Personal Data Protection Policy
The protection of your personal data is important to us. This Privacy Policy (hereinafter referred to as the "Policy") concerns the processing of your personal data by CRÉDIT AGRICOLE LIFE INSURANCE SINGLE MEMBER S.A. as Data Controller, with registered office in Athens, 25 Filellinon Street, tel. 2144166700, e-mail: custserv@ca-life.gr, website: www.calife.gr. We are at your disposal for any questions you may have. If you wish to contact us regarding any issue related to the processing of your Data and the exercise of your rights, you can contact the Data Protection Officer (DPO) at email: dpo@ca-life.gr. The Data Protection Officer mediates between our Company and you and oversees our Company's compliance actions.
1. A few words about CRÉDIT AGRICOLE LIFE INSURANCE SINGLE MEMBER S.A.
The Company CRÉDIT AGRICOLE LIFE INSURANCE SINGLE MEMBER S.A./ Crédit Agricole Life (hereinafter referred to as the "Company") has been active in the life insurance sector since 2001, and since 2011 its main shareholder has been Crédit Agricole Assurances S.A., a member of the Crédit Agricole S.A. group. Our goal is to provide affordable and complete savings and protection products that fully meet the needs of our customers.
2. What is personal data?
The term "personal data" refers to information about natural persons, such as name, postal address, email address, contact telephone number, etc., which identify or can identify your identity, hereinafter referred to as "Personal Data or Data".
3. What is Personal Data Processing?
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.
4. What Data do we collect about you?
The Data you provide us with or authorise us to collect from third parties is the minimum necessary to assess the insurance risk in order to draw up a Life Insurance, Pension or Investment contract that matches your profile. For this reason, we ask you to fill in a standardised application form and questionnaire or authorise us to collect:
– Identification information (first name, surname, residential address).
– Date of birth, as an essential and necessary element for our cooperation.
– Unique identifiers (tax identification number, identity card number, passport number).
– Financial data (financial information, bank account).
– Health data (e.g. completion of medical questionnaire, health status).
– Contact information (telephone, email).
– Information from third parties regarding the above (diagnostic centres, clinics, etc.) Furthermore, in the context of managing our contract, the Company's compliance with the regulatory and legislative requirements governing its operation and the provision of its services, as well as the fulfilment of the Company's legitimate interests, we also collect the following data:
– Financial data (e.g. amount/level of compensation, date of issue of receipt, IBAN)
– Insurance data (e.g. contract number) Somatic data (e.g. height, weight)
– Assessment data (result of the assessment / whether the person belongs to the PEP list)
– Employment data (e.g. occupation category, status of person included in the PEP list)
If you do not wish to provide us with the above information, we will not be able to cooperate in order to execute the contract and serve you properly. The information above is required by insurance legislation, which you can consult (Law 2496/97), as well as by the regulatory and legislative requirements governing the operation of our Company. and providing inaccurate information may result in the risk of not being compensated or in the termination of our contract or the adjustment of your premium.
5. For what purpose do we process your data?
The purpose of processing your Data is to evaluate our cooperation and subsequently ensure the smooth execution of insurance contracts, as well as to serve you during our cooperation.
This purpose includes:
– evaluating your request in order to assess the risk and determine the appropriate premium and plan for you.
– providing insurance services and support for the policy and additional transactions.
– answering your questions and communicating with you about the management of your policy.
– processing claims and payments.
– taking the appropriate actions to pay compensation to beneficiaries.
– handling complaints and requests.
– protecting the operation of our Company, your security, optimising the quality of services provided and effectively addressing any issues that arise.
– compliance with our legal obligations, including a) legislation on the prevention and suppression of money laundering and terrorist financing (Law 4557/2018 and its implementing decisions/administrative directives), b) legislation on administrative cooperation between European Union Member States in the field of taxation (Law 4170/2013, as applicable), c) legislation on the multilateral agreement between competent authorities on the automatic exchange of financial account information (OECD CRS- Law 4428/2016) and e) the legislation on the Agreement between the Government of the Hellenic Republic and the Government of the United States of America to Improve International Tax Compliance and to Implement the Foreign Account Tax Compliance Act (FATCA- N.4493/2017) and – your response to requests from public authorities or organisations.
6. What is the legal basis for the Company's processing of your Data?
The processing of your Data is carried out in accordance with:
– the terms of our contractual relationship
– your consent to receive specific categories of health data in order to assess your insurance conditions
– the regulatory framework of insurance contract legislation
– the legal requirements relating to the prevention and suppression of money laundering and terrorist financing and the agreements between Greece and other countries (EU, OASA and USA) on the automatic exchange of information
– our Company's legitimate interest, which specifically consists of increasing the level of customer satisfaction, optimising the management of our customer base and achieving the most efficient operation of our Company.
7. Who are the recipients of your Data?
The recipients of the data are:
– Our Company and its employees within the scope of their responsibilities, as well as insurance intermediaries.
– Our representatives and/or subcontractors for the purpose of supporting, promoting and executing our transactional relationship.
– The competent authority of the Ministry of Finance, which may forward the necessary data to the competent tax authorities of another country or countries where you are a tax resident, pursuant to Law 4170/2013, as applicable, and the applicable multilateral and intergovernmental agreements on Mutual Administrative Assistance in Tax Matters (indicatively MCAA OECD CRS – Law 4428/2016 and FATCA – Law 4493/2017).
– The Bank of Greece as the supervisory authority of our Company pursuant to Law 4364/2016.
– Our parent company, within the framework of intra-group audits, within the EU (except for special data).
– Alpha Bank, our strategic partner, as the Company's insurance programmes are distributed and serviced exclusively through its branch network.
– Healthcare institutions, doctors (for the purpose of performing the contract and not for their own use).
– Reinsurers.
– Lawyers.
– Other external partners who provide us with services for the servicing of your contracts (print management, physical file storage, etc.).
– And other supervisory, auditing, independent, judicial, public and/or other authorities and bodies within the scope of their legal responsibilities, duties and powers (such as the Authority for Combating Money Laundering, the Consumer Ombudsman, etc.).
8. How do we ensure that our partners respect your Personal Data?
Our partners have agreed and committed themselves in writing to the Company:
• to maintain confidentiality and to bind their staff to the corresponding obligations
• not to disclose Data to third parties without our written permission
• to take organisational and technical data security measures that protect their logical and physical security, such as secure software and physical protection
• inform us of any incident involving the breach of your personal data
• delete or return your Data to us upon termination of our contract, and
• comply with the legal framework for the protection of Personal Data and in particular the General Data Protection Regulation (GDPR).
9. Do we send your Data abroad?
We do not send your Data outside Greece. Your Personal Data is stored and processed within Greece, except for special category data relating to our Reinsurance Companies (Munich Re & RGA) for risk assumption or compensation purposes. Also, for the sole purpose of controlling intra-group transactions, non-special category data may be sent to our parent company in France, Crédit Agricole Assurance S.A.
10. How long do we keep your Data and when do we delete it?
Our Company retains your Data for the entire duration of our contract in physical and electronic files, and for five (5) years from the end of the year in which the respective claim arises. Your data that must be retained for the Company's compliance with tax and/or other legal requirements is retained for as long as required by applicable law, and in particular from five (5) to twenty (20) years, depending on the case (e.g. Article 30(3) of Law 4557/2018, Article 13(2), Article 36, Article 51 of Law 4174/2013, Article 7 of Law 4308/2014). Data relating to your health is destroyed/deleted after you exercise your right to withdraw your consent in any way. In the event of legal proceedings, your data will be retained until the conclusion of the court case with a final court decision.
11. Is your data secure?
Any processing of your Data is only permitted to persons authorised by us, our employees and associates, exclusively for the purposes mentioned above. We have taken the necessary and appropriate organisational and technical measures to ensure the security and protection of your Data from any form of accidental or unlawful processing, both at a physical level and at a logical security level (e.g. physical security procedures, graded access to data, protection of computer systems and software). These measures are reviewed and amended when necessary.
12. What are your rights?
– You have the right to be informed.
During the collection phase, as well as in any subsequent phase of processing your personal data, you have full capacity to exercise your legal rights, as described below. During the collection of your data, from the start of our contractual relationship, you are informed of this both through our standardised Applications and through the General Terms and Conditions of the Insurance Contract. However, you can consult your rights at any time on the home page of our website www.ca-life.gr for information on the following:
• our identity,
• the purposes of the processing,
• the recipients of the data,
• any third parties to whom the data is transferred,
• your rights, as described in detail above.
– You have the right to access your Personal Data.
This means that you have the right to be informed by us about how and what Data we process. You can request information about the purpose of the processing, the type of Data we hold, who we give it to, how long we store it, and whether automated decision-making takes place.
– You have the right to correct inaccurate personal data.
If you find that there is an error in your Data, you can submit a request for us to correct it (e.g. correction of name or notification of change of address).
– You have the right to erasure.
You can ask us to erase your Data if it is no longer necessary for the above-mentioned processing purposes.
– You have the right to data portability.
You may request us to provide you with the Data you have provided in a readable format or request us to transfer it to another controller.
– You have the right to restrict processing.
You may request us to restrict the processing of your Data for as long as your objections to the processing are pending.
– You have the right to withdraw/object to the processing of your Data.
You may object to the processing of your Data or withdraw your consent, where required, and we will stop processing your Data unless there are other compelling and legitimate reasons that override your right or if it is no longer necessary for the above-mentioned processing purposes. However, this will result in the termination of your insurance contract and you will no longer be covered because (as mentioned above) no insurance contract can function without processing the personal data and/or special categories of personal data of the insured person (data subject).
13. How can you exercise your rights?
At any time, you may exercise all your rights under the law regarding the processing of your Personal Data by sending your request directly to our Company's Customer Service Department or to branches of our partner bank, ALPHA BANK. Your request must be recorded in writing and submitted in one of the following ways, following the corresponding steps:
• electronically by sending an email to: dpo@ca-life.gr.
In this case, you will send your signed Request with your signature certified as genuine. You will receive our response at the email address you have provided, unless you request that it be sent to you by other means.
• by post, to the Company's address (25 Filellinon Street, Athens).
In this case, after completing the Application, you will certify the authenticity of your signature at a Citizen Service Centre (KEP) or Police Station and send it.
• in person at the Company's headquarters (25 Filellinon Street, Athens) or at the branches of our partner bank, ALPHA BANK. If you deliver your application yourself either to the Company's head offices or to a branch of ALPHA BANK network, you are not required to certify the authenticity of your signature, but you will be asked to show your police ID or other official identification document to the competent employee for identification purposes.
14. When do we respond to your requests?
We respond to your Requests free of charge without delay, and in any case within one (1) month of receiving your request. However, if your Request is complex or there are a large number of Requests, we will inform you within the month if we need to request an extension of another two (2) months, within which we will respond to you. If your requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may impose a reasonable fee, taking into account the administrative costs of providing the information or performing the requested action, or refuse to follow up on the Request, giving reasons in its response to you.
15. Where can you go to follow up on your requests?
For more information, please call 214-4166700 (Customer Service Department).
16. Do we use automated decision-making, including profiling, when processing your Data?
Our company does not perform automated processing for marketing and direct commercial promotion purposes. Automated processing is linked to the purpose of the insurance contract and risk assessment, as well as our compliance with the legislation on money laundering, or agreements between Greece and other countries (EU, OASA and USA) on the automatic exchange of information. The information you have provided is analysed in order for us to recommend the best and most suitable program to cover you, within the framework of an objective assessment of all the risks involved. Please note that this processing does not involve fully automated decisions that produce legal effects for you or significantly affect you, as any relevant decision is made after human intervention.
17. What is the applicable law when we process your Data?
The applicable law is Greek law, as formulated in accordance with the General Data Protection Regulation 2016/679/EU, and in general the applicable national and European legislative and regulatory framework for the protection of Personal Data. The competent courts for any disputes arising from issues relating to your Personal Data are the Courts of Athens.
18. Where can you go to check if your rights have been respected?
You have the right to lodge a complaint with the Personal Data Protection Authority (1-3 Kifissias Avenue, 115 23 Athens, tel.: 210 6475600, contact@dpa.gr) if you believe that the processing of your Personal Data violates the applicable national and regulatory framework for the protection of Personal Data.
19. How will you be informed of any changes to this Policy?
We update this Policy whenever necessary. If there are significant changes to the Policy or the way we use your Personal Data, we will post an update on our website before the changes take effect and notify you in any appropriate manner. We encourage you to review this Policy periodically to stay informed.
