Oney Insurance (PCC) Limited and Oney Life (PCC) Limited (‘We’, ‘Us’, ‘Our’, ‘Company’) strive to protect the privacy and the confidentiality of Personal Data that the Company processes in connection with the services it provides to clients and individuals.
Oney Insurance (PCC) Limited and Oney Life (PCC) Limited are the Data Controllers in respect of the Personal Data as defined by relevant Data Protection Laws and regulations.
As an entity established in Malta, EU, the main Data Protection laws applicable to Us, in so far as You are concerned, are as follows:
- The Maltese Data Protection Act (Chapter 586 of the Laws of Malta) as well as the various subsidiary legislation issued under the same – the ‘DPA’
- The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the ‘GDPR’.
All the above, as may be amended from time to time, referred to together as the ‘Data Protection Laws and Regulations’.
‘Personal Data’ means any information that identifies You as an individual or that relates to an identifiable individual. Whenever it is not possible or feasible for Us to make use of anonymous and/or anonymized data (in a manner that does not identify any User of the Site or customers of Our Services), We are nevertheless committed to always protecting your privacy and the security of Your Personal Data.
Depending on your relationship with us, we may collect, store, and use the following categories of personal information about you (“Personal Data”):
- General identification and contact information such as name; residential address; e-mail and telephone details; identity card number; passport number; nationality, relationship to the policyholder, insured or claimant; date of birth.
- Financial information and account details such as credit/ debit card details, bank account or other financial account numbers, income and other financial information.
- Information enabling us to provide products or services such as location and identification of property insured (for example property’s serial number/ IMEI number); policy and claim numbers; prior accident or loss history; information about your other policies such as claims history, claims data. Family details such as details on your dependents/ spouse/ partner/ family.
- Fraud Prevention information such as checks relating to terrorist activities.
- Locational information such as IP addresses when visiting our website without disabling Cookies including related location data.
- Social media account and information when you use our Social Media Pages such as your social media ID and profile picture.
We may also collect, store and use the following “special categories” of more sensitive personal information such as:
- Health Information such as current or former physical/ mental condition; health status, injury or disability information; medical procedures performed; family or personal history in relation to medical conditions.
- Criminal Data Records such as information about your criminal record or civil litigation history in the process of preventing, detecting and investigating fraud; checks relating to terrorist activities.
We will only use your Personal Data when the law allows us to. Most commonly, we will use your Personal Information in the following circumstances:
1. Where we need to perform the contract which we have entered with you
2. Where we need to comply with a legal obligation; and
3. Where it is necessary for our legitimate interests or those of a third party, provided that such legitimate interests are not overridden by your interests or fundamental rights and freedoms which require the protection of Personal Data.
We may also process your personal data in the following situations, which are likely to be rare:
1. Where we need to protect your vital interests or the vital interests of another person;
2. Where it is required in the public interest or for official purposes.
If you fail to provide certain Personal Data when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations.
Special categories of Personal Data require higher levels of protection. We need to have further justification for collecting, storing and using this type of Personal Data. We may process special categories of Personal Information in the following circumstances:
1. In limited circumstances, with your explicit written consent
2. Where we need to carry out our legal obligations
3. Where it is needed in the public interest
4. Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards
5. Where it is needed in relation to the exercise or defence of legal claims.
Less commonly, we may need to process this type of information where it is needed to protect your vital interests, or the vital interests of other persons and you are not capable of providing consent or where you have already made the information public.
We will not use Personal Data for any other purpose incompatible with the purposes described in this Notice, unless such use is required or authorised by law, authorised by you, or is in your own vital interest (such as in the case of a medical emergency).
We may share your Personal Data within our different departments, our associated companies and our partners. This is generally required for the performance of our contract with you; in order to identify products which may be of interest to you; for pricing and underwriting purposes; for claims management purposes; for marketing and product research and development purposes; and for statistical analysis purposes. We may share your Personal Data to prevent, detect and/or suppress fraud and in order to comply with our legal obligations.
We may also share your Personal Data with third parties, including:
- Insurance intermediaries (such as Insurance Brokers and Insurance Agencies), insurance distributors (such as retail shops and banks), claims handlers (with whom personal data can be exchanged mainly for the purposes of insurance distribution, policy underwriting and administration and claims handling)
- Service providers (such as actuaries, lawyers, archiving companies, debt management companies, repair services providers, IT service providers, Cloud Service Providers, Auditors, Marketing Consultants) – with whom personal data can be exchanged for the purposes of providing ancillary services to the policy management, distribution and claims handling
- Health care providers (such as public or private hospitals, general and specialised medical practitioners), with whom personal data can be exchanged mainly for the purposes of evaluation and management of claims
- Any other third parties legally entitled to communicate personal data to us in relation with the policy management, distribution and claims handling, such as the Insured Parties’ employers, notaries, appointed experts by court or the Policyholder/insured party together with the Commissioner of Police and any kind or any person, body or authority authorised by law to disclose and receive personal data.
In all cases, the sharing of your Personal Data is made subject to appropriate confidentiality safeguards.
Due to the global nature of our business, we may share your Personal Data with third parties established within the European Economic Area, subject to observance with all confidentiality safeguards applicable according to Law.
Many of the categories of Personal Data above are collected directly from You (for example, Your Contact Details). However, WE MAY ALSO COLLECT PERSONAL DATA FROM OTHER SOURCES, including data companies, insurance intermediaries, regulatory authorities, insurance brokers or distributors, third party administrators, publicly accessible databases, joint marketing partners, social media platforms and other third parties. We may also receive Personal Data about You from third parties when We need to confirm Your Contact Details or even certain Financial Information. Should this be the case, We will take all measures as required by law to further inform You about the source of such Personal Data as well as the categories of Personal Data We collect and process. There are certain instances at law where We are specifically forbidden from disclosing to You such activity (for example, when carrying out due diligence for anti-money laundering purposes). Our head office is equipped with CCTV cameras for security purposes.
We will take appropriate measures to protect Personal Data and Sensitive Personal Data that are consistent with applicable privacy and data security laws and regulations, including requiring service providers to use appropriate measures to protect confidentiality and security of Personal Data and Sensitive Personal Data.
The Company has taken appropriate physical, logical, and organisational measures to guard against the loss, improper use, unauthorised access or diffusion, alteration, or possible destruction of Personal Data. However, despite our efforts to protect your Personal Data, we cannot guarantee the infallibility of this protection due to the unavoidable risks that may occur during the transmission of Personal Data.
Since all Personal Data is confidential, access is limited to the Company’s employees and third parties that require it for the execution of their missions. Everyone with access to Personal Data is bound by a confidentiality obligation and is exposed to disciplinary action and/or other sanctions if these obligations are not respected.
We will take reasonable steps to ensure that the Personal Data and Sensitive Personal Data processed by us is reliable for its intended use, and is accurate and complete for carrying out the purposes described in this Notice.
We will retain Your Personal Data only for as long as is necessary (taking into consideration the purpose for which they were originally obtained). The criteria We use to determine what is ‘necessary’ depends on the particular Personal Data in question and the specific relationship We have with You (including its duration).
Our normal practice is to determine whether there is/are any specific EU and/or Maltese law(s) (for example tax or corporate laws) permitting or even obliging Us to keep certain Personal Data for a certain period of time (in which case We will keep the Personal Data for the maximum period indicated by any such law). For example, any data that can be deemed to be ‘accounting records’ must be kept for ten (10) years.
We would also have to determine whether there are any laws and/or contractual provisions that may be invoked against Us by You and/or third parties and if so, what the prescriptive periods for such actions are (this is usually five (5) years in those cases where Our contractual relationship with You terminates or two (2) years in those cases where no such contractual relationship exists). In this case, We will keep any relevant Personal Data that We may need to defend Ourselves against any claim(s), challenge(s) or other such action(s) by You and/or third parties for such time as is necessary.
Where Your Personal Data are no longer required by Us, We will either securely delete or anonymise the Personal Data in question.
Before processing any request you make, we may need to verify Your identity. We will strive to address your requests as promptly as possible. However, as outlined in the Retention Periods section, we may need to retain certain personal data to comply with legal obligations or to finalise any transactions initiated before the requested change or deletion.
Your Legal Rights include the following:
Right of Access
You have the right to request confirmation on whether we are processing Your personal data. If we are, you may request access to the following details:
- The personal data we hold about you
- The reasons we process it
- The parties we share it with
- The duration for which we intend to store it (when possible)
- Whether we transfer your data internationally and the safeguards in place
- Your rights regarding your data
- How you can file a complaint
- The source of Your personal data
- Whether we conduct automated decision-making, including profiling, and any related details
- How you can access your own data
Upon request, we will provide you with a copy of your processed personal data within one month. If necessary, this period may be extended by up to two months, depending on the complexity and volume of requests. Should an extension be required, we will inform you within the initial one-month timeframe, including the reason for the delay.
Right to Rectification
If your personal data is inaccurate or incomplete, you have the right to request corrections or updates. Before making any rectifications, we may need to verify the accuracy of the information provided.
Right to Erasure (Right to be Forgotten)
You have the right to request the deletion of your personal data, and we will comply without unnecessary delay, but only under the following circumstances:
- The personal data is no longer needed for the original purposes it was collected for.
- You have withdrawn your consent (where processing was based on consent) and no other legal basis exists for processing your data.
- You have exercised your right to object (as outlined below), and there are no overriding legitimate grounds for processing.
- Your personal data has been processed unlawfully.
- Deletion is necessary to comply with specific children’s rights regulations.
However, we may not be legally required to fulfill your erasure request if processing your personal data is necessary for:
- Compliance with a legal obligation (including data retention requirements)
- The establishment, exercise, or defence of legal claims.
Other legal grounds may also justify the denial of an erasure request, but the reasons above are the most common.
Right to Restriction of Processing
You have the right to request that we restrict (i.e., store but not further process) your personal data, but only in the following cases:
- You contest the accuracy of your personal data (pending verification)
- Processing is unlawful, but you prefer restriction instead of deletion.
- We no longer need the data for its original purpose, but you require it for legal claims.
- You have objected to processing, and we are verifying whether our legitimate grounds override your objection.
During a restriction period, we will only process your data in the following situations:
- With your consent
- For legal claims
- To protect the rights of another individual or entity
- For important public interest reasons
Right to Data Portability
You may request a copy of the personal data you provided to us in a structured, commonly used, and machine-readable format. Where feasible, you can also request that we transfer this data directly to another data controller, provided this does not infringe on the rights and freedoms of others.
This right applies only when:
- Processing is based on your consent or necessary for contract performance
- Processing is carried out through automated means.
- Personal data is used for direct marketing purposes, including profiling.
Right to Object to Certain Processing
You can object to the processing of your personal data in cases where we process it based on:
a) The public interest
b) Our or a third-party’s legitimate interests.
In such cases, we will cease processing your data unless we demonstrate compelling legitimate grounds that override your rights or if processing is necessary for legal claims.
If you believe your data protection rights have been violated, you can file a complaint with the relevant Data Protection Authority. In Malta, this is the Office of the Information and Data Protection Commissioner (OIDPC). You can contact the Commissioner by following this link: https://idpc.org.mt/file-a-complaint/
While you have the right to escalate issues to the Authority at any time, we encourage you to contact us first so we can try to resolve your concerns.
To ensure the security of your personal data, we may need to verify your identity before processing your requests. This helps prevent unauthorised access or disclosure.
We aim to respond to all valid requests within one month. If your request is particularly complex or if multiple requests are submitted, the response time may extend beyond one month. In such cases, we will keep you informed of any delays.
For any privacy-related inquiries or to exercise your rights, please contact our Data Protection Officer:
The Data Protection Officer
Oney Insurance (PCC) Limited
171, Old Bakery Street, Valletta Malta or
dpo@oney.com.mt