Data Processing Information

PRELIMINARY REMARKS

In the provision of their services, RCI Life Limited and RCI Insurance Limited carry out processing of Personal Data, which is any information relating to You, the insured as a ‘Data Subject’. As you are most probably aware, the General Data Protection Regulation (GDPR) will be coming into force by the 25th May 2018, and will be directly effective in each EU Member State therefore becoming directly applicable to RCI Life Limited and RCI Insurance Limited in the processing operations concerning Personal Data. Your privacy is important to RCI Life Limited and RCI Insurance Limited, and therefore in complying with the new obligations under the GDPR, RCI Life Limited and RCI Insurance Limited are implementing changes to their policies, contracts, and procedures.

DATA CONTROLLERS, DATA PROCESSORS & THE DATA SUBJECT

RCI Life Limited and RCI Insurance Limited, both with a registered address at Level 3, Mercury Tower, The Exchange Financial & Business Centre, Elia Zammit Street, St. Julian’s, STJ 3155, Malta, are ‘Data Controllers’ that is they are the entities that determine the purpose and means of the processing of your Personal Data.
You, the insured, are the ‘Data Subject’ that is the identifiable natural person who is the subject of the Personal Data being collected and processed by the Data Controllers.
The Data Controllers, in the provision of their services, require the communication of the Data Subject’s Personal Data to third parties, referred to as ‘Data Processors’ that are natural or legal persons or entities which process the Personal Data on behalf of the Data Controllers. These Data Processors shall be primarily and where relevant entities within the Mobilize Financial Services, its business partners and where relevant, to agents of the Data Controllers, reinsurers or professional bodies concerned by the [Contract], amongst others.

PURPOSES & GROUNDS FOR PROCESSING OF PERSONAL DATA

The Data Controllers inform you that the Personal Data you disclose and any other data that is subsequently collected in pursuance of the insurance services provided by the Data Controllers shall be processed by them in accordance with the GDPR and any applicable law and regulation relating to the processing of personal data applicable during the term of the [Contract], for the following purposes:
(a) to evaluate risk and manage your application;
(b) in the case of application for the corresponding policy, in order to maintain, execute and supervise such policy;
(c) for statistical purposes;
(d) for claim handling purposes;
(e) for the purpose of preventing, detecting and suppressing insurance fraud;
(f) for any other purposes as otherwise required by law

The Data Subject is advised that the processing of Personal Data pertaining to him/her by the Data Controller is necessary for the performance of the [Contract] or in order to take steps at the request of the Data Subject prior to entering into the [Contract] and this constitutes a valid ground for the processing of the Personal Data.

DATA TRANSFERS

Personal Data shall be communicated exclusively to the entities within the Mobilize Financial Services, its business partners or any third party within the European Union and where relevant, to agents of the Data Controllers, reinsurers or professional bodies concerned by the contract, in their capacity as Data Processors. The Personal Data transfer shall be made for the purposes and on the grounds of the processing of personal data outlined herein and subject to compliance with all applicable relevant legislation, and to the required confidentiality agreements and restrictions on any further processing of such Personal Data.

PRINCIPLES RELATING TO PERSONAL DATA & DATA SUBJECT RIGHTS

Personal Data shall be processed for the abovementioned reasons both manually and by automated means, as hardcopy and/or electronically while maintaining required controls to ensure the security, protection and confidentiality of such data. No Personal Data shall be collected if irrelevant to the purpose underlying collection of Personal Data herein stated. Personal Data shall not be retained for a period longer than is necessary and allowable by law, having regard to the purposes for which it is processed. Therefore, the Data Controllers will ensure that Personal Data will only be retained to the extent that the reason justifying its collection subsists and that no other legitimate reason for its retention exists.
As the Data Subject, you have the following rights:
i. Right to request from the Data Controllers access to the Personal Data concerning you, and this only upon presenting your ID (copy of ID) / passport;
ii. Right to request from the Data Controllers the rectification of the Personal Data concerning you;
iii. Right to request from the Data Controllers the restriction of the Personal Data concerning you;
iv. Right to object to the processing of Personal Data concerning him or her by the Data Controllers;
v. Right of Data Portability; you shall have the right to obtain from the Data Controllers your Personal Data in a structured and commonly used and machine readable format in order to send them to other data controller, or to have that data directly transmitted to the other data controller by the Data Controllers where technically feasible;
vi. Right to request from the Data Controllers the erasure of the Personal data concerning you;
vii. Right to lodge a complaint with a Supervisory Authority;

The exercise and subsequent fulfilment of such rights shall be subject to applicable law and the limitations stipulated therein. Data Processors shall be obliged to assist the Data Controllers in the fulfilment of the Data Controllers’ obligation to respond to such requests made by the Data Subject.
In the provision of the service, the Data Controllers also require the collection and processing of Sensitive Personal Data. This Special Category of Data is often defined as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. In the performance of the [Contract], the Data Controllers may require the collection and processing of data concerning your health, and this as is necessary for the establishment, exercise or defence of legal claims. By signing this [Contract], you are expressly consenting to the processing of your Sensitive Personal Data by the Data Controllers, which processing shall be in accordance with this Addendum and applicable relevant law and regulation.
If you wish to exercise any of the above rights or have any queries please forward your requests to the Data Controllers’ Data Protection Correspondent ‘DPC’. Contact details of the DPC are as follows:

The Data Protection Correspondent
RCI Insurance Ltd
Level 3, Mercury Tower, The Exchange Financial & Business Centre,
Triq Elia Zammit,
St Julian’s – STJ 3155
Malta
Alternatively you can contact the Data Controllers’ Data Protection Correspondent ‘DPC’, directly via email on dataprotectionofficer-malta@rcibanque.com