PERSONAL DATA PROCESSING NOTICE

According to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“EU Regulation 2016/679” or “GDPR”) which is in force since 25 May 2018, Colonnade Insurance S.A. Luxembourg - Bucharest Branch, with registered offices in Calea Victoriei nr. 145, 8th floor, District 1, Victoria Center Building, registered with the Trade Registry under no. J40/17214/2017, fiscal registration number 38335135, telephone +40 21 300 96 21, facsimile number +40 21 300 96 36 and e-mail office@colonnade.ro (“Colonnade”), hereby informs you on the processing of personal data in relation to your contracting an insurance policy or in relation to a claim in which you are the injured person.

In this notice (the “Notice”) we explain how your personal data (the “Personal Data”) are collected, used and disclosed by Colonnade. Also, we will explain how you can access and update your personal data and express certain choices on how your personal data are used by Colonnade.

In order to contract or enforce your travel insurance policy, the personal data to be collected and processed by Colonnade include, without limitation, your identification data as follows: name, first name, address, personal number code, telephone number, e-mail, as the case may be, data on your health, if the insured risk materializes. Therefore, Colonnade shall be unable to enter into the insurance policy you have requested without processing your personal data, i.e. shall be unable to execute the insurance contract to which you are/will be a party/whose effects are produced on yourself, including, without limitation, the payment of damages if an insured risk materializes. Any potential further processing for statistical purposes shall be carried out in compliance with the principle of minimization of data and, to the extent to which this is possible, will exclude the processing of personal data, this operation relying upon aggregated data, which are not used in supporting measures or decisions regarding a certain individual.

For a clear image, this Notice provides important information in the following areas:

-     the type of personal data we process;

-     the use of personal data;

-     the disclosure of personal data;

-     the retention of personal data;

-     the storage and/or transfer of personal data;

-     access to the personal data;

-     information on the disclosure and use of the personal data;

-     changes to our notice;

-     our contact details.

1.     The personal data we collect from you and how we collect them

In order to conclude and carry out the insurance contract with Colonnade or in order to process a claim in which you are involved, we need to process the following personal data:

Identification personal data. These data include any information you provide, such as your name, first name, address, personal number code and the series and number of your identity card, as well as the date of issuance and the date of expiry of such identity card. These data are generally necessary to conclude insurance policies issued by ourselves or to carry out the contractual relations between ourselves and you.

Contact personal data. They include: your address, telephone number, e-mail.

Personal data classified as sensitive data. If an insured risk materializes, we process personal data on your health condition prior to the conclusion of the insurance policy related to the materialization of the insured risk, i.e. your physiological and/or illness condition, investigations and tests carried out, treatments administered and remedies prescribed by medical doctors in order to carry out the medical assessment of a claim file. These data may be collected directly from you, but also from medical services providers or other persons you are connected to. In this case, we will request your consent for such processing.

Personal data from your relationship with Colonnade. They include records of your telephone conversation with our call centers or information related to you (mainly in relation to the materialization of insured risks), which you choose to send through our websites. We will process these data mainly in relation to carrying out our insurance contracts and, secondarily, to improve the quality of our services and to ensure the functionality of our customer communication platforms.

 2.     Personal data of other persons

There are cases when you submit the personal data of other persons, either for the conclusion of an insurance contract or in relation to the enforcement of the insurance contract. We also understand that there is a possibility that the insurance you contract also covers travel risks children are exposed to. Generally, the personal data of such persons shall be limited to the data indicated under point 1 above. We reserve the right to request additional information in relation to the personal data you provided for other persons, in particular when related to the personal data of underage children. We will only make such requests in limited cases and only in order to establish with certainty that the personal data you provided are submitted according to the applicable legal requirements.

If, in order to execute the insurance contract, you (also) provide the personal data of other persons, please submit this Notice to such person in order for him/her to be correctly and fully informed in relation to our processing of their personal data, to the purposes and grounds for processing, and to the rights of such persons in relation to our processing of their data. Given the fact that we do not have a direct relationship to these persons and in order not to affect their right to privacy, as well as given the significant efforts involved in sending these notices to such persons, we will not attempt to communicate directly with these persons and will not request additional information about such persons only for the purpose of sending this Notice. However, if you provide e-mail addresses of such persons in relation to the issuance of the insurance policies for such persons, we will of course send them this Notice.

For any information regarding our processing of personal data, both you and the other persons whose personal data you submit to ourselves will be able to access our website using dpo@colonnade.ro or may request a copy of this Notice by writing to office@colonnade.ro or at our mailing address in Calea Victoriei nr. 145, 8th floor, Victoria Center Building, District 1, Bucharest or by telephone at: + 40 21 300 96 21 or by facsimile at: +40 21 300 96 36.

 3.     Obtaining your personal data from other persons

We will obtain your personal data from you, but may obtain such data from third parties, including from public sources, in the cases described in this section or when we carry out certain checks on you, according to this Notice.

It is possible to receive your personal data from other individuals in relation to the issuance of an insurance policy; this will be the case of travel insurance policies, when we receive your data from the persons that contact ourselves on your behalf in order to issue the insurance policies.

We will receive your personal data from your employer or from insurance brokers we have hired, if you contracted a collective insurance policy or you have contracted the insurance policy through insurance brokers or other agents. In other cases, if you are the injured person and need to be indemnified according to existing insurance policies of our clients, such as civil liability insurance policies, goods policies or construction/assembly policies, we will obtain your personal data from companies you enter into certain relations with, which caused the materialization of the insured risk. In case of insurance policies with a health component, such as travel policies, or in the case of civil liability policies, we may also receive your personal data from medical services providers, if the insured risks include components regarding your health condition, but only based on your express approval and in limited situations; in this latter case, we prefer to request such data directly from you.

Many times, however, we will only obtain your personal data if the insured risk materializes, and in this case we will collect sufficient data from third parties to be able to contact you, requesting from you directly the personal data we need to carry out our activity, which will allow you to have control over the personal data we process.

 4.     The purpose of processing your personal data

Your personal data are processed by Colonnade for the following purposes:

 


The purposes of processing your personal data


Grounds for processing

  • The conclusion and carrying out of the insurance contract and related operations, which may include, without limitation, the issuance of price quotations, the computation of insurance premiums, risk management, preparation and submission of the offer, issuance of the insurance policy, insurance policy management, your identification as Colonnade customer, the assessment and settlement of claims, the determination of the amount of indemnifications, the exercise of the right to recourse (if applicable). For these purposes, we shall use personal data consisting in all types of data indicated in section 1 above
 
  • The insurance contract you are a party to, which you request to conclude or based on which you claim indemnification or, as the case may be, Colonnade’s legitimate interest to be satisfied that any indemnification has been granted in a justified manner or, at least in the case of information on your health condition, your consent.
  • The compliance with our legal obligations and the satisfaction of requests from public authorities, which include, for example, the carrying out of know-your-client formalities. For these purposes, we will particularly use personal data consisting in identification and contact data, but we do not exclude the possibility for us to be required to submit other types of data as well
 
  •  Compliance with our legal obligations
  • In order to respond to your requests, complaints or suggestions. For these purposes, we will particularly use personal data consisting in your identification and contact data
 
  • Compliance with our legal obligations
  • In order to respond to your requests, complaints or suggestions. For these purposes, we will particularly use personal data consisting in your identification and contact data.                                                                              
  • The performance of our contractual obligations, your approval, our legitimate interest to improve the quality of our services
  • The carrying out of internal reports and analyses (at the level of Colonnade and of the group of companies we are part of), the carrying out of statistical/actuarial analyses, including the required analyses to design new products, analyses of the reliability of existing products, analyses regarding our interactions with customers or the improvement of the quality of our services. For these purposes, we shall use personal data consisting in all types of data indicated in section 1 above.
 
  • Our legitimate interest to carry out our activity efficiently and in an operative manner, and to develop similar products or services and to maintain our relations with customers
  • Carrying out checks and monitoring in relation to you or the contracts concluded with you, fraud detection and prevention. For these purposes, we shall use personal data consisting in all types of data indicated in section 1 above.
 
  • Our legitimate interest to ensure that any indemnification has been granted in a justified manner and to prevent any frauds or undue payments in claims
  • The settlement of potential litigations or disputes generally in relation to our contractual relation, the collection of your debts to ourselves. For these purposes, we shall use personal data consisting in all types of data indicated in section 1 above.
 
  • Our legitimate interest to protect our business interests

 

5.     Disclosure of your personal data

Our services providers. These are external companies that support us in carrying out our activity (e.g. the sale of our insurance products, the registration of insurance policies, the processing of payments, fraud detection and identity checks, the operation of our website, support services, promotions, website development, etc.). We will allow our services providers and their selected personnel to access and use your personal data for and on behalf of Colonnade only in relation to activities for carrying out the purposes indicated in this Notice, and they shall act only based on written contracts and instructions from ourselves, respecting the privacy and security of your personal data.

The external companies to whom we submit your personal data in carrying out our activity may include insurance brokers and generally agents involved in the management of your insurance contracts, companies providing applications and IT services, premium determination services providers, damage assessment and claim management agents, other insurance companies, underwriting companies, archiving companies, courier companies, public or private medical institutions and clinics and generally companies providing care and support to injured persons, claim collection companies, payment processors, call center and insurance assistance companies, other insurance support services companies, as well as other companies in relation to the achievement of the purposes indicated in this Notice (which may include lawyers, auditors and generally consultants, translation companies, assessment experts, various other services providers).

Companies in the Fairfax Group. Given that we are part of an international group of companies, on certain occasions related to carrying out our activities as related to the purposes identified in this Notice, we will also send your personal data to various entities in the Fairfax Group who carry out specific activities on our behalf or who centralize certain information on our activity. We will do this either in order to benefit from services at the quality standards of our group, which you are already familiar with, or for various internal purposes related to the analysis of our products and activity, the design of new products or the carrying out of statistical/actuarial analyses.

Public authorities and other entities. Your personal data may be also transferred to public institutions and authorities (including tax authorities, consumer protection authorities, insurance regulatory or generally financial regulatory authorities, criminal investigation bodies, courts of law or arbitration courts, judicial enforcement officers) or associations in the field (i) whenever required by the applicable law and (ii) as a response to certain judicial procedures.

Legal successors. If Colonnade or its assets are acquired by or merged into another company, we will share your personal data with any of our legal successors.

Sale-purchase or similar procedures regarding Colonnade’s shares. It is possible that your personal data are disclosed to third parties in potential sale-purchase procedures or similar operations regarding Colonnade’s shares, to the extent to which this is necessary in order to carry out specific due diligence processes regarding Colonnade’s activity in such procedures.

 6.     RETENTION OF YOUR PERSONAL DATA

Colonnade takes all reasonable steps to ensure that personal data are only processed for the minimum necessary period for the purpose provided in this Notice. We will retain your personal data in a format which allows identification only for such period in which the personal data are needed for the purposes provided in this Notice and such retention has valid legal grounds.

In what regards the duration of retention of personal data, we will retain the data for the duration of the insurance contract and for a certain period after its termination, which shall be determined on a case to case basis, depending on the contract enforcement needs, our legitimate interests and the applicable legal requirements. We will not retain your personal data longer than legal terms or applicable statutes of limitation.

In the case of claims, disputes or challenges of any nature whatsoever, we may continue to process your personal data for the additional period necessary in relation to such claim.

 7.     DISCLOSURE, STORAGE AND/OR TRANSFER OF YOUR PERSONAL DATA

We employ adequate measures (that we will present below) to preserve the privacy and security of your personal data. However, please be advised that such protection measures do not apply to the information you choose to disclose publicly, such as on social media networks owned by third parties.

Limitation of the personal data processed. According to the principle of minimization of the personal data employed, we will only process those personal data that are strictly necessary for our purposes. Also, we will review the personal data we use from time to time to ensure compliance with this principle.

The persons who may access your personal data. Your personal data shall be processed by our personnel or authorized representatives, only on a need-to-know basis, depending on the specific purposes for which your personal data were collected (e.g. our client relationship personnel shall have access to your records). We will periodically review the terms of access of our personnel to personal data.

Technical and organizational measures. We will take adequate steps to allow us to act accordingly when we receive requests for exercising your rights.

Measures in operating environments. We store your personal data in operating environments using reasonable security measures to prevent unauthorized access. We comply with reasonable standards for the protection of your personal data. Unfortunately, sending information over the Internet is not always completely safe and, even when we take all steps to protect your personal data, we cannot guarantee the security of such data while being sent through our Websites/applications.

The transfer of your personal data. It is possible that the processing of your personal data, as presented above, ultimately requires the transfer/submission of the personal data to and/or their storage in a location (other Colonnade entities) outside your country of residence, in particular in EU member states (e.g. Luxembourg, Slovakia, Hungary), where personal data protection requirements apply at a level similar to those in Romania.

Also, it is possible that in the future we transfer your personal data to states outside the European Economic Area (“EEA”) (e.g. to other Colonnade entities or entities in the Fairfax group), including to states with different data protection standards as compared to the ones applicable in EEA. For this purpose, we shall take the necessary steps to ensure that the transfer of your personal data is carried out according to the applicable law and ensures and adequate level of security of your personal data.

Among the measures required by the applicable law in relation to the international transfer of your personal data, (i) we shall apply the standard contractual clauses approved by the European Commission for the protection of your personal data (and you have the right to request a copy of such clauses (by contacting us as provided below)) or (ii) we shall transfer your personal data to jurisdiction which received from the European Commission a decision of adequacy of their personal data protection framework or (iii) we shall implement mandatory corporate rules approved by a supervisory authority in the European Union, which set up adequate securities and measures regarding the transfer of personal data or (iv) we shall request your express consent, if applicable.

Regarding the compliance with international sanctions, it may be necessary to transfer your personal data to DXC Technology, in the United States of America, this being a company which accessed the EU-US Privacy Shield Program, which means that DXC Technology undertook a commitment to protect and securely process personal data, according to the requirements in the applicable legislation in the European Union.

 8.     YOUR RIGHTS

According to the provisions of Regulation no. 679/2016, you have the following rights:

  • Right to information:
    • you have a right to be informed on the processing by Colonnade of your personal data;
    • you have the right to request information on the source of your personal data, whenever such data were not collected directly from you;
    • in case of any automated processing of your personal data which generates legal effects or other significant effects on you, you have the right to request information on its existence, on the logic involved, the significance and, as the case may be, any estimated consequences of such processing; in this case, you have the right not to be subject to an individual decision, if the processing was carried out using automated means;
    • Right to access: you have the right to request access to or copies of the personal data processed by us or on our behalf and the right to receive the personal data concerning you, in a structured, commonly used and machine-readable format which you may transmit to another controller;
    • Right to update the data: you have a right to obtain the rectification, update or erasure of incomplete or inaccurate data;
    • Right to withdraw consent: if we process your personal data based on your consent, you may withdraw such consent, and we will no longer process such data. The lawfulness of your personal data processing carried out by us prior to the withdrawal of your consent shall not be affected by such withdrawal;
    • Right to object: you have the right to object, for justified legitimate reasons, to the processing of your personal data;
    • Right to restriction: you have the right to request that your personal data processing is restricted to certain limited purposes, according to the law; and
    • Right to data portability: you have the right of portability of your personal data, for the purpose of their transfer to a different personal data controller appointed by you,
    • Right to erasure: you have the right to erase your data under certain circumstances (e.g. when the personal data are no longer necessary given the mentioned purposes);
    • Right to contact authorities: you have the right to make claims regarding the processing of your personal data with the National Supervisory Authority for Personal Data Processing (with address in B-dul G-ral Gheorghe Magheru nr. 28-30, District 1, postal code 010336, Bucharest, Romania, e-mail anspdcp@dataprotection.ro, tel. +40318059211 or +40318059212, facsimile +40318059602) and/or to refer to the competent court of law if any of your rights has been infringed.

The rights established in this section shall not affect or limit in any way whatsoever any other rights you have according to the law. Your decision to exercise any of such rights shall not affect your capacity as insured person of Colonnade. In order to exercise one or several of the rights mentioned above or in order to obtain additional information on such rights or on the processing of your personal data by ourselves, please do not hesitate to contact us using any of the following channels: in writing to the mailing address: Calea Victoriei nr. 145, 8th floor, Victoria Center Building, District 1, Bucharest, by telephone on +40 21 300 96 21 or by e-mail at dpo@colonnade.ro.

 9.     CHANGES TO THIS NOTICE

If we change the way we process your personal data, we will update this Notice and notify you according to the law. We reserve the right to change our practices and this Notice at any time.

 10.     DATA CONTROLLERS AND CONTACT DETAILS

To ask questions or submit comments on this notice and our privacy practices or to submit a claim that we failed to comply with the applicable privacy legislation, please contact us: in writing to the mailing address: Calea Victoriei nr. 145, 8th floor, Victoria Center Building, District 1, Bucharest, by telephone on +40 21 300 96 21 or by e-mail at office@colonnade.ro.

You can also contact our Data Protection Officer by e-mail, at: dpo@colonnade.ro or by mail, at: Calea Victoriei nr. 145, 8th floor, Victoria Center Building, District 1, Bucharest

We will confirm and investigate any complaint related to how we manage personal data (including any complaint that we have violated your rights according to the applicable data privacy legislation).

Date 25.05.2018