Main menu

Products

General Insurance Business Products

 

Long-term Insurance Business Products

Main menu

Insurance for your business

Insurance for your business

Employee Benefits

Employee Benefits

Main menu

MAPFRE Middlesea Services

MAPFRE Middlesea - Services

GET A QUOTE

MAPFRE Middlesea - Services

CLAIM YOUR INSURANCE & ASSIST SERVICES

MAPFRE MSV Life

MAPFRE MSV Life - Services

Main menu

About us

About us Middlesea

About us MSV Life

About MAPFRE Company
Main menu

Contact Us

MAPFRE Middlesea

MAPFRE MSV Life

Main menu

News

News

Blog

Additional Data Protection Information – 2nd layer

Who is responsible for processing your personal data?

1. Data controller and contact details

Data controller: The data controller for the information and/or personal data that you provide to us, including, where appropriate, health-related data, is:

  • Name:                                                                                                 MAPFRE Middlesea Plc
  • Company Registration No.                                                       C-5553
  • Mailing address:                                                                            Triq San Publiju, Floriana FRN 1442
  • Data Protection Officer contact information:                 dpo@middlesea.com

Joint controllers: For certain processing detailed in section 4. Purposes and Legitimate basis, MAPFRE Middlesea Plc (The Company) will jointly process your data with that from MAPFRE MSV Life Plc, under the terms detailed in section 9. Joint control among MAPFRE Group companies.

 

2. Personal data categories

The data processed by MAPFRE Middlesea Plc are:

  • Data collected directly from the data subject.
  • Data obtained from sources other than the Data Subject and for which more detail is provided in section 3. Origin of personal data and/or in section 4. Purposes and legitimate basis.

The categories of data that will be processed by The Company, as applicable, are the following:

  • Identification data: ID card, postal or e-mail address, image (in video or other format), voice, Social Security or National Insurance
  • Number, telephone, names and surnames, signature, electronic signature, health card, IP.
  • Data related to the item to be insured: Vehicle Registration number, postal address, address of the property to be insured and other data.
  • Data relating to personal characteristics: marital status, date of birth, place of birth, age, gender, nationality.
  • Data related to social circumstances: Characteristics of accommodation, housing, property, possessions, hobbies and lifestyles, membership in clubs and associations, licenses, permits and authorizations.
  • Economic, financial, and insurance data: Income, revenues, investments, assets, credits, loans, guarantees, bank details, pension plans, retirement, payroll data, tax/tax deduction data, insurance, mortgages, subsidies, benefits, credit history, credit cards, history of claims and insured risks, data relating to non-compliance with monetary, financial or credit obligations.
  • Data related to transactions of goods and services: Goods and services provided by the affected party, goods and services received by the affected party, financial transactions, compensations/indemnifications.
  • Data related to commercial information: Activities and businesses, commercial licenses, subscriptions to publications or media, artistic, literary, scientific, or technical creations of which the Data Subject is the owner.
  • Academic and professional information: Education, qualifications, professional experience, membership in professional associations.
  • Data related to employment details: Profession, job positions.
  • Specially protected data: data relating to the health of the data subject.

Not all the data categories listed above are used for all the data processing detailed in section 4. Purposes and Legitimate. Additionally, where processing is based on your consent, you will be informed of the specific categories of data being processed in section 4. Purposes and Legitimate basis.

 

3. Origin of personal data

MAPFRE Middlesea Plc will process personal data relating to the Data Subject from the following sources:

(i) Provided directly by the Data Subject.
(ii) Facilitated by an insurance intermediary.
(iii) MAPFRE MSV Life Plc with which you maintain or have maintained a contractual relationship or from which you have requested to take out an insurance policy.
(iv) Other companies with which we have cooperation agreements, whether they belong to the MAPFRE Group or not, that you have authorized to share your personal data with MAPFRE Middlesea Plc.
(v) The Malta Insurance Fraud Platform with the aim to prevent, detect, suppress, and/or prosecute insurance fraud. The platform is administered on behalf of MAPFRE Middlesea Plc and other motor insurers by the Insurance Association of Malta (IAM). https://maltainsurance.org/?s=Malta+Insurance+Fraud+Platform in accordance with the information in section “9. Information on common files”
(vi) Databases of external origin obtained from public sources that will only be used for the purpose for which they were created, such as those related to geographic, socio-demographic, and statistical data.
(vii) Data sources supplied by providers, if their legality has been verified and that have been analysed for compliance with the purposes for which they are to be used.
(viii) Professionals or service providers that provide information on the valuation or appraisal of real estate, vehicles, or other private property, as well as all kinds of assets. Providers of the services covered by the policies or recommended, vetted service providers, including health professionals and centres, vehicle repair shops, motor vehicle assessors, loss adjustors, home repair professionals or companies, appraisers, or other similar professionals, as appropriate.
(ix) Data that has been made manifestly public and is freely accessible to third parties.

 

4. Purposes and Legitimate basis for processing

A) The following are the different purposes for which MAPFRE Middlesea Plc processes the persona data of Data Subjects who request an insurance quotation or take out and insurance policy:

i. Processing carried out to apply pre-contractual and other underwriting measures:

a. Management and evaluation of the insurance application to determine its acceptance and/or repudiation. For this purpose, MAPFRE Middlesea Plc may consult the data of the Data Subject indicated in section “9. Information on common files.”

b. Application of benefits, discounts and other advantages that correspond to you as a MAPFRE customer, for which we will consult your data with other insurers and with other MAPFRE Group companies to verify your customer status and identify what other products you have contracted.

c. Referral, maintenance, and follow-up of the insurance offer (quotation) during its term.

d. Evaluation of the economic solvency of the data subject for which information on the non-fulfilment of its monetary, financial or credit obligations may be obtained from common credit information systems.

 

ii. Processing carried out in compliance with MAPFRE Middlesea Plc’s legal obligations:

a. Assessment, selection, and pricing of risks associated with the contracting request made, including where applicable, compliance with Subsidiary Legislation 586.10, Processing of Data concerning Health for Insurance Purposes Regulations.

It involves the elaboration of a risk profile about you based on the data you have provided to us, in consultation with the Malta Insurance Fraud Platform and statistical and socio-demographic data, supported by predictive models that allow, based on past events and future calculations, taking as a reference the behaviour of other similar insured parties, to determine the risk profile (the possibility of suffering a loss) in order to assign the premium as close as possible to the probability.

Data Subjects may be exposed to automated individual decision-making throughout this process.

b. Application of due diligence measures for the prevention of money laundering and terrorist financing, all the above, in compliance with the Prevention of Money Laundering Act (Cap.373 of the Laws of Malta) and Subsidiary Legislation Prevention of Money Laundering and Funding of Terrorism Regulations (Subsidiary Legislation 373.03).

c. If applicable, the confidential completion of health questionnaires and collection of risk assessments on the Data Subject by medical / health professional, hospital, health centre or clinic, that has intervened in the health benefit or assistance, all in compliance with any applicable legislation.

d. Communication of information to authorities, regulators, or governmental bodies upon request.

e. Prevent, investigate and/or uncover fraud, within the remit of the Civil Code, Chapter 16 of the Laws of Malta. This processing involves the verification of the accuracy and validity of the documents and identification data provided by you to prevent identity theft and fraudulent access and operations.

At no time are automated individual decision-making processes undertaken.

 

iii. Processing carried out based on legitimate interest:

a. Centralized management of your data through IT, organizational and administrative resources (computer applications, servers, etc.) in your relationship with MAPFRE Group companies, for which it will be necessary to communicate the data. The legitimate interest pursued by MAPFRE Middlesea Plc consists of the efficient management of the resources necessary for the provision of the service.

b. Perform statistical studies to segment and analyse the business in an aggregated way. To this end, the minimum necessary data are processed by applying statistical techniques. The legitimate interest pursued by MAPFRE Middlesea Plc is to be able to know its business and identify market trends.

c. Anonymize data for the purpose of statistical studies and propensity modelling. The legitimate interest pursued by MAPFRE Middlesea Plc consists of improving the processes required to provide the service.

 

iv. Processing carried out based on consent. Provided that you have given us your consent by any means, including electronically, we will process your data for the following purposes:

a. To follow up and send an updated proposal of the request for a quotation, or initial insurance contract, after the expiry of the period of validity where applicable. To calculate and send the new proposal, we will process the personal data you have provided to us in connection with your initial request under the same terms detailed in section 4.A).

b. To send personalized sales communications by any means, including electronic and web-based, about products and services, discounts, gifts, promotions, and other advantages promoted by MAPFRE MSV Life Plc as a joint controller.

To personalize these communications, we will create a sales profile that, based on the analysis of your personal data, allows us to deduce and identify those products and services that may be of interest to you.

Below is an overview of how we do this:

  • Firstly, based on the data you have provided to us, as well as those that have been generated during your commercial or contractual relationship with MAPFRE, we compare you to an aggregate set of users who share similar characteristics (lifestyle, demographic and geographic circumstances, relationship with MAPFRE) and who have previously shown interest in or successfully purchased other products.
  • Secondly, we apply statistical calculations or algorithms, along with anonymization and pseudonymization methods, which allow us to find relationships between you and this set of users and to intuit based on past behaviour, or future scenarios, the products, services, and offers that we suggest to you.

At no time we will carry out automated individual decision-making.

Refusing this processing does not prevent, limit, or condition MAPFRE Middlesea Plc from sending you non-personalized commercial communications based on its legitimate interest as indicated in section 4. Purposes and legitimizing basis for processing A), iii.

Data processed for this purpose includes personal characteristics, identifying, economic, and insurance data;

This processing will be carried out by the MAPFRE MSV Life Plc, on a joint controller basis in accordance with the provisions on joint control processing in section 10. Joint control among MAPFRE Group companies.

c. To personalize and customize offers, information, prices, and services by analysing and evaluating personal data provided by third parties, from external public or private sources, to better understand your characteristics, preferences, or consumption needs.

Data processed for this purpose includes personal characteristics, identifying, economic, and insurance data.;

d. To send non-personalized commercial communications from the rest of the MAPFRE Group companies by any means, including electronically, about products and services, discounts, promotions, and other advantages of the MAPFRE Group and other collaborating companies. For this purpose, your data will be communicated by MAPFRE Middlesea Plc to MAPFRE MSV Life Plc.

 

B) The following are the different purposes for which MAPFRE Middlesea Plc processes the personal data of Data Subjects who are taking out an Insurance Policy:

i. Processing carried out to execute the contract:

a. Maintenance and execution of the insurance contract.
b. Application of benefits, discounts, and other advantages that correspond to you as a MAPFRE customer.
c. To manage claims and benefits, including damage appraisals, assessments and valuations in case of material and pecuniary damage, and medical reports wherever required, for which it will be necessary to exchange personal, financial and health data with the Companies and Medical Professionals, Hospitals and Clinics providing the services covered by the policies identified in section 3. Origin of personal data and section 5. Recipients of personal data.
d. To carry out the necessary verifications and investigations to determine and, if applicable, pay the indemnification to the Data Subject.
e. Communications and notifications related to maintaining and executing the contract by any means, including electronically.
f. To enter into a reinsurance agreement, for which purpose the Data Subject’s information must be communicated to reinsurance companies.
g. To determine the health care and compensation to be provided to the injured party when they are to be paid.
h. Adequate payment to health care providers or reimbursement to the Insured or their beneficiaries of the health care expenses incurred within the scope of the insurance contract.
i. In the case of group insurance, basic information on the identity of the Insured and that related to the insurance contract may be communicated to the Policyholder who has taken out the policy to inform them which persons are being covered at any given time.

ii. Processing carried out in compliance with MAPFRE’s legal obligations

a. To manage the resolution of complaints and conflicts that may arise between Policyholders, Insured Parties, Beneficiaries, injured third parties, or any of their rightful claimants, all in compliance with any applicable regulations.
b. To keep the accounting books, as well as the records of accounts, claims, technical provisions, investments, reinsurance and policy contracts, endorsements and cancellations issued, all in compliance with CAP 403, Insurance Business Act and any applicable regulations.
c. Communication of information to authorities, regulators or governmental bodies that request it.
d. To exchange information amongst MAPFRE Group insurance companies to comply with their supervisory obligations, in compliance with applicable regulations.
e. Periodic evaluation of the suitability or appropriateness of the insurance product contracted and sending information on costs, associated expenses, and return on investment, all in compliance with Article 29 of the Insurance Distribution Directive.
f. To issue to the owner of the vehicle and the policyholder of the insured vehicle a certificate accrediting the claims corresponding to the last five years of insurance.
g. Prevent, investigate, and/or uncover fraud, within the remit of the Civil Code, Chapter 16 of the Laws of Malta.

  • the development of a fraud profile on the Data Subject consisting of applying mathematical models to the data collected that predict the likelihood that, based on available historical data, there may be a tendency to commit fraud that impacts our legal obligations as an insurer.
  • Verify the accuracy and validity of the documents and identification data provided by you to prevent identity theft and fraudulent access and operations.

At no time are automated individual decision-making.

iii. Processing carried out based on the legitimate interest of MAPFRE Middlesea Plc:

a. Carrying out non-personalized commercial and/or advertising actions or communications, by any means, including electronic, related to products and services, discounts, gifts, promotions, and other advantages of MAPFRE Middlesea Plc like those contracted. The legitimate interest pursued by the Company is to ensure the loyalty of your relationship with us.
b. Centralized management of your data through IT, organizational, and administrative resources (computer applications, servers, etc.) in your relationship with MAPFRE Group companies. The legitimate interest pursued by MAPFRE Middlesea Plc consists of the efficient management of the resources needed to provide the service.
c. Perform statistical studies to segment and analyse the business in an aggregated way. To this end, the minimum necessary data are processed by applying statistical techniques. The legitimate interest pursued by MAPFRE Middlesea Plc is to be able to know its business and identify market trends.
d. Conduct quality and satisfaction surveys, including electronically, on the products and level of service provided by MAPFRE Middlesea Plc. The legitimate interest pursued by the Company of improving the portfolio of products and the provision of services.
e. Anonymize data for the purpose of statistical studies and propensity modelling. The legitimate interest pursued by MAPFRE Middlesea Plc consists of improving the processes required to provide the service.

 

iv. Processing carried out based on any consent you have given:

a.To send personalized sales communications by any means, including electronic and web-based, about products and services, discounts, gifts, promotions, and other advantages of MAPFRE MSV Life Plc identified in this document as a joint controller and collaborating companies. To personalize these communications, we will create a sales profile that, based on the analysis of your personal data, allows us to deduce and identify those products and services that may be of interest to you.

Below is an overview of how we do this:

  • Firstly, based on the data you have provided to us, as well as those that have been generated during your commercial or contractual relationship with MAPFRE, we compare you to an aggregate set of users who share similar characteristics (such as lifestyle, demographic and geographic circumstances, relationship with MAPFRE) and from whom you have previously shown interest in or successfully purchased other products.
  •  Secondly, we apply statistical calculations or algorithms, along with anonymization and pseudonymization methods, which allow us to find relationships between you and this set of users and to intuit based on past behaviour, or future scenarios, the products, services, and offers that we suggest to you.

At no time we will perform automated individual decision- making.

Refusing this processing does not prevent, limit, or condition MAPFRE Middlesea Plc from sending you non-personalized commercial communications based on its legitimate interest as indicated in section 4. Purposes and legitimate basis for processing, B), iii.

Data processed for this purpose includes personal characteristics, identifying, economic and insurance data.

This processing will be carried out by MAPFRE MSV Life Plc, on a joint controller basis and in accordance with the provisions on joint control processing in section 10. Joint control among MAPFRE Group companies.

b. To send non-personalized commercial communications from the rest of the MAPFRE Group companies by any means, including electronically, about products and services, discounts, promotions, and other advantages of the MAPFRE Group and other collaborating companies. For this purpose, your data will be communicated by MAPFRE Middlesea Plc to MAPFRE MSV Life Plc.

5. Storage periods for personal data

MAPFRE will apply the following criteria to determine the period during which Data Subjects’ Data will be retained:

A) If the Data Subjects have not yet taken out an insurance policy:

a. In general, the data will be kept for as long as the insurance offer made in response to your request remains in force where applicable.
b. However, the data will be kept for a period of 24 months from the end of the term of the offer, where applicable, to prevent, investigate, and/or detect fraud in contracting, in the terms indicated in section 4. Purposes and legitimate basis for processing.
c. Quotations or initial insurance contract offers may be followed up and updated, with the data kept and processed for this purpose for 24 months from the end of the validity of the quotation or contract offer where applicable, without prejudice to the possibility of revoking said consent under the terms set forth in paragraph 7. Data protection rights.
d. If the Data Subjects have given their consent to receive commercial communications about MAPFRE Group products or those of third parties by any means, including electronically, the data will be kept and processed for this purpose for a period of 24 months after the consent was given and without prejudice to the possibility of revoking it under the terms set forth in paragraph 7. Data protection rights.
e. Once the data becomes unnecessary for the purposes, it will be blocked and kept exclusively to be made available to the competent public authorities, judges and courts or the public prosecutor’s office to pursue any possible liabilities arising from the processing, as well as to exercise and defend claims before the Office of the Commissioner for Information and Data Protection Commissioner, during the periods legally established for such purposes.

B) If the data subjects have taken out an insurance policy:

a. In general, personal data will be retained for as long as the Data Subjects maintain their contractual relationship with MAPFRE and based on the legal storage obligations.
b. However, the data will be kept for a period of 10 years from the date of the last transaction to prevent, investigate and/or detect fraud in contracting and during the term of the insurance contract, in the terms indicated in section 4. Purposes and legitimate basis for processing.
c. If the Data Subjects have given their consent to receive commercial communications about MAPFRE Group products or those of third parties by any means, including electronically, the data will be kept and processed for this purpose for a period of 24 months after the end of the contractual relationship and without prejudice to the possibility of consent being revoked under the terms set forth in paragraph 7. Data protection rights.
d. Once the data becomes unnecessary for the aforementioned purposes, the data will be stored solely to cover any liabilities arising from such relationship and to make them available to the competent public authorities, judges and courts or the public prosecutor’s office to pursue any possible liabilities arising from the processing, as well as to exercise and defend claims before the Office of the Information and Data Protection Commissioner, during the periods legally established for such purposes.

 

6. Recipients of personal data

MAPFRE will communicate the Data Subjects’ data for the purposes described in section 4. Purposes and legitimate basis of processing exclusively to the following recipients or categories of recipients:

1. Public and Competent Authorities, the Financial Intelligence Unit, Malta Financial Services Authority, the Commissioner for Inland Revenue, Judges, and Courts amongst others, whenever MAPFRE Middlesea Plc is legally required to provide your Personal Data.
2. Other insurers and reinsurers, for the exclusive purpose of entering into coinsurance and reinsurance contracts.
3. In the case of Group Life Assurance and Group Health schemes, basic information on the identity of the Insured and that related to the insurance contract may be communicated to the Policyholder who has taken out the policy to inform them on the Data Subjects being covered by the policies at any given time and under what conditions.
4. The Malta Insurance Fraud Platform administered by the Insurance Association Malta with the objective to prevent, detect, suppress, and/or prosecute insurance fraud.
5. MAPFRE Group companies for the application of benefits, discounts and other advantages to which you are is entitled as a MAPFRE customer, compliance with supervision and solvency obligations, prevention, investigation and/or discovery of fraud, and centralized management of IT, organizational and administrative resources (computer applications, servers, etc.), all under the terms set forth in section “4. Purposes and legitimate basis for processing.”
6. Providers of the services covered by the policies or requested based on policies taken out by the Data Subject, including health professionals and health centres or clinics, vehicle repair shops, home repair professionals or companies, appraisers, or other similar professionals, as appropriate.

Likewise, MAPFRE will contract the provision of services from third party providers that carry out their activity in sectors including but not limited to: assistance services for claims management, documentation custody and digitalization services, pricing, insurance mediation services, administrative management and customer care services, advisory and consulting services, service quality auditing services or technological development services.

 

  1. Data protection rights

Under the terms and scope set out in current regulations, the Data Subject (you) may exercise the following rights:

  • Access: To see what personal data is in the possession of MAPFRE Middlesea Plc.
  • Rectification: Request the rectification of any incorrect data.
  • Erasure: To request that the data be erased where, amongst other reasons, it is no longer                necessary for the purposes for which it was collected.
  • Restriction of processing: Request that the Company stops processing your data, if, for     example, the data are inaccurate or the processing thereof is unlawful, however, it may still be                processed for the exercise or defence of possible claims, the protection of the rights of another              person or for reasons of public interest.
  • Object: To object to the processing of your personal data, except when necessary for amongst others, the development and renewal of the contractual relationship if appropriate, or for the exercise or defence of possible claims.
  • Portability: Receive your personal data in a structured, commonly used, and readable format, or      request that it be sent to another controller where technically feasible.

We remind you that you may also, at any time, withdraw your consent to the processing of your data.

The above rights may be exercised directly by the data subject by sending an email to rmb@middlesea.com attaching a copy of the Identity Card or another official identification document.

 

  1. Complaints to the supervisory authority

The Data Subject may contact the Company’s Data Protection Officer to submit his or her complaints regarding data protection on dpo@middlesea.com.  Additionally, you may contact the office of the Information and Data Protection Commissioner, located at Floor 2, Airways House, Triq Il – Kbira, Tas-Sliema SLM 1549 or by email on idpc.info@idpc.org.mt to file a complaint if you believe your rights have not been respected.

 

  1. Information on common files

MAPFRE Middlesea Plc, together with other insurance companies as joint Data Controllers may share some or all of the information that relates or is ancillary to the claims history of persons who may claim under your policy to the Malta Insurance Fraud Platform with the objective to prevent, detect, suppress and/or prosecute insurance fraud.  The platform is administered on behalf of the Insurance Companies by the Insurance Association Malta. If you want to know more about the Malta Insurance Fraud Platform you may wish to visit the administrator’s website on https://www.maltainsurance.org/.    You have the right to request access to, and rectification of your personal data held by the Malta Insurance Fraud Platform by contacting the Insurance Association Malta.

 

  1. 10. Joint control among MAPFRE Group companies

MAPFRE Middlesea Plc, in accordance with the provisions of applicable regulations, have signed a joint control agreement with MAPFRE MSV Life Plc, who commit themselves to comply with the obligations under data protection legislation to jointly create a global commercial profile:

 

Name:                                  MAPFRE MSV Life Plc
Address:                              The Mall, Triq il-Mall, Floriana, MALTA FRN 1470
Data Protection
Officer contact:                dpo@msvlife.com

 

  • Processing purposes:

To send commercial communications from the joint controller companies by any means, including electronic and web-based, about products and services, discounts, gifts, promotions, and other advantages, of the MAPFRE Group Companies both general and adapted to your characteristics

 

  • Profiling:

This involves creating a global commercial profile for you to adapt communications to your situation, which may be different from other types of customers.

Below is an overview of how we do this:

Firstly, based on the data you have provided to us and to MAPFRE MSV Life Plc of which you are a customer, as well as those that have been generated during your commercial or contractual relationship with MAPFRE Middlesea Plc, we compare you to an aggregate set of users who share similar characteristics (lifestyle, demographic and geographic circumstances, relationship with MAPFRE) and who have previously shown interest in or successfully purchased other products.

Secondly, we apply statistical calculations or algorithms, along with anonymization and pseudonymization methods, which allow us to find relationships between you and this set of users and to intuit based on past behaviours, or future scenarios, the products, services, and offers that we suggest to you.

No automated individual decision- making is carried out in this process.

  • Recipients of data: MAPFRE Middlesea Plc shall only communicate the data collected under the joint control system to the service providers that support data processing activities.
  • Legal basis: Consent
  • Exercise of rights: The data subject may exercise their rights before any joint data controller. Likewise, the joint controller companies have a one-stop shop mechanism for data subjects to exercise their rights, by sending an e-mail to rmb@middlesea.com and/or rmb@msvlife.com accepting their duty to collaborate and assist in those cases where appropriate.