Smart Drive Privacy Policy
Our Company’s main priority is the protection of your personal data that it processes. Our Company constantly complies with the applicable legislation on Personal Data Protection.
We urge you to read this information notice carefully in order to be adequately informed on the type of data we process when you obtain insurance through our Company's Cyprus branch under the Smart Drive Program. The data subject for the purposes of this notice is either the person in whose name the insurance policy under the Smart Drive program is issued or the main driver of the insured motor vehicle, in case these are different persons. References to "you", "yours" etc. will be interpreted accordingly.
It is clarified that this information notice is supplementary to the Company's general privacy policy above concerning personal data protection in the context of the business of its Cyprus branch. In case you are insured under the Smart Drive Program, both notices apply to you. Please read both carefully.
1. General information and processor
"INTERAMERICAN HELLENIC INSURANCE COMPANY S.A." (hereinafter the "Company", "INTERAMERICAN", "we", "us" or "our"), is a Greek company based in Athens at 124-126 Syggrou Ave., contact no. 210-9462200 and email: custserv@interamerican.gr. The Company is registered with the Registrar of Companies of the Republic of Cyprus as a foreign company with registration number AE 3036 and has a branch engaged in insurance activities in Cyprus (hereinafter the "Branch") at 42 – 44 Griva Digeni Avenue, Nicosia 1080), contact no. 800 88 800 and email: helpdesk@anytimeonline.com.cy. The company is the data controller, responsible for the collection, storage and generally the processing of personal data of the Smart Drive applications (the "Application") users who are insured through the Branch.
2. What personal data we collect and how
For the purposes of the Smart Drive program, the collection and processing of your personal data is carried out as follows:
a. Collection and Processing of the insured/test user's data
When you register on the Application as a trial user, you will be asked to provide your personal email so that a sign-in link can be sent to you. This allows us to respond to your requests, improve the information we provide, and ensure a discount on your insurance premiums if you decide to purchase insurance after the trial period, depending on your driving behavior. It should be noted that the test user's email is stored only within INTERAMERICAN's systems and not within the Application. This information does not directly identify you; it is the only information required to use the Application and will not be reused for purposes inconsistent with the service's scope. When you register on the Application as an insured user, the sign-in link will be sent to your email address.
b. Collection of the User’s Primary Data
The application may collect and process “Primary Data” (including location data) for the operation of the automated route recording function even when the application is closed or is not in use, which data is stored only on the user’s device (without being transferred to the processor). Only Primary Data recorded during a route is transferred to the data processor (our technical service provider), OSeven (“OSeven”), for processing on our behalf. The following constitutes Primary Data:
• Time data: The time of recording of the following parameters.
• Location data: Longitude, latitude and altitude of the vehicle, horizontal and altitude accuracy of the location, speed of the vehicle, direction of movement of the vehicle
• The angles formed by the local axes of the mobile phone in relation to the North and to the horizontal level (ground).
• Rate of change in the angles formed by the local axes of the mobile phone to the North and to the horizontal level (ground) in terms of time
• Accelerometer data: Acceleration values on the three local axes (the three dimensions) of the mobile phone, including and excluding the acceleration of gravity
• Gyroscope data: Angular velocity values around the three local axes of the mobile phone
• WiFi: Record of WiFi operation on a mobile phone. It is used to improve driving record accuracy given it was pre-used by Apple and Google in conjunction with GPS. At the same time, it is used to send data from the device of the Application’s user (the «User») to and from the platform of the Provider at the choice of the User
• Push Notification Token Data: A unique alphanumeric code generated by Apple and Google, which is sent to the mobile device. This code is associated with one and only one installation of the Application. In the event of an uninstallation and reinstallation of the Application by the User, a new code is generated, including the date and time it was produced. This code, along with the date and time, is primarily recorded (1) for sending Notifications to the User, (2) for identifying potential uninstallation and reinstallation of the Application by the User in order to detect any unrecorded trips by the User, and (3) for the technical support of Users.
• Activity Recognition / Motion and Fitness data: Data of the User’s activity (indicatively walking, stopping, driving).
• Screen Status (Android only): Data on screen activation (active or inactive) as an additional criterion for determining mobile usage while driving.
• Mobile device data. These are provided by Google and Apple and include the manufacturer’s name, device model, operating system name and version, and the type of device sensors (e.g. accelerometer, gyroscope, compass, etc.) used to record data. These data are used for (i) providing support / service to you and for (ii) targeted troubleshooting
• Push Notification Token Data: A unique alphanumeric code generated by Apple and Google which is sent to the mobile phone. The specific code relates to a single installation of the Application only. In case of uninstalling and reinstalling the Application, a new code is generated stating the date and time it was generated. The specific code with the date and time is registered (i) for sending Notifications (ii) for providing service / protection / security to the User and (iii) for identifying any uninstallation and reinstallation of the User’s Application, for the purpose of detecting non-recorded Routes
• Data for the time and date of your entry / exit (Sign in / Sign out) from the Application. They are used for your support / service and for calculating the duration and/or frequency you are in Signed out mode in order to detect non-recorded Routes. In case you are in Sign out mode, the Application’s recording is blocked
• Data for the time and date of activation / deactivation of Location Services (GPS). Used for support / service
• Data for the time and date of activation / deactivation of Location Services (GPS). They are used for your support / service and for calculating the duration and/or frequency that you keep the GPS inactive in order to detect non-recorded Routes. In case it is inactive, the Application’s recording is blocked.
• Data for the time and date of activation / deactivation of Activity Recognition / Motion and Fitness data. They are used for providing support / service to you and to calculate the duration and/or frequency that you keep this setting inactive in order to detect non-recorded Routes. In case it is inactive, the Application’s recording is blocked.
• Data for the time and date of activation / deactivation of Compass Calibration (only for iOS). They are used for providing support / service to you and for the calculation of the duration and/or frequency that you keep this setting inactive in order to detect non-recorded Routes. In case they are inactive, the accelerometer and gyroscope data collection is blocked and so is the Application’s recording.
• Data for the time and date of activation / deactivation of the Application’s recording through its settings. They are used for providing support / service to you and for calculating the duration and/or frequency with which you keep the recording capability inactive, in order to detect non-recorded Routes. In case the recording of the Application is inactive, the Application’s recording is restricted.
• Data for the time and date of activation / deactivation of automatic background services (Background App Refresh, iOS only). They are used for your support / service and to calculate the duration and/or frequency that you keep this setting inactive in order to detect non-recorded Routes. In case it is inactive, the Application’s recording is blocked.
• Data for the time and date of WiFi activation / deactivation. They are used for your support / service and for calculating the hours and/or frequency that you keep this setting inactive in order to detect non-recorded Routes. If WiFi is inactive, it has been noticed that there may be a delay in the Application’s recording or it may be unable to operate.
• Data regarding the paired Bluetooth devices.
Certain Primary Data mentioned above (specifically, the data regarding the time and date of activation/deactivation of the mobile phone and the data regarding the time and date of activation/deactivation of the Motion and Fitness functionality / Activity Recognition / User Activity Data, Technical Data related to the operation of the Application) are collected only locally and are not sent to O7PLATFORM. It is emphasized that in the event the User submits a technical support request to the Company and the Company informs the Provider to enable the collection of Debug Logs (Technical Support Log Files), the Debug Logs may contain any of the aforementioned Primary Data. The Company must inform the User before enabling the Debug Logs.
3.The purposes of recording and processing the "Primary Data"
The purposes for which the above "Primary Data" are recorded are the following:
A) The removal of recordings (noise filtering) from the device's sensors that do not correspond to the driving behavior of the Application User.
B) For technology providers to determine, if available, the duration of speeding.
C) To determine the use of the mobile phone (how many times the User has made use of the mobile phone) and the duration of the use of the mobile phone, during a Route. It is clarified that only the use of the device during driving is examined (for speaking or recording a message or any other use of the mobile phone). The use of specific applications or their content, which concern the User’s personal data to which the Company cannot have any access, is not detected.
D) To determine «Incidents of Abrupt Driving Behaviour» (abrupt accelerations, decelerations) and the deceleration and acceleration profiles.
E) To determine the distance travelled in hours of increased risk (10pm - 4am).
F) To determine the distance travelled per Route and the total per time period (day, week, month, year) and until the end of the Insurance Policy or the Trial Period.
G) Determining the status of the Application User per Trip: driver of the vehicle or passenger.
H) Determining the type of vehicle in which the Application User is located per Trip: car, public transport, motorcycle, bicycle.
I) Developing specialized functionality in the Application that helps Application Users identify instances of unsafe driving behavior and improve their driving habits (e.g., maps, messages).
J) Optimizing the algorithms and scoring models in the Provider's system, with the aim of continuously improving the accuracy of the results provided to the Application Users and the accuracy of the results provided to the Company related to the calculation of premiums.
Meaning of "Trip"
A "Trip" is defined as the User's driving from the moment they start their vehicle until any stop lasting longer than 5 minutes. It should be noted that, in order to achieve even greater protection of Users' personal data, a portion will be deleted at the end of each Trip, a maximum of 1 minute or a maximum of 50 meters, whichever comes first, with the algorithm moving from the end to the beginning of the drive.
Specifically, regarding the geographic longitude and latitude data of the Application Users from GPS recordings, this information is stored and maintained on the O7PLATFORM for:
"Trips as a Passenger" are the trips that:
a) have been classified by the application as a passenger (i.e., a passenger in a car or another mode of transport, such as public transportation), in case you did not confirm your trip type and
b) you have personally marked the trip as a passenger-co-passenger. OSeven, which developed the SmartDrive application, may use pseudonymized driving data (e.g., time, GPS data) from these specific trips to improve the app and enhance the accuracy of its algorithms, thereby improving the accuracy of the results you receive if you provide your consent for this purpose.
If you do not accept this optional and additional consent for the use of data from these trips, you acknowledge that the data related to "Trips as a Passenger" will be anonymized and permanently removed from your profile fourteen (14) days after the start date of the trip, and you will not have access to these specific trips through the SmartDrive application.
It is clarified that the processing of Primary Data occurs both on a per-trip basis and for the totality of the User's trips until the expiration of their insurance policy. Additionally, the Primary Data is stored in connection with the User ID / Driver ID until the end of the insurance policy or the Trial Period, by the Provider, for each User in aggregate, with a recognized cloud service provider within the European Union, as chosen by the Provider, in a corporate account maintained by the “Provider” using cloud services. It is noted that INTERAMERICAN has no access to the Primary Data.
Extracting Driving Behaviour and Vehicle Use Data
From the above processing of the "Primary Data" through the technologies developed by OSeven, the "Driving Behaviour and Vehicle Use Data" are extracted. Indicatively, these concern the following:
• Number of Routes (per time period - day, week, month, year).
• Time and date of driving per Route.
• Distance travelled (per Route and in total per time period -day, week, month, year).
• Duration of driving (per Route and in total per time period - day, week, month, year).
• Number of steep brakes and degree of deceleration (per Route and in total per time period - day, week, month, year).
• Number of sharp accelerations and degree of acceleration (per Route and in total per time period - day, week, month, year).
• Average / maximum speed during a Route.
• Distance or duration of speeding in the driving area, for as long as the speeding lasts, if available from a technology provider (per Route and in total per period of time - day, week, month, year).
• Average speed of the User when they exceed the speed limit, if available from a technology provider
• Road type (urban road network, provincial road network, highway), within which the User moves, if available from a technology provider (per Route and in total per time period - day, week, month, year).
• Duration of mobile phone use, while driving, per Route. The user’s device (mobile phone) is detected and recorded in car activity, while driving (indicatively recording a message, speech or any other movement made by the User with his mobile phone) (per Route and in total per time period - day, week, month, year)
• Distance travelled in hours of increased risk (10pm - 4pm) (per Route and in total per time period - day, week, month, year).
• The classification of the User of the Application per Route (if they were a driver or passenger of the vehicle).
• The classification of the User of the Application per Route, with respect to the type of vehicle in which they are travelling (car, train or bus, motorcycle, plane, ship, bicycle).
The driving behaviour evaluation model per route takes into account the following parameters:
• Duration of speeding in the driving area and average speed over the speed limit, if available from a technology provider.
• Duration of mobile phone use while driving.
• Sharp decelerations (number and intensity) and deceleration profile.
• Sharp accelerations (number and intensity) and acceleration profile.
• Distance travelled in hours of increased risk (10pm - 4am).
The total score of the User and the vehicle respectively is calculated according to the weighted average of your scores for Routes you have driven (with distance being a weighing factor).
When covered by Smart Drive insurance, OSeven will send to INTERAMERICAN a total score regarding your driving behaviour, up until when the payment notice for the renewal is issued. Additionally, at the end of each month, it will send to INTERAMERICAN the monthly distance travelled recorded by the application, with you as driver, in order to determine the completion of the minimum requirement of recorded kilometres (250) each month. The final decision on whether or not there will be a reduced premium will be made by human intervention, by an authorized employee of INTERAMERICAN.
The above data will not be disclosed to third parties, subject to the contents of this information notice, except following a court summons, a public authority request or other legal procedure or any other event where national, European or international legislation imposes the above obligation.
The legal ground which INTERAMERICAN relies on for the above processing (collection of insurance policy data, the primary data of the users of the application as well as the driving behaviour data) is the execution of our contract while the legal ground for the processing that takes place if we are ever required to transfer data to public authorities, is for compliance with our legal obligations.
4. Data retention period
The personal data of Users is retained exclusively for the period required to fulfill the specific purpose for which it was collected, in full compliance with applicable law. Once the purpose of processing your personal data is completed, the data is either deleted or fully anonymized. The specific retention periods for each of the relevant processing purposes are outlined below.
Regarding the data collected through the Application:
In the case of the Trial User of Smart Drive, the data is retained throughout the duration of the trial use. After its termination, the retention period for the data collected by the Application is seven (7) days. After these 7 days, the Primary Data and the Driving Behavior and Vehicle Usage Data collected through the Application are disconnected from the unique user codes, resulting in the complete anonymization of the already pseudonymized data that OSeven had collected as the data processor. This process is irreversible.
INTERAMERICAN retains the Driving Behavior Data of the Trial User received from the Application for the entire duration of the trial period and for 6 months after its termination.
It is clarified that the Trial User's email is not stored in the Application; it is collected exclusively by INTERAMERICAN and is maintained in its records for the entire duration of the trial use and for 6 months after its termination.
When you enter into an insurance policy under the Smart Drive program, the only data we transmit to OSeven are the user’s and the transaction’s unique codes which cannot on their own be linked to a natural person. This data is stored on the OSeven platform within the European Union. Therefore, it is not possible for OSeven to identify the insured motor vehicle or the User, even if an insurance policy is entered into, since the data in its system are pseudonymized (the pseudonymization has been carried out by INTERAMERICAN).
When using the Application once an insurance policy is entered into, the retention period of the data collected by OSeven is seven (7) days after the termination of the insurance policy, if not renewed. After 7 days, the Primary Data and the Driving Behaviour and Vehicle Use Data collected through the Application are disconnected from the unique user codes, resulting in complete anonymity of the already pseudonymous data collected by OSeven as the processor. This process is irreversible.
5. Automated data processing
Automated processing of personal data and the relevant (automated) decision-making takes place in the «Pay how you drive» program. Automated data processing is performed as described above in sections 2 and 3.
(a) Automated processing is necessary to rate the insured’s driving behaviour and its ultimate goal is to provide an incentive (lower premium) to improve the driving behaviour of the insured.
(b) This automated treatment may result in a lower premium.In any case, there will be human intervention between the driving behaviour score formed based on the application and the decision to offer the lower premium.
(c) The Company shall take all measures required under the General Data Protection Regulation and the Code of Conduct for Personal Data of the HAIC when making a decision on the basis of automated processing, including profiling, with these measures being in particular concerned with ensuring human intervention, the use of suitable statistical or mathematical procedures and the application of technical and organizational measures in order to correct factors that lead to inaccuracies and to minimize the risk of errors during processing.
(d) The Company may also utilize automated processes during the term of the insurance contract in order to conduct checks to prevent insurance fraud and to comply with obligations arising from legislation aimed at preventing money laundering and the automatic exchange of information regarding financial accounts.
e)You have the right to express your opinion on a decision taken on the basis of the above automated procedure, to challenge it and to request a review by a competent employee. To exercise your rights, you should contact the Data Protection Officer (contact details: dpo1@interamerican.com.cy).
6. Your rights
Under the General Data Protection Regulation of the European Union and national law, you have various rights regarding your personal data. More information on these and how you can exercise them, you can see below in article 10.
In relation to the right of access to the personal data in connection with the Application specifically, please note the following.
You have the possibility to be informed through the Application for Driving Behaviour and Vehicle Use Data, such as the following (per Route and per period of time, where calculation per period is possible): Route date, Route start time, Route end time, Route duration, distance travelled, distance or duration when speed limit is exceeded in the driving area for as long as the speeding lasts, average speeding speed, rating by category (categories are: acceleration, deceleration, speed limit, duration of mobile phone use while driving), number of Routes, driving duration, number of steep brakes, number of steep accelerations, region / city in which you are moving when driving, your categorisation for each Route (if you are a driver or passenger), as well as and the final categorisation you choose, the categorisation for the type of vehicle you are in per Route (car, train or bus, motorcycle, plane, ship, bicycle), as well as the final classification you choose.
Moreover, you have the possibility, if you enable this in the Application’s settings, to display each Route on a map and to display driving behaviour data (speed limit, mobile phone use while driving, steep brakes, steep accelerations) on the map.
Through the request of access, you can be informed of the personal data concerning you exclusively, their source, the purpose of their processing, the recipients or the categories of recipients, the evolution of the processing for the period of time since your latest update, the rationale behind the automated processing and of the notification to third parties to whom the data has been disclosed. It is emphasized that INTERAMERICAN, as the data controller, has chosen not to have access to the Primary Data collected through the application with the aim to protect your personal data.
In any case, it is noted that access to and information on the logic behind the automated processing will not be able to reach such an extent so as to reveal the source code of the application used and the algorithm on which it operates.
7. How and with whom we share your personal data (recipients of personal data)
Information on how and with whom we generally share your personal data is included in the Company's general privacy policy above.
The following apply especially in relation to the Primary Data and the Driving Behaviour and Vehicle Use Data collected through the Application.
We have chosen not to have access to this data. We only take the score of the User's driving behaviour to determine whether he is entitled to a discount and the total distance travelled per month to check whether the relevant term in your insurance policy is observed for a minimum monthly distance.
OSeven processes the Primary Data and the Driving Behaviour and Vehicle Use Data on our behalf, as the data processor. In its system, OSeven maintains Primary Data and Driving Behaviour and Vehicle Use Data, which are pseudonymized (not linked to a natural person, but to an id user - only INTERAMERICAN has access to the link between the insured and the id user). We note that, in any case, OSeven undertakes, both itself and its associates, to use your data exclusively for the performance of lawful activities or any kind of activities they perform on our behalf and not for their own benefit. In cases where OSeven transfers your data to third-party processors, it signs a special agreement with the processors to ensure that the processing is carried out in accordance with the applicable legal framework, that suitable measures are taken for protecting the confidentiality and security of personal data and that each User will be able to exercise their rights freely and unhinderedly.
OSeven may transmit the User's Primary Data and Driving Behaviour and Vehicle Use Data across the borders within the European Union, always in a non-personalized form, to its parent company, or other subsidiaries, joint ventures or other companies that are under the same control. (collectively, "Collaborating Companies").
It is also possible to transfer the User's Primary Data and Driving Behaviour and Vehicle Use Data to a company that merges with OSeven, or acquires it or buys its assets.
OSeven may transfer your personal data outside the European Union only during use of the functions of the Firebase service of Google. The Application utilises the functions of the Firebase service of Google for achieving the optimal operation and technical support of the Application. Without these functions, then the Application or parts of it may not function properly or even at all. These functions are: Firebase Cloud Messaging, Firebase Crashlytics, Firebase Remote Config and FirebaseDynamic Links. Additionally, the Application utilises the GoogleAnalytics for Firebase function for the purpose of analysing user behaviour and improving the Application based on their preferences. The GoogleAnalytics for Firebase is not under any circumstances used for marketing and promotional purposes. You may find information regarding the collection and processing of your personal data by the aforementioned Google services here. Such data may be transferred outside the European Union at Google’s systems. Such transfer is made by using Standard Contractual Clauses, as approved by the European Commission.
8. Data security
The Company assures users that it takes all suitable technical and organizational measures for the security of their personal data, to ensure the confidentiality of their processing and protection from accidental or unfair destruction / loss / alteration, prohibited dissemination or access and any other form of illicit processing.
Although our company has chosen not to have access to the primary data collected through the Application, it has ensured that its data processor and provider of the application (OSeven) collaborates with the most reliable cloud computing providers and uses commercially widespread security practices and techniques, following the recommendations of European regulations and national legislation, such as pseudonymization, encryption and firewalls.
Your Primary Data and Driving Behaviour and Vehicle Use Data are stored securely in OSeven’s database, while your personal data collected on entering into the insurance policy as well as the data transmitted by OSeven to INTERAMERICAN (scores for driving behaviour and total distance travelled each month), are stored securely in INTERAMERICAN’s database.
However, no matter how effective the technology is, no security system is or remains impenetrable.
Therefore, even though we have taken care to adopt all the technically modern practices and to fully align with the strictest standards of the current legislation, these cannot fully guarantee the security of the database of their systems, nor that the information that they provide will not be stolen, as they are transmitted over the internet.
9. Amendments
This Information Notice on the processing of personal data for the Smart Drive Program has been drafted in accordance with the provisions of the General Data Protection Regulation No. 2016/679/EU and was last updated on 1/5/2020. In case of updates, any amendments will be posted on the Company's mobile application and website, and will note the date of the update.
10. Personal Data Protection Officer / How to submit requests, queries or complaints
You have the following rights with respect to your personal data:
1) Right of Access - the right to know which data of yours we are processing, the purpose for which they are processed and their recipients, as well as to receive copies of the data kept at our Company.
2) Right to Rectification - the right to request that any deficiencies or inaccuracies in your data be rectified, although we may need to verify the accuracy of the new information you have provided.
3) Right to Erasure - the right to request the erasure of your personal data, if you no longer wish this data to be processed, and if there is no legal basis for our Company to own and process it.
When can we deny requests to erase? You should know that the right to erasure is not an absolute right, and there are cases where it cannot be fulfilled, such as when your information is processed based on certain legal grounds such as those described above, including forwarding or defending legal claims on behalf of or against the Company.
Do we need to inform other recipients of your personal data about your request to erase? In case your right to erase is fulfilled, if we have provided the personal data that you want erased to third parties, we will take measures to inform them of your request to erase, so that, in turn, they erase that personal data but this may not always be feasible or may require a disproportionate effort on the part of our Company.
Especially regarding the deletion of your account data stored in the Application (App data Deletion) in addition to the possibility offered to you within the Application, you can also exercise your right from the website here. In this case your request is transferred immediately to the Technical Provider (OSeven) who performs the deletion.
4) Right to Restriction of Processing- the right to restrict the processing of your personal data when you disagree with the accuracy of the information and until the accuracy of the information is verified or if the processing is no longer necessary for the Company but you need it, in order to file, exercise or defend a legal claim or where the use of the data is unlawful but you do not want us to erase it.
Should we inform other recipients of your personal data about the restriction? In the event that we have shared your personal data with third parties, we will take action, if possible, to inform them about the restriction on the processing of your information, so that they do not continue to process it.
When can we refuse requests to restrict processing? You should be aware that this right is not an absolute right, and there are cases where it cannot be fulfilled, such as when your information is processed based on certain legal grounds, such as those described above, including the filing or defending legal claims on behalf of or against the Company.
5) Right to Data Portability - the right to receive your data in a structured and commonly used format.
6) Right to Object - the right to object to the processing of your personal data where we are relying on a legitimate interest (or the interests of a third party) and there is something about your particular situation that makes you want to object to the processing on this ground as you feel that this has an impact on your fundamental rights and freedoms. You also have the right to object when we process your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your data, which override your rights and freedoms.
7) The right not to be subject to automated individual decision making - The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning or similarly significantly affects you to a significant degree.
8) Withdrawal of consent - The right to withdraw your consent at any time, in cases where we rely on your consent for the processing of your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise if this is the case at the moment you withdraw your consent.
For more information on each of these rights, including circumstances in which they apply, please contact us or visit the website of the Office of the Commissioner for Personal Data Protection (www.dataprotection.gov.cy).
If you wish to exercise any of these rights, please:
• send an email to us at dpo1@interamerican.com.cy or submit a contact form on our website or by mail - see below: «How to submit requests, queries or complaints»,
• clearly define the right you wish to exercise in relation to the personal data you request and provide us with the information relating to your request,
• provide enough information to recognize you,
• provide proof of your identity.
If your request is not clear, we may request further personal data for clarification.
You will not have to pay any fees to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in such cases.
If you exercise any of these rights, we will take every possible measure to satisfy your request within thirty (30) days of receiving the relevant request, after informing you either of its satisfaction or of the objective reasons that prevent its satisfaction.
Notification concerning the processing of personal data through video survellaince
1. Data controller
The company INTERAMERICAN HELLENIC INSURANCE COMPANY S.A.will process your personal data collected from the use of a video surveillance system as the data data controller. You can find our contact details in section 7 below.
2. Purpose and legal basis of processing
We operate a surveillance system for security purposes,to protect individuals and property. For this reason, the processing is necessary for the legitimate interests pursued by the company INTERAMERICAN as data controller (article 6, paragraph 1(f) of the General Data Protection Regulation 2016/679).
3. Our legitimate interests
Our legitimate interest arises from the need to protect our premises, facilities and the property located there, from illegal acts. The same applies with regards to the safety of life, the physical integrity and health as well as the property of our staff and third parties legally present in the supervised area. We wish to inform you that the installed cameras focus on the property which they are intended to protect, ie the safety of our property and people, therefore we have restricted the scope of the image to the absolutely necessary spaces in front of the entry points and exit points, in the cash register/reception area, in the corridors, but also in critical areas in our facilities (such as electromechanical installations, warehouses, computer rooms, car parks, etc., where visitors are not allowed access) without however recording images of persons or sound from indoor or outdoor adjacent areas. The way our cameras are installed, they do not in any case record the movement of persons in adjacent outdoor areas and roads, nor internally in work spaces, recreational spaces or in the bathrooms. Additionally, our company applies privacy masks to all installed cameras when taking pictures, ie any faces and any adjacent traffic areas (roads, passers-by, etc.) are sketched over. Our company implements all modern and appropriate technical and organizational measures for the processing of video surveillance data, the responsiveness of which is checked regularly. In addition to all the above, before a person enters in the scope of the video surveillance system, we ensure that he is informed, in an appropriate, obvious and understandable way, that he is about to enter an area where a closed circuit television is operating and that he is given all the necessary information regarding the processing, the nature of the system used and who the Data Controller is. We have displayed information signs visible to the public and our employees in internal areas where cameras have been fitted.
4. Recipients
Only authorised personnel, employed by us and the security company which we work with, has access to stored material.Such material is not transferred to third parties, except in the following situations: a) to competent judicial, governmental and police authorities as part of an investigation of a criminal offence, which relates to people or the property of the Data Controller, b) to competent judicial, governmental and police authorities who legally request to receive data in the exercise of their authority, and c) to the victim or offender of a criminal offence, if the data may be used as a evidence for the offence.
5. How long personal data is kept
Our recording system processes and keeps sketched the images it receives from the video surveillance system. The data from the CCTV system is kept for 15 days, in accordance with the law, and is erased after this period expires. In case we discover an incident during this time, we will isolate the relevant part of the video and keep it for up to an additional month, in order to investigate the incident and initiate legal proceedings to protect our legitimate interests. If the incident concerns a third party, we will keep the video for up to an additional 3 months.
6. Data subjects’ rights
The data subjects have the following rights:
- Right to access: you have the right to know whether we are processing your image and, if this is the case, to receive a copy thereof.
- Right to restriction of processing: you have the right to require us to restrict processing of your personal data, for example by not deleting data which you consider necessary for establishing, exercising or supporting legal claims.
- Right to object: you have the right to object to the processing of your personal data.
- Right to erasure: you have the right to require us to delete your personal data.
You may exercise your right by using our contact details below (“How to submit a request, question or complaint”). In order to examine a request concerning your image, you must specify to us when (approximately) you were within the range of the cameras and to hand over a picture of yourself to us, to help us locate your personal data and hide the data of third parties. Alternatively, we may give you the opportunity to come to our premises in order to show you the images in which you appear. We also note that, exercising the right to object or erasure does not immediately lead to the your data being deleted or to any changes in the processing. In any case, we will reply to you in detail as soon as possible, within the time frames provided by the GDPR.
7. How to submit a request, question or complaint
If you have any questions concerning the processing of your personal data, if you want to exercise any of your rights or submit any complaint with respect to your personal data, you may contact the Data Protection Officer of our Company by sending a letter at Griva Digeni Avenue 42 – 44, 1080 Nicosia or by e-mail at helpdesk@anytimeonlince.com.cy or by calling at 80088800.
Furthermore, if are not satisfied with our reply to your request, you always have the right to address your request to the Office of the Commissioner for Personal Data Protection in Cyprus, at Iasonos 1, 1082 Nicosia P.O. Box 22378, 1682, Tel: +357 22818456 Fax: +357 22304565 or by sending an email at: commissioner@dataprotection.gov.cy and the Data Protection Authority in Greece, which is based in Athens and accepts the submission of complaints, either by calling at +30-210 6475600 or by submitting your request in writing at Kifisias Avenue 1-3, P.O. Box 115 23, Athens or by email at contact@dpa.gr.