
Protection of Personal Data

Privacy Policy
Personal Data Protection Policy

1.  Preamble
The Company under the name "EUROINS INSURANCE COMPANY AD BRANCH GREECE" ("Company", "Data Controller") is an insurance company, for the purpose of conducting insurance and reinsurance.

The Company acts as a branch of the foreign company, under the name "EUROINS INSURANCE COMPANY A.D.", which, with the permission of the Bank of Greece, operates in the Greek territory, under the terms of the right of establishment. "EUROINS INSURANCE COMPANY A.D." is an insurance company, incorporated and operating in accordance with the legislation of the Republic of Bulgaria, with registered office and central address in Sofia, Bulgaria, Christoforou Columbus Avenue, No. 43. Its commercial strategy focuses on the full range of insurance products, covering a wide range of risks and ensuring advanced insurance service to customers. The company's portfolio includes 63 insurance products, corresponding to all 18 branches of general insurance.

In 2014, the company decided to operate in Greece through the Freedom to Provide Services regime. As of 01.02.2019 it established a branch under the name "EUROINS INSURANCE COMPANY AD GREEK BRANCH", headed by Mr. Evgeny Svetoslavov Ignatov, who is Executive Director and Member of the Board of Directors of the Company.

Upon notification of the Company to the Bank of Greece, through the Private Insurance Supervisory Authority of the Republic of Bulgaria, the Branch may provide services and promote insurance products relating to a number of insurance sectors (such as accidents, illnesses, land vehicles, ships, transported goods, fire and elements, civil liability, guarantees, legal protection, etc.). 

Each group company generally has the status of Data Controller for the activities and processes through which it processes personal data and is responsible for safeguarding and securing information, in accordance with the respective information and protection policy for the processing of personal data, internal policies and procedures and the rules and requirements of the applicable national and regulatory legislative framework for the protection of personal data. In most cases, the company which covers the insurance policy concluded with the subject is the Data Controller.

In the context of its commercial activity and the fulfillment of its corporate purpose, the Company "INSURANCE COMPANY EUROINS AD BRANCH OF GREECE" collects and processes personal data of natural persons, in particular, as appropriate, a) applicants for insurance, b) persons / policyholders contracted with the Company, c) insured persons, d) beneficiaries of the insurance policy, e) third natural persons to whom any kind of damage has been caused, f) third parties other than those mentioned above, as appropriate.

The Company has the status of Data Controller for the activities mentioned herein, for which it determines the purposes and means of processing.

Following this, with this Policy for the Information and Protection of Personal Data of Insured Persons (hereinafter referred to as the "Policy"), the Company, with a particular sense of responsibility and respect for the protection of the privacy of the persons with whom it deals and being vigilant to ensure the security of their personal data, provides the following information on the processing of personal data and on the rights of such persons, as data subjects.

The object of this Policy is to define the basic principles and rules according to which the Company collects, stores and generally processes personal data. With a view to transparency, the Company, through the Policy, provides information on the type of personal data processed, as the case may be, the legal basis and the purpose of their processing, recipients, retention time, technical and organizational measures applied to protect them, users' rights as subjects of personal data, etc.

2.  Legislative Framework
The processing of personal data is governed by the relevant provisions of the applicable national legislation on the protection of personal data (where applicable, indicatively Law 2472/1997, Law 4624/2019, as applicable, etc.), the Directives and Regulations of the European Union (in particular the General Data Protection Regulation (EU) 2016/679, hereinafter referred to as "GDPR"), the Recommendations, Statements, Opinions and Guidelines of the European bodies (Supervisory Authorities, EDPB, Art. 29 WP, etc.), as well as the relevant decisions, directives and regulatory acts of the national supervisory authority, the Personal Data Protection Authority (hereinafter referred to as "HDPA") and subject to the legal formalities and restrictions they set.

3.  Definitions
For the purposes and needs of the Policy, the following definitions are mentioned and adopted, as reflected in the relevant legislative framework on the protection of personal data and in the general and special insurance terms, which also interpret this paragraph of the Policy:

-          "Policy": all content and information of this Privacy Policy, as in force from time to time since the last amendment.

-          'Personal data', 'data' means any information relating to an identified or identifiable natural person (hereinafter referred to as 'data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

For the purposes and needs of the Policy, data subjects are, as the case may be, natural persons and specifically a) insurance applicants, b) persons / policyholders contracted with the Company, c) insureds, d) beneficiaries of the insurance, e) third natural persons, to whom some type of damage has been caused, as interpreted in parallel and in combination with the general and special terms accompanying the insurance contract.

-          'Special categories of personal data', 'sensitive data' means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning health, data concerning a natural person's sex life or sexual orientation.

-          "Controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In this regard, the role of Data Controller is taken by the Company.

-          'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, association or combination, restriction, deletion or destruction.

-          "Processor": the natural or legal person, public authority, agency or other body that processes personal data on behalf of the Controller.

-          'recipient' means a natural or legal person, public authority, agency or other body, to whom personal data are disclosed, whether a third party or not. Please note that public authorities that may receive personal data in the context of a specific investigation in accordance with Union or Member State law are not considered to be recipients and the processing of such data by those public authorities is carried out in accordance with the applicable data protection rules depending on the purposes of the processing.

-          'Third party' means any natural or legal person, public authority, agency or body, with the exception of the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

-          'consent' of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

-          'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

-          "Data Protection Officer" ("DPO"): The Data Protection Officer, designated by the Controller, who holds the position and duties defined by the applicable legislative framework on the protection of personal data.

4.  Controller
The controller of the personal data of the subjects processed, as referred to in the Policy, is the legal entity under the name "INSURANCE COMPANY EUROINS AD BRANCH OF GREECE", based in Palaio Faliro, Attica (14 Amfitheas Avenue and 43 Agioi Anargyroi Avenue), tel. 210.9764307, e-mail: office@euroins.gr.

5.  Data Protection Officer (DPO)
The Company constantly monitors and updates compliance with the legislative framework on the protection of personal data and has appointed a Data Protection Officer (DPO) to this end. The Data Protection Officer mediates between the Company and the subjects and takes care of its compliance actions with the applicable legislative framework on the protection of personal data. 

For any information, question or clarification regarding the Policy and, in general, the processing of personal data by the Company, please contact the Data Protection Officer at dpo@euroins.gr.

6.  Necessity to provide personal data
The Company informs that the personal data provided by the subjects, in the context of the cooperation and / or the transactional relationship with the Company, in any form and in any way, before, during and / or after the termination of this cooperation, for the purpose of providing the Company's services to them, are absolutely necessary for the fulfillment of the purposes specified in the Policy, where applicable: for risk assessment, for the conclusion, operation and monitoring of the insurance contract and / or for the fulfillment of legal and / or contractual obligations, as arising from the insurance contract, and for the fulfillment of the Company's legal obligations, as arising from the applicable national and regulatory framework. These objectives are discussed in detail below.

Consequently, failure to provide such (mandatory) data, either before drawing up or concluding the insurance contract, or in the course of its execution, operation, etc. and / or during its validity, makes it absolutely impossible, on a case-by-case basis, to examine, evaluate and assess the risk, decide on the application and determine the general and special terms of the insurance contract, and / or to monitor, operate and smoothly manage it, provide the agreed insurance coverage, evaluate, assess, control, determine the amount of and settle the insurance indemnity, in case of occurrence of the insurance risk and / or the payment of the insurance premium, as deriving from the general and / or special terms of the insurance contract, and, consequently, makes the cooperation between the Company and the subjects impossible.

As a rule, personal data provided by data subjects are absolutely and fully necessary and mandatory under the relevant national and regulatory legislation. Where appropriate, however, the provision of certain personal data may be optional (as specifically mentioned in the relevant forms, etc.). In this case, the non-provision of such data does not entail consequences regarding the main and basic purposes of the processing, since their provision is usually intended to optimize the quality, monitoring and operation of the insurance contract and the quality of the services provided by the Company, but does not make its smooth development impossible.

7.  Principles of processing personal data
The processing of personal data is based, where applicable, on the following data protection principles, based on the applicable national and regulatory legislative framework on the protection of personal data (art. 5 GDPR):

-          Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

-          Personal data are collected for specified, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes.

-          Personal data are adequate, relevant and limited to what is necessary for the purposes for which they are processed.

-          Personal data should be accurate and, where necessary, kept up to date. All reasonable steps are taken to immediately erase or rectify personal data which are inaccurate in relation to the purposes of the processing.

-          Personal data shall be kept in a form which permits identification of data subjects only for the period necessary for the purposes of processing the personal data.

-          Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

8.  Lawfulness of processing of personal data
The processing of simple personal data is based, where applicable, on one of the following legal bases for processing (art. 6 GDPR):

-          When the subject has consented to the processing of his or her personal data for one or more purposes,

-          When processing is necessary for the performance of a contract to which the subject is a party or in order to take steps at the request of the subject prior to entering into a contract.

-          When processing is necessary for the Company's compliance with a legal obligation, as follows from the applicable legal framework,

-          When processing is necessary to safeguard the vital interest of the subject and / or another natural person,

-          When processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, under the conditions of the legislative framework.

9.  Processing and lawfulness of processing of special categories of personal data ("sensitive data")
In the context of the operation and servicing of the insurance contract and the execution of the contractual terms, as deriving from this contract, as well as for the following purposes, as appropriate, the Company collects special categories of personal data, in particular data relating to health. 

The processing of personal data of these categories is based, where applicable, on one of the following legal bases for processing (art. 9 GDPR):

-          The data subject has given explicit consent to the processing of such personal data for one or more specified purposes. 

-          Processing is necessary to protect the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent.

-          The processing concerns personal data which is manifestly made public by the data subject.

-          Processing is necessary for the establishment, exercise or defense of legal claims.

-          Processing is necessary for reasons of substantial public interest.

-          Processing is necessary for the purposes of preventive or occupational medicine, assessment of the worker's working capacity, medical diagnosis, provision of health or social care or treatment or management of health and social systems and services under Union or Member State law or pursuant to a contract with a health professional.

-          Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and medicinal products or medical devices.

-          Processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes.

In any case, the processing will be lawful and will correspond to the legal bases of the applicable national and regulatory legislative framework on the protection of personal data, and the processing will be proportionate to the intended purpose, respecting the essence of the right to protection of personal data, with adequate safeguards and appropriate measures provided to ensure the rights and interests of the data subject.

10.  Purposes of processing personal data
The Company, where applicable, collects and processes personal data, in the context of preparation, conclusion, operation and monitoring of the insurance contract, for one or more of the following purposes:

-          Before drawing up the insurance contract, a) to issue a relevant offer in the context of the conclusion of an insurance contract and to personalize the proposed insurance product, b) to identify the applicant subject when applying for the insurance contract, c) to carry out the subsequent examination, evaluation, risk assessment and pre-insurance control, in the context of the insurance contract, and to determine its general and special terms, d) to take a decision on such an application for the conclusion of the insurance contract and for the inclusion of the subject in a homogeneous risk category, e) for calculating and determining the premium and for determining the method of payment, f) for issuing and sending the insurance contract and calculating and pricing the premium, g) for communicating with the subjects and informing them about possible issues of the application,

-          During the duration of the insurance contract, a) for its monitoring, operation and smooth management, b) for the provision of the agreed insurance covers, c) for the management of damage caused by a traffic accident or other insurance case (additional risks), which are linked to the insurance policy and, in particular, for the control of the conditions, the collection of evidence, d) for the evaluation, assessment, control, determination of the amount and settlement of the insurance indemnity, in case of occurrence of the insurance risk and / or the payment of the premium, as it arises from the terms of the insurance contract, e) to check the correctness of the data and information of the subject registered and generally brought to the attention of the Company, f) to examine an application for renewal of the insurance contract, including a reassessment of the risk and, consequently, to accept or reject, as the case may be, the relevant application for renewal of the insurance contract, g) to communicate with the subjects and inform them about possible issues of the insurance contract, such as i) the renewal of the insurance contract and the possibilities of payment, ii) possible (permissible) modifications, changes, revisions of the terms and conditions and / or policies and / or procedures of the Company, when they concern the subjects, as appropriate, iii) possible issues that arise, and / or questions and / or complaints posed to the Company by the subjects themselves, in the context of the operation of the insurance contract, in order to provide optimal specialized service, immediacy and quality management thereof, iv) the management of complaints and / or their referral to the competent Departments of the Company and / or to the competent associates of the Company, for their evaluation, assessment and resolution,

-          In addition, where applicable, a) to inform about new products and / or services of the Company and / or announcements and / or news of the Company, b) in the context of investigating the level of customer satisfaction, to evaluate the products and / or services provided, conducting research, submitting a review, in the context of satisfaction with products and / or services and in particular, as the Company may make in relation to other, past or future, insurance applications, accident reports and c) to inform about new products and / or services of affiliated companies of the Company and to promote them (provided that consent has been provided). In cases where consent is required, subjects reserve the right to revoke it at any time, through a relevant link, which is present in each promotional email (unsubscribe / cancel subscription) or by contacting the Company, using the relevant email addresses, which are mentioned in each email. The Company recalls that its goal is respect for and compliance with the relevant requests of the subjects to accept or refuse to receive marketing emails, with respect for the rights and freedoms of natural persons, in the context of protection and security of their personal data.

-          Also, as the case may be, the purpose of processing is a) the Company's compliance with legal obligations, as imposed and arising from the applicable national and regulatory framework, in the context of the application of i) the legislation on risk assessment and solvency of insurance and reinsurance undertakings (Law 4364/2016, as applicable), ii) the legislation on compulsory insurance against motor vehicle accident liability (Law 489/1976, as in force from time to time), iii) the legislation governing insurance contracts (Law 2496/1997, as applicable), iv) national and regulatory tax legislation, including international tax compliance and the implementation of the Foreign Account Tax Compliance Act (FATCA), b) taking action to prevent and combat insurance fraud and insurance crime, including communication with the EUPM on these matters, in particular in the context of managing and responding to reports, c) the Company's compliance with the national and regulatory legislative framework for the prevention and suppression of money laundering, Automatic Exchange of Financial Account Information between OECD countries and between EU Member States, d) the Company's compliance with legal obligations, as imposed and arising from the applicable national and regulatory framework, on consumer protection, by the Code of Consumer Conduct for Electronic Commerce, where applicable, e) the Company's compliance with the acts of the Executive Committee of the Bank of Greece,

-          In some cases, personal data may be used to export and extend anonymized statistics, e.g. a) in the context of statistical surveys, for internal use within the Company, in the context of reports, b) in the context of statistical data, which relate to objections and are brought to the attention of the Bank of Greece (anonymized), c) in the context of statistics which are sent to the Hellenic Association of Insurance Companies (H.A.E.E.).

The Company will not process personal data of natural persons for any other purpose, incompatible with those mentioned above, without prejudice to the applicable national and regulatory legislative framework, which may impose and / or require processing. 

11. The case-by-case processing of personal data (categories of subjects, categories of data, purpose and legal basis of processing)
Following the above paragraphs, in the table below, the Company informs the subjects, on a case-by-case basis and based on the respective processing of personal data, per insurance sector, about the categories of data collected and processed for each purpose and the legal basis for processing.

DETAILED TABLE OF THE PROCESSING OF PERSONAL DATA

In addition, the Company keeps in a physical and / or electronic file, the personal data, which are contained and referred to in forms, applications, required supporting documents, answers, electronic communications, etc. brought to its attention and submitted to it, in accordance with the provisions of the applicable national and regulatory legislative framework, in compliance with all appropriate technical and organizational measures for the protection of personal data from accidental or unlawful destruction, accidental loss, alteration, prohibited disclosure or access and any other form of unlawful processing.

12.  Specific information on the Company's social media

The Company maintains a presence on social media: Facebook, Twitter, Instagram, LinkedIn, YouTube. With this paragraph and in combination with the entire Policy, the Company provides the necessary information on the processing of personal data through social media.

Thus, through social media, the Company often provides the opportunity to submit comments, send messages, updates, etc. In all the above cases, for the processing of personal data, joint Data Controllers are both the Company and the respective operator of each social media platform (Facebook, Instagram, etc.), within the meaning of art. 26 GDPR.

It is not always possible for the Company to have full knowledge of the type of data that the operators of each platform process. In any case, the Company makes the best possible efforts, takes care of the configuration of the pages which it manages on social media and acts according to the capabilities made available to it by the operators, in order to ensure the processing of personal data in accordance with the applicable national and regulatory legislative framework on the protection of personal data.

Further information on the processing of personal data by the operators of social media platforms can be found in the relevant privacy policies / information strategies of the operators, available on their websites.

During interaction with the Company through social media, the purposes of processing personal data are, in particular, to communicate and inform about any form of issues that arise, and / or questions and / or complaints posed to the Company, in the context of the operation of the insurance contract and / or for other purposes, in order to provide optimal specialized service, immediacy and quality management of all issues and general service of persons, in the context of an incident / damage which is related in any way to an insurance policy between the Company and the subject, and / or to answer questions and / or any form of requests, as the case may be (where this possibility exists, e.g. communication by sending a message or posting a comment, etc.).

13.  Sources of personal data collection
As a rule, the Company collects and processes personal data, which are submitted and / or disclosed to it, orally or in any way or by any means, written and / or electronic, by the subjects themselves, through forms, applications, statements, compensation claims, objections, etc. 

In some cases, the Company collects and processes personal data, which originate (submitted / disclosed) from third parties and in particular, where applicable, from:

-        Any person authorized by the subject (e.g., where applicable, parent, lawyer, attorney, etc.).

-        The contracting party (where applicable, in the insurance contract in favor of a third party),

-        Collaborating insurance intermediaries, coordinators of insurance consultants, insurance agents, insurance brokers (network of partners of the Company),

-        Other natural or legal persons cooperating with the Company who provide services to the Company (e.g. doctors, hospitals, diagnostic centers, clinics, health centers, laboratories and other health service providers, health audit services, experts, special investigators, roadside assistance companies, damage repair companies, garages, accident care companies, other management and support companies, certified auditors and other general consultants, technical, legal, financial, etc.),

-        Other natural and / or legal persons, with whom the subject contracts in any way, when the latter joins a group insurance policy,

-        Lawyers and law firms,

-        The Bank of Greece and other banks and banking institutions,

-        Other persons involved in the insurance case.

-        Other domestic or foreign insurance companies,

-        Domestic or foreign compensation bodies.

-        Police, prosecutorial and other public authorities.

-        Registers (such as the archive of the Insurance Companies Statistics Service (Y.S.A.E.)),

-        The Auxiliary Fund for Motor Accident Liability Insurance.

14.  Data relating to minors
For the purposes hereof, minors are considered persons who have not completed the eighteenth (18th) year of age. The Company processes personal data of minors, in case a minor participates in the insurance, in the capacity of compensation beneficiary, or becomes a beneficiary himself as a third party, due to the occurrence of an insurance case, on the basis of the above legal bases for processing personal data, where applicable, and in any case, only if the respective legal conditions apply. Where data of a minor is submitted, the submitter shall declare that he or she has parental responsibility over the person.

The Company treats with particular sensitivity personal data and information belonging to minors. Thus, in such cases, the Company assures that it acts with absolute confidentiality and by taking appropriate measures to protect the data of minors, including the absence of direct marketing to minors and the abstention from automated individual decision-making, including profiling.

It is noted that when the processing of personal data is based on consent in accordance with art. 6 para. 1 (a) GDPR, in relation to the offer of information society services directly to a child, the consent provided by the minor, and consequently the processing, is lawful if the minor is at least fifteen (15) years old. In the event that the minor is under fifteen (15) years of age, such processing is lawful only if and to the extent that such consent is provided or approved by the minor's legal representative (art. 8 GDPR in combination with art. 21 of law 4624/2019).

15.  Recipients of personal data
The Company safeguards the confidentiality of personal data and, as a rule, does not transmit them to any third party (natural or legal) person, except where required and / or permitted by the applicable national and regulatory legislative framework and the legal obligations arising from it. 

Where applicable, personal data shall be communicated / transmitted to:

-        The Company's Departments (including the hierarchical head and the administrative secretarial staff), which are responsible for their processing from time to time, always in accordance with the above legal bases and for the above purposes. Indicatively, and not restrictively, the Management, the Underwriting Department, the Financial Services Department, the Back Office Department, the Risk Underwriting Department, the Actuarial Department, the Risk Assessment Department, the Claims Department, the Legal Service, the Computerization, etc. 

The employees authorized by the Company who process personal data are bound by confidentiality clauses, which ensure the confidentiality of personal data.

-        The Company's designated Data Protection Officer (DPO)

-        The Parent Company under the name "EUROINS INSURANCE COMPANY A.D.", based in Bulgaria,

-        Third parties (natural or legal persons) to whom the Company assigns the execution of specific tasks on its behalf ("Processors"). In this case and in order to ensure compliance with the requirements of the applicable legislative framework on the protection of personal data, regarding the processing to be carried out by a Processor, the Company uses only persons who provide sufficient assurances, in particular in terms of expertise, reliability and resources, to implement technical and organizational measures, including those relating to the security of processing. The execution of the processing by a Processor is carried out on the basis of explicit and clear instructions from the Company. The Processors have been instructed by the Company to process personal data on its behalf and under its clear orders and explicit instructions. The Company ensures that they are contractually bound to comply with the applicable national and regulatory legislative framework on the protection of personal data and to ensure the integrity, confidentiality and availability of the personal data processed, based on art. 28 GDPR.

-        The Company under the name "ECLAIM SETTLEMENT SERVICES SINGLE MEMBER PC", which has the status of "Processor" and processes the personal data of the subjects, for the control and evaluation of the insurance case, with a view to the restoration, approval of the payment of the insurance premium, the settlement of the insurance compensation, in case of occurrence of the insurance risk, etc., in general in the context of the proper and smooth operation, monitoring and management of the insurance contract. In the event that the Processor "ECLAIM SETTLEMENT SERVICES SINGLE MEMBER P.C." hires another processor to carry out specific processing activities on behalf of the Company, the same obligations for compliance with the applicable national and regulatory framework on the protection of personal data, as imposed on the Processor, are imposed on that other processor through contractual commitments.

-        Cooperating insurance intermediaries, coordinators of insurance consultants, insurance agents, insurance brokers (including the hierarchical head and administrative secretarial staff of the organizational unit to which the insurance partners belong). The Company informs that, in the event that an insurance intermediary, coordinator of insurance consultants, insurance agent or insurance broker changes the name and / or legal personality of his company, and after a relevant audit by the Company, the data is transmitted to this new company of the partner. In cases where an insurance intermediary, coordinator of insurance advisors, insurance agent or insurance broker requests from the Company the transfer of their portfolio to another, the data shall be communicated to the new / other insurance intermediary, coordinator of insurance advisors, insurance agent or insurance broker, to whom the former partner requests the transfer, in the context of the management, continuation and execution of the insurance contract between the Company and the subject. In the above cases, the subjects will be informed accordingly.

-        Insurance control and management companies, premium collection companies,

-        Companies managing residual values of damaged vehicles,

-        Other domestic or foreign insurance or reinsurance companies or domestic or foreign claims management organizations. 

-        Collaborating lawyers, law firms, bailiffs, debtor information companies (Law 3758/2009, as applicable),

-        Collaborating experts, special investigators, roadside assistance companies, damage repair companies, garages, accident care companies,

-        Certified auditors and consultants in general, technical, legal, financial, according to their respective competence,

-        Collaborating doctors, hospitals, diagnostic centers, clinics, health centers, laboratories and other health service providers, health control services,

-        To cooperating credit institutions and / or financial institutions, payment service providers,

-        Courier or postal service providers,

-        Providers of electronic services and network support, software, advertising companies, etc.

-        Companies providing printing, organization and delivery services,

-        To telephone service providers,

-        Companies that undertake the safekeeping, maintenance, management and / or destruction of physical records of the Company,

-        Companies engaged in research, commercial communication, evaluation of products and services, and customer satisfaction,

-        Representatives or managers of companies,

-        The Association of Professional Insurers of Greece (E.E.A.E.) and the Statistical Service of Insurance Companies (Y.S.A.E.) of H.E.A.E., for statistical purposes,

-        The Bank of Greece (Private Insurance Supervision Directorate / DEIA),

-        The competent national authority, the Independent Authority for Public Revenue (AADE) and/or the Anti-Money Laundering Authority and/or the Bank of Greece and/or, any other competent authority designated, on a case-by-case basis, in the context of the Company's compliance with the applicable legal framework on Tax Compliance of Foreign Accounts (FATCA, Law 4493/2017, as applicable),  on the prevention and suppression of money laundering and terrorist financing (Law 4557/2018, as applicable), on administrative cooperation in the field of taxation and on mutual assistance of the competent authorities of the Member States in the field of direct taxes and taxes on insurance premiums (Law 4170/2013, as applicable), on Automatic Exchange of Financial Account Information (Law 4428/2016,  as applicable), 

-        The Auxiliary Fund for Motor Accident Liability Insurance

-        The Consumer Ombudsman,

-        The General Secretariat for Consumers,

-        The Greek Information Centre,

-        The International Insurance Bureau,

-        Health districts,

-        The competent Public Financial Services (D.O.Y.), the Independent Authority of Public Revenue (A.A.D.E.), the Financial Crime Prosecution Corps (S.D.O.E.), 

-        The Hellenic Statistical Authority (ELSTAT),

-        To other competent supervisory, auditing, regulatory, independent, judicial, public and / or other authorities and bodies, public services, insurance funds, in the context of fulfilling the legal obligations of the Company, when this is permitted by the applicable national and regulatory legislative framework and / or is required for the compliance of the Company with a legal obligation and / or for the documentation, exercise or defense of legal claims.

-        To other persons involved in the insurance case,

-        To natural and/or legal persons involved, in the event of a change of ownership, corporate reorganization, merger, etc. or transfer or other disposal of the Company or part thereof.

In any case, the Company is committed to the security of each notification / transmission, so that the latter concerns only the personal data necessary for each purpose, that these data are processed only for the specific purpose of processing, and that their processing is carried out in accordance with the applicable national and regulatory legislative framework.

16.  International transfers of personal data
In principle, the Company does not transfer your personal data to third (non-EU or EEA) countries or international organizations, which do not ensure an adequate level of protection (based on an Adequacy Decision, etc.). Any transfer follows and complies with the relevant provisions of the applicable legislative framework, in particular art. 44 et seq. GDPR and measures are taken to ensure the protection, confidentiality, integrity and availability of personal data, in accordance with the rules, terms and requirements of the applicable national and regulatory framework on the protection of personal data.

In particular, the Company may transfer personal data to third (non-EU or EEA) countries or international organizations, provided that:

-        an adequate level of protection is ensured, in accordance with a decision of the European Commission, by the third country, by a territory or by one or more specified sectors within that third country or by the international organization, or 

-        appropriate safeguards have been provided for the processing, based on the applicable legislative framework,

Otherwise, if the derogations referred to in Art. 44 et seq. GDPR apply, such as, indicatively and not restrictively, a) the subject has given explicit consent, b) the transfer is necessary for the performance of a contract between the subject and the Company or for the implementation of pre-contractual measures taken at the request of the subject (e.g. insurance of a vehicle located in a third country or whose owner is a foreigner, etc.), c) the transfer is necessary for important reasons of public interest, d) the transfer is necessary for the establishment, exercise or defense of legal claims, f) the transfer is necessary for the protection of the vital interests of the data subject or of other persons where the data subject does not have the physical or legal capacity to give consent.

17.  Retention period of personal data
The Company retains personal data in a form that allows the identification of the subject, only for the time required to fulfill the respective processing purpose (limitation of storage period), otherwise for the time required by the applicable national and regulatory legislative framework and / or the exercise of legal claims and / or the defense of rights and legitimate interests. The same applies to printed or electronic files, applications, etc., which bear a signature and/or personal data of subjects.

Personal data are retained by the Company, as the case may be, in printed and/or electronic form, throughout the duration of the subject's contractual relationship with the Company and the latter's individual contractual commitments, depending on its nature, taking into account the Company's legal obligations and any legal claims that may be raised by it,  in order to justify the retention period of the personal data accordingly. 

In accordance with the general rule and subject to the applicable legislative framework, which provides for a different period of time, the data between the Company and the subjects of the insurance contract / insurance policy, as well as the data processed in the context of the operation and validity of the insurance contract [e.g. personal data, which are related to a) the monitoring, operation and smooth management of the insurance contract, b) the provision of the agreed insurance covers, c) the assessment, control, determination of the amount and settlement of the insurance indemnity, in case of occurrence of the insurance risk and / or the payment of the premium, d) the issuance and dispatch of the insurance contract and the calculation and pricing of the premium, e) the announcement of damage and the payment of the insurance premium, f) the management, evaluation and completion of complaints, etc.] are maintained, in principle, for as long as the insurance contract lasts and for a period of up to twenty (20) years from the expiration or termination in any way of the insurance contract, otherwise, in the case of damage, from the last act by virtue of which the Company's liability arose (e.g. claims for damages, settlement of claims, etc.), especially in the case where there is an unfulfilled service.

The Company, as the case may be, retains the personal data received and processed during the pre-contractual stage (e.g. in the context of submitting an offer, etc.) for a period of five (5) years, from the rejection of the relevant application for the conclusion of an insurance contract or from the termination in any other way of the pre-contractual stage, subject to the applicable legislative framework,  which provides for a different period of time. 

In addition, where applicable, personal data, which are collected and processed, in the context of electronic communication, for the service of the subjects, information and in general proper functioning of the insurance contract and / or before its conclusion and / or after its expiry, are retained only for the necessary time to achieve the purpose of their processing, as specified in the Policy,  subject to their retention to cover queries and/or issues and/or concerns that may arise at a future stage,  in particular in the context of the handling of compensation claims.

 Personal data collected during telephone service (call recording) are retained for a period of six (6) months.

In cases where the legal basis for the collection and processing of personal data is the Company's compliance with legal obligations, the data are kept for the legal period of time, as provided for by the respective applicable national and regulatory legislative framework, and, in any case, until the fulfillment of the legitimate purpose of their processing.

In cases where a claim is raised or litigation is pending or there is an indication of control by public (tax, etc.) authorities, and the personal data processed concern the data subject directly or indirectly, the above period may be extended, as the case may be, until the conclusion of the legal dispute and the issuance of an irrevocable court decision or until the conclusion of the audit, where applicable.

However, the Company applies a maximum retention period of twenty (20) years, with the possibility of extending the above period, as appropriate.

In cases where the processing of personal data is based on the consent provided, personal data is retained by the Company for as long as provided by law, depending on the purpose and type of processing, including the Company's legal obligation to retain.

18.  Technical and organizational measures
The Company takes all appropriate technical and organizational measures to safeguard technological and physical security, in accordance with the rules, terms and requirements of the respective national and regulatory framework for the protection of personal data (and in particular art. 32 GDPR).

Indicatively, the Company applies:

-        encryption techniques and measures ensuring the security of communications where possible (user interaction with the website and sending emails),

-        techniques for controlling and managing technical and logical errors,

-        a general Security Policy as well as specialized Security Policies and corresponding Procedures for the implementation of what is stated at a high level in the Security Policies,

-        a secure remote access procedure to the internal network of the Company,

-        techniques to increase the level of security of the Company's network,

-        regular updates of service infrastructure, information processing infrastructure and electronic security infrastructure with the latest security updates from suppliers,

-        installation of malware or intrusion prevention applications at end user level in all information processing infrastructures,

-        classified and controlled access to all infrastructures processing personal data and protection of credentials using encryption,

-        backup of all critical infrastructures of the Company for business continuity purposes,

-        installation of closed circuit video surveillance (only in the physical installation facilities of the infrastructures and of the physical archive, where this is provided for by law) and other infrastructures and personnel to ensure the physical security of the information processing infrastructure and the physical archive.

The Company assesses, evaluates and continuously upgrades the desired level of information security, taking additional measures on a case-by-case basis to address new threats and associated risks, and also in the context of the planned adoption, in accordance with the will of the Management, of new factors of further risk reduction.

In general, the Company shows, to the extent possible, due diligence in ensuring the integrity, confidentiality and availability of personal data. It therefore remains ready to respond validly and in a timely manner to a possible personal data breach. To this end, it adopts, updates and implements appropriate internal Policies and Procedures, in accordance with good international practices and standards.

The Company's employees who process personal data have classified and limited access only to the data necessary for the operation and completion of the processing with which they are charged, and are trained on a frequent basis in order to ensure the fair and safe protection of personal data.

In addition, the Company keeps an up-to-date record of processing activities, with the information required by art. 30 GDPR, has appointed a Data Protection Officer (DPO), based on art. 37 et seq. GDPR, and trains and sensitizes its staff on security and personal data protection issues.

The Company continuously assesses and evaluates the high level of security, taking additional measures on a case-by-case basis to address new threats and associated risks.

The Company exercises, to the extent possible, due diligence in ensuring the integrity, confidentiality and availability of personal data. It therefore remains ready to respond validly and in a timely manner to a possible personal data breach. To this end, it shall establish, adopt, update and implement appropriate internal procedures, in accordance with best practices and international standards.

19.  The rights of personal data subjects
In accordance with the applicable national and regulatory legislative framework on the protection of personal data, natural persons, as subjects of personal data, retain the following rights:

-        Right to transparent information and information on the exercise of their rights (art. 12, 13, 14 GDPR), before and during processing, i.e. the right to be informed about the processing of their personal data (as detailed in this Policy),

-        Right of access (art. 15 GDPR) to the personal data processed by the Company, i.e., the right to receive from the Controller confirmation as to whether or not the personal data concerning them are being processed and the right to receive a copy of the data concerning them, 

-        Right to rectification of inaccurate data and completion of incomplete data (art. 16 GDPR), i.e., the subjects reserve the right to request from the Company the correction of inaccurate personal data concerning them and, having regard to the purposes of processing, the right to request the completion of incomplete personal data, 

-        Right to erasure of personal data / "right to be forgotten" (art. 17 GDPR). The right is subject to conditions and subject to the Company's obligations and any legal claims for data retention, based on the provisions of the applicable national and regulatory legislative framework. The request for the deletion of some and / or all personal data may be satisfied under specific circumstances and subject to legitimate reasons for retention and continuation of processing by the Company and provided that its interests are not affected,

-        Right to restrict the processing of personal data if, either their accuracy is contested and for a period of time that allows the Company to verify the accuracy of the personal data, or the processing is unlawful and the restriction of processing is requested instead of the deletion of personal data, or the purpose of processing is missing and provided that there is no legitimate reason for the processing,  but the data cannot be deleted (art. 18 GDPR),

-        Right to portability of personal data (art. 20 GDPR). Subjects are entitled to request the receipt of their personal data, in a structured, commonly used and machine-readable format, as well as to be transmitted, under legal conditions, to another controller, provided that this does not adversely affect the rights and freedoms of others (concerns only automated processing of information and cases where the data subject provided the personal data by means of  his/her consent or if the processing is necessary for the performance of the contract between him and the Company),

-        Right to object to the processing of personal data (art. 21 GDPR), subject to legal obligations of the Company or when the processing is carried out in the context of fulfilling an overriding legitimate interest of the Company, such as objection to profiling or direct marketing,

-        Right to withdraw the consent already given (art. 7 par. 3 GDPR), which concerns the possibility of withdrawing consent at any time, for processing, which is based on consent. It is noted, in this case, that the lawfulness of the processing of personal data is not affected by the withdrawal of consent, until the moment it was revoked,

-        Right to human intervention (art. 22 GDPR), i.e., the subject has the right not to be subject to a decision taken solely on the basis of automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him in a similar way. In such cases, the Company applies appropriate measures and guarantees to protect the rights, freedoms and legitimate interests of the subject and grants him the right to human intervention, in order to receive clarifications and a reasoned response to the relevant decision, which was taken in the context of the above assessment. 

The above rights are subject to the respective restrictions and are subject to the conditions provided by the applicable national and regulatory legislative framework on the protection of personal data (art. 12 et seq. GDPR and art. 31 et seq. law 4624/2019).

Also, data subjects reserve the right to apply to the Personal Data Protection Authority (www.dpa.gr) if they consider that their personal data is being unlawfully processed or has been breached.

20.  How to exercise rights
In the context of informing the subjects about the processing of their personal data and the satisfaction of their rights, the Company refers them to the relevant Form for the Exercise of Rights (hereinafter referred to as the "Form"), through which they may easily exercise their legal rights. The Form is posted on the Company's website (www.euroins.gr) and is available, in physical form, at the Company's stores.

Any request regarding the exercise of rights, as deriving from the applicable national and regulatory framework on the protection of personal data, must be addressed in writing to the Company, through the Form, completed with the instructions mentioned therein.

In particular, it is reminded that the Company, in order to evaluate, assess and respond to the relevant request, must identify the data subject; it is therefore necessary to attach a legal document certifying identity. Where the right is exercised on behalf of the data subject by a legal representative of the data subject, a valid authorization document from the data subject must also be attached.

The Form must be sent completed, accompanied by the relevant documents, in the following ways:

-        by e-mail to dpo@euroins.gr,

-        by post to the Company's headquarters, Amfitheas Avenue no. 14 and Agioi Anargyroi no. 43, PC 17564, Palaio Faliro, Attica,

-        by personal delivery to the Company's headquarters on the above street.

Upon receipt of the Form, the Company examines and evaluates it. The satisfaction of the relevant request is subject to the conditions of the applicable legislative framework on the protection of personal data. The Company undertakes to make every effort to take the required actions within a period of thirty (30) days from the receipt of each request, unless the work related to its satisfaction is characterized by peculiarities and / or complications, on the basis of which the Company reserves the right to extend the period for completion of the actions by sixty (60) additional days. In that case, the Company shall inform the subject of the above extension within the period of thirty (30) days.

The personal data, which are provided and submitted when completing the Form, are processed by the Company exclusively for the examination, evaluation and satisfaction of the request and for the purpose of communicating with the subject for this purpose. Depending on the nature of the request, the information may be transmitted to the competent Departments of the Company and to the Data Protection Officer (DPO), designated by the Company, for its timely and valid examination.

The Company will retain the Form and the data and information contained therein for a period of five (5) years, starting from the end of the evaluation of the request and the response, subject to an extension of this period, especially in case of legal claims and in any case in accordance with the applicable legal framework.

It is noted that, in the event that the Company processes personal data in its capacity as Data Processor on behalf of a Controller, the Company sends the relevant request to the competent Controller, who is legally obliged to evaluate and satisfy the requests of the subjects. However, in this case, the Company will inform the subject accordingly. Similarly, in the event that a certain right is exercised to one of the processors on behalf of the Company, then the processor is bound by the Company to forward the request to the Company.

21.  Special cases of processing
21.1.       Processing by automated means
The Company, in order to ensure a potentially higher degree of consistency or objectivity of the decision-making process (including reducing the likelihood of human error) and to improve efficiency in the provision of its products and services, may carry out personal data processing operations with the support of automated processes (automated software, computer systems), in order to proceed to automated  decision-making, including profiling, in accordance with the applicable national and regulatory framework for the protection of personal data and especially in cases where, a) this is necessary for the conclusion or performance of a contract between the subject and the Company or b) the data subject has given explicit consent to this effect.

The performance of these operations is based in particular on mathematical and / or statistical analyses of the critical technical parameters and / or algorithms, which make it possible to safely assess each case, objectively assess the risk, integrate into a homogeneous group of risks, based on the frequency and intensity of damage, etc.

Thus, automated decision-making by the Company may be carried out, on a case-by-case basis, in order to a) check the correctness of the data and information entered in the application for the conclusion of the insurance contract, b) carry out pre-insurance control (vehicle insurability check), in the context of the registration process of the insurance contract application (e.g. search for accident history, other characteristics of the vehicles to be insured, etc.), c) decide on such an application for the conclusion of the insurance contract, d) lay down the general and special terms of the insurance contract, e) assess, examine and evaluate the risk to be assumed and place the subject in a homogeneous category of risks, f) determine the appropriate and proportionate amount of the premium and the correct pricing, g) assess damage costs.

In addition, the Company may use automated procedures, during the term of the insurance contract, in order to carry out audits, in the context of compliance with the applicable regulatory and national legislative framework, e.g., for the automatic exchange of information related to financial accounts, for anti-money laundering purposes and/or insurance fraud avoidance.

In such cases, the Company implements appropriate measures and guarantees to protect the rights, freedoms, and legitimate interests of the subject, in compliance with appropriate technical and organizational measures, in order to minimize errors, to correct any factors that could lead to inaccurate decisions, and to ensure the confidentiality, security and integrity of personal data.

In case of rejection of the relevant application, the Company makes the necessary procedural arrangements, ensuring the subject the right to human intervention, in order to check the result and receive detailed clarifications, explanations and a reasoned response to the relevant decision, which was taken in the context of the above evaluation.

21.2.       Processing in case of conclusion of an insurance contract in favor of a third party
In case a person submits to the Company personal data of third parties, it is necessary that he or she has previously duly informed them and / or secured their consent, in cases where this is required. In such cases, the signatory of the relevant application declares that he has previously duly informed them and/or obtained their consent, as appropriate.

21.3.       Processing in case of group insurance policies
In cases involving the inclusion of a person in a group insurance policy, the contracting party with the Company, as the case may be, must have previously duly informed and/or secured the relevant consent of that person (applicant / insured), in as many cases as required. It is necessary for the contracting party to duly inform the subjects (insureds), in accordance with the Policy, at the time of the application for membership and throughout the duration during which the group policy is in force. The Company remains at the disposal of the parties to support and assist in this.

22.   Specific statements of the Company


-        The subject becomes aware of the above processing, which is in accordance with the applicable regulatory and national legislative framework on the protection of personal data, exclusively for the purposes mentioned above and for purposes compatible with them.

-        The Company declares that the Policy may be modified and updated at any time in order to respond to changes in the applicable national and regulatory framework and the operational needs of the Company. The subjects will be informed accordingly.

23.  Contact
 

-        Data Controller's Details:

«INSURANCE COMPANY EUROINS SA GREEK BRANCH», Amfitheas Avenue no. 14 and Agioi Anargyroi no. 43, PC 17564, Palaio Faliro, Attica, tel.: 210.9764307, e-mail: office@euroins.gr.

-        Data Protection Officer (DPO) details: dpo@euroins.gr

-        Details of the Hellenic Data Protection Authority (HDPA, competent national Supervisory Authority): 1 – 3 Kifissias Avenue, P.C. 115 23, Athens, tel.: +30 2106475600, fax: +30 2106475628, e-mail: contact@dpa.gr

 

Last updated: May 2023