Data Processing Information
GENERAL DATA PROTECTION AND DATA PROCESSING INFORMATION
PRELIMINARY REMARKS
In the provision of their services, RCI Life Limited and RCI Insurance Limited (the ‘Insurers’) carry out processing of Personal Data, which is any information relating to you, the Insured, as a ‘Data Subject’. As you are most probably aware, the General Data Protection Regulation (GDPR) came into force on the 25th of May 2018 and is directly effective in each EU Member State; it is therefore applicable to RCI Life Limited and RCI Insurance Limited in their processing operations concerning Personal Data.
- DATA CONTROLLERS, THE DATA SUBJECT, DATA PROCESSORS & OTHER RECIPIENTS
RCI Life Limited and RCI Insurance Limited, both with a registered address at Level 3, Mercury Tower, The Exchange Financial & Business Centre, Elia Zammit Street, St. Julian’s, STJ 3155, Malta, are ‘Data Controllers’, that is, they are the entities that determine the purpose and means of the processing of your Personal Data. RCI Life Limited and RCI Insurance Limited are your first point of contact for any questions you may have about data protection or if you would like to exercise your rights under GDPR (contact details below). Your inquiries will then be handled and answered by us. If you wish to learn more about the responsibilities of the Insurers and the Data Controllers, please contact us.
You, the Insured, are the ‘Data Subject’, that is, the identifiable natural person who is the subject of the Personal Data being collected and processed by the Data Controllers.
The Data Controllers, in the provision of their services, may require the communication of the Data Subject’s Personal Data to third parties, referred to as ‘Data Processors’, which are natural or legal persons or entities that process the Personal Data on behalf of the Data Controllers. These Data Processors shall be primarily other entities within the RCI Banque (Mobilize Financial Services) group, relevant third-party service providers, intermediaries and ancillary intermediaries.
Besides that, the Data Controllers require the communication of the Data Subject’s personal data to other third parties, referred to as ‘Recipients’. ‘Recipients’ are all other natural or legal persons who receive the Data Subject’s Personal Data from the Data Controllers in the provision of their services and performing the insurance contract such as business partners and agents of the Data Controllers, reinsurers or professional bodies concerned by the insurance contract, amongst others.
- PURPOSES & GROUNDS FOR PROCESSING OF PERSONAL DATA
We process your personal data in compliance with the GDPR as well as any further relevant statutory provisions. Should we intend to process data for a purpose other than that for which your personal data has been collected according to this document, we will only do so in accordance with applicable data protection law.
- Conclusion of insurance contract
We process your personal data to assess the risk that is to be insured and to confirm your insurance coverage. Data marked as mandatory in the application form is either required by law or necessary to confirm your insurance coverage. Failing to provide the data may have legal or economic disadvantages for you, because we cannot confirm your insurance coverage or perform our obligations under the insurance without processing your personal data.
This processing is based on Art. 6 (1) (b) GDPR (contractual purposes).
For this purpose, we process the following categories of personal data: Identification, authentication, and contact data e.g., your full name, address and other contact details, date of birth, tax identification number, other master data and financing contract data (e.g., contract details and vehicle data).
Recipients of your data: Other companies within the RCI Banque (Mobilize Financial Services) group, car dealers affiliated to the Renault group; IT service providers; software manufacturers.
- Performance of contractual relationship
We process your personal data as necessary for the performance of the contractual relationship, in particular to fulfil our obligations under the insurance contract. Data processing is necessary to provide customer service, to assess whether an insured event has occurred, to calculate the amount of the insurance benefit and for contract termination.
This processing is based on Art. 6 (1) (b) GDPR (contractual purposes).
For this purpose, we process the following data: Identification, authentication, and contact data (e.g., your full name, address, and other contact details), ID / Passport, civil status, date of birth, tax identification number, employment data, bank account details, social security number, health data, medical reports, police reports, convictions.
Recipients of your data: Other companies within the RCI Banque (Mobilize Financial Services) group, claims handlers / Third Party Administrator (TPA) and TPA subcontractors, regulatory authorities, external law firms, IT service providers; software manufacturers; payment service providers.
- Insurance-specific statistics
We process your personal data for the creation of insurance-specific statistics. The data processing is particularly necessary for business management monitoring as well as for pricing and for optimising our products.
This processing is based on Art. 6 (1) (f) GDPR (legitimate interest). We thereby pursue our legitimate interest in monitoring our customer relationships for business management and pricing and for optimising our products.
For this purpose, we process the following categories of data: date of birth, claims data (e.g., health data, medical reports, police reports, convictions, employment data), other master data and financing contract data (e.g., contract details and vehicle data).
Recipients of your data: Other companies within the RCI Banque (Mobilize Financial Services) group, regulatory authorities, IT service providers; software manufacturers.
- Statutory regulations
We also process your personal data to comply with statutory regulations. For this purpose, we may transmit your personal data to public bodies, e.g., for the fulfilment of our legal reporting obligations (i.e., fiscal authorities, data protection authorities and financial supervisory authorities).
This processing is based on Art. 6 (1) (c) GDPR.
For this purpose, we process the following categories of data: Identification, authentication, and contact data (e.g., your full name, address, and other contact details), date of birth, other master data and financing contract data (e.g., contract details and vehicle data), data from the fulfilment of our contractual obligations (e.g., performance data and claims data (including health data)).
Recipients of your data: Regulatory authorities.
- Fraud and criminal offence prevention and detection
We process your personal data to prevent and to detect criminal offences and fraud. We use data analysis to identify details that could indicate fraud (e.g., in connection with the claims management process).
This processing is based on Art. 6 (1) (f) GDPR as we thereby pursue our legitimate interest in protecting our assets.
For this purpose, we process the following categories of data: Identification, authentication, and contact data (e.g., your full name, address, and other contact details), date of birth, information related to your professional activity and the source of wealth and funds.
Recipients of your data: Other companies within the RCI Banque (Mobilize Financial Services) group, claims handlers / Third Party Administrator (TPA) and TPA subcontractors, regulatory authorities, external law firms, IT service providers; software manufacturers; payment service providers.
- Legal proceedings and disputes/complaints
We process your personal data for the establishment, exercise, or defence in case of legal proceedings and/or other disputes/complaints (especially insofar as this is necessary in case of court proceedings).
This processing is based on Art. 6 (1) (f) GDPR as we thereby pursue our legitimate interest in protecting our interests in legal proceedings and/or other disputes/complaints.
For this purpose, we process the following categories of data: Identification, authentication, and contact data (e.g., your full name, address, and other contact details), ID / Passport, civil status, date of birth, tax identification number, employment data, bank account details, social security number, health data, medical reports, police reports and convictions.
Recipients of your data: Other companies within the RCI Banque (Mobilize Financial Services) group, external law firms, regulatory authorities.
- Maintenance and implementation of IT systems and services
We process your personal data to keep our IT systems and services safe and secure.
This processing is based on Art. 6 (1) (f) GDPR (legitimate interest). We thereby pursue our legitimate interest in ensuring the security, functionality and reliability of IT systems and services.
For this purpose, we process the following categories of data: Identification, authentication, and contact data (e.g., your full name, address, and other contact details), other master data and financing contract data (e.g., contract details and vehicle data), claims data (including health data).
Recipients of your data: IT service providers; software manufacturers.
- DATA TRANSMISSIONS
Personal Data shall be communicated exclusively to the entities within the Mobilize Financial Services group, its business partners or any third party within the European Union and where relevant, to agents of the Data Controller, reinsurers or professional bodies concerned by the contract. The Personal Data transfer shall be made for the purposes and on the grounds of the processing of personal data outlined herein and subject to compliance with all applicable relevant legislation, and to the required confidentiality agreements and restrictions on any further processing of such Personal Data.
The Data Subject’s Personal Data will only be disclosed to Recipients by the Data Controllers if this proves necessary for the purpose of performing the insurance contract, if we are required to do so by law, if a legitimate interest exists in such a disclosure or if the Data Subject has given their consent. In each individual case, the Data Controllers only disclose the Data Subject’s Data to the extent necessary for each specific purpose, or as required under the relevant legal provision, in line with any legitimate interest or, in the case of consent, as specified by the Data Subject.
- DATA TRANSFERS OUTSIDE THE EEA
Your data is processed in the European Economic Area (EEA). However, if in the future your personal data should be processed by our service providers located in countries outside the EEA, we will inform you of this. In such a case, we will pay particular attention to ensuring that the transfer is made in accordance with the applicable regulations and put in place safeguards ensuring a level of protection of your privacy and your fundamental rights equivalent to that offered by the European Union.
- PRINCIPLES RELATING TO PERSONAL DATA / DATA RETENTION & DATA SUBJECT RIGHTS
Personal Data shall be processed for the abovementioned reasons as hardcopy and/or electronically while maintaining required controls to ensure the security, protection, and confidentiality of such data. No Personal Data shall be collected if irrelevant to the purpose underlying collection of Personal Data herein stated. Should we intend to apply automated processing of Personal Data, including profiling, this will be clearly explained to you, detailing the parameters taken into account in the processing and the data used for this purpose.
Personal Data shall not be retained for a period longer than is necessary and allowable by law, having regard to the purposes for which it is processed. Therefore, the Data Controllers will ensure that Personal Data will only be retained to the extent that the reason justifying its collection subsists and that no other legitimate reason for its retention exists.
As the Data Subject, you have all the rights mentioned in Articles 12 – 23 GDPR, including the following:
- Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (only applicable if data processing is based on consent),
- Right to request from the Data Controllers access to the Personal Data concerning you,
- Right to request from the Data Controllers the rectification of the Personal Data concerning you,
- Right to request from the Data Controllers the restriction of the Personal Data concerning you,
- Right to object to the processing of your Personal Data by the Data Controllers; if we process your personal data to pursue our legitimate interests, you can object to processing, in so far as there are reasons that arise from your specific personal situation,
- Right of data portability; you shall have the right to obtain from the Data Controllers your Personal Data in a structured, commonly used and machine-readable format in order to send them to another data controller, or to have that data directly transmitted to the other data controller by the Data Controllers where technically feasible,
- Right to request from the Data Controllers the erasure of the Personal Data concerning you in certain cases,
- Right to lodge a complaint with a Supervisory Authority.
The exercise and subsequent fulfilment of such rights shall be subject to applicable law and the limitations stipulated therein. Data Processors shall be obliged to assist the Data Controllers in the fulfilment of the Data Controllers’ obligation to respond to such requests made by the Data Subject.
If you wish to exercise any of the above rights or have any queries, please forward your requests to the Data Controllers’ Data Protection Officer ‘DPO’.
- DPO CONTACT DETAILS
The Data Protection Officer of RCI Insurance Limited and RCI Life Limited
Level 3, Mercury Tower, The Exchange Financial & Business Centre, Triq Elia Zammit, St Julian’s – STJ 3155 Malta.
Email: dataprotectionofficer-malta@rcibanque.com