Personal data collected in the process of concluding an insurance contract, in the pre-contractual stage, and in the contracting phase, are used for the purpose of risk assessment regarding insurance coverage, contract execution, fulfillment of contractual obligations by the Insurer and providing the insurance coverage on the base of the contract, as well as to exercise the Insurer’s rights based on the concluded insurance contract. The Insurer uses the collected data for informing the person to which the data relate about the rights and obligations under the contract and providing benefits under the contract. In the case of fling an objection to the Insurer’s work, or an objection for the protection of personal data, the Insurer is authorized to use the personal data of the objector, as well as the persons to whom the objection relates to the extent necessary to resolve the objection. Should a judicial or any other proceeding be instituted before a competent state authority with respect to the contractual relation, the Insurer shall use the necessary personal data for the purpose of conducting the proceedings or acting on the orders received by the competent authority. The legal basis for processing data for these purposes is statutory, and in particular it is based on the necessity to take actions at the request of the person whose data is being processed, i.e. on the necessity for contract performance, and also the processing is necessary in order to comply with the legal obligations of the Insurer.

Collecting of the insured person’s health data is done solely for the purpose of assessing the Insurer’s risk in connection with the occurrence of the insured event, the decision on underwriting, and determining the amount of the insurance premium. Furthermore, this data is collected and used after the beneficiary has filed the insurance claim , and then the additional data is collected on the health status of the insured in order to determine the cause and circumstances of the insured event and decide upon the claim. The legal basis for processing data for these purposes is statutory, and in particular it is based on the necessity to take actions at the request of the person whose data is being processed, i.e. on the necessity for contract performance, and also the processing is necessary in order to comply with the legal obligations of the Insurer. Additionally, processing is also based on the consent of the data subject.

Biometric data are collected for identification of person in a contractual relation and acting in accordance with the Law on Prevention of Money Laundering and Financing of Terrorism. The legal basis for processing this data is statutory, however, since it is a specific type of data, the consent of the data subject is also obtained.

Within marketing and commercial activities, personal data will be used for the purpose of information about the Insurer’s activities and new insurance products, testing the service satisfaction, informing about additional benefits with the insurance service. Data collected by the Insurer will also be analyzed, but this data will be anonymized so that during the analysis, the information on age or gender cannot be linked to the identity of the person to whom they belong. The legal grounds for the processing of this data is the consent of the data subject, based on a concludent action by submitting a telephone number or e-mail address. The data subject has the right to withdraw his / her consent at any time by sending a request to the e-mail address zastita.podataka@otposiguranje.rs

The data will also be used for reporting to the supervisory authority over the work of the Insurer, as well as in cooperation with the audit firm with which the Insurer cooperates. The legal basis for processing this data is statutory.

In case of modification or extension of the list of recipients of personal data, the changes will be presented on the Insurer’s website and will be available at any time.

For all insurance products:

• OTP Group, of which the Insurer is a member, and its other members;
• The insurance agent or intermediary through which the specific contract was concluded, or which participates in the process of concluding the contract, whose data is indisputably known to the insurance contractor and the insured person at the moment of initiation of such procedure;
• IN2 informatički inženjering d.o.o. Beograd, with its seat at the address 9ž Milutina Milankovića Street, Belgrade;
• Insurance intermediary company
• Comtrade System Integration d.o.o. Beograd, with its seat at the address 7 Savski nasip Street, Belgrade;
• Društvo za reosiguranje Dunav Re a.d.o., with its seat at the address 18/I Bulevar kralja Aleksandra Street, 11000 Belgrade, if the specific insurance contract is subject to reinsurance;
• ARHIVIRAJ d.o.o. with its seat at the address 6a Maksima Gorkog Street, Belgrade
• National Bank of Serbia, with its seat at the address 12 Kralja Petra Street, Belgrade;
• Tehnobiro d.o.o. Beograd, with its seat at the address 14 Varvarinska Street, Belgrade;
• Simplify Outsourcing d.o.o. Beograd, with its seat at the address 26 Milovana Glišića, Beograd;
• Advokatska kancelarija Aleksić sa saradnicima, with its seat at the address 1 Grčkoškolska, Novi Sad;

For the My Prevention insurance product, in addition to the above recipients, the information is also provided to the following recipients of personal data:

• New Health System doo Beograd, with its seat at the address 24 Bulevar kralja Aleksandra Street, Belgrade;
• Doo za trgovinu i usluge Cards Print, with its seat at the address 124g Kudelarski nasip prva Street, Pančevo
• The medical facilities listed on the insurer’s website are not named in this notice because the medical facilities network is subject to change, but the data subject has the opportunity at any time to access the information about the relevant facilities through the Insurer’s website, provided that the personal data will be exchanged only when the Insured calls the Insurer Contact Center to schedule medical examination;

For the My Security insurance product, in addition to the above recipients, the information is also provided to the following recipients of personal data:

• EUROP ASSISTANCE Magyarorszag KFT. – Branch Office, Belgrade, with its seat at the address 76a Gandijeva Street, Belgrade

In the case of the need for performing insurance and reinsurance activities, as well as in the case of conducting business cooperation within the Group of which the Insurer is a member, the collected personal data may be transferred outside the Republic of Serbia to countries that are members of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, i.e. to countries that have been found by the European Union to provide an adequate level of protection.

In accordance with the regulations of the Insurance Act, the Insurer is obliged to keep personal data that are important for exercising the right to compensation, i.e. payment of contracted amounts for 10 (ten) years after the expiration of the insurance contract, and in case of occurrence of the contracted insured event, within the period of 10 ( ten) years from the determination of the right to insurance benefits.

If the Insurer has an obligation under the regulations of the Republic of Serbia to keep personal data longer than 10 (ten) years, for example for reporting or proving certain facts, it will do so on a legal basis from a specific regulation.

Data subjects have the right to request from the Insurer access, correction or deletion of his/her personal data, as well as the right to limit processing, the right to file objection, and the right to data transmission, all in accordance with the provisions of the Law on Personal Data Protection. Withdrawal shall be sent to the Insurer in writing by e-mail to zastita.podataka@otposiguranje.rs.

Data subject has the right to withdraw the consent to the processing of personal data, at any time, provided that such withdrawal shall have effect only from the moment of notification of the withdrawal to the Insurer, and shall not affect the use of the data before such withdrawal. Withdrawal can only be made with respect to the data used by the Insurer on the basis of the consent of the individual, and not the data for which the grounds for collection and processing is either provided in the law, or in the contract, i.e. data necessary for the fulfillment of the contract.

If the processing of data is based on necessity for the purpose of performing activities in the public interest, or the exercise of the Insurer’s statutory powers, or the processing is necessary for the exercise of legitimate interests of the Insurer or a third party, the data subject shall have the right to file an objection at any time to processing of his/her data. In such case, the Insurer shall suspend the processing of the data on the person who submitted the objection, unless it has demonstrated that there are legal reasons for processing that outweigh the interests, rights or freedoms of the data subject, or that are related to the submission, realization or defending of a legal claim.

The data subject has the right to object at any time to the processing of his or her personal data that are processed for direct advertising purposes, including profiling, to the extent it is connected to the direct advertising.

The objection can be filed in writing, in one of the following ways:

• By visiting the Insurer’s premises
• By sending the objection by mail to the address OTP Osiguranje ADO Belgrade, 50 a/b Bulevar Zorana Đinđića Street, Belgrade
• By sending the objection electronically to the e-mail address zastita.podataka@otposiguranje.rs

The individual whose personal data is collected and processed has the right to file a complaint on the acts or omissions of the Insurer to the Commissioner for information of public importance and personal data protection, at the address 15 Bulevar kralja Aleksandra Street, 11120 Belgrade, email: office@poverenik.rs, phone: +381 11 3408 900, fax: +381 11 3343 379.

The Insurer does not conduct automated data processing.

Depending on the amount of the insured sum to be contracted, the Insurer may examine the health status of the insured person by completing a health questionnaire, or by submitting medical analyses that are necessary depending on the particular case, and this is how the profiling is carried out. The insurer collects this information based on the express consent of the insured. When profiling, the expert assesses the health status of the insured and what consequences it may have on the realization of the insured risk that he/she wishes to contract, and this assessment is used as base to determine the risk that the Insurer would assume by conclusion of the contract. Based on the estimated risk, the Insurer decides on the amount of the premium corresponding to that risk, and as a consequence it may occur that the Insurer does not have the will to conclude the insurance contract with the estimated risk.

If the insured event occurs, the Insurer shall collect information on the cause and circumstances of the occurrence of the insured event, based on medical documentation and documentation of the competent state authorities establishing the same. These data are profiled, and it is assessed under which circumstances the insured event occurred, and what was the health status of the insured at the time the insured event occurred, and based on these data, the contractual provisions are applied and the merits of the claim for insurance benefits are assessed

A person whose personal data is collected in the capacity of the  insurance holder and/or insured person, submits to the Insurer personal data on name and surname, date of birth, personal identification number, gender and address, as mandatory in the sense that they are necessary for the conclusion of the insurance contract, and this minimum data is necessary for conclusion of the insurance contract and unless they are delivered the Insurer cannot conclude the contract. In addition to the above data, the Insurer needs additional data on the workplace of the individual or his/her employment status, as well as answers to certain questions regarding the identification of money laundering and terrorist financing risks, which are required for compliance with the Law on Prevention of Money Laundering and Financing of Terrorism. This data is also necessary for the conclusion of the contract and the obligation to provide the same is statutory and, if not provided, the Insurer cannot conclude the contract.

Personal data relating to telephone number and email address are collected based on the consent of the person to whom they belong, and are not necessary for the purpose of concluding the insurance contract, and the contract can be concluded without providing this information, but the person who did not provide this information will not be able to receive notifications and information from the Insurer through communication channels using a telephone number or email address.