The Information about Processing of Personal Data

Pojišťovna VZP, a. s., Insurance Company, would like to inform you that this document contains information on how we process personal data in connection with our insurance activities.

Personal data administrator:

Pojišťovna VZP, a. s., IČO (identification number): 27116913, with the seat at Lazarská 1718/3, 110 00 Praha 1, registered in the Commercial Register maintained by the Municipal Court in Prague under file No. B 9100 (hereinafter also referred to as the “Administrator” or “Insurance Company“).

The administrator provides information on the processing of personal data in accordance with the provisions of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (General Data Protection Regulation), (hereinafter referred to as the “Regulation“).

1. What personal data we collect

For us as an insurance company, your personal data typically include the following information: first name, last name, date of birth, place of birth, birth number (if assigned), residential address, ID card number and copy of it, e-mail address, telephone number, and possibly other information that can be used to identify you (such as citizenship, age, tax residence and tax identification number, company ID number (if you are a natural person). The same information is also the personal data of your children or persons for whom you have parental responsibility.

Moreover, for us, this includes data concerning the services and products used, communication with us, transaction data (insurance premium payments, insurance benefit payments), data concerning the settlement of insurance claims, data for the evaluation of needs and the evaluation of the adequacy of insurance, and other data for the assessment of risk when entering the insurance contract. We consider data on health status to be sensitive data (the nature and scope of this data depend on the nature of the insurance contract being concluded).

Given the contractual nature of our relationships, the provision of personal and sensitive data is voluntary, however, it is a necessary condition for concluding an insurance contract.

2. Why we process personal data and what entitles us to do so

Whether we require your consent to process your personal data depends on the type of processing involved and your relationship with the Insurance Company. Whether you are an insurance applicant, a policyholder (the person taking out the insurance contract), an insured person (the person whose life, health, property, or liability is covered by the insurance, a third party (owner, operator), an injured party, or whether you are an authorized person who will receive insurance benefits if an insurance claim is settled.

We process the personal data:

1. without your consent, based on the performance of a contract, our legitimate interest, or for the purpose of complying with legal obligations;
2. with your consent.

Processing of personal data without your consent

We will process your personal data when we offer you the option to arrange, change, or terminate insurance; in this context, we will present you with draft contracts and perform preparatory and analytical work, calculations, model situations, risk assessments, and evaluations of your individual situation. The processing of personal data within the framework of the performance of the contract also includes assistance with insurance administration, investigation of insurance claims, payment of benefits under insurance contracts, including processing carried out prior to the conclusion of the contract, even if the contract is not ultimately concluded. The performance of the contract also includes the collection and recovery of insurance premiums. When investigating insurance claims, we may also process special categories of data (health data) and information relating to criminal matters, decisions, and proceedings. We also process your personal data if you participate in various customer programs, campaigns, or competitions in relation to the fulfilment of our obligations under these programmes.

In addition, we will process your personal data for the purpose of protecting our rights and legitimate interests. This includes, for example, determining, defending, and enforcing rights arising from insurance. To protect our interests, we also record telephone calls so that we can continue to improve our services. We process certain special categories of personal data (health data) after the conclusion of the contract because of the necessity to determine, exercise, or defend legal claims. We also process personal data for the purpose of analysing and evaluating potential risks. This includes, for example, improving and developing our services based on an analysis of your behaviour when using them. It also includes the assessment of the customer satisfaction with our services, the protection of property and persons, the prevention and detection of criminal or illegal activities, and the segmentation of clients. This also includes direct marketing aimed at our customers, including informing our customers about our new products and services. Based on legitimate interest, we also process the identification and contact details of injured parties, authorized persons for the purposes of settling insurance claims, owners/operators, representatives of legal entities, legal representatives, other persons authorized to represent the policyholder or insured person for the purposes of concluding an insurance contract, assessing insurance eligibility, administration, termination of an insurance contract, settlement of insurance claims, prevention and detection of insurance fraud.

It is possible to raise an objection to processing based on legitimate interests, which we will consider and evaluate whether the processing in question meets the requirements of the regulation.

We will also process your personal data to fulfil our legal obligations. These include obligations arising from regulations regulating insurance activities, but also general obligations in data storage and archiving, administrative obligations, and the obligation to cooperate with public authorities. We are also required to process your personal data for the purposes of preventing and detecting money laundering and terrorist financing. For this reason, we will perform identification, and verification checks on you

Processing of personal data with your consent for the purposes of offering services and marketing purposes

With your consent, we will process your personal data to evaluate your needs and assess the appropriateness of insurance, as well as to assess the risk when entering the insurance contract, the data on the use of services, for the purpose of sending discounts or other offers of our services (carrying out our own marketing activities). This helps us to understand and identify your needs better, create analyses, offer products and services that meet those needs, and improve our services. We may process your personal data in connection with direct marketing activities at your request (e.g., filling out a contact request form, subscribing to a newsletter). In such cases, consent is voluntary and may be revoked at any time. However, revoking consent does not affect the legality of processing before the time of revocation.

Processing of sensitive data with your consent

We may require your consent to process sensitive personal data in some situations, particularly health data, before concluding an insurance contract and when carrying out an investigation into a claim. For certain insurance products, consent to the processing of this personal data is a prerequisite for concluding an insurance contract or for determining whether and to what extent an insured event has occurred. For these reasons, once you have given your consent to the processing of sensitive personal data to the extent necessary, you cannot revoke it for as long as we are authorized to process it.

3. From what sources we obtain personal data

You have provided us, as the Administrator, with the above-mentioned processed personal data as a policyholder and/or an insured person in connection with the conclusion or amendment of an insurance contract, the administration of an insurance contract, and the provision of activities related to an insurance contract (settlement of insurance claims, assistance). This was done through our website, contractual documentation or other forms, and telephone, e-mail, or other communication. We also process data available from publicly accessible sources (e.g., commercial or insolvency registers) and from our own activities (especially regarding services or products you have requested).

As the Administrator, we may also obtain data from third parties if you have given your consent (e.g., from healthcare providers to determine your health status before arranging insurance), or if required by law (e.g., mutual information sharing between insurance companies under Act No. 277/2009 Coll. of Laws, on Insurance), or if it is necessary for the performance of obligations under the contract.

4. How long we keep your personal data

The period for which personal data shall be stored depends on the purpose for which it is processed. The Insurance Company shall store your personal data for a maximum of ten calendar years from the termination of your insurance contract. If no insurance contract is concluded, the Insurance Company shall store your personal data for a maximum of two calendar years from the date of the last communication with you. During this period, we must process (store) your personal data to comply with our legal obligations under the Insurance and Reinsurance Distribution Act and, where applicable, to protect our legitimate interests.

In the event of judicial, administrative, or similar proceedings, the period is extended at least until the conclusion of the proceedings.

If we process personal data based on your consent, we will store it until you revoke your consent

5. Who we share personal data with

Your personal data may be processed (i.e., data may be provided to these third parties) by our contractual partners, which may include:

• our business partners,
• marketing agencies in helping with campaigns and other marketing activities,
• providers of information systems and technical infrastructure (including archiving services),
• insurance brokers (processing of personal data for the purpose of the structuring of a contract draft, proposal and conclusion of an insurance contract, or administration of the contract or its termination, and for marketing purposes), reinsurance companies,
• external claims adjusters (for the settlement of insurance claims),
• contracted physicians and healthcare facilities (for assessing health status and acceptability when concluding or amending an insurance contract, or when settling insurance claims),
• law firms, auditing companies, bailiffs, and debt collection agencies,
• companies providing electronic communications services (external call centres, operators of e-mailing and SMS solutions).

There are also other recipients of personal data:

• subjects to whom we are required to disclose information by law (e.g., courts, criminal investigation and enforcement authorities, the Czech National Bank, the Czech Insurance Companies Association, the Czech Insurers´ Bureau, other insurance companies, for the purpose of fulfilling obligations related to the prevention and detection of insurance frauds, etc.).

We use processors with whom we have concluded a contract for the processing of personal data and who provide sufficient guarantees for the protection of your personal data.

Personal data is processed primarily within the EU/EEA. We only process data outside the EU/EEA if adequate safeguards are in place in accordance with the Regulation.

With your consent or at your request, personal data may also be provided to other subjects.

6. How we process your personal data and how we ensure their protection

When processing your personal data for the purpose of concluding an insurance contract or for the purposes of marketing, we may process the personal data provided either manually or automatically (i.e. using computer technology and information systems).

This is to evaluate certain personal aspects and assess the suitability of products, thereby ensuring that our offers best reflect your needs. You have the right to raise an objection to automated processing at any time.

At the same time, you have the right not to be subject to a decision based solely on profiling (which means automated processing of personal data for the purpose of evaluating certain personal aspects of a person – economic situation, health, preferences, behaviour, etc.) and which has legal effects concerning you or which affect you in a similarly significant way.

We protect personal data to prevent unauthorized or accidental access, transfer, alteration, loss, or other possible misuse of personal data. We have modern monitoring, technical, and security mechanisms in place to ensure the maximum possible protection of processed data against unauthorized access or transfer, loss, destruction, or other possible misuse. Persons who come to contact with personal data in the performance of their work or contractual obligations are bound by the obligation of confidentiality. All customer information is also protected by the obligation of confidentiality arising from the Insurance Act.

7. Your rights in relation to the processing of personal data

The right of access to personal data

You have the right to obtain confirmation from us as the Administrator whether your personal data are processed by us.

If your personal data are processed, you also have the right to access them. Upon request, we will also provide you with a copy of the personal data being processed. We are entitled to charge a proportionate fee based on administrative costs for the second and subsequent copies.

The right to correct personal data

You are entitled to require that we correct inaccurate personal data, or you also have the right to have incomplete personal data completed.

The right to raise an objection

You have the right to object at any time to the processing of your personal data based on our legitimate interests, including direct marketing and profiling.

The right to delete personal data

You have the right to have your personal data deleted if they are no longer necessary for the purposes for which they were collected or if you have withdrawn your consent under which they were processed and there is no other reason for processing them.

You also have the right to have personal data deleted if it becomes apparent that our processing was unlawful or if deletion is necessary to comply with our legal obligations.

However, the right to deletion does not apply if the processing of your personal data is still necessary to comply with our legal obligations or to establish, exercise, or defend legal claims.

The right to restrict the processing of personal data

In certain cases, you have the right to restrict the processing of personal data. This applies, for example, in situations where you dispute the accuracy of personal data or where we process your personal data without sufficient legal basis and you request restriction of processing instead of their deletion.

The right to portability of personal data

This is the right to obtain your personal data from us in a structured, commonly used, and machine-readable format, and the right to transfer this data to another administrator. You also have the right to have us transfer your personal data directly to another administrator, if it is technically feasible.

Right to withdraw consent to the processing of personal data

You have the right to withdraw your consent to the processing of your personal data for the purposes of offering you our products and services at any time.

You can withdraw your consent in writing using the contact details of the Administrator provided below.

Withdrawing your consent does not affect our processing the data before such withdrawal.

The right to make a complaint

If you think that the Administrator is processing personal data in a way that violates the Regulation, you can file a complaint directly with us as the Administrator, either in writing to the mailing address: Lazarská 1718/3, 110 00 Praha 1, or electronically by e-mail to: dpo@pvzp.cz.

The complaint must clearly state who is filing it and what it concerns.

We will process your complaint without undue delay, within one month of receiving it at the latest. In exceptional cases, particularly if the complaint is complex, we are entitled to extend the deadline by a further two months. We will inform you of any extension and the reasons for it.

You can also file a complaint with the Úřad pro ochranu osobních údajů (Office for Personal Data Protection), with seat at Pplk. Sochora 27, 170 00 Praha 7, Czech Republic, https://uoou.gov.cz/.

8. How to exercise your rights

To obtain information about the processing of your personal data or to exercise your rights, please contact the Administrator via our Data Protection Officer (DPO), who is an employee of our company: Mr. Ondřej Fiala, email: dpo@pvzp.cz, telephone No: +420 233 006 353.

9. Information on the principles and rules for the processing and protection of personal data

For information on personal data protection, please visit our website at https://www.pvzp.cz//.

We are fully committed to compliance with sector regulations, as represented by the Self-Regulatory Standards for the application of the General Data Protection Regulation (GDPR) in the insurance industry. The text of these standards can be found here.