Our Approach to Privacy
Personal data means any information that relates to an identified or identifiable natural person. In particular, the personal data which is processed by us is that of natural persons who are our clients (including policy holders and individuals named under a policy), contractors, employees, directors, members and/or business affiliates as well as personal data of any other individuals including but not limited to authorised representatives, employees, directors, beneficial owners and shareholders of our clients contractors and/or business affiliates, being legal entities (“you”). Gan Direct is committed to protecting your and your family’s personal information. The privacy and security of your personal information is very important to us and we want to assure you that your information will be properly managed and protected whilst in our hands.
Pursuant to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”) and The Protection of Natural Persons against the Processing of their Personal Data and the Free Movement of such Data Law of 2018 (L.125(I)/2018), as amended and other applicable data protection laws, as amended from time to time, we are required to notify you of the information contained herein.
Section 1: WHO WE ARE
We are Gan Direct Insurance Limited (“we”, “us” or “our”), we operate in Cyprus and you will know us by our brand name Gan Direct. During the course of our business relationship, we collect and process relevant personal data. We are a data controller in respect of such personal data. This means that we are responsible for determining the purposes and means of the processing of such personal data.
For the purposes of this Privacy Notice, ‘Processing’ means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, storage, use, disclosure, erasure or destruction. “Business relationship” means the provision of insurance and/or our commercial and/or business and/or other relationship with you including, but not limited to, for the provision of our services to you and the various transactions entered into between us and you from time to time.
• Any Gan Direct website that links to this Policy (“Websites”)
• Social Media or Gan Direct content on other websites;
• Mobile and other applications (“Apps”)
Section 2: WHAT INFORMATION DO WE COLLECT ABOUT YOU?
We may receive personal information about you, when you contact Gan Direct for example by doing any of the following:
• Creating a new account
• Requesting or obtaining a quote
• Purchasing a Gan Direct product from us
• Using the Websites and Apps
• Entering Gan Direct competitions
• Using live chat
• Taking part in any event organized by us
• Telephoning, texting, writing by post, fax or email, or communicating via online channels as online chat and social media.
• Apply for work to us
This information may include:
• Basic personal details such as your id or passport number, full name, address, e-mail address, telephone number(s), date and country of birth, gender, marital status, occupation
• Additional Information about your lifestyle and insurance needs, such as details of your car(s), your home, your properties, your household, your health, or your travel arrangements
• Information about your other policies, such as claims history, quotes or policies history, additional policies held, claims data
• Technical Information when using our websites or Apps such as date and time of access, Browser type/version, used operating system, URL of the previously visited website, amount of data sent;
• Information about your employment, including salary;
• Your marketing preference; and
• Car: we may collect vehicle registration details and data about your car from publicly available sources.
Special Categories of Personal Data (sensitive data)
In certain cases we collect and process special categories of personal data such as data concerning health information (for example tobacco use, current state of health, existing conditions, family or personal history in relation to some conditions). We shall process such data subject to your documented consent and/or where the processing is necessary for the establishment, exercise or defense of legal claims relevant to us.
We obtain the above from your mobile devices for driving applications and the following people:
• The main policyholder will provide most of the information we collect about health (including confirming whether hospital treatment is being sought), including on behalf of others named on the insurance policy e.g. medical screening to support a travel policy;
• Fraud prevention or law enforcement agencies may provide details to us about criminal convictions or offences;
• Witnesses to an accident may provide medical information to us if there is an investigation of a claim;
• We may use information about a child, for example, where the child is a beneficiary under a policy or if involved in an accident.
• We collect and use this information as part of your insurance quotation or contract with us, or where it is necessary for a legal obligation, or as part of the establishment or defence of a legal claim.
If during the course of our business relationship there is a change in your personal data we ask you to ensure that the above details (as and where applicable) are updated by contacting us as soon as practically possible.
Information collected from you & cookies policy
Where we have collected information directly from you it will usually be obvious what this is, as you will have given it to us. This might not be the case where we have used cookies to collect information from your computer or portable electronic devices. Please see our cookies policy for more information.
Information collected from others
We can collect information about you from others. This includes information from:
• Policyholders, Joint policyholders or policy beneficiaries. Where you are named on a policy as named additional driver or joint policyholder or a beneficiary of that policy we may collect information about you from any named policyholder. We will ask them to confirm that they have your permission to give us this information about you and we will contact you following the issuance of a policy to confirm your details and explicit take your consent.
• Fraud prevention, law enforcement or government agencies and other data sources used to prevent or detect fraud or provide details to us about criminal convictions or offences.
• Authorities in relation to regulatory issues.
• External sources such as no claims discount databases, the electoral roll and insurance comparison websites to help us decide what the risk is in selling the policy and from companies that hold information about insurance renewal dates, marital status, household residents, vehicle details, employment status and household income to help us work out which information we should provide to you about our other products and services.
Personal information about others
We may collect information about other members of your household or family or friends, for example, family members or friends who may drive your car or children who may be insured for health insurance by you.
If you give us information about another person, it is your responsibility to ensure and confirm that:
• You have told the individual who Gan Direct is and how we use personal information, as set out in this Privacy Notice; and
• You have the consent from the individual to provide that information (including any sensitive personal data) to us and for us to process it, as set out in this Privacy Notice.
SECTION 3: WHAT DO WE DO WITH INFORMATION WE COLLECT ABOUT YOU AND WHY WE MAY DO THIS?
We use your personal information in order to meet our obligations in our contract of insurance with you. We use your personal information in the following ways:
A. Provide insurance services
When you request us to provide you with a quote for one of our insurance policies or you purchase an insurance policy from us, we use information about you:
• To decide what the risk might be in selling you the policy, to quote for, and provide you with, a premium for that policy and any special terms that may apply to that policy (noting that we may use automated decision making to make this assessment – see section 9 below);
• To administer your policy and monitor the payment of instalments if you pay your premium in this way;
• To contact you about the policy (e.g. to inform you about your renewal or about any missing documents or information); and
• To provide the agreed service if you make a claim (e.g. sending an external associate or member of our staff to assist you in a roadside breakdown or accident situation or to assist you under a property damage or to provide you with medical assistance if you are injured or unwell when overseas).
We cannot provide the services unless we use the information about you in this way.
B. Do what we are required to do by law
As part of our duty as an insurer providing insurance services, sometimes we are required by law to use information about you:
• To help make sure our customers are being treated fairly (e.g. to assist our regulators where we have a legal duty to do so);
• To deal with complaints;
• To supply your personal information to databases after request from government or other authorities;
• To help prevent and detect crime (including, for example, the prevention or detection of fraud); and
• To comply with a legal or regulatory obligation.
We can use your personal information in this way because we are required to do so by law.
C. Prevent fraud occurring
Fraud has an impact on all customers as it increases costs for everyone. We use your personal information to check for signs that customers might be dishonest (e.g. if someone has behaved dishonestly in the past it may increase the risk they will do so in future).
We may use your personal information in this way because it is in our interests to detect fraud and in all our customers’ interests to ensure that they are not prejudiced due to increased premiums as a result of a few customers acting dishonestly.
D. Recover debt
If you owe us money we will use your personal information to help us recover it.
We can use your personal information in this way because it is a necessary part of the contract of insurance. We need to ensure that premiums are paid so that the majority of our customers do not suffer (e.g. through increased premiums) due to the actions of a small minority of customers.
E. To inform you about and promote products (marketing)
You can clearly indicate your marketing preferences when registering for an online account. These preferences can be revisited at any time by contacting any of our Customer service Representatives or by visiting your online account. Please see section 10 for contact details.
We may use your personal information to offer you suggestions about products and services you might want to buy. We may use external companies to do this on our behalf.
We can use your personal information in this way on the basis of your explicit consent or on the basis of the legitimate interests pursued by us. We aim to provide you with the right information at the right time, so that we may look at ways of extending our relationship that we have with you. We will always ensure that we keep the amount of your personal information that we collect and the extent of any processing to the absolute minimum to meet this legitimate interest.
Where we have a legitimate interest to do so or, where you have given us your consent, we may pass your personal information to third parties including:
• Companies that introduce our customers to products and services. We may send you marketing from them where we believe you will have an interest in their communications and / or
• External companies such as digital content providers to display adverts about our products and services.
If you are a client and you have not opted out of marketing we will send you information about our products and services by email, post, telephone or SMS unless you tell us not to. If your information has been provided to us by a third party for marketing purposes, we will rely on the documented consent (if and where applicable) you have provided to them to conduct direct marketing.
If at any time you do not wish us to use your personal information for this purpose (direct marketing), you may ask us not to do so. In such case we will no longer process your personal data to the extent that it is related to such direct marketing. See section 10 below for how to contact us. However, we will keep a note of your earlier marketing preferences for 6 years. We will not contact you unless you change your mind and tell us that you would like to receive marketing again.
F. Where your or another person’s life may be at risk
We will use your personal information to assist where your or another person’s life or health is in danger and obtaining your permission is not possible (e.g. arranging emergency medical treatment in a remote location).
G. To administer and improve our services
To administer our services, we will share information with others (including to people or organisations that may be based overseas):
• In order to enable us to process your claim or administer your insurance policy more cost effectively;
• Understand your risk to offer you our best price based on your personal information;
• To help develop our products, services and systems to deliver you a better sales and claims experience in the future;
• To understand how our prospective customers, make decisions about which insurance policy is the optimal policy;
• To remind you about the quotation obtained by us and/or its expiration date;
• Verify your identity and carry out anti-fraud checks.
We may also process your personal data to better understand you as a customer, including to determine how best to retain your custom, and to ask you to provide feedback on the service we provide to you.
We can use your personal information in this way because it is in our legitimate interests to provide the services in the most efficient way. We will always ensure that we keep the amount of your personal information that we collect and the extent of any processing to the absolute minimum to achieve this efficiency.
SECTION 4: HOW DO WE SHARE YOUR PERSONAL INFORMATION WITH OTHERS AND WHY DO WE DO IT?
We may share your personal information with third parties for the purposes mentioned in Section 3 above. Please see section 10.
You should make sure everything you tell us is correct because your records may be checked in the following circumstances:
• When you apply for insurance or work
• By police and other law enforcement agencies.
• In particular we share information with:
• Fraud prevention agencies that provide databases and services to prevent or detect fraud.
• Fraud prevention agencies will process this personal information in order to assist our prevention of fraud and money laundering, and to verify your identity and may also process your personal information in order to prevent fraud and money laundering by other people.
• Fraud prevention agencies will hold your personal information for up to 1 year, or up to 6 years if you’re considered to pose a fraud or money laundering risk.
• If we or a fraud prevention agency determine that you pose a fraud or money laundering risk, we may refuse to provide the services and / or financing you have requested.
A record of this risk will be retained by the fraud prevention agencies and may result in others refusing to provide services or financing to you. If you have any questions about this, please contact the appropriate fraud prevention agency.
• Your spouse or partner or any family member who calls us on your behalf, provided they are named on the policy or you gave us your permission to do it. Please tell us who they are when you take out your policy. If you would like someone else to deal with your policy on your behalf on a regular basis, please let us know. In some exceptional cases, we may also deal with other people who call on your behalf, but only with your permission. If at any time you would prefer us to deal only with you, please let us know.
• Other insurance companies to help settle any insurance claim or to verify that the information you have provided is correct (e.g we will check the amount of No Claims Discount you have told us with your previous insurer).
• Insurance industry bodies such as The Department of Road Transport to meet our obligations under the Road Traffic Act.
• Insurance industry databases
• Government bodies
SECTION 5: WILL WE SEND YOUR PERSONAL INFORMATION OVERSEAS?
We may send your personal information overseas to any part of the world including to countries located outside of the EEA. We carry out such transfers (i) to a recipient who is in a country which provides an adequate level of protection for personal data or (ii) to a recipient who is in a country which does not provide an adequate level of protection for persona data, under appropriate safeguards pursuant to the provisions of applicable data protections laws (e.g. under an agreement in the form of standard data protection clauses adopted by the European Commission, the form of which is available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.
In some cases, we might need to share information to carry out the services we have promised to carry out, for example if you require urgent assistance abroad. In such an urgent situation we may not always have the time to put in place the type of agreement we would normally want to. In such (occasional) cases we may carry out such transfers where (a) we have obtained the explicit consent from you in respect of the proposed transfer, provided that you have been informed of the possible risks of such transfer (due to the absence of an adequacy decision and appropriate safeguards); (b) the transfer is necessary for the performance of a contract between you and us, or (c) the transfer is necessary for the performance of a contract concluded in the interest of the data subject between us and another person or (d) the transfer is necessary for the establishment exercise or defense of legal claims.
SECTION 6: HOW LONG MAY WE KEEP YOUR PERSONAL INFORMATION FOR?
As a general rule, we will keep it for 7 years from the end of your relationship with us, as it is likely that we will need the information for regulatory reasons or to defend a claim. For example, should you wish to bring some form of legal action relating to your relationship with us, this would generally need to be done within 6 years from the end of that relationship. However, there may be exceptions where we need to keep your personal information for longer, such as where a claim has involved a minor.
We will also retain data in an anonymous form for statistical and analytical purposes, for example, to assess risk of flood damage occurring.
When you gave us information for quote purposes and you never purchase the policy, we will keep data for 1 year.
SECTION 7: WHEN CAN YOU ASK US TO STOP USING THE INFORMATION?
If we rely on your consent to collect and process your personal information, you can ask us to stop using your personal information at any time by withdrawing that consent and we will stop using your personal information for those purposes. We may rely on your consent to tell you about products or services which may be of interest to you or to use computers to make decisions about you to improve our services or develop our products (see section 9).
At any time, you can tell us to stop using your personal information to tell you about products or services that may be of interest to you or allowing computers to make decisions about you in order to improve our services or develop our products (see section 9). To find out how to do this, see section 10.
SECTION 8: WHAT HAPPENS IF YOU DON’T GIVE US SOME OF YOUR PERSONAL INFORMATION?
Where you do not provide the personal information we need in order to provide the service you are asking for or to fulfil a legal requirement, we will not be able to provide the service that you are asking us to give you.
We will tell you about why we need the information when we ask for it.
SECTION 9: WHEN DO WE USE COMPUTERS TO MAKE DECISIONS ABOUT YOU?
We will collect information about you and put this into our computer systems. The computer systems will make certain automated decisions about you which will be based on comparing you with other people. This will have an impact in terms of the level of premium or product that we offer to you or the products or services that we decide to tell you about. We may also use automated decision making to conduct an identity verification check.
For example, if you are under 25 years of age, the computer system may determine that you are more likely to have a car accident. This is because the computer system has been told that more people aged under 25 have car accidents. Another example is that, if you are under 25, the computer system may determine that you are going to be interested in a travel policy which covers high risk activity, such as skiing. Therefore, we would proactively seek to tell you about such policies as we would consider them to be of interest to you.
This is important because:
• In providing insurance services it helps us decide what price you should pay for your policy and understand any risks associated with that policy;
• In identity verification it helps us to check that you are who you say you are and to prevent others from imitating you;
• In selling you other products it helps us decide which other products might be useful to you.
We also use computer systems to carry out modelling. Sometimes using your personal information and sometimes using data in anonymised form. We conduct this modelling for a variety of reasons, for example, for risk assessment purposes to make decisions about you, such as your likelihood to claim. However, we may also use your personal information in that modelling to make decisions about how we improve and develop our products and services, or our pricing and underwriting, or to better understand how our prospective customers make decisions about which policy is the optimal policy (i.e. we are not making decisions directly about you).
SECTION 10: HOW TO CONTACT US ABOUT THIS PRIVACY NOTICE
Our Data Protection Officer is in charge of answering questions about this privacy notice or your requests to exercise your rights which are set out below. The Data Protection Office may be contacted at GAN DIRECT Insurance Ltd, 220 Arch. Makariou III Avenue, 2020 Limassol, Cyprus or via email on firstname.lastname@example.org.
You may contact us at the address above for one or more of the following reasons, which are also your rights as a data subject, pursuant to provisions of the GDPR:
1. To ask us to delete personal information about you (the “Right to be Forgotten”).
2. To ask us to correct personal data we hold about you that is wrong or incomplete (“Right to Ratification”)
3. To tell us you no longer agree to, that you object to, or that you wish to restrict us using information about you and ask us to stop (“Right to Object”).
4. To tell us to stop using your personal information to tell you about products or services that may be of interest to you (direct marketing).
5. A right of access, namely to ask us to provide you with a copy of all of the personal information that we have about you. To receive this information please write to the Data Protection Officer Team, Gan Direct Insurance Ltd, P.O. Box 51998, 3509 Limassol, Cyprus (“Right to Access”).
6. A “data portability” right, namely to obtain and reuse the information that you have provided to us for your own purposes across different services. You may ask for this information to be provided directly to you or directly to another organisation. We will provide the information in a machine-readable format so that another organisation’s software can understand that information.
7. To ask us not to use information about you in a way that allows our computer systems to make decisions about you (as explained in section 9).
Sometimes we will not be able to stop using your personal information when you ask us to (e.g. where we need to use it because the law requires us to do so or we need to retain the information for regulatory purposes).
In other cases, if we stop using your personal information, we will not be able to provide services to you, such as administering your insurance policy or servicing your claim.
We will tell you if we are unable to comply with your request, or how your request might impact you, when you contact us.
If you have any concerns about the way in which we are using your personal information, please contact our Data Protection Officer in the first instance and we will endeavour to resolve your concern. However, you do also have the right to complain about how we treat your personal information to the Office of the Commissioner of Personal Protection. The Commissioner can be contacted at:
Website or Telephone: +357 22818456 Fax: +357 22304565