This Policy (“Policy”) sets out the terms and conditions under which individuals whose personal data are processed by Netins Insurance Brokers Ltd. may exercise their rights under personal data protection law.
NETINS INSURANCE BROKERS processes and protects the personal data collected in the course of its activities honestly, lawfully and in accordance with the purposes for which the data were collected.
Employees who process personal data for the purpose of distributing insurance products, concluding contracts for the provision of insurance services and fulfilling the obligations under such contracts as part of their employment obligations, observe the following principles when processing personal data:
- personal data are processed lawfully and in good faith;
- personal data are collected for specific, well-defined and lawful purposes and are not further processed in a way incompatible with those purposes;
- the personal data collected and processed in the management of human resources are relevant, related to and not exceeding the purposes for which they are processed;
- personal data are accurate and, if necessary, updated;
- personal data shall be deleted or corrected when they are found to be inaccurate or disproportionate to the purposes for which they are processed;
- personal data shall be maintained in a form that allows the identification of the individuals concerned for a period not longer than the period necessary for the purposes for which the data were collected.
Employees who process personal data receive initial and periodic training on data confidentiality and become familiar with applicable law.
The definitions listed below have the following meanings:
“Personal data” means any information relating to an identified natural person or a natural person who can be identified directly or indirectly, in particular by means of an identifier such as name, identification number, location data, online identifier or one or more features specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual;
“Applicable law” means the law of the European Union and the law of the Republic of Bulgaria, which is relevant to the protection of personal data;
“Profiling” means any form of automated processing of personal data, in the form of the use of personal data for the assessment of certain personal aspects relating to an individual, and in particular for analyzing or forecasting aspects relating to the performance of professional duties of that natural person, his/her economic condition, health, personal preferences, interests, reliability, conduct, location or movement;
“Data subject” means a natural person who can be identified, directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more characteristics specific to the physical, physiological, genetic, mental, intellectual, economic, cultural or social identity of that individual;
“Regulation (EU) 2016/679” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), published in the Official Journal of the European Union on 4 May 2016.
Rights of personal data subjects
- Personal data subjects have the following rights regarding their personal data:
- right of access;
- right of correction;
- right to data portability;
- right of deletion;
- right of erasure (right to be forgotten);
- right to request a restriction on processing;
- right to object to the processing of personal data;
- right of the data subject not to be the subject of a decision based solely on automated processing, whether or not such processing includes profiling.
Right of access
Upon request, NETINS INSURANCE BROKERS provides the following information to a personal data subject:
- information whether NETINS INSURANCE BROKERS processes or does not process the personal data of the person;
- a copy of the personal data of the person processed by NETINS INSURANCE BROKERS;
- an explanation of the data processed.
- The explanation of data processing includes the following information about the personal data processed by NETINS INSURANCE BROKERS:
- the purposes of processing;
- the relevant categories of personal data;
- the recipients or categories of recipients to whom the personal data are or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the intended period for which the personal data will be stored and, if that is not possible, the criteria used to determine that period;
- the existence of a right to request the correction or deletion of personal data or to restrict the processing of personal data relating to the data subject, or to object to such processing;
- the right to appeal to a supervisory authority;
- where personal data are not collected from the data subject, any available information on their source;
- the existence of automated decision-making, whether this processing includes profiling and information on the logic used, as well as the significance and intended consequences of this processing for the data subject;
- where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate guarantees in connection with the transfer.
- The explanation of the data processed contains the information that NETINS INSURANCE BROKERS provides to the data subjects through privacy notices.
- At the request of the personal data subject, NETINS INSURANCE BROKERS may provide a copy of the personal data that are being processed.
- When providing a copy of personal data, NETINS INSURANCE BROKERS should not disclose the following categories of data:
- personal data of third parties, unless they have expressly agreed to do so;
- data that constitute trade secrets, intellectual property or confidential information;
- other information that is protected under applicable law.
- Granting access to personal data subjects may not adversely affect the rights and freedoms of third parties or lead to a breach of a regulatory obligation of NETINS INSURANCE BROKERS.
- Where requests for access are clearly unreasonable or excessive, in particular because of their repetitive nature, NETINS INSURANCE BROKERS may charge a reasonable fee based on the administrative costs of providing the information or refuse to respond to the request for access.
- NETINS INSURANCE BROKERS assesses on a case-by-case basis whether a request is clearly unreasonable or excessive.
- In case of refusal to provide access to personal data, NETINS INSURANCE BROKERS justifies its refusal and informs the data subject of his/her right to file a complaint to the Commission for Personal Data Protection.
Right of correction
- Data subjects may request that their personal data processed by NETINS INSURANCE BROKERS be corrected if the data are inaccurate or incomplete.
- Upon a request for correction of personal data, NETINS INSURANCE BROKERS notifies the other recipients to whom the data have been disclosed (e.g. public authorities, service providers) so that they can reflect the changes.
Right to erasure (right to be forgotten)
- Upon request, NETINS INSURANCE BROKERS is obliged to delete personal data if any of the following reasons exist:
- personal data are no longer needed for the purposes for which they were collected or otherwise processed;
- the data subject withdraws his/her consent on which the data processing is based and there is no other legal basis for the processing;
- the data subject objects to the processing and there are no legitimate grounds for the processing to take precedence;
- the data subject objects to the processing of personal data for the purposes of direct marketing;
- personal data have been processed illegally;
- personal data must be deleted in order to comply with a legal obligation of NETINS INSURANCE BROKERS;
- personal data have been collected in connection with the provision of information society services to children within the meaning of Article 8 (1) of Regulation (EU) 2016/679.
NETINS INSURANCE BROKERS is not obliged to delete personal data insofar as the processing is necessary:
- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation of NETINS INSURANCE BROKERS;
- for reasons of public interest in the field of public health in accordance with Article 9 (2) (h) and (i) and Article 9 (3) of Regulation (EU) 2016/679;
- for archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89 (1) of Regulation (EU) 2016/679, in so far as the right to erasure is likely to make such processing impossible or seriously impede it;
- for the establishment, exercise or defense of legal claims.
Right to limit processing
The data subject has the right to request a restriction on processing when one of the following applies:
- the accuracy of personal data is disputed by the data subject; the restriction on processing applies for a period that allows the controller to verify the accuracy of personal data;
- the processing is unlawful, but the data subject does not wish the personal data to be deleted and instead requests that their use be restricted;
- NETINS INSURANCE BROKERS no longer needs personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or protection of legal claims;
- the data subject has objected to the processing on the basis of the legitimate interest of NETINS INSURANCE BROKERS and an investigation is underway as to whether the legal grounds of the controller take precedence over the interests of the data subject.
NETINS INSURANCE BROKERS may process personal data, the processing of which is limited, only for the following purposes:
- for data storage;
- with the consent of the data subject;
- for the establishment, exercise or defense of legal claims;
- to protect the rights of another natural person;
- for important reasons of public interest.
Where a data subject has requested a restriction on processing and any of the grounds under the article above are present, NETINS INSURANCE BROKERS shall inform him/her before the restriction on processing is lifted.
The right to data portability
The data subject has the right to receive the personal data concerning him/her, which he/she has provided to NETINS INSURANCE BROKERS, in a structured, widely used and machine-readable format.
Upon request, this data may be transferred to another controller designated by the data subject, where technically feasible.
The data subject may exercise the right of portability in the following cases:
- the processing is carried out on the basis of the consent of the data subject;
- the processing is performed on the basis of a contractual obligation;
- the processing is performed in an automated manner.
The right of portability may not adversely affect the rights and freedoms of others.
Right to object
The data subject has the right to object to the processing of his/her personal data by NETINS INSURANCE BROKERS if the data are processed on one of the following grounds:
- the processing is necessary for the performance of a task in the public interest or in the exercise of official powers conferred on the administrator;
- the processing is necessary for purposes related to the legitimate interests of NETINS INSURANCE BROKERS or a third party;
- data processing includes profiling.
NETINS INSURANCE BROKERS terminates the processing of personal data unless it proves that there are compelling legal grounds for its continuation, which take precedence over the interests, rights and freedoms of the data subject, or for the establishment, exercise or protection of legal claims.
Right to object to the processing of personal data for direct marketing purposes
When personal data are processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing of personal data for this purpose, including with regard to profiling related to direct marketing.
When the data subject objects to processing for direct marketing purposes, the processing of personal data for these purposes shall be terminated.
Right to human intervention in automated decision making
In cases where NETINS INSURANCE BROKERS makes automated individual decisions, whether or not these decisions are made through profiling, which have legal consequences for individuals or significantly affect them in a similar way, these individuals may request a review of the decision with human intervention and may express their point of view.
NETINS INSURANCE BROKERS provides the natural persons subject to automated decision-making with essential information about the logic used, as well as about the significance and anticipated consequences of this processing for the person.
Procedure for exercising the rights of personal data subjects
The subjects of personal data may exercise the rights under this Policy by submitting a request to exercise the respective right.
A request for the exercise of the rights of personal data subjects may be submitted as follows:
Controller of your personal data
- Electronically to the following email address: firstname.lastname@example.org
- On site at the office of NETINS INSURANCE BROKERS;
- On the website of the Company;
- By mail – at the address of the headquarters of NETINS INSURANCE BROKERS: city of Sofia 1000, 61 Han Asparuh Str.
The request for the exercise of rights related to the protection of personal data should contain the following information:
- Identification of the person – name and Personal No. /EGN/
- Contacts for feedback – address, phone, e-mail
- Request – description of the request
Competent supervisory authorities
Commission for Personal Data Protection (CPDP) 1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd., Tel.: +359 2/91-53-518
Web page: http://www.cpdp.bg
NETINS INSURANCE BROKERS provides information on the actions taken in connection with a request to exercise the rights of data subjects within one month of receipt of the request.
If necessary, this period may be extended by a further two months, taking into account the complexity and number of requests from a particular person. NETINS INSURANCE BROKERS shall inform the person of any such extension within one month of receipt of the request, stating the reasons for the delay.
NETINS INSURANCE BROKERS is not obliged to respond to a request if it is unable to identify the data subject.
NETINS INSURANCE BROKERS may request the provision of additional information necessary to verify the identity of the data subject when there are legitimate concerns about the identity of the requesting individual.
Where the request is made by electronic means, the information shall, where possible, be provided by electronic means, unless the data subject has requested otherwise.
This Policy was adopted by a decision of May 23, 2018.