise this Policy from time to time without any prior notice or reason. Nevertheless, Capstone commits to ensuring that the privacy rights of individuals are maintained at all times. You may determine if any such modification, amendment or revision has taken place by referring to the date on which this Policy was last updated.
  3. 35. Any amended, modified or revised Policy will be posted and can be viewed on Capstone’s official website. You are encouraged to visit our official website from time to time to ensure that you are well informed of our latest Policy in relation to personal data protection.
  4. 36. Your continued use of the product(s) we distribute and/or services we offer constitutes your acknowledgement and acceptance of such changes.

GOVERNING LAW

  1. 37. This Personal Data Protection Policy shall be governed in all respects by the laws of Singapore.

Effective Date: 5 October 2018
Last updated: 5 October 2018