Who is responsible for processing your personal data?

The information and/or personal data which you provide us including, your health data, are included in a file whose controller is:

• Identity: MAPFRE Middlesea Plc- Company Number C5553
• Post address: Middle Sea House, Triq San Publiju, Floriana, Malta FRN1442,
• Telephone: +356 21246262
• Email: mapfre@middlesea.com
• Data Protection Officer Contact: dpo@middlesea.com

For what purposes do we process your personal data?

MAPFRE Middlesea Plc shall process all the personal data voluntarily provided by the interested parties directly or through its Insurance Intermediaries, and those obtained by recording telephone conversations or as a result of browsing through Internet webpages or another medium, for the enforcement of the agreement or for a query, application, or to purchase any service or product, even after the end of the pre-contractual or contractual relationship for the following purposes:

• Management of the insurance activity and/or fulfilment of the agreement or pre-agreement as well as of the legal obligations.
• Risk assessment and delimitation, for the detection, prevention, suppression and investigation of fraud; in risk selection and claims management, irrespective of whether the insurance agreement is formalised or not and after its termination, if applicable.
• The performance of statistical studies and calculations, surveys, market trend analyses, and quality control.
• The processing, monitoring, and updating of any request for information, business, pre-contractual, or contractual relationship, of any of the various MAPFRE Group companies, and management of activity with Insurance Intermediaries.
• Maintenance and integral and centralised management of its relationship with the various MAPFRE Group companies.

All the data obtained, as well as the processing and purposes specified above are required or related to adequately maintain, implement, and control the contractual relationship.

Only to the extent that you have not expressly objected, the accepted purposes include the delivery of information and advertising, including via email, on offers, products, recommendations, services, promotional items, and customer loyalty campaigns of MAPFRE Middlesea Plc and the various MAPFRE Group companies (www.mapfre.com) or third-party companies with which any MAPFRE Group company has signed partnership agreement; data extraction and storage, and marketing surveys to adapt our commercial offers to your specific profile, both if a transaction is formalised or not, and once the existing contractual relationship ends.

In order to adequately enforce the insurance agreement and be able to offer you products and services according to your needs, on the basis of the information provided, we will create different profiles based on your interests and necessities allowing the MAPFRE Group to define business strategies, and as a result may undertake automated decisions on the basis of these profiles.

How long will we keep your personal data?

The personal data provided will be kept for the period established on the basis of these criteria: (i) legal obligation of conservation; (ii) term of the contractual relationship and service of any responsibilities derived from the said relationship; and (iii) request of removal by the interested party in the applicable cases.

What is our legal standing regarding the processing of your data?

The legal basis for the processing of your data for the purposes specified in the section “For what purposes do we process your personal data?” is the enforcement of the insurance agreement. The prospective offer of products and services included in the section “For what purposes do we process your personal data?” is based on the consent which you have given us. Under no circumstances will the withdrawal of this consent place conditions on the enforcement of the insurance agreement. You are obligated to provide us with your personal data to sign the insurance agreement. Should you fail to do so, the Company reserves the right not to sign the insurance agreement.

To whom will your data be communicated?

MAPFRE Middlesea Plc may communicate your data, including your health data and the data on the claims associated with the policies, exclusively for the purposes included in the section “For what purposes do we process your personal data?”, to other Insurance and Reinsurance Companies, Insurance Intermediaries, Financial Institutions, Real Estate Agents, and other Service Providers related to its business, belonging to the MAPFRE Group (www.mapfre.com), Subsidiaries and Investees, the Fundaciόn MAPFRE, Public Administrations, and other natural or legal persons that also conduct any of the aforementioned activities and with which the various MAPFRE Group companies enter partnership agreements, whether a transaction is formalised or not, and once the existing contractual relationship has ended, with no need to notify every first communication sent to the aforementioned recipients.

Likewise, any company that is a member of the MAPFRE Group (www.mapfre.com), subsidiaries and investees, may communicate your personal data to any of the aforementioned companies, in order to conduct integral and centralised management of the relationships between the interested parties and the various MAPFRE Group companies, and that interested parties may benefit from the possibility of accessing their data from any of them, complying in all cases with the applicable legislation on personal data protection, with no need for the interested parties to be notified of every first communication made. The communication of data between MAPFRE Group companies is necessary for the maintenance of integral and centralised management of your relationship with the Company, the application of the premium discounts, and other benefits obtained from this fact and the management of customer loyalty programmes if you subscribe to them.

As part of the communications described in the previous paragraph, international data transfers may be made to third parties or international organisations, whether there exists a European Commission decision on their adequacy or not. International transfers to countries that cannot guarantee an adequate protection level shall be made on an exceptional basis and will be made whenever they are necessary for the adequate development of the contractual relationship.

The MAPFRE Group has data protection clauses to adequately ensure the protection of your data as part of the communication and international transfer of your data in countries in which they can be applied.

What are your rights when you provide us with your data?

Under the terms and scope established in the regulations in force, any person is entitled to:

– confirm whether MAPFRE Middlesea Plc is processing personal data that concern you, and access them and the information related to their processing.
– request the rectification of inaccurate data
– request the removal of data, among other reasons, when they are required for the purposes for which they were collected, in which case the Company will cease to process the data except for the filing of or defence against potential claims.
– request the limitation of the processing of your data, in which case they will only be processed with your consent, with the exception of their storage and use for the filing of and defence against claims or for the protection of the rights of another natural or legal person or for reasons of significant public interest in the European Union or in a certain Member State.
– object to the processing of your data, in which case, MAPFRE Middlesea Plc shall cease to process your data, except for the defence against potential claims.
– receive, in a structured, widely-used format that can be machine readable, the personal data that concern you and that you have provided to the Company or request that MAPFRE Middlesea Plc transfers them directly to another controller when technically possible.
– withdraw the consent granted, if applicable, for the purpose specified in the section “What do we use your personal data for?”, without affecting the lawfulness of the processing based on consent prior to withdrawal.

The aforementioned rights of access, rectification, erasure or right to be forgotten, restriction of processing, portability, objection, and the right to object to automated individual decision making may be directly exercised by the data owner or its legal or voluntary representative, through a written communication sent to the Rights Management Bureau on rmb@middlesea.com

The Data Subjects may file a claim with the Office of the Information and Data Protection Commissioner or through https://idpc.org.mt, particularly if they feel that the concerns raised with the Company in the exercise of its rights, have not been successfully answered.