Understanding personal data processing in insurance

1.

Data controller and contact details

2.

How do we obtain your personal data?

We obtain personal data directly from you.

In the provision of our services, we may also use personal and other data obtained from the following sources, in accordance with the applicable regulations:

• Databases of state authorities;

• Databases of healthcare providers and related service providers and the Health Insurance Institute;

• Databases of the Pension and Disability Insurance Institute and the ministry responsible for social affairs;

• Databases of the ministry responsible for transport, the ministry responsible for internal affairs and organisations performing vehicle type-approval and registration;

• Databases of individual insurance companies and the Slovenian Insurance Association during the resolution of disputed insurance claims,

• State authorities, self-governing local community authorities, public agencies, public funds and other public law entities, as well as bodies who exercise public authority and providers of public services, based on a written request and in connection with the personal data filing systems they manage;

• Other persons with knowledge of an insurance event (e.g. persons causing the damage, person suffering the loss, witnesses);

• Information systems of the Slovenian Insurance Association – more information is available at https://www.zav-zdruzenje.si/pravila-o-zasebnosti/,

• Publicly available data and/or databases based on publicly available data,

• Other persons based on your consent.

2.1

Categories of personal data

In the databases that the insurance company establishes, manages and maintains in accordance with the regulations governing the protection of personal data and insurance, it collects, stores, transmits and uses (hereinafter: processes) the following personal data of individuals:

• Data specified in the insurance contract (i.e. the insurance proposal or the application form with supplements and declarations, the insurance policy, special written statements), in the annexes and supplements to the insurance contract, including questionnaires;

• Data related to insurance claims, and data for the assessment of insurance coverage and the amount of compensation or insurance benefit, as well as for the conduct of recourse proceedings;

• Data obtained by the insurance company during other communications with the policyholder, the insured person or third parties (e.g. during prize draws, events organised by the insurance company, registration for and use of the insurance company's mobile applications, use of the insurance company's web applications, etc.);

• Data concerning consents given and data transmitted by an affiliated company within the Triglav Group on the basis of your consent.

Special categories of personal data

To fulfil the legally defined purposes of the Insurance Act, we also process your health data, which falls under special categories. This includes information about your prior injuries, health status, the nature of any bodily harm, the duration of treatment and its consequences for both the insured and any injured third party, as well as the costs of medical care, medications and medical devices for both parties. We obtain this information directly from you through a health questionnaire. However, we may also collect it from your doctor, other healthcare providers or other individuals where provided by regulations.

Furthermore, Zavarovalnica Triglav processes special categories of your data under its legitimate interest when you or your authorised representatives disclose personal circumstances that impede your ability to settle a subrogation claim. In these instances, we will request supplementary evidence from you or your representative to verify these circumstances, which may encompass details regarding your financial, social or health status. Upon reviewing the submitted documentation, we, as the creditor, will then assess the validity of your request and appropriately consider grounds for reducing, waiving or easing the payment of the subrogation claim.

Moreover, in accordance with the Prevention of Money Laundering and Terrorist Financing Act we are obligated to verify the potential political exposure of our clients.

3.

Purposes of the processing of personal data

We process your personal data in accordance with the General Data Protection Regulation, the Insurance Act, the Compulsory Motor Third-Party Liability Act, the Personal Data Protection Act and other regulations governing the scope and purposes of personal data processing that we, as the controller, are authorised to carry out.

3.2

Legitimate interests

Where necessary, we process your personal data on the basis of legitimate interests, which include:

• Improving, developing and upgrading the insurance company's services, systems and products for simple, efficient and secure operations;

• For the technical maintenance of our websites and services in order to ensure the security of the websites and related services and to prevent misuse;

• Managing client relationships and monitoring client satisfaction (providing applications with information relating to concluded contracts and for the purposes of providing additional discounts and benefits (i.triglav, Triglav Komplet), surveys, issuing vouchers for the payment of premiums, rewarding customer loyalty with promotional gifts, implementing loyalty programmes, etc.);

• Including marketing content in business communication;

• Preparing for sales conversations and reviewing previously concluded insurance policies;

• Contacting clients regarding the renewal or continuation of insurance;

• Identifying the needs and requirements of potential and existing insurance company clients, including offering new insurance products with new coverage when such needs and requirements of the clients are identified during the sales conversation;

• Sending offers to all clients (customers) or potential clients without prior profiling, and sending offers with prior profiling when we use a narrow range of personal data that is not a special category of personal data (e.g. personal name, permanent or temporary address, phone number, email address and fax number, age, gender, types of insurance contracts concluded, contract expiry date, etc.). It is in the legitimate interest of Zavarovalnica Triglav to offer you, as our client, our insurance products and other services within our registered activity that are comparable to your previous purchases. We may also use your email address as an identifier when advertising on social media. You have the right to object to the processing of data for direct marketing purposes;

• Sending push notifications in the iTriglav and DRAJV mobile applications;

• Ensuring the accuracy and updating of personal data on policyholders, insured persons and other beneficiaries of compensation or insurance payments;

• Ensuring the operation of information systems, network and information security (preventing events, illegal or malicious acts that threaten the availability, authenticity, integrity and confidentiality of stored or transmitted personal data and the security of related IT services), preventing unauthorised access to the insurance company's information systems and responding to computer security threats and incidents;

• For the purpose of protecting and securing the property and employees of the insurance company from threats and violence and in similar cases where, without the processing of personal data of individuals, it would not be possible to protect and assert its own legitimate interests and rights enjoyed in accordance with legislation, including the implementation of video surveillance of entrances to business premises in order to clarify the circumstances of criminal offences against employees and the property of the insurance company, and monitoring access to the insurance company's business premises in order to prevent access by unauthorised persons to the business premises and to ensure compliance with internal regulation in the insurance company's business premises;

• For the purposes of concluding, processing and exchanging personal data relating to reinsurance;

• For the purpose of efficient management of the claims process, automatic license plate recognition is carried out in the motor vehicle damage assessment area;

• For the purpose of conducting an effective motor vehicle damage assessment, fixed photography using a scanner is carried out on the assessment lane;
  

• For the performance of actuarial calculations and accounting and control of the payment of commissions to insurance agents;

• For investigating suspected insurance fraud;

• For the purpose of handling requests from subrogation debtors and individuals with an interest in settling the subrogation claim who are authorised to represent the subrogation debtor, regarding the consideration of personal circumstances related to the payment of subrogation claims;

• Recording telephone calls to the Assistance Centre telephone number in order to protect the interests of the insurance company and callers in the event of clarifying the appropriateness of the explanations given or the appropriateness of the provision of assistance services;

• Conducting fit and proper assessment of key function holders and business functions in Zavarovalnica Triglav, d.d.;

• For internal administrative purposes within the Triglav Group or related companies;

• For the purposes of internal analyses and monitoring of strategic objectives within the Triglav Group.

3.3

Performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller

Where processing is necessary for compliance with our legal obligations carried out in the public interest: 

• Preventing money laundering and terrorist financing;

• Fulfilling tax obligations;

• External audits of operations in accordance with regulations in the field of insurance, commercial companies and auditing;

• Implementing sanctions measures in accordance with domestic and international regulations;

• Fulfilling obligations in relation to the insurance company's supervisory authorities, which supervise the operation of the insurance market, consumer protection, fulfilling tax obligations, preventing money laundering, processing personal data and fulfilling other obligations (e.g. the Insurance Supervision Agency, the Financial Administration of the Republic of Slovenia, the Market Inspectorate of the Republic of Slovenia, the Information Commissioner of the Republic of Slovenia, the Agency for Communication Networks and Services);

• In other cases, in accordance with regulations.

3.4

Consent

We may process your personal data for certain purposes of use only on the basis of your consent (e.g. for segmented (direct) marketing, including profiling, which we carry out for marketing our own products and services and for marketing the products and services of companies within the Triglav Group, and/or for the transfer of your personal data to companies within the Triglav Group with a registered office in the Republic of Slovenia, engaged in insurance and/or financial services (this includes Zavarovalnica Triglav, d.d., Triglav, pokojninska družba, d.d., Triglav Investments, upravljanje premoženja, d.o.o. – for a complete list of companies please visit the Triglav Group website, www.triglav.eu) for the purpose of preparing personalised offers of their own products and services). Consent for direct marketing also includes the use of your data for advertising on social media.

If you give us your consent for segmented (direct) marketing, including profiling, we may process the following personal data: your full name, address, tax number, date of birth, email address, phone number and mobile phone number, if you provide them to us. In accordance with the Insurance Act, we may also process your gender for marketing purposes.

Additionally, for marketing purposes based on your consent, we may also process data regarding your age and/or the extent of your insurance coverage and/or the duration of your insurance in order to ensure that, in accordance with the requirements of the Insurance Act relating to the distribution of insurance products, we properly consider the needs and requirements of our clients in relation to the type of insurance product we are marketing.

If you consent to the transfer of your data to companies within the Triglav Group based in the Republic of Slovenia engaged in insurance and/or financial services, we will transfer the following personal data: full name, address, tax number, date of birth, email address, phone number, mobile phone number and additionally your gender.

In the case of a telephone call recording, we will explicitly inform you of the recording before the conversation starts. The recording will be stored to serve as evidence of your consent.

You always have the right to object to the processing of your personal data for direct marketing purposes.

You may withdraw your consent at any time, either partially or fully.
Your withdrawal is effective from the time it is made and does not affect processing carried out before your withdrawal.

4.

Recipients and categories of recipients of personal data and processors of personal data

Only employees responsible for fulfilling our contractual and legal obligations have access to your personal data within the insurance company.

In accordance with data protection legislation, recipients of personal data include the Slovenian Insurance Association and other insurance companies, to the extent and for the purposes defined by law. Other categories of recipients are listed on the List of categories of recipients of personal data published on our website.

Your personal data may also be processed by our contractual data processors, whose contractual obligations regarding data protection we rigorously oversee. These include (for example) insurance agents and brokers in various organisational forms, marketing service providers, printers, IT service providers as well as banks and leasing companies with whom you have a credit or other contractual relationship. A list of categories of data processors is available here.

4.1

Other persons who may have access to your personal data

In order to fulfil our legal obligations, your personal data may also be accessed by supervisory authorities (see point 3.3) and other persons where you have given your consent or where they have a legal basis for accessing the data and/or demonstrate a legitimate interest. You can view a list of these persons on the insurance company's website (point 4).

5.

How long will we keep your personal data?

We will retain your personal data related to your insurance for the following periods:

• 10 years after the termination of the insurance contract;

• In the event of an insurance incident, 10 years after the end of the insurance claim processing;

• In the event of legal proceedings to recover unpaid obligations arising from insurance contracts, 10 years after the conclusion of the legal proceedings;

• Data relating to the insurance incident and for assessing insurance cover and the amount of compensation or insurance payment is stored for 10 years after the end of the insurance claim processing. If the policyholder or injured party submits, or it is reasonably expected that they will submit, a new claim for the exercise of rights arising from the insurance incident after this period, the retention period is extended as necessary so that the data is kept for 5 years after the end of the processing of the new claim or until the possibility of submitting a new justified claim expires;

• In the event of the processing of your data in procedures for the prevention of money laundering and terrorist financing, the implementation of restrictive measures and other activities on the basis of special legal obligations of the insurance company, until the expiry of the special legal deadlines for their retention.

6.

Will my personal data be transferred to third countries?

Transfer of data to third countries or outside the European Union is possible if carried out in accordance with the conditions laid down by the General Data Protection Regulation. Such transfers may occur pursuant to the Compulsory Motor Third-Party Liability Insurance Act, which transposes into Slovenian law Codified Directive 2009/103/EC on motor insurance, which lays down the obligations of insurance companies with regard to the implementation of motor insurance and the handling of claims under the green card system. In these procedures, data is sent by registered mail or by email, secured with TLS/SSL encryption.

Certain personal data may also be transferred, within the scope of collaborations with social media providers and analytics tools (e.g. Microsoft, Google, Meta), to countries that are not members of the EU or the European Economic Area. These relationships are governed by Standard Contractual Clauses (model contracts adopted by the European Commission) and/or the Data Privacy Framework (DPF) agreement between the EU and the USA.

7.

Do I have any obligation regarding the provision of personal data?

You are required to provide us with the data we need to enter into, execute and fulfil our contractual obligations, as well as the data that the insurance company must collect in accordance with prescribed legal obligations (e.g. in accordance with insurance, tax, and anti-money laundering regulations). Without your data, we cannot enter into a contract with you, nor can we execute or fulfil it if you have already entered into one.

We would particularly like to draw your attention to the fact that, in relation to insurance products where there is a risk of money laundering and terrorist financing, we are obliged under the Prevention of Money Laundering and Terrorist Financing Act to establish the identity of the client (and any person acting on behalf of the client) based on your personal identification document, and to obtain personal data (full name, permanent and temporary residential address, date and place of birth, tax number or Slovenian personal identification number - EMŠO, citizenship, and the number, type, and name of the issuing authority of the official personal identification document), data on the beneficial owner of the client, obtain data on the purpose and intended nature of the business relationship or transaction, regularly and diligently monitor the business activities carried out by the client with the insurance company, and verify and update the obtained documents and information about them. In order for us to fulfil these obligations, you are required to provide us with the data and information stipulated by the aforementioned regulations. We process the information about the expiry of your official personal identification document based on a legitimate interest arising from the limited period of validity of official personal identification documents, and in accordance with the requirements of the law, which stipulates that an official personal identification document can only be a valid document issued by the competent state authority of the Republic of Slovenia or another country and which is considered a public document under the law of the issuing country. In addition, we would also like to inform you that, in addition to the legally required data, and only based on your consent for the purpose of sending notifications regarding concluded insurance policies, we may also process your email address, whereby you can withdraw this method of business communication at any time by contacting us at: Zavarovalnica Triglav, d.d., Miklošičeva cesta 19, 1000 Ljubljana, or by email at info@triglav.si, or by submitting a change of your email address on the prescribed form. If you fail to fulfil your obligations and do not provide us with all the legally required data, we are not permitted to conclude an insurance policy with you or we must terminate any existing policy. 

If you or a person you authorise to represent you informs us of circumstances related to a subrogation claim that make it difficult for you to pay, we will ask you to submit evidence demonstrating your inability to meet your obligations. Based on the submitted evidence, we will be able to decide on the merits of your request in accordance with our internal policies.

In accordance with legal obligations (in particular the Prevention of Money Laundering and Terrorist Financing Act, the Tax Procedure Act, and based on international agreements regarding CRS and FATCA), we are obliged to inform the competent state authorities (the Office for the Prevention of Money Laundering, the Financial Administration of the Republic of Slovenia, etc.) about data related to concluded life insurance policies.

8.

Is automated decision-making, including profiling, carried out which produces legal effects concerning me or similarly significantly affects me?

Profiling or automated processing of certain aspects of your personal data is used in the following cases: 

• In accordance with the Insurance Act, we may process certain data (such as age, health status, disability and occupation, and other personal circumstances that may reasonably affect the level of assumed risk, excluding gender, maternity and pregnancy) in the process of risk selection and assessment, premium determination and the payment of insurance benefits, with regard to life insurance products and accident and health insurance products, while taking gender into account on an aggregate level when calculating premiums and benefits. Insurance companies may process gender as a factor for the calculation of technical provisions, internal pricing, reinsurance pricing, marketing and advertising, and risk assessment in life, health and accident insurance; 

• In the process of online insurance conclusion, certain data is processed automatically. As a result, online conclusion may not be possible, for example due to specific circumstances that prevent the calculation of a premium or the provision of equivalent treatment in accordance with underwriting rules and conditions. In such cases, you can contact the call centre or an insurance agent to receive an offer or conclude a contract; 

• In the case of certain legitimate interests listed under point 3.2; 

• In all cases where you have given your explicit consent to such processing at the time of data collection or subsequently.

Zavarovalnica Triglav, d.d. does not use the above-mentioned profiling for decision-making based solely on automated processing that would produce legal effects concerning you or similarly significantly affect you.

9.

Is data transferred to third countries or international organisations?

In the event that the transfer of personal data to third countries or international organisations is necessary, we will carefully verify, prior to the transfer of data, whether there is an adequate legal basis and appropriate safeguards for such a transfer (existence of an adequacy decision, existence of binding corporate rules, use of standard contractual clauses, approved certification mechanisms (e.g. Privacy Shield between the European Union and the USA), using standard contractual clauses).

10.

What rights do I have regarding my personal data?

You can request the following at any time:

• Access to your personal data (to obtain information on whether we are processing your personal data, to access it, or to obtain a copy of your personal data; to obtain information about the purposes of the processing, the categories of data, the recipients or categories of recipients of this data, etc.);
• Rectification or erasure of your personal data (erasure cannot be requested for data that is stored or processed by law, and in some cases, erasure of data also means the termination of the contractual relationship with us);
• Restriction of the processing of your personal data (e.g. until its accuracy is verified);
• Portability of your personal data (where the data is processed based on consent or a mutual contract and by automated means, you can receive the personal data concerning you or request that it be transferred to another controller);
• To object to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, and where this decision is not necessary for entering into or performing a contract, or is not permitted by UK or EU law, or is not based on your explicit prior consent;  
• To object to the processing of personal data concerning you, which is carried out solely in the legitimate interests of the insurance company or in the public interest (in this case, we will cease processing your personal data; an exception applies if we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if we need it for the establishment, exercise or defence of legal claims); 

If we process your personal data based on your consent, you can withdraw your consent for processing at any time, either temporarily or permanently. In this case, your withdrawal applies from that point onwards and does not affect processing that has been carried out before the withdrawal. 

You can exercise your rights by:

• Sending a written request to: Zavarovalnica Triglav, d.d., Miklošičeva cesta 19, 1000 Ljubljana, Slovenia or
• Emailing info@triglav.si.
• Using the online forms provided by Zavarovalnica Triglav, d.d.

When we have reasonable doubts concerning the identity of the person making a request to exercise any of their rights, we may request the provision of additional information necessary to confirm the identity of the data subject.

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, Zavarovalnica Triglav, d.d. may: 

• Charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested and reasonably applying the price list governing the calculation of material costs related to the provision of public information at Zavarovalnica;  
• Refuse to act on the request.

In case of any questions or regarding the exercise of your rights, you can also contact our Data Protection Officer: dpo@triglav.si.

The Information Commissioner, Dunajska cesta 22, 1000 Ljubljana, carries out supervision over the lawfulness of processing and the protection of personal data in general in the Republic of Slovenia.