Privacy Policy of CROMAR

For CROMAR and its employees, the privacy and protection of confidentiality and the security of the personal data of our policyholders, intermediaries, associates, and all individuals who trade in any way with the company is a top priority. We would like to assure you that CROMAR collects, processes, and stores your personal data in accordance with the General Regulation for Data Protection (EU) 679/2016 (hereinafter “GDPR”) as well as any other applicable legislation or decree by any Regulatory or Supervisory Authority and takes all necessary measures to prevent incidents of theft, loss, and breach of personal data.

This current privacy policy details how we process the personal data we collect, as part of our business activities. The following information clarifies which entity of CROMAR group of companies will be responsible for processing your data and it is addressed to CROMAR’s customers, the visitors to our online site, our partners, and our employees.

Controller of personal data
Controller is the individual or entity which, alone or jointly with others, determines the purposes and means of the processing of personal data and, indicatively, collects, controls, maintains and uses personal data on paper or in electronic files. You will find below information on which company of the CROMAR group is independently responsible for the processing of your data, depending on whether you deal directly with CROMAR or on the capacity/ professional license of the insurance intermediary contacting CROMAR on your behalf.

  1. a) If the insurance intermediary contacting CROMAR on your behalf is an insurance broker (as defined by Law 4583/2018 incorporating into Greek law of the Directive 2016/97/EU of the European Parliament and of the Council on the distribution of insurance products) or if you approach it directly, your data’s Controller is “CROMAR Insurance Brokers Single Member SA”, having its office in Marousi, Attica, Ag. Konstantinou 17 and Ag. Anargyron, PC 15124, with Companies’ Registry no. 68768603000 and
  2. b) If the insurance intermediary contacting CROMAR on your behalf is an insurance agent (as defined by same law as above) or if you approach it directly, your data’s Controller is “CROMAR Insurance Agency Single Member S.A.” having its office in Marousi, Attica, Ag. Konstantinou 17 and Ag. Anargyron, PC 15124, with Companies’ Registry no. 149475603000.

For your visit to this site, the above companies are the joint controllers of your data.

If you have entered an employment contract with one of the above companies, that company is the controller of your personal data.

What is personal data?
“Personal Data” is any information that identifies, directly or indirectly, your identity as an individual and relates to you or other persons (such as persons dependent on you). The processing of personal data is any operation or operations performed with or without automated means (e.g., computers) such as collection, registration, storage, organization, change, etc. This Privacy Policy describes how we handle the collected personal data.

What categories of data do we collect and process?
Depending on the purpose, the personal data collected and processed by CROMAR, may be:

• Identification data, such as name, surname, date of birth, police ID/ passport number, social security number, tax registration number.
• Contact details collected when you enter the insurance policy and at any other stage of the process before and after, such as e-mail/ post address, telephone/ fax numbers.
• Payment Information, such as bank accounts, debit /credit, and other bank cards.
• Insurance Data necessary for the assessment, control, conclusion and management of the insurance policy, e.g. data on the driving behavior of a candidate for car insurance.
• Special categories of personal data, such as information related to health (physical condition, any disabilities, medical history, medication, etc.).
• Settlement data, i.e. data necessary for the management of insurance claims, contained in the application for compensation/ buy-out/ payment of premium or in accompanying (supporting or related) documents.
• Browsing data, when you visit our website, information related to your visit can be recorded (e.g., IP address). Further, when browsing our website, cookies may be stored on your device.

For more information on cookies and our Policy, please click here.
• Data collected in case of a complaint, such as name, telephone, mailing address, e-mail address.
• Data collected during telephone calls to CROMAR; the content of the call and your number are recorded.
• When you enter our offices, your image is recorded by a closed-circuit security camera (CCTV) for the operation of which you are informed upon entry, while we fully comply with all the provisions of applicable law.
• Where CROMAR is acting as an employer, we collect the necessary personal data of our employees, such as identification data (name, date of birth, ID number, social security number, tax registration number) contact details (home and e-mail address, tel. number), payment
details for the payment of salaries and compensations (bank accounts, etc.), social security data, special categories’ data if required (such as health information, disabilities, medical history, etc.), other data required by law and relevant to the employment relationship.

You are not required by law to provide us with your personal data. If, however, you wish to purchase our products/ services or enter any contractual relationship with CROMAR (insurance policy, partnership, employment relationship), we require your personal data. If you do not wish to provide them to us, we may not be able to provide the products/ services you have requested from us or enter the contractual relationship you desire.

Sources of the collected personal data
We collect personal data either directly from you (i.e. the data subject) or from sources other than yourself. These sources indicatively are:
• The insurance application, application for amendment/ endorsement/ cancellation/ buy-out, application for insurance benefits, for the participation in group insurance, announcement of a claim.
• Our authorized employees, the insurance intermediaries (brokers or agents) belonging to the various CROMAR sales network, as well as our third-party partners (e.g. technical consultants, experts, claim adjusters), service providers, insurance brokers, insurance consultants and insurance agents, researchers, experts, technical consultants, health professionals, employers and other third parties.
• We collect special categories’ personal data from you with your explicit consent; we may also collect them through contracted health service providers (e.g. hospitals, private clinics, diagnostic centers, doctors).
• The visitors/ users of our website, only when they voluntarily provide them with the purpose of having their submitted electronic requests processed.
• Via software applications made available for your help and from our social media pages.
• Via promotional actions for our products, from the collection of contact details for sales purposes (leads), subject to your explicit consent for their further process.
• Databases, such as the Insurance Companies’ Statistics Service and the Auxiliary Fund’s Information Center.
• Public and judicial authorities.
• The security systems at our premises, such as closed-circuit security cameras (CCTV).
• Other sources to the extent that this is permitted by applicable law and in particular by the GDPR.

Before you disclose to us the personal data of a third party, you must inform them of the contents of this Privacy Policy and obtain their respective consent.

The Purposes for processing your personal data.
When you submit your proposal form to CROMAR, you are thereby stating your intention to transfer the risk you have chosen (e.g., third party liability of any kind, fire, health, etc.) to any one of the insurance companies we cooperate with, be it as coverholders, brokers or agents. Depending on the information you have disclosed in your proposal form, we will assign a risk category and calculate the proper and proportionate applicable premium, calculating and estimating, amongst other things, the loss frequency and severity for the risk in question.

The personal data disclosed in your proposal form are, therefore, essential for the assessment of the risk and for the purpose and operation of the policy. You are required by law to provide correct and complete information. Inaccurate or incomplete information may give us the legal right to cancel or terminate your insurance policy at any time.

In view of the above, we only process our policyholders’ and all individuals’ personal data for the stated purpose or purposes, unless we reasonably believe that we must process them for additional purpose which must be compatible with the original purpose. We process personal data:
• For risk assessment, with the purpose of underwriting the risk and determining terms of insurance, premium and entering requested insurance policy, for purposes of management during the policy’s term, for reviewing and settling claims in the event of loss and for paying any
amount under the policy; for the prevention and avoidance of insurance fraud and for the defense of the legal interests of all parties doing business with CROMAR, and of the insurance company.
• In life/ health insurance and in the occurrence of car accidents involving injuries, we collect and process special categories’ data (where explicit consent from the data subject is required, see
below in the legal bases of processing).
• When a claim is announced to us for car damage and for the purpose of the claims’ management, we collect and process personal data that become known to us in case of an accident where a third-party individual is involved. This data is required for CROMAR to process the claim for compensation. If, as a third-party individual, you withhold consent or
object to the processing of your data prior to the finalization of your claim’ settlement, we will not be able to complete the process of your compensation.
• To comply with obligations deriving from the current legislation such as tax legislation, legislation on the prevention and suppression of money laundering and terrorist financing, the sanctions lists of the UN and the EU, the Automatic Exchange of Information with the US with
respect to accounts held in financial institutions by US residents, the Ratification of the Memorandum of Understanding and the Agreement between the Government of the Hellenic Republic and the US Government for the improvement of the international tax compliance with the implementation of the Law on Tax Account Compliance of Foreign Accounts (FATCA), the legislation on the Automatic Exchange of Financial Account Information between OECD countries and between EU member states (Common Reporting Standards). To satisfy a
request from public/ judicial or independent authorities, such as the Supervisory Authority etc.
• To manage a request and/ or complaint.
• For marketing reasons, for customer satisfaction/ quality of services market research that CROMAR may conduct, for the commercial promotion of new products and services.
• To manage requests for cooperation/ job recruitment in CROMAR.

Legal Basis for the process.
Depending on the nature and purpose of the process, the legal basis outlined here below may apply. Please note that these legal foundations may apply alternatively and that, subject to the conditions, CROMAR may apply only one/some of them and not all.

• The process is required for the performance of a contract to which you are a party to or in order to take steps prior to entering into a contract.
• The process is carried out with your explicit consent, after you are specifically informed on the purpose and nature of the processing. This legal foundation is applicable mainly when you are required to provide special category personal information, like health data.
• The process is required for the substantiation, exercise, or defense of legal claims.
• The process is required for CROMAR’s compliance to legal requirements.
• The process is required for CROMAR’s compliance to requirements set by the legislative and regulatory framework.
• The processing is necessary for the improvement of CROMAR and the protection of our legal interests.
• The process is required for CROMAR to prevent events fraud, for the benefit of the insureds and the protection of the reliability of the insurance market.
• Where CROMAR is acting as an employer, the process is carried with the explicit consent of the party interested in being employed by CROMAR and/or with the purpose of complying with CROMAR’s legal requirements.

Who is the Data Protection Officer.
If you have any questions regarding the management of your Personal Data, you can send an e-mail to dpo@cromar.gr or contact us by phone at 210 8028946 or by fax at 210 8029055.

How we use your Personal Data.
We use your Personal Data to:
· communicate with you as part of our business,
· send you important information relevant to the function of our policies,
· evaluate insurance proposals and provide insurance services and support,
· provide high quality service and training,
· detect and prevent crimes related to fraud and money laundering, and to analyze and manage
the insured risks,
· carry out market research and analysis, including surveys regarding customer satisfaction,
· facilitate the function and use of our social media,
· manage complaints and requests for access to or correction of data,
· comply with current legislation and regulations and respond to requests from public and
government authorities,
· protect our business operations and minimize our losses.

Transmission of Personal Data.
Your data will be passed on within CROMAR to departments responsible for accepting the risk, for the proper and uninterrupted operation of your insurance policy and for your compensation; departments such as the underwriting department, processing, claims department, customer service department, etc. Your personal data may be passed on to legal entities and/ or persons with whom we maintain contracts for the proper servicing and compensation of our policyholders, as well as for the assessment of a claim. However, please note that these legal entities and/ or persons, acting as data processors, will process your personal data solely for the purpose of providing services to us and not for their own benefit.

CROMAR will not disclose in any way your personal data to any third party that is not related to your insurance policy and the provision of the coverage and services provided by it, unless required by law or by lawful request or mandate of a public authority. CROMAR will not transfer any of your personal data to third parties for use in commercial promotions or research purposes.

International Transfer of Personal Data.

As coverholders for insurance companies with establishments also in the United Kingdom, for the purposes outlined above, we may transfer Personal Data to third parties established in the United Kingdom. Pursuant to article 45 of GDPR, the European Commission adopted the decision dated 28.06.2021 holding that, for the purposes of the GDPR, the Un. Kingdom ensures an adequate level of protection for personal data transferred from the EU to the Un. Kingdom and that, therefore, personal data may be transferred freely from the EU to the Un. Kingdom. Please note that we always take every step required to ensure that the data to be transmitted is always the minimum necessary and that the conditions for legitimate and lawful processing are always met.

Personal Data Security.
CROMAR will take appropriate technical, physical, legal, and organizational measures that comply with the applicable privacy and data security laws. When CROMAR provide personal data of the policyholders to a service provider for the management of the insurance policy, the provider will be carefully selected and will have to take appropriate measures to protect the confidentiality and security of this data. If you feel that your personal information held by us has been compromised in any way, please notify our Company’s Data Protection Officer.

Automated data processing
CROMAR only allows password protected access to our platform for intermediaries accredited with CROMAR and acting on the behalf of their customers, and the issuance only of a specific type of personal accident policy. The premium for this type of policy and the conditions under which it is issued are set and known in advance. To the extent that these conditions are met, the policy will be issued. The subjects of the personal data must give their explicit consent to the processing of their personal data, for the purpose of issuing the specific policy. This procedure involves a minimum of automated data processing, which is required to classify the risk, to calculate the frequency and severity of the potential damage, and for the speedy, accurate and consistent issuance of policies. We carry out regular inspections to minimize the risk of errors during the process.

During the term of the policy, we may carry out automated checks with the aim to prevent insurance fraud, to comply legislation concerning money laundering and the automatic exchange of information on financial accounts and to avoid violations of international sanctions directives. You have the right to obtain human intervention on our part, to express your point of view and to contest the decision taken based on the above automated procedure. To exercise your rights, you should contact the Data Protection Officer. For your further rights, see immediately below.

What are your rights
You may at any time exercise the right to receive information, to access and to rectify your Personal Data. Specifically, and provided that the legal requirements are met, you have:

· the right of access to your personal data, to obtain confirmation as to what data we process, the purposes of this process and the recipients of the data.
· The right to the rectification of inaccurate data and to have incomplete personal data completed.
· the right to have your personal data erased. Please note that, to the extent that the processing is necessary for the specific lawful purposes listed above, the right for the erasure of your data may not be satisfied.
· the right to the restriction of the processing of your Personal Data. Please note that, to the extent that the processing is necessary for the specific lawful purposes listed above, the right for the restriction of the processing of your data may not be satisfied.
· the right to the portability of your personal data.
· the right to object to the processing of your personal data (including automated individual decision-making and profiling).
· the right to withdraw your consent to the processing at any time, without prejudice to the legitimacy of the consent-based processing before consent is revoked. You should be aware that this will lead to the termination of your policy and to the lack of coverage, because the
policy cannot operate without the processing of the insured person’s personal data.
· the right to file a complaint with the competent supervisory authority.

How long do we keep your Personal Data?
We ensure that the personal data we collect is processed for no longer than is necessary to meet the specific purpose it was provided for and/ or as required to comply with any record keeping obligation provided for by any applicable law.

Use of Cromar Electronic Services by Minors
Our e-Services are not intended for persons under eighteen (18) years of age, and we ask those persons not to provide Personal Information through our Electronic Services.

Use of Cookies
To personalize your visit to our website and to ensure the operation of certain features of our website, we use “cookies” to collect and store data. For more information, please refer to our cookie policy.

Changes to this Privacy Policy
We review this Policy regularly and reserve our right to make amendments at any time to take account of changes in our business activity and legal requirements. We will post the updates on our website.