Obligations of the Processor
European Reliance General Insurance Co. S.A. (hereinafter "the Company"), within the framework of its operations and the fulfillment of its purposes, cooperates with third-party service providers. These providers (natural persons and legal entities) may process Personal Data / Special Categories of Personal Data of natural persons that the Company transfers to them in any manner, in order to perform the obligations they have undertaken and the tasks assigned to them. They therefore act as Processors for the Company and, in this capacity, must meet, in accordance with Article 28 of the aforementioned EU Regulation 2016/679, all obligations for the protection of natural persons with regard to the processing of personal data, including the following:
a) implement all required technical and organizational measures, in accordance with Article 32 of EU Regulation 2016/679, for the security of personal data and their protection against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access and any other unlawful form of processing, applying advanced security technologies;
b) process the personal data of natural persons that transact with the Company in any way only on the documented instructions of the Company, including, among other matters, instructions regarding the transfer of personal data to third parties, third countries or international organizations;
c) ensure that the persons they authorize to carry out the processing (employees, insurance agents, subcontractors, etc.) have received the Non-Disclosure Agreement in writing or are bound by a regulatory obligation of confidentiality. The Processors further undertake to ensure that their personnel and all of their associates have received appropriate training in the protection and administration of personal data. In the event of a personal data breach by any of the persons mentioned in this paragraph, the Processor is the party liable towards the Company;
d) assist the Company in meeting its obligation to respond to requests for the exercise of the data subject's rights under EU Regulation 2016/679. More specifically, where a natural person submits a request concerning access, erasure, rectification, restriction of processing, data portability, the right to be informed or the right to object, the Processors must inform the Company within three (3) working days, so that the Company can fulfill its obligations within the deadlines set by the Regulation;
e) assist the Company in ensuring compliance with the obligations arising from Articles 32 and 36 of EU Regulation 2016/679, taking into account the nature of the processing and the information available to them;
f) at the Company's decision, erase or return the personal data to the Company after completion of the assigned project, and erase every relevant copy;
g) keep at the Company's disposal all information necessary to demonstrate their compliance with the obligations of this article, and allow for and facilitate audits, including audits conducted by the Company or by another auditor appointed by the Company. The Company will perform the audit after notifying the Processor, within forty-eight (48) hours before the upcoming audit;
h) in planning, developing and carrying out the objectives described in this document, take all necessary measures to comply with the obligations of Article 25 of EU Regulation 2016/679 on data protection by design and by default;
i) if the Processors have indications, are aware, or have legitimate reason to believe that accidental, unauthorized or unlawful destruction, loss, alteration, disclosure of or access to personal data has taken place or might take place, inform the Company without undue delay and in any case within twenty-four (24) hours of becoming aware of it. The Company's contact point is the Information Security Officer and/or the Data Protection Officer.
This notification shall include at least the following: (i) a detailed description of the data security breach concerned, (ii) the category of data affected by the breach, (iii) the identity of every affected person (or, where this cannot be determined exactly, the approximate number of affected data subjects and files), (iv) a description of the possible consequences, (v) a description of the handling measures proposed or ultimately implemented by the Processor, including appropriate measures to mitigate potential adverse consequences, and (vi) continued updates to the Company for the subsequent period, together with any relevant information the Company may reasonably request, as soon as it is received or becomes available.
If, through the negligence or fault of the Processors or of their associates, employees, etc., information is disclosed or leaked to third parties, or if the terms of this engagement and/or the obligations imposed on the Processors by the national and European legal framework for personal data protection are violated in any manner, and the Company is consequently required to pay a fine to the Personal Data Protection Authority or compensation to third parties presenting themselves as affected persons, the Company reserves the right to claim from the Processors the payment of any amount due.