Personal Data Protection

Personal Data Protection Policy

Ethniki Insurance is committed to collecting and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), with Law 4624/2019 (Government Gazette, Series I, No 137, 29.08.2019), and with any secondary legislation/opinions/decisions issued by the Hellenic Data Protection Authority and the relevant laws.

Categories of personal data we process

Ethniki Insurance processes:

Personal data, such as identification data, contact details, payment data, insurance data necessary for the conclusion and management of your insurance contract, special category personal data, such as information concerning your health (physical condition, any incapacity or disability, medical history, medication, etc.), information related to your financial situation/assets and your investment/savings goals, data concerning your driving behaviour, in case of car insurance, etc.

Personal information collected on our website depending on the visitor’s/user’s request. Furthermore, personal data may also include your curriculum vitae, in case of expression of interest in cooperating with the Company. Where appropriate and depending on the type of request submitted, some of the aforementioned data may be submitted by the visitor/user optionally.

Online service interaction data: IP address, cookies, browser information, device data, etc., which do not reveal your identity directly.

How we collect personal data

We collect personal data:

At the time of submission of insurance applications, requests for modification/conversion/cancellation/redemption, applications for insurance benefits, applications for participation in group insurance, damage reports;
For motor insurance in particular, we collect data on accident history and information from the Insurance Companies Statistical Service archives on the basic characteristics of the vehicles to be insured;
Through our authorised officers/partners (e.g. experts);
Through affiliated service providers (e.g. hospitals, diagnostic centres);
From the visitors/users of our website, only when they provide such data voluntarily for the purpose of processing submitted electronic requests;
In the context of promotional activities intended to advance our products, in the context of expression of interest campaigns for a specific insurance programme (lead generation) and when conducting competition draws.

Purpose of processing

We describe below all the ways in which we intend to use your personal data and the legal grounds on which we rely for such processing. We also describe our legitimate interests, where applicable.

If you wish to receive clarifications on the specific legal grounds on which we rely for the processing of your personal data, you may contact us.

If you are an insurance policyholder or an insured person, we collect and process your personal data for the following purposes:

A. i) to personalise the insurance product we will recommend to you; ii) to propose an insurance offer; iii) to carry out a pre-insurance inspection, to assess the risk of an insurance contract, to determine the general and special conditions, and the appropriate premium; iv) to issue a green card on your behalf; v) to respond to a request for modification/conversion/cancellation/redemption, or a claim for insurance benefits (indemnification, periodic payment/pension, and to manage your insurance contract in general; vi) to conclude an insurance contract, vii) to process and deliver your insurance policy, including actions related to: (a) managing the payment of premiums, (b) collecting and recovering monies owed to us, (c) reimbursing premiums; viii) to process your claim in connection with the damage report, ix) to request information about your level of satisfaction with our Company’s services; x) to manage our relationship with you, including: (a) notifying you about changes to the terms and conditions or the privacy statement, (b) asking you to review our services or take part in a survey; xi) conducting an expert evaluation following a damage report. The legal basis in this case is the conclusion/performance of the insurance contract (Article 6(1)(b) of the GDPR).

B. i) to handle grievances, objections and complaints; ii) to manage and protect our Company and our website (including problem solving, data analysis, testing, system maintenance, support, reporting and data retention); iii) to ensure proper service to all our policyholders, find ways to optimise the Company’s internal processes and prevent fraud against the Company; v) to prevent and combat money laundering and terrorist financing; vi) to exchange information on financial accounts for the purposes of taxation in order to combat tax evasion; vii) to respond to a request from public/judicial authorities, independent bodies, insurance funds or the supervisory authority (the Private Insurance Supervision Directorate of the Bank of Greece), and (viii) to comply with court decisions and respond to requests from public authorities. The legal basis for this processing is the Company’s compliance with obligations imposed by the applicable legal and regulatory framework (Article 6(1)(c) of the GDPR).

C. i) to manage an application for cooperation you have submitted on our website; ii) to conduct market research; iii) to provide marketing services and present personalised information and insurance offers to you; v) to promote our products to you, only if you have explicitly stated that you wish to receive promotions, having checked the corresponding box on our website or in the consent form, which constitutes the legal basis for such processing (Article 6(1)(a) of the GDPR); vi) to give you the opportunity to participate in a draw or a competition, or to fill in a questionnaire; vii) to record telephone calls for the purposes of proving a commercial transaction after informing you and receiving your unequivocal consent. The legal basis for such processing is the explicit consent of the data subject (Article 6(1)(a) of the GDPR). Any collection and processing of special categories of data (health data) that may be required (for life and health insurance, as well as in case of traffic accidents resulting in bodily injuries), is carried out exclusively in accordance with one of the following legal grounds: a. with your explicit consent, after you have been specifically informed; b. for the purpose of complying with legal obligations imposed by employment law and social security law; c. for the establishment, exercise or defence of legal claims. If you are a supplier or a professional provider of independent services, the Company will collect and process your personal data:

A. i) in order to take all necessary steps prior to entering into a contract in the context of procedures for concluding supply or service contracts, ii) in order to implement the contract that may be concluded and perform the required administrative, tax and accounting activities. The legal basis in this case is the conclusion/performance of the contract (Article 6(1)(b) of the GDPR).

B. i) to handle grievances, objections and complaints; ii) to manage and protect our Company and our website (including problem solving, data analysis, testing, system maintenance, support, reporting and data retention); iii) to ensure proper service to all our policyholders, find ways to optimise the Company’s internal processes and prevent fraud against the Company; v) to prevent and combat money laundering and terrorist financing; vi) to exchange information on financial accounts in the field of taxation in order to combat tax evasion; vii) to respond to a request from public/judicial authorities, independent bodies, insurance funds or the supervisory authority (the Private Insurance Supervision Directorate of the Bank of Greece), and (viii) to comply with court decisions and respond to requests from public authorities. The legal basis for this processing is the Company’s compliance with obligations imposed by the applicable legal and regulatory framework (Article 6(1)(c) of the GDPR).

Συνδέσεις τρίτων

In case visitors/users of our website are redirected to websites that are under the responsibility of third parties (natural or legal persons), Ethniki Insurance shall not be held liable for the terms of the personal data protection and management policies they follow.

Who are the recipients and/or processors of your data?

During the lifetime of your insurance contract, your data will be processed by the departments responsible for risk-carrying, for managing your insurance contract, processing your requests and claims, as well as by other departments in the context of their legal functions (such as Actuaries, Legal Service, Internal Audit, Risk Management, Regulatory Compliance). In the context of the lawful execution of the insurance contract and to the extent necessary to ensure that you receive the best possible service and are provided with the services/coverages envisaged in the insurance contract, your data may also be transmitted or collected or processed for the purpose of providing services to us by the following entities or persons, acting as processors: the parent company or affiliated companies of the Group to which we belong, providers cooperating with the Company, such as insurance intermediaries, banks acting as insurance intermediaries, reinsurers, cooperating insurance companies providing coverage, collectors or premium collection companies, cooperating debtor notification companies, experts, investigators, consultants, claims management companies, health service providers in case of bodily injury as a result of a traffic accident, collaborating hospitals, clinics, nursing institutions, diagnostic centres and laboratories, health service companies, companies providing health consulting and health audit services, physicians, companies providing emergency transport/air transport/evacuation where such coverage is provided, companies providing second medical opinion, any cooperating record keeping and management companies, document destruction companies, collaborating IT companies, collaborating companies providing printing, layout and delivery services, telephone service providers.

In all such cases, those cooperating with the Company must act only on its instructions and must be specifically authorised for this purpose, and are fully bound by the confidentiality requirements and obligations provided for in the legislation governing the collection and processing of the above data. As provided by law, the Company may also disclose your data to public services, insurance funds, judicial, public and independent authorities, such as the Supervisory Authority Bank of Greece (Private Insurance Supervision Directorate), the General Secretariat for Consumers of the Ministry of Development and Competitiveness, the Consumers’ Ombudsman Independent Authority, competent Ministries, Prefectures, Regional Health Services, Customs, Tax Offices, the Financial and Economic Crime Unit, the National Organisation for Health Care Services, Police Stations, Public Prosecutors, independent audit firms, upon lawful request on their part, only where it is absolutely necessary for the protection of the Company’s legal rights or the fulfillment of its obligations. In addition, pursuant to the legislation on the exchange of information on financial accounts in the field of taxation (FATCA, Law 4493/2017: Memorandum of Cooperation between Greece and the USA, Law 4170/2013 on mandatory automatic exchange of information in the field of taxation between the Member States of the European Union (EU), Law 4428/2016: Agreement on Mandatory Automatic Exchange of Information in the Field of Taxation between OECD Member States), the Company is obliged, only if you fall within the scope of this legislation, to collect and process your personal data for the purpose of identifying you as a person subject to the above legislation; the recipient of such data is the competent Greek Authority (the Independent Public Revenue Authority) or any other competent authority that may be designated.

In case of motor insurance in particular, your personal data may be transmitted to experts, investigators, experts, cooperating companies providing emergency technical assistance and their associates, to traffic accident investigators, vehicle technical service companies, residual value management companies for damaged vehicles, to the Traffic Accident Liability Insurance Guarantee Fund, the Hellenic Information Centre, the International Insurance Office, to the IT Directorate of the Insurance Companies Association (the Insurance Companies Statistical Service archives) for the purposes of discharging their statutory responsibilities, protecting the insurance market and preventing insurance fraud; your personal data may also be transferred to other insurance companies for settlement purposes within the framework of the Agreement for Direct Settlement of Traffic Accident Claims. In the same context and for a more comprehensive risk assessment, the Company has established and follows a specific procedure when registering a motor insurance application, involving automated search of the accident history and the basic characteristics of the vehicles to be insured.

In addition, in cases where you choose the coverage of your vehicle and for optional coverages, such as against theft, fire, damage, etc., the Company may transmit your personal data to the cooperating company providing remote expert assistance software solutions, in order to handle your request. More information about the automated data processing process and the terms of use of this service can be found in the related documents below. Furthermore, your personal data may be transmitted to the cooperating roadside assistance company for the purposes of your insurance contract and to the extent necessary to provide you with the best possible service and/or to ensure compliance with any legal obligations of the roadside assistance company, which may collect and process additional personal data concerning you or injured third parties, natural persons. If included in your insurance coverage, road, medical and travel assistance, local towing of vehicles following an accident, and accident care are provided by the Greek branch of the foreign (French) insurance company AWP P&C SA (located in Agios Dimitrios, Attica, 10 Premetis Street and operates under the law as a vehicle roadside assistance company within the meaning of Law 3651/2008, as amended and in force) with which the Company has signed a reinsurance contract.

Personal data in fire insurance contracts in particular may be disclosed by the Company to cooperating companies providing emergency technical assistance.

What is the data retention period?

The Company will retain and process your personal data for as long as our contractual relationship lasts, both in paper and electronic format. In case the relationship is interrupted or terminated in any way, we will retain your personal data for as long as it is required until the limitation period of any relevant claims expires and in any case for as long as it is required under the tax legislation, the applicable legal and regulatory framework and the approved codes of conduct. The Company will also retain and process your personal data for up to five (5) years in case your application is rejected and no insurance contract is signed. It is noted that if a legal dispute between us is pending after the expiry of the aforementioned processing periods, we will retain your data until the court case is closed with a final judgment.

Processing for marketing purposes

Ethniki Insurance collects, stores and processes data to carry out targeted marketing or sales promotion activities for the Company and the companies of the Group to which it belongs, or to conduct research on the quality of the services it provides, only with the express consent of the data subjects. In the context of the aforementioned purpose, data may be transmitted to collaborating research companies and promotion companies. The data subject has the right to object to such processing at any time by sending a request to this effect to the Company at the e-mail address: parapona@ethnikiasfalistiki.gr.

Data Security

Complying with the relevant provisions of the new Regulation on the protection of natural persons with regard to the processing of personal data, the Company is committed to protecting your personal data as it considers that the security of the personal data of its customers and/or prospective customers is an important and integral part of corporate information management. To this end, the Company takes all necessary measures to ensure that your personal data are secured and protected from loss, mishandling, unauthorised access, modification or disclosure.

What are our commitments?

We are committed to keeping your data up-to-date and accurate, to store and erase them safely, not to collect and retain data that are not necessary for us, to protect your data from loss, misuse, unauthorised access or disclosure, and generally, to ensure that appropriate technical and organisational measures are in place to ensure that they are protected.

What are your rights in relation to the processing of your data?

You can exercise the following rights:

i) the right of access so that you can obtain information, upon your request, whether or not your personal data are being processed and to receive a copy of the personal data and further information on the processing carried out;

ii) the right to rectification of inaccurate personal data concerning you or to have incomplete personal data completed;

iii) the right to erasure (‘right to be forgotten’) of your personal data, provided that their processing is no longer necessary in relation to the purposes for which they were collected;

iv) the right to restriction of processing in case of doubt as to their accuracy;

v) the right to data portability, i.e. the right to receive your personal data in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller;

vi) the right to object to their processing and the right to obtain human intervention in automated processes.

Anyone interested in exercising the aforementioned rights may contact the Company in one of the following ways:

by sending an e-mail to: parapona@ethnikiasfalistiki.gr, attaching the exercise of right form, which you will find below;

by sending a letter to Ethniki Insurance, 103-105 Syngrou Avenue, 117 45, with the indication ‘GDPR’, enclosing the filled-in exercise of right form, which you will find below.

The rights are exercised at no cost to you, unless repetitive request result in administrative costs for the Company.

For any clarification regarding the submission procedure, you can contact us at tel. +30 210 90 99 777.

Should you exercise any of these rights, we will take all possible measures to satisfy your request within 30 calendar days of receipt, informing you that the request has been satisfied or stating the reasons for which it cannot be satisfied. It is noted that you may at any time withdraw your consent to the processing of your personal data and special categories of personal data collected for the purposes of the insurance contract. However, we declare that the withdrawal of your consent as well as the exercise of the right to object to the processing of your data will result in the termination of the insurance contract between us and you will no longer have coverage, as no insurance contract can operate without processing the personal data of the policyholder and/or the insured person and/or the beneficiary of the policy.

Finally, if you believe that the protection of your personal data is threatened in any way, you have the right to appeal to the Personal Data Protection Authority, using the following contact details:

Website: www.dpa.gr

Postal Address: 1-3 Kifissias Avenue, 115 23 Athens

Call Center: +30 210 647 56 00

Fax: +30 210 647 56 28

E-mail: contact@dpa.gr

Who you can contact

For any other information regarding the General Data Protection Regulation (GDPR), you can contact the Company's Data Protection Officer by e-mail at: dpo@ethnikiasfalistiki.gr.