Information about personal data processingInformation about personal data processing
Below you can find all necessary information about the personal data processing in ERGO Poisťovňa, a.s.
Information about personal data processing in conditions of ERGO Poisťovňa, a.s.Information about personal data processing in conditions of ERGO Poisťovňa, a.s.
ERGO Poisťovňa, a.s., Apollo Business Center II. Blok D, Prievozská 4C 821 08 Bratislava, company no. 35 779 012, incorporated in the Commercial Register held at the District Court Bratislava I, section Sa, insert 2332/B, www.ergo.sk, 0850 777 777, +421 2 32 11 20 20, email@example.com (“ERGO”) is, in relation to clients, representatives of clients, prospective clients, representatives of prospective clients, and other persons, in particular the party who pays premiums in the name of the policyholder where the premiums are not paid by the policyholder, persons who report insured events, injured parties, parties at fault (“data subject”), the controller who has determined the purposes and means of processing the personal data of data subjects.
2. Data protection officer
ERGO has designated a data protection officer for data subjects to contact, by email to firstname.lastname@example.org, by telephone at the numbers indicated above, or in person at the registered office of ERGO, with questions concerning the processing of their personal data and the enforcement of their rights in accordance with the General Data Protection Regulation (GDPR).
3. Purposes of personal data processing
ERGO processes the personal data of data subjects in connection with its insurance business and for the purposes of identification of clients and representatives of clients and preserving the possibility of subsequent verification of such identification; concluding insurance contracts; administration of insurance as between the insurer and its clients; claims adjustments and settlements by the insurer; protection and redress of the rights of the insurer as against its clients; documenting the activities of the insurer; supervision of the insurer and its activities; fulfilment of the statutory obligations and duties of the insurer; administration of reinsurance contracts as between the insurer and re-insurer; processing claims under reinsurance contracts; review of payouts made on insurance policies which are reinsured by the reinsurer; examination of healthcare provided as an insurance benefit; exchange of information necessary to verify the accuracy and completeness of data concerning insured events and loss/damage events; prevention and detection of money laundering and terrorism financing; customer care; identification of unusual business transactions; provision of information on financial accounts to the Member State in which an individual is tax resident, to a contracting state in which an individual is tax resident, and to the United States of America with a view to the accurate assessment of taxes; processing complaints; accounting; tax administration; document retention management; other purposes in accordance with specific laws; and for the purposes of the legitimate interests of ERGO (paragraph 6). ERGO processes the personal data of data subjects strictly for privileged purposes (statistics, archiving) which are compatible with the purposes for which the personal data were initially collected. Such further processing is subject to the security measures implemented by the controller that serve as appropriate safeguards for the rights and freedoms of data subjects in connection with the processing of their personal data for a different purpose.
4. Legal basis for processing personal data
The personal data of data subjects must be processed:
- to satisfy the legal obligations of ERGO, in particular as provided by Act No 395/2002 on insurance; Act No 186/2009 on financial intermediation and financial advisory; Act No 18/2018 on personal data protection; Act No 576/2004 on healthcare and healthcare services; Act No 566/1992 on the National Bank of Slovakia; Act No 747/2004 on financial market supervision; Act No 297/2008 on the prevention of money laundering and terrorism financing and amending certain acts; Act No 359/2015 on automatic exchange of information on financial accounts for tax purposes; the Civil Code; the Code of Civil Contentious Procedure; the Criminal Code; the Code of Criminal Procedure; the Commercial Code; the Code of Enforcement Procedure; Act No 431/2002 on accounting; Act No 511/1992 on administration of taxes and fees; Act No 595/1991 on income tax; Act No 395/2002 on data retention; and other specific regulations
- to perform the insurance contract and any steps prior to entering into the contract pursuant to Article 6(1)b) of the GDPR
- to protect the vital interests of the data subject or of another individual pursuant to Article 6(1)d) of the GDPR
- for the purposes of the legitimate interests pursued by ERGO according to Article 6(1)f) of the GDPR
Where ERGO has no other legal basis, the processing of personal data requires the consent of the data subject.
5. Categories of personal data that are processed
The controller processes routine personal data – the identifying data of the data subject including a generic identifier; contact details of the data subject; data and documents establishing the ability of the client to meet the obligations under the insurance contract, the required security for the obligations arising out of the insurance contract; authorisation for representation; satisfaction of the requirements and conditions for concluding an insurance contract; personal data contained in the identity document, including a copy thereof; other data from documents, and the special category of personal data: data pertaining to the health status of the data subject to the extent provided for particularly by specific regulations and the insurance contract or the legitimate interests of ERGO.
6. Legitimate interests of ERGO
Based on the relationship with the person concerned, ERGO defined the justified interests that may be reasonably expected in connection to its entrepreneurial activities and that prevail the interests and basic rights of the person concerned and provide a legal basis for processing personal data beyond the scope specified by law and the contract, involving the protection of rights and legally protected interests of ERGO, in particular the protection of ERGO, its employees and clients, protection of persons, assets, health and know-how of ERGO, protection of financial and other interests of ERGO, physical security, including security of the ERGO headquarters with camera monitoring systems, security of ERGO information systems, prevention of fraud and dishonest business practices, prevention of money laundering and fight against terrorism, keeping a client database, improving the quality of the services provided, brand support, informing clients about developments within the company and sending offers to clients (direct marketing), preventing breaches to personal data security, reporting potential criminal activity or threats to the public security, provided that these do not breach the legal, professional or other confidentiality obligation.
7. Categories of recipients of personal data
ERGO provides the personal data to shareholders; re-insurers; financial agents; the central register of reported insurance incidents; treating physicians and healthcare facilities; forensic experts; and persons that provide roadside assistance, telemarketing, auditing, IT, banking, postal, courier, data and document retention, and receivables management services to ERGO; lawyers; enforcement agents; National Bank of Slovakia conducting supervision of the activities of ERGO; tax office; courts; law enforcement; and other persons and authorities to whom ERGO is required by law to provide information.
The current list of recipients is available on the ERGO website.
8. Transfer of personal data to third countries and international organisations
The personal data of data subjects may be subject to cross-border flow of personal data, strictly to Member States of the European Union and/or the European Economic Area which ensure an adequate level of protection of personal data. Where the data subject is physically or legally incapable of giving consent, personal data are not transferred to third countries or international organisations unless the transfer is necessary to fulfil the insurance contract or to protect the vital interests of the data subject or other persons.
9. Period of time for which personal data will be stored
The personal data of clients and representatives of clients are processed for the term of the insurance contract and for the period of time after the expiration of the insurance contract necessary to enforce the rights of ERGO and to comply with the obligations imposed on ERGO, a period of at least ten years after the contractual relationship with the client has ended. After that period, any unnecessary personal data will be destroyed. The personal data of prospective clients and representatives of prospective clients will be stored for a period of 13 months after they are collected. After that period, any unnecessary personal data will be destroyed.
10. Rights of the data subject
Data subjects have the right:
- to information about the processing of their personal data
- to obtain confirmation whether ERGO is processing personal data concerning them
- to access the personal data collected about them, including a copy of that personal data
- to rectification of personal data and completion of incomplete personal data by means of providing a supplementary statement
- to erasure of personal data (right to be forgotten), except where the personal data are processed, inter alia, to fulfil the legal obligations of ERGO
- to restriction of the processing of personal data where the personal data are inaccurate, where the processing is unlawful, where data is processed for the establishment, exercise or defence of the legal claims of the data subject, where the data subject has objected to the processing pending the verification of the legitimate interests of ERGO
- to the transfer of personal data to another controller
- to object on grounds relating to their specific situation to the processing of personal data for the purposes of direct marketing, on the basis of the legitimate interests of ERGO (paragraph 6), for statistical purposes, for evaluation of the data subject solely on the basis of automated individual decision-making (paragraph 13), and to profiling (paragraph 14)
- to withdraw consent to personal data processing in a manner as easy as it was to give consent. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal
- to protection of the personal data of the data subject
- to lodge a complaint to the supervisory body in the Member State of their habitual residence, place of work or place of the alleged infringement (Office for Personal Data Protection of the Slovak Republic) if the data subject considers that the processing of personal data relating to him or her infringes the GDPR Data subjects or their representatives may exercise their rights with the data protection officer (paragraph 2).
11. Requirements for the processing of personal data
The provision of the personal data of data subjects is a lawful as well as a contractual requirement when concluding an insurance contract and for the performance of the lawful and contractual obligations of ERGO. ERGO and its financial agents must refuse to conclude an insurance contract where the client wishes to remain anonymous. ERGO does not conclude insurance contracts directly with children.
12. Source of personal data that are processed
Personal data that are not obtained directly from the data subject or the representative of the data subject are collected primarily from policyholders with whom the insurance contract is concluded, children’s legal guardians or representatives, and the processors used by ERGO to process on behalf of ERGO the personal data of data subjects, namely the financial agents who concluded the insurance contract; persons who provide services to ERGO in connection with conducting insurance business (roadside service providers, telemarketing companies, banks, post office, couriers, receivables management companies, lawyers, enforcement agents) and/or third parties (doctors, medical facilities, forensic experts).
13. Automated individual decision-making
As strictly necessary to conclude a contract online, ERGO processes personal data to the extent required for a proposal form for an insurance contract on the basis of automated processing of personal data without human intervention, consisting of evaluating the personal aspects relating to an individual which produces legal effects concerning the data subject or similarly significantly affects the data subject (concluding an insurance contract, refusal to conclude an insurance contract), apart from the special category of personal data important to approving an individual for insurance cover or accepting the proposal form for an insurance contract according to the designated criteria of the specific insurance product.
ERGO uses automated processing of personal data of the persons concerned involving the use of this personal data for assessing certain specific aspects relating to a natural person (profiling), primarily analyses or prognoses of the aspects of the relevant natural person regarding their assets, profession, source of income, behaviour of the relevant person while concluding insurance policies and throughout the term of insurance policies for protection against legalisation of proceeds from criminal activities and financing terrorism, protection against fraud and dishonest business practices. ERGO may use profiling, and in particular analyses or prognoses of the aspects of the relevant natural person regarding their assets, health, personal preferences, interests, reliability, conduct, location or movement for direct marketing purposes if necessary or beneficial in connection with the selection of a target group for the relevant marketing activity, in which case only those clients who meet the determined criteria of the marketing activity will be contacted.
15. Breach of personal data
ERGO will notify the data subject without undue delay or otherwise inform the data subject in an effective manner of any personal data breach that is likely to result in a high risk to the rights and freedoms of that individual where ERGO has not or will not adopt and implement adequate security measures to eliminate the likelihood of such risk. ERGO will notify the public or implement a similar measure if notification of the data subject whose personal data are concerned would involve a disproportionate effort.