Sunshine Finance Limited “SFL” Data Protection Policy

Sunshine Finance is a boutique lender offering a wide array of financial products including both realty and personal financing. We are focused on customer service and efficiency of process.

As a boutique lender, we have the agility to tailor products to meet the needs and capacity of our clients and we have become the Private Lending Partner to countless of Bahamians and Bahamian residents.

Sunshine Finance is licensed and regulated by the Securities Commission of The Bahamas

Definitions

• “Back-up System” means data kept in electronic network storage for the purpose of replacing other data in the event of that data being altered, lost, damaged or destroyed.
• “Company” or “SFL” means a company incorporated under the laws of the Commonwealth of The Bahamas and carrying on business within the said Commonwealth
• “Creditor” a person or company to whom money is owing
• “CPA” means the Credit Reporting Act of The Bahamas
• “CRIF” is a credit bureau in the Bahamas licensed to collect credit information from designated Credit Information Providers (such as banks, credit unions, utility companies, micro finance organizations, insurance companies etc). The credit information is then validated and transformed into factual and usable credit reports
• “Customer” a person who has a facility with the Company or who completes an application form to obtain a loan with the Company
• “Data” any personal information in a form in which it can be processed
• “Data Controller” means a person who, either alone or with others, determines the purposes for which and the manner in which any personal data are, or are to be, processed
• “Disclosure” in relation to personal data means the disclosure of information extracted from such data but does not include a disclosure made directly or indirectly by a data controller to an employee or agent of theirs or to a data processor for the purpose of enabling the employee, agent or data processor to carry out their duties
• “DPA” means the Data Protection (Privacy of Personal Information) of The Bahamas
• “Duty of care” means that a person or organization is legally obligated to avoid acting in such a way that may cause harm in any form to others.
• “Financial data” a customer job letter including details of their occupation and salary and a customer pay slip detailing creditors
• “Personal data” means data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller.

Our Purpose

As a Bahamian based company SFL is a Data Controller under the provisions of the DPA. As such, the Company is required to safeguard the personal information of its customers. SFL is committed to the highest standards of privacy and information management. Our Data Protection Policy refers to our commitment and operational policy to gather, store, disclose and handle the data of our customers and other interested parties in accordance with the DPA.

Scope

This policy applies to all customers of the Company, all data obtained from said customers and Employees of the Company.

Requirements under the Data Protection Act

The Bahamas Data Protection (Privacy of Personal Information) Act, 2003, (“Data Protection Act”) (“DPA”) protects the privacy of individuals in relation to personal data and regulates the collection, processing, keeping, use and disclosure of personal information.

If there is any discrepancy between this policy document and the legislation or its regulations, the legislation takes precedence.

Key Requirements

1. To ensure that the data is accurate and kept up to date
2. To only keep the data for specified and lawful purposes
3. To not use or disclose data incompatibly with its original purpose
4. To only obtain data that is adequate, relevant and not excessive
5. To not keep the data longer than necessary
6. To ensure appropriate security measures are taken

Data Usage

Data is only used for credit adjudication or collection purposes, including:

• Determining loan qualification
• Determining loan advance or extension qualification
• Assessing customer financial position
• Verifying customer-provided data
• Locating customers for legal collection processes

Customer Rights

Right of Access

Customers have the right to access personal data held by the Company.

Right of Correction or Erasure

Customers are entitled to have incorrect or inappropriately collected data corrected or erased.

Right to Prohibit Direct Marketing

Customers can request to stop using their data for direct marketing purposes.

Data Disclosure

The Company shall not disclose customer data to third parties without prior consent, except in specific legal circumstances such as:

• Safeguarding national security
• Preventing or investigating offences
• Protecting international relations
• Preventing injury or property loss
• Complying with legal requirements

Data Governance

The Company processes personal data in accordance with the Data Protection Act. The President of SFL determines data processing purposes and methods.

Breach Protocol

In the event of a data security breach, the Company will:

• Contain and investigate the incident
• Require immediate reporting to the Compliance Officer
• Provide whistleblower protection
• Take potential disciplinary or legal action

Last Updated: March 15, 2023