”Compensa Vienna Insurance Group” ADB Privacy policy

ABOUT US

We, Compensa Vienna Insurance Group, ADB (hereinafter – Compensa), are an insurance company registered in Lithuania and having its branches in Latvia and Estonia. In Lithuania and Latvia the company operates under the Compensa Vienna Insurance Group brand, while in Estonia it operates under the Seesam Insurance brand. You can find our requisites on this web-page.

This Policy defines the rules applicable to the collection, use and processing of personal data, as well as the principles of personal data protection that we follow in our insurance activities.

In the event that you submit us not your own, but someone else's personal data, please notify that other person of this Privacy Policy and the content thereof (for example, you are seeking insurance for another person or his / her property, specify another person as the beneficiary).

We have appointed Data protection officer, and in case of any questions or concerns related to your personal data you can easily contact him by e-mail:

DPO@compensa.lt (Lithuania)
DPO@compensa.lv (Latvia)
DPO@seesam.ee (Estonia)

HOW DO WE PROCESS PERSONAL DATA?

We treat respect for the individual’s right to privacy is a core value. We take care of the protection of personal data in accordance with all requirements of the General Data Protection Regulation1 and other legislation governing insurance activities, the processing of personal data and the protection of privacy. These issues are among the most important elements of our business ethics. To ensure privacy in all aspects of our relationship with data subjects (policyholders, insured individuals and entities, beneficiaries, etc.), we regularly review and improve our standards, procedures and systems.

We make every effort to ensure that your personal data are:

being processed lawfully, fairly and in a transparent manner,
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date;
kept in a form which permits your identification for no longer than is necessary for the purposes for which the personal data are processed;
processed in a manner that ensures appropriate security of the personal data.

WHAT PERSONAL DATA DO WE PROCESS?

“Personal data” means any information relating to a natural person who can be identified directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Aiming to conclude and perform insurance contracts properly, we usually collect and process the personal data of the individual (such as name, surname, contact details) and the personal data related to insurance object (e.g. information about property, motor vehicle, etc.). Depending on the situation, we may also process other personal data which are necessary for conclusion and (or) performing the insurance contracts (e.g. individual characteristics data – driving experience, travel destinations and periods, etc.; financial data – bank account number, amount of debt, etc.).

We may also process your personal identification number for identification purposes or for the purpose of obtaining information from the data recipient (e.g. Real Estate Information Database of the State Enterprise Centre of Registers) which is necessary for the conclusion or performance of the insurance contract. The personal identification number cannot be processed for the purposes of direct marketing.

The collection of special categories of personal data (health data, data revealing political views) is only permitted with the explicit consent of the data subject (policyholder, insured person), and provided that such data is necessary for the conclusion and performance of insurance contract, insurance risk assessment, reinsurance. When concluding an insurance contract, we have the right to request provision of data which affects the decision to conclude the insurance contract, or the decision regarding certain terms of insurance contract.

Usually, the health data of the policyholder or insured person is required for the conclusion of insurance contract where the insured risk is related to the health of the policyholder or the insured person (e.g. personal accident insurance, health insurance).

In the event of the occurrence of an insured event, the policyholder, the insured person, the beneficiary and / or the third party victim must provide the insurer with all available documents and information on the circumstances and consequences of the insured event which are necessary in determining the amount of the insurance benefit, including special categories of personal data (data on health status, injuries, causes of death, etc.). We have the right to process this data in order to find out whether the insured event has actually occurred; whether the insured event occurred during the insurance period and what is the amount of damages.

We may collect and further process special categories of personal data not only from the policyholder, the insured person, the beneficiary and / or the third party victim, but also data available to data recipients such as health care institutions, the National Health Insurance Fund under the Ministry of Health or other state or municipal bodies (e.g. police authorities), as well as the data processed in registers, information systems or other data files on the health status of the insured person or the third party victim, treatment services provided, identified illnesses, injuries suffered, disability level and causes of death. Such collection of personal data may be based on the explicit consent of the data subject, except where the data subject is deceased, and if this is necessary to determine the circumstances and consequences of the insured event, the amount of insurance benefit.

For example, interrupted travel due to illness, with the travel insurance available, creates a reasonable basis for us to apply to the general practitioner of the insured person with request to provide information on the insured person in order to find out whether the insured event (illness) occurred during the insurance period and whether it was an unexpected and sudden event. The insured person‘s consent to collect his / her personal data is enclosed to the request submitted to the general practitioner.

When the data subject is presumed to be incapable to reasonably assess his/her interests, and where there is no consent of the data subject, e.g. upon receipt of the information from a foreign healthcare institution about the client in a state of coma, and in case we do not have the contact information of the relatives of this client, we can process the personal data of such data subject in accordance with Article 9(2)(c) of the GDPR.

We do not disclose information on the policyholder, insured person or beneficiary, their health status and other confidential information set forth in the insurance contract, all obtained in carrying out insurance activities, except as provided by law.

This is an illustrative list of personal data processed by Compensa; amount of information about particular natural person depends on his/her individual relationships with us. In all the cases, we do not collect any excessive personal data which are incompatible with data minimization principle.

You can anytime get the information about your personal data being processed by Compensa; for details please see chapter “What are your rights?”.

WHAT ARE THE PURPOSES AND LEGAL BASIS FOR DATA PROCESSING?

We ensure that personal data is processed in a legitimate, fair and transparent manner, and is collected for specified, explicit and lawful purposes. We generally process personal data on the following grounds of lawfulness:

the person has given consent (Article 6(1)(a), Article 9(2)(a) of the GDPR);
processing of data is necessary in order to perform a contract to which the data subject is party, or to take steps at the request of the data subject prior to the conclusion of the contract (Article 6(1)(b), of the GDPR);
the data processing is necessary for us to comply with the legal obligation that applies to us (Article 6(1)(c) of the GDPR);
the data processing is necessary in the pursuit of our or other parties' legitimate interests, except where the interests or fundamental rights and freedoms of the person, which require the protection of personal data, prevail over them, especially when the data subject is a child (Article 6(1)(f) of the GDPR);
processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Article 9(2)(f) of the GDPR).

The specific objectives and justification of their legitimacy are listed below.

Purposes of personal data processing	Legal bases for personal data
Business, identification of people, evaluation of solvency and insurance risk, accounting of insured persons, conclusion and administration of insurance contracts, management of insurance risks, submitting offers for the entry into insurance contract, retention of evidences of the data subject's approach of the insurer for the entry into the insurance contract	- Article 6(1)(a), (b), (c) and (f), Article 9(2)(a) of the GDPR - Other legal acts
Investigation and administration of insured events or events that may be recognized as insured events	- Article 6(1)(b) and (c), Article 9(2)(a) of the GDPR - Other legal acts
Direct marketing	- Article 6(1)(a) and (f) of the GDPR - Other legal acts
Recovery of amounts paid (recourse, subrogation)	- Article 6(1)(c), Article 9(2)(f) of the GDPR - Other legal acts
Debt recovery	- Article 6(1)(f) of the GDPR - Other legal acts
Fraud prevention	- Article 6(1)(b), (c) and (f) of the GDPR - Other legal acts
Processing court cases and other disputes participated by Compensa	- Article 6(1)(a), (c) and (f), Article 9(2)(a) and (f) of the GDPR - Other legal acts
Accounting of bank payments	- Article 6(1)(b), (c) and (f) of the GDPR - Other legal acts
Recording of telephone conversations for the purposes of preserving evidence and ensuring quality	- Article 6(1)(a), (b) and (c) of the GDPR - Other legal acts
Video surveillance to ensure the security of employees, customers and assets	- Article 6(1)(f) of the GDPR - Other legal acts
Implementation of international sanctions	- Article 6(1)(c) of the GDPR - Other legal acts
Data about insurance agents and ancillary insurance intermediaries processed for insurance activities	- Article 6(1)(a), (b) and (c) of the GDPR - Other legal acts
Data about insurance brokers processed for insurance activities	- Article 6(1)(a), (c) and (f) of the GDPR - Other legal acts
Fulfilment and accounting of contracts with providers of goods and services	- Article 6(1)(b) of the GDPR - Other legal acts
Communication with the representative of any interested party and storing data provided by the representative on behalf of any interested party	- Article 6(1)(c) and (f) of the GDPR - Other legal acts
Data about business partners (their employees) processed for business activities	- Article 6(1)(a), (b), (c) and (f) of the GDPR - Other legal acts
Selection of employees and recruitment	- Article 6(1)(a), (b) and (f) of the GDPR - Other legal acts
Management of employment relationship	- Article 6(1)(a), (b), (c) and (f), Article 9(2)(a) and (b) of the GDPR - Other legal acts

HOW DO WE COLLECT AND TRANSFER PERSONAL DATA?

Usually, we collect individual’s personal data from himself/herself. However, sometimes we have to collect personal data from other persons as well – e.g. from state registers, police offices, other state institutions or other persons. In all cases, we do not deliberately collect excessive personal data, which are not necessary aiming to achieve legal purposes of processing such data. Moreover, we inform the individuals about collecting their personal data from other persons, unless they already have this information or there are other legal grounds permitting not to provide such information.

We process your personal data in a secure manner and do not transfer it to any unauthorized persons. In cases specified below, part of the personal data we process may be transferred to other persons. Below is a description of the typical situations in which personal data may be transferred.

A. In certain cases, the transfer of personal data is based on a legal obligation which is incumbent on the insurer:

- to the Motor Insurers‘ Bureau of the Republic of Latvia (Law of the Republic of Latvia on Compulsory Insurance Against Civil Liability in Respect of the Use of Motor Vehicles) (or as appropriate in Lithuania and Estonia);

- to another insurance or reinsurance undertaking, an insurance or reinsurance undertaking of another state of the European Economic Area, or a branch of a third country insurance or reinsurance undertaking established in the Republic of Latvia or another state of the European Economic Area (Law on Insurance and Reinsurance) (or as appropriate in Lithuania and Estonia);

- to auditor;

- to supervisory authorities, pre-trial investigation authorities, prosecutor‘s office, court and the Financial Crime Investigation Service;

- to insolvency administrator, Notary Public and bailiff.

In the cases discussed, the fulfilment of a legal obligation is a condition for the lawfulness of the processing of personal data (Article 6(1)(c) of the GDPR).

B. Compensa may transfer part of its risks arising out of insurance contracts to Latvian (or as appropriate – to Lithuanian, Estonian) or foreign reinsurers in order to reduce losses due to the assumed insurance risk, to use the available capital efficiently or by expanding opportunities for assuming other insurance risks.

These reinsurers are provided with insurance technical data: the number of the insurance contract, the insurance premium, the type of insurance cover, of the risk and of the risk premium, and, in individual cases, with the detailed personal data. Reinsurers can be provided with detailed personal data if reinsurers participate in risk and damage assessment, and the data is required in assessing the risk and damage. Reinsurers are provided with special categories of personal data if such data is required for risk and damage assessment, and with the written consent of the data subject to transfer of such personal data.

C. Compensa, as the data controller, may submit the personal data of the data subject to the third parties, as the data processors, which provide us with services (perform works for us) and process personal data of the data subject on behalf of Compensa as the data controller.

The provision of services (performance of works) does not exempt us from liability arising out of insurance activities and we are responsible for the supervision of the provision of such services (performance of works).

When we engage data processors, we take all necessary measures to ensure that data processors have implemented appropriate organizational and technical security measures and confidentiality.

Data processors are obliged to comply with all personal data processing requirements by contract.

Compensa has the right to obtain from data processors detailed information related to their activities carried out under the contract, as well as set out for them in the contract binding instructions with regard to the activities they carry out.

An illustrative list of data processors includes:

a) Insurance intermediaries (agents, ancillary insurance intermediaries) acting as intermediaries in concluding and administering insurance contracts and in the exchange of information to the extent necessary for the performance of the contracts

b) Insurance claims administration partners (car repair companies, etc.) that process personal data for the purpose of registering and assessing damages, ensuring expert assessment.

c) Information technology companies processing personal data where this is necessary to ensure development, improvement, support and maintenance of information systems.

d) Call center service companies that process personal data to ensure proper telephone customer services.

e) Archiving, postal service providers (providing printing, enveloping services).

f) Companies providing quality research survey services which process on behalf of Compensa personal data required for service quality research.

g) Debt collection companies ensuring debt collection on behalf of Compensa.

h) Asset valuation and inspection companies that process personal data necessary for the qualified asset valuation during the insurance claims process.

i) Assisting partners abroad processing personal data in arranging medical, financial, legal and other assistance, in administering damage suffered, in providing assisting services after damage suffered, or in providing additional service.

D. Insurance contract can be concluded through an ancillary insurance intermediary and insurance intermediary: insurance agent or insurance brokerage company in providing insurance product distribution services.

An ancillary insurance intermediary or insurance agent that carries out activities of insurance product distribution on behalf of Compensa is considered to be data processor.

In carrying out activities of insurance product distribution, an insurance brokerage company operates as an independent data controller and is responsible for ensuring that the processing of personal data complies with legal requirements and guarantees protection of your rights.

E. We generally obtain personal data from the data subjects themselves. However, sometimes we also obtain it from other public authorities or bodies, natural or legal persons: the State Enterprise Centre of Registers, the State Enterprise “Regitra“, the Motor Insurers‘ Bureau of the Republic of Lithuania, the National Health Insurance Fund, the Fire and Rescue Service, healthcare institutions, police and other authorities having the information necessary for the conclusion and performance of insurance contract (as well as from corresponding institutions in Latvia and Estonia).

In concluding the contract for the Compulsory Insurance Against Civil Liability in Respect of the Use of Motor Vehicles, we have access to the data available in the Register of Road Vehicles of the Republic of Latvia (as well as in corresponding institutions in Lithuania and Estonia) which is necessary for insurance risk assessment and conclusion of insurance contract. In case of building insurance, we have the right to obtain data on real estate from the Real Property Cadastre and Register.

In case of an insured event, we may require information from all natural or legal persons which have information about the insured event (e.g. witnesses of the traffic accident, etc.). The most common data controllers providing personal data to insurers include police authorities, healthcare institutions and doctors, nursing care institutions, the National Health Insurance Fund and companies providing security services, other persons who have the information necessary to administer the claim.

In carrying out insurance activities, we may transfer personal data to other third parties or service providers as data controllers, and obtain personal data therefrom for the purpose of concluding and executing insurance contracts, for the purposes of investigating and administering insured events or events that can be recognized as insured events. Such data recipients may include pharmacies, opticians' services, healthcare institutions, experts, jurists, lawyers and law firms, banks, leasing companies, other insurance companies etc. We ensure that any data that we transfer to data recipients and to which we have access is processed only for the purpose of concluding and executing insurance contracts, for the purposes of investigating and administering insured events or events that can be recognized as insured events.

In all the cases, we transmit as little part of personal data to the third parties as it is necessary in order to achieve the legitimate purpose of such data transfer. Moreover, we use only those outsourced partners who guarantee the implementation of appropriate technical and organizational measures in such a manner that processing of your personal data will meet the legal requirements and ensure protection of your rights. We also constantly control our outsourced partners as regard the compliance with data protection requirements.

DIRECT MARKETING

Direct marketing offers may be made during the phone conversation or sent as SMS or by e-mail or other means (e.g. through our self-service system) with your prior consents (except as provided in the Law on Electronic Communications of the Republic of Latvia (or as appropriate in Lithuania and Estonia) and provided that you haven’t expressed your objection to receiving direct marketing offers).

Processing of data of natural persons for the purposes of direct marketing at our company is based on the consent of the data subject. This consent shall be obtained in advance and can not be obtained at the same time through the use of direct marketing tools. Silence, pre-ticked boxes or inactivity do not constitute consent. The consent must be freely given, it must be unambiguous, information-based and specific. Consent can be given in various ways, for example, by ticking the box for consent or objection to receiving direct marketing offers, by clicking on the appropriate icon, expressing verbal consent, etc.

You have the right to withdraw your consent at any time and express objection to processing of your personal data for the purposes of direct marketing. You can do this by calling the number +371 6755 8888 or by sending an e-mail letter to info@compensa.lv (or as appropriate in Lithuania and Estonia). If you withdraw your consent and there is no other legal basis for the processing of data, we shall delete your personal data processed for the purposes of direct marketing. If we receive your objection to processing of your personal data for the purposes of direct marketing, we shall immediately terminate the sending of the offers to you and your personal data shall no longer be processed for the purposes of direct marketing.

With possession of the contact data of our customers, we may use it to market our own similar insurance services, provided that customers are given with a clear, free and easily implemented option to object or to refuse such usage of contact details for the above mentioned purposes, when collecting such data, and if at first the customer did not object to such data usage when sending each message. Offering of our insurance services to natural persons and/or asking for their opinion about the services offered is considered as marketing of our own similar services. Such our processing of customer data for direct marketing purposes is based on our legitimate interests.

We do not process for the purposes of direct marketing special categories of personal data and personal identification number.

Extension of insurance coverage

Good practice of insurance services requires us to make reasonable efforts to ensure ongoing insurance coverage, if it is believed that the person has an interest in insurance coverage. Usually it is assumed that continuation of own insurance coverage constitutes the policyholder‘s interest. In accordance with the principle of good faith, we may notify you on the expiration of the insurance contract entered between us, and at the same time on the expiration of the insurance coverage. In this case, sending a new insurance contract to the policyholder and proposal to enter into negotiations before entering into an insurance contract are considered to be reasonable. In such case, our notification is not considered to be a direct marketing. This principle also applies if the existing contract is renewed, additional benefits are offered under the existing insurance contract, as well if the insurance contract has been transferred to a new policyholder.

PROFILING AND AUTOMATIC DECISION MAKING

Automatic decision making, including profiling, can be applied when purchasing the insurance services, e.g. such as Motor Third Party Liability Insurance, Personal insurance, Travel insurance, via internet or other channels. Automatic decision making, including profiling, is necessary in order to conclude, extend or renew the insurance contract between you and us and to evaluate insurance risk.

In such case the insurance offer is provided automatically, by evaluating your provided information and (or) data about insurance object, based on which you and (or) insurance object may be assigned to a particular risk group, i.e. insurer’s IT systems calculates automatically the insurance price, based on the data, such as: vehicle model, insurance history, age, region or other factors. Automatic decision making may also be performed when evaluating our experience on probability of insured events and potential damage. After evaluating this information and using statistical risk models, insurance risk is estimated and insurance premium is calculated accordingly.

You always have the possibility to apply for the insurance offer through other channels – by phone or by visiting our customer service departments.

After evaluation of insurance risk automatically, according to this assessment the contract may be concluded on conditions other than those indicated in your request, or we may refuse to conclude the insurance contract.

Automatic decision-making, including profiling, can be applied to the data subject when evaluating what marketing information to provide. In this case, automatic decision making shall be based on the data subject's insurance history and other data, the evaluation of which shall aim at providing the data subject with the best suited and most relevant information.

Automatic decision making may be also used to assess whether a person is subject to international sanctions. Automatic decision-making is done by assessing whether the data subject falls within the scope of persons (or is a specific person) subject to international sanctions.

You have the right of access to the personal data which was used for the creation of profile, as well as to get the information about the profile, and the segments and categories to which you have been assigned. In addition to the right of access to your personal data, you may also exercise other rights provided in the GDPR and described below in this Policy.

In the case of automatic decision making and profiling where the processing of personal data is based on Article 6(1)(e) or (f) of GDPR, as well as profiling for direct marketing purposes, you always have the right to object, as it is set in Article 21 of GDPR.

Upon review of automatic decision against you and in the cases referred to in Article 22(2)(a) and (c) of GDPR, you shall have the right to request our human intervention in writing or on arrival to us, to express your position, to receive the explanation of the decision, taken after his assessment, also you shall have the right to challenge this decision.

HOW LONG DO WE STORE PERSONAL DATA?

Your personal data may be stored in different documents or files both in paper and electronic form. Legal acts may provide different terms of their storage. We do not store any personal information longer than it is necessary according to the legal acts or to the purposes of data processing. Usually, the information containing your personal data is being deleted after the term of receipt of possible claims is expired.

Even if you decide to cease our cooperation, we may still store your personal data due to the possibility of prospective claims. Moreover, we shall store your personal data in order to be able to answer your questions or to provide you necessary information about our cooperation. However, we do not use your personal data for any other purposes than you have been informed about.

More exact information on how long we store your personal data may be found in our records of processing activities published in our website.

WHAT ARE YOUR RIGHTS?

You have the rights provided in the GDPR and described below. Please note that some of these rights are not absolute and we shall not necessarily and unconditionally satisfy your request for their implementation.

Your right	Description of the right
Right of access	You may ask for the confirmation as to whether or not your personal data are being processed, and where that is the case, access to your personal data and the information on its processing
Right to rectification	You may ask for rectification of inaccurate personal data, to have incomplete personal data completed
Right to erasure (“right to be forgotten”)	You may ask to erase your personal data without undue delay
Right to restriction of processing	You may ask for restriction of processing your personal data, where one of the following applies: - You contest the accuracy of the personal data – for a period enabling us to verify the accuracy of the personal data; - The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; - Compensa no longer needs your personal data, but you require them for the establishment, exercise or defence of legal claims; - You have objected to processing your personal data pending the verification whether our legitimate grounds override your ones.
Right to data portability	You may ask to receive your personal data in a structured, commonly used and machine-readable format and may transmit (or ask us to transmit) them to another data controller
Right to object	You have the right to object to processing your personal data which is based on Compensa’s legitimate interest; also, to processing the personal data for direct marketing purposes
Right not to be subject to a decision based solely on automated processing	You may ask not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

You may ask for the detailed explanation of your rights at our Data protection officer (see contact details in chapter “About us”) or find their description in GDPR. Intending to implement your rights, please contact our Data protection officer.

We provide the information about processing of your personal data free of charge. If your request is groundless, repetitive or disproportionate, we may charge a reasonable fee based on administrative costs. We may ask you to provide the proves for verification of your identity (e.g. identification document). We also may ask you to clarify your request in order to speed up our response. We reply to your request within 30 days since receipt of your application; this term may be extended if your request is complicated or if you submitted a lot of requests (in such case we will inform you about the delay of the response).

We appreciate for your feedback and kindly ask you to submit your concerns related to protection of your personal data to our Data protection officer (see contact details in chapter “About us”). You may also send your application to our office (requisites may be found on this web-page). Compensa assures that will thoroughly investigate all the incidents of possible non-compliance with this Policy and legal acts and will adopt all the necessary risk remediation measures to ensure the maximum protection of your personal data. If we don’t manage to solve the dispute, you also may submit the official complaint to the supervisory authority:

Lithuania: State Data Protection Inspectorate, L. Sapiegos g. 17, Vilnius;

Latvia: Data State Inspectorate, Blaumana str. 11/13-15, Riga;

Estonia: Estonian Data Protection Inspectorate, Väike-Ameerika 19, Tallinn.

Customer support and purchase of insurance policy

24/7 support phone

8888

By e-mail

info@compensa.lv

Customer service centers

All over Latvia