Welcome to ART

Privacy Policy

1. Introduction

African Risk Transfer Ltd (hereinafter referred to as “we,” “us,” or “our”) is a globally licensed insurance broker with its head office in Mauritius and also registered to operate in Seychelles, South Africa, and Zambia. We are committed to protecting the privacy and security of the personal data we collect, process, and store. This Privacy Policy outlines how we handle your personal data, your rights regarding that data, and our obligations under applicable data protection laws in the jurisdictions where we operate, including but not limited to Mauritius, Seychelles, South Africa, and Zambia.

By engaging with our services, you acknowledge that you have read and understood this Privacy Policy.

2. Who We Are

ART is an insurance broker dedicated to providing comprehensive insurance solutions to our clients. Our global license and presence across multiple African nations mean we adhere to a high standard of data protection, aligning with international best practices.

3. Information We Collect

We collect various types of personal data to provide our brokerage services. This may include:

  • Identity Data: Name, date of birth, gender, marital status, nationality, identification numbers (e.g., national ID, passport, driver’s license).
  • Contact Data: Residential address, email address, telephone numbers.
  • Financial Data: Bank account details, payment card details, income, credit history, financial statements, tax information, and other financial details necessary for insurance underwriting and claims processing.
  • Insurance Policy Data: Information related to your current and past insurance policies, claims history, risk profiles, and underwriting information.
  • Sensitive Personal Data (Special Categories of Data):
      • Health Data: Medical history, health conditions, disability information, and other health-related data relevant to life, health, or travel insurance.
      • Criminal Records Data: Information about criminal convictions or alleged offenses, where relevant and legally permissible for certain types of insurance (e.g., fidelity, professional indemnity).
      • Biometric Data: Where collected and processed, this will be done with explicit consent and in strict compliance with legal requirements.
  • Employment Data: Occupation, employment history, salary, and employer details.
  • Transactional Data: Details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data: Internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our websites or services.
  • Usage Data: Information about how you use our website, products, and services.
  • Marketing and Communications Data: Your preferences in receiving marketing from us and our third parties and your communication preferences.

4. How We Collect Your Information

  • Directly from You: When you complete application forms, communicate with us via phone, email, or in person, use our websites, or provide feedback.
  • From Third Parties:
      • Insurers and Reinsurers: For underwriting, policy administration, and claims handling.
      • Other Brokers or Intermediaries: When collaborating on placements or services.
      • Publicly Available Sources: Such as government registries, public databases, and social media.
      • Credit Reference Agencies and Fraud Prevention Agencies: For identity verification and risk assessment.
      • Medical Professionals or Healthcare Providers: With your explicit consent, for health-related insurance.
      • Employers or Scheme Administrators: For group insurance policies.
      • Lead Vendors or Marketing Partners: Where you have consented to them sharing your data.

5. How We Use Your Information

We use your personal data for the following purposes:

  • Providing Insurance Brokerage Services: To assess your insurance needs, obtain quotes from insurers, place insurance policies, administer policies, and assist with claims.
  • Client Communication: To establish and maintain communication with you, respond to inquiries, and provide updates on your policies or any other communication the company may require.
  • Identity Verification and Due Diligence: To verify your identity, conduct “Customer Due Diligence” (CDD) as required by anti-money laundering (AML) and counter-financing of terrorism (CFT) regulations, and comply with our licensing conditions.
  • Risk Assessment and Underwriting: To analyze and assess risks responsibly and accurately for insurance purposes.
  • Payment Processing: To facilitate the payment of premiums and fees.
  • Claims Management: To investigate, process, and manage insurance claims.
  • Fraud Prevention and Detection: To detect and prevent fraudulent or illegal activities.
  • Regulatory Compliance: To comply with legal and regulatory obligations, including reporting to regulatory bodies (e.g., Financial Services Commission in Mauritius, Financial Sector Conduct Authority in South Africa, Information Commission in Seychelles, Data Protection Commissioner in Zambia) and responding to requests from law enforcement agencies or courts.
  • Internal Operations: For internal record-keeping, statistical analysis, auditing, and improving our services.
  • Marketing: To notify you or allow our affiliated companies to inform you about relevant products or services, where you have provided consent or where permissible by law.
  • Training and Quality Assurance: To monitor and improve the quality of our services and for staff training.

6. Legal Basis for Processing

We will only process your personal data when we have a lawful basis to do so. The legal bases we rely on include:

  • Consent: Where you have given clear and explicit consent for us to process your personal data for a specific purpose. You have the right to withdraw your consent at any time.
  • Contractual Necessity: Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract (e.g., to provide insurance quotes or administer your policy).
  • Legal Obligation: Where processing is necessary for compliance with a legal or regulatory obligation to which we are subject (e.g., AML/CFT regulations, tax laws, data protection laws).
  • Vital Interests: Where processing is necessary to protect your vital interests or the vital interests of another natural person (e.g., in a medical emergency).
  • Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided that your fundamental rights and freedoms do not override those interests. We ensure that a balance is struck between our legitimate interests and your privacy rights.
  • Public Interest: Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

    For sensitive personal data (special categories of data), we will only process it under specific conditions, such as with your explicit consent, where necessary for reasons of substantial public interest, for the establishment, exercise, or defense of legal claims, or for purposes of preventive or occupational medicine.

7. Data Sharing and Disclosure

We may share your personal data with the following categories of recipients:

  • Insurers and Reinsurers: To obtain quotes, place policies, and facilitate claims handling.
  • Service Providers: Third-party service providers who perform services on our behalf, such as IT support, data storage, cloud services, payment processing, marketing, and administrative services. These providers are contractually bound to protect your data and use it only for the purposes for which they were engaged.
  • Professional Advisors: Lawyers, accountants, auditors, and other professional advisors.
  • Regulatory and Governmental Authorities: As required by law, court order, or governmental regulation, including financial services regulators, tax authorities, and law enforcement agencies.
  • Affiliated Companies: Within our corporate group for internal administrative purposes, to provide services, or for marketing purposes, where permissible.
  • Successors in Business: In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity.
  • Other Third Parties: With your explicit consent or as otherwise permitted or required by law.

    We do not sell your personal data to third parties.

8. International Data Transfers

Given our global operations, your personal data may be transferred to, stored, and processed in countries outside of your country of residence, including to our head office in Mauritius, our offices in Seychelles, South Africa, and Zambia, or to other jurisdictions where our insurers, reinsurers, or service providers are located.

We ensure that such international transfers comply with applicable data protection laws by implementing appropriate safeguards, which may include:

  • Mauritius (Data Protection Act 2017): Aligns with GDPR and has provisions for international transfers.
  • Seychelles (Data Protection Act 2023): Requires that the recipient country affords a “comparable level of protection” or relies on other mechanisms like cross-border privacy rules (CBPR) schemes.
  • South Africa (POPIA): Requires that the foreign country provides an adequate level of privacy protection, the data subject consents to the transfer, or the transfer is necessary for the performance of a contract.
  • Zambia (Data Protection Act 2021): Generally requires personal data to be processed and stored on a server or data center located in Zambia, with exceptions for certain categories of data or with the Data Protection Commissioner’s approval. Sensitive personal data must be stored locally.

    We will implement measures such as Standard Contractual Clauses (SCCs), binding corporate rules, or other legally approved mechanisms to ensure your data receives an adequate level of protection in the recipient jurisdiction.

9. Data Security

We implement robust technical and organizational measures to protect your personal data from unauthorized access, alteration, disclosure, destruction, or loss. These measures include:

  • Encryption: Using encryption for data in transit and at rest where appropriate.
  • Access Controls: Implementing strict access controls to limit who can access your data based on a “need-to-know” basis.
  • Physical Security: Protecting our premises and data storage facilities.
  • Network Security: Employing firewalls, intrusion detection systems, and other network security measures.
  • Regular Audits and Assessments: Conducting regular security audits and data protection impact assessments (DPIAs) to identify and mitigate risks.
  • Staff Training: Ensuring our employees are regularly trained on data protection best practices and their confidentiality obligations.
  • Data Breach Response Plan: Having procedures in place to promptly detect, assess, and report data breaches to the relevant authorities and affected individuals, as required by law (e.g., within 72 hours in Mauritius and Seychelles, as soon as reasonably possible in South Africa, and within 24 hours to the Commissioner in Zambia).

    While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

10. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. This includes:

  • As long as you are a client and for a period thereafter as required by law (e.g., up to ten (10) years in Mauritius after you cease to be a client).
  • To comply with regulatory obligations (e.g., financial services regulations, AML/CFT laws).
  • To establish, exercise, or defend legal claims.

    When your personal data is no longer required, we will securely delete or anonymize it.

11. Your Rights

12. Cookies and Other Technologies

Our websites may use cookies and similar tracking technologies to enhance your browsing experience, analyze site usage, and for marketing purposes. Where required by law (e.g., POPIA in South Africa), we will obtain your explicit consent for the use of non-essential cookies. You can manage your cookie preferences through your browser settings.

13. Data Protection Officer (DPO)

Where required by applicable data protection laws (e.g., in Seychelles for large-scale processing of sensitive data or regular and systematic monitoring, and in Zambia depending on the intensity of processing activities), we have appointed a Data Protection Officer (DPO) or a designated person(s) responsible for overseeing compliance with data protection regulations. The DPO’s contact details are provided below.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. We will notify you of any significant changes by posting the updated policy on our website or by other appropriate means. Your continued use of our services after such modifications will constitute your acknowledgment of the modified Privacy Policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact our Data Protection Officer:

African Risk Transfer
FAO Data Protection Officer

Unit 1, Building E, Quartier des Serres, Rue de Labourdonnais, Mapou

You also have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.