Information on processing of personal data in the field of insurance

1.

Personal data controller and contact details

2.

How do we obtain your personal data?

We obtain personal data directly from you.

In the provision of our services, we may also use personal and other information obtained from the following sources in accordance with the legislation:

• From national authority databases;
• From databases of providers of health and related services and the Health Insurance Institution (Zavod za zdravstveno zavarovanje);
• From the databases of the Pension and Disability Insurance Institution (Zavod za pokojninsko in invalidsko zavarovanje) and the ministry responsible for social affairs;
• From the databases of the ministry responsible for transport, the ministry responsible for the interior and the organisations which carry out the type-approval and registration of vehicles;
• From other databases of individual insurance companies and the Slovenian Insurance Association in the process of settling disputed insurance cases;
• From state authorities, self-governing local authorities, public agencies, public funds and other public law bodies, as well as holders of public powers and providers of public services, on the basis of a written request and in relation to the personal data collections held by them;
• From other persons who have knowledge of the insurance case (e.g. the persons who caused the damage, the injured parties, witnesses);
• From the information systems of the Slovenian Insurance Association - more information is available at https://www.zav-zdruzenje.si/pravila-o-zasebnosti/;
• From publicly published data and/or databases based on publicly published data;
• From other persons on the basis of your consent.

2.1

Categories of personal data

The insurance company collects, stores, transmits and uses (hereinafter referred to as "processes") the following personal data of its customers in the databases it establishes, manages and maintains in accordance with the regulations governing the protection of personal data and the insurance industry:

• Information set out in the insurance contract (i.e. the offer to take out insurance or the declaration of acceptance with supplements and declarations, the insurance policy, special declarations in writing), on annexes and supplements to the insurance contract, including questionnaires);
• Information on insurance cases, to assess insurance cover and the amount of compensation or insurance benefits, and to carry out recourse procedures;
• Data obtained by the insurer in other communications with the policyholder, the insured or third parties (e.g. prize draws, events organised by the insurer, registration and use of the insurer's mobile applications, use of the insurer's web applications, etc.);
• Information about the consent given and information provided by an affiliated company in the Triglav Group on the basis of your consent.

Special categories of personal data

On the basis of the Insurance Act, we also process your medical data (e.g. information about your previous injuries, your state of health, the type of injuries, the duration of treatment and the consequences for the insured and the injured party, the costs for medical care, the insured and the injured party's medicines and medical devices) for the purposes of the law. We obtain this data directly from you (health questionnaire), but we may also obtain it from your doctor, other healthcare providers or other persons, if so provided for by the law.

Under the Prevention of Money Laundering and Terrorist Financing Act, we are also obliged to check the potential political exposure of our clients.

Zavarovalnica Triglav also processes special categories of data concerning you on the basis of the legitimate interests of the insurance company when, in connection with the repayment of a recourse claim, you inform us of personal circumstances that make it difficult for you to pay or persons whom you have authorised inform us of such circumstances. In those cases, we will ask you or your authorised representative for further evidence of those circumstances, which may include information about your financial, social or health situation. On the basis of the evidence provided, the insurer will be able to decide on the merits of your application and, as creditor, make an appropriate assessment of the grounds for reducing, waiving or mitigating the payment of the claim.

We also process personal data relating to crimes and offences in connection with insurance cases in the database of insurance cases and for the purpose of assessing insurance cover in accordance with the Insurance Act, whereby we process personal data only to the extent necessary to fulfil the purposes of processing set out in point 3.1.

3.

Purposes of processing of personal data

We process your personal data in accordance with the General Data Protection Regulation, the Insurance Act, the Personal Data Protection Act and other regulations governing the scope and purposes of the processing of personal data that we, as the controller, may process.

3.2

Legitimate interests

Where necessary, we process your personal data on the basis of legitimate interests, which include:

• Improvement, development and upgrading of insurance services, systems and products of the Company;
• Technical maintenance of websites and services;
• Customer relationship management and customer satisfaction monitoring (e.g. provision of applications with information on contracts concluded and for the purpose of providing additional discounts and benefits (iTriglav, Triglav Komplet), issuing premium vouchers rewarding customer loyalty with promotional gifts, etc.);
• Equipping of business communication with marketing content;
• Preparation for the sales interview and review of previously concluded insurance;
• Contacting the customer about renewal or continuation of the insurance;
• Identification of the needs and requirements of the Company 's potential and existing customers, including offering new insurance products with new guarantees where such customer needs and requirements are identified in the course of the sales interview;
• Sending offers to all potential customers without prior profiling and sending offers with prior profiling where a narrow set of personal data other than a specific category of personal datais used for this purpose (e.g. personal name, address of permanent or temporary residence, phone number, e-mail address and fax number, age, gender, types of insurance contract cocluded, term of expiry, etc.);
• Ensuring the operation of information systems, network security and information (prevention of events, illegal or malicious acts that threaten accessibility, authenticity, integrity and confidentiality of stored or transferred personal data and the security of related IT services), the prevention of unauthorized access to Company information system and the response to computer security threats and incidents;
• For the purpose of protection and insurance of assets and employees of the Company against threats and violence and in similar cases where, without processing personal data, it would not be able to protect and enforce its own legitimate interests and rights, which we enjoy under the law; this includes the implementation of video surveillance at entrances to business premises due to clarification of the circumstances of offences against the employees and assets of the Company, and supervision of access to the Company's business buildings in order to prevent access of unauthorised persons into business premises and in order to ensure house order in business premises of the Company;
• For the purposes of coclusion, processing and exchanging personal data for reinsurance purposes;
• For the purpose of carrying out actuarial calculations and accounts and the payment of commissions to insurance agents;
• To investigate suspicions of insurance fraud.

3.3

Performance of a task carried out in the public interest or in the exercise of official authority vested in the operator

Where processing is necessary for compliance with our legal obligations carried out in the public interest:

• Preventing money laundering and terrorist financing;
• Tax compliance;
• External audits of operations in accordance with insurance, company and auditing regulations;
• Implementation of restrictive measures in accordance with domestic and international regulations;
• Performance of obligations towards the insurance company's supervisory authorities that supervise the functioning of the insurance market, consumer protection, tax compliance, prevention of money laundering, processing of personal data and other obligations (e.g. the Insurance Supervision Agency, the Financial Administration of the Republic of Slovenia, the Market Inspectorate of the Republic of Slovenia, the Information Commissioner of the Republic of Slovenia, the Agency for Communication Networks and Services);
• Implementation of legal obligations on whistleblower protection;
• In other cases, as provided for by law.

3.4

Consent

We may process your personal data for certain purposes only on the basis of your free, specific, informed and unambiguous consent, e.g. for segmented (direct) marketing, including profiling, which we carry out for the marketing of our products and services and for the marketing of the products and services of Triglav Group companies, and/or for the transfer of your personal data to Triglav Group companies based in the Republic of Slovenia, which are engaged in insurance activities and/or financial services (this includes Zavarovalnica Triglav, d.d, Triglav, Zdravstvena zavarovalnica, d.d., Triglav, pokojninska družba, d.d., Triglav Skladi, družba za upravljanje, d.o.o. – for a complete list of companies, please visit the Triglav Group website, https://www.triglav.eu/en/) for the purpose of preparing tailored offers of their own products and services to you.

In case you give us your consent for segmented (direct) marketing, including profiling, we may process the following data about you: first name, last name, address, tax number, date of birth, e-mail address, telephone number and mobile phone number, if you provide it to us. In accordance with the Insurance Act, we may also process gender data for marketing purposes.
In addition, we may also process information about your age and/or the extent of your insurance and/or the duration of your insurance for marketing purposes on the basis of consent to ensure that we take into account the requirements and needs of our customers in accordance with the requirements of the Insurance Act in relation to the distribution of insurance products, depending on the type of insurance product we are marketing.
If you give us your consent to send your data to companies of the Triglav Group based in the Republic of Slovenia, which are engaged in insurance and/or financial services, we will provide them with the following data: your first name, surname, address, tax number, date of birth, e-mail address, telephone number, mobile telephone number and, in addition, gender information.

If we are recording a phone call, we will explicitly warn you about this before recording the phone call. We keep the recording so that we can prove your consent.

You always have the right to temporarily or permanently withdraw your consent to the processing of your personal data for the purposes for which you have given your consent or to object to the processing of your personal data for direct marketing purposes, or to request access to, or the completion, rectification, correction, restriction of processing, transfer or erasure of your personal data.
Your cancellation applies prospectively and does not affect the lawfulness of the processing carried out up to the date of your cancellation.

4.

Users and categories of users of personal data and processors of personal data

Your personal data is processed by the persons responsible for fulfilling your contractual and legal obligations (employees).

Users of personal data include, in accordance with the regulations, the Slovenian Insurance Association and other insurance companies to the extent and for the purposes set out in the regulations, as well as other categories of users published in the List of categories of users of personal data on the website.

Your personal data may also be processed by our contractual processors of personal data whose contractual obligations in relation to the processing of personal data are carefully monitored by us (e.g. insurance agents and intermediaries in various organisational forms, marketing service providers, printers, providers of specific IT services, banks and leasing companies with which you have credit or other contractual relationships, and others). A list of categories of personal data processors is also available here.

4.1

Other persons to whom your personal data may be disclosed

In the context of legal obligations, your personal data may also be accessed by supervisory authorities (see section 3.3) and other persons where you have consented to such access or where they have a basis in law for accessing the data and/or where they demonstrate a legitimate interest. You can see a list of these persons on the insurer's website (point 4).

5.

How long do we keep your personal data?

We keep your personal data in relation to the insurance taken out:

• 10 years after the end of the insurance contract;
• In the event of an insurance case, 10 years after the end of the processing of the insurance case;
• In the event of legal proceedings for the recovery of unpaid obligations under insurance contracts, 10 years after the conclusion of the legal proceedings;
• Data relating to the insurance case and for the assessment of the insurance cover and the amount of compensation or insurance benefit are stored for 10 years after the end of the processing of the insurance case. If, within that period, the insured person or the injured party makes, or is reasonably expected to make, a new claim to enforce the rights arising from the insurance case after the expiry of that period, the retention period shall be extended, if necessary, so that the data are retained for 5 years after the end of the processing of the new claim or for as long as it is possible to make a new substantiated claim;
• In the case of processing of your data in the course of anti-money laundering and anti-terrorist financing procedures, implementation of restrictive measures and other activities on the basis of specific legal obligations of the insurance company until the expiry of the specific legal time limits for their retention.

The insurance company will keep your personal data processed on the basis of your consent until you withdraw your consent. The same applies to the processing of such data by affiliated companies (point 3.4) to which, with your consent, your personal data have been provided for the same purpose of processing. However, other personal data obtained as part of the expressed intention to conclude, conclusion or performance of an insurance contract or on the basis of the law is kept by the Company until the expiration of the statutory retention period.

6.

Will my personal data be exported to third countries?

The transfer of data to third countries or outside the European Union is possible if it is carried out in accordance with the conditions laid down in the General Data Protection Regulation or if the data transferred to third countries are subject to an equivalent level of protection of personal data as is ensured within the EU/EEA. In view of the above, the export may take place in accordance with the Law on Compulsory Motor Insurance, which transposes into the Slovenian legal order the Codified Motor Insurance Directive 2009/103/EC, which lays down the obligations of insurers with regard to the provision of motor insurance and the handling of claims under the Green Card system. In these procedures, data is sent by registered mail or by email, secured by TLS/SSL encryption.

7.

Do I have any obligation to provide personal data?

You must provide us with the information we need to enter into, perform and fulfil our contractual obligations and the information that the insurer is required to collect in accordance with its regulatory obligations (e.g. insurance, tax, anti-money laundering). We cannot enter into, perform or fulfil a contract with you without your information if you have already entered into a contract with us.

In particular, we would like to remind you that, in relation to insurance products where there is a risk of money laundering and terrorist financing, we are required by the Prevention of Money Laundering and Terrorist Financing Act to identify and verify the identity of the customer (and of any person acting on behalf of the customer) on the basis of your identity document, and to obtain personal data (personal name, address of permanent and temporary residence, date and place of birth, tax number or ID number, nationality and the number, type and name of the issuer of the official identity document and the period of validity of the identity document), information about the beneficial owner of the customer, to obtain information about the purpose and intended nature of the business relationship or transaction, to regularly and carefully monitor the business activities carried out by the customer with the insurer, and to verify and update the documents and information obtained about the customer. In order to carry out the above obligations, you are obliged to provide us with the data and information required by the aforementioned regulations. An official identity document can only be a valid document with a picture issued by a competent state authority of the Republic of Slovenia or another country and which is considered a public document under the law of the issuing country. We would also like to remind you that, in addition to the information required by law, and only on the basis of your consent, we may also process your e-mail address for the purpose of providing you with notifications in connection with the insurance policies taken out, whereby you may at any time cancel this method of business communication by sending an e-mail to Zavarovalnica Triglav, d.d., Head Office (Centrala), Personal Insurance (Osebna zavarovanja), Verovškova 60c, 1107 Ljubljana, or by sending an e-mail to soglasja@triglav.si, or by notifying us of a change in your e-mail address using the prescribed form. In the event that you fail to comply with your obligations and do not provide us with all the information required by law, we may not conclude insurance with you or we may be obliged to terminate it.

If you, or someone you authorise to represent you, inform us of circumstances that make it difficult for you to pay in relation to a recourse claim, we will ask you to provide evidence that you are unable to pay. On the basis of the evidence provided, we will be able to decide on the merits of your application in accordance with our internal rules.

In accordance with our legal obligations (in particular the Prevention of Money Laundering and Terrorist Financing Act, the Tax Procedure Act and international agreements on CRS and FATCA), we are obliged to inform the competent state authorities (the Office for Money Laundering Prevention, the Financial Administration of the Republic of Slovenia, etc.) of the data relating to life insurance and pension insurance policies taken out.

8.

Is there automated decision-making involving profiling that has legal or similar effects on me?

Profiling or automated processing of some of your personal attributes is used in the following cases:

• In accordance with the Insurance Act, we may process certain data (age, state of health, disability and occupation, and other personal circumstances which may reasonably affect the amount of the risk assumed, with the exception of sex, maternity and pregnancy) in the selection and assessment of risks and in the determination of premiums and the payment of benefits, in relation to life insurance and accident and health insurance, taking into account the personal circumstance of sex in the calculation of premiums and benefits at an aggregate level. Insurance undertakings may process the gender factor for the calculation of technical provisions and internal pricing, for reinsurance pricing, for marketing and advertising and for the risk assessment of the life insurance group and the health and accident insurance classes;
• In the process of online insurance contract conclusion, we process some data automatically. This may result in an online conclusion not being possible, e.g. due to the existence of certain circumstances that would make it impossible to calculate the premium or ensure equivalent treatment conditions in accordance with the insurance bases and conditions. In such cases, you can contact the Call Centre or an insurance agent to prepare an offer or conclude an insurance contract;
• In the case of the exercise of certain legitimate interests referred to in point 3.2;
• In all cases where you have given us your explicit consent to such processing at the time of collecting the information, or subsequently.

Zavarovalnica Triglav, d.d. does not use the profiling presented above to make decisions based solely on automated processing or to create any legal effects for you or to influence you significantly in a similar way.

9.

Are data transferred to third countries or international organisations?

In the event that a transfer of personal data to third countries or international organisations would be necessary, we will carefully check whether there is an appropriate legal basis and safeguards for such transfer (existence of an adequacy decision, existence of binding corporate rules, use of so-called standard contractual clauses, approved certification mechanisms (e.g. Privacy Shield between the European Union and the United States of America), using so-called standard contractual clauses) prior to the transfer of the data.

10.

What rights do I have regarding my personal data?

I can request the following at any time:

• Access to my personal data (to find out whether you are processing personal data relating to me, to access or obtain a copy of the personal data, to obtain information about the purposes of the processing, the categories of data, the users of the data or categories of users, etc.);
• Rectification or deletion of my personal data (deletion cannot be requested for data stored or processed on the basis of law, and in some cases, deletion of data also implies the termination of the contractual relationship with us);
• Restriction of the processing of my personal data (e.g. until its accuracy has been verified);
• Transfer of my personal data (in the event that the data is processed on the basis of consent or a mutual agreement and by automated means, I receive personal data relating to me or request that it be transferred to another controller);
• Revocation of a decision based solely on automated processing, which includes profiling and which has legal or similar significant effects on me, and which is not necessary for entering into or performance of a contract or is not permitted by the Slovenian or EU laws or is not based on my explicit prior consent;
• Objection to the processing of personal data concerning me which is carried out solely in the legitimate interest of the insurance company or in the public interest (in this case, we will stop processing your personal data; an exception applies if we demonstrate that we have compelling legitimate grounds for processing which override your interests, rights and freedoms, or that we need it for the establishment, exercise or defence of legal claims).

If we process your personal data on the basis of your consent, you may withdraw your consent to processing at any time, temporarily or permanently. In this case, your revocation applies prospectively and does not affect the processing carried out up to the revocation.

You can make your request:

• in writing to Zavarovalnica Triglav, d.d., Miklošičeva cesta 19, 1000 Ljubljana, or
• to info@triglav.si or
• by using the online form available at https://www.triglav.si/.

Where we have reasonable doubt as to the identity of the person making a request for the exercise of one of his or her rights, we may require him or her to provide us with additional information necessary to confirm the identity of the data subject of the request.

If the data subject's requests are clearly unfounded or excessive, in particular because they are repetitive, Zavarovalnica Triglav, d.d. may:

• charge a reasonable fee, taking into account the administrative costs of providing the information or communication or of carrying out the requested measure, and applying mutatis mutandis the price list governing the calculation of material costs in connection with the provision of information of a public nature by the insurance company,
• or refuses to act on the request.

If you have any questions or would like to exercise your rights, you can also contact our Data Protection Officer: dpo@triglav.si.

The supervision of the lawfulness of processing and the protection of personal data in general in the Republic of Slovenia is carried out by the Information Commissioner, Dunajska cesta 22, 1000 Ljubljana.