Principles of Personal Data Processing
ADB Gjensidige Principles of Personal Data Processing
We appreciate your trust in us and your choice of our insurance services. In order to be able to provide you our insurance services as a customer, we need some of your personal data. We process your personal data so that we can advise you as much as possible and offer the best insurance solutions, execute insurance contracts, and comply with legal requirements.
The protection of your personal data is one of our key priorities. Gjensidige ensures the confidentiality of customers’ personal data in accordance with the requirements of the law and, when processing the customers’ personal data, we apply all necessary organizational and technical measures necessary.
These Principles of personal data processing define how we at Gjensidige take care of your and other customers` personal data: what personal data we collect and process, for what purposes we use it, how we ensure their security, and your right to privacy.
Additional information on the processing of customers’ personal data may be found in service contracts and other service-related documents as well as on the website at www.gjensidige.lt.
1. Data Controller – ADB “Gjensidige”, a public limited liability company with headquarters in Lithuania and branches in Latvia and Estonia (hereinafter referred to as “Gjensidige”); registration No.: 110057869.
2. A Customer – a natural person who has entered into an insurance contract with Gjensidige, and who uses, has previously used, or intends to use the services in the future, the beneficiary, the injured third party or other person otherwise related to the services provided by Gjensidige.
3. Personal data – any information that directly or indirectly relates to the customer who can be identified.
4. Personal data processing – any activities performed with personal data (including collection, recording, storage, modification, access, sending up queries, transfers, etc.).
Purposes of personal data processing and categories of personal data
5. We process the personal data only for pre-defined purposes in order to conclude and execute insurance contracts and to perform services and activities related to concluded insurance contracts: to identify you, to obtain information about the insured object, to assess and manage insurance risk, to provide insurance proposal and prepare insurance contract, to assess damages of the insured event and administration of insured events, to administer insurance premium payments and related operations (including, sending invoices and debt collection), to contact you in relation to contract execution or to remind you of expiring insurance contract.
6. We may need personal data for other purposes, for example:
6.1. Direct marketing purposes – to provide you information on offers, promotions and other marketing communication, to ask for the customer`s opinion on quality, to perform market research. Your personal data is processed for direct marketing only if you have provided consent for that or with a legitimate interest of Gjensidige;
6.2. To record telephone conversations in order to maintain evidence on conclusion and execution of insurance contracts, administration of claims, and to perform evaluation of service’s quality. You will be informed at the beginning of the telephone conversation, and, if you do not agree to be recorded, please choose different way to contact Gjensidige (through website, by e-mail or at the office).
7. Your personal data processed by Gjensidige are obtained in the following ways:
7.1. Submitted by you (by filling in and submitting a request form on the website, by calling the contact centre’s phone number, visiting customer service branches, purchasing insurance products through Gjensidige 's insurance agents or other partners);
7.2. Received from third parties and/or publicly available registers or other sources, to the extent provided for by applicable law. Gjensidige may submit enquiries to state registers, institutions, other legal entities (for example, the State Enterprise Centre of Registers, the State Enterprise Regitra) and obtain the personal data and information necessary for the conclusion and execution of an insurance contract;
7.3. In the case that the customer has given consent for the processing of health data, Gjensidige may also submit enquiries and receive personal data and other information (e.g.: information on health condition, medical history, medical advice, diagnosis, treatment, illness or diseases, services rendered and goods sold) from health care institutions, pharmacies, companies providing health services, opticians, and other third parties for the purpose of concluding and executing the insurance contract, and investigating events that may be recognised as insured events;
7.4. In certain cases, your data may be obtained by Gjensidige when you are insured by another person (for example, one customer insures themselves and other travellers with travel insurance). Gjensidige considers that in such cases, the customer, insuring other persons, does so with the knowledge and consent or legitimate interest of such persons.
8. Depending on the insurance products that you have purchased or are asking about, we collect and process various personal data. The main categories of personal data processed by Gjensidige include, but are not limited to:
8.1. Personal data directly related to the person's identity, such as full name, personal identity number (personal code), date of birth;
8.2. Contact details, such as address, e-mail address, telephone number;
8.3. Financial data such as bank account number, payment information, debts;
8.4. Data on other parties to insurance contract: beneficiaries, insured persons, injured third parties;
8.5. Information about the insured object (depending on the type of insurance);
8.6. Details of insurance coverage
8.7. Information about insured event, damages;
8.8. Data on the profession, interests;
8.9. Data relating to the provision of services, such as data on performance or non-performance of contracts, valid or expired insurance contracts, applications and complaints filed;
8.10. Special categories of personal data – health data.
9. Our ability to offer you the best advice and insurance solutions and information related to the services we provide, depends to a big extent on how well we know you and how we process your accurate and correct data. Therefore, it is important that the information you provide to us is accurate and correct and that you inform us of any changes in the data.
10. If you want to conclude an insurance contract with us or receive an insurance benefit, you must provide your personal data for the purpose of concluding and executing a particular insurance contract or for the purpose of administration of a claims case. If you do not provide the personal data that is necessary for the purpose of concluding and executing a specific insurance contract or for administering a claims case, we will not be able to provide you with services.
Legal basis for the processing of personal data
11. In processing of personal data, Gjensidige is guided by the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) and other applicable EU or local legislation.
12. Gjensidige collects and processes your personal data only on legal basis defined:
12.1. the processing is necessary to conclude and/or execute contracts;
12.2. you have given a consent for the processing for one or more specific purposes;
12.3. when processing personal data, Gjensidige is bound by the relevant legislation;
12.4. when the processing is necessary for Gjensidige's or third person's legitimate interest, except where such interests are overridden by your interests or fundamental rights and freedoms. Our legitimate interests are such as, fraud prevention, protecting our interest in the court or the intention to remind the customer of insurance coverage coming to an end.
Profiling and automated decision making
13. Profiling and automated decision making will be done in order to conclude an insurance contract is necessary when obtaining certain categories of insurance products, such as compulsory motor third party liability insurance, personal insurance, or travel insurance at www.gjensidige.lt. In such a case, the insurance offer is provided to you automatically upon assessing the data provided by you and data of the insured object and, accordingly, the person and/or the object of insurance can be assigned to a particular risk group. Automated decision making helps ensure that our proposals are provided quickly, are reasonable, efficient, and fair to the best of our knowledge. You always has the opportunity to apply for an insurance offer by other channels – by tel. 1626 or by visiting the Gjensidige`s office.
14. An automated decision on the insurance benefit may be made on the basis of evidence provided by the customer upon registration of an insurance event on the internet or with our health insurance partners, in order to provide prompt customer service. In this case, if there are no additional questions, the information is automatically assessed as a sufficient basis for payment of the insurance benefit. The customer can always register the insurance event by tel. 1626 or by visiting the Gjensidige`s office.
15. Profiling may be made to offer you specific services and products that best suit your needs, to set the prices for services and other areas where it is based on Gjensidige's legitimate interests, performance of the contract.
16. If you given the consent of direct marketing, we use profiling to provide you general and personal offers of our services. Gjensidige enables customers to choose whether they want to receive direct marketing communications from Gjensidige and manage their choices for direct marketing channels.
Recipients and processors of personal data (third parties)
17. Gjensidige always abides with confidentiality requirements when processing personal data. Your personal data may be disclosed to third parties if necessary for the purpose of concluding the contract and for its execution, for compliance with the relevant legislation or for other legitimate reasons. Information may also be provided to other parties at your request or in accordance with your contractual obligations to other parties such as leasing companies, banks, or other financial institutions.
18. We provide customer personal data to third parties such as:
18.1. When required by law – public authorities and other entities, including, Motor Insurers' Bureau of the Republic of Lithuania, institutions conducting pre-trial investigations, tax administration, supervision of the processing of personal data, financial market supervision, and other institutions in accordance with the applicable legislation;
18.2. If you do not fulfil your obligations to Gjensidige, we may notify you of joint debtor files and/or registers in which information about overdue payments and/or solvency is collected in accordance with the law .
19. We may provide your data to Gjensidige’s data processors who provide services (perform the work) for us and process your data on our behalf. Data processors have the right to process personal data only on the basis of a written agreement between Gjensidige and the processor, according to our instructions, and only to the extent necessary for the proper performance of the obligations set out in the agreement. We take all necessary steps to ensure that our data processors have the appropriate organisational and technical security measures in place and maintain the confidentiality of personal data. Below is a list of data processor categories (non-exhaustive):
19.1. Insurance distributors – who processes data in order to conclude and administer contracts with customers;
19.2. Insurance claims handling partners – who process the data in order to register and assess damage claims, provide you assistance in case of accident and provide expert assessment;
19.3. Information technology companies – who process data necessary to ensure the development, improvement, and maintenance of information systems;
19.4. Call center service companies – who process data necessary to ensure uninterupted customer service;
19.5. Reinsurance companies – who process data to reinsure the insured risks;
19.6. Legal and financial advisers – who process data in order to provide us legal and financial advises;
19.7. Archiving, postal service providers – who process data necessary for storage of data;
19.8. Health care institutions – who process data necessary to ensure settlement of health care services;
19.9. Service quality survey companies – who process data necessary to conduct service quality surveys on our behalf;
19.10. Debt collection companies – who ensure debt collection on our behalf;
19.11. Property valuation companies – who process data in order evaluate property properly during insurance claims handling process.
Transfer of personal data outside EU/EEA
20. Gjensidige will not transfer your personal data outside the EU/EEA, unless you are involved in an event outside the EU/EEA that may be recognised as insured event, and the transfer of the data is necessary for providing assistance to and for administration of the claims case.
21. Customers’ personal data are stored in printed documents and/or in our information systems.
22. We shall retain your personal data for no longer than required for the purpose of data processing or as provided by law. The period of storage of personal data depends on the contracts entered into with the Customers, the legal requirements, or the legitimate interest of Gjensidige. In our practice, personal data are stored for as long as reasonable requirements can arise from contractual relationships. Personal data that are no longer needed are destroyed or depersonalised in such a way that it is not possible to identify the data subject.
23. Even if you wish to terminate the contract and refuse our services, we will have to continue the storage of your personal data for possible future claims until the expiration term of the data storage. Information is also stored so that we can provide you with the necessary information, if necessary, in order to have a proper history of the relationship between the customer and Gjensidige, and answer all questions related to you and our cooperation.
24. Your consent for direct marketing (if you have provided the consent) will be valid for 24 months from the date of providing the consent, or until at least one insurance contract to which you are a party is valid and for 24 months from the expiration thereof (whichever is longer) or until your consent is withdrawn. If the consent for direct marketing is provided on several instances – the most recent consent is valid. You can review , change or withdraw the consent for direct marketing at any time by calling at 1626, at Insurer’s website www.gjensidige.lt or by sending an e-mail to email@example.com.
25. Gjensidige, when processing personal data, follows the principle of data minimization, which means that the data are processed only to the extent and for as long as necessary. We attempt not to keep outdated or unnecessary information and to ensure that personal data and other Customer information is kept up to date and accurate.
Customer rights related to the processing of their personal data
26. As a data subject, you have the following rights:
26.1. Obtain information whether Gjensidige processes your personal data and, if so, to have access to your personal data processed by Gjensidige (where they are collected, for what purposes they are processed, how much time we keep your personal data for, to whom we provide your personal data, etc.). It should be noted that your right of access to the data may be subject to the limitations of the law, the protection of privacy of other persons, and for reasons related to our business and practice. The right of access does not apply to our confidential information, commercial secrets, including, but not limited to, internal assessments and material;
26.2. Request rectification of personal data if it is incorrect, incomplete or inaccurate;
26.3. Require Gjensidige to erase the data related to you (right to be forgotten) if Gjensidige no longer has a legal basis for processing them or other legal grounds;
26.4. To withdraw your consent for processing of personal data if the data are processed on the basis of consent;
26.5. In certain circumstances, to object or restrict the processing of personal data;
26.6. To disagree that a completely automated decision making, including profiling, is applied to you, if the adoption of such a solution has legal effects or a similar significant effect. This right does not apply if such decision making is necessary for the purpose of concluding or executing a contract with the customer, is permitted by law or the customer has expressly consented to this;
26.7. Require to delete personal data if they are processed solely on the basis of consent and if you withdraw the corresponding consent. This right does not apply if the personal data requested to be deleted are also processed on other legal grounds, such as the processing necessary for the performance of the contract, in order to enforce, implement, or defend a legal claim or when the obligations are according to the applicable law;
26.8. To restrict the processing of your personal data in the case of conditions established by law. For example, where the data subject challenges the accuracy of data for a period during which the data controller can verify the accuracy of the personal data;
26.9. To receive your personal data that you provided to Gjensidige, in structured, commonly used and machine-readable format, and, if possible, to transmit such data to another service provider (data portability). The right to data portability is applicable if the data is processed on the basis of the conclusion of a contract or a consent, and the processing is automated;
26.10. You also have the right to object to the use of your personal information for direct marketing purposes, including the profiling associated with this purpose;
26.11. When you believe that your personal data is being processed in violation of legal requirements you can complain to the EU institution according to your place of residence. Information on institution you can find: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
28.1. remember and process goods in the shopping cart;
28.2. understand and save user preferences for later visits;
28.3. collect advertising information; collect shared data about website traffic and website interaction so that we can improve the use of the website in the future and provide useful tools.
29. You can cancel your consent at any time by changing your Internet browser settings and turning off all cookies or turning them off / on one by one. However, please bear in mind that in some cases this may slow down the speed of browsing, restrict the functionality of certain sites or block access to the website. Use the Internet browser Help features to set the required/preferred cookie options. For information on how to do this, see our browser help pages: Mozilla Firefox Google Chrome, Internet Explorer, Safari.
Contact information and explanations on how to file a complaint
30. You have the right to contact Gjensidige in order to submit enquiries regarding the processing of your data, to withdraw the consents given to the processing of data, to submit requests for the exercise of the rights of the data subject, and to lodge a complaint. You can contact Gjensidige on these matters in any of the following ways:
30.1. In Lithuania – Žalgirio str. 90, LT-09303 Vilnius, Republic of Lithuania; Tel. 1626, for calls from abroad +370 5 2721626; e-mail firstname.lastname@example.org;
30.2. In Latvia – Gustava Zemgala gatve 74A, Riga, Latvia, LV-1039, tel.: +371 67112222; e mail: email@example.com;
30.3. In Estonia – Sõpruse pst 145, Tallinn, Estonia, 13417; Tel. (+372) 611 6112; e-mail: firstname.lastname@example.org.
31. Contact email address of Gjensidige's appointed Data Protection Officer: email@example.com.
32. You also have the right to lodge a complaint to supervision authorities which is responsible for the supervision and control of personal data protection legislation:
32.1. In Lithuania – State Data Protection Inspectorate (A. Juozapavičiaus g. 6, 09310 Vilnius, e-mail firstname.lastname@example.org, tel. (+370 5) 271 2804);
32.2. In Latvia – Data State Inspectorate (Blaumaņa str. 11/13-15, Riga, Latvia, LV-1011, e mail: email@example.com, tel.: +371 67223131, website: http://www.dvi.gov.lv);
32.3. In Estonia – Estonian Data Protection Inspectorate; 19 Väike-Ameerika St., 10129 Tallinn; tel: +372) 627 4135; info[a]aki.ee.
Validity and changes to this document
33. Customers can access Principles of personal data processing online at www.gjensidige.lt or in Gjensidige office.
34. Gjensidige is entitled to unilaterally change these Principles of personal data processing at any time and will inform customers about changes by posting on the website at www.gjensidige.lt.