Mediterranea Underwriting intends to communicate this informative document pursuant to art. 13 and ss. of EU Regulation no. 679/2016 (with regard to the processing of personal data) and subsequent amendments and additions, in order to set out the methods and purposes of the collection, processing and storage of personal data, including information on rights of the concerned party and their relative use.

This information is provided by Mediterranea Underwriting Srl, as data controller, based in Genova – Salita Santa Caterina 4, 16123 Genova.


Pursuant to EU Regulation 679/2016, the collection, processing and storage of personal data will be based on principles of correctness, lawfulness, transparency and protection of the privacy and other rights of the subject involved. Consequently, the provision of data is necessary for the purpose of completing, managing and performing the contract as well as allowing the assessment of the adequacy of the latter in relation to both the insurance needs and the risk concerning the policyholder. Without prejudice to the personal autonomy of the interested party, the provision of data is mandatory in the following cases:

(i) upon entering new contracts or management and performance of existing legal relationships or management and settlement of claims

(ii) according to law, regulation or EU legislation, limited to the personal data requested under the above legislations by the competent Public Authorities.

Data collection can be carried out directly from the interested party or from companies that perform underwriting tasks on our behalf (agents, sub-agents, brokers).

1.1 Consequences of any failure to provide

Failure to provide even just some of the information requested may affect the correspondence of the contract with the customer’s needs as well as the possibility, for the interested party, to enter a contract with Mediterranea Underwriting and to benefit from the offered services.


The processing is carried out by Mediterranea Underwriting as an independent owner for the purpose of managing the insurance business. The same treatment may also take place through third parties (appointed by Mediterranea Underwriting) who operate as independent data controllers or as external data controllers and who are obliged to comply with the legislation on the protection of personal data.

2.1 Treatment of personal data

For the purposes of applying point 1 (i), the processing is necessary for the execution of the contract to which the involved subject is a party, or for the execution of pre-contractual measures adopted at his request. In particular, the treatment allows:

  1. an assessment by the insurers of the eligibility to grant the policy contract;
  2. the fulfilment of the purposes of conclusion, management and execution of the insurance contract and liquidation of claims relating exclusively to the exercise of insurance and re-insurance activities.

In particular, the processing of personal data may be aimed at:

(i) the provision of contractual and insurance services requested and the compliance with the relevant law and administrative and accounting obligations;

(ii) countering and preventing any kind of fraudulent activity;

(iii) the possible exercise of the right of defence before Courts;

(iv) carrying out data analysis activities based on product parameters, policy characteristics and accident rate, and related to statistical and tariff assessments;

(v) fulfilment of specific obligations established by law, by a regulation or by EU legislation (for example, those provided for in the field of “anti-money laundering”, regulations and Measures issued by the Supervisory Authority).

Furthermore, for the purposes referred to in points (ii), (iii) and (iv), the outstanding data may only be disclosed to subjects, public or private, external to our Company, which are involved in the provision of insurance services concerning the interested party.

2.2 Processing methods of personal data

The processing of personal data takes place, under the authority of the Data Controller, by persons specifically appointed, authorized and instructed in accordance with articles 28 and 29 of the Regulation. The processing of personal data is also carried out with the aid of electronic or automated means and includes: operations, collection (registration and organization), re-elaboration (modification, comparison, interconnection), use (consultation, communication), conservation (cancellation / destruction), security / protection (accessibility or confidentiality, integrity and protection) and management / liquidation of claims.

In compliance with the provisions of art. 5 of the Regulation, the personal data involved are:

  1. processed in a lawful, correct and transparent manner towards the interested party;
  2. collected and recorded for specific, explicit and legitimate purposes, and subsequently processed in a manner compatible with those purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, if necessary, updated;
  5. processed in a manner that guarantees an adequate level of security;
  6. stored in a form that allows the identification of the interested party for a period of time no longer than is necessary to achieve the purposes for which they are processed.

Personal data will be processed with suitable methods and procedures and will be accessible and known only to the personnel in charge of the aforementioned evaluation and for the fulfilment of the relevant obligations. These personal data will be accessible only to duly instructed data processors and external collaborators appointed as data processors (where necessary) (see note 1). The electronic storage of personal data takes place through secure servers located in controlled access areas. Specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access. Personal data will be kept in full compliance with the security measures provided for by the legislation on the protection of personal data and will be kept for the duration of the insurance contract and, at its end, for the times provided for by the legislation on the conservation of documents for administrative, accounting, tax, contractual and insurance purposes. They can also be communicated exclusively whenever it is provided for by law or, for the purposes described above, to companies providing information, archiving or other services (of a technical / organizational nature).

2.3 Further processing methods of personal data

It is understood that personal data may be processed by Mediterranea Underwriting even without the consent of the interested party, in order to fulfil legal and / or regulatory obligations, as well as to meet requests from the competent judicial and public security authorities, as well as to assert or defend a right in court. In some cases, the provision is required by law, regulation and EU legislation or on the basis of the provisions issued by public entities (see note 2). Furthermore, whenever the data processing is based on the express consent of the applicant, the latter may revoke the consent without prejudicing the lawfulness of previous treatments which were based on the consent issued before the revocation.

2.4 Retention of personal data

Personal data are kept for the time strictly necessary to achieve the purposes for which they were collected and processed. In particular, such data will be kept for the entire period of validity of the contractual relationship between Mediterranea Underwriting and the contractor or for the time strictly necessary for the execution of the pre-contractual requests of the involved party and in any case as long as the interested party has not exercised his right to object or revoked his consent to the processing and in any case for 10 (ten) years from the last contact with the interested party. However, it is understood that, once the purposes of the processing have been exhausted or in the event of the exercise of the right to object or to revoke the consent given, the personal data will be further stored in order to guarantee the implementation of some other purposes, such as the assertion or the defence of rights before Courts.


The privacy legislation (articles 15-22 of EU Regulation no. 679/2016) guarantees the right to access at any time, by the recipient of the treatment, to the data concerning him, to their correction and / or integration and, if inaccurate or incomplete, to their cancellation or limitation of their treatment. In the event that the conditions are met, this right includes the opposition to their processing for reasons related to the particular situation of the recipient and to the portability of data (if processed in an automated way) for contractual services, within the limits of the provisions of the Regulation (Article 20). In particular, the recipient has the right to:

  • access personal data, obtain information relating to their processing and confirmation of their existence and receive communication in an understandable form;
  • obtain information regarding the origin of the data, the purposes of their use, the related processing methods and the logic applied in the case of electronic processing, as well as the possibility of obtaining attestation that the processing has, where applicable, been brought to the knowledge of third parties;
  • ask to rectify personal data concerning him if they are inaccurate;
  • obtain the cancellation of their personal data in certain circumstances provided for by law;
  • oppose the processing and obtain the limitation of the processing of their data in accordance with the law;
  • obtain the portability of personal data (i.e. receive some personal data in a structured format, commonly used and readable by computer) within the limits of art. 20 of the Regulation (see note 3);
  • revoke the consent given at any time, without affecting the lawfulness of previous processing, which were based on the consent given before the revocation;
  • file a claim with the Guarantor Authority, the Privacy Guarantor, using the methods indicated on the website – – whenever it is deemed necessary for the protection of rights regarding personal data;
  • be informed and obtain corrections, cancellations, additions and updating of personal data, as well as their transformation into anonymous form;
  • obtain, pursuant to art. 5.2 of the Regulations, the identification details of the owner, of the managers and of the designated representative; the rights provided for by the Regulations may be exercised according to the different methods described in point 4.


To know the detailed and constantly updated list of the subjects, to whom the personal data of the involved party may be communicated, pursuant to art. 15 et ss., it is possible to contact the data controller:

Mediterranea Underwriting Srl

Salita Santa Caterina 4, 16123 Genova, Italy

tel +39 39 010 094700



The Data Protection Controller is available to the recipient for any doubt or clarification he may need. For this purpose, the recipient can contact the indicated Mediterranea Underwriting registered office, or the aforementioned address, which can also be asked for the updated list of the categories of the recipients of data.

1. insurance companies, brokers, experts, agents, mediators, lawyers, information services companies and other personnel involved in the management of every phase of activity relating to insurance intermediation and obligations relating to insurance policies. In particular, it should be noted that the data may be disclosed to natural and legal persons operating in Italy and abroad with whom the Data Controller cooperates in the management of the same insurance risk, giving rise to the phenomenon of the so-called “insurance chain”.

2. such as the Judicial Authority or the Supervisory Authorities and / or intended for the fulfilment of specific legal obligations, for example for the provisions of IVASS, Ania, IRS, Privacy Guarantor and / or for the fulfilment of tax ascertainments.

3. this right to “portability” applies only to personal data provided by the interested party and may be subject to some restrictions, as provided for by the applicable legislation on the protection of personal data.