Sunshine Finance Limited "SFL"
Data Protection Policy
Sunshine Finance is a boutique lender offering a wide array of financial products including both realty and personal financing. We are focused on customer service and efficiency of process.
As a boutique lender, we have the agility to tailor products to meet the needs and capacity of our clients, and we have become the Private Lending Partner to countless Bahamians and Bahamian residents.
Sunshine Finance is licensed and regulated by the Securities Commission of The Bahamas
Definitions
“Back-up System” means data kept in electronic network storage for the purpose of replacing other data in the event of that data being altered, lost, damaged or destroyed.
“Company” or “SFL” means a company incorporated under the laws of the Commonwealth of The Bahamas and carrying on business within the said Commonwealth
“Creditor” a person or company to whom money is owing
“CPA” means the Credit Reporting Act of The Bahamas
“CRIF” is a credit bureau in the Bahamas licensed to collect credit information from designated Credit Information Providers (such as banks, credit unions, utility companies, micro finance organizations, insurance companies etc). The credit information is then validated and transformed into factual and usable credit reports
“Customer” a person who has a facility with the Company or who completes an application form to obtain a loan with the Company
“Data” any personal information in a form in which it can be processed
“Data Controller” means a person who, either alone or with others, determines the purposes for which and the manner in which any personal data are, or are to be, processed
“Disclosure” in relation to personal data means the disclosure of information extracted from such data but does not include a disclosure made directly or indirectly by a data controller to an employee or agent of theirs or to a data processor for the purpose of enabling the employee, agent or data processor to carry out their duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed.
“DPA” means the Data Protection (Privacy of Personal Information) Act of The Bahamas
“Duty of care” means that a person or organization is legally obligated to avoid acting in such a way that may cause harm in any form to others.
“Financial data” a customer job letter including details of their occupation and salary and a customer pay slip detailing creditors
“Personal data” means data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller. Examples of personal information may include an individual’s name, gender, date of birth, email address, telephone number, residence address, dependents, signature, assets, insurance information and commentary or opinion about a person.
“Processing” in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including --
i. organization, adaptation or alteration of the information or data;
ii. retrieval, consultation or use of the information or data;
iii. transmission of data;
iv. dissemination or otherwise making available; or
v. alignment, combination, blocking, erasure or destruction of the information
“Sensitive personal data” means personal data relating to --
Personal identification information, including address, gender, phone number, date of birth, email address, identifying social media names/handles and financial data;
i. racial origin;
ii. country of origin;
Our Purpose:
As a Bahamian based company SFL is a Data Controller under the provisions of the DPA. As such, the Company is required to safeguard the personal information of its customers. SFL is committed to the highest standards of privacy and information management. Our Data Protection Policy refers to our commitment and operational policy to gather, store, disclose and handle the data of our customers and other interested parties in accordance with the DPA.
Scope:
This policy applies to all customers of the Company, all data obtained from said customers and Employees of the Company.
Policy:
As part of the Company’s operations, SFL needs to obtain and process data retrieved from customers. This data may be personal data or sensitive personal data.
Requirements under the Data Protection Act
The Bahamas Data Protection (Privacy of Personal Information) Act, 2003, (“Data Protection Act”) (“DPA”) protects the privacy of individuals in relation to personal data and regulates the collection, processing, keeping, use and disclosure of personal information.
If there is any discrepancy between this policy document and the legislation or its regulations, the legislation takes precedence.
The Company collects data from its customers through application forms and documents that may be requested to support the customer's application, with their full knowledge and consent, in a lawful and fair manner as required by the DPA. Once this information is retrieved, the DPA requires the Company:
1) To ensure that the data is accurate and kept up to date and every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay and/or upon written request from the customer;
2) To only keep the data for specified and lawful purposes;
3) To not use or disclose data in any manner incompatible with the purpose for which it was obtained (except when required by Law);
4) To only obtain data that is adequate, relevant and not excessive in relation to the purpose for which it was obtained;
5) To not keep the data for longer than is necessary for the purpose for which it was obtained;
6) To ensure appropriate security measures are taken against unauthorized access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.
Data is only used for credit adjudication or collection purposes. Credit adjudication and collection purposes include, but are not limited to:
1) Determining if a customer can qualify for a loan
2) Determining if a customer can qualify for an advance or extension on an existing loan
3) Determining a customer's financial position if payments are not being made as contracted
4) Verifying data the customer provides to SFL
5) Locating a customer for legal collection processes
Data may be shared with a customer's employer, other creditors of the customer, police officers for the purpose of serving legal documents and Government agencies as is required for the purposes listed above.
Right of Access
In compliance with the DPA, customers have the right to access the personal data held by the Company and be supplied with the data held by the Company.
Right of correction or erasure
A customer is entitled to have corrected or, where appropriate, erased any data relating to him or her that was inappropriately collected.
Right to prohibit processing for purposes of direct marketing
A customer can make a written request for the data controller to stop using, for the purpose of direct marketing, any data which was kept for that purpose. The data controller shall (i) erase all data as was kept for the purpose aforesaid; or (ii) if the data are kept for that purpose and other purposes, cease using the data for that purpose; and (iii) notify the data subject in writing accordingly.
Duty of Care owed by data controllers
Under the DPA, SFL owes a duty of care to its customers with regards to the personal data collected or used.
Disclosure
The Company, its employees or agents shall not disclose a customer's data to a third party without the prior consent of the Customer except where the disclosure is authorized by law or falls within the exceptions in the DPA. Restrictions on the disclosure of personal data do not apply if the disclosure is:
i. determined by the Minister with responsibility for Information Privacy and Data Protection or the Minister of National Security required for the purpose of safeguarding the security of The Bahamas;
ii. required for preventing, detecting or investigating offences or collecting any tax, duty or money owed to the Government, statutory corporation, public body or a local authority;
iii. required for protecting the international relations of The Bahamas;
iv. required urgently to prevent injury or damage to the health of a person or serious loss of property; or required by a rule of law or order of a Court;
v. an obligation under s.18 of the CPA to provide customers' data to a credit bureau (CRIF)
Beneficiary Knowledge and Consent:
The Company collects data in a lawful and fair manner and with customers' full knowledge and consent. If the Company intends to obtain a credit bureau report from Credit Information Services Bahamas, consent is retrieved from the customer before such report is requested.
Data Governance:
The Company collects, processes, keeps, uses and discloses personal data in accordance with the Data Protection Act.
The President of SFL determines the purposes and manner in which personal data are processed.
The Compliance Officer is a member of SFL’s senior management team with a strong understanding of the relevant laws that govern data protection in The Bahamas and possesses a legal background as a Barrister at Law.
Breach:
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, the Company shall contain, investigate and address all privacy incidents or breaches.
All SFL personnel are responsible for immediately reporting a privacy incident or breach to the Compliance Officer. It is the Compliance Officer’s responsibility to report privacy incidents or breaches to SFL management.
Any person reporting an incident, from SFL or otherwise, is required to provide a description of the incident or breach, the individuals involved and immediate steps taken, if any, to contain the incident or breach.
SFL extends whistleblower protection (i.e., confidentiality and immunity) to anyone who reports a privacy incident or breach.
All SFL personnel are responsible for actively supporting the Compliance Officer in privacy incident or breach containment, investigation and remediation activities as needed.
A breach in this data protection policy by an employee or agent of the company may result in disciplinary and/or legal action.
Last Updated: March 15, 2023