Privacy Policy

Our Approach to Privacy

Personal data means any information that relates to an identified or identifiable natural person. In particular, the personal data which is processed by us is that of natural persons who are our clients (including policy holders and individuals named under a policy), contractors, employees, directors, members and/or business affiliates as well as personal data of any other individuals including but not limited to authorised representatives, employees, directors, beneficial owners and shareholders of our clients, contractors and/or business affiliates, being legal entities (“you”). Gan Direct is committed to protecting your and your family’s personal information. The privacy and security of your personal information is very important to us and we want to assure you that your information will be properly managed and protected whilst in our hands.

Pursuant to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”) and The Protection of Natural Persons against the Processing of their Personal Data and the Free Movement of such Data Law of 2018 (L.125(I)/2018), as amended and other applicable data protection laws, as amended from time to time, we are required to notify you of the information contained herein.

Section 1: WHO WE ARE

We are Gan Direct Insurance Limited (“we”, “us” or “our”). We operate in Cyprus and you will know us by our brand name Gan Direct. During the course of our business relationship, we collect and process relevant personal data. We are a data controller in respect of such personal data. This means that we are responsible for determining the purposes and means of the processing of such personal data.

For the purposes of this Privacy Notice, “Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, storage, use, disclosure, erasure or destruction. “Business relationship” means the provision of insurance and/or our commercial and/or business and/or other relationship with you including, but not limited to, for the provision of our services to you and the various transactions entered into between us and you from time to time.

This Privacy Policy relates to our use of any personal information we collect from you via our Branches, Call Centre, emails, fax, in person, other third-party sources or via the following online services:

  • Any Gan Direct website that links to this Policy (“Websites”)
  • Social Media or Gan Direct content on other websites
  • Mobile and other applications (“Apps”)

Section 2: WHAT INFORMATION DO WE COLLECT ABOUT YOU?

We may receive personal information about you, when you contact Gan Direct for example by doing any of the following:

  • Creating a new account
  • Requesting or obtaining a quote
  • Purchasing a Gan Direct product from us
  • Using the Websites and Apps
  • Entering Gan Direct competitions
  • Using live chat
  • Taking part in any event organized by us
  • Telephoning, texting, writing by post, fax or email, or communicating via online channels such as online chat and social media.

This information may include:

  • Basic personal details such as your ID or passport number, full name, address, e-mail address, telephone number(s), date and country of birth, gender, marital status, occupation
  • Additional Information about your lifestyle and insurance needs, such as details of your car(s), your home, your properties, your household, your health, or your travel arrangements
  • Information about your other policies, such as claims history, quotes or policies history, additional policies held, claims data
  • Technical Information when using our websites or Apps such as date and time of access, Browser type/version, used operating system, URL of the previously visited website, amount of data sent;
  • Information about your employment, including salary;
  • Your marketing preference; and
  • Car: we may collect vehicle registration details and data about your car from publicly available sources.

From potential employees:

We may also collect personal data from candidates for recruitment purposes. The information that we may collect and hold about candidates may include:

  • Name, surname, address, telephone number(s) and email address
  • Details of qualifications, skills, experience, employment history
  • Any additional information contained in a candidate’s CV such as referee information disclosed at interview or otherwise provided to us during the recruitment process.
  • Competency test results

The Company needs to process data to decide whether to enter into a contract of employment with a particular candidate and may also process certain data to ensure that it is complying with its legal obligations. The Company has a legitimate interest in processing personal data during the recruitment process and in keeping records of the process in order to manage the recruitment process. It is required to assess and confirm a candidate’s suitability for employment and decide to whom to offer a particular role. We may also need to process candidate data to respond to and defend ourselves against legal claims.

The Company will not share a candidate’s data with third parties, unless we have his or her consent, his or her application for employment is successful and an offer of employment is made to him or her. Once an offer of employment has been made and accepted by a candidate, we may also contact the previous employers named by that candidate as referees for the purpose of obtaining employment references.

Special Categories of Personal Data (sensitive data)

In certain cases we collect and process special categories of personal data such as data concerning health information (for example tobacco use, current state of health, existing conditions, family or personal history in relation to some conditions). We shall process such data subject to your documented consent and/or where the processing is necessary for the establishment, exercise or defense of legal claims relevant to us.

We obtain the above from your mobile devices for driving applications and the following people:

  • The main policyholder will provide most of the information we collect about health (including confirming whether hospital treatment is being sought), including on behalf of others named on the insurance policy e.g. medical screening to support a travel policy;
  • Fraud prevention or law enforcement agencies may provide details to us about criminal convictions or offences;
  • Witnesses to an accident may provide medical information to us if there is an investigation of a claim;
  • We may use information about a child, for example, where the child is a beneficiary under a policy or if involved in an accident.
  • We collect and use this information as part of your insurance quotation or contract with us, or where it is necessary for a legal obligation, or as part of the establishment or defence of a legal claim.

If during the course of our business relationship there is a change in your personal data we ask you to ensure that the above details (as and where applicable) are updated by contacting us as soon as practically possible.

Information collected from you & cookies policy

Where we have collected information directly from you it will usually be obvious what this is, as you will have given it to us. This might not be the case where we have used cookies to collect information from your computer or portable electronic devices. Please see our cookies policy for more information. Specifically, we might collect the following information when you visit our website or use our applications:

Location Data: We may receive information about your location. We may determine your location through your IP address and, when accessing the Website through a mobile device, by using the data that we collect from this device. This includes information about the wireless networks or cell towers near your mobile device at the time of access.

We also collect, use and share Aggregated Data such as statistical or demographic data. Aggregated Data may be derived from your personal data but is not considered personal data by law, as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.

Information collected from others

We can collect information about you from others. This includes information from:

  • Policyholders, Joint policyholders or policy beneficiaries. Where you are named on a policy as a named additional driver or joint policyholder or a beneficiary of that policy we may collect information about you from any named policyholder. We will ask them to confirm that they have your permission to give us this information about you and we will contact you following the issuance of a policy to confirm your details and obtain your explicit consent.
  • Fraud prevention, law enforcement or government agencies and other data sources used to prevent or detect fraud or provide details to us about criminal convictions or offences.
  • Authorities in relation to regulatory issues.
  • External sources such as no claims discount databases, the electoral roll and insurance comparison websites to help us decide what the risk is in selling the policy and from companies that hold information about insurance renewal dates, marital status, household residents, vehicle details, employment status and household income to help us work out which information we should provide to you about our other products and services.

Personal information about others

We may collect information about other members of your household or family or friends, for example, family members or friends who may drive your car or children who may be insured for health insurance by you.

If you give us information about another person, it is your responsibility to ensure and confirm that:

  • You have told the individual who Gan Direct is and how we use personal information, as set out in this Privacy Notice; and
  • You have the consent from the individual to provide that information (including any sensitive personal data) to us and for us to process it, as set out in this Privacy Notice.


Use of CCTV

Our offices may also have CCTV cameras installed, which may capture and collect video footage or images of you for security purposes.

SECTION 3: WHAT DO WE DO WITH INFORMATION WE COLLECT ABOUT YOU AND WHY WE MAY DO THIS?

We may use your personal information in order to meet our obligations in our contract of insurance with you, to fulfil our legal obligations, to protect your or another data subject’s vital interests and to fulfil our legitimate interests.

Specifically, we use your personal information in the following ways:

A. Provide insurance services

When you request us to provide you with a quote for one of our insurance policies or you purchase an insurance policy from us, we use information about you:

  • To decide what the risk might be in selling you the policy, to quote for, and provide you with, a premium for that policy and any special terms that may apply to that policy (noting that we may use automated decision making to make this assessment – see section 9 below);
  • To administer your policy and monitor the payment of instalments if you pay your premium in this way;
  • To contact you about the policy (e.g. to inform you about your renewal or about any missing documents or information); and
  • To provide the agreed service if you make a claim (e.g. sending an external associate or member of our staff to assist you in a roadside breakdown or accident situation, to assist you in the event of property damage, or to provide you with medical assistance if you are injured or unwell when overseas).

We cannot provide the services unless we use the information about you in this way.

B. Do what we are required to do by law

As part of our duty as an insurer providing insurance services, sometimes we are required by law to use information about you:

  • To help make sure our customers are being treated fairly (e.g. to assist our regulators where we have a legal duty to do so);
  • To deal with complaints;
  • To supply your personal information to databases after request from government or other authorities;
  • To help prevent and detect crime (including, for example, the prevention or detection of fraud); and
  • To comply with a legal or regulatory obligation.

We can use your personal information in this way because we are required to do so by law.

C. Prevent fraud occurring

Fraud has an impact on all customers as it increases costs for everyone. We use your personal information to check for signs that customers might be dishonest (e.g. if someone has behaved dishonestly in the past it may increase the risk they will do so in future).

We may use your personal information in this way because it is in our interests to detect fraud and in all our customers’ interests to ensure that they are not prejudiced due to increased premiums as a result of a few customers acting dishonestly.

D. Recover debt

If you owe us money we will use your personal information to help us recover it.
We can use your personal information in this way because it is a necessary part of the contract of insurance. We need to ensure that premiums are paid so that the majority of our customers do not suffer (e.g. through increased premiums) due to the actions of a small minority of customers.

E. To inform you about and promote products (marketing)

You can clearly indicate your marketing preferences when registering for an online account. These preferences can be revisited at any time by contacting any of our Customer service Representatives or by visiting your online account. Please see section 10 for contact details.

We may use your personal information to offer you suggestions about products and services you might want to buy. We may use external companies to do this on our behalf.
We can use your personal information in this way on the basis of your explicit consent or on the basis of the legitimate interests pursued by us. We aim to provide you with the right information at the right time, so that we may look at ways of extending our relationship that we have with you. We will always ensure that we keep the amount of your personal information that we collect and the extent of any processing to the absolute minimum to meet this legitimate interest.

Where we have a legitimate interest to do so or, where you have given us your consent, we may pass your personal information to third parties including:

  • Companies that introduce our customers to products and services. We may send you marketing from them where we believe you will have an interest in their communications and / or
  • External companies such as digital content providers to display adverts about our products and services.

If you are a client and you have not opted out of marketing we will send you information about our products and services by email, post, telephone or SMS unless you tell us not to. If your information has been provided to us by a third party for marketing purposes, we will rely on the documented consent (if and where applicable) you have provided to them to conduct direct marketing.

If at any time you do not wish us to use your personal information for this purpose (direct marketing), you may ask us not to do so. In such case we will no longer process your personal data to the extent that it is related to such direct marketing. See section 10 below for how to contact us. Should you choose to opt out of receiving our marketing material, we will continue to carry out our other relevant activities using your personal data.

F. Where your or another person’s life may be at risk

We will use your personal information to assist where your or another person’s life or health is in danger and obtaining your permission is not possible (e.g. arranging emergency medical treatment in a remote location).

G. To administer and improve our services

To administer our services, we will share information with others (including to people or organisations that may be based overseas):

  • In order to enable us to process your claim or administer your insurance policy more cost effectively;
  • To understand your risk to offer you our best price based on your personal information;
  • To help develop our products, services and systems to deliver you a better sales and claims experience in the future;
  • To understand how our prospective customers make decisions about which insurance policy is the optimal policy;
  • To remind you about the quotation obtained by us and/or its expiration date;
  • To verify your identity and carry out anti-fraud checks.

We may also process your personal data to better understand you as a customer, including to determine how best to retain your custom, and to ask you to provide feedback on the service we provide to you.

We can use your personal information in this way because it is in our legitimate interests to provide the services in the most efficient way. We will always ensure that we keep the amount of your personal information that we collect and the extent of any processing to the absolute minimum to achieve this efficiency.

SECTION 4: HOW DO WE SHARE YOUR PERSONAL INFORMATION WITH OTHERS AND WHY DO WE DO IT?

We may share your personal information with third parties for the purposes mentioned in Section 3 above.

You should make sure everything you tell us is correct because your records may be checked in the following circumstances:

  • When you apply for insurance or work
  • By police and other law enforcement agencies.

In particular we share information with:

  • Fraud prevention agencies that provide databases and services to prevent or detect fraud.
  • Fraud prevention agencies will process this personal information in order to assist our prevention of fraud and money laundering, and to verify your identity and may also process your personal information in order to prevent fraud and money laundering by other people.
  • If we or a fraud prevention agency determine that you pose a fraud or money laundering risk, we may refuse to provide the services and/or financing you have requested.
    A record of this risk will be retained by the fraud prevention agencies and may result in others refusing to provide services or financing to you. If you have any questions about this, please contact the appropriate fraud prevention agency.
  • Your spouse or partner or any family member who calls us on your behalf, provided they are named on the policy or you gave us your permission to do it. Please tell us who they are when you take out your policy. If you would like someone else to deal with your policy on your behalf on a regular basis, please let us know. In some exceptional cases, we may also deal with other people who call on your behalf, but only with your permission. If at any time you would prefer us to deal only with you, please let us know.
  • Other insurance companies to help settle any insurance claim or to verify that the information you have provided is correct (e.g. we will check the amount of No Claims Discount you have told us about with your previous insurer).
  • Insurance industry bodies such as The Department of Road Transport to meet our obligations under the Road Traffic Act.
  • Insurance industry databases
  • Government bodies
  • We may outsource the processing of certain functions and/or information to third parties that provide services (acting as data processors) and are involved in the fulfilment of our services to you. Other service providers include consultants and advisors, financial institutions and legal consultants

When we share your personal data with third parties, we make sure that they use the same level of protection we use, respect and protect the security of your personal data in accordance with the applicable law (including the GDPR) and apply adequate security measures and safeguards.

SECTION 5: WILL WE SEND YOUR PERSONAL INFORMATION OVERSEAS?

We may send your personal information overseas to any part of the world including to countries located outside of the EEA. We carry out such transfers (i) to a recipient who is in a country which provides an adequate level of protection for personal data or (ii) to a recipient who is in a country which does not provide an adequate level of protection for personal data, under appropriate safeguards pursuant to the provisions of applicable data protection laws (e.g. under an agreement in the form of standard data protection clauses adopted by the European Commission, the form of which is available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en).

In some cases, we might need to share information to carry out the services we have promised to carry out, for example if you require urgent assistance abroad. In such an urgent situation we may not always have the time to put in place the type of agreement we would normally want to. In such (occasional) cases we may carry out such transfers where (a) we have obtained the explicit consent from you in respect of the proposed transfer, provided that you have been informed of the possible risks of such transfer (due to the absence of an adequacy decision and appropriate safeguards); (b) the transfer is necessary for the performance of a contract between you and us; (c) the transfer is necessary for the performance of a contract concluded in the interest of the data subject between us and another person; or (d) the transfer is necessary for the establishment, exercise or defense of legal claims.

SECTION 6: HOW LONG MAY WE KEEP YOUR PERSONAL INFORMATION FOR?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. We will only store data for as long as is required to fulfill that purpose or for the purpose of satisfying legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use and/or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and also the applicable legal requirements.

The retention period enables us to use the data for defending potential legal claims, taking into account the applicable limitation periods under relevant laws, as well as, if applicable, to comply with accounting and tax laws applicable to certain jurisdictions in which we operate.

In some circumstances you can ask us to delete your data. In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

SECTION 7: WHEN CAN YOU ASK US TO STOP USING THE INFORMATION?

If we rely on your consent to collect and process your personal information, you can ask us to stop using your personal information at any time by withdrawing that consent and we will stop using your personal information for those purposes. We may rely on your consent to tell you about products or services which may be of interest to you or to use computers to make decisions about you to improve our services or develop our products (see section 9).

At any time, you can tell us to stop using your personal information to tell you about products or services that may be of interest to you or allowing computers to make decisions about you in order to improve our services or develop our products (see section 9). To find out how to do this, see section 10.

SECTION 8: WHAT HAPPENS IF YOU DON’T GIVE US SOME OF YOUR PERSONAL INFORMATION?

Where you do not provide the personal information we need in order to provide the service you are asking for or to fulfil a legal requirement, we will not be able to provide the service that you are asking us to give you.

We will tell you about why we need the information when we ask for it.

SECTION 9: WHEN DO WE USE COMPUTERS TO MAKE DECISIONS ABOUT YOU?

We will collect information about you and put this into our computer systems. The computer systems will make certain automated decisions about you which will be based on comparing you with other people. This will have an impact in terms of the level of premium or product that we offer to you or the products or services that we decide to tell you about. We may also use automated decision making to conduct an identity verification check.

For example, if you are under 25 years of age, the computer system may determine that you are more likely to have a car accident. This is because the computer system has been told that more people aged under 25 have car accidents. Another example is that, if you are under 25, the computer system may determine that you are going to be interested in a travel policy which covers high risk activity, such as skiing. Therefore, we would proactively seek to tell you about such policies as we would consider them to be of interest to you.

This is important because:

  • In providing insurance services it helps us decide what price you should pay for your policy and understand any risks associated with that policy;
  • In identity verification it helps us to check that you are who you say you are and to prevent others from imitating you;
  • In selling you other products it helps us decide which other products might be useful to you.

We also use computer systems to carry out modelling, sometimes using your personal information and sometimes using data in anonymised form. We conduct this modelling for a variety of reasons, for example, for risk assessment purposes to make decisions about you, such as your likelihood to claim. However, we may also use your personal information in that modelling to make decisions about how we improve and develop our products and services, or our pricing and underwriting, or to better understand how our prospective customers make decisions about which policy is the optimal policy (i.e. we are not making decisions directly about you).

SECTION 10: HOW TO CONTACT US ABOUT THIS PRIVACY NOTICE

Our Data Protection Officer is in charge of answering questions about this privacy notice or your requests to exercise your rights which are set out below. The Data Protection Office may be contacted at GAN DIRECT Insurance Ltd, 220 Arch. Makariou III Avenue, 3030 Limassol, Cyprus or via email on dpo@gandirect.com.

You may contact us at the address or through the email address above for one or more of the following reasons, which are also your rights as a data subject, pursuant to provisions of the GDPR:

  1. To ask us to delete personal information about you (the “Right to be Forgotten”).
  2. To ask us to correct personal data we hold about you that is wrong or incomplete (“Right to Rectification”).
  3. To tell us you no longer agree to, that you object to, or that you wish to restrict us using information about you and ask us to stop (“Right to Object”).
  4. To tell us to stop using your personal information to tell you about products or services that may be of interest to you (direct marketing).
  5. A right of access, namely, to ask us to provide you with a copy of all of the personal information that we have about you (“Right to Access”).
  6. A “data portability” right, namely, to obtain and reuse the information that you have provided to us for your own purposes across different services. You may ask for this information to be provided directly to you or directly to another organisation. We will provide the information in a machine-readable format so that another organisation’s software can understand that information.
  7. To ask us not to use information about you in a way that allows our computer systems to make decisions about you (as explained in section 9) (“Right to Restriction of Processing”).

Sometimes we will not be able to stop using your personal information when you ask us to (e.g. where we need to use it because the law requires us to do so or we need to retain the information for regulatory purposes).

In other cases, if we stop using your personal information, we will not be able to provide services to you, such as administering your insurance policy or servicing your claim.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We will tell you if we are unable to comply with your request, or how your request might impact you, when you contact us.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Complaints

If you have any concerns about the way in which we are using your personal information, please contact our Data Protection Officer in the first instance and we will endeavour to resolve your concern. However, you do also have the right to complain about how we treat your personal information to the Office of the Commissioner of Personal Protection. The Commissioner can be contacted at:
Website or Telephone: +357 22818456 Fax: +357 22304565

Modifications of this Policy

We may revise this policy occasionally by publishing a new version on our website. You may choose to check this page on a regular basis to note any changes to this notice. We might inform you of significant changes to this policy by email or through a private messaging system on our website.

Last Update 10/09/2024.