According to the Regulation of the European Parliament and the EU Council No. 2016/679 from 27. April 2016 on the protection of individuals with regard to processing of personal data and on the free movement of such data (hereinafter „GDPR“).
IDENTITY OF THE CONTROLLER
The controller processing personal data is NOVIS Insurance Company, NOVIS Versicherungsgesellschaft, NOVIS Compagnia di Assicurazioni, NOVIS Poisťovňa a.s., Námestie Ľudovíta Štúra 2, 811 02 Bratislava (hereinafter „Controller“). Business ID: 47251301, VAT registration number: 7120001350, registered in the Business Register of the District Court Bratislava I, Section: Sa, Insert No.: 5851 / B, NBS License No. ODT-13166 / 2012-16.
DATA PROTECTION OFFICER
The Controller has a designated data protection officer. You can contact this person by post on the address of the registered office of the Controller or via email at: dataprotection@novis.eu. Data subjects may contact the data protection officer for any questions concerning the processing of their personal data and the exercise of their rights under GDPR. Data protection officer shall in the performance of duties be bound by the obligation of secrecy and/or confidentiality of information in accordance with Union and/or Member State law.
PURPOSES OF THE PROCESSING
The Controller processes personal data of its clients to provide high-quality services for the conclusion and administration of insurance contracts, underwriting or claims management. Specific purposes of processing and the legal basis for processing:
Purpose – Legal title
1. performance of the insurance activity related to the client - Act on Insurance
2. performance of activities related to supervisory and other authorities - Act on Insurance
3. registry administration (post office) - Archives and Registry Act
4. accounting registration - Act on Accounting
5. management of the joint stock company agenda - Commercial Code
6. complaint settling - Act on Insurance
7. litigation - legitimate interest in the protection of property and rights of the Controller
8. relations management with business partners – business contracts
9. addressing requests of data subjects - Regulation of the European Parliament and the Council of the EU no. 2016/679
10. prevention of legalization of proceeds of criminal activity and terrorist financing - Act on the Prevention of Legalization of Proceeds of Criminal Activity and Terrorist Financing
11. reporting the anti-social activities - Act on Certain Measures Related to Reporting The Anti-Social Activities
12. automatic exchange of information about financial accounts for the purposes of tax administration (FATCA/CRS)
13. archive management - Archives and Registry Act
14. marketing - consent of the data subject
RECIPIENTS OF PERSONAL DATA
Depending on the activities, statutory and contractual obligations, the Controller provides personal data to the following categories of beneficiaries: reinsurers, marketing companies, lawyers, notaries, executors, managers, state institutions and supervisory authorities.
• The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308 USA (service „Mailchimp“)
• Market Vision Slovakia, Ružová dolina 6, 821 08 Bratislava, Slovakia (service „FeedTrack“)
• 2create, s.r.o., Hálkova 9, 831 03 Bratislava, Slovakia.
Cross-border transfer to a third country is realized to the USA by sending emails to the email address using the application MailChimp for sending emails operated by the company The Rocket Science Group LLC d/b/a MailChimp, a limited liability company with the registered seat at 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, USA, which participates and confirmed the compliance with the rules of EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework. The transfer to the USA is solely subject to your contact details (name, surname, email). For more about the personal data processing by the company operating MailChimp, you can find on their website https://mailchimp.com/legal/privacy/
RETENTION PERIOD
The Controller processes personal data for the time necessary to fulfill the purpose of its processing. Usually, for as long as there is a legal relationship and one year after its termination or otherwise if the legislation or contractual relationships state a different retention period.
RIGHTS OF THE DATA SUBJECT
A data subject is a natural person whose personal data are being processed. Data subjects have the right to:
• access personal data,
• demand correcting, erasing or restricting the processing of personal data,
• object to the processing of personal data,
• transfer personal data.
Access to personal data
The data subject shall have the right to obtain from the Controller a confirmation of the processing of personal data concerning him or her from the Controller and, if so, he or she shall have the right to access such personal data and the following information: purpose of processing, categories of personal data concerned, the nature of the recipients to whom personal data were or will be provided, the estimated period of retention of personal data, the existence of the right to demand the Controller to correct personal data related to the data subject or to erase or restrict their processing, or the right to object such processing, the right to lodge a complaint to a supervisory authority if personal data have not been obtained from the data subject, any available information as far as their source is concerned.
Rectification of personal data
The data subject shall have the right to obtain from the Controller without un-due delay the rectification of inaccurate personal data concerning him or her. With regard to processing a data subject shall have the right to have the in-complete personal data completed, by providing a supplementary statement.
Erasure of personal data („right to be forgotten“)
The data subject shall have the right to obtain the erasure of personal data concerning him or her without undue delay by the Controller and the Controller shall have the obligation to erase personal data without undue delay if one of the following grounds is met:
• personal data are no longer necessary for purposes for which they were collected or otherwise processed,
• the data subject withdraws the consent on which the processing is based and where there is no other legal ground for the processing,
• the data subject objects to the processing pursuant to Article 21 (1) of GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) of GDPR,
• personal data have been processed unlawfully,
• personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject,
• personal data have been collected in relation to the offer of information society services referred to Article 8 (1) of GDPR - child‘s consent.
Restriction of processing personal data
The data subject shall have the right to request from the Controller restriction of processing insofar the data subject contests the accuracy of personal data:
• during a period enabling the Controller to verify the accuracy of the personal data,
• the processing is unlawful, and the data subject opposes the erasure of personal data and requests the restriction of their use instead,
• the Controller no longer needs the personal data for processing, but they are required by the data subject to for the establishment, exercise or defense of legal claims,
• the data subject has objected to processing pursuant to Article 21 (1) of GDPR pending the verification whether the legitimate grounds on the part of the Controller override the legitimate grounds of the data subject.
Where processing has been restricted, such personal data shall with the exception of retention, only be processed with the consent of the data subject, or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A data subject, who has achieved restriction of data processing shall be informed by the Controller before the restriction of processing is revoked.
Objecting to processing of personal data
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data, which is necessary for the performance of a task carried out for the public interest or for the exercise of public power, or for purposes of legitimate interests pursued by the Controller or a third party with the exception of cases where such interests prevail over the interests or fundamental rights and freedoms of a data subject that require the protection of personal data, especially when the data subject is a child. The Controller mustn´t further process personal data unless it demonstrates compelling legitimate grounds necessary for the processing that outweigh the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. When personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for purposes of such marketing, which includes profiling to the extent that it is related to such direct marketing.
Transfer of personal data
The data subject shall have the right to obtain personal data related to him or her and which he or she has provided to the Controller in a structured, commonly used and machine-readable format and shall have the right to transfer such data to another controller or processor without objections from the Controller to whom such personal data have been provided, if processing is based on consent or contract and if processing is carried out by automated means. A data subject shall, in exercising his or hers right on data portability referred to in paragraph 1, have the right to transfer personal data directly from one controller to another as far as it is technically possible.
CONSENT REVOCATION
In the event that a data subject has given the Controller a consent for processing personal data, such consent may be revoked at any time without affecting the legality of processing based on the consent given prior to its revocation. Revocation of consent is effective as soon as the Controller is notified.
LODGING A COMPLAINT
The data subject shall have the right to lodge a complaint with a supervisory authority if he or she considers that the processing of personal data relating to him or her infringes GDPR. The supervisory authority for the Controller is the Office for Personal Data Protection of Lithuania - Valstybinė duomenų apsaugos inspekcija. The supervisory authority that has received the complaint shall inform the complainant on the progress and the outcome of the complaint including the possibility to commence a judicial remedy pursuant to Article 78 of GDPR.
VOLUNTARY PROVISION OF DATA
Regardless of the purpose of personal data processing, the provision by the data subject for the Controller is always voluntary. The Controller needs to process personal data to fulfill its statutory and contractual obligations. Failure to provide personal data may therefore lead to the inability to enter a contractual relationship with the Controller.