Introduction

Hyperion Risk Solutions and Hyperion Insurance Management (Hyperion) are a group of regulated insurance providers which operates through a number of separate legal entities in various international locations being Anguilla, Barbados, British Virgin Islands, Cayman Islands, Nevis and the Turks and Caicos Islands.

Hyperion is committed to protecting the privacy and security of your personal information. The following statement sets out our privacy policy which is issued on behalf of Hyperion and gives an explanation of how we process your data as part of conducting our business.

References to Hyperion, “we”, “our” “us” and “the firm” within this statement means the relevant Hyperion entity responsible for processing your data. The entity with which you contract will be set out in any engagement letter or email.

Who do we collect information on?

This privacy notice applies to the following individuals whom we collect personal information from or about:

• those who have entered into, or are contemplating entering into, a contract for the provision of services (Individual Client); those who are connected to Individual Clients (such as family members); and those who are connected to a client who is not an Individual Client (such as owners, investors, controllers, employees, directors and officers of a corporate client or other legal or non-legal body) (together Clients);
• third parties with whom we interact as part of providing our services to our Clients (Intermediaries);
• those who may be party to, or connected to party to, a legal transaction or legal proceedings involving our Client and/or the services which we have been engaged to provide to our Clients;
• those who are, work for or are agents of, suppliers or service providers who provide goods and services to us;
• those who apply for or express an interest in an employment or other similar position with Hyperion, whether existing at the time or not;
• those who request newsletters, marketing material or other publications from us; and
• visitors to our website www.hyperion-risk.com.

What is Personal Information?

Personal information means any information about you from which you can be identified. This includes but is not limited to, name, address, date of birth and gender. There are “special categories” of more sensitive personal information which require a higher level of protection. These include information regarding race, health, genetic information and biometric data, religious beliefs, sexual orientation, criminal convictions and political opinions.

How do we collect and use information about you?

We collect personal information either directly from you when you engage us to provide services or through your use of our website or client portals, or indirectly from other members of the Hyperion Risk Solutions/Hyperion Insurance Management group of companies, our Clients, Intermediaries, providers of independent or background checks or publicly available sources.

By using our Website or otherwise contacting us, obtaining services from us or by providing your personal information to us via the forms or contact options on this Website you acknowledge that you have read and understood this Privacy Policy.

General visitors to the website

No personal information is collected about general visitors to our website. However, in addition to the information collected by us in accordance with this Privacy Policy your browser supplies some basic information about your visit. The collection of this information is common practice and is used to analyse and understand how the website is being used. The following information is logged:
• IP address (the internet address of your computer),
• date and time of your visit, the type of computer,
• browser and operating system you are using,
• the URL’s of websites that referred you to the website and the path you take through the website.

Personal information provided via the website

In certain areas of our Website, you can choose to provide personal information by completing any of the forms or using any of the email addresses which are included in the following pages:

Publications
Contact Us

The Personal Information we hold

We collect a variety of information from you and about you. The extent of the information collected will depend on a variety of factors including the nature of the relationship between us and the extent of the contact with you.

The type of information we may process are set out below:

Your contact details including (but not limited to)
• your full name,
• postal address,
• email or other electronic communication addresses
• telephone numbers.

In certain circumstances we may also record your job title and other identification information as set out below.

KYC information and documentation which is required for Hyperion to fulfil its legal and regulatory requirements.

This may include, but is not limited to, identity information such as
• your passport or other identity document details, date of birth, nationality, place of birth and country of residence, job title, source of wealth or funds and other information concerning your background (which may include sensitive information such as criminal records);
• information provided in the course of the provision of services for example information on professional relationships and background, your business dealings with any of the Hyperion Risk Solutions/Hyperion Insurance Management group of companies or any of our Clients which we manage or administer, which may also include sensitive information such as marital status, mental and physical health and criminal allegations or convictions;
• financial information such as payment related information;
• professional interests and preferences with respect to marketing interactions, attendance at conferences, events or seminars;
• information provided to us in respect of an application for, or expression interest in, a job with any of the Hyperion Risk Solutions/Hyperion Insurance Management companies, such as personal information relating to your education and employment history, any professional qualifications, your nationality, your immigration, right to work or residential status. We may also collect information from third parties. This may include information such as references, or background checks provided by agencies such as credit reference agencies. In addition, we may also obtain information about you from public sources, such as information published on social media accounts;
• any other information which you may provide to us.

How and Why Do We Use Personal Information?

For each of the purposes for which we process information, we rely on one or more of the following five legal justifications:

  1. Contractual Necessity. Personal information is processed in order for us to discharge our contractual relationship with our Client.
  2. Legitimate Business Interest. Personal information is processed in circumstances where can balance our legitimate interests with your own legitimate interests. We consider our legitimate interests to include: (a) providing legal and corporate services; (b) carrying out such services effectively; and (c) communicating with you in respect of those aspects of our services which we consider to be of relevance to you.
  3. Legal and Regulatory Requirement. Personal information is processed in order for us to comply with a legal obligation (other than one imposed by a contract).
  4. Consent. Personal information is processed on the basis of consent given by you. We will only seek to rely upon your consent where no other legal justification is available to us.
  5. Legal proceedings, etc. Personal information is processed on the basis that it is necessary for (a) any legal proceedings; (b) obtaining legal advice; or (c) establishing, exercising or defending legal rights.

We process personal information for the following purposes.

  1. Purpose: Provision of services (including client relationship management) and developing those services.
    • delivering our services to our Clients, developing those services and managing, maintaining and developing our relationships with our Clients;
    • performing the service which we have been engaged to provide;
    • facilitating effective client and matter management including collation of know-how materials, and generating internal financial and marketing reports; facilitate administrative or operational processes within our business, for example assessing legal and financial risks to our business and debt management including credit control and collecting debt;
    • engaging other service providers to provide services to you where necessary to facilitate the provisions of services to you in connection with the engagement;
    • improving and developing our products and services including carrying out analysis on Hyperion’s performance to ensure that our client care is of the highest standard;
    • respond to requests, enquiries or complaints received; and
    • providing access to our online services including those at this link.

Legal justification: contractual necessity and legitimate interests.

  1. Purpose: Legal and regulatory requirements.
    • undertaking internal conflict of interest checks; and
    • respond to requests, enquiries or complaints received.

Legal justification: Legal and Regulatory Requirements.

  1. Purpose: Marketing.
    • to promote Hyperion’s services and provide newsletters, marketing material or other publications to our contacts and to invite you to conferences, events or seminars which may be of interest to you. This may involve contacting you or, where applicable, individuals within your organisation using the contact details that you have provided to us;
    • to manage Hyperion’s circulation lists for such marketing material and events; and.
    • to compile anonymous statistics, for example, website usage statistics.

Legal justification: Legitimate interests.

Individuals have the right to unsubscribe from mailings or manage their preferences via a link in such marketing material or by emailing info@hyperion-risk.com at any time.

  1. Purpose: To review and process CVs or applications for positions with Hyperion (whether available now or in the future).

Legal justification: Consent, Legitimate Interest, Contractual Necessity.

  1. Purpose: To ensure security of Hyperion’s systems, staff and premises. Crime prevention
    • CCTV at Hyperion’s premises; and
    • undertake maintenance, testing or development of any of our systems or processes

Legal justification: Legal proceedings and legitimate interest of protecting Hyperion Risk Solutions/Hyperion Insurance Management’s group of companies, business, staff, systems.

Automated Decision Making

Hyperion does not have systems or procedures that make a decision without human intervention. Therefore, there are no circumstances where decisions will be taken about you using fully automated means.

Transfer of information within Hyperion Risk Solutions/Hyperion Insurance Management’s group of companies and with third parties

We may transfer your Personal Information to others where it is necessary to fulfil one or more of the purposes outlined above and this may also include sharing your information with a third party as part of an outsourcing or other data processing arrangement. Where we share your Personal Information, whether internally or externally, we will ensure that the sharing of such data is kept to the minimum necessary.

The following is a list of the potential recipients of your information:
• another member of the Hyperion Risk Solutions/Hyperion Insurance Management’s group of companies;
• any sub-contractors, agents or service providers providing services to any member of Hyperion, including without limitation, our information technology and telecommunications providers, auditors, consultants, insurers, providers of background checks and business risk screening, third parties for marketing or business development purposes and so on;
• other professional advisers, agents or third parties providing services in relation to any matter on which the Hyperion Risk Solutions/Hyperion Insurance Management’s group of companies has been instructed or in respect of which the Hyperion Risk Solutions/Hyperion Insurance Management’s group of companies is providing corporate services. This may include those who may be party to, or connected to party to, a legal transaction or legal proceedings involving you and/or the services which we have been engaged to provide to our Clients;
• other members or associates of your organisation;
• any registrar of a public register where the data is to be held in a public registry;
• a regulatory, governmental or judicial authority with whom we are legally obliged to share your information.

We reserve the right to share your information with other third parties in the context of a possible sale or restructuring of the business or part thereof.

We will seek to ensure that our suppliers and service providers are contractually bound to process your personal information in line with our policies and that they have adequate measures in place to protect your information from unauthorised access, disclosure, loss or destruction. We do not allow our third-party service providers to use your personal information for their own purposes. We only permit them to process your personal information only in accordance with our instructions.

We have a data sharing agreement in place between Hyperion Risk Solutions/Hyperion Insurance Management’s group of companies that enables information to be shared across the businesses in accordance with the applicable data protection laws. In such circumstances different Hyperion entities may be joint controllers of your personal information. We have a robust Data Protection Policy to which all partners and employees of Hyperion must adhere to ensure appropriate and legitimate data access and processing.

Transfer of Information

As part of the transfer of information within the Hyperion Risk Solutions/Hyperion Insurance Management’s group of companies or with third parties, your Personal Information may be transferred to or accessed by the recipients described above from countries located anywhere in the world. Such countries may not be the subject of an adequacy decision under Article 45 of the GDPR and therefore may not have the same level or type of statutory (or other legal) protection as countries within the European Economic Area, or your respective local data protection laws. Where we share your Personal Information, we will seek to ensure that transfers of such data comply with all applicable laws and regulations by ensuring that either:
• you have expressly consented to the cross-border transfer; or
• the recipient is in a country which has been deemed to have an adequate level of protection under GDPR or equivalent legislation or if the recipient is in the United States of America, that they are part of the Privacy Shield; or
• the recipient is contractually bound to protect the information to the same or higher standards applicable to the data being transferred.
• Whilst we operate in jurisdictions which have not been deemed adequate for Article 45 of GDPR, we have a global Data Protection Policy which means all of our entities operating in these jurisdictions are required to meet the same standard as our other offices.

Where it is necessary we will enter into the relevant form of EU standard contractual clauses to ensure that any transfers of Personal Information to our entities outside of Europe (pursuant to GDPR or equivalent legislation) or outside of the Cayman Islands (pursuant to the Data Protection Law 2017) continues to be protected to the relevant standards.

Addendum’s or other amendments where we act as Data Processor

Where we provide insurance management services, insurance intermediary services, directors services, and similar services we consider each of our entities to be a ‘controller’ in their own right for the purpose of the applicable data protection law and we will not agree to enter into addendum’s or agreements which seek to impose the requirement of Article 28 of GDPR or equivalent legislation on us. However where we provide registered office, formation/ incorporation, or corporate administration or similar services where we exercise little or no autonomy or discretion in the role we perform in connection with the provision of such services and as such are acting as a data processor under the applicable data protection law, our Data Processing Addendum, which sets out our obligations, will be deemed to be incorporated into the respective client engagement agreement.

Rights of Data Subjects

You may have certain legal rights in respect of the Personal Information which is processed by Hyperion pursuant to applicable data protections laws including the rights of access; right to have your data corrected, updated, rectified or erased; right to object to the processing of or restrict the processing of your data; right to withdraw your consent previously given to processing of your data; and to request the transfer of your data to another party. Should you wish to exercise any of your rights you should send your request to Info@hyperion-risk.com.

Please note that the rights set out above are subject to certain exemptions and conditions. We may decline to comply with any request to delete or restrict the use of your information if we still require that information for any legal or contractual reasons. Where we are processing your information on the basis of Contractual Necessity or Legal and Regulatory Requirement, it is likely that the provision and processing of such information will be mandatory. In addition, in the event that you choose not to provide any personal information or to exercise one or more of the rights above to restrict the processing of your information, this may restrict the services which Hyperion is able to provide or we may have to decline to act on your behalf.

Security

Hyperion takes its responsibility to secure your information very seriously. We have put in place robust systems and policies and procedures to prevent and detect any incidents where your information may be subject to an unauthorised access, use or disclosure.

In the unlikely event that there is a security breach, we will take all necessary steps to identify the cause and mitigate the effects. Where necessary, we will also notify you of such a breach in accordance with our obligations under the applicable data protection law.

Retention

The Hyperion Risk Solutions/Hyperion Insurance Management’s group of companies will keep your personal information for at least as long as necessary to fulfil the purpose for which we have collected it. In relation to client matters it is Hyperion Risk Solutions/Hyperion Insurance Management’s group of companies policy to retain data for 11 years from the conclusion of the matter subject to the following exceptions:
• where the matter relates to trust, wills and probate, or property in which case the data may be kept indefinitely;
• where we consider it necessary to protect ourselves from a legal claim or potential dispute in connection with any services we have provided, we will keep the data for the relevant limitation period; or
• where the data cannot be deleted for legal, regulatory or technical reasons.

Who can I contact?

If you have any questions in respect of this privacy policy, or the processing of your Personal Information, or you wish to exercise any of your rights referred to above please contact us by email to compliance@hyperion-risk.com

If you are dissatisfied with our response and you wish to make a formal complaint to the data protection authority of the country where the relevant Hyperion entity is located:

Cayman Islands

Cayman Islands Ombudsman
Physical address: 5th Floor, Anderson Square, 64 Shedden Road, George Town, Grand Cayman
Mail: PO Box 2252, Grand Cayman KY1-1107, Cayman Islands
Email: info@ombudsman.ky
Call: +1 345 946 6283
Website: www.ombudsman.ky

British Virgin Islands
There is currently no formal legislation regulating data protection in the British Virgin Islands and no authority to which you can report data or security breaches. However, the BVI Court will be persuaded by the English common law principles of confidentiality and privacy.

It is recommended that you seek independent legal advice in relation to any complaints you may have pertaining to a data breach in this jurisdiction.

Cookies

Cookies are small text files that are placed on your computer by websites you visit. They are widely used in order to make websites work, or work more efficiently, to improve the user experience. They also provide certain information to the owners of a site.

Most browsers are initially set to accept cookies, if you prefer you can set your browser to refuse cookies. However, if you choose to do so it might affect certain site functionality. We may in the future, without notice, determine to change our use of cookies. By continuing to use this site and by using any video and social media functionality, you consent to the relevant cookies being set on your device.

The hyperion-risk.com website currently uses a category 2 performance cookie (used for Google Analytics). This information does not identify visitors or collect any personal details. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how the website works.

Our website contains links to other websites. Please note that we are not responsible for the privacy policies of such other websites and advise you to read the privacy policies of each website you visit which collects personal information

For general information about cookies and how to disable them, please visit allaboutcookies.org.

To prevent Google Analytics cookies being set, you may install the Google Analytics Opt-Out Browser Add-On.

Disclosure

The Hyperion Risk Solutions/Hyperion Insurance Management’s group of companies does not control and is not responsible for the privacy policy of any website or organisation to which this website provides links. By including references, hyperlinks or other connections to such third-party websites we do not imply any endorsement of them or any association with their owners or operators.

Whilst we do our best to safeguard your Information we cannot ensure or warrant the security of any information that you may transmit to us.

Data Controller

Where necessary under legislation the relevant Hyperion entity has been registered with the relevant authority as a “Data Controller”. Details of those entities are listed below.

Data controllers are the persons who are responsible for determining the purposes for which and the manner in which any personal information is, or is to be processed.

The data controller for this website is Hyperion Risk Solutions (Cayman) Limited.

Changes to this Privacy Policy

This Privacy Policy may be updated from time to time and any updates will be published on our website at www.hyperion-risk.com

Updated: 29 September 2019.