With this statement we would like to inform you which personal data we store and how we use them in the context of your contractual relationship (insurance contract) with us. Furthermore, we will inform you about the rights granted to data subjects by the EU General Data Protection Regulation (GDPR), taking effect on 25 May 2018.
All personal data provided to us in the insurance proposal or by third parties are stored and processed for the purposes of pre-contractual needs assessment, customer consulting, concluding and processing insurance contracts and the handling of claims. Personal data are processed only for specific purposes and in compliance with the GDPR, regulations of the Cypriot Data Protection Act, relevant provisions of the Austrian Insurance Contract Act (VersVG) and all other appropriate laws.
As a controller within the meaning of the GDPR we determine the purposes and means of the processing of your personal data:
Medlife Insurance Limited
Alpha Business Centre, 27 Pindarou Street, 3rd floor, Block B, CY-1060 Nicosia, Cyprus
office@medlife.net, phone +357 2245 1087
If you have any questions regarding the processing of your personal data you may as of 25 May 2018 address your request to the above stated address (for the attention of the “Data protection officer”) or send an email to dataprotectionofficer@medlife.net.
Which personal data do we use?
We process the data which are provided by you in the insurance proposal (application data), as well as contractual data and data received from third parties (brokers, doctors, experts, insurance agents etc.). Such data are, for example, your name, your date of birth, your address, information about the insured interest, the amount insured, the contract term, the insurance premium and your bank details.
If an insured event occurs, we will collect and process additional information about the event itself (e.g. date of the accident, cause of the accident, photos, documents etc.) and claim data (amount of the benefit, bank details etc.). If necessary, this may also include data obtained from third persons who were entrusted with the claim assessment (experts, for example), or who are competent in any way to provide information (authorities, witnesses etc.), or who are standing in connection with the payment of the benefit (doctors, hospitals etc.).
We collect only necessary information, which means that in some individual cases it will be sufficient to acquire just some of the above-listed data.
For what purpose and on which legal basis is data collected and processed?
a) Preparation, administration and fulfilment of (insurance) contracts (legal basis: art. 6 para. 1 (b) GDPR)
If you submit an application for insurance, your statements on the application form are required for an assessment of the risk to be insured. If an insurance contract comes into effect, these data will be processed for the implementation of the contract, such as policy issuing and premium invoicing. If an insured event occurs, we will have to process additional data relating to the event in order to determine the extent of our obligation to pay indemnification.
b) Consent of the data subject (legal basis: art. 6 para. 1 (a) and art. 9 GDPR, §11a VersVG)
The processing of special categories of personal data (like data concerning health) requires your explicit consent, unless it is needed for the establishment, exercise or defence of legal claims.
The conclusion and performance of insurance contracts is based on the processing of personal data. If you do not provide your personal data to the required extent, it may under certain circumstances be impossible to conclude the requested insurance contract with you or to examine and fulfil benefit claims arising from our insurance relationship.
c) Insurance-specific statistics (legal basis: art. 6 para. 1 (b) and (f) and art. 9 para. 2 (j) GDPR)
The processing of your personal data is also required for the compilation of insurance-specific statistics, which are used for the development of new insurance tariffs or the fulfilment of requirements of the supervisory authority. Furthermore, we use the data of all your insurance contracts to get an overview of the customer relationship with you, which helps us to improve our consulting service with regard to contract adaptations or supplements, make decisions on a goodwill basis or ensure a better exchange of information with you.
d) Data processing related to statutory obligations (legal basis: art. 6 para. 1 (c) GDPR)
We process your personal data in order to comply with legal obligations to which we are subject, such as supervisory provisions, provisions by corporate and tax laws concerning the keeping of records, and consultation obligations.
In the field of life insurance, we process data concerning your tax residence in order to fulfil our reporting obligations towards financial authorities under the Common Reporting Standard (CRS) and under FATCA (Foreign Account Tax Compliance Act) Intergovernmental Agreement with the USA. Furthermore, we are obliged by the Prevention and Suppression of Money Laundering Activities Law to fulfil our duties of due diligence in respect of combating money laundering and terrorist financing. Personal data (like identity data, information related to your professional activity and the source of your assets) is processed also for these purposes.
e) Marketing activities (legal basis: art. 6 para. 1 (a) and (f) GDPR)
We process your data also for marketing purposes in order to promote our own products and the products of our cooperation partners. In order to ensure a better tuning of our advertising according to customer needs and to be able to supply customized quotes we analyse data which are relevant for this purpose. We have a legitimate interest in offering our clients and potential customers insurance products which are well adjusted to their needs. You have the right to object to the processing of your data for direct marketing purposes.
If we want to process your personal data for other than the above mentioned purposes, we will inform you of this in compliance with the law.
With whom do we share data?
If required for the achievement of any of the above purposes or if prescribed by law, we will transmit data which are necessary in a specific case to the relevant recipient who needs them. Such recipients may be:
a) Reinsurers
In the insurance of particular risks, we cooperate closely with reinsurers, supporting us in risk assessment and in the examination of claims. In these cases, it may be necessary to exchange data with reinsurers for the purposes of risk or claims assessment.
b) Independent insurance agents
When you use the service of a broker or an insurance agent, he/she collects and processes your personal data and passes them on to us for risk assessment, contract processing or claims assessment. Likewise, we share your personal data with your agent, if this is required for a competent insurance consultation.
c) Authorities, courts and other third parties
As an insurance company we are subject to strict regulatory requirements and to supervision by the authorities. In that context it may become necessary to disclose to authorities or courts upon their request the personal data of our policy holders.
During the examination of a claim it may be required to use the service of third parties like doctors, hospitals, experts or claim adjusters, and to share your personal data with them.
d) Recipients of data concerning your health
According to the legal regulations, data concerning your health may only in specific cases and within the scope of the consent you gave, but even without your explicit permission (given in individual situations), be transmitted to the following recipients:
Examining and treating physicians and hospitals or other medical care and health care institutions, reinsurers, cooperating in the processing of the relevant claim, appointed and authorised experts, authorised or legal representatives of the persons concerned, courts, public prosecutors, administrative authorities, arbitration boards or other third party institutions and bodies responsible for dispute resolutions, including all experts appointed by them.
Where is data stored? Can data be transmitted to recipients in third countries?
All data processed in the course of insurance business operations is centrally stored in our internal computer centre in the head office of the mother company as well as partially on our servers in Cyprus.
A transmission of data to recipients outside the European Economic Area (EEA) takes place only when it has been officially confirmed by the EU Commission that the relevant third country is able to ensure an adequate level of data protection or if other safeguards for data protection, like binding corporate rules or EU Standard Contractual Clauses, exist.
For how long is data stored?
Basically, your data is stored for the duration of our insurance relationship. However, there are legal obligations concerning the preservation of records, requiring that we keep data concerning you or third parties (like co-insured persons), your claim cases and your insurance contract even beyond the term of the insurance relationship or for a certain time after the settlement of a claim.
Furthermore, we store your personal data for as long as any legal claims may be asserted in connection with our insurance relationship. The statutory periods of limitation are between 3 and 30 years.
Which rights do you have under the Data Protection Law?
In accordance with articles 15 - 22 GDPR you have the following rights against the data controller concerning the data stored in relation to your person:
• Right of access
• Right to rectification of inaccurate or incomplete data
• Right to erasure of data which have been unlawfully processed
• Right to restriction of processing (as of 25 May 2018)
• Right to object to the processing of personal data (if a legitimate interest exists)
• Right to data portability: right to receive the data you provided in a structured, commonly used and machine-readable format (as of 25 May 2018)
Where the processing of your data is based on your consent, you may withdraw this consent at any time with the effect that we will no longer process your data, unless there is another legal ground that requires a further processing. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The data subject must provide information enabling his or her identification in order to ensure that a response will reach the right person.
You have the right to lodge a complaint with the Cyprus Data Protection Authority (Commissioner for Personal Data Protection) as the supervisory authority, if you believe that your personal data is being unlawfully processed.