Privacy Policy — Insurance
Last updated: May 12, 2023
Note: This is an English translation provided by Pago for convenience. The original legally-binding document is provided by Renomia in Romanian. In case of any discrepancy, the Romanian version prevails.
Starting on 25.05.2018, the European Union General Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "Regulation") becomes applicable. The main purpose of the Regulation is to ensure a high level of protection of personal data and to create a framework of trust so that you have the possibility to retain control over your own data.
Renomia Insurance Reinsurance Broker SRL ("Renomia") hereby informs you of the following essential information regarding your rights in accordance with the provisions of the Regulation:
(1) What personal data do we process? The personal data we process consist mainly of data from copies of identity cards or other identification documents, residential address, e-mail address, phone number, data about your health, where applicable, as well as any other data necessary to provide our services or products. If, in order to conclude an insurance contract / insurance policy, personal data of third parties are also required, we kindly ask you to communicate a copy of this notice to the person concerned and, in accordance with the provisions of the Regulation, you have the obligation to obtain that person's consent. When the third party is a minor, consent must be given by the minor's parent or legal guardian.
(2) For what purpose do we collect your personal data? Personal data are collected: (i) for the purpose of concluding insurance policies or insurance contracts, (ii) in order to properly perform the obligations assumed under the insurance contracts / insurance policies — for example, claims handling and settlement, exercising the right of recourse, (iii) for the renewal of insurance contracts / insurance policies. Without these personal data, we are unable to conclude insurance contracts or insurance policies with you and consequently you will not be able to benefit from our services. Your personal data will also be processed in order to fulfill obligations resulting from applicable legal provisions or in accordance with the requirements of other local or central public authorities, as well as in accordance with ASF requirements. In situations where the purpose of processing your personal data is marketing and/or statistical purposes, the personal data will be processed only if we have your prior consent expressed to that effect.
(3) The rights you have under the Regulation.
(i) The right of access of the data subject. To exercise the right of access, you may contact us at any time with a request to obtain a report of the personal data. You can contact us at the following e-mail address cristian.nitu@renomia.ro or at the registered office address Bucharest, 89-97 Grigore Alexandrescu Street, building A, 6th floor, Sector 1.
(ii) The right of rectification. You have the right to obtain rectification of personal data when they are incorrect or have undergone certain modifications or need to be completed.
(iii) The right to erasure. You have the right to request erasure of personal data as follows: i) when the data are no longer necessary for the purpose for which they were collected or processed, ii) if you wish to withdraw the consent on the basis of which the processing takes place, iii) if you wish to object to the processing of personal data, iv) or if the personal data have been processed unlawfully or a legal provision in force requires their erasure.
(iv) The right to restriction of processing. You have the right to obtain restriction of processing where one of the following cases applies: i) the accuracy of personal data is contested, ii) the processing is unlawful and you oppose erasure of personal data, but request restriction of their use instead, iii) Renomia no longer needs the personal data for processing purposes, but you request restriction of processing for the establishment, exercise or defense of legal claims, iv) you object to processing in accordance with article 21(1) of the Regulation pending verification of whether Renomia's legitimate grounds prevail over yours.
(v) The right to data portability. You have the right to request the transfer of personal data to a third party.
(vi) The right to object. You have the right to object at any time, on grounds relating to a particular situation, to the processing of personal data based on points (e) and (f) of Article 6(1) of the Regulation.
(vii) The right to withdraw consent. You have the right to withdraw your consent regarding the processing of personal data at any time, where personal data are processed based on consent.
(viii) The right to lodge a complaint with the supervisory authority. If you consider that your legitimate rights in connection with the processing of personal data have been infringed, you may file a complaint with the National Supervisory Authority for Personal Data Processing, headquartered at 28-30 G-ral. Gheorghe Magheru Bd., Sector 1, postal code 010336, Bucharest, Romania.
(4) To whom do we transmit personal data? In certain situations, in order to fulfill our contractual obligations properly and in accordance with the legal provisions in force, your personal data are also communicated to third parties, as follows, listed by way of example: (i) external consultants who provide consultancy or assist us in exercising and defending rights, as well as judicial bodies in the country or central and local public authorities, (ii) banking and financial institutions, (iii) insurance and reinsurance companies with which we have contractual relations in connection with the provision of insurance services, (iv) service providers such as IT service providers (maintenance, software development), physical and/or electronic archiving, courier service providers, providers of services for the transmission of marketing communications, providers of services in the field of health and medicine.
(5) How long is personal data stored? Renomia will process personal data throughout the duration of the insurance contract / insurance policy, plus the period of time necessary to exercise the rights resulting from the insurance contracts / insurance policies. After the expiration of this period, personal data are deleted, except for personal data that are part of acts / documents for which the law provides an archiving term, and upon expiration of the legal archiving term, they will be destroyed.
(6) Protection of personal data. Renomia applies an internal framework of policies and minimum standards regarding the protection of personal data. These policies and standards are updated periodically to comply with regulations and market evolution. In accordance with the legal provisions in force, we take appropriate technical and organizational measures (policies, procedures, security, etc.) precisely to ensure the confidentiality and integrity of personal data, as well as to provide the necessary framework for their processing.
Procedure for requesting access to personal data
1. Scope, purpose and users
This procedure establishes the steps for handling a request regarding access to personal data made by data subjects, their representatives or other interested parties. This procedure will allow RENOMIA to comply with the legal obligations imposed by the law (TBD), hereinafter referred to as GDPR. This procedure applies in all entities or subsidiaries owned or operated by the company but does not affect any other local national laws or regulations that may be applicable. This procedure applies to all employees handling data access requests, including the data protection officer.
2. Personal data access request ("DSAR")
A personal data access request (DSAR) is any request made by an individual or by the legal representative of an individual for information held by the company about that individual. A personal data access request gives data subjects the right to see their personal data, as well as to request copies of that data. Such a request must be made in writing. In general, verbal requests for information held about a person are not valid DSARs. A DSAR can be made by any of the following methods: e-mail, fax, mail, social media.
3. Rights of a data subject
The rights of a data subject in the case of a personal data access request include:
a) The right to receive all personal information held within the Company about that data subject.
b) The right to receive details about that personal data including:
- the purposes of processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- the period for which the personal data are expected to be stored;
- the existence of the right to request the controller to rectify or erase the personal data or to restrict the processing of personal data concerning the data subject or the right to object to the processing;
- the right to lodge a complaint before a supervisory authority;
- where personal data are not collected from the data subject, any available information about their source;
- the existence of automated decision-making, including profiling, and pertinent information regarding the logic used and the importance and expected consequences of such processing for the data subject.
The Company must provide a response to a DSAR within a maximum of 30 calendar days from receipt of the request.
4. Process for handling a DSAR
4.1. Request. Upon receipt of a DSAR, the DPO will analyze the request. The applicant may be asked to provide more information about themselves and the data concerned to better enable the Company to locate the relevant information.
4.2. Identity verification. The DPO must verify the identity of anyone making a DSAR to ensure that information is given only to the person entitled to that data. If the identity of the DSAR applicant has not been provided, the person receiving the request will ask the applicant to provide forms of identification. If the applicant is not the data subject, written confirmation that the applicant is authorized to act on behalf of the data subject is required.
4.3. Information for the personal data access request. Upon receipt of the request from the applicant, if the request meets the conditions of a DSAR (written request, necessary documents), the data protection officer will inform the applicant that they will receive the response to the DSAR within 30 calendar days. The applicant will be informed by the data protection officer in writing if the response will deviate from the 30-day interval from the time of the DSAR request and why.
4.4. Information review. The data protection officer will contact all departments that process personal information. Thus, the IT departments (for e-mail systems and archived data), administrative (for policies in processing), accounting & HR (for employees, collaborators, former employees and collaborators) and SRBA-App (for all details that may be stored in SRBA-App) will be contacted. These requests will be sent to the departments within a maximum of 3 days from receipt of the DSAR. Each department will have a maximum of 15 days to respond to such a request. The response of each department must include:
- A copy of the personal data of the data subject stored (eliminating confidential elements and personal data of other data subjects).
- the purposes of processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- the period for which the personal data are expected to be stored;
- the existence of the right to request the controller to rectify or erase the personal data or to restrict the processing of personal data concerning the data subject or the right to object to the processing;
- the right to lodge a complaint before a supervisory authority;
- where personal data are not collected from the data subject, any available information about their source;
- the existence of automated decision-making, including profiling, and pertinent information regarding the logic used and the importance and expected consequences of such processing for the data subject.
4.5. Response to access requests. After receiving the response from all departments, the data protection officer must ensure that all this information is aggregated into a Word document in DOCX format, ensuring that no confidential information or personal data of other data subjects is displayed. The data protection officer will provide the final response, together with the information provided by each department and/or a statement that the Company does not hold the requested information or that an exception applies. The data protection officer will ensure that a written response is sent back to the applicant. This will be by email, unless the applicant has specified another method by which they wish to receive the response (for example, mail).
4.6. Archiving. Once the response has been sent to the applicant, a DSAR will be considered closed and archived by the data protection officer. The procedure is presented as a flow diagram in the annex to this document.
5. Exceptions
An individual does not have the right to access information recorded about someone else, except in the case of being an authorized representative or having parental responsibility.
The Company will not respond to information requests without verifying the identity of the data subject making the request.
The Company will not disclose the following types of information in response to a DSAR:
- Information about other persons
– A data subject's personal data may be in records containing personal data of other data subjects. Access to such data will not be granted unless there is a legal basis for their disclosure.
- Repeated requests
– If a similar or identical request regarding the same data has been previously resolved within a reasonable time and there are no significant changes to the personal data, the data subject will be informed that a request has been answered in the past and the previous communication will be attached.
- Confidential information
– Any confidential information held by the Company must not be disclosed in a response to a DSAR.
6. Responsibilities
The responsibility for ensuring the handling of a DSAR lies with the data protection officer. If the company acts as a data controller, the provisions of this procedure will apply. If the company acts as a data processor, the data protection officer will forward the request to the appropriate data controller on whose behalf the company processes the personal data of the data subject making the request.