Data Processing Information
With the following information we would like to offer you a detailed insight on the processing of your personal data (for the purpose of taking actions in accordance with your request and, prior to insurance contract stipulation, in relation to insurance contract stipulation and execution), as well as on the rights to which you may be entitled with respect to the processing of such data.
The protection of your privacy is of the utmost importance to us and therefore we ask you to read this information carefully.
1. Who is responsible for processing of your personal data?
In accordance with the General Data Protection Regulation (Regulation (EC) 2016/679) and having in mind that we determine the purposes and means of processing of your personal data, we are the Controllers i.e. we are responsible for processing of your personal data:
GRAWE Hrvatska Inc., Ulica grada Vukovara 5, 10000 Zagreb, Croatian Personal Identification Number (OIB): 28406115764
Phone: +385 (0)1 30 34 000; Fax: +385 (0)1 30 34 500
If you have any question regarding the processing of your personal data or on how to exercise your data protection rights, please contact our Data Protection Officer:
GRAWE Hrvatska Inc., Ulica grada Vukovara 5, 10000 Zagreb, with the indication “For Data Protection Officer”
Tel. +385 (0)1 30 34 865
2. For what purpose and on which legal basis is Your data processed?
We shall process your personal data in accordance with the provisions of the General Data Protection Regulation of the Act on Implementation of General Data Protection Regulation and other personal data protection rules.
We shall process your personal data for the purposes stated in this information and in accordance with the following legal basis:
2.1. Pre-contractual activities per your request, stipulation and execution of insurance contracts
Personal data you submit to us via the offer to conclude an insurance contract and other documents shall be processed for the purpose of determining your needs and requests and in order for us to be able to offer you objective information on a particular insurance product. Furthermore, your personal data shall be processed for the purpose of assessing a risk we assume and on the basis of which we shall decide whether and on what terms (e.g. the amount of the premium, insurance amount, scope of cover) we shall accept your offer and stipulate an insurance contract. We may also process your data for the purpose of informative calculation of the insurance premium.
In case you stipulate an insurance contract with us, we shall process your personal data for the purpose of contract execution (e.g. for drawing up of insurance policy, drawing up and sending of a notice on insurance payment due, notice on attributed profit, notice on insurance expiry, for administering contracts, for making assessments whether and on what conditions an insurance contract may be amended, for payments of obligations due).
In case we need to resolve claims, we shall process additional data related to a harmful event in order for us to determine whether and to what extent we shall be obliged to pay the insurance compensation.
If you are an insured person, your personal data shall be processed in order for us to stipulate an insurance contract with the policy holder, but also for us to fulfil our obligations from the insurance contract.
If you exercise your rights under the insurance contract as a beneficiary, a secured creditor, an injured party, etc., your personal data shall be processed in order for us to fulfil our obligations from the insurance contract.
2.2. Fulfilment of legal requirements
We shall also process your personal data for the purpose of fulfilment of our legal obligations (e.g. duty to give pre-contract information to an insurer, handling of complaints, requirement to retain business documents).
With respect to a stipulated life insurance contract, we shall process your data on tax residence in order for us to fulfil our obligation of delivering required information to tax authorities in accordance with the Law on Administrative Cooperation in the Field of Taxation and with the respective bylaws, as well as with the Agreement between the Government of the Republic of Croatia and the Government of the United States of America for improving tax obligations on international level implementing and complying to FATCA. Furthermore, as an entity subject to Anti Money Laundering and Terrorist Financing Law, we are obliged to implement measures for preventing and detecting money laundering and terrorist financing. Therefore we shall process your personal data (e.g. ID data, data related to sources of funding and data on political exposure) for such purpose, too.
2.3. Legitimate interests
We shall be entitled to process your personal data for achieving purposes in our legitimate interests except for the cases in which your interests and your basic rights and freedom requiring your personal data protection are more substantial than our interests. We shall, however, take into consideration your reasonable expectations with respect to processing of personal data based on your contractual or any other relationship with us.
Our legitimate interest is for example processing of personal data for the purpose of preventing and detecting insurance frauds and any other felony or misdemeanour, transfer of personal data of the GRAWE group for internal administrative purposes, processing of personal data for direct marketing purposes (including marketing research and customer satisfaction survey), in case such direct marketing is directed towards you as a policy holder during the term of the insurance contract. In such case we shall process your personal data in order for us to be able to adjust our marketing campaigns to your needs and to be able to send you personalised information on our products and/or services, sales campaigns, business news, etc. via mail, email, social networks and other media.
In case we shall process your data for the purpose of direct marketing, we inform you that you shall be entitled at any time to oppose to such processing. Upon receipt of your complaint, we shall stop using your data for such purpose.
We shall process your personal data for statistical purposes related to insurance (e.g. for developing and improving of existing insurance products or for complying with the regulatory requirements). We shall, however, take very good care that the processing of your personal data for statistical purposes never reveals your identity.
Unless their processing is not necessary for us to establish, satisfy or defend us from legal claims, we may process special categories of your personal data (e.g. data on your health condition, political opinion), only on the basis of your explicit consent. In such case, we shall take adequate measures to inform you in a timely, concise, transparent, understandable and accessible manner on the purpose of the processing for which we need your consent in order for you to be able to take a fully informed decision on whether or not you want to give us your consent.
If the terms and conditions of use of your personal data for direct marketing purposes on the basis of our legitimate interest (e.g. if you are an insured person, a beneficiary, a person with powers of representation, a premium payer or a third party) have not been met, then we must have your consent for processing of your personal data for such purpose.
In case we shall process your personal data based on the given consent, we inform you that you shall be entitled at any time to withdraw such consent in the way described in the point 8. - „ Which rights do you have under the Data Protection Law?
3. Which categories of personal data do we process?
We shall process personal data we collected from you from the offer to conclude an insurance contract, from the insurance contract, from a request for the exercise of the insurance rights and from other documents you sent us, as well as the data we received from third parties (e.g. from a doctor-censor, an expert, insurance distributors, other insurance companies), from public authorities or from publicly available sources.
This shall include your basic personal data (e.g. name and surname, date of birth, your domicile or residence, personal identification number, ID or passport number, email address, telephone number), data from the insurance contract (e.g. data on the insurable interest depending on the type of insurance, data on the insured person, real estate, vehicle, vessel, etc.), data on the insurance amount, duration of the contract, insurance premium, surrender and paid up policy value), payment data (e.g. bank data such as IBAN or amount to be paid).
In case of a harmful event, we shall collect and process your personal data related to such harmful event (e.g. date and time of a harmful event, cause of a harmful event, photos), as well as data on insurance compensation (amount of the compensation, payment data). If need be, this shall include data collected from third parties participating in the procedure for the settlement of claim (e.g. from a doctor-censor, an experts), from person that can offer us necessary information (e.g. competent bodies, witnesses) or from person that are related with the performance of our obligations related with a harmful event (e.g. health institutions, doctors, repair services).
In certain cases it will be possible to fulfil the purpose of data processing by using less data than described above, since we shall collect only those data necessary for us to reach a certain purpose.
4. With whom do we share your data?
If need be and for the purpose of obtaining the above mentioned purposes of data processing, i.e. in case it is established by regulations in force, we may share your personal data with natural and legal persons, public authorities or other bodies (recipients).
Notwithstanding to which recipient we shall deliver your personal data, we shall deliver only those data that are necessary for the achievement of the specific purpose of data processing. The recipients may be the following:
4.1. Reinsurance companies and other insurance companies
While underwriting certain risks, we cooperate with other reinsurance companies to which we transfer a part of the risk we have underwritten (reinsurance). For the same purpose, we may cooperate with other insurance companies to which we may transfer a part of the risks we have underwritten (co-insurance). In such case it may be necessary to share with such companies your personal data from the insurance offer, insurance contract or from the claim.
We may also exchange your personal data with other insurance companies in some other cases (e.g. for the purpose of claim management in cases of multiple or double insurance policies, for the purpose of performing obligations from correspondent contracts when handling international claims).
4.2. Insurance distributors
If during the preparatory works prior to insurance contract stipulation i.e. during stipulation, execution and management of the stipulated contract, as well as in case of handling a claim, you are assisted by an insurance distributor (e.g. representative or intermediary) who collects your personal data and transfers such data to us, we shall share with him your personal data to the extent necessary for the performance of the aforementioned activities.
4.3. Public authorities, courts and other recipients
In accordance with specific provisions, we may deliver your personal data to public authorities for them to be able to perform their official tasks. These authorities may be e.g. Croatian Financial Services Supervisory Agency, Ministry of Finance, Ministry of Interior Affairs, Public Prosecutor’s Office, Courts, Notary Publics or Tax authorities for the purposes of the procedure in course, Croatian Insurance Office, Insurance Ombudsman, Anti-money laundering office, Personal Data Protection Agency, etc.
We may deliver your personal data to other recipients i.e. natural or legal persons with whom we have a business relationship related to stipulation and execution of insurance contracts, handling of claims and recourse claims, recovery of claims, providing of marketing and other services, etc. (e.g. doctors – censors, health institutions and doctors, experts, providers of services of help and assistance, providers of detective services, attorneys, debt collection agencies, print services providers, providers of postal and courier services, translators, marketing agencies, IT services providers, creditors, financial institutions, statutory auditors/audit firms, providers of services related to sanctions check and checks on politically exposed persons).
Should we need, for the purpose of processing your personal data, to employ other natural or legal persons who shall process your personal data solely in our name and in accordance with our instructions (Processor), we shall engage, pursuant to a written agreement, only those Processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing shall meet the requirements of the General Data Protection Regulation and of personal data protection rules and shall ensure the protection of your rights.
5. Where shall we process your personal data?
Your personal data shall be processed within the European Economic Area (EEA).
Should it be necessary to process Your data outside this area, your personal data shall be transferred to recipients in third countries only if the European Commission established these countries ensure an adequate level of protection of personal data as required under the General Data Protection Regulation i.e. if appropriate safeguards have been provided (e.g. standard data protection clauses). For more information on protective security measures taken, you can contact our Data Protection Officer.
6. For how long shall your data be stored?
We shall store your personal data only for as long as is necessary for the fulfilment of the purpose for which they are being processed, unless we are not obliged by other legal deadlines to other storage periods.
With respect to insurance contract, the storage period shall be determined by the term of the insurance contract. However, since we are subject to statutory obligations of keeping the data on you, third parties, your insurance contract and harmful events even upon the insurance contract expiry i.e. upon payment of insurance contract obligation, we may store such personal data also upon the insurance contract expiry i.e. upon payment of compensation. The documents we are obliged to keep as well as the retention periods are set out in the General Tax Law, Anti Money Laundering and Terrorist Financing Law and others.
Moreover, we shall keep your personal data for as long as a statutory possibility of imposing statutory requirements on the basis of insurance contract exist, which also includes a legally prescribed period of time (e.g. for the purpose of enforcement proceedings, exercising extraordinary legal remedies) upon the definitive termination of a court, administrative or any other appropriate proceedings instituted for the purpose of exercising rights and obligations under the insurance contract.
In case we shall process certain personal data on the basis of the consent, in case of the withdrawal of such consent we shall cancel your personal data unless other legal ground for data processing exists or the processing of your data is necessary for the establishment, exercise or defence of legal claims.
7. What are the possible consequences if you choose not to provide your personal data?
We require your personal data for the purpose of performing precontractual activities as per your request, stipulating and executing the insurance contract as well as for processing claims for damage. If you chose note to provide the necessary personal data, we may not be able to conclude an insurance contract with you or we may not be able to fulfil our obligations from the insurance contract, including the processing of claim for damage. Please pay special attention to the fact that in case you choose not to provide the necessary personal data and we are not able to fulfil our obligation from the insurance contract, we shall not bear any liability for the non-performance of our obligation.
In some cases in which specific regulations apply, the refusal to provide necessary personal data may result in us not being authorised to stipulate an insurance contract with you (e.g. in case you chose not to provide the data necessary for the performance of an in-depth analysis during the stipulation of a life assurance contract, all in accordance with the Anti-Money Laundering and Terrorist Financing Law).
8. Which rights do you have under the Data Protection Act?
In addition to the requirements laid down in the General Data Protection Regulation, you shall have the following rights with respect to the processing of your personal data:
- The right of access – you shall have the right to be informed on the processing of your data and, if such data are being processed, to access your personal data and information on, among other, processed personal data, purpose of processing, duration of storage of your data, transfer to third countries, etc.
- The right to rectification – you shall have the right to rectify incorrect and amend your incomplete personal data.
- The right to erasure/Right to be forgotten – you shall have the right to erase your personal data related to you if, among other, your personal data are not necessary anymore for the purposes they were collected and processed in some other way, if you have withdrawn your consent for processing of your data, if no other legal basis for the processing exist, if your personal data were illegally processed, etc. This right has certain restriction and cannot be applied if the processing of your personal data is necessary for the establishment, exercise or defense of legal claims or for the purpose of fulfilling our legal obligation requiring the processing in accordance with rules binding on us.
- The right to restrict processing – you shall have the right to request from us to restrict the processing of your personal data (e.g. when you contest the accuracy of your data, when you oppose the erasure of illegally processed data).
- The right to object – you shall have the right to object to the processing of your personal data that we process on grounds of the legitimate interests, including the profiling. In such case we shall be allowed to process your personal data only if we prove that our legitimate interests for such processing override your interests, rights and freedom, or for the purpose of establishing, exercising or defending legal claims.
- The right to data portability – you shall have the right to receive and transfer data to other Processor if you provide us with your personal data in a structured, commonly used and machine-readable format, if the processing is done automatically and is based on consent or a contract.
- Rights in relation to automated decision making and profiling – you shall have the right not to be subject to a decision based solely on automated processing, including profiling,which produces legal effects concerning you or affecting you significantly in a similar way, unless such decision shall be necessary for stipulation and execution of your insurance contract, if such decision is permissible under EU law or under national law, providing for appropriate safeguards for the rights and freedoms and legitimate interests of the data subject, or if such decision is based on the data subject's explicit consent.
- The right to withdraw consent – if the processing of your data is based on your consent, you shall have the right to withdraw your consent at any time and with no adverse consequence by sending a written notice on the consent withdrawal to our Data Protection Officer, by coming in person to our GRAWE Hrvatska Inc. sales office or online, via the user interface (if applicable). In such case we shall no longer be allowed to process your personal data, unless there is no other legal ground for them to be processed. The withdrawal of your consent shall be effective as of the day of your withdrawal notice, meaning that the withdrawal of your consent shall not affect the lawfulness of processing of your personal data before the withdrawal of the consent.
In order to exercise all your rights related to the processing of your personal data, please contact our Data Protection Officer using the contact details given in the point 1. – “Who is responsible for processing of your personal data?”
In order to proceed in accordance with your request for withdrawal of the consent, we shall be entitled to ask you some additional information in order to establish your identity. Should we not be able to determine your identity, we shall be entitled to refuse to proceed in accordance with your request.
However, if your requests for the exercise of rights are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge a reasonable fee based, or refuse to act on the request.
9. Right of lodging a complaint with a supervisory authority
If you consider that the processing of your personal data does not comply with the personal data protection rules, you are entitled to lodge a complaint with a supervisory authority in the Member State in which you have your normal residence, in which you work or in which data protection rights have been violated.
The supervisory authority in the Republic of Croatia with which you may lodge a complaint is the Croatian Personal Data Protection Agency (www.azop.hr).
Without prejudice to your lodging a complaint with a supervisory authority, we suggest you contact our Data Protection Officer before lodging it in order to settle with him/her the issues raised.
All information on data processing you may also find on our website www.grawe.hr.