Data protection

OTP Osiguranje a.d.o. Beograd (hereinafter referred to as: Insurer) is the personal data controller for data pertaining to natural persons and is processing them in line with applicable regulations, that is, in line with the Law on Personal Data Protection (“Official Gazette of the Republic of Serbia” number 87/2018) (hereinafter referred to as: Law) as well as the Regulation (EU) 2016/679 of the European Parliament and Council from 27 April 2016 on protection of individuals related to processing of personal data and free movement of such data and replacing the Directive 95/46/EC (when applicable). Data subject shall be each natural person (individual) whose personal data is processed by the Insurer.

Information on the personal data controller

OTP Osiguranje a.d.o. Beograd, 50 a/b Bulevar Zorana Đinđića Street, 11070 Novi Beograd

Telephone number: 011/2608-665, Fax number: +381 11 260 7330

E-mail: info@otposiguranje.rs, Webpage: www.otposiguranje.rs

Contact Person for the Protection of Personal Data

E-mail: zastita.podataka@otposiguranje.rs

Telephone number: 011/2608-904 and 011 71 50 223

1. Scope of Application

Policy shall be applied to all personal data of the Client that the Insurer is processing, that is, for which the purpose and method of processing are determined, as well as to other persons stated in this clause. Policy shall be applied to all services and products of the Insurer including processing of personal data. If the basis of processing is consent, the last expression of will of data subjects, by which such person provides consent for personal data processing shall be applied to all services and products of the Insurer used by such person. Policy shall primarily be applicable and shall refer to:

 

  1. Natural persons applying for or using services and products of the Insurer (hereinafter referred to as: Client):

  • Natural persons applying for or using services and products of the Insurer in their name and for their own account (for example, policy holder),
  • Natural persons establishing a relationship with the Insurer on behalf of legal entities, organizations, associations and other formations that may establish a contractual relationship with the Insurer (authorized representatives, procurators, legal representatives, holders of power of attorney, etc.),
  • Natural persons (legal representative, parent, guardian, authorized representative, signatory, representing or acting on behalf of the person from item 1),
  • Successor of the person from item 1),
  • Other natural persons (for example, complainant, authorized person) exercising rights, that is, for which the conclusion of the contract with the Insurer or use of its products may create certain rights and/or obligations,

  2. Natural persons interested in the use of services and products of the Insurer (hereinafter referred to as: Potential Client),

  3. Other natural persons whose data is received by the Insurer during their operations in line with current regulations (for example, insurance beneficiary).

 

Policy shall not be applied to anonymized data or data based on which the identity of persons cannot be determined directly or indirectly. Anonymized data shall mean a data that is altered in a manner that it cannot be connected to certain natural person, therefore, in line with current regulations, it shall not be considered personal data. Insurer shall process personal data for different purposes, while the means of collection, legal basis for collection, use, disclosure and keeping periods may differ depending on the purpose.

2. Principles of Personal Data Processing

The Insurer shall process personal data in a legal, transparent and fair way by implementing the following activities:

 

  • Informing the data subjects on the purpose of processing and legal basis for processing in a clear, simple and transparent manner,
  • Only necessary processing shall be performed, for the purpose of implementing contracts concluded with data subjects (for example, policy holder, insured person, potential policy holder and insured person, insurance beneficiaries, engaged associates, etc.), processing that is required by certain regulations and represent a legal obligation of the Insurer as controller, processing necessary for accomplishment of legitimate interest of the Insurer, but only in cases when such interest prevails compared to the interest of data subjects, as well as processing performed based on explicit and free consent of data subjects.

 

Insurer shall process personal data for the purposes that are specifically determined, explicit, justified and legal. Personal data cannot be processed in a manner that is not in line with such purpose. Insurer shall apply principle of minimum data volume during collection of personal data, thus, only personal data that is necessary to meet the purpose for which it is collected shall be collected from data subjects. In case additional personal data is necessary, such data shall be collected with consent of such data subjects. Insurer shall secure personal data accuracy by applying technical and organizational measures and periodical data updating. Data keeping periods shall be set in internal acts of the Insurer in a manner that assures such data is kept within period necessary to achieve the purpose of processing and in line with the legal requirements. Insurer shall follow the principle of personal data integrity and confidentiality. Insurer implements technical and organizational measures for personal data protection following regulations, good business practice and internationally recognized standards. Insurer may engage personal data processor based on a contract regulating, among others, duties of the processor related to personal data protection.

3. How Do We Collect Data?

Insurer shall collect personal data in the following manner:

 

  1. Directly from Clients and Potential Clients, by direct delivery from the Client and/or Potential Client (for example, by submitting request directly to the Insurer, during the direct sales of services of insurance, during communication of the Client/Potential Client with employees of the Insurer or through web pages and social media, during complaint submission, etc.),
  2. Through insurance brokers, based on concluded contracts on insurance brokerage based on which the brokers operate in the name and for the account of the Insurer,
  3. Through insurance brokers, based on concluded contracts on insurance brokerage based on which the brokers deliver personal data of persons interested in insurance services for the purpose of connecting interested parties,
  4. From publicly available sources such as, for example, data from public services,
  5. From other controllers based on existing contractual relationship. In situations when other controllers entrust certain activities of processing personal data to the Insurer, based on previously concluded contract, Insurer, in the capacity of the processor, may process all personal data entrusted to the Insurer for processing by another controller.

 

Precondition for each personal data collection is the existence of relevant legal basis in line with the Law.

4. What Type of Data Do We Collect?

Insurer shall collect and process the following personal data categories:

 

  • Information included in contracts with Clients and request form for Potential clients.

 

Personal data contained in contracts/request forms from pre-contractual phase, which are necessary to provide service, meet contractual obligations or conclude a contract. This may mean processing of the following data: name and surname, date of birth, sex, personal number, address of residence, citizenship, number of the identification document, place and date of issuing identification document, state of birth, telephone number (fixed, mobile), e-mail address, data on method and history of payment of services (debt, current account number, etc.), health data, work data, work status data, as well as responses to certain questions related to determination of risk from money laundering and financing of terrorism, which is necessary for compliance with the Law on Prevention of Money Laundering and Financing of Terrorism.

 

  • Data collected after the occurrence of insured event during determination of right to payment of insured sum.

 

Personal data shall be collected from the Claimant and/or insurance beneficiary, but the stakeholder may be a business bank if the insurance is contracted related to debt of the insured person towards such bank. The Claim shall include collection of the following data on the applicant: name, surname and address, biometrical data from the personal document, number of current account as mandatory data, and telephone number and/or e-mail address as optional data. When submitting Claim and procedure of decision making on the Claim, the Insurer shall collect data on the name, surname, date of birth, personal number, address and current account number of the insurance beneficiary, delivered by the Claimant or the insurance beneficiary personally, as well as other personal data contained in documentation of competent state authorities, that must be delivered for the purpose of decision making on the Claim, such as, for example, court decision on inheritance, and marriage certificate, birth certificate (for children), etc. During the decision-making process on justification of payment of insured sum, health data of the insured person, data on disability and/or data on criminal proceedings initiated against a person may be processed, only to determine cause and circumstances of occurrence of insured event and decision making related to the Claim.

 

  • Information delivered by Clients and/or Potential Clients by completing relevant forms on our webpage.

 

This includes data received for the purpose of sending inquiries, submitting complaints or appeals, sending requests. Personal data processed for this purpose may include but are not limited to name, surname, e-mail address.

 

  • Information contained in records on communication and correspondence in situations of contacting the Client, Potential Clients and other natural persons.

 

This data shall include recordings of conversations with employees of the Insurer, written or electronic communication.

 

  • Information collected from Clients and processed for the purpose of improving communication, transfer of contacts, as well as for improving quality of products and services.

 

This includes data on professional interests, customer experience with services of the Insurer, data base containing number of mobile and fixed telephone, name and surname and address of residence.

 

  • Data on visits to our online portals and data on resources used to access or downloaded.

 

This data is processed in line with Terms of Use, available at https://www.otposiguranje.rs/uslovi-koriscenja/.

 

  • Information collected and processed by the Insurer for the purpose of direct marketing and profiling, based on freely given consent of the data subject.

 

Depending on the amount of insured sum being contracted, the Insurer may examine the health condition of the insured person based on completing questionnaire on health condition or through delivery of medical analysis necessary depending on specific case, thus conducting profiling. Insurer shall collect this data based on explicit consent of the insured person. During profiling, a professional shall assess the health condition of the insured person and what consequences it may have related to the accomplishment of insured risk that is subject of contracting, and based on this assessment, the risk taken by Insurer upon contract conclusion is assessed. Based on estimated risk, the Insurer shall decide on amount of premium responding to such risk, with the possible consequence of the Insurer not being willing to conclude the insurance contract with such estimated risk. In case of insured event, the Insurer shall collect data on cause and circumstances of occurrence of insured event based on medical documentation and documentation of competent state authorities which depict such facts. This data shall be profiled: it is estimated under which circumstances this insured event happened and what was the health condition of the insured person at the moment of occurrence of the insured event, and based on this data, contractual provisions shall be applied and justification of payment claims shall be assessed. This includes processing of the following personal data: name and surname, e-mail address, mobile telephone number, health data on the insured person and other data. Insurer shall process personal data based on legal obligations and contractual relationship and/or consent.

 

  • Information collected for fulfilment of legal obligations.

 

This includes personal data Insurer is obligated to collect, keep and process in line with current laws of the Republic of Serbia and delivered to competent state authorities (courts, competent authorities, investigative bodies, etc.).

 

  • Other information collected for exercising certain legitimate interest of the Insurer.

 

When personal data is collected based on legitimate interest, Insurer shall consider, with special attention, the impact of processing to rights and liberties of data subjects. Legitimate interests of the Insurer are not above the interests of data subjects. In case that, compared to legitimate interest of Insurer, predominant interests or basic rights and liberties of data subject demand personal data protection, especially if the data subject is a minor, Insurer shall not perform processing, unless explicit consent of the data subject is received, that is, consent of the parent exercising parent right or other legal representative of the minor in line with relevant regulations.

 

As a rule, the Insurer shall process special types of personal data, namely biometric data and data on health status of the insured person, as well as data on disability and criminal record of the insured party and initiated criminal procedures against them if such information is significant to determine the circumstances of occurrence of insured event. The legal basis for data processing originates from the law, that is, based on necessity to act at the request of data subjects, that is, necessity to execute contract, also, processing shall be necessary to meet legal obligations of the Insurer. In addition to aforementioned, the processing shall be based on consent of data subjects.

5. For What Purpose Do We Use Collected Personal Data?

Insurer shall process personal data of data subjects only when such processing is legal. Processing shall be legal in the following cases:

 

  1. Processing shall be necessary for execution of contract with data subjects or in order to act at the request of data subjects prior to contract conclusion. For the purpose of providing services to Clients, minimum set of data shall be processed which is necessary to provide certain service, or product sales. Otherwise, or if the data subject refuses to deliver a required necessary set of data, the Insurer shall not be able to conclude the contract with the Client and enable the use of products or service. Minimum data set shall include use of data to check the identity of the Client and/or Potential Client, use of residential address to contact or provide service, and other actions connected to conclusion and execution of the contract, as well as processing of health data and other data necessary for risk assessment or assessment of circumstances leading to occurrence of insured event.
  2. Processing shall be necessary in order to meet the legal obligations of the Insurer (current regulations the Insurer is obligated to follow). Based on the written request based on current regulations, the Insurer shall be obligated, in certain situations, to deliver or enable access to competent authorities (for example, courts, police, etc.), or enable access to certain personal data of Clients. Insurer shall also be obligated to deliver certain data to regulatory bodies performing supervision over its operations, as well as external audit.
  3. Processing shall be necessary for the purpose of exercising legitimate interest of Insurer or third party, except when interests or basic rights and liberties of data subjects requesting protection of personal data are higher than such interests, especially if the data subject is a minor. Legitimate interest of the Insurer shall include processing used to improve the process, development of products and improvement of business, service upgrading, offer products and services that are expected to improve operations with Clients. This, for example, may include use of Client’s data to prevent, detect and process abuse damaging for a Client or Insurer, protect the property of the Insurer, create service and offers meeting requirements and desires of Clients, market research and analysis, etc.
  4. Data subject provided consent for processing of own personal data for one or several specific purposes, where such consent must be provable and voluntary, written in easily understandable language, and the data subject shall be entitled to withdraw such consent at any time.
  5. Processing shall be necessary for vital interests of data subject or other natural person.
  6. Processing shall be necessary for the purpose of performing activities in public interest or execution of authorities of Insurer prescribed by law.

6. Automatic Data Processing

Decision making based on automatic data processing, including profiling, shall be an integral part of operations of the Insurer, and shall be executed in line with:

 

  1. Current laws,
  2. Execution of contractual obligations,
  3. Explicit consent of data subject,
  4. Legitimate interest of the Insurer.

 

The Insurer shall perform automated data processing during performance of work on insurance contract conclusion, and also later on, during contract and obligations management for certain processes. Automatic data processing entails regular personal control and right to human intervention, as well as the right to express dissatisfaction with such processing, in order to review such actions.

 

Depending on the amount of insured sum and the age of the insured person, the Insurer may examine the health condition, lifestyle and financial data of the insured person based on completing questionnaire and/or through delivery of medical analysis necessary depending on specific case, thus conducting profiling. During profiling, a professional shall assess the health condition of the insured person and what consequences it may have related to the accomplishment of insured risk that is subject of contracting, and based on this assessment, the risk taken by Insurer upon contract conclusion is assessed. Based on estimated risk the Insurer shall decide on the amount of premium responding to such risk, which may lead to consequence of Insurer being unwilling to conclude the insurance contract with estimated risk.

 

In case of occurrence of insured event, the Insurer shall collect data on cause and circumstances of occurrence of insured event based on medical documentation and documentation of competent state authorities including such facts. This data shall be profiled and then it shall be determined under which circumstances the insured event occurred and what was the health condition of the insured person at the moment of such occurrence, where based on this data, contractual provisions shall be applied and justification of claim shall be assessed. In line with the Law, Insurer shall enable data subjects to submit complaints to automatic processing, including profiling. Complaint may be submitted to initial or further processing, at any time, free of charge.

7. Who Has Access to Your Personal Data and Who May Receive Them?

Only employees of the Insurer, as well as engaged associates shall have access to personal data, including, primarily insurance brokers, in line with operations performed based on relevant authorizations set by the Insurer and only to minimum extent, with the obligation to act in line with normative acts of the Insurer regulating the area of personal data protection.

 

Personal data shall be available to third parties, other than the Insurer, only in the following cases:

 

  • In case of legal obligation or explicit authorization based on the law (request from court, for example),
  • If a third party or a subcontractor has been engaged for performance of certain tasks (processor), where such processor shall act only in line with orders from the Insurer, and the Insurer shall provide all measures for data protection as if such tasks were performed individually,
  • Related companies of the Insurer provided that such transfer or access is based on legal basis (consent of persons or legitimate interest),
  • If data must be forwarded for contract execution,
  • Members of Insurer’s Group,
  • Other persons, other than the Insurer, for which explicit consent of data subjects exists.

 

Insurer shall process your personal data, as a rule, in the Republic of Serbia, and exceptionally, the Insurer may process this personal data in other states and international organizations in line with the Law on Personal Data Protection.

8. How Do We Protect Your Personal Data?

Personal data shall be treated as trade secret of the Insurer and thus, shall be classified as confidential, that is, strictly confidential data. In line with their classification, adequate protective measures shall be applied to them, used to protect this data from violation, unauthorized access, accidental loss, destruction, damage, and any violation of security. For this purpose, technical and organizational measures shall be applied, such as control of access right, establishment and implementation of information security policy and other relevant internal acts, establishment of duty segregation system, establishment and assurance of meeting obligations of confidentiality and compliance with the law of all third parties that have access to personal data in the information system of the Insurer, application of method of monitoring access and activities in information systems, as well as application of software solutions to protect information resources. Insurer has implemented information security management system and within such system, the Insurer has established adequate measures for protecting confidentiality, integrity and/or availability of personal data. In case of violation of personal data that may lead to accidental or intentional destruction, loss, amendment or unauthorized disclosure of personal data during processing, that may cause high risk for the rights and liberties of natural persons to which such data refers, the Insurer shall, immediately upon learning of such violation, without undue delay, notify the Commissioner and the data subject in a clear and understandable manner with mandatory stating contact data of the personal data protection officer, description of possible consequences and description of measures taken. Insurer shall, in case of violation of personal data, immediately take appropriate measures to prevent further violation of rights and obligations of data subject and to mitigate consequences due to such violation.

9. What Rights Do You Have Related to Your Personal Data We Process?

Data subjects may exercise the following rights:

 

a) Right to access personal data – the applicant shall be entitled to receive information on existence of personal data processing related to such applicant, on the purpose of processing, on type of personal data processed, recipients or categories of recipients to which such personal data is disclosed to or may be disclosed to, on keeping periods, on the right to request amendment or deletion of personal data, that is, the right to limit processing of such data, on the right to file a complaint to the Commissioner.

b) Right to amend personal data – the right to demand correction of false personal data, as well as the right to complement incomplete data.

c) Right to limit processing of personal data in the following cases:

  • When accuracy of personal data is under dispute, the Insurer shall temporarily limit processing in the period that is sufficient to check accuracy of personal data,
  • When there is no legal basis for processing personal data, and the data subject objects to deletion of data for application, exercise or defense of legal requirements,
  • The Insurer no longer needs personal data to accomplish the purpose of processing, but the data subject requested such data for the purpose of application, exercise or defense of legal requirements,
  • When complaint is submitted to processing, and assessment whether the legal basis for processing by the Insurer is predominant compared to the interests of such persons is ongoing.

d) Right to object shall refer to the right of persons to object at any time to the Insurer related to the legality of processing of their personal data established based on relevant legal basis for processing:

  • The Insurer shall limit processing upon reception of complaint in line with this paragraph, and after the completion of assessment of justification of the complaint, stop processing personal data of the complainant, unless it is able to prove there are legal reasons for processing that are predominant over the interests, rights or liberties of data subjects or are related to application, exercise or defense of legal requirements,
  • Data subjects shall be entitled to object to processing of their personal data at any time, that is processed for direct marketing, including profiling, to the extent it is connected to direct marketing,
  • If the data subject objects to processing for direct marketing, the personal data cannot be further processed for that purpose.

e) Right to deletion (“Right to be forgotten”) of personal data related to data subject may be exercised in the following cases:

  • Personal data is no longer necessary for the purpose they were collected for or processed in any other way,
  • Data subject withdraws the consent based on which the processing was performed, and there is no other legal basis for processing,
  • Data subject filed a complaint to processing in line with the Law, and there is no other legal basis for processing that is predominant over the legitimate interest, rights or liberties of data subjects,
  • Personal data was illegally processed,
  • Personal data must be deleted for the purpose of executing legal obligations of the controller.
  • Personal data is collected related to use of information system services.

f) Right to data portability means the right of the person (and the obligation of the Insurer) to receive personal data previously submitted to the Insurer in a structured, commonly used and electronically readable format, as well as the right to transfer such data of the data subject from the Insurer to another controller if the following conditions are met:

  • Processing is based on consent, performed based on the contract, that is, in line with Article 17, paragraph 2, item 1 of the Law,
  • Processing is done automatically.

10. How Can You Exercise Your Rights?

Your rights related to personal data the Insurer is processing about you may be exercised at the address of the seat of the company or at e-mail address: zastita.podataka@otposiguranje.rs.

Data subjects may exercise their rights by completing a relevant form. Forms for exercise of rights may be received at the seat of the Insurer, or at the webpage of the Insurer, at the section dedicated to data protection. Request submitted must be legible and properly completed and signed (in case of electronic submission, signed by qualified electronic certificate). The request submitted through the holder of the power of attorney shall be accompanied by the power of attorney certified in front of the Notary Public authorizing the holder of the power of attorney to act in front of the company related to exercise of rights regulated by the Law on Personal Data Protection. Signed request for exercise of rights of data subjects shall be delivered to the seat of the Insurer or in any branch of insurance brokers that cooperate with the Insurer. The Insurer shall respond to the request without delay, within 30 days from the reception of complete and full request at the latest. Such deadline may be extended for another 60 days if necessary, considering the complexity and number of requests. The Insurer shall notify the data subject on extension of the deadline and reasons for such extension within 30 days from the reception of the request.

Objection form regarding the processing of personal data

Request for the exercise of rights in connection with the processing of personal data

11. How To Contact Us?

You can send your request to the Insurer in the following manner:

 

  1. At the seat of the Insurer, personally or through the holder of the power of attorney.
  2. By electronic mail to the address delivered to the Insurer as contracted communication channel for Insurers, at zastita.podataka@otposiguranje.rs. In case of using this channel of communication the request must be signed using a qualified electronic certificate.

 

All additional questions related to processing of your personal data, as well as questions related to exercise of your rights may be sent to the personal data protection officer at zastita.podataka@otposiguranje.rs.

12. Submitting Complaints to Commissioner For Information of Public Significance and Personal Data Protection

Supervisory body for the protection of personal data in the Republic of Serbia shall be the Commissioner for Information of Public Significance and Personal Data Protection, 15 Bulevar Kralja Aleksandra Street, Belgrade (hereinafter referred to as: Commissioner). Data subject shall be entitled to submit a complaint to the Commissioner in case data subject considers processing of his/her personal data by the Insurer is contrary to the provisions of the Law. Data subject shall be entitled to protection from the court in case data subject feels that, contrary to the Law, his/her right regulated by Law has been violated by the data controller or processor through data processing. Filing a suit to the court shall not prevent this person from initiating other procedures of administrative or court protection. Suit from this paragraph shall be submitted to competent higher court.

13. Additional Information

See detailed information on Personal Data Protection Policy below. Notice on processing and handling of personal data related to insurance products may be downloaded below in pdf format, while the Notice related to other processing of personal data shall be timely delivered to data subjects in specific situations and business circumstances.

Personal data protection policy

Notice on Personal Data Processing and Handling

Notice

I confirm that I am not hereby concluding an Insurance Contract and that I am voluntarily providing the data solely for the purpose of possibly obtaining an informative and non-binding offer for the conclusion of an insurance contract, according to the data I provide to Societe Generale Osiguranje a.d.o. Beograd (hereinafter referred to as: Insurance Company). In the event that the data entered is not true, or that for other reasons or based on the will of the Insurer it is not possible to conclude an insurance contract according to this offer, the Insurer shall bear no liability.

All data that the user of the Application provides to the Insurance Company for the purpose of preparing an informative offer is provided of the user's own free will, and consent for the Insurance Company to process that data is given by a conclusive act*, that is, by the very act of the user of the Application providing the data, whereby consent is given to the Insurance Company to process it for the purpose of delivering an informative insurance offer.

When processing data, the Insurance Company shall act in accordance with the Law on Personal Data Protection.

*A conclusive act is an act, that is, appropriate conduct, by which a person's consent regarding a particular matter is expressed clearly, unambiguously and with certainty. In this specific case, by filling in personal data the user of the Application undoubtedly gives consent for the Insurance Company to use that data, because otherwise the user would not fill in the data and submit it to the Insurance Company through the Application.