SunLife Privacy Notice
Effective from: October 2023
- At SunLife, we aim to be the UK’s most trusted over 50s financial services company in the UK. As part of this ambition, we offer products and services that are designed to help protect your family, your health and your lifestyle.
- We promise to keep your data safe, be open about how we use that data, and uphold your rights relating to your data. We buy basic personal details of some potential customers from specialist companies for marketing purposes. We will never sell your data and we only share it with trusted partners where we have a lawful reason for doing so.
- If you wish to opt-out of getting marketing communications from SunLife, you can let us know using any of the ways shown on our Marketing Information page or by taking direct action in response to a received marketing communication (for example, marketing emails contain an Unsubscribe button).
- We make some decisions using automated profiling of your personal information, which may have legal or other significant implications. For example, to carry out fraud detection and online eligibility assessments for insurance products. Such processing is subject to suitable safeguards.
- This Privacy Notice explains what personal data we collect, how and why we process it and who it is shared with. It also explains the choices you have about how we use your data and who you can contact if you have any questions or concerns.
- As a UK-based organisation that processes personal data, we are subject to the requirements of the UK General Data Protection Regulation (“UK GDPR”), as tailored by the UK Data Protection Act 2018.
Sections:
- Who are we?
- What personal data do we collect and why?
- How do we collect your data?
- Who do we share your data with?
- Where is your data processed?
- How long do we keep your data for?
- How do we protect your data?
- What rights do you have regarding how we process your data?
- Where can you go for further information or to raise a concern?
- Future Updates and Accessibility
1. Who are we?
We are SunLife Limited. We offer financial products and services to people over 50 in the UK and our customers are at the heart of what we do. We offer financial products and services that are designed to help protect your family, health and your lifestyle. SunLife works closely with trusted partners in order to provide its products and services, and is part of Phoenix Group, the UK's largest long-term savings and retirement business. You can find out more about our latest products and services by visiting our website or you can visit the About Us section to find out more about SunLife.
For general enquiries, you can find our contact details on the Contact Us page .To discuss how we handle your personal data, you can find contact details of our Data Protection Officer and other relevant people in section “Where can you go for further information or to complain?” below.
2. What personal data do we collect and why?
In order to provide its products and services, SunLife collects certain information about you. The following table outlines the types of personal data we collect and why.
We will only collect and process your data if we have a legally valid reason, also known as a lawful basis.
Here are the lawful reasons for collecting personal data under the UK General Data Protection Regulation (GDPR):
- Consent – Where we will only use your data for a specific purpose with your permission.
- Soft Opt In – Where you have previously engaged with us and not opted out.
- Legitimate Interests – Where collecting and using your data is necessary and reasonable for our legitimate interests as a commercial business. (You can request more information on our completed Legitimate Interests Assessment from our Data Protection Officer - contact DataProtection@sunlife.co.uk).
- Contract – Where it is necessary for entering into and upholding a contract with us.
- Legal – Where it is necessary for us to comply with the law.
- Vital Interests – Where it is necessary to protect someone’s life.
| Purpose | Types of Personal Data Processed | Lawful Basis |
|---|---|---|
| To share resources you have requested, such as a newsletter or article | Contact details e.g. name, address, email address | Consent |
| To respond to an enquiry about our products and services | Contact details e.g. name, address, email address, phone number | Contract |
| To inform you of products and services we think will be of interest to you (We send marketing material in a variety of formats such as postal, phone or email communications. We also carry out targeted online advertising with a presence on selected online services such as Amazon and Google.) |
Contact details e.g. name, address, email address, phone number | If no prior relationship exists between you and SunLife: Consent If a prior relationship exists between you and SunLife: Email, text or any other electronic messaging – Soft opt in Post or telephone – Legitimate Interests |
| Policy information e.g. policy number, product name | Legitimate Interests | |
| Online identifiers and profile – for more details please see our Cookie Policy. | Consent | |
| To confirm your eligibility and process your application for our products and services (including sending out any gift you are eligible for) | Contact details e.g. name, address, email address, phone number | Contract |
| Identification information e.g. date of birth | Contract | |
| For certain products, health-related data e.g. smoker status, medical history1 | Contract / Substantial Public Interest (necessary for providing insurance) | |
| To validate you are who you say you are before sharing any confidential information | Identification information e.g. date of birth | Contract |
| Policy information e.g. policy number, call recordings | Contract | |
| To share important updates relating to your product or service | Contact details e.g. name, address, email address, phone number | Contract |
| To ensure your records are kept up to date | Policy information e.g. policy number, details of cover | Contract |
| To handle any complaints raised by or relating to you | Contact details e.g. name, address, email address, phone number | Legal |
| Policy information e.g. account notes, call recordings | Legal | |
| To safeguard your health, interests and wellbeing. For example, making adjustments to our service so it is delivered in a more suitable way for you. | Information about a risk to your health, or a potential or actual vulnerability e.g. financial difficulties or a physical or mental impairment. | Depending on the specific circumstances: Consent or Contract or (rarely) Vital Interests For health data, one of the following conditions under UK GDPR will also apply: Explicit Consent or Substantial Public Interest (necessary to safeguard the economic well-being of certain individuals) |
To analyse and improve our business. For example:
|
Information about your lifestyle and interests. This can involve the use of profiling2 to better understand what is likely to be of most interest to you. | Depending on the specific activity: Consent or Legitimate Interests |
| Contact details e.g. name, address, email address, phone number | Legitimate Interests | |
| Policy information e.g. details of cover, account notes | Legitimate Interests | |
| Online identifiers – for more details please see our Cookie Policy | Non-essential cookies: Consent Essential cookies (e.g. for maintaining the security of our website): Legitimate Interest |
|
| To run competitions and prize draws you choose to enter and get in touch if you have won | Contact details e.g. name, address, email address, phone number | Consent |
| Photographs, videos and testimonials of winners | Consent | |
| To meet our regulatory and legal obligations. For example, resolution of legal disputes or blocking transactions if they are considered suspicious. | Contact details e.g. name, address, email address, phone number | Legal |
| Identification information e.g. date of birth | Legal | |
| Policy information e.g. policy number, details of cover | Legal | |
| Financial information | Legal | |
| Other people’s information e.g. power of attorney holders3 | Legal | |
| To respond to a request or correspondence from you | Contact details e.g. name, address, email address, phone number | Depending on the specific circumstances: Consent or Contract |
| Policy information e.g. policy number, details of cover | Depending on the specific circumstances: Consent or Contract |
1Certain information is considered more sensitive under UK GDPR due to the heightened risk of harm if it is not handled responsibly. Where we collect data that falls into one of these special categories, we will only do so where there is no alternative, we have a lawful basis for doing so and we have assessed the need for additional safeguards. For example, we collect health-related data when you apply for certain insurance policies with us.
2We group and organise the information of those we interact with to help us better understand their likely needs and interests (also known as profiling). This enables us to provide a tailored experience and make informed decisions when assessing how suitable our products and services are likely to be for certain groups of individuals. Examples of data processed for this purpose (where we have a lawful basis to do so) can include:
- Your age
- Types of policy held
- Topics of interest based on articles you’ve accessed on our website
- Your purchasing behaviours
- Opinions and audio recordings obtained during a customer survey (If you are contacted for research by us or a third party on our behalf, we will be clear about the purpose of the research and how any information given will be used, who will have access to it and how long it will be kept).
We may share your marketing profile with online advertising providers who can show you tailored advertisements that you are likely to be interested in based on your marketing profile. We may also share limited personal data with these providers to help identify other individuals with a similar online profile that are likely to be interested in our products and services. We also sometimes use automated tools in our computer systems to process personal data for decision-making purposes; for example, to assess your eligibility for one of our products or to identify potentially fraudulent transactions. You can opt out of marketing by visiting our Contact Us page.
3Where you provide information about other people (such as a Power of Attorney), please ensure you have obtained their permission to do so. You are responsible for ensuring they are aware that we hold their data and it is being handled in accordance with this Privacy Policy.
3. How do we collect your data?
We may receive information about you from a number of sources including:
- you (for example, when using our online services or requesting information from us);
- your device and online presence when you visit our website (more details on this can be found in our Cookie Policy);
- trusted distribution partners who sell you a SunLife branded product directly under their own regulatory permission;
- marketing partners who reach out to potential customers to discuss products and services that may be suited to their needs. We pay some of these partners to receive the personal details of individuals they’ve identified as having a potential need for our products and services;
- partners providing their own products that we support the provision of as an intermediary;
- third parties acting on your behalf - such as a solicitor or Power of Attorney;
- third parties used to confirm the accuracy of your information or validate your identity;
- research organisations or from publicly available sources; and
- from another organisation as part of a purchase, sale or merger.
4. Who do we share your data with?
Subject to the type of relationship we hold with you, we may share your data with the third parties outlined in the table below. When we share personal data with any third party, we only ever share the minimum required for their specified processing activity(s) and take precautions for data to be transferred and stored securely. We conduct due diligence and have contracts in place with our data processors that mean they are not permitted to do anything with your personal information outside of our instructions. They are required to hold it securely and only retain it for the period we instruct, after which it will be securely deleted or returned to us as appropriate.
| Who we share personal data with | Why |
|---|---|
| Phoenix Group | SunLife is part of a group of companies called the Phoenix Group. We may share information with other areas of the group to offer and deliver products, along with protecting you against fraud and activities that may otherwise negatively affect you. You can visit Phoenix Group’s Privacy Hub for more details on how personal data is handled across the group. |
| Distribution and marketing partners | We use partners that support the distribution and marketing of SunLife branded products and services. We send minimal data back to these partners for quality assurance purposes. |
| Partners providing their own products | We act as an intermediary for a select number of partners to help facilitate and support the provision of their own products; for example, funeral service providers. |
| Social media platforms and other online advertising providers (including but not limited to Facebook (Meta), Amazon and Google) |
We share limited personal data with providers of online marketing services and tools to help us, and them, better understand the individuals we interact with. This is usually done by matching information we hold to other information they hold from your direct use of their services. |
| Product manufacturers | We offer SunLife branded products that are manufactured for us by third parties. We need to share data with them so they can deliver and manage any such products you hold and they share data back so that we can maintain our records. |
| Third party service providers | We use third party companies in the operations and support of our products and services. For example, some of our customer telephony lines are run by a third party on our behalf. |
| Anyone you ask us to share your information with | For example, a trustee, professional adviser or Power of Attorney. We would check to confirm that the person asking for information on your behalf has your permission. |
| Law enforcement bodies and other government authorities, where we are required to do so by law | In some circumstances we are legally obliged to share information or we follow a recognised code of best practice that requires data to be shared. We will always first make sure there is a lawful basis for any such data sharing. |
| Customer research partners | We sometimes use third party partners to conduct customer research so we can better understand what our customers think about the products and services we provide. |
| Professional advisers | We use professional advisers to provide services to us such as legal advice, accountancy services and consultancy services. |
| Anyone in the future who may buy, or merge with, our business | If we merge with another company or are sold, we may need to share your information with the other party as part of that transaction if there is not a viable alternative. |
5. Where is your data processed?
We operate primarily in the United Kingdom. Sometimes the information that we collect from you may be viewed from, transferred to, or stored, within or outside the European Economic Area (EEA).
We ensure there are appropriate safeguards in place for all international transfers of your data so that it is subject to at least the same level of data protection as it is in the UK and meets the requirements of the UK GDPR.
If you would like more information on the safeguards we have in place for such data transfers, please refer to section “Where can you go for further information or to raise a concern?”.
6. How long do we keep your data for?
We will keep your personal data for only as long as we have a lawful purpose to do so. For example, if you arranged a product or service through us or one of our distribution partners, we will retain associated personal data for an appropriate limited time after its expiry to enable us to:
- maintain business records for analysis and audit purposes;
- comply with record retention requirements under the law;
- defend or bring any existing or potential legal claims; and
- deal with any complaints regarding our products or services.
We will delete personal data when we no longer have a lawful purpose for processing it.
If you would like more information on our approach to data retention, please refer to section “Where can you go for further information or to raise a concern?”.
7. How do we protect your data?
We take the security of your information seriously and ensure there are effective controls in place to keep it safe and secure. We have data protection and information security policies that require us to take certain precautions such as limiting who can access your data, encrypting data during transfer and maintaining cyber security controls. When we are processing for a specific purpose that does not require the use of all your personal data, we will take steps to ensure such use is proportionate; for example, only using the minimum details needed or replacing details you can be identified from with anonymous data.
Our data security controls are also subject to regular review by independent auditors to confirm their effectiveness. If you would like more information on how we keep your data safe, please refer to section “Where can you go for further information or to raise a concern?”.
Where we provide links to websites of other organisations, this privacy notice does not cover how those organisations process personal data, which is outside of our control. We encourage you to take precaution and familiarise yourself with the privacy notices of any other websites you visit.
8. What rights do you have regarding how we process your data?
Your data rights under the UK GDPR and who you can contact to exercise these rights are outlined below. We will uphold requests wherever possible, unless we are required to continue the processing to uphold other obligations that we will explain in our response. For your security, we take reasonable steps to confirm your identity before actioning certain requests. If we have shared the personal information in question with another party, we will also require them to uphold any valid requests. Please note that any such request can take up to 30 days to be fully actioned; for example, if you opt out of marketing there is a chance you may receive further marketing during this time.
You can contact us using any of the ways shown on our Contact Us page for the following:
- To withdraw consent previously given for certain data processing or to opt out of future marketing communications and profiling. You can also find out more about how to change your marketing preferences on our Marketing Information page. If you opt out, but at a later stage explicitly opt back in, you may receive further marketing. You will always have the right to opt out of receiving marketing from us.
- To correct or update information we hold about you.
- To ask us to restrict the use of your data to certain activities only or for a limited time.
To request that we send a copy of your data to another organisation. We will usually provide it in a common electronic format unless otherwise requested.
Please contact our Data Protection team directly on DataProtection@sunlife.co.uk for any of the following requests:
- To access personal data we hold about you. For valid requests, a copy of your personal data will be shared in a suitable format and usually provided free of charge.
- To ask us to delete the data we hold about you.
- To object to any other uses of your data, including those involving automated decision-making. If your data has been used for automated decision-making, you have the right to receive an explanation of the logic used, to challenge the decision and to ask for the decision to be reviewed by a person.
For details on how we use website cookies and your options for managing these, please refer to our Cookie Policy.
Whilst the UK GDPR does not apply to deceased persons, we take our duty to our customers seriously and would be happy to talk through options relating to any data we hold for a deceased person's data if you get in touch using one of the ways shown on our Contact Us page. You can also find out more about how to make a claim or register a death by visiting our Make a Claim page.
9. Where can you go for further information or to raise a concern?
If you are unhappy with any aspect of our products and services, you can get in touch through one of the ways shown on our Contact Us page. More information on how to make a complaint can be found on our Complaints and Feedback page.
If you would like to contact our Data Protection Officer with questions relating to how we process your personal data, they can be contacted on:
- Email: DataProtection@sunlife.co.uk
- Post: SunLife Data Protection Officer, 30 Lothian Road, Edinburgh, EH2 2DH
If you are not happy with how we handle your personal data or how we have dealt with your concerns, you also have the right to complain to the UK Information Commissioner whose contact details can be located on their website.
10. Future Updates and Accessibility
We keep our privacy notice under regular review to make sure it is up to date and accurate. Any changes we make in the future will be posted on the Privacy Policy section of our website and, where necessary, notified to you.
If you would like this Privacy Notice or any subsection of it provided in another format for accessibility reasons, please let us know by getting in touch through one of the ways shown on our Contact Us page.