Other categories of individuals and information under Articles 13 and 14 of the General Data Protection Regulation (GDPR)

Employees of the controller

Concluding and implementing employment contracts, providing information to eligible users, complying with the obligations laid down by law in the event of occupational injuries, collective accidents, dangerous occurrences, occupational diseases and work-related illnesses, providing preventive health checks, ensuring occupational health and safety measures and fire safety, and implementing other obligations arising from regulations and contracts

Labour Relations Act, Occupational Safety and Health Act, Labour and Social Security Records Act, Income Tax Act and others, collective agreements, contract, legitimate interests of the insurance company - employer

Individual*, databases

Personal data required by law, data necessary for the conclusion and performance of a contract and data based on the legitimate interests of the employer as controller

Employees of Triglav Group companies

Implementation of statutory obligations (management, strategic development, operational activities)

Insurance Act, European Commission Delegated Regulation Solvency II, legitimate interests

Individual*, Triglav Group company

Name, surname, contact details, job title, name and designation of the organisational unit, Triglav Group company name and other information in the context of the governance system, internal control, risk management and the implementation of other regulatory requirements

Jobseekers

Selection of a candidate for a published vacancy

Employment Relations Act, other regulations laying down the conditions for the post

Individual*

Data provided by the jobseeker (first name, surname, date of birth, contact details, schooling, work experience, additional skills, references, etc.)

Insurance agents and intermediaries

Supervising the work, keeping a register of insurance agents, calculating commissions, calculating and paying income tax and other duties in accordance with the applicable regulations

Contract, Insurance Act, Code of Obligations, Income Tax Act, etc.

Individual*, business entity, Insurance Supervisory Agency, databases

Name, surname, contact details, regulatory and other information necessary for the conclusion and performance of the contract

Controller's scholarship holders

Fulfilling the obligations and exercising the rights under the scholarship agreement

Scholarship Act, scholarship agreement

Individual*, educational institutions

Data required by law and data necessary for the conclusion and implementation of the scholarship agreement

Natural persons carrying out work for the controller on the basis of an author's contract or a freelance contract

Entering into and fulfilling obligations and exercising rights under an author's contract or freelance contract

Contract, Copyright and Related Rights Act, Code of Obligations

Individual*

Contact details and information for concluding and implementing the contract

Students working on the basis of a referral from an authorised organisation providing work for students

Pension, invalidity, sickness, occupational injury and disease insurance, and the fulfilment of other obligations and the exercise of rights arising from work on the basis of a referral

Student work referral form, Employment and Insurance Against Unemployment Act, Labour Market Regulation Act, etc.

Student service institution, individual*

Data from the student referral form: name, surname, contact details, details of educational establishment and course of study, student status, type of work, date of work, number of hours worked

Students on traineeships and their mentors

Provision of practical training to students and fulfilment of obligations and exercise of rights under the contractual relationship between the controller, the educational institution and the student

Vocational Education Act, contract

Individual*, educational institution, mentor

Information necessary for the conclusion and implementation of the contract

Members of the Supervisory Board and candidates for election to the Supervisory Board, and persons connected to them

Convening meetings, attending meetings with the controller, paying sitting fees, registering in the court register, fulfilling other legal obligations, verifying that the eligibility criteria for a member of the Supervisory Board or a candidate for a member of the Supervisory Board are met

Companies Act, Insurance Act, Worker's Participation in Management Act, Court Register Act, Financial Instruments Market Act, etc.

Individual*, databases

Data required by law, data from public databases, including a certificate of impunity, and data relating to the data subject (name and surname, relationship to the member and description of the leading position or function in another legal entity) provided by the data subject in accordance with the controller's internal rules for the purpose of complying with the controller's legal obligations

Members of the controller's Management Board and persons related to them

Compliance with legal obligations, registration in the court register, reporting to supervisory authorities and other data reporting obligations, verification of compliance with the eligibility criteria for a member of the Management Board or a candidate for election as a member of the Management Board

Companies Act, Insurance Act, Worker's Participation in Management Act, Court Register Act, Financial Instruments Market Act, etc.

Individual*, databases, Insurance Supervisory Agency

Data required by law, data from public databases, including a certificate of impunity, other data and data of persons related to them (name and surname, relationship to the member and description of the leading position or function in another legal entity) provided by the individual or obtained by the Insurance Supervisory Agency, in accordance with the internal rules of the controller, for the purpose of complying with the legal obligations of the controller

Retired persons who were employed by the controller before retirement

To provide information on company events and to send out an internal newsletter

Legitimate interest

Individual*

Name, surname, contact details

External visitors entering the premises of the controller

Security of property and persons on the premises of the operator, recording of entry

Legitimate interest

Individual*

Information on the visitor (name, surname, date of arrival and departure), purpose of the visit, image of the individual, date and time of entry to or exit from the premises under video surveillance

Representatives of contractual partners (contractors and suppliers)

Performance of service and supply contracts

Contract

Individual*, business entity on whose behalf the representative is acting

Name, surname, contact details, place of work, name of the contractual partner, other information necessary for the conclusion and performance of the contract

Participants and winners of competitions

Running the competition, communicating the results, awarding the prize and paying the income tax if the prize is worth more than EUR 42

General terms and conditions of the competition, Code of Obligations, Income Tax Act, Tax Procedure Act, consent

Individual*, parents or guardians of prize-winners, if the prize-winner is under 15 years of age

Contact details, in the case of a prize winner, tax number, other details in accordance with the general terms and conditions of the competition

Controller's shareholders

Holding general meetings, paying dividends, notifying shareholders, paying taxes

Companies Act, Insurance Act, Book-Entry Securities Act, etc.

Central Register at the Central Clearing and Depository Company, individual*

Name, surname, address, number of shares, tax number, amount of payment, advance payment of income tax, date of payment

Holders of Controller's bonds

Bond redemption, reporting, bond coupon payments, notification, tax payment

Companies Act, Book-Entry Securities Act, etc.

Central Register at the Central Clearing and Depository Company, individual*

Name, surname, full address, number of bonds, tax number, amount of payment, advance payment of income tax, date of payment

Lawyers, executors, liquidators, court experts and evaluators, and court interpreters

Communication in proceedings ordered by a court or by a party represented by a lawyer or under a statutory mandate in personal bankruptcy, enforcement and security, and other proceedings

Attorneys Act and Power of Attorney, Courts Act, Enforcement and Security Act, Financial Operations, Insolvency Proceedings, and Compulsory Dissolution Act, etc.

Individual*, other persons involved in proceedings, databases

Name and contact details, content of the request, pending application, opinion or report

Persons required to disclose circumstances indicating a (potential) conflict of interest, their family members and recipients of disclosures

Managing the risks arising from actual and potential conflicts of interest, verifying the existence of circumstances that could give rise to conflicts of interest, implementing rules, procedures and measures

Companies Act, Slovenian Sovereign Holding Act, Integrity and Prevention of Corruption Act

Individual*, databases

Name and surname, job title/function, debts, liabilities or guarantees assumed and loans in value given, held by the taxable person himself or by companies in which the taxable person holds an ownership interest of more than 25%, the manner in which the taxable person is related to the related person, other facts and information on the matter, information relating to the transaction in question, the qualified related person and the procedure for deciding whether to allow the qualified related person to do business with the taxable person

Applicants and recipients of funding – sponsorships and donations

To carry out the selection procedure in accordance with the terms of the invitation to apply, the processing of applications and selection of projects, the publication of the selection results, the disbursement of funds, for promotional and other purposes within the framework of each project, the conclusion and implementation of the contract and other activities

Invitation to apply, contract, consent, Code of Obligations

Applicant (individual* or associations and institutions in the field of socially responsible activities)

Data specified in the invitation to apply, data necessary for the conclusion and performance of the contract, data processed on the basis of the data subject's consent

Participants in events organised or co-organised by the controller

Organising or co-organising events, sending invitations to various events and activities and for publication in the media, on the controller's website, on the controller's social media profiles and on the websites of individual events, carrying out other activities in accordance with the consent given

Consent, without consent in the case of participation in mass events, contract

Individual*, business entities

Contact details and other data provided by individuals - in the context of mass events and crowd photography, there is no processing of personal data, except where the subject of the recording is a specific individual

Officials working for the authorities

Inspection procedures, infringement procedures and the exchange of various pleadings, opinions and clarifications from the authorities

Administrative Procedure Act, Offences Act, Inspection Act, etc.

Individual*, authority

Name, surname, post/title of official, name of authority and contact details

Beneficial owners of business entities, politically exposed persons (party representative or proxy, beneficial owners and their family members and close associates)

Customer screening, identification and verification of customer identity, identification of beneficial owners, monitoring of business activities, reporting and documentation of data reporting to the Office for Money Laundering Prevention

Prevention of Money Laundering and Terrorist Financing Act

Individual*, business entity, databases and publicly published data, Office for Money Laundering Prevention

Categories of personal data are determined by law

Representatives of the public

Dealing with questions from the press and other interested members of the public

Media Act, Public Information Access Act

Individual*

Only data provided by the individual*

Personal data controller and contact details

Legitimate interests

Where necessary, we process your personal data on the basis of legitimate interests, which include:

• Improvement, development and upgrading of insurance services, systems and products of the Company;
• Technical maintenance of websites and services;
• Customer relationship management and customer satisfaction monitoring (e.g. provision of applications with information on contracts concluded and for the purpose of providing additional discounts and benefits (iTriglav, Triglav Komplet), issuing premium vouchers rewarding customer loyalty with promotional gifts, etc.);
• Equipping of business communication with marketing content;
• Preparation for the sales interview and review of previously concluded insurance;
• Contacting the customer about renewal or continuation of the insurance;
• Identification of the needs and requirements of the Company's potential and existing customers, including offering new insurance products with new guarantees where such customer needs and requirements are identified in the course of the sales interview;
• Sending offers to all potential customers without prior profiling and sending offers with prior profiling where a narrow set of personal data other than a specific category of personal datais used for this purpose (e.g. personal name, address of permanent or temporary residence, phone number, e-mail address and fax number, age, gender, types of insurance contract cocluded, term of expiry, etc.);
• Ensuring the operation of information systems, network security and information (prevention of events, illegal or malicious acts that threaten accessibility, authenticity, integrity and confidentiality of stored or transferred personal data and the security of related IT services), the prevention of unauthorized access to Company information system and the response to computer security threats and incidents;
• For the purpose of protection and insurance of assets and employees of the Company against threats and violence and in similar cases where, without processing personal data, it would not be able to protect and enforce its own legitimate interests and rights, which we enjoy under the law; this includes the implementation of video surveillance at entrances to business premises due to clarification of the circumstances of offences against the employees and assets of the Company, and supervision of access to the Company's business buildings in order to prevent access of unauthorised persons into business premises and in order to ensure house order in business premises of the Company;
• For the purposes of coclusion, processing and exchanging personal data for reinsurance purposes;
• For the purpose of carrying out actuarial calculations and accounts and the payment of commissions to insurance agents;
• To investigate suspicions of insurance fraud.

How long do we keep your personal data?

Where we process your personal data on the basis of law, we keep them until the expiry of the legal retention periods. Where we process your personal data on the basis of a contract, we keep them until the performance of our obligations under the contract and until the expiry of the time limits set out in the regulations on the retention of business records and on tax matters. Personal data processed on the basis of consent are kept until the consent is withdrawn. Personal data processed on the basis of the legitimate interests of Zavarovalnica Triglav, d.d. are kept until the legitimate interest is realised or until the expiry of the time limits set by the regulations.

Do I have any obligation to provide personal data?

You must provide us with the information we need to enter into, perform and fulfil our contractual obligations and the information that the insurer is required to collect in accordance with its regulatory obligations (e.g. insurance, tax, anti-money laundering). We cannot enter into, perform or fulfil a contract with you without your information if you have already entered into a contract with us.

Is there automated decision-making involving profiling that has legal or similar effects on me?

We do not make decisions based solely on automated processing of your data, which would involve profiling and would have legal or similar effects for you.

If you are a (potential) customer of Zavarovalnica Triglav, d.d., please also read the Information concerning the processing of personal data in the insurance sector.

If you are a visitor to the websites or a user of the applications of Zavarovalnica Triglav d.d., you can find more information in the Privacy Policy of Triglav d.d.

What rights do I have regarding my personal data?

I can request the following at any time:

• Access to my personal data (to find out whether you are processing personal data relating to me, to access or obtain a copy of the personal data, to obtain information about the purposes of the processing, the categories of data, the users of the data or categories of users, etc.);
• Rectification or deletion of my personal data (deletion cannot be requested for data stored or processed on the basis of law, and in some cases, deletion of data also implies the termination of the contractual relationship with us);
• Restriction of the processing of my personal data (e.g. until its accuracy has been verified);
• Transfer of my personal data (in the event that the data is processed on the basis of consent or a mutual agreement and by automated means, I receive personal data relating to me or request that it be transferred to another controller);
• Revocation of a decision based solely on automated processing, which includes profiling and which has legal or similar significant effects on me, and which is not necessary for entering into or performance of a contract or is not permitted by the Slovenian or EU laws or is not based on my explicit prior consent;
• Objection to the processing of personal data concerning me which is carried out solely in the legitimate interest of the insurance company or in the public interest (in this case, we will stop processing your personal data; an exception applies if we demonstrate that we have compelling legitimate grounds for processing which override your interests, rights and freedoms, or that we need it for the establishment, exercise or defence of legal claims).

If we process your personal data on the basis of your consent, you may withdraw your consent to processing at any time, temporarily or permanently. In this case, your revocation applies prospectively and does not affect the processing carried out up to the revocation.

You can make your request:

• in writing to Zavarovalnica Triglav, d.d., Miklošičeva cesta 19, 1000 Ljubljana, or
• to info@triglav.si or
• by using the online form available at www.triglav.si.

If you have any questions or would like to exercise your rights, you can also contact our Data Protection Officer: dpo@triglav.si.

The supervision of the lawfulness of processing and the protection of personal data in general in the Republic of Slovenia is carried out by the Information Commissioner, Dunajska cesta 22, 1000 Ljubljana.