This is your guide to how your personal data is managed by GlobalCapital Health Insurance Agency Limited. Please read it carefully.
Our commitment to privacy:
Your information will be held by GlobalCapital Health Insurance Agency Limited, a limited liability company registered under the laws of Malta with Company Registration Number C 6393 and having its registered office at GlobalCapital, Testaferrata Street, Ta’ Xbiex, XBX 1403, Malta (“GCHIA” or the “Company”).
We consider it crucial to protect your rights as our policyholder/s under applicable legislation and want you to feel confident about the privacy and security of your personal data.
1. Who we are
Throughout this Privacy Notice, “we”, “us”, “our”, and “ours” refer to GCHIA.
We form part of the “GlobalCapital Group”, whose holding company is GlobalCapital p.l.c., a public limited liability company incorporated under the laws of Malta with company registration number C-19526 and having its registered office at GlobalCapital, Testaferrata Street, Ta’ Xbiex XBX 1403, Malta. The members of the GlobalCapital Group comprise: GlobalCapital plc, GCHIA, GlobalCapital Life Insurance Limited and GlobalCapital Financial Management Limited. More information about the GlobalCapital Group can be found at: www.globalcapital.com.mt
2. The information we collect relating to you
We collect and process various categories of personal information at the start of and for the duration of your relationship with us as per Section 3 below. We will limit the collection and processing of information to information necessary to achieve one or more legitimate purposes as identified in this Privacy Notice.
The information we collect about you may include:
• Basic personal information, including name and address, date of birth, nationality, country of birth and contact details;
• Financial information, including account and transactional information and history;
• Information about your family, lifestyle, social circumstances (such as dependents, marital status, next of kin and contact details);
• Details of any contact we have had with you, such as any complaints or incidents;
• Information about how you use our products and services, such as insurance claims;
• Education and employment information, including salary; and
• Information about how you use our website, including IP addresses or other device information.
We may also process certain special categories of information for specific and limited purposes, such as medical underwriting, detecting and preventing financial crime or to make our services accessible to customers. We will only process special categories of information where we have obtained your explicit consent or we are otherwise permitted by law to do so (and then only for the particular purposes set out in Section ‘How we use your information’, for which the information is provided). This may include:
• Physical or psychological health details or medical conditions including genetic information or biometric information; and
• Information about your race, ethnic origin and religion.
Where permitted by law, we may process information about criminal convictions or offences and alleged offences for specific and limited activities and purposes, such as to perform checks to prevent and detect crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions.
If the data provided by you refer to third parties, you confirm to having obtained and received their prior consent to providing information on them, and to have informed them, before including them in our documentation.
3. When and how we collect information about you
As you use our services, apply for products, make enquiries, and engage with us, information is gathered about you. We collect information about you in view of:
• Enquiries about our products which require your data and to provide you with quotations;
• The proper performance of your contract of health insurance or the implementation of pre-contractual measures you request or require;
• Underwriting and issuing contracts of health insurance, collecting premiums and submitting other bills, settling claims or paying other benefits;
• Compliance with legal obligations to which the Company is subject including but not limited to those obligations arising out of laws relating to money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions;
• The establishing, exercising or defending of any legal claims arising;
• Market research and analysis, internal management, accounting and auditing, product development and public relations;
• The exchange of information for preventing, suppressing and detecting of health insurance fraud and any other criminal activity which we are bound to report; and
• The protection and promotion of our legitimate interests and the proper conduct of our business.
Furthermore, we may receive personal or sensitive data relating to you and/or your dependents, spouse, partner, and family from third parties such as Court Judgments database, the Registry of Companies, World Check, fraud-detection and credit-reference agencies, doctors and health care professionals, hospitals, clinics and other health care providers and sources which are available to the public, which entities are all legally entitled to communicate such data and that such data is be processed for the stated purposes.
We may also record telephone conversations to offer additional security and resolve complaints. Personal data is also collected when you complete the “Contact Us” section on our website. Such personal data which is submitted online is then used by us in order to reply to your message. CCTV cameras are also in use throughout our offices for security purposes and this is clearly indicated with appropriate signage once you enter our premises.
4. How we use your information
We have described the legal grounds for which your information may be used in detail below:
• Contractual necessity: its use is necessary in relation to a service or a contract that you have entered into or because you have asked for something to be done so you can enter into a contract with us. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to provide products and services to you.
• Our legitimate interests: we may process your information where it is in our legitimate interests to do so, without prejudicing your interests or fundamental rights and freedoms. Its use is in accordance with our legitimate interests outlined in this Privacy Notice;
• Legal obligations: when you apply for a product or service (and throughout your relationship with us), we are required by law to collect and process certain personal information about you. Its use is necessary because of a legal obligation that applies to us (except an obligation imposed by a contract); and
• You have consented or explicitly consented to the using of your data (including sensitive data) in a specific manner.
All the necessary personal data that we shall collect will be held by us and processed:
• For consultancy and advisory services;
• For underwriting and internal risk assessment;
• Where you have specifically consented to doing so, to communicate with you market and promote our services and of those carefully selected third parties that GlobalCapital Group work with; and
• For any other purpose that may be necessary for the performance of the health insurance service contract and/or for the execution of your instruction given to us from time to time or as may be allowed or required by any law or insurance regulation.
We may also engage in insurance industry standard profiling, wherein the assessment of risk is made by automated means. However, all final decisions which produce any legal effects on data subjects, including without limitation, the decision on whether to underwrite a risk and issue a contract of insurance, are taken with human intervention. We will keep such information as long as is necessary for the purpose(s) for which it was collected, such as underwriting, and in accordance with this Privacy Notice. Data will be securely destroyed when is no longer required.
5. Who we share your information with
Whilst you are our customer we undertake the responsibility not to transfer or exchange any information that we hold about you unnecessarily to or with any third parties without first obtaining your written consent. Nevertheless, and in line with our regulatory and legal obligations, there may be instances during the course of providing you with our services where we may be required to disclose, share or exchange some or all of your personal information, whether sensitive or otherwise, to the following persons:
• Your introducer or your tied insurance intermediary representative;
• Our agents and advisers who we use to help run your accounts and services;
• Your employer, if you are covered by a health insurance policy your employer has taken out on your behalf;
• Companies in the GlobalCapital Group;
• Companies that provide support services for the purposes of protecting our legitimate interests;
• Statutory and regulatory bodies, any public or governmental authority and/or to disclose any information before any court or adjudicating body of a competent jurisdiction where such disclosure is compelled by law or authorised/ordered by a court or adjudicating body of a competent jurisdiction;
• In anonymised form, as part of statistics or other aggregated data shared with third parties;
• Companies you ask us to share your data with; and
• Other insurances companies as may be necessary.
6. How long we hold your information
In line with our regulatory and legal obligations, including inter alia the Anti-Money Laundering regime and the Maltese Tax legislation, and for the purpose of underwriting and/or claims handling, we will keep your personal data, whether sensitive or otherwise, on the following basis:
• Our legal obligation for retention of your information;
• The term of the contractual relationship and necessary services to carry out such relationship; and
• Any request of the deletion of data by the relevant party, where applicable.
The information will be destroyed as soon as it is no longer required for the lawful purpose(s) for which it was obtained. We may on exception retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is intended to make sure that we will be able to produce records as evidence, if they’re needed. Nevertheless, data collected for inquiries which will not result in any type of contract will not be retained and will be discarded immediately.
7. Implications of not sharing your information
As stated above, we may need to collect personal information by law, or under the terms of a contract we have with you.
If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we may not be able to provide you with certain products and services that you request. We may not be able to continue to provide you with or renew existing products or services.
When we request information, we will tell you if providing it is a contractual requirement or not, and whether or not we need it to comply with our legal obligations.
8. Processing your information outside the EEA
Your information is stored on secure systems within the GlobalCapital Group premises and with providers of secure information storage. We may transfer or allow the transfer of information about you and your products and services with us to our service providers and other organisations outside the European Economic Area (the “EEA”), but only if they agree to act solely on our instructions and to protect your information to the same standards that are applied in the EEA.
We will only send your personal information outside of the EEA to:
• Follow your instructions;
• Comply with a legal duty; and
• Work with our service providers and advisors to help run your services.
If we do transfer information to our service providers and advisors outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA.
9. Your rights
Providing and holding personal information comes with significant rights on your part and significant obligations on ours. You have several rights in relation to how we use your information:
The right to be informed - You shall have the right to request us to inform you about the personal data that we process about you, the purpose of the processing, the categories of data that are being processed, the recipients of the data and the type of processing. If at any point you believe that the information we process on you is incorrect then you can request to see this information, have a copy of such data and have it corrected or deleted. Any such access/ratification requests must be made to us in writing and must further be signed by you as the data subject.
If you later wish to raise a complaint on how we handled your personal data, you can contact us to have the matter investigated. In the event that you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can then file a complaint with the Office of the Information and Data Protection Commissioner by accessing the following link: https://idpc.org.mt/en/Pages/contact/complaints.aspx.
The right to maintain your personal data accurate and up to date - We make every effort to ensure that all the personal data that we process about you is accurate and regularly updated. However, should you become aware of any errors or omissions in respect of your personal data you are kindly requested to inform us about such errors in writing. If it transpires that the information held is inaccurate, we will make the necessary amendments and inform you that these have been made.
The right to be forgotten - Where applicable, and in exceptional cases as allowed by law, you shall also have the right to request erasure of your personal data on inter alia the following grounds:
• Subject to our legal and regulatory obligation where processing is no longer necessary for its intended purpose;
• If your personal data has been given to us solely for consultation purposes, such as a policy estimation, and you choose not to avail yourself of any of our services;
• When erasure is necessary for compliance with a legal obligation by the judiciary of Malta;
• When you object to the processing, unless there are overriding legitimate grounds for us to process;
• When the data concerns a child and has been collected solely for marketing purposes and not arising out of a contractual relationship for services required from us;
• Where any data has been collected solely for marketing purposes.
Instead of requesting erasure, you can also request a restriction of the processing of data in cases where the personal data is inaccurate, unlawful or pending a decision on a complaint lodged by you. In such case we can only store your personal data and any further processing is only possible with your consent or in a limited number of situations.
The right to data portability - Since your personal data is subject to automated processing on the basis of our contractual relationship, you are thus allowed to request a copy of the data concerned in order for you to be able to transmit your processed data to another controller without any hindrance from our part.
The right to object- You have a right to object to us processing your personal information where the legal basis for our use of your data is our legitimate business interests or the performance of a task in the public interest. However, in doing so this may have an impact on the services and products we can/are willing to provide. You also have the right to object to the use of your personal data for direct marketing purposes. If you object to this use, we will stop using your data for direct marketing purposes.
The right to withdraw your consent- where we rely on your permission to process your personal information, you have a right to withdraw your consent at any time. We will always make it clear where we need your permission to undertake specific processing activities.
It is important to note that, in certain circumstances, you may not be able to exercise your rights as stipulated above or you may be able to exercise such rights but only in a limited manner, as dictated by law.
10. How to contact us
11. Changes to this Notice
We will update this Notice from time to time. Any changes will be communicated to you without delay, and where appropriate, notified to you by SMS or email.
We undertake to implement all appropriate measures and safeguards in order to protect confidentiality, integrity and availability of all data processed. Accordingly, we declare that we have appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing together with accidental alteration, destruction, loss and to also ensure compliance with the obligations imposed by the Data Protection legislation. We also maintain strict information security policies designed to prevent unauthorised access to your information by anyone, including our staff unless required to give a service. We can ensure you that all of our staff who have access to any of the personal data held are personally responsible for maintaining customer confidentiality.
Nevertheless, kindly note that any duty of confidentiality owed by us is conditional on the representations and warranties made by you being true and complete in all respects and at all times and on the fulfilment by you of your obligations under the Policy Application Documentation. We shall not be bound by any duty of confidentiality where disclosure is necessary, in our absolute discretion, to safeguard our legitimate interests.