1. Our commitment
For the MDS Group (hereafter "MDS"), privacy and protection of its clients' personal data and the data of any other data subjects are of key significance.
Therefore, MDS is committed to complying with all applicable legislation on matters of personal data protection, upholding fundamental principles and data subjects' rights. This Privacy Policy complements other contract provisions and information that may be provided by MDS to its clients, as well as other policies and directives that may be created for the purpose of data protection.
MDS recommends that you read this Policy as well as other documents that may be provided or relayed to you on the privacy and protection of your personal data; document updates will be made available on mdsinsure.com.
To get to know the entities operating under the MDS Group, kindly visit https://www.mdsinsure.com/en/mds-group/
2. The MDS position on processing your personal data
The entity responsible and accountable for data processing will be the company, MDS, which provides services and products to you and, as such, decides on the data to gather, processing methods and purposes for your data, in the cases identified by item 4below.
In certain cases, MDS will act as a subcontractor, processing your data on behalf of another entity that shall be the one accountable for data processing, which will happen namely with insurance companies when MDS provides them services connected with the management and execution of an insurance contract to which the data subject is a party (for example, for claims management).
In such cases, we recommend that you read the privacy policy and/or any other information on the processing of your data provided by the entity that is accountable for data processing.
3. Essential Concepts
a) What is personal data?
Personal data is any information of any nature, on any medium, concerning a natural person, identified or identifiable. Identifiable is any person that may be identified, directly or indirectly, and particularly with reference to an identifier, such as a name, an identification number, location data, electronic identifiers, or one or more specific elements of physical, physiological, genetic, mental, economic, cultural or social identity of that person.
b. Who are the data subjects of the personal data processed by MDS?
Data subjects are the natural persons whom the personal data concerns. For example, as the entity responsible for processing, MDS may process personal data whose data subjects are its clients (natural persons) that purchase services and products from MDS; its former clients; and its potential clients. As a subcontractor, MDS may process personal data whose data subjects are policyholders, beneficiaries or insured persons, according to a given insurance contract, or persons named witnesses in the event of a claim.
c. What personal data does MDS process?
MDS only gathers and processes data as necessary to provide quality service to you, in order to provide products and services that best address your needs and perform to the highest standard any service you may have contracted, and to comply with its obligations as a subcontractor.
MDS will also process personal data necessary to fulfilling legal obligations it is subject to, or to pursue its own legitimate interest. As a service provider, MDS processes the following personal data categories:
- Identification data related to the policyholder, persons insured, injured parties and beneficiaries, as applicable (e.g., name, address, place of birth, nationality, citizenship/double citizenship, national identity card number, gender, date of birth, phone number, email address, tax ID number, marital status, occupation);
- Claims records in the life line (e.g., death certificates and records, inheritance claims, medical reports, funeral directors' receipts, accident reports, autopsy reports, drug and alcohol test reports, payment order to be filled by beneficiary, proof of IBAN);
- Claims records in the health line (e.g., insured's medical history, medical reports, support documents for claim regularization);
- Claims records in the workplace accident line (e.g., date insurance was activated and accident description, remuneration, premiums, extras, gratifications, food allowance, support data for claim regularization);
- Claims records in the personal accident line (e.g., accident description, medical information, support documents on the accident, legal beneficiaries);
- Claims records in the auto line (e.g., Auto DAA accident report data, identification of injured third parties, witness identification);
- Claims records in other lines (e.g., accident report data);
- Identification data for the insured object (e.g., vehicle type, aircraft type, vessel type, registration number, brand/make, model, year of manufacture, chassis number, registration date, cylinder capacity, number of seats, engine power, policy number, identification of other insured objects, such as jewellery, artworks, household, household effects or animals);
- Charge/collection data (e.g., NIB/IBAN, Swift code, signature, account holder, address, policy number);
- Health and lifestyle data (e.g., lifestyle information, such as eating habits, sports, alcohol consumption, smoking habits, biometric indicators, clinical history); and
- Records of telephone call data (e.g., records and recordings of telephone call, including voice recordings and telephone number records).
MDS also processes these personal data categories where the data subjects are underage.
MDS only processes the special data categories indicated above, meaning, data pertaining to your health, biometric data or genetic data, as a subcontractor.
4. Reasons to process your data, and when
a) Data processing when MDS is accountable for processing Wherever MDS is accountable for data processing, it only processes personal data in the following situations:
i. To perform the terms of a contract with you or to pursue pre-contract diligence and efforts at your request
To render services and provide products the client may wish to contract, MDS may need to process your personal data. This will occur, for instance, in the following cases:
- Record and proof of commercial transactions and pre-contract information, which includes, among others:
- answers to requests for information originated by clients or potential clients
- requests for estimates so we may quote/propose insurance policies;
- Monitoring contract execution and performance, which includes, among other things, quotes on insurance policies in accordance with the client's interests;
ii. Compliance with legal obligations MDS must adhere to
While conducting its business, MDS is bound by legal and statutory obligations the adherence to which may entail the need to process your personal data:
- For tax withholding purposes, tax payments or reports for tax purposes;
- To comply with legal obligations originated by requests from the authorities (e.g., Insurance and Pension Fund Supervisory Authority, and Courts of Law);
- To comply with procedures on matters of prevention and combat against money laundering and funding for terrorism.
iii. To pursue MDS's own interests
MDS uses your personal data to develop, improve and promote its services and protect its legal rights and interests, including:
- Improvement of service quality, which includes:
- conduction of market surveys;
- analysis of customer service on telephone calls;
- Marketing and communication, which includes:
- sending communications to clients and former clients on MDS products and services;
- analysis and management of requests made over websites and other channels.
- Management of complaints and monitoring of legal proceedings, which includes:
- analysis and monitoring of complaints registered by clients with regard to MDS services;
- analysis and monitoring of contentious cases that MDS is a party to;
iv. To satisfy your own choices
MDS will also process your personal data when you have provided explicit prior consent to that end, and when that consent meets all legal requisites. This will occur in the following cases:
- Commercial prospecting (e.g., communication on MDS products and services to people who are not clients or former clients of MDS),
- Improvements to Service Quality (e.g., when we record telephone calls).
b) Data processing as a subcontractor
When MDS acts as a subcontractor, meaning, on behalf of other entities, specifically insurers, the purpose of personal data processing will be determined by such entities as the ones accountable for the processing. In such cases, MDS will process your personal data only to those purposes and in accordance with the instructions conveyed to it by the entities accountable for data processing.
5. Transfer of personal data and possible recipients for your personal data
For MDS to fulfil all its duties and provide you with the best possible service, you may have to communicate, or give other entities access to your personal data. MDS will only communicate or give access to your personal data to the following entities:
- Service providers that render services to MDS (e.g., services contracted with third parties for the provision of data centre management services);
- To insurance and reinsurance companies with which insurance or reinsurance contracts have been entered into; and
- Public authorities such as the Tax Authority or Courts of Law.
MDS will only communicate personal data indispensable to the provision of contracted services or indispensable to the fulfilment of legal obligations it is subjected to. In some cases, MDS may have to carry out international transfers of your personal data (i.e., to territories outside the European Union).
Should the European Commission declare through an adequacy decision that the country located outside the European Union in question guarantees a level of data protection equivalent to that arising from European Union legislation, the data transfer will have such an adequacy decision for its basis.
You may look up existing adequacy decisions at www.eur-lex.europa.eu.
In cases where data transfers are made to countries or organizations outside the European Union for which there is no adequacy decision by the Committee, MDS will ensure that these data transfers strictly comply with legal statutes and that adequate guarantees be implemented to ensure the protection of your data. 6. For how long is your data processed and kept? MDS will only process your personal data for the ends stated above and only during the time period necessary to fulfil those ends. The following are the periods during which we keep your personal data:
Purpose | Type of Data | Period Kept |
Record and Proof of Commercial Transaction and Pre-Contract Information | Telephone call recording data; identification data for policyholder and insured persons, injured parties and beneficiaries; identification data for insured object. | General: 90 days counting from the date of call recording; When contracts are entered into remotely, the applicable time period is the contract period, and we may add to this period as much time as necessary to fulfil all the obligations arising from the contract. |
Monitoring of contract management and execution | Identification data for policyholder, insured persons and beneficiaries; identification data for insured object. | Contract duration. |
Commercial prospecting | Identification data for data subject, insured persons and beneficiaries; identification data for insured object. | 1 year, counting from the date of contact with data subject. |
Marketing and communication | Identification data for data subject, insured persons and beneficiaries; identification data for insured object. | 1 year after contract expiration or after contact through MDS worksites. |
Management of complaints and monitoring of legal proceedings: | Identification data for the policyholder, insured persons, injured parties and beneficiaries; claim record data in the life line; claim record data in the health line; claim record data in the workplace accident line; claim record data in the personal accident line; claim record data in the auto line; claim record data in other lines; health and lifestyle data. | While legal dispute or claim are ongoing. |
Improvements to service quality | Identification data for policyholder, insured persons and beneficiaries; telephone call recording data. | General: 1 year; If we record telephone calls, the recordings will be kept for a period of 90 days. |
Fulfillment of Legal Obligations | Identification data for policyholder, insured persons and beneficiaries, payment data | 10 years for the fulfilment of tax obligations; 7 years for the fulfilment of obligations on matters of prevention of money laundering and terrorism funding. |
Do not hesitate to contact MDS through the usual channels if you have questions. These are listed on 8.b below.
7. Automated Individual Decisions
MDS does not make automated individual decisions, meaning, decisions made exclusively on the basis of automated processing of your personal data that will have legal effects or will significantly impact you in a similar way.
Should MDS adopt this decision method, your will be informed of the fact, as well as the logic underlying those decisions and the importance and possible consequences to the data subject arising from that treatment.
8. Data subjects' rights
a) What rights do you have with regard to the processing of your personal data?
i. Right of access
Whenever you request it, you will have the right to obtain confirmation on whether your personal data is processed by MDS, as well as information pertaining to that processing (e.g., to what purpose data is processed, who the recipients are, and how long we keep your data). You also have the right to obtain a copy of your personal data that have been the object of processing by MDS.
ii. Right of rectification
Whenever you consider that your personal data is incorrect or incomplete, you may request that it be rectified or completed.
iii. Right of erasure
Under certain circumstances, you may request the erasure of your personal data. In such cases, MDS will erase your data unless the data is necessary to some of the following purposes:
- exerting freedom of speech and information;
- fulfilment of legal obligation, that applies to MDS, demanding processing;
- public interest motives in the public health domain;
- public interest archiving purposes, scientific, historical or statistic research insofar as the exertion of the right of erasure gravely impedes the fulfilment of the objectives of such processing; or
- assertion, exercise or defence of a right in a legal proceeding.
iv. Right to restriction of processing
In certain cases, you may ask MDS to restrict access to personal data or suspend processing activities. This will happen where, for example, you contest the accuracy of your personal data during a period of time allowing MDS to check their accuracy, or where you have opposed processing, until it is verified whether the legitimate interests of MDS prevail over yours.
v. Right to data portability
In the cases provided for by applicable legislation, you have the right to receive your personal data that you have provided to MDS, in a structured, current, automatically-readable format. You also have the right to ask MDS to transfer such data to another processor as long as the transfer is technically possible.
vi. Right to object
You have the right to object to the processing of your personal data at any time, for motives connected with your own circumstances, when such processing is based on the legitimate interests of MDS or when processing is conducted with purposes other than the ones for which the data has been collected but are compatible with the original purposes for data collection.
MDS, in such circumstances, will stop processing your personal data unless it has legitimate motives to conduct processing and such motives prevail over your own interests. You may also object, at any moment, under no obligation to justify your decision, to the processing of your data for the purposes of direct marketing.
vii. Right not to be subject to automated decision making MDS does not undertake automated decision making, including profile definitions, that will have effects in your legal circumstances or affect you significantly in a similar fashion.
viii. Right to withdraw consent
Where data processing is conducted based on your consent, you may withdraw your consent at any time.
Should you withdraw your consent, your personal data will no longer be processed, except where grounds for continued processing exist, such as a contract, or MDS's legitimate processing, that permit continued processing.
ix. Right to lodge a complaint with a supervisory authority
You have the right to lodge complaints with the pertinent supervisory authority on matters connected with the treatment of your personal data.
In Portugal, the pertinent control authority is the Comissão Nacional de Proteção de Dados (National Data Protection Committee). To learn more, please visit www.cnpd.pt.
b) How can you exert your rights?
You can exert your rights over the following channels:
E-mail: You can exert your rights over email by writing to protecaodedados@mdsinsure.com.
Online: You can exert your rights online at mdsinsure.com/pt/politica-de-privacidade
By letter: You can exert your rights by letter address to MDS Corretor de seguros SA, at the following address: Av. da Boavista, 1277/81, Piso 0, 4100-130 Porto, Portugal
Telephone: You can exert your rights over the phone by calling +351226082410. You will not be charged for exerting your rights.
9. Indirect collection of your personal data
It is possible that MDS may have collected your personal data via third parties or other means even if you are not a client of MDS's. This may happen whenever your contact details are supplied by a relative or a third party, when you are beneficiary to an insurance policy, when you are an employee at an MDS client's, or when you are a member of a governing body of a legal person that is a client of MDS's. Whenever MDS collects your data via third parties or other means, MDS will endeavour to provide you with the information pertaining to the processing of your data at the earliest opportunity.
10. Security, technical and organizational measures
To guarantee the security of the personal data made available to MDS, MDS has implemented several security, technical and organizational measures to safeguard personal data against loss, destruction, alteration, publishing or unauthorized access to personal data and against any other form of illicit processing. Where MDS contracts with other entities for the provision of services involving the sharing of personal data, these entities are obligated to implement the necessary technical and organizational measures so as to safeguard personal data against loss, destruction, alteration, publishing or unauthorized access to personal data and against any other form of illicit processing
11. Responsibility over services and websites
We recommend that you read the rules on the use of cookies by MDS websites. You may also read the MDS Cookie Policy here.
MDS websites may contain hyperlinks to third-party websites, products and services. MDS does not have relationships with these third parties, nor are they bound by this Privacy Policy. MDS therefore advises that you inform yourself of the rules established by such third parties on the processing of your personal data by addressing these third parties directly.
12. Stay up to date on the security of your personal data and processing by MDS
The information on this document may have to be changed from time to time. Therefore, we recommend that you visit www.mdsinsure.com/pt/politica-de-privacidade/,where such information will be kept updated at all times so you may stay current on the processing conducted on your data.
Whenever changes occur with regard to the processing of your personal data, MDS will inform you through its website,www.mdsinsure.com/pt/politica-de-privacidade/ or through other habitual channels.
13. More information
You can access information on privacy, security measures and protection of personal data:
Cookie Policy, available at www.mdsinsure.com/pt/politica-de-cookies/