PRIVACY POLICY

The Company

Commercial General Insurance Ltd (hereafter referred to as “the Company”) holds a leading role among Cypriot general insurance companies and its headquarters are located at Arch. Makarios III Avenue, 1071 Nicosia, Cyprus.

The Company was founded in 1973 by the British insurance company Commercial Union Assurance plc, present-day Aviva plc, and the Christophides Group, which had represented said company in Cyprus since 1925. With branches in all cities, and having created an expansive, modern and notable network of representatives who operate across the whole of Cyprus, the Company stands by its customers and offers its complete services.

It offers an array of modern insurance policies, especially designed to meet the needs of any individual or business and securing complete cover for its customers. Its goal is to continue its successful operations in the Cypriot insurance market, with particular commitment to its professional paradigms and business ethics, and to secure the full satisfaction of its customers’ insurance needs, focusing on the continuous improvement of its services and utilizing all modern technological means.

Furthermore, the Company remains focused on maintaining high standards of professionalism, innovates and creates within the field of insurance, having earned the trust and appreciation of the public through its credibility and reliability.

The purpose of this document is to inform you in an accessible, transparent and direct manner about the processing of your personal data, which the Company collects and processes within the framework of its responsibilities toward you, because it has committed, in accordance with current legislation, to securing and safeguarding your right to be protected against the unlawful processing of your personal data, as well as your right to privacy, but also to protecting the retained personal data concerning you.

Your personal data can help the Company to better comprehend your insurance needs, and to offer you a more rounded and personalised service. The Company nevertheless understands that preserving the security and confidentiality of your personal data is a great responsibility, which it takes very seriously into consideration. For this reason, it has designed this Privacy Notice which, among other measures, aims to inform you about the type of personal data collected, the reasons behind such collection, and the uses of the collected data.

This Privacy Notice addresses natural persons who are existing or potential clients of the Company, policyholders, authorised persons, third parties, suppliers and partners. By providing your personal data, or those of another person such as a policyholder, or of a claimant to whom you have given consent or by whom you have been authorised to process his personal data, you accept that the Company will use such data in the manner detailed in this Privacy Notice. You will need to direct the attention of the person whose personal data you give to the Company, to this Privacy Notice.
You may be given further Notices of Processing at a later stage, which will emphasise particular uses of your personal data.

Certain changes to the Privacy Notice may also be carried out, so that it may conform to legislative changes, operational or technological advancements. You will need to periodically check the Company website for the most recent version of this Privacy Notice.

Within the Privacy Notice, your personal data may at times be referred to as “Personal Data”, “Personal Information”, “Data” or “Information”. For the purposes of this Privacy Notice, Personal Data shall be deemed to include any piece of information concerning a natural person who can be identified either directly or indirectly, in particular by reference to identifiers, such as his full name, identity card number, or any factor(s) specific to the physical, physiological, genetic, mental, economic, cultural or social identity of said natural person.

The term Personal Data also includes, among others, sensitive information (or information of special categories) such as, for example, information which concerns the health of a natural person, possible criminal convictions and information which reveals his racial or ethnic origin.

When the Company states that your Personal Data are subject to “Processing”, this term includes any action undertaken in relation to such data, such as their collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure and destruction.

In case you require further information regarding the processing of your personal data by the Company, you can contact the Data Protection Officer (DPO) of the Company at the address of its registered office, Arch. Makarios III Avenue, 1071 Nicosia, or by email at dpo@cgi.com.cy .

Principles relating to processing of personal data

During its collection of sensitive Personal Data, the Company is bound by the General Data Protection Regulation (EU) 2016/679, and taking into consideration all the necessary organisational measures, it proceeds with processing according to the following principles of Personal Data Processing:

  • They are subject to lawful and fair processing in a transparent manner.
  • They are collected for specified, explicit and legitimate purposes and are not further processed in a manner that is incompatible with the purposes for which the Company collects these data.
  • Only adequate and relevant data are collected, and they are limited to what is necessary for the purposes for which they have been collected.
  • They are accurate and updated when necessary.
  • They are only retained for the period necessary for the purposes for which they have been collected.
  • They are processed in a manner that guarantees their appropriate security, including, among others. their protection against unauthorised or unlawful processing and accidental loss, destruction or damage, through the use of suitable technical or organisational measures.
  • When the Company transfers your Personal Data either to another country, or to a person who processes them on behalf of the Company, all necessary precautions for the protection of your data are taken, such as for example the conclusion of specialised agreements for data processing.

Collection of Personal Data

Personal Data collection mostly occurs directly from you, either through consultants or intermediaries. These data can be obtained through a proposal, which is directly or indirectly submitted to the Company (through partners and/or representatives) or through an agreement between us, or through telephone or any other communication with us.

Nevertheless, in some cases, Personal Data collection can be carried out by third parties, when for example someone names you as part of a proposal / contract. Your personal data can be received either through third parties (partners, representatives, lawyers, authorised persons) or through other insurance companies or even through sources available to the wider public.

More specifically, your Personal Data can be collected:

(a)From you (directly or indirectly):

  • Through the information form when submitting an insurance proposal.
  • Through telephone communication with the Company, which is likely to be recorded.
  • Through queries, grievances, complaints or claims on your part.
  • By filling out the “Website-Application Form for Employment”.
  • Submission of personal information documents.
  • In person, directly from natural persons.

(b)From various other/third-party sources (for example):

  • From other insurance policies, on which you are named as part thereof (e.g. if you are a named driver on a motor insurance policy).
  • From other insurance services.
  • Accounts, Managers, CEO’s Executive Assistant.
  • From partners / service providers, intermediaries or representatives of the Company.
  • From members of your family (in specific cases where you are unable to provide such information by yourself).
  • From doctors or other similar healthcare professionals (e.g. during the evaluation of a claim for indemnity on your part).
  • From legal advisors (e.g. in cases where you are not insured with the Company but have a claim submitted against you by one of its clients due to an accident).
  • The Road Transport Department.
  • From specialists, experts.
  • By telephone or fax.
  • Photographic material.
  • By email, ERP systems.
  • By telephone from the Police.
  • Application form at our website (www.cgi.com.cy).
  • Evaluation form during an interview.
  • Registrar of Companies and Official Receiver- Insolvency Service.

Types of personal data processed by the Company

The Company collects and processes several types of Personal Data according to the services provided in each specific case. This Privacy Notice applies to both those directly and indirectly involved, as well as its potential and existing clients.

For all the aforementioned reasons, the Company collects and Personal Data according to the insurance to be provided, as follows:

  • Contact details (such as full name, address of residence, email address, telephone number, occupation, identity card / passport number, date of birth, nationality, etc.).
  • Information and contact details of third parties, who are in any way named as part of the contract (e.g. named drivers on a motor insurance policy).
  • CV (Name, Address, Tax Identification Number, Identity Card Number, Social Security Number, Bank Account Number, IBAN number, Appointment Letter, Confidentiality Agreement,
  • Details of referees, medical certificate)
  • Bank details (e.g. IBAN).
  • Personal data relating to your state of health, both medically and mentally, and information about past accidents, illnesses and treatments thereof.
  • Information relating to your past, such as bankruptcies, penalty points, past claims and pending judicial proceedings against you.
  • Information relating to the nature of your occupation and insurance history, as well as those of all named individuals, so that the Company may evaluate its risk as an insurance company.
  • Information relating to the item for which the Company provides or is to provide cover (such as your vehicle, boat, house, etc. according to the insurance type).
  • Information relating to your property (movable and immovable), anything located within this, and any type of charge that concerns it (mortgages, debts, etc.).
  • Data collected through the Company website, through the use of cookies.
  • Information in relation to underwriting

How the Company uses your personal data

Once collected by the Company, your Personal Data may be processed, as mentioned earlier, by the Company, its employees, its partners or representatives, so as to offer you a personalised service.

The Company uses your Personal Data for the following purposes:

  • To communicate with you.
  • To carry out evaluations and decisions (whether automated or not, including profiling) relating to the provision and the terms of insurance, settling claims, and the provision of support and other services.
  • To provide services that derive from the insurance contract, to submit claims for indemnity and support, as well as other products and insurance services offered by the Company, including the valuation of claims, the handling, settling and resolution of discrepancies.
  • To improve the quality of the products and insurance services provided by the Company.
  • To prevent, detect and investigate crimes, including fraud and money laundering, and to analyse and manage other commercial risks.
  • To carry out surveys and data analysis, including analysis of the Company’s customer base and other persons who have given their personal details and information (e.g. third parties claiming indemnity), and of the risks faced by the Company, always in accordance with current Cypriot and European legislation (including the obtaining of consent, where required).
  • For marketing purposes. The Company can undertake marketing at its own discretion and, with your consent, through the use of email.So that the Company may comply with current laws and regulatory obligations, European guidelines and principles, judicial decisions and other legal proceedings; to respond to enquiries submitted by public and national authorities, according to what is prescribed by Cypriot and European legislations.
  • To exercise and defend the Company’s legal rights, to safeguard its professional operations and the operations of its business partners, and to protect the rights, the privacy, the security or the assets of the Company, as well as those of its business partners, yourself or other persons or third parties; to enforce its terms and conditions, to pursue the available measures of reparation and to minimise its losses.

To whom the Company may disclose your Personal Data?

The Company may need to disclose your personal data to its partners so that it can provide you with your required insurance and fulfil its obligations to you; such partners may include experts, assessors, intermediaries, intermediaries, lawyers of the Company, lawyers of clients and third parties, other insurance companies that may be involved, doctors, reinsurers (according to sum/circumstances), representatives, credit institutions, the Motor Insurers’ Fund (MIF) in case of accident with an uninsured driver, the Police, the Superintendent of Insurance, inspectors, the Commissioner of Administration and Human Rights (Ombudsman), the Road Transport Department, Social Insurance Services, Income Tax, public authorities, investment organisations, financial offices, Cyprus Telecommunication Authority (CYTA) and other services.

In no case will the Company disclose your Personal Data for processing for reasons contrary to those described within this Privacy Notice or without your prior notice.

Your Personal Data may be disclosed to public authorities, auditors, assessors, reinsurance companies, the Superintendent of Insurance, who as processors will process them on behalf of the Company, on the basis of our agreement. Disclosure of Personal Data abroad may occur between the Company and service providers or reinsurance companies, lawyers and specialists.

In any case of disclosure to third parties, the Company takes all precautions to ensure that the disclosed data are those necessary for the performance of the contact, in accordance with the terms for their lawful and fair processing, and the organisations to which data are disclosed have bound themselves in writing toward the Company, to the fulfilment of the provisions of the general data protection regulation. Cases in which disclosure of data is necessitated by any legal or regulatory obligation, are excluded.

In cases where your Personal Data must be disclosed to countries outside the European Union, and which do not sufficiently protect your Personal Data, the Company will be liable and will need to enact contractual clauses between itself and the company to which the data are disclosed, for the purposes of securing and protecting the disclosed data.

Retention period of your personal data

The Company retains your Personal Data in its records only for the period necessary for the completion of the insurance contract between us, unless otherwise required by legal or regulatory obligations. This also applies to cases where said insurance contract is annulled for whatever reason.

Conforming to the Regulation, the Company has determined the various retention periods of your Personal Data according to the processing which they undergo. The factors taken into consideration when deciding these retention periods were the provision of better services to you, as well as the operational needs, legal obligations and the protection of the legal interests thereof.

For more details on said retention periods, please contact the Data Protection Officer of the Company.

Your Rights

The General Data Protection Regulation specifies your rights in relation to your personal data. The Company has hence developed a procedure for settling any demand relating to your personal data, as follows:

I. Right to Access: You have the right to access the data concerning you that the Company retains, and to obtain a copy thereof, provided that they are stored digitally.

II. Right to Rectification: You have the right to access and rectify your Personal Data. You may, at any stage in our relation, review and update your Personal Data, providing always the necessary documentation, and requesting the rectification or filling in of any inaccurate information.

III. Right to be Forgotten: You have the right to request the erasure of all or any part of the data concerning you. It is nevertheless emphasised that the Company is only obligated to erase those Personal Data that can be erased or are permitted to be erased.

IV. Right to Restriction: You retain the right to request the restriction of the processing of your Personal Data, even when the accuracy of such data is in doubt, or when they are no longer of use to the Company, but you nevertheless request their safeguarding due to legal proceedings.

V. Right to Object: You may at any time express your objections to the processing of your Personal Data. In case you exercise this right, such processing ceases automatically, unless the Company proves a legal interest, or the data are required in support of a legal/judicial case.

VI. Right to Data Portability: You retain the right to data portability, i.e. the transfer of your Personal Data to another organisation in a recognisable and widely use format. The data in question will then be erased, as defined by the Company’s erasure policy.

VII. Right to Withdrawal of Consent: You retain the right to withdraw your consent for the processing of your Personal Data, at any time, without however affecting the legality of said processing, on which the Company relied prior to your withdrawal. The Company informs you that withdrawal of consent may lead to the termination of relevant services.

VIII. Right to Submit a Complaint: You retain the right to submit complaints in relation to the processing of your Personal Data, to the Commissioner for Personal Data Protection.

IX. If during the submission of a complaint, you have doubts about the outcome of your enquiry, you may also submit it in writing to the Commissioner for Personal Data Protection at the following address:

Office of Commissioner for Personal Data Protection
Iasonos 1, 2nd floor
1082 Nicosia
PO Box 23378
1682 Nicosia
Phone No.: 22818456 Fax No.: 22304565
Email address: commissioner@dataprotection.gov.cy

To exercise the above rights or in case you require further information relating to your rights, you can contact the Data Protection Officer of the Company, at the address of its registered office, and through the email address dpo@cgi.com.cy .

Amendments to the Company’s Privacy Notice

Amendments to Legislation or technological advancements necessitate corresponding amendments on the part of the Company.

You are requested to remain informed about the Privacy Notice of the Company, which may at any time change and adapt to new developments and states of affairs.

The revised Privacy Notice of the Company will be uploaded to our website at www.cgi.com.cy .

Finally, you are able to request a physical copy of the most recent version of the Privacy Notice.

May 2018