Principles for personal data processing
1. General provisions
These Principles for Personal Data Protection set out how and for what purpose the company SATUM CZECH s.r.o. obtains, stores and further processes your personal data in the course of its activity as an insurance intermediary, i.e. in connection with mediating the conclusion of insurance contracts with insurance companies. We place great emphasis on personal data protection. We treat the personal data we process as confidential, we maintain that confidentiality, we emphasize the security of data processing, the choice of contractual partners, and strict adherence to the statutory rules of processing.
The processing of personal data is an essential part and precondition for the distribution of insurance (provision or mediation of insurance). It is our responsibility to distribute insurance with professional care, and we process your personal data so that we can offer you a proposal for insurance and provide recommendations based on your requirements, goals and needs.
The purpose of these Principles for Personal Data Protection is to inform you how and why we collect and process your personal data, about your rights and how you can exercise them, and what measures we have taken to protect your personal data and to exercise your rights.
Personal data is any information regarding an identified or identifiable natural person, i.e. about you, if you are a natural person, and/or your employees and/or your family members or other natural persons, where you provide us with this information (hereinafter referred to as “Personal Data”). Health data is among the so-called special categories of Personal Data, sometimes also referred to as “sensitive” Personal Data.
2. The position of the company SATUM CZECH s.r.o.
The company SATUM CZECH s.r.o., registered office Ostrava, Moravská Ostrava, Porážková 1424/20, postcode 702 00, company identification number 253 73 951, registered in the Commercial Register maintained by the Regional Court in Ostrava in Section C, File 16189 (hereinafter referred to as the “independent broker”, “data administrator” or “we”), processes your Personal Data in connection with the insurance intermediation between you and the insurer/insurance company and other activities that are related to the exercise of rights and obligations under such insurance contract, including the exercise of insurance rights.
In those cases where we address people interested in insurance, where we submit proposals for negotiating insurance and perform preparatory work aimed at arranging insurance, we are usually in the position of Personal Data administrator. Where we mediate insurance on behalf of the insurer or provide assistance in administering insurance and exercising insurance rights, we are in the position of Personal Data processor. In such case, the Personal Data administrator is then our partner insurance company, for which and on whose authority we carry out these activities, and to which we transfer your Personal Data.
3. Personal Data Protection Officer
The Data Administrator has appointed a Personal Data Protection Officer. The Personal Data Protection Officer’s contact information:
Name of the officer: Ing. Ivona Moravcová
phone: +420 595 132 309
4. Purpose of the processing
When performing insurance mediation, we process Personal Data in order to:
(i) offer the option of negotiating, modifying or terminating insurance, including making insurance comparisons,
(ii) submit proposals for the negotiation, modification or termination of insurance,
(iii) carry out other preparatory work for the negotiation, modification or termination of insurance, including the provision of a recommendation leading to the conclusion, modification or termination of insurance,
(iv) arrange or change insurance or assist in the administration of insurance and in the exercise of insurance rights,
(v) fulfil the obligations imposed us by legislation in the area of the distribution of insurance or provisions regarding measures against money laundering (identifying and checking the client pursuant to Act No. 253/2008 Coll., on Certain Measures against the Legalization of Proceeds from Crime and Financing of Terrorism, as amended),
(vi) send business communications such as information about offerings we mediate of insurance products on the market, or information about events we hold (hereinafter collectively referred to as “marketing purposes”), provided you have given us permission to use your contact information for these purposes or to the extent we are authorized to do so under the applicable law (e.g. Act 480/2004 Coll., on Certain Services of an Information Company).
Because of your status as a party interested in insurance for yourself and/or your employees and/or your family members, we need to know Personal Data so that we can mediate insurance and perform the activities under (i) to (v) above in relation to you, your employees, family members and/or the third parties whose Personal Data you provide to us. Conversely, the possible granting of consent to process Personal Data for marketing purposes under (vi) is entirely voluntary, and is not a prerequisite for providing our brokerage services, and you may revoke your consent to these purposes at any time.
5. Legal basis
5.1. SATUM as an insurance broker
In those cases where we act as an insurance broker in accordance with Section 12 of Act No. 170/2018 Coll., on the distribution of insurance and reinsurance, as amended (hereinafter referred to as the “Act”), we process Personal Data, except for health data and genetic data from the medical records provided, including in particular your predisposition to various diseases and illnesses, based on the fulfilment of the contract and the implementation of measures taken before the conclusion of the contract between you and us or based on our legitimate interest.
If we process Personal Data that is both data and health or genetic data, we process these so-called special categories of data (sensitive data) on the basis of your consent (which also includes the provision of such data to the relevant insurance company).
In the event that we require your consent (or the consent of a natural person who is the data subject) to the processing of Personal Data and you (or the data subject) decide not to grant it or revoke it, the consequence may be that we will not be able to perform the necessary acts to provide you with some of our services. This is particularly the case because granting consent to the provision of Personal Data, including especially sensitive Personal Data, is usually a condition for the conclusion of an insurance contract between you and the insurance company.
5.2. SATUM as an insurance agent
In those cases where we act as an insurance agent in accordance with Section 12 of Act No. 170/2018 Coll., on the Distribution of Insurance and Reinsurance, as amended (hereinafter the “Act”) (i.e. we have entered into a contractual relationship with the insurance company, not with you), we process Personal Data, including health and genetic data, based on your consent. The granting of consent applies in the same way as stated in paragraph 5.1 above.
5.3. Processing the Personal Data of your employees, family members, or other persons
In order to comply with your request to mediate the conclusion of an insurance contract with an insurance company, we also occasionally process the Personal Data of your employees, family members and/or other natural persons we have received from you. Regardless of whether we are in the position of an insurance broker, agent or other mediator in relation to you (see above), we process such Personal Data solely for the purpose and to the extent necessary to mediate the conclusion of an insurance contract for those natural persons (insured persons) whose Personal Data you provide. In some cases, we may require such third parties to consent to the processing of their Personal Data, and in such cases, we will require your cooperation necessary to ensure such consent. The granting of consent applies in the same way as stated in paragraph 5.1 above.
5.4. Processing that is essential for meeting statutory obligations or protecting legitimate interests
Regardless of whether we are in the position of an insurance broker, agent or other mediator (see above), we also process Personal Data to comply with statutory obligations in accordance with applicable legal provisions (e.g. in relation to contact data for invoicing purposes in accordance with accounting and tax regulations, anti-money laundering regulations, etc.); in accordance with the relevant rules and guidelines issued by the Czech National Bank; and, potentially also based on our legitimate interest as the data administrator, or the legitimate interest of the insurer/insurance company, which consists in the determination, protection and performance of our legal claims or the claims of the insurer/insurance company. Such processing may occur even after termination of the contract (between you and us, or between you and the insurer/insurance company).
6. Scope of the data processed, its source and processing time
We process your Personal Data to the extent you provide us with it through filled-in questionnaires, personal communication, by telephone or electronically, depending on the type of insurance you are interested in, and to the extent necessary to secure the performance of insurance contracts or the administration of related claims. We, therefore, obtain Personal Data directly from you and from persons who take out insurance to your benefit, as well as from insurance companies and other partners and persons who provide us with data related to your insurance or for whom we verify this data. The specific type and scope of Personal Data always depend on the purposes of processing, such as the type of insurance sought or negotiated, or the type of damage occurrence. This includes, in particular, the following:
Identification and contact information
- name, surname and title, birth certificate number (or date and place of birth, if no birth certificate number has been assigned to you), correspondence address, permanent residence address, nationality and country of birth, sex, telephone number (fax number), e-mail , occupational position, salary, height and weight, identity card and driving license data
- card number, issuing authority, the period of validity of the card, place of birth;
health data and genetic data, including in particular your predisposition to various diseases and illnesses if you are interested in getting insured, securing the performance of insurance contracts or administering the related claims for which it is necessary to assess this data, where you voluntarily submit this data to us,
data from a purchase contract, lease agreement, rental agreement, deed of gift, credit agreements, land register data, your real estate and household data (e.g. real estate area, year of property approval, number of household members), data on accounting, personal property, your car (e.g. a copy of the technical card, above-standard equipment of the vehicle, security for the vehicle, number of km travelled), data from the employment contract, work contract, contract for work, if you are interested in getting insurance, ensuring performance of insurance contracts or administering the related claims for which it is necessary to assess this data, where you voluntarily submit this data to us,
We will process your Personal Data for as long as is necessary to fulfil the purposes stated in Article 4 above. We will always process Personal Data for the duration of the insurance contract, as a minimum, and keep it until the end of the tenth calendar year from its termination or until the end of the tenth calendar year from the end of the insurance period. If no insurance is taken out, we will keep Personal Data until the end of the second calendar year since our last communication with you, all in accordance with Section 80 Subsection 4 of Act No. 170/2018 Coll., on the Distribution of Insurance and Reinsurance, as amended (hereinafter referred to as the “Act”).
If the insurance contract has already been terminated, we will continue to process Personal Data only if it is necessary to comply with a statutory obligation for a period of time determined by law (such as the abovementioned accounting or anti-money laundering regulations) or if the Czech National Bank rules and instructions require it, or authorize us to do so (such as the obligation to ensure the storage of documentation produced in connection with mediating insurance products for a period of time which takes into account the running of limitation periods, in order to prove the exertion of professional care). Some Personal Data may also be retained based on our legitimate interests consisting in identifying, protecting and enforcing our legal claims, for the duration of limitation periods, claims arising from or relating to our mediation activities, extended by one year with a view to protecting our legal claims. In the event of judicial, administrative or other proceedings, we will process Personal Data to the extent necessary for the duration of such proceedings.
If you gave your consent to the processing of your Personal Data and then revoked it, we will cease processing your Personal Data for the purposes for which the consent was granted; such revocation of consent does not affect the legality of prior processing based on such consent (i.e. prior to its revocation) or the lawfulness of the processing of Personal Data on legal grounds other than consent (e.g. legitimate interest or fulfilment of a legal obligation). See also paragraph 5.1 above.
7. Sharing and Transfer of Personal Data
We may share Personal Data collected by the methods described above with third parties that distribute insurance by providing or arranging insurance or provide certain services related to insurance and reinsurance distribution, administrative support or use of software resources. These persons are thus in the position of administrators or processors of Personal Data.
Therefore, we can provide your Personal Data to, or share it with, the following recipients, who will usually be in the position of administrators:
(i) partner insurers/insurance companies, a list of whom will be provided upon request;
(ii) state authorities or other third parties in the performance of statutory obligations or if necessary for the exercise of our rights (e.g. the Czech National Bank, courts, prosecuting authorities, tax administrators, etc.).
We may further share your Personal Data with the following recipients, who are in the position of processors:
(i) our SATUM Group subsidiary companies or affiliated companies, especially for the purposes of administrative support;
(ii) suppliers of our IT systems, who may have access to your Personal Data in certain cases;
(iii) subordinate insurance intermediaries, including intermediaries outside the European Union, if you wish to arrange insurance with an insurer outside the European Union;
(iv) with external legal counsels, if this is necessary for the exercise of our rights or for the protection of our legitimate interests.
We have entered into Personal Data processing agreements with Personal Data processors pursuant to the preceding paragraph that guarantee at least the same level of protection of your Personal Data as these Principles for Personal Data Protection.
The list of current processors of your Personal Data will be sent to you on request.
8. Method of processing and securing data
We process your Personal Data manually and in an automated manner in information systems. We have introduced and maintain the necessary technical and organizational measures, internal audits and information security processes in line with best business practice corresponding to the potential risk to data subjects. At the same time, we take into account the state of technological development in order to protect Personal Data from accidental loss, destruction, alteration, unauthorized disclosure or access. These measures may include, inter alia, the adoption of reasonable steps to ensure the liability of employees and other persons performing brokering activities for an insurance intermediary who has access to Personal Data, training staff, regular backups, data recovery procedures and incident management, software protection of equipment for storing Personal Data, etc.
9. Your rights
If you exercise any of your rights under this Article or the applicable laws, then information regarding the measures taken, or the deletion of your Personal Data, or processing of restrictions in accordance with your request will be given to every recipient to whom such data has been provided under these Principles for Personal Data Protection, provided such communication is possible and/or will not require undue effort.
We will respond within one month of receiving your request, but we reserve the right to extend this period by two months.
9.1. What can you request?
In accordance with the applicable law, you have the right to request access to your Personal Data that we process as the Personal Data administrator, the right to its correction, deletion or transfer (such as transferring your Personal Data to another service provider), the right to object, and the right to request that our processing be restricted.
9.2. Correcting your Personal Data
Under the applicable law, you have the right to correct the Personal Data that you share with us. If you wish to exercise this right, please contact us via the email address firstname.lastname@example.org. We take reasonable steps to ensure that you can keep your Personal Data accurate and current. You can always contact us to ask whether we are still processing your Personal Data.
9.3. Deleting your Personal Data
You can ask us to delete your Personal Data at any time. If you contact us with such a request, we will erase without any undue delay all your Personal Data that we have, provided your Personal Data is no longer needed to meet contractual and legal obligations or to protect our legitimate interests as outlined above.
9.4. Accessibility and portability of your Personal Data
You have the right to receive Personal Data about your person and the Personal Data you have provided us with. If you require, we may send some of your Personal Data (especially data that we process on the basis of the performance of your contract and/or your consent) directly to a third party (another data administrator) that you specify in your application, unless such a request has a negative impact on the rights and freedoms of others, and provided it is technically feasible.
9.5. Restrictions on processing
If you ask us to limit the processing of your Personal Data, for example, should you question the accuracy, legality or our need to process your Personal Data, we will limit the processing of your Personal Data to the minimum required (storage) and, if applicable, will process it only to determine, exercise or justify legal claims, or for the protection of the rights of another natural or legal person, or for other limited reasons prescribed by applicable law. If the restrictions are lifted, and we continue to process your Personal Data, we will inform you without undue delay.
9.6. Complaint at the Office for Personal Data Protection
You have the right to file a complaint regarding our processing of data with the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Praha 7. Office website: www.uoou.cz.
9.7 Right to revoke consent
Your consent to the processing of certain Personal Data may be revoked at any time without giving any reason, without prejudice to the lawfulness of the processing based on the consent granted prior to its revocation. Please contact the Data Protection Officer for this purpose. In such case, we will delete your Personal Data without delay.
9.8 Objections against processing
You have the right to object at any time to the processing of Personal Data that is processed based on our legitimate interest. If there are shown to be no significant legitimate reasons for processing data on our part that outweigh the interests or rights and freedoms of the data subject, or further processing will not be necessary to determine, exercise or justify our legal claims, we will no longer continue to process your Personal Data.
Version 2, valid from 1 December 2018