Personal Data Notice

PERSONAL DATA NOTICE

(According to the Regulation (EU) 679/2016 on personal data)

Our Company, under the corporate name GENIKI PANELLADIKI MUTUAL INSURANCE COOPERATIVE OF PRIVATE BUSES and distinctive title GENIKI PANELLADIKI MUTUAL INSURANCE COOPERATIVE, with registered offices in Athens, on 7 Voulis St., P.C. 10562, T +30 210, 3217801, Email: dpo@ genpan.gr, is a Greek insurance company (L. 4364/2016).

Our Company, by virtue of this document, in its capacity as Personal Data Controller, provides information on the protection of Personal Data, according the General Data Protection Regulation (EU) 2016/679, as follows:

Useful definitions

For the better understanding of this document, we use the following terms with the relevant meaning:

  • Personal data: Any information relating to a natural person and identifying it directly or indirectly (e.g. full name, ID Card number, driving license, TIN, home address, telephone numbers, age, sex, physical characteristics, family status, education level, profession, interests etc.). The so called “sensitive data” (“special categories of data”, according to the GDPR) are a subset of “personal data”, referring to the hard core of the human personality and benefiting from stricter protection (e.g. health condition, participation in trade unions etc.). The natural person to whom a piece of personal data relates, is called the data subject.
  • Processing: Any kind of collection and use of personal data, such as the storage, transfer to third parties, their deletion etc.
  • Legal basis for the processing: The conditions set out in the General Data Protection Regulation, indicatively:
  • in regard to “simple” data, the consent, the conclusion or execution of a contract, the Data Controller’s compliance to a legal obligation, the protection of the vital interests of the data subject or the legitimate interest of the data controller (article 6 of the GDPR).
  • in regard to the special data categories (“sensitive” data), the consent, the establishment, exercise or defense of legal claims, the substantial public interest, according to the European or Greek national law (article 9 of the GDPR).

Categories of personal data that are subject to being processed

GENIKI PANELLADIKI MUTUAL INSURANCE COOPERATIVE processes the following categories of personal data:

  • Identity details (full name, father’s name, date of birth, police ID card number or passport number, driving license, professional license, social security registration number).
  • Contact details (address, telephone, fax, email).
  • Vehicle details (vehicle registration number, other details regarding the vehicle, such as color, brand, model, age, sale and purchase agreement of vehicle, hiring contract, invoice for purchase, MOT certificate, registration certificate).
  • Details required for the payment and issuance of legal tax documents (bank account, payment card number, such as credit or debit, TIN, Tax Authority).
  • Details necessary for the conclusion and the management of an insurance contract, including the insurance requirements (insurance contract category and number, driving license acquisition date, vehicle damage history, driving behavior, in some cases the income of the insured person, information included in proxy, authorization forms and solemn declarations, traffic accident report, copies of incidents reports, case files, court decisions, invoices for vehicle repairs, receipts of subsistence expenses (travel, medical expenses, medicinal products etc.)
  • Settlement details (declaration of the accident, invoices and receipts for the provision of services, vehicle damage estimates, medical assessments and estimates on the accident conditions, expert reports on material damages, medical expert reports or expert reports on the accident conditions, which may be available for the specific case of insurance cover.
  • Images or video recordings collected in the framework of an incident and included in the file of damages, as well as the data recording from a closed circuit television camera operating in our office facilities.

How do we collect personal data?

GENIKI PANELLADIKI Mutual Insurance Cooperative collects the personal data either:

  • Directly from the “data subjects”, during the submission of an insurance application, an application for the modification or termination of the insurance contract, a petition for insurance benefits, a claim for indemnity, an application for group insurance policies for road assistance and legal protection, a damage declaration, which are submitted to our Company in written or electronic form, either in person to the Company’s employees, or through insurance intermediaries, experts, lawyers or road assistance and legal protection companies.
  • From third parties, partners or not, such as health service providers (e.g. hospitals, diagnostic centers, third-party databases, such as the Statistical Service of Insurance Companies, the Immediate Payment System and the of the Greek Auxiliary Fund Information Center, lawyers, public authorities, financial institutions and other insurance companies.
  • From the visitors/users of the website www.genikipanelladiki.gr, who provide them voluntarily for the processing of their electronic requests.
  • During user registration at the web application of the website www.genikipanelladiki.gr and during the use of this application.

Purposes and legal basis of processing

  • When you submit an insurance application, the Company processes your personal data in order to evaluate the risk it is called upon to assume and, subsequently, to draft an offer and to decide on the conclusion of the insurance contract, determining the general and special terms thereof as well as the amount of the insurance premium. The legal basis in this case is the conclusion/execution of the insurance contract (article 6(1) (b) of GDPR). In case further investigation is required in the framework of the pre-insurance control, the legal basis of this further “processing”(e.g. commercial information control) is the legitimate interest of the Company (article 6(1) (f) to assess the risk as accurately as possible and to decide whether to assume it.
  • Subsequently, if you submit a damage declaration, a claim for Indemnity and/or an amendment/modification/annulment/acquisition application of the insurance contract, the Company processes your personal data in order to examine your request and to manage the insurance contract during its period of validity or/and after its expiry, including the evaluation, control and settlement of claims in case of any insurance risk, or the payment of the amount provided for in the contract terms (indemnity), as well as the provision of road assistance, traffic accident care and legal protection. The legal basis in these cases is the enforcement of the insurance contract (article 6(1) (b) of GDPR), as well as our compliance with the obligations we have according to the law in our capacity as an insurance company (article 6(1) (c) of GDPR).
  • The issuance of the required tax documentation. The legal basis of this processing is our compliance with the relevant fiscal legislation in force (Article 6(1) (c) of GDPR).
  • The periodical update of the Insurance Companies Statistical Service regarding production details, indemnity payments and pending indemnity payments, aiming at the Company’s compliance with the obligations imposed by the legislative and regulatory framework in force (article 6(1) (c) GDPR).
  • The collection of debts or the defense against any claims, as well as the provision of data to third parties (private or public bodies) for judicial purposes. The legal basis for the aforementioned processing is the legitimate interest of the Company to ensure compliance with its contractual rights and to promote its interests, in case of claims arisen until the irrevocable, non-judicial or judicial settlement of these claims, as well as the legitimate interest of third parties (e.g. another insurance company) to receive and use specific data kept by the Company for defending their rights before the courts, always provided that the Company deems their provision necessary and useful to achieve this objective (article 6(1) (f) GDPR).
  • The prevention and repression of money laundering. The legal basis for this processing is the Company’s compliance with the obligations imposed by the legislative and regulatory framework in force (article 6(1) (c) of GDPR).
  • The monitoring and prevention of possible fraud in the framework of the settlement/indemnity payment through the examination of the vehicle damage history. The legal basis of this data processing is the Company’s legitimate interest to ensure that its contractual rights are being respected and to defend its interests (article 6(1) (f) of GDPR).
  • Our contact with you (by post or email, as well as via telephone or sms), for issues related to your insurance and to inform you on similar products and services offered by the Company via newsletters, sent to you by post or email or sms and social media. The legal basis of this data processing is the Company’s legitimate interest to inform you on similar products or services on the one hand and, on the other hand, to fulfill its contractual obligations (article 6(1) (f) of GDPR).
  • In cases of traffic accidents resulting in personal injuries, the “processing” of the required special categories of data (“sensitive data”) (e.g. photographs, medical tests/reports, treatments etc.) is subject to the explicit consent granted by the data subject (injured person), upon a special notice by the Company. If the data subject gives his consent, which shall be addressed to the doctor and/or hospital, the injured person (injured/insured by a third insurance company) they shall consent to the lifting of medical confidentiality (article 13, L. 3418/2005) and to the provision to the Company of the data related to the injuries provoked during the specific traffic accident (medical history, photographs, medical assessment, medical report, relevant healthcare and treatment receipts.
  • Our contact with you (a) for the purposes of surveys on the evaluation of the Company’s products and services and/or (b) for the purposes of your individual information regarding our new products and services, presenting to you information or offers customized for your insurance needs and (c) for the purposes of our client database analysis, only with your prior explicit consent, which is the legal basis of this data processing (article 6(1) (a) of GDPR).
  • Drawing of statistical conclusions, provided that (a) it has been verified that you cannot be identified and (b) the appropriate guarantees have been obtained regarding your rights and freedoms, ensuring that the technical and organizational measures are applied to guarantee the principle of data minimization.

Recipients of personal data

Besides our Company’s relevant internal departments (actuaries, legal department, internal audit, risk management, regulatory compliance) and the authorized employees and partners, your personal data may be transferred to third party recipients, such as:

  • Businesses and professionals also operating as “controllers” and independently responsible for the lawful processing of “personal data” according to what is mentioned in their own notices (insurance companies, reinsurers, financial institutes, experts, traffic accident investigators, lawyers, bailiffs, certified auditors, third party healthcare providers, such as public and private hospitals, diagnostic centers, health professionals).
  • Providers who are partners of the Company in the framework of the lawful enforcement of the insurance contract, such as road assistance companies, insurance intermediaries, IT companies, companies of vehicle technical services and residual value management companies).
  • Statistical Service of Insurance Companies of the Hellenic Association of Insurance Companies
  • Electronic Service of the Immediate Payment System (Amicable Settlement System).
  • Competent authorities, provided that this is required for our compliance with the obligations imposed by law or for the protection of our legal rights (social security funds, the Bank of Greece as a surveillance authority, Courts, Prosecuting authorities, Police, the “General Secretariat for Consumers” of the Ministry of Economy and Development, the independent authority of the “Consumer’s Ombudsman”, the competent Ministries, Tax Authorities, the Independent Authority for Public Revenue).

Transfer of personal data to third countries

In order to facilitate the conclusion and execution of insurance policies, the Company may transfer personal data to non-EU third countries (Law 4364/2016). This transfer is made based on the articles 45-47 of GDPR.

Time frame of personal data record keeping

Our Company keeps personal data for the period specified in the applicable legislation, and provided that there is no relevant provision, for the time period required to achieve the objective for which they have been collected, while in case of claims, for any time period required until their irrevocable resolution. Specifically:

  • In case of an insurance contract application which wasn’t concluded, the applicant’s personal data shall be kept for a two-year period from the application submission.
  • The image recording data, collected through a closed circuit television camera, shall be erased within 15 working days, In case of a harmful event against the Company or its employees (e.g. theft, robbery, beating) the images recording this event shall be kept in a separate file for 30 days. If the event is related to a third party (visitor in our offices), the Company shall keep the recording for 3 months, subject to further claims by the prosecuting and police authorities.

Data subjects’ rights

You may exercise the following rights at any time by submitting a relevant application to our Company and, specifically, to the Data Protection Officer, via email at dpo@genpan.gr, by registered letter or in person at our registered offices (7 Voulis St,, 10562 Athens, Attn. Data Protection Officer), in order to:

  • Receive information on whether we process your “personal data” and what type of data we process, as well as in what way (“right of information and right of access”).
  • Request the rectification and/or supplementation of inaccurate or incomplete “personal data”, e.g. in case you change address (“right of rectification”).
  • Request the erasure and/or the restriction of the “processing”, provided that it is no longer necessary or if you believe it is carried out in an unlawful manner, as well as in case that the deletion of “personal data” is mandatory by law (“right to be forgotten”).
  • Request the restriction of the “processing” (a) for the period during which the above request on the rectification or deletion of the “personal data” is pending, as well as (b) in case that we are obliged to cease the processing and delete the “personal data”, but we you request that we keep them only on your behalf, i.e. so that you can exercise your rights, for example defend yourself or substantiate any legal claims (“right to have the processing restricted”).
  • Receive your personal data in readable electronic format and transfer them to third parties indicated by you (“right to data portability”).
  • Object to specific “processing” actions (“right to object”) and indicatively:
  • To sending notifications via post, email or sms. In this case we shall interrupt these notifications.
  • To the transfer of personal data to third parties for judicial purposes, provided that the Company decided, upon evaluation, that their provision is necessary and useful to supporting the third party rights before the judicial authorities.
  • Therefore, we inform you that in case the data transfer is necessary to establish, exercise or support legal claims in or out of court, the Company’s legitimate interest prevails and it is not possible to exercise your right to object.
  • To withdraw the consent you had potentially granted to us regarding the processing of your “personal data”.

The Application Form for exercising the aforementioned rights is available here. In case that you are not satisfied with our response or you believe that your personal data is affected in any way, you reserve the right to make a complaint to the Personal Data Protection Authority (1-3 Kifisias St., 11523, Athens Τ +30 210 6475600, F +30 210 6475628, Email: contact@dpa.gr).

Amendments

Prior to any change regarding the processing of personal data, we shall amend the present accordingly by posting these amendments at the Company’s official website www.genikipanelladiki.gr, where they are available for your information.

Data Processing for Marketing purposes

I have been informed that the Company collects, stores and processes my personal data for the purposes of targeted marketing activities or commercial promotion of the Company’s products or for research purposes regarding the quality of the services it offers.

In order to achieve the aforementioned objective, my personal data may be transferred to subsidiaries, as well as to partner research and promotional companies.

In the framework of such processing, I have been informed on my right to object to it at any time by submitting a relevant request to the Company’s Data Protection Officer (dpo@genpan.gr, T +30 210 3217801, 7 Voulis St., Sintagma, 10562 Athens).