Data privacy statement
We process personal data which is necessary to provide our customers with insurance services. Examples include when an insured person suffers an injury, or when a claim is made against a policyholder. In such cases we need personal data about the injured party in order to meet our obligations under the insurance contract and to establish the eligibility of the claim. Providing personal data is voluntary, but without the necessary personal information we will not be able to provide the claimant with a correct compensation payment.
Protector Vakuutus (Protector) processes personal data in accordance with applicable laws. Your privacy is important to us, and we focus on ensuring that your personal data is processed in accordance with the principles of confidentiality, integrity, accessibility and robustness. If a security breach occurs which entails a significant risk to our customers’ or others’ rights, we will report this to the relevant parties.
Please note that we recommend sending information containing sensitive personal data or social security number(s) via encrypted e-mail.
Why and how do we process personal data?
We process personal data for the following main purposes:
- The administration of our insurance products, including providing offers on new insurance products. This may be in order to identify you as a policyholder or a claimant.
- Dealing with specific claims, including assessing whether compensation is payable.
- Human resources (HR) administration, including recruitment.
Our processing of personal data is handled by our competent staff. We use professional systems with robust security to store and process your personal data.
Only a select group of people are able to process and access potentially sensitive information in our professional systems. Physical documents containing sensitive personal data are securely locked away when not being processed by the case handler.
All staff of Protector are subject to obligations of confidentiality. Our employees have a duty of confidentiality both in relation to external persons and companies as well as internally between colleagues. The duty of confidentiality does not cease upon the cessation of employment.
What types of personal data does Protector process?
Information processed at Protector can be categorized as follows:
- Administrative data such as name, address, phone number, e-mail address and civil registration number.
- Information about insured risk and coverage.
- Health information.
- Information about injury, loss and/or damage required to determine the outcome of an insurance claim.
- Information about a third party as a result of this person’s association with a policy, such as benefits.
Which bases for processing does Protector use?
In connection with the above-mentioned main processing purposes, we process personal data on the following bases:
- Processing is necessary to conclude or fulfil an insurance contract.
- Processing is necessary to comply with the legal obligation incumbent on us as the data controller. For example, we may be required to share information with a public authority, such as a municipality or relevant tax authority.
- Processing is necessary for us or a third party to pursue a legitimate interest.
- Processing is necessary for the establishment, exercise or defense of a legal claim.
- If you have given your consent. For example, if you have consented to us obtaining information concerning your health.
Special categories of personal data
In some cases Protector will process special categories of personal data, including information about health. In these cases we will ask for a power of attorney to collect personal information about you from, for example, doctors, hospitals, other health personnel or public registers. For claims regarding statutory insurances, we have the right to request information without a separate power of attorney.
The power of attorney is limited to the information necessary for Protector to fulfil its legal obligation.
If a power of attorney is not given, this may affect the decision on the compensation claim.
Who do we share personal data with?
We may provide personal data to public authorities if required by a statutory obligation to disclose information.
We may disclose personal data to third parties if permitted by the General Data Protection Regulation (GDPR) and the Personal Data Act. In some cases, we may need to provide personal information about you in order to fulfil our agreement with you as a policyholder/injured party. This applies, for example, in the event of an evaluation by a professional specialist. If we provide information to a third party in accordance with the law, we will inform you of this, unless a law or regulation explicitly requires that the disclosure of the information be kept confidential.
If it is necessary for us to use a data processor, the data processor will only process personal data in accordance with detailed instructions from Protector. This is to safeguard your rights and protect your data. Any third party receiving personal data from us is subject to the obligations of confidentiality by contractual agreement.
We may also provide information after obtaining your consent. For example, this could be health information provided to another insurance company with whom you have an accident insurance policy.
How long do we store personal information about you?
We do not store personal data longer than is necessary to fulfil the purpose of processing and what is required by the law. If you have a customer relationship or personal injury claim registered with us, personal information about you will be stored. This is due to possible future claims, which can then be linked to the relevant insurance history.
Protector will delete the personal data when there is no longer a basis for processing of personal data. This is in most cases dependent upon the statute of limitation for that specific insurance.
Your right to access, rectification, erasure and transferal of data
Right to access:
You have the right to obtain information about whether we process personal data about you and to request access to your personal data. In this context, you also have the right to receive information about which purposes and bases for processing we use, which data we process about you, the recipients or categories of recipients to whom your personal data is disclosed, how long the information is stored and where the information is collected.
Right to rectification and erasure:
If you believe that Protector has registered incorrect information about you, you have the right to have this information rectified without undue delay, for example by having incomplete personal data completed by submitting an additional declaration.
You have the right to have your personal data deleted without undue delay if any of the following conditions apply:
- The information is no longer necessary to fulfil the purpose of processing.
- You withdraw your consent, which has been used as the basis for processing and there is no other legal basis for the processing.
- You object to the processing and there are no overriding legitimate grounds for the processing.
- Your personal data has been processed illegally.
- Personal data must be deleted in order to comply with a legal obligation under EU or national law.
It should be noted that the right of erasure does not apply if, for example, the processing of personal data is necessary for the establishment, exercise or defense of a legal claim.
Right to data portability:
You have the right to receive any personal information we have stored about you in a structured, commonly used and machine-readable format. You also have the right to require us to transfer information we have received from you to another data processor, provided this is technically possible and the processing of the personal data is based on consent or agreement.
Data Protection Officer (DPO):
If you have any questions regarding how we process personal data or wish to exercise any of your rights under the GDPR, please contact our Data Protection Officer.
A DPO has a duty of confidentiality and is obliged to prevent others from accessing or acquiring knowledge of your personal data unless you have given your consent in advance. This also applies after the processing has ended.
E-mail address: DPO@protectorvakuutus.fi
The data controller is the one who determines the purpose of processing personal data and any methods used. In its role as data controller, Protector monitors the processes, business areas and systems that process personal data, and carries out internal controls and risk assessments to ensure compliance with the GDPR.
You can contact the data controller via mail at:
Protector Forsikring ASA, Suomen sivuliike
Protector Forsikring ASA
Pb 1351 Vika
0113 OSLO, NORWAY
How to make a complaint about the processing?
The Office of the Data Protection Ombudsman is responsible for ensuring compliance with the GDPR. If you experience anything you believe is in breach of the rules, you can write to:
Office of the Data Protection Ombudsman
PL 800, 00531 Helsinki
Link to Data Protection Ombudsman’s web site https://tietosuoja.fi/en/contact-information
(Latest version on March 24th 2022)