PassportCard’s Privacy Notice
Please read this statement carefully. This Privacy Notice and Declaration of consent and release of secrecy (“Privacy Notice”) is about the processing of personal data. It explains to you which personal data is processed for which purposes. "Personal data" is any information relating to an identified or identifiable natural person.
The controller of the Personal Data is:
PassportCard Cyprus Insurance Broker Ltd (hereinafter: "PassportCard" or "We")
Address: 7 Florinis Street Greg Tower, 6th Floor, 1065 Nicosia, Cyprus.
Phone number: +357-22007080
Data Protection Officer of Controller: email@example.com
This Privacy Notice applies to the collection of personal data via inbound and/or outbound telephone calls, via our mobile app (“APP”), via our website, as well as for any other collection of your personal data, including via other digital channels such as WhatsApp.
This Privacy Notice applies to our customers, our business partners, our contractors as well as to applicants for a position within our company.
If necessary and where legally required, we will also inform you separately about the processing of your personal data in other contexts if this has not yet been done by this privacy notice.
If necessary and where legally required, we obtain a separate explicit consent declaration including by obtaining confirmation of the following Declaration of consent for the processing of health data, transfer of personal data to outside EU and release from confidentiality of medical providers and PassportCard as insurance intermediary:
We will not use or disclose your Personal Data for purposes other than those purposes specified in this Privacy Notice. We will do our best to protect the privacy of your Personal Data. If you have any concerns about the way we process your Personal Data, you are welcome to contact our data protection team at: firstname.lastname@example.org or contact our customer service center. We will look into your enquiry and make good-faith efforts to resolve any existing or potential dispute with you. If you remain unhappy with the response you received, you can also refer the matter to the relevant supervisory authority.
1. Processing of Personal Data of children under the age of 18
We are legally obliged to only provide our services to people who are at least 18 years old. By concluding a contract with PassportCard, you confirm that you are over 18 years of age.
2. How and why we need your Personal Data - provision of services
Your Personal Data is collected from the personal digital spaces we provide you (APP, webpage and self-service webpage), by our sales department, or by our services representatives, also, of you agree, via telephone.
We use the Personal Data we collect and receive to provide our service, to study and analyze the functionality of our services, website and APP and to analyze users' activities, to provide support, to measure service activity, to conduct surveys and send questionnaires, to maintain our service, to make it better and to continue developing the service and to communicate with natural persons working for our business partners.
We may use your email address to contact you when necessary, to send you reminders and to provide you information and notices about our service, provided that other necessary prerequisites are also fulfilled.
We obey the law and expect you to do the same. If necessary, we may use your Personal Data to enforce our terms, policies and legal agreements, to comply with court orders and warrants, and assist law enforcement agencies, to collect debts, prevent fraud, misappropriation, infringements, identity thefts and any other misuse of our service, and to take any action in any legal dispute and proceeding.
Though you are not required by law to provide us your Personal Data, failing to provide us with any necessary Personal Data might jeopardize our ability to provide you with essential services including providing you with health insurance coverage and/or managing pending claims you may have filed with us.
3. The Personal Data you provide in order to apply for insurance coverage
As a potential insured member, we may ask you to provide us with your personal data. We may ask you for your name, your contact details, your gender, your birthday, your passport number (or other forms of state issued identification number), your email address, profession, medical history and/or current status and financial information. If you wish to enroll any of your family member to our insurance policy, we may ask you the same information about them as well. If you are enrolled to our insurance policy as part of a corporate group, we may also ask for your workplace and job title. Subject to your consent, we will also store our phone conversation with you.
As an insured member we may ask you to provide additional personal details, such as medical documents and legal documents and your premium debt status. When you file an insurance claim with us, we may collect and process your medical bills, your written correspondences with us and any written notes taken about you by our customer representatives.
If you, as a potential insured member or as an insured member, correspond with us by telephone, recording our phone conversation with you is subject to your consent and we will make sure to ask for it before we record you.
If you purchased an insurance cover with us via a credit/debit card, please note that we comply with the Payment Card Industry Data Security Standard (PCI DSS). Accordingly, we have implemented data security and organizational measures that protect your payment information such as credit/debit card number and keep them in confidence.
If you provided us with your bank account information for future insurance payments, we will keep those in confidence in accordance with the data protection standard described in this statement.
When you contact us, or when we contact you, we may receive and process any personal information that you provide us. We may participate in correspondences you have with treating and/or advising physicians for rendering you further services and/or examining eligibility for insurance.
We advise you to be cautious when uploading insurance related content through our APP and/or our self-service website and/or through emails. Please also avoid any involuntary disclosure of your Personal Data or disclosure of others' Personal Data without their consent.
4. The Personal Data that we collect when you access our website or mobile app
When you access our website or mobile app, our servers may log certain 'traffic/session' information from your device, such as the country from which you use the Service, the browser type, operating system, geo-location and the Internet Protocol (IP) address. We also collect information about your activity, for example your log-in and log-out time, the duration of sessions, viewed web-pages or specific content on web-pages, etc. Log-files store this information with your full IP-address in case of a corresponding declaration of consent.
5. Is there an obligation to provide Personal Data?
We are required to collect your Personal Data as set out in paragraph 3. Without this data, we will generally not be able to provide you with health insurance coverage and/or manage pending claims you may have filed with us.
In some cases, we are under a legal obligation to process personal data. Examples are to detect, prevent and investigate fraud or to facilitate the exercise of your consumer rights. Further we may need to process your personal data to detect, prevent and investigate any other actual or suspected violations of law or misuse of our service.
6. On what legal basis do we process your Personal Data?
We process Personal Data under the following lawful grounds: (i) the processing of special categories of personal data such as the data concerning health is based on your explicit consent; (ii) the processing of your personal data is necessary for us to perform the agreement with you and to take steps at your requests prior to entering into the agreement between us; (iii) the processing of your personal data is necessary for us to comply with legal obligations to which we are subject; (vi) the processing of your personal data is necessary for legitimate interests, such as cyber security and data protection, fraud detection, service maintenance and control, support, back-up, data disaster recovery.
7. Who receives your personal data?
Except as set out in this Privacy Notice, we do not sell, trade or otherwise transfer your Personal Data to outside parties. Your Personal Data may be transferred to the following categories of recipients:
• Parent companies, subsidiaries, and other affiliated companies.
Within PassportCard your Personal Data is provided to the respective departments that need such data for the execution of the insurance policy you have chosen.
Please find a list of the affiliated companies here http://www.davidshieldgroup.com/.
• Third party administrative services providers
• Third party information technologies providers (such as cloud providers)
Third-party service providers engaged by us and working on our order to support data processing (so-called “processors”) may also receive data for these purposes. Service providers can also be commissioned to provide server capacity.
Your Personal Data will be disclosed by us to third parties only if this is necessary for the fulfillment of our legal and/or contractual obligations, if we or the third party have a legitimate interest in the disclosure, or if you have given your consent in relevant cases. In addition, data may be transferred to third parties to the extent we are required to do so by law or by enforceable regulatory or judicial order. Third parties to whom we may transfer your Personal Data, irrespective of the services we provide, include:
• Medical providers
• Legal representatives
• Insurance consultants
• Corporate contact personnel (applicable to groups/business insurance policies)
• Insurance brokers and agents
• Law enforcement departments (after providing us with a valid legal request for disclosure)
• Insurance companies that ultimately will be responsible to pay your insurance claim (if applicable)
• Experts for the purpose of assessing inter alia injuries, diseases and their causes
• Relevant financial institutions such as: banks, credit cards processors, clearing houses, Payment Service Providers (gateway companies), and card issuers
8. Where do we process your Personal Data?
Your Personal Data is generally processed in Cyprus and Germany
Not all of the parties listed in paragraph 7 above are located in the European Economic Area. If we need to transfer Personal Data to a party which is located outside the EEA, we ensure that the transfer shall take place in accordance with the general principles of transfer as laid down in the GDPR. To the extent necessary under EU privacy laws and regulations, we have implemented data onward transfer instruments, such as the Controller to Processor Standard Contractual Clauses (SCCs), the Controller to Controller SCCs. The transfer may be subject to appropriate safeguards included in the EU-US Privacy Shield Framework.
In certain cases, we may need to transfer your personal information to countries outside Europe. This transfer is either necessary for the fulfilment of our insurance contract (see Art. 49 subsection 1 sentence 1b GDPR) or covered by your consent declaration (see above).
9. Public access to your personal information
Prior to our first communication with you, we may have received, or granted access, to your Personal Data from social media and other public online platforms on which you publicly published your Personal Data. This personal information may include, but is not limited to, your personal and contact information, geographical location and other types of data that appears, publicly, in your social media and other public accounts.
10. How long will we store your Personal Data?
We need your Personal Data to adjudicate any claims you may file with us under your health insurance coverage and or with the insurance company (for example to receive insurance reimbursements). We will store your Personal Data for at least the minimum amount of time required by the regulations of your jurisdiction.
If after a request for an offer for an insurance agreement, a contract with PassportCard is not concluded, health related data is stored for a period of 3 years from the end of the calendar year of my request. Other, not health related personal data is, in such a case, stored for a period of 6 years after the end of the year of the respective application based on HGB and AO (obligation to store business letter for at least 6 years).
11. Data protection related information for applicants for a job at our company
We use, process and store Personal Data that you provide to us in connection with an application for a job at our company based on Article 6 subsection 1a GDPR, your respective consent declaration which is expressed in the transmission of these documents.
Application documents are processed by employees of our Human Resources department and as the case may by superiors of the respective department. Beyond that, applicants’ personal data can, for organizational reasons, be exchanged within the http://www.davidshieldgroup.com/, of which PassportCard is part of, for example for the purpose of the better organization of trainings.
Applicants’ personal data will be deleted not later than 6 months after the rejection of the respective application unless there is a consent to a longer storage provided by the respective applicant.
12. Personal Data security
We will use our best efforts to protect the confidentiality of your Personal Data. We use reasonable data security measures in line with the high industry standards. We also adopted strict rules that include technical and physical administrative measures for protecting your Personal Data, including protecting against Personal Data misuse and against unauthorized hacking.
13. Web services disclaimer
Our websites might include links to external third-party websites. If you follow a link to any of these websites, please not that they have their own privacy notices which should be reviewed. Please note that we are not responsible for the privacy protection, policies, and use of any software offered in these external websites. we will not be responsible for any direct or indirect damages caused from the use of third-party websites.
The 3 main types of cookies we use on our website are:
Strictly necessary cookies
These cookies are essential. Without them you might not be able to get the information or service you have asked for. They are needed for things like logging whether you see error messages – so we can make improvements and fix bugs – as well as allowing you to apply online for an insurance solution on our online form.
Analytics and measurement Cookies
We use several technologies to understand how visitors use our website or app. These help us to identify areas for improvement, and to collect and report on commercial data (like sales volumes). We may, for example, analyse website usage and identify a page where people struggle to know what to do next; we'd then use session capture to observe some individual site visitors and find out what the issue is.
Tools we use for analytics and measurement include:
Google Analytics (Google Inc.)
Our website uses Google Analytics, a web analysis service from Google Inc. ("Google. Google Analytics employs so-called “cookies“, text files that are stored to your computer in order to facilitate an analysis of your use of the site. The information generated by these cookies about your visits to our site is transmitted to Google’s servers in the US and stored there. However, using the IP anonymization (“anonymizeIP”) activated for this website, Google will shorten your IP address (IP masking) within the member states of the European Union, or other countries within the European Economic Area (so-called IP masking).Only in exceptional cases will the full IP address be transferred to a Google server in the USA, and will be shortened there for further processing. On behalf of the website provider, Google will use this information to evaluate your use of the website, to compile reports on the website activities, and to provide other services related to website use to the provider. The IP addresses transferred in the context of Google Analytics from the App will not be put together with other Google data. You can prevent cookies from being installed by adjusting the settings on your browser software accordingly. You should be aware, however, that by doing so you may not be able to make full use of all the functions of our website. You can prevent the transfer of data created by the cookie and related to your use of the website (including your IP address) to Google and the processed of tis data by Google, by downloading and installing the browser plugin available under the following link (https://tools.google.com/dlpage/gaoptout?hl=en).
You can prevent the identification by Google Analytics on this website, by clicking on the following link. An opt-out cookie will be placed which prevent the future collection of your data when visiting this website:
Deactivate Google Analytics
We would like to point out that on this webstie Google Analytics uses the “anonymizeIP” function in order to ensure anonymous detection of IP addresses (so-called IP masking). This ensures that one cannot create a personal reference using IP addresses.
Your consent to cookies:
Strictly necessary cookies do not require your consent.
For analytical and measurement cookies as well as for targeting or advertising cookies we request your consent before placing them on your device. You can give your consent by continuing to use our website or by clicking on the appropriate button on the banner displayed to you when visiting our website.
What about links to other websites and their Cookies?
We often link to other sites to give you extra information or services. Where these are provided by a third party, you may leave our website by clicking through to theirs. In this case, the Cookies policy set out on the third party's website will also apply. As this won't be controlled by us, you should read their policy to find out what information is being collected and how it's used.
How to control Cookies
You can restrict, remove or block Cookies through your browser settings at any time.
In addition to what is specified in this document, the user can manage preferences for Cookies directly from within their own browser and prevent – for example – third parties from installing them. Through the browser preferences, it is also possible to delete Cookies installed in the past, including the Cookies that might possibly have saved the consent for the installation of Cookies by this website. It is important to note that by disabling all Cookies, the functioning of this site may be compromised. Users can find information about how to manage Cookies in their browser at the following addresses: Google Chrome, Mozilla Firefox, Apple Safari and Microsoft Windows Explorer.
15. What rights do I have?
As the data subject, you are entitled to the following data protection rights:
Access: You have the right to request access to personal data related to you and stored at PassportCard and about the scope of data processing and data transfer performed by PassportCard and to obtain a copy of your stored personal data.
Rectification: With respect to your personal data stored at PassportCard, you have the right to demand the immediate rectification of incorrect personal data and you have the right to have incomplete personal data completed.
Erasure: You have the right to demand the immediate deletion or erasure of your personal data stored by PassportCard, if the legal requirements are satisfied.
This is the case, in particular, if
• Your personal data is no longer needed for the purposes for which it was collected;
• The sole legal basis for processing such data was your consent, and you have withdrawn such consent;
• You have objected to processing on the legal grounds relating to your particular situation, and we cannot prove that there are overriding legitimate grounds for processing;
• Your personal data were processed unlawfully; or
• Your personal data must be erased in order to comply with legal requirements.
If we have transmitted your data to third parties, we will inform them about the erasure to the extent required by law.
Please note that your right to erasure is subject to certain limitations. For example, we may not and/or must not erase data that we are still required to retain due to statutory retention obligations. In addition, your right of erasure does not extend to data that we need in order to assert, exercise or defend against legal claims, unless other grounds for continued storage exist.
Restriction to the Processing:
Under certain conditions, you have the right to request that processing be limited (i.e., the marking of stored personal data with the aim of limiting its processing in the future). The requirements are:
• The accuracy of your personal data is contested by you and PassportCard must verify the accuracy of the personal data;
• The processing is unlawful, but you oppose the erasure of the personal data and request the restriction of their use instead;
• PassportCard no longer needs the personal data for the purposes of processing, but you require the data to establish, exercise or defend your legal claims.
• You have objected to processing pending the verification of whether the legitimate grounds of PassportCard override your legitimate grounds.
Where processing has been restricted, such data will be marked accordingly and, with the exception of storage, will be processed only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest the EU or an EU Member State.
To the extent that we automatically process your personal data that you have provided to us based on your consent or any contract with you, you have the right to receive such data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from PassportCard. You also have the right to have the personal data transmitted directly from PassportCard to another controller where technically feasible, provided that such transmission does not adversely affect the rights and freedoms of others.
Right to Object:
If we process your personal data on grounds of legitimate interests or in the public interest, then you have the right to object to the processing of your personal data on grounds relating to your particular situation. In addition, you have an unrestricted right to object if we process your data for our direct marketing purposes. Please see our separate note in the section titled “Information about your right to object”.
Withdrawal of Consent:
If you have given consent to the processing of your personal data, then you can withdraw such consent at any time. Please note that the withdrawal applies prospectively only. Processing that occurred before the withdrawal of consent remains valid.
Furthermore, you have a right to file a complaint with a data protection authority, if you believe that the processing of your personal data is unlawful. The right to file a complaint does not affect any other administrative or judicial remedies.
The address of the data protection supervisory authority responsible for PassportCard is:
Office of the Commissioner for Personal Data Protection
P.O. box 23378
1682, Nicosia, Cyprus
Information about Your Right to Object
Right to object for personal reasons
You have the right to object to the processing of your personal data on grounds relating to your particular situation. The prerequisite for this is that the data processing takes place in the public interest or on the basis of a balancing of interests. This applies also to profiling.
Insofar as we base the processing of your personal data on a balancing of interests, we generally assume that we can demonstrate compelling legitimate grounds but will, of course, examine each individual case.
In the event of an objection, we will no longer process your personal data, unless
• We can demonstrate compelling legitimate grounds for the processing of these data that override your interests, rights and freedoms, or
• Your personal data serves the establishment, exercise or defence of legal claims.
Right to object to the processing for direct marketing purposes
You have the unrestricted right to object to the processing of your Personal Data for direct marketing purposes, which include profiling to the extent that it is related to such direct marketing without providing any reason.
In the event of an objection, we will no longer process your Personal Data.
Exercise of the right of objection
The objection can be made without form and should preferably be made to the contact data listed in this data protection notice.
16. Disclosure of Personal Data in case of emergency
In cases of an emergency, we may choose to disclose your Personal Data to a third party if all of the following apply:
1. We are approached by a third party, who is your close relative or is otherwise connected to you, asking us to disclose your Personal Data (we will verify by reasonable means the third party’s connection to you).
2. We are unable to contact you after reasonable efforts, depending on the nature and scope of the emergency.
3. We conclude after reasonable evaluation that the requested disclosure is necessary in order to protect your vital interests.
17. Notification of changes
We may change the terms of this privacy notice occasionally. We will notify you via our website or mobile app. Please read all occasional changes to this policy as they may affect your privacy rights.
18. Less secured communication during emergencies
You might need our services during unfortunate circumstances such as emergency medical care, hospitalization, during various types of check-ups with your doctors and more. During these times, and within the scope of our services, you will need to share with us Personal Data relating to your specific problem. While we prefer using secured communication channels through which you may provide us, and we may send you, Personal Data, we also understand that these channels will not always be available to you during times of need. Thus, if you are interested in sending us, and receiving from us, respectively if you send us Personal Data about you via unsecured communication channels (such as Whatsapp, S.M.S and any other IM or unsecured channel) you accept the above mentioned risks. Please note that we will not be liable for any system failure or personal data hacking while using these channels and to use these channels you retain the sole and full responsibility for using these unsecured methods of communications.
19. Direct Marketing
If you purchased an insurance cover with us and are therefore an existing customer, we have included you in our marketing distribution list. We will send you in the future information on our company and its offers. You can opt out from our marketing distribution list by sending us a request to csr@PassportCard.com.cy or by clicking the remove option in our notices. Opting out from the marketing distribution list will have no effect on your contractual rights. We will inform you on this right and possibility in the course of every single marketing information.
If you do not have an insurance cover with us and are interested in receiving information about the products we offer, you can contact us at csr@PassportCard.com.cy and request to be listed on our marketing distribution list.