Principles of personal data processing from 01.07.2020
This Policy defines the rules applicable to the collection, use and processing of personal data, as well as the principles of personal data protection that we follow in our insurance activities.
How do we process personal data?
We treat respect for the individual’s right to privacy as a core value. We take care of the protection of personal data in accordance with all requirements of the GDPR and other legislation governing insurance activities, the processing of personal data and the protection of privacy. These issues are among the most important elements of our business ethics. To ensure privacy in all aspects of our relationship with data subjects (policyholders, insured individuals and entities, beneficiaries, etc.), we regularly review and improve our standards, procedures and systems.
We make every effort to ensure that your personal data are:
- being processed lawfully, fairly and in a transparent manner,
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits your identification for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR)
What personal data do we process?
“Personal data” means any information relating to a natural person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Aiming to conclude and perform insurance contracts properly, we usually collect and process the personal data of the individual (such as name, surname, contact details) and the personal data related to insurance object (e.g. information about property, motor vehicle, etc.). Depending on the situation, we may also process other personal data which are necessary for conclusion and (or) performing the insurance contracts (e.g. individual characteristics data – driving experience, travel destinations and periods, etc.; financial data – bank account number, amount of debt, etc.).
We may also process your personal number for identification purposes or for the purpose of obtaining information from the data recipient (e.g. Building Registry of the Ministry of Economic Affairs and Communications) which is necessary for the conclusion or performance of the insurance contract. The personal number cannot be processed for the purposes of direct marketing.
The collection of special categories of personal data (health data, data revealing political views) is only permitted with the explicit consent of the data subject (policyholder, insured person), and provided that such data is necessary for the conclusion and performance of insurance contract, insurance risk assessment, reinsurance. When concluding an insurance contract, we have the right to request provision of data which affect the decision to conclude the insurance contract, or the decision regarding certain terms of insurance contract.
Usually, conclusion of insurance contract requires health data of the policyholder or insured person if an insurance contract where the insured risk is related to the health of the policyholder or the insured person is being concluded (e.g. casualty insurance).
In the event of the occurrence of an insured event, the policyholder, the insured person, the beneficiary and / or the third party victim must provide the insurer with all available documents and information on the circumstances and consequences of the insured event which are necessary in determining the amount of the insurance benefit, including special categories of personal data (data on health status, injuries, causes of death, etc.). We have the right to process this data in order to find out whether the insured event has actually occurred; whether the insured event occurred during the insurance period and what is the amount of damages.
We may collect and further process special categories of personal data not only from the policyholder, the insured person, the beneficiary and / or the third party victim, but also data available to data recipients such as health care institutions, the Health Board under the Ministry of Social Affairs or other state or municipal bodies (e.g. police authorities), as well as the data processed in registers, information systems or other data files on the health status of the insured person or the third party victim, treatment services provided, identified illnesses, injuries suffered, disability level and causes of death. Such collection of personal data may be based on the explicit consent of the data subject, except where the data subject is deceased, and if this is necessary to determine the circumstances and consequences of the insured event, the amount of insurance benefit.
For example, a trip interrupted due to illness, where travel insurance is in place, creates a reasonable basis for us to apply to the general practitioner of the insured person with a request to provide information on the insured person in order to find out whether the insured event (illness) occurred during the insurance period and whether it was an unexpected and sudden event. The insured person's consent to the collection of his / her personal data is enclosed with the request submitted to the general practitioner.
When the data subject is presumed to be incapable of reasonably assessing their interests, and where there is no consent of the data subject, we can process the personal data of such data subject with the consent of the data subject's representative, spouse, cohabiting partner, of either parent (adoptive parent) of the data subject, or of either of his / her adult children to the extent necessary to protect the interests of the data subject. If there are no such persons, the consent to processing of the personal data of the data subject must be obtained from one adult sibling of this data subject, or from one of his / her adult grandchildren, or from one of his / her grandparents to the extent necessary to protect the interests of the data subject.
We do not disclose information on the policyholder, insured person or beneficiary, their health status and other confidential information set forth in the insurance contract, all obtained in carrying out insurance activities, except as provided by law.
This is an illustrative list of personal data processed by Seesam; the amount of information about a particular natural person depends on his/her individual relationship with us. In all cases, we do not collect any excessive personal data, as this would be incompatible with the data minimisation principle.
You can get information about your personal data being processed by Seesam at any time; for details please see chapter “What are your rights?”.
What are the purposes and legal basis for data processing?
We ensure that personal data is processed in a legitimate, fair and transparent manner, and is collected for specified, explicit and lawful purposes. We generally process personal data on the following grounds of lawfulness:
- the person has given consent (Article 6(1)(a), Article 9(2)(a) of the GDPR);
- processing of data is necessary in order to perform a contract to which the data subject is party, or to take steps at the request of the data subject prior to the conclusion of the contract (Article 6(1)(b) of the GDPR);
- the data processing is necessary for us to comply with the legal obligation that applies to us (Article 6(1)(c) of the GDPR);
- the data processing is necessary in the pursuit of our or other parties' legitimate interests, except where the interests or fundamental rights and freedoms of the person, which require the protection of personal data, prevail over them, especially when the data subject is a child (Article 6(1)(f) of the GDPR);
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Article 9(2)(f) of the GDPR).
The specific objectives and justification of their legitimacy are listed below.
| Purposes of personal data processing | Legal bases for personal data processing |
|---|---|
| Conclusion and performance of non-life insurance contracts | Article 6(1)(b), (c) and (f), Article 9(2)(a) of the GDPR |
| Insurance risk assessment | Article 6(1)(b), (c), Article 9(2)(a) of the GDPR |
| Submitting offers for entry into a non-life insurance contract; retention of evidence of the data subject's approach to the insurer for entry into the insurance contract | Article 6(1)(a), (b) and (c), Article 9(2)(a) of the GDPR |
| Investigation and administration of insured events or events that may be recognized as insured events | Article 6(1)(b) and (c), Article 9(2)(a) of the GDPR |
| Direct marketing | Article 6(1)(a) and (f) of the GDPR |
| Profiling and automatic decision making | Article 6(1)(a), (b), (f), Article 9(2)(a) of the GDPR |
| Recovery of amounts paid (recourse, subrogation) | Article 6(1)(c), Article 9(2)(f) of the GDPR |
| | Article 6(1)(f) of the GDPR |
| | Article 6(1)(b), (c) and (f) of the GDPR |
| Registration and investigation of complaints and claims, making, enforcing, or defending legal claims | Article 6(1)(a), (c) and (f), Article 9(2)(a) and (f) of the GDPR |
| Recording of telephone conversations for the purposes of retaining evidence and quality assurance | Article 6(1)(a), (b) and (c) of the GDPR |
| Video surveillance for the purposes of ensuring security of employees, customers and property | Article 6(1)(f) of the GDPR |
| Implementation of international sanctions under the Law of the Republic of Estonia on the Implementation of Economic and Other International Sanctions | Article 6(1)(c) of the GDPR |
| Data sharing within the group of companies for administrative purposes (e.g. where this is necessary when planning and executing reorganisation of undertakings) | Article 6(1)(f) of the GDPR |
Compensa Vienna Insurance Group, ADB Estonian branch (Seesam) may share data when concluding or negotiating a business transaction which includes the sale or transfer of all our business or property. These transactions may include any merger, financing, acquisition or bankruptcy transaction or proceeding.
How do we collect and transfer personal data?
Usually, we collect an individual’s personal data from the individual himself/herself. However, sometimes we have to collect personal data from other persons as well – e.g. from state registers, police offices, other state institutions or other persons. In all cases, we do not deliberately collect excessive personal data that are not necessary to achieve the legal purposes of processing such data. Moreover, we inform individuals about the collection of their personal data from other persons, unless they already have this information or there are other legal grounds permitting us not to provide such information.
We process your personal data in a secure manner and do not transfer it to any unauthorized persons. In cases specified below, part of the personal data we process may be transferred to other persons. Below is a description of the typical situations in which personal data may be transferred.
A. In certain cases, the transfer of personal data is based on a legal obligation which is incumbent on the insurer:
- to the Estonian Motor Insurance Bureau (§ 74 of the Motor Insurance Act of the Republic of Estonia);
- to another insurance or reinsurance undertaking, an insurance or reinsurance undertaking of another state of the European Economic Area, or a branch of a third country insurance or reinsurance undertaking established in the Republic of Estonia or another state of the European Economic Area (Chapter 11 of the Insurance Activities Act);
- to the auditor;
- to supervisory authorities, pre-trial investigation authorities, the prosecutor's office, the court and the Financial Supervision Authority;
- to the insolvency administrator, Notary Public and bailiff.
In the cases discussed, the fulfilment of a legal obligation is a condition for the lawfulness of the processing of personal data (Article 6(1)(c) of the GDPR).
B. Seesam may transfer part of its risks arising out of insurance contracts to Estonian or foreign reinsurers in order to reduce losses due to the assumed insurance risk, to use the available capital efficiently or to expand opportunities for assuming other insurance risks.
These reinsurers are provided with insurance technical data: the number of the insurance contract, the insurance premium, the type of insurance cover, of the risk and of the risk premium, and, in individual cases, with the detailed personal data. Reinsurers can be provided with detailed personal data if reinsurers participate in risk and damage assessment, and the data is required in assessing the risk and damage. Reinsurers are provided with special categories of personal data if such data is required for risk and damage assessment, and with the written consent of the data subject to the transfer of such personal data.
C. Seesam, as the data controller, may submit the personal data of the data subject to the third parties, as the data processors, which provide us with services (perform works for us) and process personal data of the data subject on behalf of Compensa as the data controller.
The provision of services (performance of works) does not exempt us from liability arising out of insurance activities and we are responsible for the supervision of the provision of such services (performance of works).
When we engage data processors, we take all necessary measures to ensure that data controllers have implemented appropriate organizational and technical security measures and confidentiality. Data processors are obliged to comply with all personal data processing requirements by contract.
Seesam has the right to obtain from data controllers detailed information related to their activities carried out under the contract, as well as set out for them in the contract binding instructions with regard to the activities they carry out.
An illustrative list of data processors includes:
- Insurance intermediaries (agents, ancillary insurance intermediaries) acting as intermediaries in concluding and administering insurance contracts and in the exchange of information to the extent necessary for the performance of the contracts.
- Insurance claims administration partners (car repair companies, etc.) that process personal data for the purpose of registering and assessing damages, ensuring expert assessment.
- Information technology companies processing personal data where this is necessary to ensure development, improvement, support and maintenance of information systems.
- Call centre service companies that process personal data to ensure proper telephone customer services.
- Archiving, postal service providers (providing printing, enveloping services).
- Companies providing quality research survey services which process on behalf of Seesam personal data required for service quality research.
- Debt collection companies ensuring debt collection on behalf of Seesam.
- Asset valuation and inspection companies that process personal data necessary for the qualified asset valuation during the insurance claims process.
- Assisting partners abroad processing personal data in arranging medical, financial, legal and other assistance, in administering damage suffered, in providing assisting services after damage suffered, or in providing additional service.
D. Insurance contract can be concluded through an ancillary insurance intermediary and insurance intermediary: insurance agent or insurance brokerage company in providing insurance product distribution services.
An ancillary insurance intermediary or insurance agent that carries out activities of insurance product distribution on behalf of Seesam is considered to be data processor.
In carrying out activities of insurance product distribution, an insurance brokerage company operates as an independent data controller and is responsible for ensuring that the processing of personal data complies with legal requirements and guarantees protection of your rights.
E. We generally obtain personal data from the data subjects themselves. However, sometimes we also obtain it from other public authorities or bodies, natural or legal persons: the Estonian Motor Insurance Bureau, Business Register under the Centre of Registers and Information Systems, Credit Register “Creditinfo”, Estonian Health Insurance Fund, Estonian Rescue Board, healthcare institutions, police and other authorities having the information necessary for the conclusion and performance of insurance contract.
In concluding the contract for the Compulsory and Voluntary Motor Insurance, we have access to the data available in the Register of Estonian Motor Insurance Bureau (RELIKA service) which is necessary for insurance risk assessment and conclusion of insurance contract. In case of building insurance, we have the right to obtain data on real estate from the Regio Geographic Information System.
In case of an insured event, we may require information from all natural or legal persons which have information about the insured event (e.g. witnesses of the traffic accident, etc.). The most common data controllers providing personal data to insurers include police authorities, healthcare institutions and doctors, nursing care institutions, the Estonian Health Insurance Fund and companies providing security services.
In carrying out insurance activities, we may transfer personal data to other third parties or service providers as data controllers, and obtain personal data therefrom for the purpose of concluding and executing insurance contracts, for the purposes of investigating and administering insured events or events that can be recognised as insured events. Such data recipients may include pharmacies, opticians' services, healthcare institutions, experts, jurists, lawyers and law firms, etc. We ensure that any data that we transfer to data recipients and to which we have access is processed only for the purpose of concluding and executing insurance contracts, for the purposes of investigating and administering insured events or events that can be recognised as insured events.
In all cases, we transfer to third parties only as much personal data as is necessary to achieve the legitimate purpose of such data transfer. Moreover, we use only those outsourced partners who guarantee the implementation of appropriate technical and organizational measures in such a manner that processing of your personal data will meet the legal requirements and ensure protection of your rights. We also continuously monitor our outsourced partners' compliance with data protection requirements.
On the basis of the specific consent (except as provided in the Article 69(2) of the Law on Electronic Communications, unless you have expressed your objection to receiving direct marketing offers by e-mail) of the data subject, Compensa Vienna Insurance Group, ADB Estonian branch (Seesam) may contact you further via email and telephone in order to provide information about insurance offers, campaign offers, consumer games, satisfaction surveys, carefully selected offers from Seesam cooperation partners or other marketing communications. In that case your personal data may be processed for you to receive the best possible offers.
Processing of data of natural persons for the purposes of direct marketing at an insurance company is based on the consent of the data subject. Silence, pre-ticked boxes or inactivity do not constitute consent. The consent must be freely given, it must be unambiguous, information-based and specific. Consent can be given in various ways, for example, by ticking the box for consent or objection to receiving direct marketing offers, by clicking on the appropriate icon, expressing verbal consent, etc.
You have the right to withdraw the consent at any time, as well as to refuse the advertisements and offers by letting us know via e-mail email@example.com.
Where we hold the contact data of our customers, we may use it to market our insurance services, and / or ask for your opinion about the services offered. You may at any time object to or refuse such data usage. Such processing of customer data for direct marketing purposes by an insurance company is based on the legitimate interests of the insurer.
We do not process special categories of personal data or personal numbers for the purposes of direct marketing.
Extension of insurance coverage
Good practice of insurance services requires the insurer to make reasonable efforts to ensure ongoing insurance coverage. It is assumed that continuation of the policyholder's own insurance coverage is in the policyholder's interest. In accordance with the principle of good faith, we may notify you of the expiration of the insurance contract entered into between us. In this case, the sending of a new insurance contract by the insurer to the policyholder and a proposal to enter into negotiations before entering into an insurance contract are considered to be reasonable. In such a case, the insurer's notification is not considered to be direct marketing.
How long do we store personal data?
Your personal data may be stored in different documents or files both in paper and electronic form. Legal acts may provide different terms for their storage. Seesam does not store any personal information longer than is necessary according to the legal acts or to the purposes of data processing. Usually, the information containing your personal data is deleted after the period for receiving possible claims has expired.
Even if you decide to cease our cooperation, we may still store your personal data due to the possibility of prospective claims. Moreover, we shall store your personal data in order to be able to answer your questions or to provide you necessary information about our cooperation. However, we do not use your personal data for any other purposes than you have been informed about.
What are your rights?
You have the rights provided in the General Data Protection Regulation and described below. Please note that some of these rights are not absolute and Seesam shall not necessarily and unconditionally satisfy your request for their implementation.
Right of access
You may ask for the confirmation as to whether or not your personal data are being processed, and where that is the case, access to your personal data and the information on its processing.
Right to rectification
You may ask for rectification of inaccurate personal data and to have incomplete personal data completed.
Right to erasure (right to be forgotten)
You may ask to erase your personal data without undue delay.
Right to restriction of processing
You may ask for restriction of processing of your personal data, where one of the following applies:
- You contest the accuracy of the personal data - for a period enabling us to verify the accuracy of the personal data;
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- Seesam no longer needs your personal data, but you require them for the establishment, exercise or defence of legal claims;
- You have objected to processing your personal data pending the verification whether our legitimate grounds override yours.
Right to data portability
You may ask to receive your personal data in a structured, commonly used and machine-readable format and may transmit (or ask us to transmit) them to another data controller.
Right to object
You have the right to object to processing your personal data which is based on Seesam's legitimate interest; also, to processing the personal data for direct marketing purposes.
Right not to be subject to a decision based solely on automated processing
You may ask not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
You may ask our Data protection officer for a detailed explanation of your rights (see contact details in chapter “About us”) or find their description in the General Data Protection Regulation. To exercise your rights, please contact our Data protection officer.
Once per year we provide the information about processing of your personal data free of charge. If you apply more than once per year, or if your request is groundless, repetitive or disproportionate, we may charge a reasonable fee based on administrative costs. We may ask you to provide proof to verify your identity (e.g. an identification document). We may also ask you to clarify your request in order to speed up our response. We reply to your request within 30 days of receipt of your application; this term may be extended if your request is complicated or if you have submitted a lot of requests (in such case we will inform you about the delay of the response).
We appreciate your feedback and kindly ask you to submit your concerns related to protection of your personal data to our Data protection officer (see contact details in chapter “About us”). You may also send your application to our office (requisites may be found on this web-page). Seesam assures that it will thoroughly investigate all incidents of possible non-compliance with this Policy and legal acts and will adopt all the necessary risk remediation measures to ensure the maximum protection of your personal data. If we do not manage to resolve the dispute, you may also submit an official complaint to the supervisory authority:
- Lithuania: State Data Protection Inspectorate, A.Juozapavičiaus g. 6, Vilnius L. Sapiegos g. 17, 10312, Vilnius, email firstname.lastname@example.org;
- Latvia: Data State Inspectorate, Blaumana str. 11/13-15, Riga, email email@example.com;
- Estonia: Estonian Data Protection Inspectorate, Väike-Ameerika 19, Tallinn, email firstname.lastname@example.org.