Data Protection Statement

This Statement sets out how AIB Insurance Brokers Limited (we) meets its obligations regarding data protection and the rights of its customers, prospective customers, beneficiaries under an insurance policy, their family members, claimants and other parties involved in a claim during the insurance lifecycle (data subjects) in respect of their personal data under the Data Protection Act and the General Data Protection Regulation (the Regulation).

The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. For the purposes of this statement, any reference to ‘personal data’ includes a reference to ‘sensitive personal data’, as applicable, where ‘sensitive personal data’ means ‘personal data that incorporates such categories of data as are listed in the GDPR’.

The Data Protection Principles

We comply with the Regulation which sets out the following principles with which any party handling personal data must comply. All personal data must be:

1. processed lawfully, fairly, and in a transparent manner in relation to the data subject;
2. collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific, regulatory or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific, regulatory or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject;
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

How we will collect information

We will only collect and process personal data for and to the extent necessary for the specific purpose(s) of which we inform the data subjects.

The information obtained about data subjects will be that which is supplied by the data subjects themselves and their agents and representatives, as well as information: received from insurers and their agents; generally available such as online and from third party data processors; and searches that we undertake in relation to sanctions, money laundering, and credit checks. Personal data may also be obtained from other sources including but not limited to insurance companies’ systems, the Electoral Register, and the Transport Malta system.

We may also collect sensitive personal data about data subjects such as criminal convictions or health information.

How we will use the information

The personal information collected will be used to enable us to fulfil our role in relation to the provision of insurance cover and the provision of any ancillary risk management services. This will be by:

1. assessing the proposer circumstances and insurance needs;
2. presenting such details to insurers for the purpose of obtaining quotations and placing cover;
3. processing claims;
4. undertaking checks to guard against fraud, money laundering, bribery and other illegal activities;
5. handling complaints; and analysing data, identifying trends, and developing our business services.
6. To ensure that our processing of your data is lawful, such processing will only be undertaken if;
7. you have given your consent; or
8. it is necessary for the performance of a contract to which you are, or will be, a party; or
9. processing is necessary for compliance with a legal obligation to which we are subject; or
10. processing is necessary to protect the vital interests of data subjects; or
11. to perform a task carried out in the public interest or in the exercise
    of official authority vested in us; or
12. processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the fundamental rights of data subjects and freedoms which require protection of personal data, in particular where the data subject is a child.

Disclosure of your personal information

We may share relevant information with third parties including insurers; loss adjusters and loss assessors; professional advisors; other insurance brokers; agents and service providers/processors.

Information may also be supplied to our internal auditors and regulatory bodies if required by them and to other parties if required or permitted by law.

It is our policy to retain documents and information, including insurances effected, in electronic or paper format for a minimum of ten years or such longer period as appropriate having regard to when a claim or complaint may arise in connection with our processing of the information provided.

The legal basis for this processing is that it is necessary for the protection of our legitimate interests. After ten years, these may be destroyed without notice to the data subjects.

Data Subject’s rights

All data subjects have the right to;

1. information about how their data is processed,
2. access the data we hold about them which will be provided to them within one month of making the request, and is free of charge unless we reasonably believe that the request made is manifestly unfounded or excessive,
3. have incomplete or inaccurate data rectified,
4. restrict our processing of the data subject’s personal data (although we will still be permitted to store it),
5. data portability. We are obliged to provide the data subject’s data in a format that allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability),

Data subjects who may wish to exercise the above rights may do so by writing to us. Should any data subject wish to make a complaint about how we use their Personal Data our Data Protection Officer may be contacted at the following address:

The Data Protection Officer
AIB Insurance Brokers Limited
501, Triq il-Kbira San Ġużepp,
Santa Venera, SVR1016

If a data subject considers that the processing of any personal data by us is not in compliance with the provisions of the GDPR, a complaint may be lodged with the Office of the Information and Data Protection Commissioner. Floor 2, Airways House, Triq Il–Kbira, Sliema SLM 1549.